CS0-003
Exam Name: CompTIA Cybersecurity Analyst (CySA+) Exam
Full version: 128 Q&As
Share some CS0-003 exam dumps below.
1. An analyst has been asked to validate the potential risk of a new ransomware campaign that
the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a
very small spring used in the newest fighter jet and is a critical piece of the supply chain for this
aircraft.
Which of the following would be the best threat intelligence source to learn about this new
campaign?
A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web
Answer: A
Explanation:
An information sharing organization is a group or network of organizations that share threat
intelligence, best practices, or lessons learned related to cybersecurity issues or incidents. An
information sharing organization can help security analysts learn about new ransomware
campaigns or other emerging threats, as well as get recommendations or guidance on how to
prevent, detect, or respond to them. An information sharing organization can also help security
analysts collaborate or coordinate with other organizations in the same industry or region that
may face similar threats or challenges.
2. In situations where a choice must be made between confidentiality and availability, the
Company shall prioritize confidentiality of data over availability of systems and data.
3. Members of the sales team are using email to send sensitive client lists with contact
information to their personal accounts The company's AUP and code of conduct prohibits this
practice.
Which of the following configuration changes would improve security and help prevent this from
occurring?
A. Configure the DLP transport rules to provide deep content analysis.
B. Put employees' personal email accounts on the mail server on a blocklist.
C. Set up IPS to scan for outbound emails containing names and contact information.
D. Use Group Policy to prevent users from copying and pasting information into emails.
E. Move outbound emails containing names and contact information to a sandbox for further
examination.
Answer: A
Explanation:
Data loss prevention (DLP) is a set of policies and tools that aim to prevent unauthorized
disclosure of sensitive data. DLP transport rules are rules that apply to email messages that are
sent or received by an organization’s mail server. These rules can provide deep content
analysis, which means they can scan the content of email messages and attachments for
sensitive data patterns, such as client lists or contact information. If a rule detects a violation of
the DLP policy, it can take actions such as blocking, quarantining, or notifying the sender or
recipient. This would improve security and help prevent sales team members from sending
sensitive client lists to their personal accounts.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 14; https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/data-loss-prevention
4. A security analyst performs a weekly vulnerability scan on a network that has 240 devices
and receives a report with 2,450 pages.
Which of the following would most likely decrease the number of false positives?
A. Manual validation
B. Penetration testing
C. A known-environment assessment
D. Credentialed scanning
Answer: D
Explanation:
Credentialed scanning is a method of vulnerability scanning that uses valid user credentials to
access the target systems and perform a more thorough and accurate assessment of their
security posture. Credentialed scanning can help to reduce the number of false positives by
allowing the scanner to access more information and resources on the systems, such as
configuration files, registry keys, installed software, patches, and permissions.
Reference: https://www.tenable.com/blog/credentialed-vulnerability-scanning-what-why-and-how
5. A security analyst notices the following proxy log entries:
Which of the following is the user attempting to do based on the log entries?
A. Use a DoS attack on external hosts.
B. Exfiltrate data.
C. Scan the network.
D. Relay email.
Answer: C
Explanation:
Scanning the network is what the user is attempting to do based on the log entries. The log
entries show that the user is sending ping requests to various IP addresses on different ports
using a proxy server. Ping requests are a common network diagnostic tool that can be used to
test network connectivity and latency by sending packets of data and measuring their response
time. However, ping requests can also be used by attackers to scan the network and discover
active hosts, open ports, or potential vulnerabilities.
6. There are several reports of sensitive information being disclosed via file sharing services.
The company would like to improve its security posture against this threat.
Which of the following security controls would best support the company in this scenario?
A. Implement step-up authentication for administrators
B. Improve employee training and awareness
C. Increase password complexity standards
D. Deploy mobile device management
Answer: B
Explanation:
The best security control to implement against sensitive information being disclosed via file
sharing services is to improve employee training and awareness. Employee training and
awareness can help educate employees on the risks and consequences of using file sharing
services for sensitive information, as well as the policies and procedures for handling such
information securely and appropriately. Employee training and awareness can also help foster a
security culture and encourage employees to report any incidents or violations of information
security.
7. Which of the following lines from this output most likely indicates that attackers could quickly
use brute force and determine the negotiated secret session key?
A. TLS_RSA_WITH_DES_CBC_SHA 56
B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)
C. TLS_RSA_WITH_AES_256_CBC_SHA 256
D. TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)
Answer: B
Explanation:
The line from this output that most likely indicates that attackers could quickly use brute force
and determine the negotiated secret session key is
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits). This line indicates that the
cipher suite uses Diffie-Hellman ephemeral (DHE) key exchange with RSA authentication, AES
128-bit encryption with cipher block chaining (CBC) mode, and SHA-1 hashing. The DHE key
exchange uses a 1024-bit Diffie-Hellman group, which is considered too weak for modern
security standards and can be broken by attackers using sufficient computing power. The other
lines indicate stronger cipher suites that use longer key lengths or more secure algorithms.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://learn.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel
8. An analyst is reviewing a vulnerability report for a server environment with the following
entries:
Which of the following systems should be prioritized for patching first?
A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228
Answer: D
Explanation:
The system that should be prioritized for patching first is 54.74.110.228, as it has the highest
number and severity of vulnerabilities among the four systems listed in the vulnerability report.
According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium
severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182
(DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are
all remote code execution vulnerabilities that can allow an attacker to compromise the system
without any user interaction or authentication. These vulnerabilities pose a high risk to the
system and should be patched as soon as possible.
9. During an audit, several customer order forms were found to contain inconsistencies between
the actual price of an item and the amount charged to the customer. Further investigation
narrowed the cause of the issue to manipulation of the public-facing web form used by
customers to order products.
Which of the following would be the best way to locate this issue?
A. Reduce the session timeout threshold
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a dynamic code analysis.
Answer: C
Explanation:
Implementing input validation is the best way to locate and prevent the issue of manipulation of
the public-facing web form used by customers to order products. Input validation is a technique
that checks and filters any user input that is sent to an application before processing it. Input
validation can help to ensure that the user input conforms to the expected format, length and
type, and does not contain any malicious characters or syntax that may alter the logic or
behavior of the application. Input validation can also reject or sanitize any input that does not
meet the validation criteria.
Reference: https://portswigger.net/web-security/input-validation
10. Given the Nmap request below:
Which of the following actions will an attacker be able to initiate directly against this host?
A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection
Answer: C
Explanation:
The Nmap command given in the question performs a TCP SYN scan (-sS), a service version
detection scan (-sV), an OS detection scan (-O), and a port scan for ports 1-1024 (-p 1-1024) on
the host 192.168.1.1. This command will reveal information about the host’s operating system,
open ports, and running services, which can be used by an attacker to launch a brute-force
attack against the host. A brute-force attack is a method of guessing passwords or encryption
keys by trying many possible combinations until finding the correct one. An attacker can use the
information from the Nmap scan to target specific services or protocols that may have weak or
default credentials, such as FTP, SSH, Telnet, or HTTP.
11. A security analyst is trying to identify anomalies on the network routing.
Which of the following functions can the analyst use on a shell script to achieve the objective
most accurately?
A. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
B. function x() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $5}') && echo "$1 | $info" }
C. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
D. function x() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info" }
Answer: C
Explanation:
The function that can be used on a shell script to identify anomalies on the network routing most
accurately is:
function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
This function takes an IP address as an argument and performs two DNS lookups using the dig
command. The first lookup uses the -x option to perform a reverse DNS lookup on the IP address;
the awk filter keeps the reversed-octet label of the resulting in-addr.arpa name. The second lookup
appends origin.asn.cymru.com to that label and queries its TXT record, which returns the
autonomous system number (ASN) and other information related to the IP address. The
function then prints the IP address and the ASN information, which can help identify any routing
anomalies or inconsistencies.
12. Due to reports of unauthorized activity that was occurring on the internal network, an analyst
is performing a network discovery. The analyst runs an Nmap scan against a corporate network
to evaluate which devices were operating in the environment.
Given the following output:
Which of the following choices should the analyst look at first?
A. wh4dc-748gy.lan (192.168.86.152)
B. lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)
Answer: E
Explanation:
The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious
device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB
device that can perform various attacks, such as keystroke injection, network sniffing, man-in-
the-middle, or backdoor creation. The presence of a device with this name on the network could
indicate that an attacker has plugged in a malicious USB device to a system and gained access
to the network.
Reference: https://github.com/mame82/P4wnP1_aloa
13. A Chief Information Security Officer (CISO) is concerned about new privacy regulations that
apply to the company. The CISO has tasked a security analyst with finding the proper control
functions to verify that a user's data is not altered without the user's consent.
Which of the following would be an appropriate course of action?
A. Automate the use of a hashing algorithm after verified users make changes to their data.
B. Use encryption first and then hash the data at regular, defined times.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
D. Replicate the data sets at regular intervals and continuously compare the copies for
unauthorized changes.
Answer: A
Explanation:
Automating the use of a hashing algorithm after verified users make changes to their data is an
appropriate course of action to verify that a user’s data is not altered without the user’s
consent. Hashing is a technique that produces a unique and fixed-length value for a given input,
such as a file or a message. Hashing can help to verify the data integrity by comparing the hash
values of the original and modified data. If the hash values match, then the data has not been
altered without the user’s consent. If the hash values differ, then the data may have been
tampered with or corrupted.
14. A security analyst is performing an investigation involving multiple targeted Windows
malware binaries. The analyst wants to gather intelligence without disclosing information to the
attackers.
Which of the following actions would allow the analyst to achieve the objective?
A. Upload the binary to an air gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity
D. Query the file hashes using VirusTotal
Answer: A
Explanation:
The best action that would allow the analyst to gather intelligence without disclosing information
to the attackers is to upload the binary to an air gapped sandbox for analysis. An air gapped
sandbox is an isolated environment that has no connection to any external network or system.
Uploading the binary to an air gapped sandbox can prevent any communication or interaction
between the binary and the attackers, as well as any potential harm or infection to other
systems or networks. An air gapped sandbox can also allow the analyst to safely analyze and
observe the behavior, functionality, or characteristics of the binary.
15. A cybersecurity analyst is researching operational data to develop a script that will detect
the presence of a threat on corporate assets.
Which of the following contains the most useful information to produce this script?
A. API documentation
B. Protocol analysis captures
C. MITRE ATT&CK reports
D. OpenIoC files
Answer: C
Explanation:
A cybersecurity analyst is researching operational data to develop a script that will detect the
presence of a threat on corporate assets. The most useful information to produce this script is
MITRE ATT&CK reports. MITRE ATT&CK is a knowledge base of adversary tactics and
techniques based on real-world observations. MITRE ATT&CK reports provide detailed
information on how different threat actors operate, what tools they use, what indicators they
leave behind, and how to detect or mitigate their attacks. The other options are not as useful or
relevant for this purpose.
Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 9; https://attack.mitre.org/
16. A user reports a malware alert to the help desk. A technician verifies the alert, determines
the workstation is classified as a low-severity device, and uses network controls to block
access. The technician then assigns the ticket to a security analyst who will complete the
eradication and recovery processes.
Which of the following should the security analyst do next?
A. Document the procedures and walk through the incident training guide.
B. Reverse engineer the malware to determine its purpose and risk to the organization.
C. Sanitize the workstation and verify countermeasures are restored.
D. Isolate the workstation and issue a new computer to the user.
Answer: C
Explanation:
Sanitizing the workstation and verifying countermeasures are restored are part of the
eradication and recovery processes that the security analyst should perform next. Eradication is
the process of removing malware or other threats from the affected systems, while recovery is
the process of restoring normal operations and functionality to the affected systems. Sanitizing
the workstation can involve deleting or wiping any malicious files or programs, while verifying
countermeasures are restored can involve checking and updating any security controls or
settings that may have been compromised.
Reference: https://www.cynet.com/incident-response/incident-response-sans-the-6-steps-in-depth/
17. The security team reviews a web server for XSS and runs the following Nmap scan:
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Answer: D
Explanation:
A cross-site scripting (XSS) attack is a type of web application attack that injects malicious code
into a web page that is then executed by the browser of a victim user. A reflected XSS attack is
a type of XSS attack where the malicious code is embedded in a URL or a form parameter that
is sent to the web server and then reflected back to the user’s browser. In this case, the Nmap
scan shows that the web server is vulnerable to a reflected XSS attack, as it returns the
characters > and " without any filtering or encoding. The vulnerable parameter is id in the URL
http://172.31.15.2/1.php?id=2.
18. Which of the following security operations tasks are ideal for automation?
A. Suspicious file analysis:
- Look for suspicious-looking graphics in a folder.
- Create subfolders in the original folder based on category of graphics found.
- Move the suspicious graphics to the appropriate subfolder.
B. Firewall IoC block actions:
- Examine the firewall logs for IoCs from the most recently published zero-day exploit.
- Take mitigating actions in the firewall to block the behavior found in the logs.
- Follow up on any false positives that were caused by the block rules.
C. Security application user errors:
- Search the error logs for signs of users having trouble with the security application.
- Look up the user's phone number.
- Call the user to help with any questions about using the application.
D. Email header analysis:
- Check the email header for a phishing confidence metric greater than or equal to five.
- Add the domain of sender to the block list.
- Move the email to quarantine.
Answer: D
Explanation:
Email header analysis is one of the security operations tasks that are ideal for automation.
Email header analysis involves checking the email header for various indicators of phishing or
spamming attempts, such as sender address spoofing, mismatched domains, suspicious
subject lines, or phishing confidence metrics. Email header analysis can be automated using
tools or scripts that can parse and analyze email headers and take appropriate actions based
on predefined rules or thresholds.
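Option D's three steps as one automated triage routine, added here as an example (it is not exam material or any vendor's code); the header name X-Phishing-Confidence, the helper names and the three sample messages are assumed or constructed, and messages with no usable score fall back to human review instead of silent delivery:

```python
"""Automated e-mail header triage for the three steps in option D:
score the header, block the sender's domain, quarantine the message."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Optional

# Assumed header name carrying the gateway's phishing confidence metric.
PHISHING_HEADER = "X-Phishing-Confidence"
THRESHOLD = 5  # "greater than or equal to five" per the task description


def parse_message(raw: str) -> EmailMessage:
    """Parse raw RFC 5322 text; header names are matched case-insensitively."""
    return email.message_from_string(raw, policy=policy.default)


def sender_domain(msg: EmailMessage) -> Optional[str]:
    """Lower-cased domain of the From: address, or None when absent/malformed."""
    _, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def phishing_score(msg: EmailMessage) -> Optional[int]:
    """Numeric confidence metric, or None if the header is missing or not an int."""
    try:
        return int(str(msg.get(PHISHING_HEADER)).strip())
    except ValueError:
        return None


def triage(raw: str, blocklist: set) -> dict:
    """score >= THRESHOLD: add sender domain to blocklist and quarantine.
    A message with no usable score or sender goes to human review rather
    than being silently delivered (the failure mode automation must not hide)."""
    msg = parse_message(raw)
    score, domain = phishing_score(msg), sender_domain(msg)
    if score is None or domain is None:
        return {"action": "review", "domain": domain, "score": score}
    if score >= THRESHOLD:
        blocklist.add(domain)
        return {"action": "quarantine", "domain": domain, "score": score}
    return {"action": "deliver", "domain": domain, "score": score}


# Constructed sample messages (not real mail).
PHISH_MAIL = (
    "From: Payroll <billing@invoice-update.example>\r\n"
    f"Subject: Urgent: confirm your account\r\n{PHISHING_HEADER}: 7\r\n"
    "\r\nPlease click the link below.\r\n"
)
CLEAN_MAIL = (
    "From: Alice <alice@corp.example>\r\n"
    f"Subject: Lunch?\r\n{PHISHING_HEADER}: 1\r\n\r\nNoon works for me.\r\n"
)
UNSCORED_MAIL = "From: <someone@partner.example>\r\nSubject: No metric\r\n\r\nBody.\r\n"

if __name__ == "__main__":
    blocked: set = set()
    for sample in (PHISH_MAIL, CLEAN_MAIL, UNSCORED_MAIL):
        print(triage(sample, blocked))
    print("blocklist:", sorted(blocked))
```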
19. Legacy medical equipment, which contains sensitive data, cannot be patched.
Which of the following is the best solution to improve the equipment's security posture?
A. Move the legacy systems behind a WAF
B. Implement an air gap for the legacy systems.
C. Place the legacy systems in the perimeter network.
D. Implement a VPN between the legacy systems and the local network.
Answer: B
Explanation:
Implementing an air gap for the legacy systems is the best solution to improve their security
posture. An air gap is a physical separation of a system or network from any other system or
network that may pose a threat. An air gap can prevent any unauthorized access or data
transfer between the isolated system or network and the external environment. Implementing an
air gap for the legacy systems can help to protect them from being exploited by attackers who
may take advantage of their unpatched vulnerabilities.
20. An organization conducted a web application vulnerability assessment against the corporate
website, and the following output was observed:
Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
Answer: B
Explanation:
The output shows that the web application is vulnerable to clickjacking attacks, which allow an
attacker to overlay a hidden frame on top of a legitimate page and trick users into clicking on
malicious links. Blocking requests without an X-Frame-Options header can prevent this attack
by instructing the browser to not display the page within a frame.