Summer Special Sale - 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: spcl70

Practice Free CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Questions Answers With Explanation

We at Crack4sure are committed to giving students who are preparing for the CompTIA CS0-003 Exam the most current and reliable questions . To help people study, we've made some of our CompTIA CyberSecurity Analyst CySA+ Certification Exam exam materials available for free to everyone. You can take the Free CS0-003 Practice Test as many times as you want. The answers to the practice questions are given, and each answer is explained.

Question # 6

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

CS0-003 question answer

Which of the following should be remediated first?

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Question # 7

Which of the following does " federation " most likely refer to within the context of identity and access management?

A.

Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access

B.

An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains

C.

Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user

D.

Correlating one ' s identity with the attributes and associated applications the user has access to

Question # 8

Which of the following risk management principles is accomplished by purchasing cyber insurance?

A.

Accept

B.

Avoid

C.

Mitigate

D.

Transfer

Question # 9

A security analyst wants to implement new monitoring controls in order to find abnormal account activity for traveling employees. Which of the following techniques would deliver the expected results?

A.

Malicious command interpretation

B.

Network monitoring

C.

User behavior analysis

D.

SSL inspection

Question # 10

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server

logs for evidence of exploitation of that particular vulnerability?

A.

/etc/ shadow

B.

curl localhost

C.

; printenv

D.

cat /proc/self/

Question # 11

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

CS0-003 question answer

Which of the following tuning recommendations should the security analyst share?

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Question # 12

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

A.

Weaponization

B.

Reconnaissance

C.

Delivery

D.

Exploitation

Question # 13

A systems administrator is reviewing after-hours traffic flows from data center servers and sees regular, outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A.

Command-and-control beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Question # 14

Which of the following is a KPI that is used to monitor or report on the effectiveness of an incident response reporting and communication program?

A.

Incident volume

B.

Mean time to detect

C.

Average time to patch

D.

Remediated incidents

Question # 15

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization ' s endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor ' s actions?

A.

Delivery

B.

Reconnaissance

C.

Exploitation

D.

Weaponizatign

Question # 16

A vulnerability scan shows the following issues:

Asset Type

CVSS Score

Exploit Vector

Workstations

6.5

RDP vulnerability

Storage Server

9.0

Unauthorized access due to server application vulnerability

Firewall

8.9

Default password vulnerability

Web Server

10.0

Zero-day vulnerability (vendor working on patch)

Which of the following actions should the security analyst take first?

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Question # 17

Which of the following most accurately describes the Cyber Kill Chain methodology?

A.

It is used to correlate events to ascertain the TTPs of an attacker.

B.

It is used to ascertain lateral movements of an attacker, enabling the process to be stopped.

C.

It provides a clear model of how an attacker generally operates during an intrusion and the actions to take at each stage

D.

It outlines a clear path for determining the relationships between the attacker, the technology used, and the target

Question # 18

The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.

If the venerability is not valid, the analyst must take the proper steps to get the scan clean.

If the venerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

INTRUCTIONS:

The simulation includes 2 steps.

Step1:Review the information provided in the network diagram and then move to the STEP 2 tab.

CS0-003 question answer

CS0-003 question answer

STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.

CS0-003 question answer

Question # 19

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?

A.

To establish what information is allowed to be released by designated employees

B.

To designate an external public relations firm to represent the organization

C.

To ensure that all news media outlets are informed at the same time

D.

To define how each employee will be contacted after an event occurs

Question # 20

K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:

SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;—

Which of the following controls would be best to implement?

A.

Deploy a wireless application protocol.

B.

Remove the end-of-life component.

C.

Implement proper access control.

D.

Validate user input.

Question # 21

An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:

/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user & role=administrator

Which of the following controls would work best to mitigate the attack represented by this snippet?

A.

Limit user creation to administrators only.

B.

Limit layout creation to administrators only.

C.

Set the directory trx_addons to read only for all users.

D.

Set the directory v2 to read only for all users.

