ExamGecko
Search Search Login
Home Home / CompTIA / CS0-003

CompTIA CS0-003 Practice Test - Questions Answers, Page 13

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).
An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?
While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?
Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target's information assets?
An organization identifies a method to detect unexpected behavior, crashes, or resource leaks in a system by feeding invalid, unexpected, or random data to stress the application. Which of the following best describes this testing methodology?
A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?
A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?
The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

Question 121

Report
Export
Collapse

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

A.
SLA
A.
SLA
Answers
B.
MOU
B.
MOU
Answers
C.
Best-effort patching
C.
Best-effort patching
Answers
D.
Organizational governance
D.
Organizational governance
Answers
Suggested answer: A

Explanation:

An SLA (Service Level Agreement) is a contract or agreement between a service provider and a customer that defines the expected level of service, performance, quality, and availability of the service. An SLA also specifies the responsibilities, obligations, and penalties for both parties in case of non-compliance or breach of the agreement. An SLA can help organizations to ensure that their security services are delivered in a timely and effective manner, and that any security incidents or vulnerabilities are addressed and resolved within a specified time frame.An SLA can also help to establish clear communication, expectations, and accountability between the service provider and the customer12

An MOU (Memorandum of Understanding) is a document that expresses a mutual agreement or understanding between two or more parties on a common goal or objective. An MOU is not legally binding, but it can serve as a basis for future cooperation or collaboration. An MOU may not be suitable for requiring remediation of a known threat within a given time frame, as it does not have the same level of enforceability, specificity, or measurability as an SLA.

Best-effort patching is an informal and ad hoc approach to applying security patches or updates to systems or software. Best-effort patching does not follow any defined process, policy, or schedule, and relies on the availability and discretion of the system administrators or users. Best-effort patching may not be effective or efficient for requiring remediation of a known threat within a given time frame, as it does not guarantee that the patches are applied correctly, consistently, or promptly. Best-effort patching may also introduce new risks or vulnerabilities due to human error, compatibility issues, or lack of testing.

Organizational governance is the framework of rules, policies, procedures, and processes that guide and direct the activities and decisions of an organization. Organizational governance can help to establish the roles, responsibilities, and accountabilities of different stakeholders within the organization, as well as the goals, values, and principles that shape the organizational culture and behavior. Organizational governance can also help to ensure compliance with internal and external standards, regulations, and laws. Organizational governance may not be sufficient for requiring remediation of a known threat within a given time frame, as it does not specify the details or metrics of the service delivery or performance. Organizational governance may also vary depending on the size, structure, and nature of the organization.

Question 122

Report
Export
Collapse

A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been

compromised. Which of the following steps should the administrator take next?

A.
Inform the internal incident response team.
A.
Inform the internal incident response team.
Answers
B.
Follow the company's incident response plan.
B.
Follow the company's incident response plan.
Answers
C.
Review the lessons learned for the best approach.
C.
Review the lessons learned for the best approach.
Answers
D.
Determine when the access started.
D.
Determine when the access started.
Answers
Suggested answer: B

Explanation:

An incident response plan is a set of predefined procedures and guidelines that an organization follows when faced with a security breach or attack. An incident response plan helps to ensure that the organization can quickly and effectively contain, analyze, eradicate, and recover from the incident, as well as prevent or minimize the damage and impact to the business operations, reputation, and customers. An incident response plan also defines the roles and responsibilities of the incident response team, the communication channels and protocols, the escalation and reporting procedures, and the tools and resources available for the incident response.

By following the company's incident response plan, the administrator can ensure that they are following the best practices and standards for handling a security incident, and that they are coordinating and collaborating with the relevant stakeholders and authorities. Following the company's incident response plan can also help to avoid or reduce any legal, regulatory, or contractual liabilities or penalties that may arise from the incident.

The other options are not as effective or appropriate as following the company's incident response plan. Informing the internal incident response team (A) is a good step, but it should be done according to the company's incident response plan, which may specify who, when, how, and what to report. Reviewing the lessons learned for the best approach is a good step, but it should be done after the incident has been resolved and closed, not during the active response phase. Determining when the access started (D) is a good step, but it should be done as part of the analysis phase of the incident response plan, not before following the plan.

