CompTIA CS0-003 Online Practice Questions and Exam Preparation
CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: Jun 02, 2026
CompTIA CS0-003 Online Questions & Answers
Question 71:
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well.
Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
A. C2 beaconing activity
Explanation
The most likely explanation for this traffic pattern is C2 beaconing activity. C2 stands for command and control, a phase of the Cyber Kill Chain in which the adversary attempts to establish communication with a successfully exploited target. C2 beaconing is network traffic in which a compromised system sends periodic messages or signals to an attacker-controlled server, typically over common protocols such as HTTP(S), DNS, ICMP, or UDP so that it blends in with legitimate traffic. The regular, round-the-clock outbound HTTPS connections from a server that should not initiate outbound connections at all fit this pattern. C2 beaconing lets the attacker remotely control or manipulate the target system or network through malware callbacks, backdoors, botnets, or covert channels.
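The regularity described above (periodic outbound connections that continue outside working hours) is something an analyst can test for in flow or proxy logs. The following Python is an added example, not part of the original page: it groups constructed outbound flow records by source, destination and port and flags talkers whose inter-connection intervals are nearly constant and who keep connecting after hours. The thresholds, the 10.0.5.x and 203.0.113.x addresses, and the flow records are all assumptions constructed for the example.

```python
"""Beacon-regularity check over outbound flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow log: (timestamp, src, dst, dst_port). One server talks to a
# public IP every 10 minutes (+-5 s jitter) day and night; a second host only
# makes a handful of irregular daytime connections. Addresses are made up.
BASE = datetime(2024, 3, 4, 0, 0, 0)
FLOWS = []
for i in range(144):  # 24 h of 10-minute beacons with small jitter
    jitter = timedelta(seconds=(i % 3) * 5)
    FLOWS.append((BASE + timedelta(minutes=10 * i) + jitter,
                  "10.0.5.20", "203.0.113.77", 443))
for m in (9 * 60 + 3, 9 * 60 + 47, 11 * 60 + 20, 14 * 60 + 5, 16 * 60 + 58):
    FLOWS.append((BASE + timedelta(minutes=m), "10.0.5.21", "198.51.100.9", 443))


def beacon_candidates(flows, min_conns=20, max_cv=0.2, work_start=8, work_end=18):
    """Return {(src, dst, port): stats} for talkers whose gaps between
    connections are regular (coefficient of variation <= max_cv, an assumed
    threshold) and that keep connecting outside working hours."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:          # too few connections to judge
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0   # jitter relative to period
        after_hours = sum(1 for t in times if not work_start <= t.hour < work_end)
        if cv <= max_cv and after_hours > 0:
            hits[pair] = {"count": len(times), "mean_gap_s": round(avg, 1),
                          "cv": round(cv, 3), "after_hours": after_hours}
    return hits


if __name__ == "__main__":
    for pair, stats in beacon_candidates(FLOWS).items():
        print(pair, stats)
```

A low coefficient of variation alone is not proof of C2 (scheduled jobs and monitoring agents also beacon), so the flagged pairs are leads to reconcile against the server's expected outbound connections, not verdicts.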
Question 72:
A security analyst needs to block vulnerable ports and disable legacy protocols. The analyst has ensured NetBIOS trio, Telnet, SMB, and TFTP are blocked and/or disabled.
Which of the following additional protocols should the analyst block next?
A. LDAPS v3
B. SNMP v1
C. TLS 1.3
D. Kerberos v5
B. SNMP v1
Question 73:
An analyst is trying to capture anomalous traffic from a compromised host.
Which of the following are the best tools for achieving this objective?
(Select two).
A. tcpdump
B. SIEM
C. Vulnerability scanner
D. Wireshark
E. Nmap
F. SOAR
A. tcpdump, D. Wireshark
Explanation
To capture and analyze network traffic, the two best tools are:
tcpdump (Option A): a command-line packet capture tool used for network traffic analysis.
Wireshark (Option D): a GUI-based network packet analysis tool that provides deep inspection capabilities.
Option B (SIEM) is for log aggregation and does not capture traffic.
Option C (Vulnerability scanner) identifies weaknesses but does not capture network traffic.
Option E (Nmap) is used for network discovery and port scanning, not for capturing traffic.
Option F (SOAR) automates security processes but does not capture traffic.
Thus, A (tcpdump) and D (Wireshark) are correct, as they are the best tools for capturing and analyzing anomalous network traffic.
Question 74:
A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities.
Which of the following is the BEST action for the security analyst to take?
A. Disable the appropriate settings in the administrative template of the Group Policy.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
C. Modify the registry keys that correlate with the access settings for the System32 directory.
D. Remove the user's permissions from the various system executables.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
Explanation
AppLocker: This is a Windows feature that allows administrators to control which applications and files users can run. By creating a set of whitelist (allowed applications) and blacklist (blocked applications) rules specific to group membership, the security analyst can effectively control access to the command prompt, PowerShell, and other system utilities based on the user's group membership. This provides a flexible and manageable solution to restrict unauthorized access.
Question 75:
A vulnerability scanner generates the following output:
The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities.
Which of the following should the analyst prioritize first for remediation?
A. Oracle JDK
B. Cisco Webex
C. Redis Server
D. SSL Self-signed Certificate
A. Oracle JDK
Question 76:
Which of the following best describes the key goal of the containment stage of an incident response process?
A. To limit further damage from occurring
B. To get services back up and running
C. To communicate goals and objectives of the incident response plan
D. To prevent follow-on data exfiltration actions by the adversary
A. To limit further damage from occurring
Explanation
The key goal of the containment stage in an incident response process is to limit further damage from occurring. This involves taking immediate steps to isolate the affected systems or network segments to prevent the spread of the incident and mitigate its impact. Containment strategies can be short-term, to quickly stop the incident, or long-term, to prepare for the eradication and recovery phases.
Question 77:
The security team reviews a web server for XSS and runs the following Nmap scan:
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Explanation
A cross-site scripting (XSS) attack is a web application attack that injects malicious code into a web page, which is then executed by the browser of a victim user. In a reflected XSS attack, the malicious code is embedded in a URL or form parameter that is sent to the web server and reflected back to the victim's browser in the response. In this case, the Nmap scan shows that the web server is vulnerable to a reflected XSS attack, as it returns the characters > and " without any filtering or encoding. The vulnerable parameter is id in the URL http://172.31.15.2.php?id=2.
Question 78:
A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails.
Which of the following should the CISO include in an action plan to remediate this issue?
A. Awareness training and education
B. Replacement of legacy applications
C. Organizational governance
D. Multifactor authentication on all systems
A. Awareness training and education
Explanation
Awareness training and education are essential to help staff recognize phishing emails and understand safe email practices, particularly when using legacy applications that might not have the latest security features. Training helps build a culture of security mindfulness, which is critical for preventing social engineering attacks. According to CompTIA Security+ and CySA+ frameworks, user education is a fundamental aspect of organizational defense against phishing. Options like replacing applications or implementing MFA (while helpful) do not directly address the need for user awareness in this scenario.
Question 79:
A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue.
Which of the following are the best options to help identify flaws within the system? (Select two).
A. Deploying a WAF
B. Performing a forensic analysis
C. Contracting a penetration test
D. Holding a tabletop exercise
E. Creating a bug bounty program
F. Implementing threat modeling
C. Contracting a penetration test, E. Creating a bug bounty program
Explanation
To identify existing vulnerabilities in the web application, the best options are to contract a penetration test and create a bug bounty program. A penetration test simulates attacks against the application to uncover security flaws proactively. A bug bounty program incentivizes external security researchers to find and report vulnerabilities, expanding the testing scope without overburdening internal resources. According to CompTIA CySA+, both methods are highly effective in identifying vulnerabilities from an external perspective, particularly when internal resources are limited. Options like a WAF (A) focus more on prevention than detection, while threat modeling (F) and tabletop exercises (D) are generally proactive measures not focused on active flaw identification.
Question 80:
Legacy medical equipment, which contains sensitive data, cannot be patched.
Which of the following is the best solution to improve the equipment's security posture?
A. Move the legacy systems behind a WAF.
B. Implement an air gap for the legacy systems.
C. Place the legacy systems in the perimeter network.
D. Implement a VPN between the legacy systems and the local network.
B. Implement an air gap for the legacy systems.
Explanation
Implementing an air gap for the legacy systems is the best solution to improve their security posture. An air gap is a physical separation of a system or network from any other system or network that may pose a threat; it prevents unauthorized access or data transfer between the isolated system and the external environment. Because the equipment cannot be patched, air-gapping it removes the network path an attacker would need to exploit its unpatched vulnerabilities.