CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 131:

  SIMULATION You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not The company's hardening guidelines indicate the following:

  1.

  TLS 1 2 is the only version of TLS running.

  2.

  Apache 2.4.18 or greater should be used.

  3.

  Only default ports should be used.

  INSTRUCTIONS

  using the supplied data. record the status of compliance With the company's guidelines for each server.

  The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for Issues based ONLY on the hardening guidelines provided.

  Part 1: AppServ1:

  

  AppServ2:

  

  AppServ3:

  

  AppServ4:

  

  Part 2:

  

  

  A. See the solution below in Explanation.

  B. PlaceHoder

  C. PlaceHoder

  D. PlaceHoder

  Correct Answer: A

  Part 1:

  

  Part 2:

  Based on the compliance report, I recommend the following changes for each server: AppServ1: No changes are needed for this server. AppServ2: Disable or upgrade TLS 1.0 and TLS 1.1 to TLS 1.2 on this server to ensure secure encryption and communication between clients and the server. Update Apache from version 2.4.17 to version 2.4.18 or greater on this server to fix any potential vulnerabilities or bugs. AppServ3: Downgrade Apache from version 2.4.19 to version 2.4.18 or lower on this server to ensure compatibility and stability with the company's applications and policies. Change the port number from 8080 to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with other services. AppServ4: Update Apache from version 2.4.16 to version 2.4.18 or greater on this server to fix any potential vulnerabilities or bugs. Change the port number from 8443 to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with other services.

• Question 132:

  SIMULATION

  A healthcare organization must develop an action plan based on the findings from a risk assessment. The action plan must consist of:

  1.

  Risk categorization

  2.

  Risk prioritization

  3.

  Implementation of controls

  INSTRUCTIONS

  Click on the audit report, risk matrix, and SLA expectations documents to review their contents.

  On the Risk categorization tab, determine the order in which the findings must be prioritized for remediation according to the risk rating score. Then, assign a categorization to each risk.

  On the Controls tab, select the appropriate control(s) to implement for each risk finding.

  Findings may have more than one control implemented. Some controls may be used more than once or not at all.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  A. See the solution below in Explanation.

  B. PlaceHoder

  C. PlaceHoder

  D. PlaceHoder

  Correct Answer: A

  

• Question 133:

  HOTSPOT

  A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run. INSTRUCTIONS Part 1 Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization. Part 2

  Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used.

  

  Firewall log:

  

  

  File integrity Monitoring Report:

  

  Malware domain list:

  

  Vulnerability Scan Report:

  

  Phishing Email:

  

  Hot Area:

  

  Correct Answer:

  

  

• Question 134:

  HOTSPOT

  An organization has noticed large amounts of data are being sent out of its network. An analyst is identifying the cause of the data exfiltration.

  INSTRUCTIONS

  Select the command that generated the output in tabs 1 and 2.

  Review the output text in all tabs and identify the file responsible for the malicious behavior.

  If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

  

  

  Hot Area:

  

  Correct Answer:

  

• Question 135:

  A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

  A. Corrective controls

  B. Compensating controls

  C. Operational controls

  D. Administrative controls

  Correct Answer: B

  Compensating controls are alternative controls that provide a similar level of protection as the original controls, but are used when the original controls are not feasible or cost-effective. In this case, the CISO implemented compensating controls by reviewing logs and audit trails to mitigate the risk of error and fraud in payroll management, since segregating duties was not possible due to the small staff size

• Question 136:

  Which of the following is the most important reason for an incident response team to develop a formal incident declaration?

  A. To require that an incident be reported through the proper channels

  B. To identify and document staff who have the authority to declare an incident

  C. To allow for public disclosure of a security event impacting the organization

  D. To establish the department that is responsible for responding to an incident

  Correct Answer: B

  The formal incident declaration is crucial to identify and document the staff who have the authority to declare an incident, ensuring that incidents are handled by authorized personnel. References: CompTIA CySA+ Study Guide: S0-003, 3rd Edition, Chapter 5: Incident Response, page 197.

• Question 137:

  After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the following did the change management team fail to do?

  A. Implementation

  B. Testing

  C. Rollback

  D. Validation

  Correct Answer: B

  Testing is a crucial step in any change management process, as it ensures that the change is compatible with the existing systems and does not cause any errors or disruptions. In this case, the change management team failed to test the email client patch on Windows 11 devices, which resulted in a widespread issue for the users. Testing would have revealed the problem before the patch was deployed, and allowed the team to fix it or postpone the change. References: 7 Reasons Why Change Management Strategies Fail and How to Avoid Them, CompTIA CySA+ CS0-003 Certification Study Guide

• Question 138:

  When undertaking a cloud migration of multiple SaaS application, an organizations system administrator struggled ... identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

  A. CASB

  B. SASE

  C. ZTNA

  D. SWG

  Correct Answer: A

  A Cloud Access Security Broker (CASB) would have reduced the complexity of identity and access management in cloud-based assets. CASBs provide visibility into cloud application usage, data protection, and governance for cloud-based services.

• Question 139:

  Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

  A. Turn on all systems, scan for infection, and back up data to a USB storage device.

  B. Identify and remove the software installed on the impacted systems in the department.

  C. Explain that malware cannot truly be removed and then reimage the devices.

  D. Log on to the impacted systems with an administrator account that has privileges to perform backups.

  E. Segment the entire department from the network and review each computer offline.

  Correct Answer: E

  Segmenting the entire department from the network and reviewing each computer offline is the first step the incident response staff members should take when they arrive. This step can help contain the malware infection and prevent it from spreading to other systems or networks. Reviewing each computer offline can help identify the source and scope of the infection, and determine the best course of action for recovery12. Turning on all systems, scanning for infection, and backing up data to a USB storage device is a risky step, as it can activate the malware and cause further damage or data loss. It can also compromise the USB storage device and any other system that connects to it. Identifying and removing the software installed on the impacted systems in the department is a possible step, but it should be done after segmenting the department from the network and reviewing each computer offline. Explaining that malware cannot truly be removed and then reimaging the devices is a drastic step, as it can result in data loss and downtime. It should be done only as a last resort, and after backing up the data and verifying its integrity. Logging on to the impacted systems with an administrator account that has privileges to perform backups is a dangerous step, as it can expose the administrator credentials and privileges to the malware, and allow it to escalate its access and capabilities34. References: Incident Response: Processes, Best Practices and Tools - Atlassian, Incident Response Best Practices | SANS Institute, Malware Removal: How to Remove Malware from Your Device, How to Remove Malware From Your PC | PCMag

• Question 140:

  An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

  A. Creating a playbook denoting specific SLAs and containment actions per incident type

  B. Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

  C. Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

  D. Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

  Correct Answer: B

  This option ensures that the organization is aligned with legal, regulatory, and policy requirements for incident reporting, including who is responsible for external reporting and the timing requirements. Documenting specific Service Level Agreements (SLAs) will provide clear guidance and help prevent discrepancies in future incidents.