Question # 22

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Question # 23

During a routine review of DNS logs, a security analyst observes that Host X has been making frequent DNS requests to domains with random alphanumeric strings, such as ajd8ekthj.xyz. IPS anomaly rules are blocking these domains. This behavior started shortly after a new software installation on the host. Which of the following should the analyst do first to determine whether Host X has been compromised?

A.

Allow the domains because the DNS requests are part of a misconfigured software update.

B.

Check the software installation logs for errors and reinstall the software.

C.

Block all outbound connections from the host to prevent further DNS queries.

D.

Use threat intelligence to check if the queried domains are associated with legitimate sites.

Question # 24

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A.

Log retention

B.

Log rotation

C.

Maximum log size

D.

Threshold value

Question # 25

During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

A.

Disk contents

B.

Backup data

C.

Temporary files

D.

Running processes

Question # 26

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Question # 27

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A.

Add the IP address to the EDR deny list.

B.

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.

C.

Implement a prevention policy for the IP on the WAF

D.

Activate the scan signatures for the IP on the NGFWs.

Question # 28

An organization identifies a method to detect unexpected behavior, crashes, or resource leaks in a system by feeding invalid, unexpected, or random data to stress the application. Which of the following best describes this testing methodology?

A.

Reverse engineering

B.

Static

C.

Fuzzing

D.

Debugging

Question # 29

During the log analysis phase, the following suspicious command is detected-

CS0-003 question answer

Which of the following is being attempted?

A.

Buffer overflow

B.

RCE

C.

ICMP tunneling

D.

Smurf attack

Question # 30

Which of the following will most likely cause severe issues with authentication and logging?

A.

Virtualization

B.

Multifactor authentication

C.

Federation

D.

Time synchronization

Question # 31

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?

A.

Scan the employee ' s computer with virus and malware tools.

B.

Review the actions taken by the employee and the email related to the event

C.

Contact human resources and recommend the termination of the employee.

D.

Assign security awareness training to the employee involved in the incident.

Question # 32

A security analyst has received an incident case regarding malware spreading out of control on a customer ' s network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Question # 33

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

A.

SIEM ingestion logs are reduced by 20%.

B.

Phishing alerts drop by 20%.

C.

False positive rates drop to 20%.

D.

The MTTR decreases by 20%.

Question # 34

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

CS0-003 question answer

Firewall log:

CS0-003 question answer

CS0-003 question answer

File integrity Monitoring Report:

CS0-003 question answer

CS0-003 question answer

Malware domain list:

CS0-003 question answer

Vulnerability Scan Report:

CS0-003 question answer

CS0-003 question answer

Phishing Email:

CS0-003 question answer

CS0-003 question answer

Question # 35

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time?

A.

Patching

B.

Configuration management

C.

Awareness, education, and training

D.

Threat modeling

Question # 36

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

[+] XSS: In form input ' txtSearch ' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

A.

The developer set input validation protection on the specific field of search.aspx.

B.

The developer did not set proper cross-site scripting protections in the header.

C.

The developer did not implement default protections in the web application build.

D.

The developer did not set proper cross-site request forgery protections.

Question # 37

An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

A.

Blocklisting

B.

Allowlisting

C.

Graylisting

D.

Webhooks

Question # 38

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

A.

Block the attacks using firewall rules.

B.

Deploy an IPS in the perimeter network.

C.

Roll out a CDN.

D.

Implement a load balancer.

Question # 39

An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two).

A.

Drop the tables on the database server to prevent data exfiltration.

B.

Deploy EDR on the web server and the database server to reduce the adversaries capabilities.

C.

Stop the httpd service on the web server so that the adversary can not use web exploits

D.

use micro segmentation to restrict connectivity to/from the web and database servers.

E.

Comment out the HTTP account in the / etc/passwd file of the web server

F.

Move the database from the database server to the web server.

Question # 40

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice? (Select two).

A.

Law enforcement

B.

Governance

C.

Legal

D.

Manager

E.

Public relations

F.

Human resources

Question # 41

Which of the following best describes the importance of implementing TAXII as part of a threat intelligence program?

