CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 381:

  An organization supports a large number of remote users. Which of the following is the best option to protect the data on the remote users' laptops?

  A. Require the use of VPNs.

  B. Require employees to sign an NDA.

  C. Implement a DLP solution.

  D. Use whole disk encryption.

  Correct Answer: D

  Using whole disk encryption is the best option to protect the d" Whole disk encryption is a technique that encrypts all data on a hard disk drive, including the operating system, applications and files. Whole disk encryption can prevent unauthorized access to the data if the laptop is lost, stolen or compromised. Whole disk encryption can also protect the data from physical attacks, such as removing the hard disk and connecting it to another device . https://www.techopedia.com/definition39/memory-dump

• Question 382:

  An organization wants to move non-essential services into a cloud computing environment. The management team has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work best to attain the desired outcome?

  A. Duplicate all services in another instance and load balance between the instances.

  B. Establish a hot site with active replication to another region within the same cloud provider.

  C. Set up a warm disaster recovery site with the same cloud provider in a different region.

  D. Configure the systems with a cold site at another cloud provider that can be used for failover.

  Correct Answer: C

  Setting up a warm disaster recovery site with the same cloud provider in a different region can help to achieve a recovery time objective (RTO) of 12 hours while keeping the costs low. A warm disaster recovery site is a partially configured site that has some of the essential hardware and software components ready to be activated in case of a disaster. A warm site can provide faster recovery than a cold site, which has no preconfigured components, but lower costs than a hot site, which has fully configured and replicated components. Using the same cloud provider can help to simplify the migration and synchronization processes, while using a different region can help to avoid regional outages or disasters . https://www.techopedia.com/definition39/memory-dump

• Question 383:

  A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2.450 pages. Which of the following would most likely decrease the number of false positives?

  A. Manual validation

  B. Penetration testing

  C. A known-environment assessment

  D. Credentialed scanning

  Correct Answer: D

  Credentialed scanning is a method of vulnerability scanning that uses valid user credentials to access the target systems and perform a more thorough and accurate assessment of their security posture. Credentialed scanning can help to reduce the number of false positives by allowing the scanner to access more information and resources on the systems, such as configuration files, registry keys, installed software, patches, and permissions . https://www.tenable.com/blog/credentialed-vulnerability-scanning-what-why-and-how

• Question 384:

  A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution?

  A. The use of infrastructure-as-code capabilities leads to an increased attack surface.

  B. Patching the underlying application server becomes the responsibility of the client.

  C. The application is unable to use encryption at the database level.

  D. Insecure application programming interfaces can lead to data compromise.

  Correct Answer: D

  Insecure application programming interfaces (APIs) can lead to data compromise when using a PaaS solution. APIs are interfaces that allow applications to communicate with each other and with the underlying platform. APIs can expose sensitive data or functionality to unauthorized or malicious users if they are not properly designed, implemented, or secured. Insecure APIs can result in data breaches, denial of service, unauthorized access, or code injection . https://spot.io/ resources/cloud-security/paas-security-threats-solutions-and-bestpractices/

• Question 385:

  A company's threat team has been reviewing recent security incidents and looking for a common theme. The team discovered the incidents were caused by incorrect configurations on the impacted systems. The issues were reported to support teams, but no action was taken. Which of the following is the next step the company should take to ensure any future issues are remediated?

  A. Require support teams to develop a corrective control that ensures security failures are addressed once they are identified.

  B. Require support teams to develop a preventive control that ensures new systems are built with the required security configurations.

  C. Require support teams to develop a detective control that ensures they continuously assess systems for configuration errors.

  D. Require support teams to develop a managerial control that ensures systems have a documented configuration baseline.

  Correct Answer: B

  1.

  Preventive Control: Preventive controls are measures designed to prevent security incidents from occurring in the first place. By ensuring that new systems are built with the required security configurations from the outset, the company can significantly reduce the risk of configuration errors leading to security incidents.

  2.

  Corrective Control: While corrective controls (Option A) address issues after they have been identified, the goal here is to prevent the issues from occurring at all.

  3.

