CompTIA CS0-003 Online Practice Questions and Exam Preparation

CS0-003 Exam Details
Exam Code: CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+)
Certification: CompTIA Certifications
Vendor: CompTIA
Total Questions: 680 Q&As
Last Updated: Jun 02, 2026

CompTIA CS0-003 Online Questions & Answers
Question 81:
The SOC team reestablishes user access after a threat actor successfully performed a business account compromise in which the attacker revoked the legitimate user's access. The following logs are provided to a SOC analyst:
Which of the following did the threat actor most likely use during the compromise?
A. Brute-force password attack
B. A valid, leaked credential
C. Command-and-control traffic
D. Introduction of a new account
B. A valid, leaked credential
Question 82:
A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment.
Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?
A. A control that demonstrates that all systems authenticate using the approved authentication method
B. A control that demonstrates that access to a system is only allowed by using SSH
C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment
D. A control that demonstrates that the network security policy is reviewed and updated yearly
C. A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment
Explanation
A valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques is a control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment. This control helps ensure that the firewall rules are configured correctly and securely, and that they do not allow unnecessary or unauthorized access to the perimeter network. The other options are not compensating controls or do not address the risk of active reconnaissance. Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14.
Question 83:
Which of the following best describe the external requirements that are imposed for incident management communication? (Choose two.)
A. Law enforcement involvement
B. Compliance with regulatory requirements
C. Transparency to stockholders
D. Defined SLAs regarding services
E. Industry advocacy group participation
F. Framework guidelines
A. Law enforcement involvement
B. Compliance with regulatory requirements
Question 84:
A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has asked a security analyst to help tailor the response plan to provide broad coverage for many situations.
Which of the following is the best way to achieve this goal?
A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.
B. Focus on common attack vectors first.
Question 85:
Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation.
Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Select two.)
A. Signal-shielded bag
B. Tamper-evident seal
C. Thumb drive
D. Crime scene tape
E. Write blocker
F. Drive duplicator
A. Signal-shielded bag
B. Tamper-evident seal
Explanation
A signal-shielded bag and a tamper-evident seal are tools that can be used to maintain the integrity of the mobile phone while it is transported. A signal-shielded bag prevents the phone from receiving or sending any signals that could compromise the data or evidence on the device. A tamper-evident seal ensures that the phone has not been opened or altered during the transportation.
References:
Mobile device forensics, Section: Acquisition
Question 86:
Which of the following is a circumstance in which a security operations manager would most likely consider using automation?
A. The generation of NIDS rules based on received STIX messages
B. The fulfillment of privileged access requests to enterprise domain controllers
C. The verification of employee identities prior to initial PKI enrollment
D. The analysis of suspected malware binaries captured by an email gateway
A. The generation of NIDS rules based on received STIX messages
Explanation
Automating the generation of NIDS (Network Intrusion Detection System) rules based on Structured Threat Information eXpression (STIX) messages is a practical use of automation in security operations.
Option B (Privileged access requests) should involve human oversight due to the high risk of unauthorized access.
Option C (PKI identity verification) requires manual document verification and human approval.
Option D (Malware analysis) often requires sandboxing and behavioral analysis, which benefit from human expertise.
Thus, A is the correct answer, as automating threat intelligence ingestion and rule creation enhances efficiency in intrusion detection.
Question 87:
An analyst would like to start automatically ingesting IoCs into the EDR tool.
Which of the following sources would be the most cost effective for the analyst to use?
A. Government bulletins
B. Social media
C. Dark web
D. Blogs
A. Government bulletins
Question 88:
A systems analyst is limiting user access to system configuration keys and values in a Windows environment.
Which of the following describes where the analyst can find these configuration items?
A. config.ini
B. ntds.dit
C. Master boot record
D. Registry
D. Registry
Explanation
The registry is a database that stores system configuration keys and values in a Windows environment. The registry contains information about the hardware, software, users, and preferences of the system. The registry can be accessed and modified using the Registry Editor tool (regedit.exe) or the command-line tool (reg.exe). The registry is organized into five main sections, called hives, which are further divided into subkeys and values. The other options are not the best descriptions of where the analyst can find system configuration keys and values in a Windows environment. config.ini (A) is a file that stores configuration settings for some applications, but it is not a database that stores system configuration keys and values. ntds.dit (B) is a file that stores the Active Directory data for a domain controller, but it is not a database that stores system configuration keys and values. Master boot record (C) is a section of the hard disk that contains information about the partitions and the boot loader, but it is not a database that stores system configuration keys and values.
Question 89:
A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive compensating controls first. The systems have been grouped into the categories shown below:
Which of the following groups should be prioritized for compensating controls?
A. Group A
B. Group B
C. Group C
D. Group D
C. Group C
Question 90:
A security analyst is reviewing the following log entries to identify anomalous activity:
Which of the following attack types is occurring?
A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting
A. Directory traversal
Explanation
A directory traversal attack is a type of web application attack that exploits insufficient input validation or improper configuration to access files or directories that are outside the intended scope of the web server. The log entries given in the question show "../" sequences in the URL, each of which indicates an attempt to move up one level in the directory structure; one such request tries to access the /etc/passwd file, which contains user account information on Linux systems. If successful, this attack could allow an attacker to read, modify, or execute files on the web server that are not meant to be accessible.