A.

It provides a structured way to gain information about insider threats.

B.

It proactively facilitates real-time information sharing between the public and private sectors.

C.

It exchanges messages in the most cost-effective way and requires little maintenance once implemented.

D.

It is a semi-automated solution to gather threat intellbgence about competitors in the same sector.

Question # 42

A sales application was remediated to address a critical vulnerability. The process took five business hours and was ultimately successful. However, the change advisory board informed the company’s leadership team that the process resulted in a considerable financial loss. Which of the following best explains the reason for the financial loss?

A.

The loss is a normal cost of operations that relies on IT.

B.

The Chief Information Officer did not notify the board members.

C.

The IT team should have hired a penetration testing team before patching.

D.

The maintenance window was not properly communicated or scheduled.

Question # 43

After an upgrade to a new EDR, a security analyst received reports that several endpoints were not communicating with the SaaS provider to receive critical threat signatures. To comply with the incident response playbook, the security analyst was required to validate connectivity to ensure communications. The security analyst ran a command that provided the following output:

    ComputerName: comptia007

    RemotePort: 443

    InterfaceAlias: Ethernet 3

    TcpTestSucceeded: False

Which of the following did the analyst use to ensure connectivity?

A.

nmap

B.

tnc

C.

ping

D.

tracert

Question # 44

A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs.

Which of the following vulnerability management elements will best assist with prioritizing a successful plan?

A.

Affected hosts

B.

Risk score

C.

Mitigation strategy

D.

Annual recurrence

Question # 45

A SOC team lead occasionally collects some DNS information for investigations. The team lead assigns this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

A.

Ask another team member to demonstrate their process.

B.

Email a link to a website that shows someone demonstrating a similar process.

C.

Let the junior analyst research and develop a process.

D.

Write a step-by-step document on the team wiki outlining the process.

Question # 46

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

A.

CIS Benchmarks

B.

PCI DSS

C.

OWASP Top Ten

D.

ISO 27001

Question # 47

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Question # 48

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

A.

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L

B.

CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

C.

CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H

D.

CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

Question # 49

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Question # 50

A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A.

Wipe the computer and reinstall software

B.

Shut down the email server and quarantine it from the network.

C.

Acquire a bit-level image of the affected workstation.

D.

Search for other mail users who have received the same file.

Question # 51

A security operations center receives the following alerts related to an organization ' s cloud tenant:

CS0-003 question answer

Which of the following should an analyst do first to identify the initial compromise?

A.

Search audit logs for all activity under project staging-01 and correlate any actions against VM edoif j34.

B.

Search audit logs for userjdoe12@myorg.com and correlate the successful API requests on project staging-oi.

C.

Review audit logs for any successful compute instance actions targeting project staging-oi during the time of the alerts.

D.

Review logs for any audit action targeting compute instance APIs during the time of the alerts on VM fd03lf .

Question # 52

Which of the following is the best way to begin preparation for a report titled " What We Learned " regarding a recent incident involving a cybersecurity breach?

A.

Determine the sophistication of the audience that the report is meant for

B.

Include references and sources of information on the first page

C.

Include a table of contents outlining the entire report

D.

Decide on the color scheme that will effectively communicate the metrics

Question # 53

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A.

Running regular penetration tests to identify and address new vulnerabilities

B.

Conducting regular security awareness training of employees to prevent social engineering attacks

C.

Deploying an additional layer of access controls to verify authorized individuals

D.

Implementing intrusion detection software to alert security teams of unauthorized access attempts

Question # 54

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization ' s network?

A.

Utilize an RDP session on an unused workstation to evaluate the malware.

B.

Disconnect and utilize an existing infected asset off the network.

C.

Create a virtual host for testing on the security analyst workstation.

D.

Subscribe to an online service to create a sandbox environment.

Question # 55

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device ' s operating system. Which of the following best meets this

requirement?

A.

SIEM

B.

CASB

C.

SOAR

D.

EDR

Question # 56

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes

does this describe?

