CompTIA CS0-003 Practice Test - Questions Answers, Page 22

HOTSPOT

A company recently experienced a security incident. The security team has determined a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:


Question 211

Which of the following is a nation-state actor least likely to be concerned with?

A. Detection by MITRE ATT&CK framework.
B. Detection or prevention of reconnaissance activities.
C. Examination of its actions and objectives.
D. Forensic analysis for legal action of the actions taken.
Suggested answer: D

Explanation:

A nation-state actor is a group or individual that conducts cyberattacks on behalf of a government or a political entity. They are usually motivated by national interests, such as espionage, sabotage, or influence operations. They are often highly skilled, resourced, and persistent, and they operate with the protection or support of their state sponsors. Therefore, they are less likely to be concerned with the forensic analysis for legal action of their actions, as they are unlikely to face prosecution or extradition in their own country or by international law. They are more likely to be concerned with the detection by the MITRE ATT&CK framework, which is a knowledge base of adversary tactics and techniques based on real-world observations. The MITRE ATT&CK framework can help defenders identify, prevent, and respond to cyberattacks by nation-state actors. They are also likely to be concerned with the detection or prevention of reconnaissance activities, which are the preliminary steps of cyberattacks that involve gathering information about the target, such as vulnerabilities, network topology, or user credentials. Reconnaissance activities can expose the presence, intent, and capabilities of the attackers, and allow defenders to take countermeasures. Finally, they are likely to be concerned with the examination of their actions and objectives, which can reveal their motives, strategies, and goals, and help defenders understand their threat profile and attribution.


Which of the following most accurately describes the Cyber Kill Chain methodology?

A. It is used to correlate events to ascertain the TTPs of an attacker.
B. It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.
C. It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage.
D. It outlines a clear path for determining the relationships between the attacker, the technology used, and the target.
Suggested answer: C

Explanation:

The Cyber Kill Chain methodology provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage. It is divided into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. It helps network defenders understand and prevent cyberattacks by identifying the attacker's objectives and tactics at each stage.

Reference: The Cyber Kill Chain: The Seven Steps of a Cyberattack

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

A. Delivery
B. Command and control
C. Reconnaissance
D. Weaponization
Suggested answer: B

Explanation:

The Command and Control stage of the Cyber Kill Chain describes the communication channel between the attacker and the compromised system. The attacker may use this channel to send commands, receive data, or update malware. If the analyst discovers unusual outbound connections to an IP that was previously blocked, it may indicate that the attacker has established a command and control channel and bypassed the security controls; the removal of the proxy and firewall rules by an unrecognized service account is consistent with an attacker maintaining that channel.

Reference: Cyber Kill Chain | Lockheed Martin

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

A. Trends
B. Risk score
C. Mitigation
D. Prioritization
Suggested answer: B

Explanation:

A risk score is a numerical value that represents the potential impact and likelihood of a vulnerability being exploited. It can help to identify the potential loss incurred by an issue and prioritize remediation efforts accordingly.

Reference: https://www.comptia.org/training/books/cysa-cs0-003-study-guide

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

A. It provides analytical pivoting and identifies knowledge gaps.
B. It guarantees that the discovered vulnerability will not be exploited again in the future.
C. It provides concise evidence that can be used in court.
D. It allows for proactive detection and analysis of attack events.
Suggested answer: A

Explanation:

The Diamond Model of Intrusion Analysis is a framework that helps analysts to understand the relationships between the adversary, the victim, the infrastructure, and the capability involved in an attack. It also enables analytical pivoting, which is the process of moving from one piece of information to another related one, and identifies knowledge gaps that need further investigation.

Which of the following does 'federation' most likely refer to within the context of identity and access management?

A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access.
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains.
C. Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user.
D. Correlating one's identity with the attributes and associated applications the user has access to.
Suggested answer: B

Explanation:

Federation is a system of trust between two parties for the purpose of authenticating users and conveying information needed to authorize their access to resources. By using federation, a user can use one set of credentials to access multiple domains that trust each other.

A security analyst noticed the following entry on a web server log:

Warning: fopen(http://127.0.0.1:16): failed to open stream: Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

A. XSS
B. CSRF
C. SSRF
D. RCE
Suggested answer: C

Explanation:

The malicious activity that was most likely attempted is SSRF (Server-Side Request Forgery). This is a type of attack that abuses a vulnerable web application to make requests to other resources on behalf of the web server, typically by supplying an attacker-controlled URL to a server-side fetch function. In this case, the attacker tried to make the script's fopen call open the local loopback address (127.0.0.1) on port 16, a service that is not intended to be exposed to the public. The connection was refused, indicating that the port was closed or filtered; a similar entry naming a different port or an internal host would be the signature of the same probing technique.

Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 2: Software and Application Security, page 66.

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates
Suggested answer: A

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.
Suggested answer: B

Explanation:

A rollback had been executed on the instance. If a database server is restored to a previous state, it may reintroduce a vulnerability that was previously fixed. This can happen as a result of backup and recovery operations, configuration changes, or software updates that revert the system to an earlier image. A rollback undoes the patching or mitigation actions that were applied to remediate the vulnerability, so the scanner correctly reports it again.

Reference: Vulnerability Remediation: It's Not Just Patching, Section: The Remediation Process; Vulnerability assessment for SQL Server, Section: Remediation
