CompTIA CompTIA CySA+ CS0-003 Questions & Answers

• Question 11:

  A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following:

  

  Which of the following vulnerabilities should be prioritized?

  A. Vulnerability 1

  B. Vulnerability 2

  C. Vulnerability 3

  D. Vulnerability 4

  Correct Answer: B

  Vulnerability 2 should be prioritized as it is exploitable, has high exploit activity, and is exposed externally according to the SMITTEN metric.

  References:

  Vulnerability Management Metrics: 5 Metrics to Start Measuring in Your Program, Section: Vulnerability Severity.

• Question 12:

  An analyst is investigating a phishing incident and has retrieved the following as part of the investigation:

  cmd.exe /c c:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile -EncodedCommand

  Which of the following should the analyst use to gather more information about the purpose of this command?

  A. Echo the command payload content into 'base64 -d'.

  B. Execute the command from a Windows VM.

  C. Use a command console with administrator privileges to execute the code.

  D. Run the command as an unprivileged user from the analyst workstation.

  Correct Answer: A

  The command in question involves an encoded PowerShell command, which is typically used by attackers to obfuscate malicious scripts. To decode and understand the payload, one would need to decode the base64 encoded string. This is why option A is the correct answer, as 'base64 -d' is a command used to decode data encoded with base64. This process will reveal the plaintext of the encoded command, which can then be analyzed to understand the actions that the attacker was attempting to perform. Option B is risky and not advised without a controlled and isolated environment. Option C is not safe because executing unknown or suspicious code with administrator privileges could cause harm to the system or network. Option D also poses a risk of executing potentially harmful code on an analyst's workstation.

• Question 13:

  Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

  A. Hacktivist

  B. Organized crime

  C. Nation-state

  D. Lone wolf

  Correct Answer: A

  Hacktivists are threat actors who use cyberattacks to promote a social or political cause, such as environmentalism, human rights, or democracy. They may target companies that they perceive as violating their values or harming the public interest. Hacktivists often use techniques such as defacing websites, launching denial-of-service attacks, or leaking sensitive data to expose or embarrass their targets. References: An introduction to the cyber threat environment, page 3; What is a Threat Actor? Types and Examples of Cyber Threat Actors, section 2.

• Question 14:

  The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

  A. Perform a forced password reset.

  B. Communicate the compromised credentials to the user.

  C. Perform an ad hoc AV scan on the user's laptop.

  D. Review and ensure privileges assigned to the user's account reflect least privilege.

  E. Lower the thresholds for SOC alerting of suspected malicious activity.

  Correct Answer: A

  The first and most urgent step to mitigate the impact of compromised credentials on the dark web is to perform a forced password reset for the affected user. This will prevent the cybercriminals from using the stolen credentials to access the company's network and systems. Multifactor authentication is a good security measure, but it is not foolproof and can be bypassed by sophisticated attackers. Therefore, changing the password as soon as possible is the best practice to reduce the risk of a data breach or other cyber attack123 References: 1: How to monitor the dark web for compromised employee credentials 2: How to prevent corporate credentials ending up on the dark web 3: Data Breach Prevention: Identifying Leaked Credentials on the Dark Web

• Question 15:

  While reviewing web server logs, a security analyst discovers the following suspicious line:

  

  Which of the following is being attempted?

  A. Remote file inclusion

  B. Command injection

  C. Server-side request forgery

  D. Reverse shell

  Correct Answer: D

  The suspicious line of code indicates an attempt to establish a reverse shell connection from the compromised web server to an external IP address (10.0.0.1) and a specific port (1234). This indicates that the attacker is attempting to gain unauthorized remote access to the web server by opening a network socket, executing a shell command (/bin/sh -i), and redirecting the input and output to the network socket.

• Question 16:

  A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

  A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts.

  B. A threat actor has a foothold on the network and is sending out control beacons.

  C. An administrator executed a new database replication process without notifying the SOC.

  D. An insider threat actor is running Responder on the local segment, creating traffic replication.

  Correct Answer: C

  Port 1433 is commonly used by Microsoft SQL Server, which is a database management system. A spike in traffic on this port between two IP addresses on opposite sides of a WAN connection could indicate a database replication process, which is a way of copying and distributing data from one database server to another. This could be a legitimate activity performed by an administrator, but it should be communicated to the security operations center (SOC) to avoid confusion and false alarms. References: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 3: Security Operations, page 107; CompTIA CySA+ Study Guide: S0-003, 3rd Edition, Chapter 4: Security Operations, page 153.

• Question 17:

  Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

  A. Performing dynamic application security testing

  B. Reviewing the code

  C. Fuzzing the application

  D. Debugging the code

  E. Implementing a coding standard

  F. Implementing IDS

  Correct Answer: BD

  Reviewing the code and debugging the code are two methods that can help a developer identify and fix runtime errors in the code. Reviewing the code involves checking the syntax, logic, and structure of the code for any errors or inconsistencies. Debugging the code involves running the code in a controlled environment and using tools such as breakpoints, watches, and logs to monitor the execution and find the source of errors. Both methods can help improve the quality and security of the code.

• Question 18:

  Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe?

  A. Business continuity plan

  B. Lessons learned

  C. Forensic analysis

  D. Incident response plan

  Correct Answer: B

  The lessons learned process is the final stage of the incident management life cycle, where the incident team reviews the incident and evaluates the effectiveness of the response and the plans in place. The lessons learned report should include the who-what-when information and any recommendations for improvement

• Question 19:

  The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

  

  Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

  A. SQL01

  B. WK10-Sales07

  C. WK7-Plant01

  D. DCEast01

  E. HQAdmin9

  Correct Answer: D

  Since the binary was distributed via group policy, gaining access to the domain controller would be pivotal.

• Question 20:

  After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

  A. DNS poisoning

  B. Pharming

  C. Phishing

  D. Cross-site scripting

  Correct Answer: D

  Cross-site scripting (XSS): This attack exploits input validation vulnerabilities. XSS allows attackers to inject malicious scripts into webpages viewed by other users. Proper input validation and sanitization of user inputs are essential to prevent XSS attacks.