A.

Business continuity plan

B.

Lessons learned

C.

Forensic analysis

D.

Incident response plan

Question # 57

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

A.

Configure a new SIEM specific to the management of the hosted environment.

B.

Subscribe to a threat feed related to the vendor ' s application.

C.

Use a vendor-provided API to automate pulling the logs in real time.

D.

Download and manually import the logs outside of business hours.

Question # 58

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS: 3.1/AV:N/AC: L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

A.

E:U

B.

S:C

C.

RC:R

D.

AV:N

E.

AC:L

Question # 59

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

CS0-003 question answer

Which of the following vulnerability types is the security analyst validating?

A.

Directory traversal

B.

XSS

C.

XXE

D.

SSRF

Question # 60

Results of a SOC customer service evaluation indicate high levels of dissatisfaction with the inconsistent services provided after regular work hours. To address this, the SOC lead drafts a document establishing customer expectations regarding the SOC ' s performance and quality of services. Which of the following documents most likely fits this description?

A.

Risk management plan

B.

Vendor agreement

C.

Incident response plan

D.

Service-level agreement

Question # 61

Which of the following choices is most likely to cause obstacles in vulnerability remediation?

A.

Not meeting an SLA

B.

Patch prioritization

C.

Organizational governance

D.

Proprietary systems

Question # 62

After a risk assessment, a server was found hosting a vulnerable legacy system that has the following characteristics:

• There is no patch or official fix available from the vendor.

• There is no official support provided by the vendor.

• Customers consider the system mission critical.

Which of the following actions will best decrease the risk posed by the legacy system?

A.

Decommission the server immediately and find a new solution to replace the legacy system.

B.

Implement firewall rules to block inbound connections and allow outbound traffic.

C.

Install and configure a web application firewall tailored to the legacy server.

D.

Apply compensating controls, including isolation, restricted access, and continuous monitoring.

Question # 63

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A.

Data enrichment

B.

Security control plane

C.

Threat feed combination

D.

Single pane of glass

Question # 64

An organization is conducting a pilot deployment of an e-commerce application. The application ' s source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?

A.

Static testing

B.

Vulnerability testing

C.

Dynamic testing

D.

Penetration testing

Question # 65

A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server. Which of the following will the analyst most likely recommend?

A.

Sandboxing

B.

MFA

C.

DKIM

D.

Vulnerability scan

Question # 66

Which of the following is the best technical method to protect sensitive data at an organizational level?

A.

Deny all traffic on port 8080 with sensitive information on the VLAN.

B.

Develop a Python script to review email traffic for PII.

C.

Employ a restrictive policy for the use and distribution of sensitive information.

D.

Implement a DLP for all egress and ingress of sensitive information on the network.

Question # 67

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

A.

Run the operating system update tool to apply patches that are missing.

B.

Contract an external penetration tester to attempt a brute-force attack.

C.

Download a vendor support agent to validate drivers that are installed.

D.

Execute a vulnerability scan against the target host.

Question # 68

Which of the following would eliminate the need for different passwords for a variety or internal application?

A.

CASB

B.

SSO

C.

PAM

D.

MFA

Question # 69

An organization has implemented code into a production environment. During a routine test, a penetration tester found that some of the code had a backdoor implemented, causing a developer to make changes outside of the change management windows. Which of the following is the best way to prevent this issue?

A.

SDLC training

B.

Dynamic analysis

C.

Debugging

D.

Source code review

Question # 70

A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

CS0-003 question answer

Which of the following hosts should be patched first, based on the metrics?

A.

host01

B.

host02

C.

host03

D.

host04

Question # 71

Which of the following characteristics ensures the security of an automated information system is the most effective and economical?

A.

Originally designed to provide necessary security

B.

Subjected to intense security testing

C.

Customized to meet specific security threats

D.

Optimized prior to the addition of security

Question # 72

Which of the following responsibilities does the legal team have during an incident management event? (Select two).

A.

Coordinate additional or temporary staffing for recovery efforts.