  Detective Control: Detective controls (Option C) help in identifying issues after they occur, but they do not prevent the issues from happening in the first place.

  4.

  Managerial Control: Managerial controls (Option D) focus on policy, documentation, and oversight. While important, they do not directly address the prevention of incorrect configurations. Ensuring that systems are correctly configured from the beginning is a proactive approach to reducing the risk of security incidents caused by configuration errors.

• Question 386:

  A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output: Which of the following commands should the administrator run next to further analyze the compromised system?

  

  A. gbd /proc1

  B. rpm -V openssh-server

  C. /bin/Is -1 /proc1/exe

  D. kill -9 1301

  Correct Answer: C

  /bin/ls -1 /proc1/exe is the command that will show the absolute path to the executed binary file associated with the process ID 1301, which is ./usr/sbin/sshd. This information can help the security analyst determine if the binary is an official version and has not been modified, which could be an indicator of a compromise. /proc1/exe is a special symbolic link that points to the executable file that was used to start the process 1301 . https://unix.stackexchange.com/questions854/how-does-the-proc-pid-exe-symlinkdiffer-from-ordinary-symlinks

• Question 387:

  The following output is from a tcpdump al the edge of the corporate network:

  

  Which of the following best describes the potential security concern?

  A. Payload lengths may be used to overflow buffers enabling code execution.

  B. Encapsulated traffic may evade security monitoring and defenses

  C. This traffic exhibits a reconnaissance technique to create network footprints.

  D. The content of the traffic payload may permit VLAN hopping.

  Correct Answer: B

  Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual content or source of the traffic. Encapsulation is a technique that wraps data packets with additional headers or protocols to enable communication across different network types or layers. Encapsulation can be used for legitimate purposes, such as tunneling, VPNs, or NAT, but it can also be used by attackers to bypass security controls or detection mechanisms that are not able to inspect or analyze the encapsulated traffic . https://www.techopedia.com/definition39/memory-dump

• Question 388:

  During an investigation, an analyst discovers the following rule in an executive's email client:

  

  The executive is not aware of this rule. Which of the following should the analyst do first to evaluate the potential impact of this security incident?

  A. Check the server logs to evaluate which emails were sent to .

  B. Use the SIEM to correlate logging events from the email server and the domain server.

  C. Remove the rule from the email client and change the password.

  D. Recommend that the management team implement SPF and DKIM.

  Correct Answer: C

• Question 389:

  A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is compatia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task?

  A. Add TXT @ "v=spfl mx include:_spf.comptia. org -all" to the DNS record.

  B. Add : XT @ "v=spfl mx include:_sp?comptia.org -al"; to the email server.

  C. Add TXT @ "v=spfl mx include:_sp?comptia.org +al"; to the domain controller.

  D. AddTXT @ "v=apfl mx lnclude:_spf .comptia.org +a 11" to the web server.

  Correct Answer: A

  " to the DNS record can help to prevent

  outside entities from spoofing t"ich is comptia.org. This is an example of a Sender Policy Framework (SPF) record, which is a type of DNS record that specifies which mail servers are authorized to send email on behalf of a domain. SPF

  records can help to prevent spoofing by allowing the recipient mail servers to check the validity of" " at the end of the SPF record indicates that any mail server that is not listed in the SPF record is not authorized to send email for comptia.org .

  https://www.cloudflare.com/learning/ssl/what-is-domain-spoofing/

• Question 390:

  A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?

  A. Develop a dashboard to track the indicators of compromise.

  B. Develop a query to search for the indicators of compromise.

  C. Develop a new signature to alert on the indicators of compromise.

  D. Develop a new signature to block the indicators of compromise.

  Correct Answer: B

  Developing a query to search for the indicators of compromise is the first action the analyst should take in this situation. Indicators of compromise (IOCs) are pieces of information that suggest a system or network has been compromised by

  an attacker. IOCs can include IP addresses, domain names, file hashes, URLs, or other artifacts that are associated with malicious activity. Developing a query to search for IOCs can help to identify any potential incidents or threats in the

  environment and initiate further investigation or response .

  https://www.crowdstrike.com/cybersecurity-101/incident-response/indicators-ofcompromise/