Question 123

Report
Export
Collapse

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?

A.
Perform static analyses using an integrated development environment.
A.
Perform static analyses using an integrated development environment.
Answers
B.
Deploy compensating controls into the environment.
B.
Deploy compensating controls into the environment.
Answers
C.
Implement server-side logging and automatic updates.
C.
Implement server-side logging and automatic updates.
Answers
D.
Conduct regular code reviews using OWASP best practices.
D.
Conduct regular code reviews using OWASP best practices.
Answers
Suggested answer: D

Explanation:

Conducting regular code reviews using OWASP best practices is the most effective action to reduce risks associated with the application development. Code reviews are a systematic examination of the source code of an application to detect and fix errors, vulnerabilities, and weaknesses that may compromise the security, functionality, or performance of the application. Code reviews can help to improve the quality and security of the code, as well as to identify and remediate common security risks, such as insufficient logging capabilities. OWASP (Open Web Application Security Project) is a global nonprofit organization that provides free and open resources, tools, standards, and best practices for web application security. OWASP best practices for logging include following a common logging format and approach, logging relevant security events and data, protecting log data from unauthorized access or modification, and using log analysis and monitoring tools to detect and respond to security incidents. By following OWASP best practices for logging, developers can ensure that their web applications have sufficient and effective logging capabilities that can help to prevent, detect, and mitigate security threats.

Question 124

Report
Export
Collapse

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two).

A.
21
A.
21
Answers
B.
22
B.
22
Answers
C.
23
C.
23
Answers
D.
636
D.
636
Answers
E.
1723
E.
1723
Answers
F.
3389
F.
3389
Answers
Suggested answer: C, D

Explanation:

The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host.Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices1

The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service.

Among the six ports listed, two are particularly risky and should be investigated further by the security team: port 23 and port 636.

Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution. Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers.Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host23

Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections.

Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them.The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 6362

Question 125

Report
Export
Collapse

While reviewing web server logs, a security analyst found the following line:

<IMG SRC='vbscript:msgbox('test')'>

Which of the following malicious activities was attempted?

A.
Command injection
A.
Command injection
Answers
B.
XML injection
B.
XML injection
Answers
C.
Server-side request forgery
C.
Server-side request forgery
Answers
D.
Cross-site scripting
D.
Cross-site scripting
Answers
Suggested answer: D

Explanation:

XSS is a type of web application attack that exploits the vulnerability of a web server or browser to execute malicious scripts or commands on the client-side. XSS attackers inject malicious code, such as JavaScript, VBScript, HTML, or CSS, into a web page or application that is viewed by other users.The malicious code can then access or manipulate the user's session, cookies, browser history, or personal information, or perform actions on behalf of the user, such as stealing credentials, redirecting to phishing sites, or installing malware12

The line in the web server log shows an example of an XSS attack using VBScript. The attacker tried to insert an <IMG> tag with a malicious SRC attribute that contains a VBScript code. The VBScript code is intended to display a message box with the text ''test'' when the user views the web page or application.This is a simple and harmless example of XSS, but it could be used to test the vulnerability of the web server or browser, or to launch more sophisticated and harmful attacks3

Question 126

Report
Export
Collapse

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A.
Log retention
A.
Log retention
Answers
B.
Log rotation
B.
Log rotation
Answers
C.
Maximum log size
C.
Maximum log size
Answers
D.
Threshold value
D.
Threshold value
Answers
Suggested answer: D

Explanation:

A threshold value is a parameter that defines the minimum or maximum level of a metric or event that triggers an alert. For example, a threshold value can be set to alert when the number of failed login attempts exceeds 10 in an hour, or when the CPU usage drops below 20% for more than 15 minutes. By setting a threshold value, the process can filter out irrelevant or insignificant alerts and focus on the ones that indicate a potential problem or anomaly.A threshold value can help to reduce the noise and false positives in the alert system, and improve the efficiency and accuracy of the analysis12

Question 127

Report
Export
Collapse

Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

A.
CASB
A.
CASB
Answers
B.
DMARC
B.
DMARC
Answers
C.
SIEM
C.
SIEM
Answers
D.
PAM
D.
PAM
Answers
Suggested answer: A

Explanation:

