CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 211:

  Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

  A. Mean time to detect

  B. Mean time to respond

  C. Mean time to remediate

  D. Service-level agreement uptime

  Correct Answer: A

• Question 212:

  Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

  A. Deploy a database to aggregate the logging

  B. Configure the servers to forward logs to a SIEM

  C. Share the log directory on each server to allow local access.

  D. Automate the emailing of logs to the analysts.

  Correct Answer: B

  The best implementation to give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually is B. Configure the servers to forward logs to a SIEM. A SIEM (Security Information and Event Management) is a security solution that helps organizations detect, analyze, and respond to security threats before they disrupt business1. SIEM tools collect, aggregate, and correlate log data from various sources across an organization's network, such as applications, devices, servers, and users. SIEM tools also provide real-time alerts, dashboards, reports, and incident response capabilities to help security teams identify and mitigate cyberattacks. By configuring the servers to forward logs to a SIEM, the security analysts can have a central view of potential threats and monitor security incidents across the corporate environment without logging in to the servers individually. This can save time, improve efficiency, and enhance security posture. Deploying a database to aggregate the logging (A) may not provide the same level of analysis, correlation, and alerting as a SIEM tool. Sharing the log directory on each server to allow local access ?may not be scalable or secure for a large number of servers. Automating the emailing of logs to the analysts (D) may not be timely or effective for real-time threat detection and response. Therefore, B is the best option among the choices given.

• Question 213:

  An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

  A. Perform a tabletop drill based on previously identified incident scenarios.

  B. Simulate an incident by shutting down power to the primary data center.

  C. Migrate active workloads from the primary data center to the secondary location.

  D. Compare the current plan to lessons learned from previous incidents.

  Correct Answer: A

  performing a tabletop drill based on previously identified incident scenarios, is the best choice to test the changes in the BC (Business Continuity) and DR (Disaster Recovery) plans without impacting the business.

  A tabletop drill involves gathering key stakeholders and walking through various hypothetical scenarios and how they would be handled based on the updated plans.This approach ensures that the organization can test its preparedness without causing any actual disruption or risk to business operations.

  Reference: https://www.alertmedia.com/blog/tabletop-exercises/

• Question 214:

  During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

  A. Header analysis

  B. Packet capture

  C. SSL inspection

  D. Reverse engineering

  Correct Answer: A

• Question 215:

  An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

  A. Blocklisting

  B. Allowlisting

  C. Graylisting

  D. Webhooks

  Correct Answer: B

  Reference: https://www.sentinelone.com/cybersecurity-101/application-whitelisting/

• Question 216:

  During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

  A. Shut down the server.

  B. Reimage the server.

  C. Quarantine the server.

  D. Update the OS to latest version.

  Correct Answer: C

  Quarantining the server is the best action to perform immediately, as it isolates the affected server from the rest of the network and prevents the ransomware from spreading to other systems or data. Quarantining the server also preserves the evidence of the ransomware attack, which can be useful for forensic analysis and law enforcement investigation. The other actions are not as urgent as quarantining the server, as they may not stop the ransomware infection, or they may destroy valuable evidence. Shutting down the server may not remove the ransomware, and it may trigger a data deletion mechanism by the ransomware. Reimaging the server may restore its functionality, but it will also erase any traces of the ransomware and make recovery of encrypted data impossible. Updating the OS to the latest version may fix some vulnerabilities, but it will not remove the ransomware or decrypt the data.

  https://www.cisa.gov/stopransomware/ransomware-guide https://www.cisa.gov/stopransomware/ive-been-hit-ransomware

• Question 217:

  A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

  A. Deploy agents on all systems to perform the scans

  B. Deploy a central scanner and perform non-credentialed scans

  C. Deploy a cloud-based scanner and perform a network scan

  D. Deploy a scanner sensor on every segment and perform credentialed scans

  Correct Answer: A

• Question 218:

  A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

  A. Data masking

  B. Hashing

  C. Watermarking

  D. Encoding

  Correct Answer: A

  Reference: https://aws.amazon.com/what-is/data-masking/#:~:text=Data%20masking%20creates%20fake%20versions,access%20to%20the%20original%20dataset

• Question 219:

  The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?

  A. The message fails a DMARC check

  B. The sending IP address is the hosting provider

  C. The signature does not meet corporate standards

  D. The sender and reply address are different

  Correct Answer: A

  Reference: https://easydmarc.com/tools/dmarc-lookup

• Question 220:

  An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

  A. Multifactor authentication

  B. Password changes

  C. System hardening

  D. Password encryption

  Correct Answer: B