CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 221:

  Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

  A. Join an information sharing and analysis center specific to the company's industry

  B. Upload threat intelligence to the IPS in STIX'TAXII format

  C. Add data enrichment for IPs in the ingestion pipeline

  D. Review threat feeds after viewing the SIEM alert

  Correct Answer: C

  The best option to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address is C. Add data enrichment for IPS in the ingestion pipeline. Data enrichment is the process of adding more information and context to raw data, such as IP addresses, by using external sources. Data enrichment can help analysts to gain more insights into the nature and origin of the threats they face, and to prioritize and respond to them accordingly. Data enrichment for IPS (Intrusion Prevention System) means that the IPS can use enriched data to block or alert on malicious traffic based on various criteria, such as geolocation, reputation, threat intelligence, or behavior. By adding data enrichment for IPS in the ingestion pipeline, analysts can leverage the IPS's capabilities to filter out known-malicious IP addresses before they reach the SIEM, or to tag them with relevant information for further analysis. This can save time and resources for the analysts, and improve the accuracy and efficiency of the SIEM. The other options are not as effective or efficient as data enrichment for IPS in the ingestion pipeline. Joining an information sharing and analysis center (ISAC) specific to the company's industry (A) can provide valuable threat intelligence and best practices, but it may not be timely or comprehensive enough to cover all possible malicious IP addresses. Uploading threat intelligence to the IPS in STIX/TAXII format

  (B) can help the IPS to identify and block malicious IP addresses based on standardized indicators of compromise, but it may require manual or periodic updates and integration with the SIEM. Reviewing threat feeds after viewing the SIEM alert (D) can help analysts to verify and contextualize the malicious IP addresses, but it may be too late or too slow to prevent or mitigate the damage. Therefore, C is the best option among the choices given.

  Reference: https://ipinfo.io/use-cases/ip-data-for-data-enrichment

• Question 222:

  A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)

  A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level

  B. Review the headers from the forwarded email

  C. Examine the recipient address field

  D. Review the Content-Type header

  E. Evaluate the HELO or EHLO string of the connecting email server

  F. Examine the SPF, DKIM, and DMARC fields from the original email

  Correct Answer: BF

  Review the headers from the forwarded email: Examining the email headers can provide crucial information about the email's source, path, and any intermediaries it went through. This information can help identify signs of spoofing or suspicious behavior.

  Examine the SPF, DKIM, and DMARC fields from the original email: These three mechanisms (Sender Policy Framework - SPF, DomainKeys Identified Mail - DKIM, and Domain-based Message Authentication, Reporting, and Conformance DMARC) are used to authenticate the sender's domain and reduce the likelihood of email spoofing. Checking these fields can provide insights into the authenticity of the email.

• Question 223:

  A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

  A. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0

  B. AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L - Base Score 7.2

  C. AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H - Base Score 6.4

  D. AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L - Base Score 6.5

  Correct Answer: A

• Question 224:

  A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

  A. Integrate an IT service delivery ticketing system to track remediation and closure

  B. Create a compensating control item until the system can be fully patched

  C. Accept the risk and decommission current assets as end of life

  D. Request an exception and manually patch each system

  Correct Answer: A

  Reference: https://phoenix.security/using-slas-for-better-vulnerability-management-remediation-improving-developers-workflow/

• Question 225:

  Which of the following is the most important factor to ensure accurate incident response reporting?

  A. A well-defined timeline of the events

  B. A guideline for regulatory reporting

  C. Logs from the impacted system

  D. A well-developed executive summary

  Correct Answer: A

  Although all of the options presented are important factors in ensuring accurate incident response reporting, but option A, is generally considered the most important factor. Having a detailed timeline of events allows incident responders to understand the sequence of actions, the duration of the incident, and the relationships between different actions. This helps in identifying the root cause of the incident, understanding its scope, and crafting an effective response strategy.

• Question 226:

  A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

  A. grep [IP address] packets.pcap

  B. cat packets.pcap | grep [IP Address]

  C. tcpdump -n -r packets.pcap host [IP address]

  D. strings packets.pcap | grep [IP Address]

  Correct Answer: C

  The -n flag ensures that numeric IP addresses are not resolved to hostnames, and the -r flag specifies the input pcap file. The host [IP address] expression filters packets that involve the specified IP address, helping the security analyst detect connections to the suspicious IP address.

• Question 227:

  A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

  A. Nmap

  B. TCPDump

  C. SIEM

  D. EDR

  Correct Answer: B

  In this scenario, where the administrator suspects a DoS attack related to half-open TCP sessions consuming memory, TCPDump would be the best tool to use. It can help prove whether the server is experiencing this behavior by capturing and analyzing the network packets to identify patterns consistent with half-open TCP sessions.

• Question 228:

  A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

  A. CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  B. CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  C. CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  D. CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  Correct Answer: C

  Reference: https://www.first.org/cvss/specification-document

• Question 229:

  A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

  

  Which of the following vulnerability types is the security analyst validating?

  A. Directory traversal

  B. XSS

  C. XXE

  D. SSRF

  Correct Answer: C

  XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

  In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.

  References: https://portswigger.net/web-security/xxe https://portswigger.net/web-security/xxe/xml-entities https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

• Question 230:

  A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

  A. Implement segmentation with ACLs.

  B. Configure logging and monitoring to the SIEM.

  C. Deploy MFA to cloud storage locations.

  D. Roll out an IDS.

  Correct Answer: A