A CASB (Cloud Access Security Broker) is a security solution that acts as an intermediary between cloud users and cloud providers, and monitors and enforces security policies for cloud access and usage. A CASB can help organizations protect their data and applications in the cloud from unauthorized or malicious access, as well as comply with regulatory standards and best practices.A CASB can also provide visibility, control, and analytics for cloud activity, and identify and mitigate potential threats12

The other options are not correct.DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that helps email domain owners prevent spoofing and phishing attacks by verifying the sender's identity and instructing the receiver how to handle unauthenticated messages34SIEM (Security Information and Event Management) is a security solution that collects, aggregates, and analyzes log data from various sources across an organization's network, such as applications, devices, servers, and users, and provides real-time alerts, dashboards, reports, and incident response capabilities to help security teams identify and mitigate cyberattacks56PAM (Privileged Access Management) is a security solution that helps organizations manage and protect the access and permissions of users, accounts, processes, and systems that have elevated or administrative privileges.PAM can help prevent credential theft, data breaches, insider threats, and compliance violations by monitoring, detecting, and preventing unauthorized privileged access to critical resources78

Question 128

Report
Export
Collapse

After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?

A.
Irregular peer-to-peer communication
A.
Irregular peer-to-peer communication
Answers
B.
Rogue device on the network
B.
Rogue device on the network
Answers
C.
Abnormal OS process behavior
C.
Abnormal OS process behavior
Answers
D.
Data exfiltration
D.
Data exfiltration
Answers
Suggested answer: D

Explanation:

Data exfiltration is the theft or unauthorized transfer or movement of data from a device or network. It can occur as part of an automated attack or manually, on-site or through an internet connection, and involve various methods. It can affect personal or corporate data, such as sensitive or confidential information.Data exfiltration can be prevented or detected by using compression, encryption, authentication, authorization, and other controls1

The network activity shows that a device on the network is sending an outbound email via a mail client to a non-company email address daily at 10:00 p.m. This could indicate that the device is compromised by malware or an insider threat, and that the email is used to exfiltrate data from the network to an external party. The email could contain attachments, links, or hidden data that contain the stolen information. The timing of the email could be designed to avoid detection by normal network monitoring or security systems.

Question 129

Report
Export
Collapse

Approximately 100 employees at your company have received a Phishing email. AS a security analyst. you have been tasked with handling this Situation.

Review the information provided and determine the following:

1- HOW many employees Clicked on the link in the Phishing email?

2- on how many workstations was the malware installed?

3- what is the executable file name of the malware?

A.
See the answer in explanation
A.
See the answer in explanation
Answers
Suggested answer: A

Explanation:

1. How many employees clicked on the link in the phishing email?

According to the email server logs, 25 employees clicked on the link in the phishing email.

2. On how many workstations was the malware installed?

According to the file server logs, the malware was installed on 15 workstations.

3. What is the executable file name of the malware?

The executable file name of the malware is svchost.EXE.

Answers

1. 25

2. 15

3. svchost.EXE

Question 130

Report
Export
Collapse

You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not

The company's hardening guidelines indicate the following

* TLS 1 2 is the only version of TLS running.

* Apache 2.4.18 or greater should be used.

* Only default ports should be used.

INSTRUCTIONS

using the supplied data. record the status of compliance With the company's guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for Issues based ONLY on the hardening guidelines provided.

Part 1:

AppServ2:

AppServ3:

AppServ4:

Part 2:

A.
See the answer in explanation
A.
See the answer in explanation
Answers
Suggested answer: A

Explanation:

Part 1:

AppServ1 is only using TLS.1.2 -

AppServ4 is only using TLS.1.2 -

AppServ1 is using Apache 2.4.18 or greater

AppServ3 is using Apache 2.4.18 or greater

AppServ4 is using Apache 2.4.18 or greater

Part 2:

AppSrv1 - HTTPD Security - Restrict to TLS 1.2

AppSrv2 - Apache Version - Upgrade Version

AppSrv3 - HTTPD Security - Restrict to TLS 1.2

AppSrv4 - SSH - Move to Port 22


Total 368 questions
Go to page: of 37
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms