CompTIA CySA+ (CS0-003) Certification Practice Exam

Jonnie Karnath2023-08-15T07:50:03+00:00

CompTIA CySA+ CS0-003 Certification exam is an intermediate-level certification that validates skills and knowledge in the field of cybersecurity analysis. Passing this exam demonstrates that a candidate has the knowledge and skills required to identify and address cybersecurity threats and vulnerabilities. If you are preparing for the CompTIA CySA+ CS0-003 Certification exam, Certspots offers a free online CompTIA CySA+ CS0-003 practice exam to help you assess your readiness. This CompTIA CySA+ CS0-003 practice exam is designed to simulate the actual exam experience, with questions that closely mirror those found on the real exam. By taking this CompTIA CySA+ CS0-003 practice exam, you can identify areas where you may need to focus your study efforts, and gain confidence in your ability to pass the actual exam.

Page 1 of 4

1. An analyst is reviewing a vulnerability report for a server environment with the following entries:

Which of the following systems should be prioritized for patching first?

10.101.27.98

54.73.225.17

54.74.110.26

54.74.110.228

2. Which of the following would help to minimize human engagement and aid in process improvement in security operations?

OSSTMM

SIEM

SOAR

QVVASP

3. A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment.

Which of the following implications should be considered on the new hybrid environment?

The current scanners should be migrated to the cloud

Cloud-specific misconfigurations may not be detected by the current scanners

Existing vulnerability scanners cannot scan laaS systems

Vulnerability scans on cloud environments should be performed from the cloud

4. As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?

Critical asset list

Threat vector

Attack profile

Hypothesis

5. An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft.

Which of the following would be the best threat intelligence source to learn about this new campaign?

Information sharing organization

Blogs/forums

Cybersecurity incident response team

Deep/dark web

6. An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware.

Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Scope

Weaponization

CVSS

Asset value

7. Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Identify any improvements or changes in the incident response plan or procedures

Determine if an internal mistake was made and who did it so they do not repeat the error

Present all legal evidence collected and turn it over to iaw enforcement

Discuss the financial impact of the incident to determine if security controls are well spent

8. The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released.

Which of the following would best protect this organization?

A mean time to remediate of 30 days

A mean time to detect of 45 days

A mean time to respond of 15 days

Third-party application testing

9. Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet.

Which of the following would be the best action for the incident response team to recommend?

Isolate Joe's PC from the network

Reimage the PC based on standard operating procedures

Initiate a remote wipe of Joe's PC using mobile device management

Perform no action until HR or legal counsel advises on next steps

10. The Company shall prioritize patching of publicly available systems and services over patching of

internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

Option A

Option B

Option C

Option D

Page 2 of 4

11. A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack.

Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Weaponization

Reconnaissance

Delivery

Exploitation

12. A forensic analyst is conducting an investigation on a compromised server

Which of the following should the analyst do first to preserve evidence''

Restore damaged data from the backup media

Create a system timeline

Monitor user access to compromised systems

Back up all log files and audit trails

13. An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country.

Which of the following describes what the analyst has noticed?

Beaconing

Cross-site scripting

Buffer overflow

PHP traversal

14. While reviewing system logs, a network administrator discovers the following entry:

Which of the following occurred?

An attempt was made to access a remote workstation.

The PsExec services failed to execute.

A remote shell failed to open.

A user was trying to download a password file from a remote system.

15. A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets.

Which of the following contains the most useful information to produce this script?

API documentation

Protocol analysis captures

MITRE ATT&CK reports

OpenloC files

16. A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization.

Which of the following will produce the data needed for the briefing?

Firewall logs

Indicators of compromise

Risk assessment

Access control lists

17. A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself.

Which of the following can the analyst perform to see the entire contents of the downloaded files?

Change the display filter to f cp. accive. pore

Change the display filter to tcg.port=20

Change the display filter to f cp-daca and follow the TCP streams

Navigate to the File menu and select FTP from the Export objects option

18. A security analyst is trying to identify anomalies on the network routing.

Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

function x() { info=$(geoiplookup $1) && echo "$1 | $info" }

function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" }

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }

19. Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

The lead should review what is documented in the incident response policy or plan

Management level members of the CSIRT should make that decision

The lead has the authority to decide who to communicate with at any t me

Subject matter experts on the team should communicate with others within the specified area of expertise

20. A security analyst needs to automate the incident response process for malware infections.

When the following logs are generated, an alert email should automatically be sent within 30 minutes:

Which of the following is the best way for the analyst to automate alert generation?

Deploy a signature-based IDS

Install a UEBA-capable antivirus

Implement email protection with SPF

Create a custom rule on a SIEM

Page 3 of 4

21. An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets.

Which of the following steps of an attack framework is the analyst witnessing?