B.

Review and approve new contracts acquired as a result of an event.

C.

Advise the Incident response team on matters related to regulatory reporting.

D.

Ensure all system security devices and procedures are in place.

E.

Conduct computer and network damage assessments for insurance.

F.

Verify that all security personnel have the appropriate clearances.

Question # 73

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?

A.

Has heat

B.

OpenVAS

C.

OWASP ZAP

D.

Nmap

Question # 74

An analyst is reviewing processes running on a Windows host. The analyst reviews the following information:

CS0-003 question answer

Which of the following processes should the analyst review first?

A.

533

B.

740

C.

768

D.

1100

Question # 75

Which of the following is the best way to provide realistic training for SOC analysts?

A.

Phishing assessments

B.

OpenVAS

C.

Attack simulation

D.

SOAR

E.

Honeypot

Question # 76

Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A.

Implement step-up authentication for administrators.

B.

Improve employee training and awareness.

C.

Increase password complexity standards.

D.

Deploy mobile device management.

Question # 77

A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:

SPF = PASS

DKIM = FAIL

DMARC = FAIL

Which of the following did the analyst most likely discover?

A.

An insider threat altered email security records to mask suspicious DNS resolution traffic.

B.

The message was sent from an authorized mail server but was not signed.

C.

Log normalization corrupted the data as it was brought into the central repository.

D.

The email security software did not process all of the records correctly.

Question # 78

Which of the following risk management decisions should be considered after evaluating all other options?

A.

Transfer

B.

Acceptance

C.

Mitigation

D.

Avoidance

Question # 79

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

A.

Proprietary systems

B.

Legacy systems

C.

Unsupported operating systems

D.

Lack of maintenance windows

Question # 80

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?

A.

Chain of custody was not maintained for the evidence drive.

B.

Legal authorization was not obtained prior to seizing the evidence drive.

C.

Data integrity of the imaged drive could not be verified.

D.

Evidence drive imaging was performed without a write blocker.

Question # 81

A security analyst runs the following command:

# nmap -T4 -F 192.168.30.30

Starting nmap 7.6

Host is up (0.13s latency)

PORT STATE SERVICE

23/tcp open telnet

443/tcp open https

636/tcp open ldaps

Which of the following should the analyst recommend first to harden the system?

A.

Disable all protocols that do not use encryption.

B.

Configure client certificates for domain services.

C.

Ensure that this system is behind a NGFW.

D.

Deploy a publicly trusted root CA for secure websites.

Question # 82

Which of the following is the appropriate phase in the incident response process to perform a vulnerability scan to determine the effectiveness of corrective actions?

A.

Lessons learned

B.

Reporting

C.

Recovery

D.

Root cause analysis

Question # 83

A company ' s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which

of the following groups should the issue be escalated to first in order to comply with industry best practices?

A.

Help desk

B.

Law enforcement

C.

Legal department

D.

Board member

Question # 84

The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO initiate?

A.

Alert department managers to speak privately with affected staff.

B.

Schedule a press release to inform other service provider customers of the compromise.

C.

Disclose to all affected parties in the Chief Operating Officer for discussion and resolution.

D.

Verify legal notification requirements of PII and SPII in the legal and human resource departments.

Question # 85

Which of the following describes the importance of an organization understanding SLOs when outsourcing incident response to a third party?

A.

To track the performance of specific KPIs

B.

To understand the hidden costs of an SLA

C.

To ensure that an objective risk score can be calculated

D.

To quantify the risk appetite in an MOU

Question # 86

A security analyst needs to develop a solution to protect a high-value asset from an exploit like a recent zero-day attack. Which of the following best describes this risk management strategy?

A.

Avoid

B.

Transfer

C.

Accept

D.

Mitigate

Question # 87

A vulnerability scan shows the following vulnerabilities in the environment:

CS0-003 question answer

At the same time, the following security advisory was released:

" A zero-day vulnerability with a CVSS score of 10 may be affecting your web server. The vendor is working on a patch or workaround. "

Which of the following actions should the security analyst take first?

