Web server enumeration is the process of identifying information about a web server, such as its software version, operating system, configuration, services, and vulnerabilities. This can be done using tools like Nmap, which can scan ports and run scripts to gather information. In this question, the Nmap command is using the -p option to scan ports 80, 8000, and 443, which are commonly used for web services. It is also using the --script option to run scripts that start with http-*, which are related to web server enumeration. The output file name server.out also suggests that the purpose of the scan is to enumerate web servers. CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 8; https://partners.comptia.org/docs/defaultsource/ resources/comptia-cysa-cs0-002-exam-objectives
Question 302:
During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the next step the analyst should take?
A. Validate the binaries' hashes from a trusted source.
B. Use file integrity monitoring to validate the digital signature
C. Run an antivirus against the binaries to check for malware.
D. Only allow binaries on the approved list to execute.
Correct Answer: A
Validating the binaries' hashes from a trusted source is the next step the analyst should take after discovering binaries that exhibit abnormal behavior and finding unexpected content in their strings. A hash is a fixed-length value that uniquely represents the contents of a file or message. By comparing the hashes of the binaries on the compromised machine with the hashes of the original, legitimate binaries from a trusted source, such as the software vendor or the distribution's package repository, the analyst can determine whether the binaries have been modified or replaced by malicious code. If the hashes do not match, the binaries have been tampered with and may contain malware. Two practical caveats: compute the hashes from a forensic image or with a known-good toolkit rather than with the compromised host's own utilities, since a rootkit can subvert those; and a matching hash only clears binaries that appear in the trusted manifest, so any binary with no reference hash still needs separate analysis.
Question 303:
While reviewing a vulnerability assessment, an analyst notices the following issue is identified in the report:
this finding, which of the following would be most appropriate for the analyst to recommend to the network engineer?
A. Reconfigure the device to support only connections leveraging TLSv1.2.
B. Obtain a new self-signed certificate and select AES as the hashing algorithm.
C. Replace the existing certificate with a certificate that uses only MD5 for signing.
D. Use only signed certificates with cryptographically secure certificate sources.
Correct Answer: D
The report excerpt itself is not reproduced above, but the answer follows from the options. Only signed certificates from a cryptographically secure, trusted certificate source give clients a chain they can validate. Restricting the device to TLSv1.2 (A) changes the transport protocol version and does nothing about certificate trust. Option B confuses a cipher with a hash: AES is a symmetric encryption algorithm, not a hashing algorithm, and a self-signed certificate is still untrusted by default. Option C makes the certificate worse, since MD5 is collision-broken and modern clients reject MD5-signed certificates.
Question 304:
A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the most appropriate product category for this purpose?
A. SCAP
B. SOAR
C. UEBA
D. WAF
Correct Answer: C
UEBA stands for User and Entity Behavior Analytics, which is a category of security products that use machine learning and statistical analysis to identify malicious actions by users or entities on a network. UEBA products can detect anomalous or suspicious behaviors that deviate from normal patterns or baselines, such as data exfiltration, privilege escalation, unauthorized access, insider threats, or compromised accounts. UEBA products can also provide alerts, reports, or recommendations for response actions based on the detected behaviors.
Question 305:
Which of the following ICS network protocols has no inherent security functions on TCP port 502?
A. CIP
B. DHCP
C. SSH
D. Modbus
Correct Answer: D
Modbus is an industrial control system (ICS) network protocol used for communication between devices such as sensors, controllers, actuators, and monitors. Modbus has no inherent security functions on TCP port 502, the default port for Modbus TCP/IP communication. The protocol provides no encryption, authentication, or integrity protection for the data transmitted over the network, so any host that can reach port 502 can issue read and write requests, leaving it vulnerable to replay, modification, spoofing, and denial-of-service attacks. The Modbus Organization's later Modbus/TCP Security profile wraps the protocol in TLS on TCP port 802, but most fielded equipment still speaks plain Modbus/TCP, so protection in practice comes from network segmentation and monitoring of who sends write function codes to which units.
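To make the "no security functions" point concrete, here is an added example (not from the original page) that builds and parses Modbus/TCP frames and then audits a constructed set of flows for write function codes from hosts outside an assumed allowlist of engineering workstations. The frame layout is the standard MBAP header plus PDU; the IP addresses and allowlist are assumptions for the illustration.

```python
"""Modbus/TCP framing and an unauthenticated-write detector (added example, not from the page)."""
import struct

# Function codes that change PLC state. The frame carries no credential, so the only
# thing that distinguishes an operator's write from an attacker's is the source address.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def build_frame(tid, unit, function, payload):
    """MBAP header: transaction id, protocol id (0 = Modbus), length of unit id + PDU, unit id."""
    pdu = bytes([function]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_frame(data):
    """Split a frame into its header fields and PDU, rejecting malformed length fields."""
    if len(data) < 8:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(data) - 6:
        raise ValueError("length field %d does not match frame size" % length)
    return {"tid": tid, "unit": unit, "function": data[7], "data": data[8:]}


def describe(frame):
    fc = frame["function"]
    if fc in WRITE_FUNCTIONS:
        addr = struct.unpack(">H", frame["data"][:2])[0]  # first PDU field is the start address
        return f"{WRITE_FUNCTIONS[fc]} @ {addr}"
    return READ_FUNCTIONS.get(fc, f"function {fc}")


def audit(flows, allowed_writers):
    """flows: iterable of (source ip, raw frame). Flag writes from hosts not in the allowlist."""
    alerts = []
    for src, raw in flows:
        frame = parse_frame(raw)
        if frame["function"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, frame["unit"], describe(frame)))
    return alerts


# Constructed traffic: an HMI reading registers, the engineering workstation writing a
# setpoint, and an unknown host issuing the same write. On the wire the last two are identical.
ALLOWED_WRITERS = {"10.0.10.5"}  # assumed engineering workstation
FLOWS = [
    ("10.0.10.20", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),      # read 10 holding registers
    ("10.0.10.5", build_frame(2, 1, 6, struct.pack(">HH", 40, 1))),       # write register 40 := 1
    ("10.0.99.7", build_frame(3, 1, 6, struct.pack(">HH", 40, 0))),       # same write, unknown host
    ("10.0.99.7", build_frame(4, 1, 5, struct.pack(">HH", 3, 0xFF00))),   # force coil 3 ON
]

if __name__ == "__main__":
    for src, unit, what in audit(FLOWS, ALLOWED_WRITERS):
        print(f"ALERT unauthenticated write from {src} to unit {unit}: {what}")
```

Feeding this the payloads of real port-502 sessions (for example extracted from a packet capture) gives a first-pass list of every host that has written to a controller, which is usually a short list that a plant engineer can confirm by hand.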
Question 306:
A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called "packetCapture." The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will best accomplish the analyst's objectives?
A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture
Correct Answer: A
tcpdump is a network packet analyzer that can capture and display network traffic. The -w option writes the captured packets to a file in binary pcap format, which tcpdump (with -r) or other tools can read later; it is the right choice for capturing large amounts of data for later analysis, as the question requires. The capture does not need to be human-readable because it goes into the binary file "packetCapture", and -w skips the decoding and printing work that tcpdump would otherwise do for every packet, which reduces the chance that packets are missed. The other options do not fit: tcpdump's -A flag prints packets as ASCII to the terminal, the opposite of what is wanted; -n only disables name resolution and does not take a filename; and nmap is a port scanner, not a capture tool. In practice the analyst would pair -w with -n (no DNS lookups during capture), a large enough -B kernel buffer, and a check of the "packets dropped by kernel" counter that tcpdump prints on exit.
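What tcpdump -w actually leaves on disk is the classic libpcap format: a 24-byte global header followed by one 16-byte record header per packet. The following added example (not from the original page) writes and reads that format in Python so the structure, including the snaplen truncation that makes a record's captured length smaller than its original length, is visible. The Ethernet frames and timestamps are constructed; the file name "packetCapture" is taken from the question.

```python
"""Minimal libpcap (tcpdump -w) writer and reader (added example, not from the page)."""
import os
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-timestamp pcap; byte order tells the reader the endianness
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = "IHHiIII"       # magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"          # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)


def write_pcap(path, packets, snaplen=262144):
    """packets: iterable of (timestamp, bytes). Mirrors the record layout tcpdump -w produces."""
    with open(path, "wb") as f:
        f.write(struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
        for ts, pkt in packets:
            sec = int(ts)
            usec = int(round((ts - sec) * 1_000_000))
            captured = pkt[:snaplen]                     # a small snaplen truncates, orig_len still records the real size
            f.write(struct.pack("<" + RECORD_HDR, sec, usec, len(captured), len(pkt)))
            f.write(captured)


def read_pcap(path):
    """Parse a pcap file written in either byte order; stops cleanly at a truncated final record."""
    with open(path, "rb") as f:
        head = f.read(24)
        if len(head) < 24:
            raise ValueError("truncated global header")
        if struct.unpack("<I", head[:4])[0] == PCAP_MAGIC:
            order = "<"
        elif struct.unpack(">I", head[:4])[0] == PCAP_MAGIC:
            order = ">"
        else:
            raise ValueError("not a pcap file (magic %s)" % head[:4].hex())
        _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + GLOBAL_HDR, head)
        packets = []
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            sec, usec, incl, orig = struct.unpack(order + RECORD_HDR, rec)
            data = f.read(incl)
            if len(data) < incl:
                break                                    # capture killed mid-write; keep what is complete
            packets.append({"ts": sec + usec / 1e6, "incl_len": incl, "orig_len": orig, "data": data})
        return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "packets": packets}


def demo():
    """Write two constructed Ethernet frames with a 96-byte snaplen and read them back."""
    eth = bytes.fromhex("ffffffffffff0011223344550800")  # constructed dst, src, EtherType IPv4
    frames = [
        (1700000000.000001, eth + b"\x45" + b"\x00" * 59),     # 74-byte frame, fits in snaplen
        (1700000000.250000, eth + b"\x45" + b"\x00" * 1485),   # 1500-byte frame, truncated on disk
    ]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "packetCapture")
        write_pcap(path, frames, snaplen=96)
        return read_pcap(path)


if __name__ == "__main__":
    cap = demo()
    for p in cap["packets"]:
        print(f"{p['ts']:.6f} captured {p['incl_len']} of {p['orig_len']} bytes")
```

The incl_len/orig_len pair is the thing to check when a capture looks incomplete: if every record has incl_len below orig_len, the capture was run with a small snaplen (tcpdump -s) rather than losing packets, whereas packets actually missed never appear in the file at all and only show up in the "dropped by kernel" counter.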
Question 307:
A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details:
1. Bursts of network utilization occur approximately every seven days.
2. The content being transferred appears to be encrypted or obfuscated.
3. A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place.
4. The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
5. Single file sizes are 10GB.
Which of the following describes the most likely cause of the issue?
A. Memory consumption
B. Non-standard port usage
C. Data exfiltration
D. System update
E. Botnet participant
Correct Answer: C
Data exfiltration is the unauthorized transfer of data from an organization's systems to an external destination, usually for malicious purposes such as espionage, sabotage, or theft. The details in the question point to data exfiltration from the endpoint. Bursts of network utilization every seven days indicate scheduled, periodic transfers. The content appears encrypted or obfuscated, which defeats content inspection. The persistent outbound TCP connection to third-party cloud infrastructure is consistent with a command-and-control channel. The 10GB to 12GB of weekly disk growth, with individual 10GB files, indicates that large amounts of data are being staged and packaged locally before each transfer. The same pattern can be produced by a legitimate weekly backup agent, so the analyst should confirm the cloud destination against the asset and backup inventory before escalating; the combination of staging, obfuscation and a persistent channel to an unrecognized destination is what makes exfiltration the most likely explanation here.
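The periodicity in indicators 1, 4 and 5 is something a detection can look for directly. The following added example (not from the original page) runs a simple beacon-style check over constructed flow records: for each source/destination pair it keeps only large transfers and flags pairs whose transfers recur at a near-constant interval. The IP addresses, byte counts, the 5 GiB size threshold and the 10% jitter tolerance are assumptions for the illustration.

```python
"""Periodic large-transfer detector over flow records (added example, not from the page)."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

DAY = 86400.0
GIB = 2 ** 30


def find_periodic_bursts(flows, min_bytes=5 * GIB, min_events=3, max_jitter=0.10):
    """flows: iterable of (timestamp, src, dst, bytes_out).

    Large transfers are grouped per (src, dst). A pair is reported when it has at least
    min_events large transfers and the gaps between them vary by at most max_jitter
    (population std-dev divided by mean gap), i.e. the schedule is regular."""
    by_pair = {}
    for ts, src, dst, nbytes in flows:
        if nbytes >= min_bytes:
            by_pair.setdefault((src, dst), []).append(ts)
    findings = []
    for pair, times in sorted(by_pair.items()):
        times.sort()
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append({"pair": pair, "events": len(times),
                             "period_days": round(avg / DAY, 2), "jitter": round(jitter, 3)})
    return findings


# Constructed flow records spanning five weeks.
BASE = datetime(2024, 1, 1, 2, 0, 0)
FLOWS = []
# Suspect endpoint: about 10 GiB to one cloud host every 7 days with a little clock drift.
for i, drift in enumerate((0, 3600, -1800, 7200, 0)):
    FLOWS.append((BASE + timedelta(days=7 * i, seconds=drift), "10.1.1.50", "203.0.113.10", 10 * GIB))
# Same pair's persistent low-volume channel: small flows every six hours, ignored by the size filter.
for h in range(0, 24 * 35, 6):
    FLOWS.append((BASE + timedelta(hours=h), "10.1.1.50", "203.0.113.10", 40_000))
# A different host moving big files at irregular times (ad hoc uploads) must not be flagged.
for d in (0, 3, 10):
    FLOWS.append((BASE + timedelta(days=d), "10.1.1.77", "198.51.100.4", 8 * GIB))

if __name__ == "__main__":
    for f in find_periodic_bursts(FLOWS):
        print(f"{f['pair'][0]} -> {f['pair'][1]}: {f['events']} transfers, "
              f"period {f['period_days']} days, jitter {f['jitter']}")
```

A weekly backup job produces exactly the same finding, which is why the output is a lead to correlate with the backup and asset inventory rather than a verdict on its own.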
Question 308:
A security analyst is reviewing the following log entries to identify anomalous activity:
Which of the following attack types is occurring?
A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting
Correct Answer: A
A directory traversal attack is a web application attack that exploits insufficient input validation or improper configuration to access files or directories outside the web server's intended document root. The log entries referred to in the question show "../" sequences in the requested URL; each one moves up one level in the directory structure. For example, a request path made up of repeated "../" segments followed by /etc/passwd tries to reach the /etc/passwd file, which holds user account information on Linux systems. If successful, the attack lets an attacker read files on the web server that were never meant to be accessible, and in some configurations write or execute them.
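Recognizing the pattern in logs is mostly a matter of decoding before matching, because attackers URL-encode or double-encode the dots and slashes to slip past naive "../" filters. The following added example (not from the original page) parses constructed Combined Log Format lines, normalizes the request path, and flags traversal attempts together with the sensitive file they target and the HTTP status the server returned. The log lines, IP addresses and the short list of sensitive file names are constructed for the illustration.

```python
"""Directory-traversal detector for web access logs (added example, not from the page)."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# '..' as a whole path segment (or query value), so 'app..js' does not match.
TRAVERSAL = re.compile(r'(?:^|[/=&?])\.\.(?:/|$)')
SENSITIVE = ("/etc/passwd", "/etc/shadow", "win.ini", "boot.ini")


def normalize(path):
    """URL-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f both become ../,
    then fold backslashes so Windows-style ..\\ is handled by the same check."""
    prev = None
    for _ in range(3):
        if path == prev:
            break
        prev, path = path, unquote(path)
    return path.replace("\\", "/")


def classify(line):
    """Return a finding dict for a traversal attempt, or None for a benign/unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m["path"])
    if not TRAVERSAL.search(decoded):
        return None
    target = next((s for s in SENSITIVE if s in decoded), None)
    return {"ip": m["ip"], "path": m["path"], "decoded": decoded,
            "status": int(m["status"]), "target": target}


def scan(lines):
    return [r for r in (classify(l) for l in lines) if r]


# Constructed access-log lines: plain, single-encoded, double-encoded, and two benign requests.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 200 1312 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 199 "-" "curl/8.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 404 210 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /static/app..js HTTP/1.1" 200 8831 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SUCCESS?" if f["status"] == 200 else "blocked"
        print(f"{f['ip']} {flag:8} {f['decoded']}  (target: {f['target']})")
```

A 200 response to a request whose decoded path reaches a sensitive file is the entry to triage first; the 403 and 404 lines show probing that was blocked. Overlong UTF-8 encodings such as %c0%ae are not handled by unquote and would need an extra normalization step.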
Question 309:
Given the Nmap request below:
Which of the following actions will an attacker be able to initiate directly against this host?
A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection
Correct Answer: C
The Nmap command in the question performs a TCP SYN scan (-sS), service version detection (-sV), OS detection (-O), and a port scan of ports 1-1024 (-p 1-1024) against the host 192.168.1.1. The results reveal the host's operating system and running services, which an attacker can use to launch a brute-force attack against any service on the host that accepts credentials, such as FTP, SSH, Telnet, or HTTP authentication. A brute-force attack guesses passwords or keys by trying many candidates until one succeeds, and it can be started directly from the scanning host against the discovered service. The other options are not direct consequences of the scan: password sniffing and ARP spoofing require a position on the victim's network path or local segment, which a port scan does not provide, and SQL injection requires a web application input that the scan does not identify. Note that the scan only shows which services are exposed, not whether their credentials are weak; that is what the brute-force attempt itself tests.
Question 310:
A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the best way to achieve this goal?
A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.