CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 291:

  While reviewing system logs, a network administrator discovers the following entry:

  

  Which of the following occurred?

  A. An attempt was made to access a remote workstation.

  B. The PsExec services failed to execute.

  C. A remote shell failed to open.

  D. A user was trying to download a password file from a remote system.

  Correct Answer: A

• Question 292:

  A security analyst is analyzing the following output from the Spider tab of OWASP ZAP after a vulnerability scan was completed:

  

  Which of the following options can the analyst conclude based on the provided output?

  A. The scanning vendor used robots to make the scanning job faster

  B. The scanning job was successfully completed, and no vulnerabilities were detected

  C. The scanning job did not successfully complete due to an out of scope error

  D. The scanner executed a crawl process to discover pages to be assessed

  Correct Answer: D

  The output shows the result of usi"fter a vulnerability scan was completed. The Spider tab allows users to crawl web applications and discover pages and resources that can be assessed for vulnerabilities. The output shows that the scanner

  discovered various pages under different directories, such as /admin/, /blog/, /contact/, etc., as well as some parameters and forms that can be used for testing inputs and outputs. CompTIA Cybersecurity Analyst (CySA+) Certification Exam

  Objectives (CS0-002), page 9;

  https://www.zaproxy.org/docs/desktop/start/features/spider/

• Question 293:

  An organization implemented an extensive firewall access-control blocklist to prevent internal network ranges from communicating with a list of IP addresses of known command-and-control domains A security analyst wants to reduce the load on the firewall. Which of the following can the analyst implement to achieve similar protection and reduce the load on the firewall?

  A. A DLP system

  B. DNS sinkholing

  C. IP address allow list

  D. An inline IDS

  Correct Answer: B

  DNS sinkholing is a mechanism that can prevent internal network ranges from communicating with a list of IP addresses of known command-and-control domains by returning a false or controlled IP address for those domains. This can

  reduce the load on the firewall by intercepting the DNS requests before they reach the firewall and diverting them to a sinkhole server. The other options are not relevant or effective for this purpose. CompTIA Cybersecurity Analyst (CySA+)

  Certification Exam Objectives (CS0-002), page 9;

  https://www.enisa.europa.eu/topics/incidentresponse/glossary/dns-sinkhole

• Question 294:

  Which of the following describes the difference between intentional and unintentional insider threats'?

  A. Their access levels will be different

  B. The risk factor will be the same

  C. Their behavior will be different

  D. The rate of occurrence will be the same

  Correct Answer: C

  The difference between intentional and unintentional insider threats is their behavior. Intentional insider threats are malicious actors who deliberately misuse their access to harm the organization or its assets. Unintentional insider threats are

  careless or negligent users who accidentally compromise the security of the organization or its assets. Their access levels, risk factors, and rates of occurrence may vary depending on various factors, but their behavior is the main distinction.

  Reference:

  CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 12;

  https://www.cisa.gov/sites/default/files/publications/Insider_Threat_Mitigation_Guide_508.pdf

• Question 295:

  Which of the following is the BEST option to protect a web application against CSRF attacks?

  A. Update the web application to the latest version.

  B. Set a server-side rate limit for CSRF token generation.

  C. Avoid the transmission of CSRF tokens using cookies.

  D. Configure the web application to only use HTTPS and TLS 1.3.

  Correct Answer: C

  CSRF tokens are random values that are generated by the server and included in requests that perform state-changing actions. They are used to prevent CSRF attacks by verifying that the request originates from a legitimate source. However, if the CSRF tokens are transmitted using cookies, they are vulnerable to being stolen or forged by an attacker who can exploit other vulnerabilities, such as cross-site scripting (XSS) or cookie injection. Therefore, a better option is to avoid the transmission of CSRF tokens using cookies and use other methods, such as hidden form fields or custom HTTP headers. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 11; https:// owasp.org/www-community/attacks/csrf

• Question 296:

  The management team has asked a senior security engineer to explore DLP security solutions for the company's growing use of cloud-based storage. Which of the following is an appropriate solution to control the sensitive data that is being stored in the cloud?