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability in the environment.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Question # 88

An IT professional is reviewing the output from the top command in Linux. In this company, only IT and security staff are allowed to have elevated privileges. Both departments have confirmed they are not working on anything that requires elevated privileges. Based on the output below:

PID

USER

VIRT

RES

SHR

%CPU

%MEM

TIME+

COMMAND

34834

person

4980644

224288

111076

5.3

14.44

1:41.44

cinnamon

34218

person

51052

30920

23828

4.7

0.2

0:26.54

Xorg

2264

root

449628

143500

26372

14.0

3.1

0:12.38

bash

35963

xrdp

711940

42356

10560

2.0

0.2

0:06.81

xrdp

Which of the following PIDs is most likely to contribute to data exfiltration?

A.

2264

B.

34218

C.

34834

D.

35963

Question # 89

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

A.

SLA

B.

MOU

C.

NDA

D.

Limitation of liability

Question # 90

A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

A.

CVSS 3.0/AVP/AC:L/PR:L/UI:N/S U/C:H/I:H/A:H

B.

CVSS 3.0/AV:A/AC .L/PR:L/UI:N/S:U/C:H/I:H/A:H

C.

CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S;U/C:H/I:H/A:H

D.

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Question # 91

The DevSecOps team is remediating a Server-Side Request Forgery (SSRF) issue on the company ' s public-facing website. Which of the following is the best mitigation technique to address this issue?

A.

Place a Web Application Firewall (WAF) in front of the web server.

B.

Install a Cloud Access Security Broker (CASB) in front of the web server.

C.

Put a forward proxy in front of the web server.

D.

Implement MFA in front of the web server.

Question # 92

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

CS0-003 question answer

Which of the following vulnerability IDs should the analyst address first?

A.

1

B.

2

C.

3

D.

4

Question # 93

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

A.

The risk would not change because network firewalls are in use.

B.

The risk would decrease because RDP is blocked by the firewall.

C.

The risk would decrease because a web application firewall is in place.

D.

The risk would increase because the host is external facing.

Question # 94

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

CS0-003 question answer

CS0-003 question answer

Question # 95

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?

A.

Misconfigured web application firewall

B.

Data integrity failure

C.

Outdated libraries

D.

Insufficient logging

Question # 96

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment Which of the following must be considered to ensure the consultant does no harm to operations?

A.

Employing Nmap Scripting Engine scanning techniques

B.

Preserving the state of PLC ladder logic prior to scanning

C.

Using passive instead of active vulnerability scans

D.

Running scans during off-peak manufacturing hours

Question # 97

Which of the following evidence collection methods is most likely to be acceptable in court cases?

A.

Copying all access files at the time of the incident

B.

Creating a file-level archive of all files

C.

Providing a full system backup inventory

D.

Providing a bit-level image of the hard drive

Question # 98

When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has bee running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?

A.

Changes to system environment variables

B.

SMB network traffic related to the system process

C.

Recent browser history of the primary user

D.

Activities taken by PID 1024

Question # 99

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

CS0-003 question answer

Which of the following tuning recommendations should the security analyst share?

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Question # 100

A security administrator has found indications of dictionary attacks against the company ' s external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

A.

Multifactor authentication

B.

Password complexity

C.

Web application firewall

D.

Lockout policy

Question # 101

An analyst investigated a website and produced the following:

Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

A.

nmap -sS -T4 -F insecure.org

B.

nmap -o insecure.org

C.

nmap -sV -T4 -F insecure.org

D.

nmap -A insecure.org

Question # 102

A threat hunter seeks to identify new persistence mechanisms installed in an organization ' s environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated:

Which of the following actions should the hunter perform first based on the details above?

A.

Acquire a copy of taskhw.exe from the impacted host

B.

Scan the enterprise to identify other systems with taskhw.exe present

C.

Perform a public search for malware reports on taskhw.exe.

D.

