CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 251:

  While reviewing web server logs, a security analyst found the following line:

  

  Which of the following malicious activities was attempted?

  A. Command injection

  B. XML injection

  C. Server-side request forgery

  D. Cross-site scripting

  Correct Answer: D

  XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute malicious scripts or commands on the client-side. XSS attackers inject malicious code, such as JavaScript, VBScript, HTML, or CSS, into a web page or application that is viewed by other users. The malicious code can then access or manipulate the user's session, cookies, browser history, or personal information, or perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or installing malware

  The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to insert an tag with a malicious SRC attribute that contains a VBScript code. The VBScript code is intended to display a message box with the text "test" when the user views the web page or application. This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web server or browser, or to launch more sophisticated and harmful attacks

• Question 252:

  Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

  A. SLA

  B. LOI

  C. MOU

  D. KPI

  Correct Answer: A

• Question 253:

  A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

  A. Data exfiltration

  B. Rogue device

  C. Scanning

  D. Beaconing

  Correct Answer: D

  Beaconing is the best term to describe the activity that is taking place, as it refers to the periodic communication between an infected host and a blocklisted external server. Beaconing is a common technique used by malware to establish a connection with a command-and-control (C2) server, which can provide instructions, updates, or exfiltration capabilities to the malware. Beaconing can vary in frequency, duration, and payload, depending on the type and sophistication of the malware. The other terms are not as accurate as beaconing, as they describe different aspects of malicious activity. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a C2 server or a cloud storage service. Data exfiltration can be a goal or a consequence of malware infection, but it does not necessarily involve blocklisted servers or consistent requests. Rogue device is a device that is connected to a network without authorization or proper security controls. Rogue devices can pose a security risk, as they can introduce malware, bypass firewalls, or access sensitive data. However, rogue devices are not necessarily infected with malware or communicating with blocklisted servers. Scanning is the process of probing a network or a system for vulnerabilities, open ports, services, or other information. Scanning can be performed by legitimate administrators or malicious actors, depending on the intent and authorization. Scanning does not imply consistent requests or blocklisted servers, as it can target any network or system.

• Question 254:

  A technician is analyzing output from a popular network mapping tool for a PCI audit:

  

  Which of the following best describes the output?

  A. The host is not up or responding.

  B. The host is running excessive cipher suites.

  C. The host is allowing insecure cipher suites.

  D. The Secure Shell port on this host is closed.

  Correct Answer: C

• Question 255:

  A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?

  A. SIEM

  B. XDR

  C. SOAR

  D. EDR

  Correct Answer: C

• Question 256:

  An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Choose two).

  A. Drop the tables on the database server to prevent data exfiltration.

  B. Deploy EDR on the web server and the database server to reduce the adversary's capabilities.

  C. Stop the httpd service on the web server so that the adversary can not use web exploits.

  D. Use microsegmentation to restrict connectivity to/from the web and database servers.

  E. Comment out the HTTP account in the /etc/passwd file of the web server.

  F. Move the database from the database server to the web server.

  Correct Answer: BD

• Question 257:

  A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

  A. Interview the users who access these systems.

  B. Scan the systems to see which vulnerabilities currently exist.

  C. Configure alerts for vendor-specific zero-day exploits.

  D. Determine the asset value of each system.

  Correct Answer: D

  Determining the asset value of each system is the best action to perform first, as it helps to categorize and prioritize the systems based on the sensitivity of the data they host. The asset value is a measure of how important a system is to the organization, in terms of its financial, operational, or reputational impact. The

  asset value can help the security analyst to assign a risk level and a protection level to each system, and to allocate resources accordingly. The other actions are not as effective as determining the asset value, as they do not directly address

  the goal of promoting confidentiality, availability, and integrity of the data.

  Interviewing the users who access these systems may provide some insight into how the systems are used and what data they contain, but it may not reflect the actual value or sensitivity of the data from an organizational perspective.

  Scanning the systems to see which vulnerabilities currently exist may help to identify and remediate some security issues, but it does not help to categorize or prioritize the systems based on their data sensitivity. Configuring alerts for vendor-

  specific zero-day exploits may help to detect and respond to some emerging threats, but it does not help to protect the systems based on their data sensitivity.

• Question 258:

  An incident response team member is triaging a Linux server. The output is shown below:

  

  Which of the following is the adversary most likely trying to do?

  A. Create a backdoor root account named zsh.

  B. Execute commands through an unsecured service account.

  C. Send a beacon to a command-and-control server.

  D. Perform a denial-of-service attack on the web server.

  Correct Answer: B

• Question 259:

  A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

  

  Which of the following best describes the suspicious activity that is occurring?

  A. A fake antivirus program was installed by the user.

  B. A network drive was added to allow exfiltration of data.

  C. A new program has been set to execute on system start.

  D. The host firewall on 192.168.1.10 was disabled.

  Correct Answer: C

  A new program has been set to execute on system start is the most likely cause of the suspicious activity that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a system and alerts the security analyst of any unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey, which is used to launch programs automatically when the system starts. The new registry key points to a file named "update.exe" in the Temp folder, which is likely a malicious executable disguised as a legitimate update file.

  https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives https://www.comptia.org/training/books/cysa-cs0-002-study-guide

• Question 260:

  A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:

  

  Which of the following log entries provides evidence of the attempted exploit?

  A. Log entry 1

  B. Log entry 2

  C. Log entry 3

  D. Log entry 4

  Correct Answer: A