CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 241:

  A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

  A. Leave the proxy as is.

  B. Decomission the proxy.

  C. Migrate the proxy to the cloud.

  D. Patch the proxy.

  Correct Answer: B

  Since the proxy is not in use and has a critical vulnerability with a high CVSS score, the best course of action is to decommission the proxy. Patching the proxy might be an option if it were actively being used and could not be replaced, but since a new proxy is already in place, decommissioning is the most appropriate action.

• Question 242:

  An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

  A. Access rights

  B. Network segmentation C. Time synchronization

  D. Invalid playbook

  Correct Answer: C

  When examining events in multiple systems and having difficulty correlating data points, the most likely issue could be a lack of proper time synchronization across the systems. Time synchronization is crucial for accurate event correlation and forensic analysis, as it ensures that events are properly aligned in chronological order.

• Question 243:

  An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

  A. SOAR

  B. SIEM

  C. SLA

  D. IoC

  Correct Answer: A

  SOAR (Security Orchestration, Automation, and Response) is the best option to help the analyst implement the recommendation, as it reflects the software solution that enables security teams to integrate and coordinate separate tools into streamlined threat response workflows and automate repetitive tasks. SOAR is a term coined by Gartner in 2015 to describe a technology that combines the functions of security incident response platforms, security orchestration and automation platforms, and threat intelligence platforms in one offering. SOAR solutions help security teams to collect inputs from various sources, such as EDR agents, firewalls, or SIEM systems, and perform analysis and triage using a combination of human and machine power. SOAR solutions also allow security teams to define and execute incident response procedures in a digital workflow format, using automation to perform low-level tasks or actions, such as blocking an IP address or quarantining a device. SOAR solutions can help security teams to improve efficiency, consistency, and scalability of their operations, as well as reduce mean time to detect (MTTD) and mean time to respond (MTTR) to threats. The other options are not as suitable as SOAR, as they do not match the description or purpose of the recommendation. SIEM (Security Information and Event Management) is a software solution that collects and analyzes data from various sources, such as logs, events, or alerts, and provides security monitoring, threat detection, and incident response capabilities. SIEM solutions can help security teams to gain visibility, correlation, and context of their security data, but they do not provide automation or orchestration features like SOAR solutions. SLA (Service Level Agreement) is a document that defines the expectations and responsibilities between a service provider and a customer, such as the quality, availability, or performance of the service. SLAs can help to manage customer expectations, formalize communication, and improve productivity and relationships, but they do not help to implement technical recommendations like SOAR solutions. IoC (Indicator of Compromise) is a piece of data or evidence that suggests a system or network has been compromised by a threat actor, such as an IP address, a file hash, or a registry key. IoCs can help to identify and analyze malicious activities or incidents, but they do not help to implement response actions like SOAR solutions.

• Question 244:

  An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

  A. Disable the user's network account and access to web resources.

  B. Make a copy of the files as a backup on the server.

  C. Place a legal hold on the device and the user's network share.

  D. Make a forensic image of the device and create a SHA-1 hash.

  Correct Answer: D

  Making a forensic image of the device and creating a SRA-1 hash is the best step to preserve evidence, as it creates an exact copy of the device's data and verifies its integrity. A forensic image is a bit-by-bit copy of the device's storage media, which preserves all the information on the device, including deleted or hidden files. A SRA-I hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SRA-1 hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence's authenticity.

  https://www.sans.org/blog/forensics-101-acquiring-an-image-with-ftk-imager/ https://swailescomputerforensics.com/digital-forensics-imaging-hash-value/

• Question 245:

  An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

  A. Insider threat

  B. Ransomware group

  C. Nation-state

  D. Organized crime

  Correct Answer: C

• Question 246:

  A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

  A. config.ini

  B. ntds.dit

  C. Master boot record

  D. Registry

  Correct Answer: D

  The registry is a database that stores system configuration keys and values in a Windows environment. The registry contains information about the hardware, software, users, and preferences of the system. The registry can be accessed and modified using the Registry Editor tool (regedit.exe) or the command-line tool (reg.exe). The registry is organized into five main sections, called hives, which are further divided into subkeys and values. The other options are not the best descriptions of where the analyst can find system configuration keys and values in a Windows environment. config.ini (A) is a file that stores configuration settings for some applications, but it is not a database that stores system configuration keys and values. ntds.dit (B) is a file that stores the Active Directory data for a domain controller, but it is not a database that stores system configuration keys and values. Master boot record ?is a section of the hard disk that contains information about the partitions and the boot loader, but it is not a database that stores system configuration keys and values.

• Question 247:

  A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

  getConnection(database01,"alpha" ,"AxTv.127GdCx94GTd");

  Which of the following is the most likely vulnerability in this system?

  A. Lack of input validation

  B. SQL injection

  C. Hard-coded credential

  D. Buffer overflow

  Correct Answer: C

  The most likely vulnerability in this system is hard-coded credential. Hard-coded credential is a practice of embedding or storing a username, password, or other sensitive information in the source code or configuration file of a system or application. Hard-coded credential can pose a serious security risk, as it can expose the system or application to unauthorized access, data theft, or compromise if the credential is discovered or leaked by an attacker. Hard-coded credential can also make it difficult to change or update the credential if needed, as it may require modifying the code or file and redeploying the system or application.

• Question 248:

  A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

  A. Operating system version

  B. Registry key values

  C. Open ports

  D. IP address

  Correct Answer: B

• Question 249:

  A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

  A. /etc/shadow

  B. curl localhost

  C. ; printenv

  D. cat /proc/self/

  Correct Answer: A

  /etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a ulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file into the web application output, they can obtain the credentials of the users on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability.

  https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives https://www.comptia.org/certifications/cybersecurity-analyst https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered

• Question 250:

  A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://office365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

  A. This is a normal password change URL.

  B. The security operations center is performing a routine password audit.

  C. A new VPN gateway has been deployed.

  D. A social engineering attack is underway.

  Correct Answer: D

  The scenario you describe, where outbound traffic is going to a host IP that resolves to a domain similar to "office365password.acme.co," while the standard VPN logon page is "www.acme.com/logon," suggests a potential social engineering attack. Attackers often create deceptive domains that mimic legitimate ones to trick users into revealing sensitive information such as usernames and passwords. In this case, the similarity in domain names raises suspicion that it could be an attempt to phish login credentials from employees. Security analysts should investigate and take appropriate measures to mitigate the threat.