Change the account that runs the -caskhw. exe scheduled task

Question # 103

An analyst is evaluating the following vulnerability report:

CS0-003 question answer

Which of the following vulnerability report sections provides information about the level of impact on data confidentiality if a successful exploitation occurs?

A.

Payloads

B.

Metrics

C.

Vulnerability

D.

Profile

Question # 104

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Question # 105

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

A.

A regular expression in Bash

B.

Filters in the vi editor

C.

Variables in a PowerShell script

D.

A playbook in a SOAR tool

Question # 106

A Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost.

Which of the following risk treatments best describes what the CISO is looking for?

A.

Transfer

B.

Mitigate

C.

Accept

D.

Avoid

Question # 107

A new SOC manager reviewed findings regarding the strengths and weaknesses of the last tabletop exercise in order to make improvements. Which of the following should the SOC manager utilize to improve the process?

A.

The most recent audit report

B.

The incident response playbook

C.

The incident response plan

D.

The lessons-learned register

Question # 108

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Question # 109

An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?

A.

Multifactor authentication

B.

Password changes

C.

System hardening

D.

Password encryption

Question # 110

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

CS0-003 question answer

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

A.

SQL01

B.

WK10-Sales07

C.

WK7-Plant01

D.

DCEast01

E.

HQAdmin9

Question # 111

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company ' s current method that relies on CVSSv3. Given the following:

CS0-003 question answer

Which of the following vulnerabilities should be prioritized?

A.

Vulnerability 1

B.

Vulnerability 2

C.

Vulnerability 3

D.

Vulnerability 4

Question # 112

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question # 113

A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters. Which of the following is the best way for the administrator to find more messages that were not reported?

A.

Search email logs for a regular expression

B.

Open a support ticket with the email hosting provider

C.

Send a memo to all staff asking them to report suspicious emails

D.

Query firewall logs for any traffic with a suspicious website

Question # 114

An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

A.

Exploitation

B.

Reconnaissance

C.

Command and control

D.

Actions on objectives

Question # 115

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

CS0-003 question answer

Which of the following best describes the suspicious activity that is occurring?

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Question # 116
A.

Disaster recovery plan

B.

Business impact analysis

C.

Playbook

D.

Backup plan

Question # 117

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

A.

Shut the network down immediately and call the next person in the chain of command.

B.

Determine what attack the odd characters are indicative of

C.

Utilize the correct attack framework and determine what the incident response will consist of.

D.

Notify the local law enforcement for incident response

Question # 118

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?

A.

File debugging

B.

Traffic analysis

C.

Reverse engineering

D.

Machine isolation

Question # 119

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

A.

DNS poisoning

B.

Pharming

C.

Phishing

D.

Cross-site scripting

Question # 120

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

CS0-003 question answer

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Question # 121

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following

would be missing from a scan performed with this configuration?

A.

Operating system version

B.

Registry key values

C.

Open ports

D.

IP address

Question # 122

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Question # 123

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

A.

Command and control

B.

Actions on objectives

C.

Exploitation

D.

Delivery

Question # 124

ID

Source

Destination

Protocol

Service

1

172.16.1.1

172.16.1.10

ARP

AddrResolve

2

172.16.1.10

172.16.1.20

TCP 135

RPC Kerberos

3

172.16.1.10

172.16.1.30

TCP 445

SMB WindowsExplorer

4

172.16.1.30

5.29.1.5

TCP 443

HTTPS Browser.exe

5

11.4.11.28

172.16.1.1

TCP 53

DNS Unknown

6

20.109.209.108

172.16.1.1

TCP 443

HTTPS WUS

7

172.16.1.25

bank.backup.com

TCP 21

FTP FileZilla

Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

G.

7

Question # 125

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A.

Testing

B.

Implementation

C.

Validation

D.

Rollback

Question # 126

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A.

RADIUS

B.

SDN

C.

ZTNA

D.

