CompTIA CS0-003 Practice Test - Questions Answers, Page 5

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster
Suggested answer: A

Explanation:

The first step that should be performed when establishing a disaster recovery plan is to agree on the goals and objectives of the plan. The goals and objectives of the plan should define what the plan aims to achieve, such as minimizing downtime, restoring critical functions, ensuring data integrity, or meeting compliance requirements. The goals and objectives of the plan should also be aligned with the business needs and priorities of the organization and be measurable and achievable.

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A. Testing
B. Implementation
C. Validation
D. Rollback
Suggested answer: C

Explanation:

The next step in the remediation process after applying a software patch is validation. Validation is a process that involves verifying that the patch has been successfully applied, that it has fixed the vulnerability, and that it has not caused any adverse effects on the system or application functionality or performance. Validation can be done using various methods, such as scanning, testing, monitoring, or auditing.

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation
Suggested answer: C

Explanation:

The endpoint log entry shows that a new account named "admin" has been created on a Windows system with a local group membership of "Administrators". This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.
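The explanation above describes the pattern a detection should key on: an account-creation event followed shortly by that same account being added to the local Administrators group. The following is an added example, not part of the practice test or any vendor's product, that correlates the two events over a few constructed log lines. The log format (timestamp followed by key=value pairs) and the field names are hypothetical; the event IDs are loosely modelled on the Windows Security log (4720 account created, 4732 member added to a local group, 4657 registry value modified) but the lines themselves are made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample endpoint log lines in a hypothetical key=value format.
# Event IDs are modelled on Windows Security events (4720 = user account
# created, 4732 = member added to a security-enabled local group,
# 4657 = registry value modified). Not the log entry from the exam question.
SAMPLE_LOG = """\
2024-05-01T10:01:12Z host=WS01 EventID=4720 Subject=CORP\\jdoe Target=admin
2024-05-01T10:01:13Z host=WS01 EventID=4732 Subject=CORP\\jdoe Member=admin Group=Administrators
2024-05-01T10:05:40Z host=WS02 EventID=4720 Subject=CORP\\svc_it Target=tempuser
2024-05-01T10:07:02Z host=WS02 EventID=4732 Subject=CORP\\svc_it Member=tempuser Group="Remote Desktop Users"
2024-05-01T11:20:00Z host=WS03 EventID=4657 Subject=CORP\\jdoe Object="HKLM\\SOFTWARE\\Example\\Run"
"""

# key=value pairs; a quoted value may contain spaces (e.g. a group name).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Coarse per-event label, matching the categories the question offers.
EVENT_LABELS = {
    "4720": "New account introduced",
    "4732": "Local group membership added",
    "4657": "Registry change",
}


def parse_line(line):
    """Split '<timestamp> key=value ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify_event(event):
    """Label a single event; on its own, 4720 is only 'new account introduced'."""
    return EVENT_LABELS.get(event.get("EventID"), "Other")


def find_privileged_new_accounts(events, window=timedelta(minutes=5)):
    """Correlate an account creation (4720) with a later add of that same
    account to the Administrators group (4732) on the same host within
    `window`. A creation alone, or an add to a non-privileged group, is
    not reported, which keeps the alert focused on the admin-backdoor case."""
    findings = []
    for c in events:
        if c.get("EventID") != "4720":
            continue
        for e in events:
            if (e.get("EventID") == "4732"
                    and e.get("host") == c.get("host")
                    and e.get("Member") == c.get("Target")
                    and e.get("Group") == "Administrators"
                    and timedelta(0) <= e["ts"] - c["ts"] <= window):
                findings.append({
                    "host": c["host"],
                    "account": c["Target"],
                    "created_by": c["Subject"],
                    "elevated_at": e["ts"],
                    "verdict": "New account introduced with administrative privileges",
                })
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for ev in evts:
        print(ev["ts"].isoformat(), ev["host"], classify_event(ev))
    for hit in find_privileged_new_accounts(evts):
        print("ALERT:", hit)
```

Run as a script it labels each line and raises one alert, for WS01, where "admin" is created and added to Administrators one second later; the "tempuser" creation on WS02 is classified as a new account but not escalated, because the group it joins is not Administrators. In a real pipeline the correlation window and the set of privileged groups would be tuned per environment.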

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
Suggested answer: D

Explanation:

A single pane of glass is a term that describes a unified view or interface that integrates multiple tools or data sources into one dashboard or console. A single pane of glass can help improve security operations by providing visibility, correlation, analysis, and alerting capabilities across various security controls and systems. A single pane of glass can also help reduce complexity, improve efficiency, and enhance decision making for security analysts. In this case, a security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM, which provides a single pane of glass for security operations.

Official Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-seven-steps-cyberattack

Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

A. wh4dc-748gy.lan (192.168.86.152)
B. lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)
Suggested answer: E

Explanation:

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network.

Official Reference: https://github.com/mame82/P4wnP1_aloa

When starting an investigation, which of the following must be done first?

A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses
Suggested answer: B

Explanation:

The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified area of expertise
Suggested answer: A

Explanation:

The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists
Suggested answer: B

Explanation:

Indicators of compromise (IoCs) are pieces of data or evidence that suggest a system or network has been compromised by an attacker or malware. IoCs can include IP addresses, domain names, URLs, file hashes, registry keys, network traffic patterns, user behaviors, or system anomalies. IoCs can be used to detect, analyze, and respond to security incidents, as well as to share threat intelligence with other organizations or authorities. IoCs can produce the data needed for an executive briefing on possible threats to the organization, as they can provide information on the source, nature, scope, impact, and mitigation of the threats.

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

A. Beaconing
B. Cross-site scripting
C. Buffer overflow
D. PHP traversal
Suggested answer: A

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port=20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option
Suggested answer: C

Explanation:

The best way to see the entire contents of the downloaded files in Wireshark is to change the display filter to ftp-data and follow the TCP streams. FTP-data is a protocol that is used to transfer files between an FTP client and server using TCP port 20. By filtering for ftp-data packets and following the TCP streams, the analyst can see the actual file data that was transferred during the FTP session.
