An organization has tracked several incidents that are listed in the following table:
Which of the following is the organization's MTTD?
A. 140
B. 150
C. 160
D. 180
Correct Answer: C
The MTTD (Mean Time To Detect) is calculated by averaging the time elapsed in detecting each incident. From the given data: (180+150+170+140)/4 = 160 minutes. This is the correct answer according to the CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 4, page 161. References: CompTIA CySA+ Study Guide: CS0-003, 3rd Edition, Chapter 4, page 153; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 4, page 161.
Question 92:
Which of the following would likely be used to update a dashboard that integrates.....?
A. Webhooks
B. Extensible Markup Language
C. Threat feed combination
D. JavaScript Object Notation
Correct Answer: D
JavaScript Object Notation (JSON) is commonly used for transmitting data in web applications and would be suitable for updating dashboards that integrate various data sources. It's lightweight and easy to parse and generate.
Question 93:
A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?
A. Reverse engineering
B. Known environment testing
C. Dynamic application security testing
D. Code debugging
Correct Answer: C
Dynamic Application Security Testing (DAST) is used to detect vulnerabilities in running applications, including common issues such as SQL injection, RFI, and XSS. It aligns with the goal of implementing security by design.
Question 94:
An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender.
Which of the following information security goals is the analyst most likely trying to achieve?
A. Non-repudiation
B. Authentication
C. Authorization
D. Integrity
Correct Answer: A
Non-repudiation ensures that a message sender cannot deny the authenticity of a message they sent. Allowing a recipient to prove a message's origin to a third party is exactly this goal, which is why it is a fundamental aspect of secure messaging systems, especially in banking and financial communications, where it matters for both legal and security reasons.
Question 95:
A security team identified several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the following controls would best allow the organization to identify rogue devices more quickly?
A. Implement a continuous monitoring policy.
B. Implement a BYOD policy.
C. Implement a portable wireless scanning policy.
D. Change the frequency of network scans to once per month.
Correct Answer: A
A continuous monitoring policy is a set of procedures and tools that enable an organization to detect and respond to unauthorized or anomalous activities on its network in real time or near real time. It can identify rogue access points as soon as they appear on the network, rather than waiting for quarterly or even monthly scans. Continuous monitoring also improves the organization's overall security posture and compliance by providing timely and accurate information about its network assets, vulnerabilities, threats, and incidents.
Question 96:
An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Select two).
A. Creation time of dropper
B. Registry artifacts
C. EDR data
D. Prefetch files
E. File system metadata
F. Sysmon event log
Correct Answer: BC
Registry artifacts: Registry artifacts may contain traces of the malware's activities, including changes to system configurations, startup entries, and other modifications that the malware might have made to disable security services. EDR data: Endpoint Detection and Response (EDR) data provides comprehensive visibility into the actions taken by the malware on the host. It can capture details such as process execution, file modifications, and any attempts by the malware to clean up after itself.
These sources are likely to contain valuable information for understanding how the malware was deployed, what actions it took, and how it was able to achieve its objectives.
Question 97:
A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
A. Scan the employee's computer with virus and malware tools.
B. Review the actions taken by the employee and the email related to the event.
C. Contact human resources and recommend the termination of the employee.
D. Assign security awareness training to the employee involved in the incident.
Correct Answer: B
In the case of a phishing attack, it is crucial to review what actions were taken by the employee and to analyze the phishing email to understand its nature and impact. References: CompTIA CySA+ Study Guide: CS0-003, 3rd Edition, Chapter 6, page 246; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 6, page 255.
Question 98:
A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how an analyst should properly document the incident?
A. Back up the configuration file for all network devices
B. Record and validate each connection
C. Create a full diagram of the network infrastructure
D. Take photos of the impacted items
Correct Answer: D
When documenting a physical incident in a network data closet, taking photos of the impacted items provides a clear and immediate visual record of the situation and its physical context, which is essential for thorough incident documentation and the subsequent investigation. Backing up configuration files, recording connections, and creating network diagrams, while important, are not the primary means of documenting the physical aspects of an incident.
Question 99:
Which of the following should be updated after a lessons-learned review?
A. Disaster recovery plan
B. Business continuity plan
C. Tabletop exercise
D. Incident response plan
Correct Answer: D
A lessons-learned review is a process of evaluating the effectiveness and efficiency of the incident response plan after an incident or an exercise. The purpose of the review is to identify the strengths and weaknesses of the incident response plan, and to update it accordingly to improve the future performance and resilience of the organization. Therefore, the incident response plan should be updated after a lessons-learned review. References: The answer was based on the NCSC CAF guidance from the National Cyber Security Centre, which states: "You should use post-incident and post-exercise reviews to actively reduce the risks associated with the same, or similar, incidents happening in future. Lessons learned can inform any aspect of your cyber security, including: system configuration; security monitoring and reporting; investigation procedures; containment/recovery strategies."
Question 100:
A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment.
Which of the following must be considered to ensure the consultant does no harm to operations?
A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours
Correct Answer: C
In environments with fragile and legacy equipment, passive scanning is preferred to prevent any potential disruptions that active scanning might cause.
When assessing the security of an Operational Technology (OT) network, especially one with fragile and legacy equipment, it is crucial to use passive instead of active vulnerability scans. Active scanning can disrupt the operation of sensitive or older equipment. Passive scanning listens to network traffic without sending probing requests, which minimizes the risk of disruption.