Exploitation

Reconnaissance

Command and control

Actions on objectives

22. A company's legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. The department has asked a security analyst to help tailor the response plan to provide broad coverage for many situations.

Which of the following is the best way to achieve this goal?

Focus on incidents that have a high chance of reputation harm.

Focus on common attack vectors first.

Focus on incidents that affect critical systems.

Focus on incidents that may require law enforcement support.

23. A security analyst received a malicious binary file to analyze.

Which of the following is the best technique to perform the analysis?

Code analysis

Static analysis

Reverse engineering

Fuzzing

24. A security analyst is reviewing the network security monitoring logs listed below:

Which of the following is the analyst most likely observing? (Select two).

10.1.1.128 sent potential malicious traffic to the web server.

10.1.1.128 sent malicious requests, and the alert is a false positive

10.1.1.129 successfully exploited a vulnerability on the web server

10.1.1.129 sent potential malicious requests to the web server

10.1.1.129 can determine mat port 443 is being used

10.1.1.130 can potentially obtain information about the PHP version

25. A security analyst performs a weekly vulnerability scan on a network that has 240 devices and receives a report with 2.450 pages.

Which of the following would most likely decrease the number of false positives?

Manual validation

Penetration testing

A known-environment assessment

Credentialed scanning

26. A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation.

Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Create a timeline of events detailinq the date stamps, user account hostname and IP information associated with the activities

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identity the case as an HR-related investigation

Notify the SOC manager for awareness after confirmation that the activity was intentional

27. A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data.

Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

Credentialed network scanning

Passive scanning

Agent-based scanning

Dynamic scanning

28. Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Command and control

Actions on objectives

Exploitation

Delivery

29. A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS.

Which of the following most likely describes the observed activity?

There is an issue with the SSL certificate causinq port 443 to become unavailable for HTTPS access

An on-path attack is being performed by someone with internal access that forces users into port 80

The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80

An error was caused by BGP due to new rules applied over the company's internal routers

30. During an investigation, an analyst discovers the following rule in an executive's email client:

The executive is not aware of this rule.

Which of the following should the analyst do first to evaluate the potential impact of this security incident?

Check the server logs to evaluate which emails were sent to <someaddress@domain,com>.

Use the SIEM to correlate logging events from the email server and the domain server.

Remove the rule from the email client and change the password.

Recommend that the management team implement SPF and DKI

Page 4 of 4

31. Which of the following describes the difference between intentional and unintentional insider threats?

Their access levels will be different

The risk factor will be the same

Their behavior will be different

The rate of occurrence will be the same

32. Which of the following ICS network protocols has no inherent security functions on TCP port 502?

CIP

DHCP

SSH

Modbus

33. A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers.

Which of the following actions would allow the analyst to achieve the objective?

Upload the binary to an air gapped sandbox for analysis

Send the binaries to the antivirus vendor

Execute the binaries on an environment with internet connectivity

Query the file hashes using VirusTotal

34. A security analyst is supporting an embedded software team.

Which of the following is the best recommendation to ensure proper error handling at runtime?

Perform static code analysis.

Require application fuzzing.

Enforce input validation.

Perform a code review.

35. The following output is from a tcpdump al the edge of the corporate network:

Which of the following best describes the potential security concern?

Payload lengths may be used to overflow buffers enabling code execution.

Encapsulated traffic may evade security monitoring and defenses

This traffic exhibits a reconnaissance technique to create network footprints.

The content of the traffic payload may permit VLAN hopping.

36. A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program.

Which of the following is the most appropriate product category for this purpose?

SCAP

SOAR

UEBA

WAF

37. A cybersecurity analyst is concerned about attacks that use advanced evasion techniques.

Which of the following would best mitigate such attacks?

Keeping IPS rules up to date

Installing a proxy server

Applying network segmentation

Updating the antivirus software

38. An organization wants to move non-essential services into a cloud computing environment. The management team has a cost focus and would like to achieve a recovery time objective of 12 hours.

Which of the following cloud recovery strategies would work best to attain the desired outcome?

Duplicate all services in another instance and load balance between the instances.

Establish a hot site with active replication to another region within the same cloud provider.

Set up a warm disaster recovery site with the same cloud provider in a different region.

Configure the systems with a cold site at another cloud provider that can be used for failover.

39. A security analyst is logged on to a jump server to audit the system configuration and status.

The organization's policies for access to and configuration of the jump server include the following:

• No network access is allowed to the internet.

• SSH is only for management of the server.

• Users must utilize their own accounts, with no direct login as an administrator.

• Unnecessary services must be disabled.

The analyst runs netstar with elevated permissions and receives the following output:

Which of the following policies does the server violate?

Unnecessary services must be disabled.

SSH is only for management of the server.

No network access is allowed to the internet.

Users must utilize their own accounts, with no direct login as an administrator.

Facebook Twitter LinkedIn Google + Email