  A. NAC

  B. IPS

  C. CASB

  D. WAF

  Correct Answer: C

  A cloud access security broker (CASB) is a security solution that monitors and controls the use of cloud-based services and applications. A CASB can provide data loss prevention (DLP) capabilities for sensitive data that is being stored in the cloud, such as encryption, masking, tokenization, or redaction. A CASB can also enforce policies and compliance requirements for cloud usage, such as authentication, authorization, auditing, and reporting. The other options are not appropriate solutions for controlling sensitive data in the cloud. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://docs.microsoft.com/en-us/cloudapp-security/what-is-cloud-app-security

• Question 297:

  An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and supported hardware to facilitate this requirement. The organization asks the information security division to reduce the risk during this time. Which of the following is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?

  A. Requiring the use of the corporate VPN

  B. Requiring the screen to be locked after five minutes of inactivity

  C. Requiring the laptop to be locked in a cabinet when not in use

  D. Requiring full disk encryption

  Correct Answer: D

  Full disk encryption (FDE) is a technical control that encrypts all the data on a disk drive, including the operating system and applications. FDE prevents unauthorized access to the data if the disk drive is lost or stolen, as it requires a password or key to decrypt the data. FDE can be implemented using software or hardware solutions and can protect data at rest on laptops and other devices. The other options are not technical controls or do not reduce the risk of data loss if a laptop is lost or stolen. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlockeroverview

• Question 298:

  A security analyst is logged on to a jump server to audit the system configuration and status. The organization's policies for access to and configuration of the jump server include the following:

  1.

  No network access is allowed to the internet.

  2.

  SSH is only for management of the server.

  3.

  Users must utilize their own accounts, with no direct login as an administrator.

  4.

  Unnecessary services must be disabled.

  The analyst runs netstar with elevated permissions and receives the following output:

  

  Which of the following policies does the server violate?

  A. Unnecessary services must be disabled.

  B. SSH is only for management of the server.

  C. No network access is allowed to the internet.

  D. Users must utilize their own accounts, with no direct login as an administrator.

  Correct Answer: C

  The server violates the policy of no network access to the internet because it has an established connection to an external IP address (216.58.194.174) on port 443, which is used for HTTPS traffic. This indicates that the server is communicating with a web server on the internet, which is not allowed by the policy. The other policies are not violated because SSH is only used for management of the server (not for accessing other devices), users are utilizing their own accounts (not logging in as an administrator), and unnecessary services are not enabled (only SSH and HTTPS are running). CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://en.wikipedia.org/ wiki/Jump_server

• Question 299:

  While observing several host machines, a security analyst notices a program is overwriting data to a buffer. Which of the following controls will best mitigate this issue?

  A. Data execution prevention

  B. Output encoding

  C. Prepared statements

  D. Parameterized queries

  Correct Answer: A

  Data execution prevention (DEP) is a security feature that prevents code from being executed in memory regions that are marked as data-only. This helps mitigate buffer overflow attacks, which are a type of attack where a program overwrites data to a buffer beyond its allocated size, potentially allowing malicious code to be executed. DEP can be implemented at the hardware or software level and can prevent unauthorized code execution in memory buffers. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/enus/windows/win32/memory/data-execution-prevention

• Question 300:

  Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts The company's AUP and code of conduct prohibits this practice.

  Which of the following configuration changes would improve security and help prevent this from occurring?

  A. Configure the DLP transport rules to provide deep content analysis.

  B. Put employees' personal email accounts on the mail server on a blocklist.

  C. Set up IPS to scan for outbound emails containing names and contact information.

  D. Use Group Policy to prevent users from copying and pasting information into emails.

  E. Move outbound emails containing names and contact information to a sandbox for further examination.

  Correct Answer: A

  Data loss prevention (DLP) is a set of policies and tools that aim to prevent unauthorized disclosure of sensitive data. DLP transport rules are rules that apply to email messages that are sent or received ". These rules can provide deep content analysis, which means they can scan the content of email messages and attachments for sensitive data patterns, such as client lists or contact information. If a rule detects a violation of the DLP policy, it can take actions such as blocking, quarantining, or notifying the sender or recipient. This would improve security and help prevent sales team members from sending sensitive client lists to their personal accounts. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/data-lossprevention