Which of the following evidence collection methods is most likely to be acceptable in court cases?
A. Copying all access files at the time of the incident
B. Creating a file-level archive of all files
C. Providing a full system backup inventory
D. Providing a bit-level image of the hard drive
Correct Answer: D
Question 22:
A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort?
A. SOAR
B. API
C. XDR
D. REST
Correct Answer: A
Security Orchestration, Automation, and Response (SOAR) can help the SOC analyst reduce the number of alarms by automating the process of removing duplicates and managing security alerts more efficiently. SOAR platforms enable security teams to define, prioritize, and standardize response procedures, which helps in reducing the workload and improving the overall efficiency of incident response by handling repetitive and low-level tasks automatically.
Question 23:
A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:
Which of the following exploits is most likely being attempted?
A. SQL injection
B. Local file inclusion
C. Cross-site scripting
D. Directory traversal
Correct Answer: A
SQL injection is a type of attack that injects malicious SQL statements into a web application's input fields or parameters in order to manipulate or access the underlying database. The request shown in the image contains an SQL injection attempt, as indicated by the "UNION SELECT" statement, which is used to combine the results of two or more queries. The attacker is trying to extract information from the database by appending the malicious query to the original one.
Question 24:
A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?
A. Cyber Threat Intelligence
B. Common Vulnerabilities and Exposures
C. Cyber Analytics Repository
D. ATT&CK
Correct Answer: B
The Common Vulnerabilities and Exposures (CVE) list is a public repository of standardized identifiers and descriptions for publicly known cybersecurity vulnerabilities. It helps security analysts identify, prioritize, and report on the most critical vulnerabilities in their systems and applications. The other options are not relevant for this purpose: Cyber Threat Intelligence (CTI) is a collection of information and analysis on current and emerging cyber threats; the Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the ATT&CK adversary model; ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations.
References: According to the CompTIA CySA+ Study Guide: CS0-003, 3rd Edition [1], one of the objectives for the exam is to "use appropriate tools and methods to manage, prioritize and respond to attacks and vulnerabilities". The book also covers the usage and syntax of various cybersecurity frameworks and standards, such as CVE, CTI, CAR, and ATT&CK, in chapter 1. Specifically, it explains the meaning and function of each framework and standard, such as CVE, which provides a common language for describing and sharing information about vulnerabilities [1, page 28]. Therefore, this is a reliable source to verify the answer to the question.
Question 25:
An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?
A. DKIM
B. SPF
C. SMTP
D. DMARC
Correct Answer: B
SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses authorized to send mail for a given domain. If an email hosting provider adds a new data center with new public IP addresses, the SPF record needs to be updated to include those new IP addresses; otherwise, emails from the new data center may fail SPF checks and get blocked by spam filters.
References:
1: Use DMARC to validate email, setup steps
2: How to set up SPF, DKIM and DMARC: other mail and hosting providers
3: Set up SPF, DKIM, or DMARC records for my hosting email
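To show concretely why the SPF record must change, here is an added example (not part of the original question set) that evaluates a sending IP against an SPF record the way a receiving mail server's SPF check does for ip4/ip6 mechanisms. The two records, the IP ranges and the sender addresses are constructed sample values; the include, a and mx mechanisms need live DNS lookups and are deliberately skipped so the example runs offline.

```python
import ipaddress

# Constructed sample records: the provider's SPF before and after the new
# data center (203.0.113.0/24, a documentation range) was added.
OLD_SPF = "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8:1::/48 -all"
NEW_SPF = "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"

# Qualifier prefixes and the SPF result each one yields on a match (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def spf_check(record, sender_ip):
    """Return the SPF result for sender_ip under record, evaluating ip4/ip6/all only.

    Mechanisms are tested left to right; the first match decides the result.
    include:, a and mx require DNS resolution and are skipped here, so a record
    that relies on them is evaluated as if those mechanisms did not match.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address without a prefix length is a single-host network.
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
    # No mechanism matched and no 'all' term: RFC 7208 says the result is neutral.
    return "neutral"


if __name__ == "__main__":
    new_dc_sender = "203.0.113.25"  # constructed address in the new data center
    print("old record:", spf_check(OLD_SPF, new_dc_sender))  # fail
    print("new record:", spf_check(NEW_SPF, new_dc_sender))  # pass
```

With the old record the new data center's mail gets a hard fail (the "-all" term), which is exactly what a spam filter acts on; after the ip4 mechanism for the new range is added the same sender passes. When updating a real record, also count the DNS lookups that include:, a and mx mechanisms consume, since exceeding the lookup limit of ten turns the whole evaluation into a permerror.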
Question 26:
A security analyst is trying to validate the results of a web application scan with Burp Suite.
The security analyst performs the following: Which of the following vulnerabilities is the security analyst trying to validate?
A. SQL injection
B. LFI
C. XSS
D. CSRF
Correct Answer: B
The security analyst is validating a Local File Inclusion (LFI) vulnerability, as indicated by the "../../../" sequences in the GET request, which are a common indicator of the directory traversal attempts associated with LFI. The other options are not relevant for this purpose: SQL injection involves injecting malicious SQL statements into a database query; XSS involves injecting malicious scripts into a web page; CSRF involves tricking a user into performing an unwanted action on a web application.
References:
According to the CompTIA CySA+ Study Guide: CS0-003, 3rd Edition [1], one of the objectives for the exam is to "use appropriate tools and methods to manage, prioritize and respond to attacks and vulnerabilities". The book also covers the usage and syntax of Burp Suite, a tool used for testing web application security, in chapter 6. Specifically, it explains the meaning and function of each component in Burp Suite, such as Repeater, which allows the security analyst to modify and resend individual requests [1, page 239]. Therefore, this is a reliable source to verify the answer to the question.
Question 27:
Which of the following is the most appropriate action for a security analyst to take to effectively identify the most security risks associated with a locally hosted server?
A. Run the operating system update tool to apply patches that are missing.
B. Contract an external penetration tester to attempt a brute-force attack.
C. Download a vendor support agent to validate drivers that are installed.
D. Execute a vulnerability scan against the target host.
Correct Answer: D
A vulnerability scan is a process of identifying and assessing the security weaknesses of a system or network. A vulnerability scan can help a security analyst effectively identify the most security risks associated with a locally hosted server, such as missing patches, misconfigurations, outdated software, or exposed services. A vulnerability scan can also provide recommendations on how to remediate the identified vulnerabilities and improve the security posture of the server [1][2].
References: 1: What is a Vulnerability Scan? | Definition and Examples 2: Securing a server: risks, challenges and best practices - Vaadata
Question 28:
During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?
A. The risk would not change because network firewalls are in use.
B. The risk would decrease because RDP is blocked by the firewall.
C. The risk would decrease because a web application firewall is in place.
D. The risk would increase because the host is external facing.
Correct Answer: D
Question 29:
A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?
A. Utilize an RDP session on an unused workstation to evaluate the malware.
B. Disconnect and utilize an existing infected asset off the network.
C. Create a virtual host for testing on the security analyst workstation.
D. Subscribe to an online service to create a sandbox environment.
Correct Answer: D
A sandbox environment is a safe and isolated way to analyze malware without affecting the organization's network. An online service can provide a sandbox environment without requiring the security analyst to set up a virtual host or use an RDP session. Disconnecting and using an existing infected asset is risky and may not provide accurate results. References: Malware Analysis: Steps and Examples, Dynamic Analysis
Question 30:
An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:
Which of the following represents the exploit code maturity of this critical vulnerability?
A. E:U
B. S:C
C. RC:R
D. AV:N
E. AC:L
Correct Answer: A
The exploit code maturity of a vulnerability is indicated by the E metric in the CVSS temporal score. The value U (Unproven) means that no exploit code is available, or an exploit is only theoretical [1]. The other options are not related to the exploit code maturity but to other aspects of the vulnerability, such as attack vector, scope, availability, and complexity [1].