CompTIA CS0-003 Online Practice Questions and Exam Preparation

CompTIA CS0-003 Online Questions & Answers

• Question 571:

  The security team is reviewing a list of vulnerabilities present on the environment, and they want to prioritize the remediation based on the CVSS v4.0 metrics:

  

  Which of the following vulnerabilities should the security manager request to fix first?

  A. System A
  B. System B
  C. System C
  D. System D
  E. System E
  A. System A

• Question 572:

  A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls.

  Which of the following would best address this issue?

  A. Increasing training and awareness for all staff
  B. Ensuring that malicious websites cannot be visited
  C. Blocking all scripts downloaded from the internet
  D. Disabling all staff members' ability to run downloaded applications
  A. Increasing training and awareness for all staff

  ---

  Explanation

  Increasing training and awareness for all staff is the best way to address the issue of employees being enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. This issue is an example of social engineering, which is a technique that exploits human psychology and behavior to manipulate people into performing actions or divulging information that benefit the attackers. Social engineering can take many forms, such as phishing, vishing, baiting, quid pro quo, or impersonation. The best defense against social engineering is to educate and train the staff on how to recognize and avoid common social engineering tactics, such as: Verifying the identity and legitimacy of the caller or sender before following their instructions or clicking on any links or attachments Being wary of unsolicited or unexpected requests for information or action, especially if they involve urgency, pressure, or threats Reporting any suspicious or anomalous activity to the security team or the appropriate authority Following the organization's policies and procedures on security awareness and best practices

  Official References:

  https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectiveshttps://www.comptia.org/certifications/cybersecurity-analysthttps://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

• Question 573:

  A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk.

  Which of the following did the CISO implement?

  A. Corrective controls
  B. Compensating controls
  C. Operational controls
  D. Administrative controls
  B. Compensating controls

  ---

  Explanation

  Compensating controls are alternative controls that provide a similar level of protection as the original controls, but are used when the original controls are not feasible or cost-effective. In this case, the CISO implemented compensating controls by reviewing logs and audit trails to mitigate the risk of error and fraud in payroll management, since segregating duties was not possible due to the small staff size

• Question 574:

  Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

  A. Command and control
  B. Actions on objectives
  C. Exploitation
  D. Delivery
  A. Command and control

  ---

  Explanation

  Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

• Question 575:

  Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

  A. The lead should review what is documented in the incident response policy or plan
  B. Management level members of the CSIRT should make that decision
  C. The lead has the authority to decide who to communicate with at any t me
  D. Subject matter experts on the team should communicate with others within the specified area of expertise
  A. The lead should review what is documented in the incident response policy or plan

  ---

  Explanation

  The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents.

  The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

• Question 576:

  A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers.

  Which of the following actions would allow the analyst to achieve the objective?

  A. Upload the binary to an air gapped sandbox for analysis
  B. Send the binaries to the antivirus vendor
  C. Execute the binaries on an environment with internet connectivity
  D. Query the file hashes using VirusTotal
  A. Upload the binary to an air gapped sandbox for analysis

  ---

  Explanation

  The best action that would allow the analyst to gather intelligence without disclosing information to the attackers is to upload the binary to an air gapped sandbox for analysis. An air gapped sandbox is an isolated environment that has no connection to any external network or system. Uploading the binary to an air gapped sandbox can prevent any communication or interaction between the binary and the attackers, as well as any potential harm or infection to other systems or networks. An air gapped sandbox can also allow the analyst to safely analyze and observe the behavior, functionality, or characteristics of the binary.

• Question 577:

  A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%.

  Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?

  A. Utilize an RDP session on an unused workstation to evaluate the malware.
  B. Disconnect and utilize an existing infected asset off the network.
  C. Create a virtual host for testing on the security analyst workstation.
  D. Subscribe to an online service to create a sandbox environment.
  D. Subscribe to an online service to create a sandbox environment.

  ---

  Explanation

  A sandbox environment is a safe and isolated way to analyze malware without affecting the organization's network. An online service can provide a sandbox environment without requiring the security analyst to set up a virtual host or use an RDP session. Disconnecting and using an existing infected asset is risky and may not provide accurate results.

  References:

  Malware Analysis: Steps & Examples, Dynamic Analysis

• Question 578:

  A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory.

  Which of the following tools would best help to prove whether this server was experiencing this behavior?

  A. Nmap
  B. TCPDump
  C. SIEM
  D. EDR
  B. TCPDump

  ---

  Explanation

  In this scenario, where the administrator suspects a DoS attack related to half-open TCP sessions consuming memory, TCPDump would be the best tool to use. It can help prove whether the server is experiencing this behavior by capturing and analyzing the network packets to identify patterns consistent with half-open TCP sessions.

• Question 579:

  A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network.

  Which of the following activities should the analyst perform next?

  A. Wipe the computer and reinstall software
  B. Shut down the email server and quarantine it from the network.
  C. Acquire a bit-level image of the affected workstation.
  D. Search for other mail users who have received the same file.
  D. Search for other mail users who have received the same file.

  ---

  Explanation

  Searching for other mail users who have received the same file is the best activity to perform next, as it helps to identify and contain the scope of the ransomware attack and prevent further damage. Ransomware is a type of malware that encrypts files on a system and demands payment for their decryption. Ransomware can spread through phishing emails that contain malicious attachments or links that download the ransomware. By searching for other mail users who have received the same file, the analyst can alert them not to open it, delete it from their inboxes, and scan their systems for any signs of infection. The other activities are not as urgent or effective as searching for other mail users who have received the same file, as they do not address the immediate threat of ransomware spreading or affecting more systems. Wiping the computer and reinstalling software may restore the functionality of the affected workstation, but it will also erase any evidence of the ransomware attack and make recovery of encrypted files impossible. Shutting down the email server and quarantining it from the network may stop the delivery of more phishing emails, but it will also disrupt normal communication and operations for the organization. Acquiring a bit-level image of the affected workstation may preserve the evidence of the ransomware attack, but it will not help to stop or remove the ransomware or decrypt the files.

• Question 580:

  A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is concerned with ensuring all devices are patched and running some sort of protection against malicious software.

  Which of the following existing technical controls should a security analyst recommend to BEST meet all the requirements?

  A. EDR
  B. Port security
  C. NAC
  D. Segmentation
  A. EDR

  ---

  Explanation

  EDR stands for endpoint detection and response, which is a type of security solution that monitors and protects all devices that are connected to a network, such as laptops and mobile phones. EDR can help to ensure that all devices are patched and running some sort of protection against malicious software by providing continuous visibility, threat detection, incident response, and remediation capabilities. EDR can also help to enforce security policies and compliance requirements across all devices .

  https://www.crowdstrike.com/epp-101/what-is-endpoint-detection-and-response-edr/