SWG

Question # 127

A company discovers that its proprietary information is being sold on the dark web. A security analyst uses threat hunting to search for signs of compromise. After running a network packet capture tool, the analyst identifies millions of packets similar to the following:

Internet Protocol Version 4, src: 192.168.1.2, dst: 104.21.75.76

Internet Control Message Protocol

Type: 8 Echo request

Code: 0

Checksum: 0x34db [correct]

Sequence number: 3362

No response seen

Data: 64 bytes

Data payload: 0e1bS8…157ea2054af44…9865b34857a05…24b45824…

The analyst does not detect or identify any other abnormalities. Which of the following is most likely the malicious activity in this scenario?

A.

An insider is using an IP command-and-control channel to sell proprietary information.

B.

A threat actor is performing exfiltration over an alternative protocol.

C.

A machine was infected with a virus that is trying to propagate.

D.

A hacktivist is conducting an ICMP DDoS attack against the company.

Question # 128

An analyst is reviewing system logs while threat hunting:

CS0-003 question answer

Which of the following hosts should be investigated first?

A.

PC1

B.

PC2

C.

PC3

D.

PC4

E.

PC5

Question # 129

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

A.

Uncredentialed scan

B.

Discqyery scan

C.

Vulnerability scan

D.

Credentialed scan

Question # 130

The analyst reviews the following endpoint log entry:

CS0-003 question answer

Which of the following has occurred?

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Question # 131

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

A.

Address space layout randomization

B.

Data execution prevention

C.

Stack canary

D.

Code obfuscation

Question # 132

A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

A.

Hacklivist

B.

Advanced persistent threat

C.

Insider threat

D.

Script kiddie

Question # 133

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question # 134

A security analyst provides the management team with an after-action report for a security incident. Which of the following is the management team most likely to review in order to correct validated issues with the incident response processes?

A.

Tabletop exercise

B.

Lessons learned

C.

Root cause analysis

D.

Forensic analysis

Question # 135

Numerous emails were sent to a company ' s customer distribution list. The customers reported that the emails contained a suspicious link. The company ' s SOC determined the links were malicious. Which of the following is the best way to decrease these emails?

A.

DMARC

B.

DKIM

C.

SPF

D.

SMTP

Question # 136

A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company ' s business type may be able to breach the network and remain inside of it for an extended period of time.

Which of the following techniques should be performed to meet the CISO ' s goals?

A.

Vulnerability scanning

B.

Adversary emulation

C.

Passive discovery

D.

Bug bounty

Question # 137

The most recent vulnerability scan results show the following

CS0-003 question answer

The vulnerability team learned the following from the asset owners:

• Server hqfinoi is a financial transaction database server used in the company ' s largest business unit.

• Server hqadmin02 is utilized by an end user with administrator privileges to several critical applications.

• No compensating controls exist for either issue.

Which of the following would the vulnerability team most likely do to determine remediation prioritization?

A.

Review the BCP and prioritize the remediation of the asset that would take more time to bring online for operational use.

B.

Contact the network and desktop engineering teams to discuss prioritizing the asset that Is faster to remediate.

C.

Reference the BIA to determine the value designation and prioritize vulnerability remediation of the more critical asset.

D.

Identify the network placement and configuration of each asset, then prioritize the asset with the least recent backups.

Question # 138

Which of the following should be updated after a lessons-learned review?

A.

Disaster recovery plan

B.

Business continuity plan

C.

Tabletop exercise

D.

Incident response plan

Question # 139

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

A.

Access rights

B.

Network segmentation

C.

Time synchronization

D.

Invalid playbook

Question # 140

A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?

A.

Preparation

B.

Validation

C.

Containment

D.

Eradication

Question # 141

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Question # 142

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A.

Code analysis

B.

Static analysis

C.

Reverse engineering

D.

Fuzzing

Question # 143

Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?

A.

To allow policies that are easy to manage and less granular

B.

To increase the costs associated with regulatory compliance

C.

To limit how far an attack can spread

D.

To reduce hardware costs with the use of virtual appliances

Question # 144

Which of the following is the best use of automation in cybersecurity?

A.

Ensure faster incident detection, analysis, and response.

B.

Eliminate configuration errors when implementing new hardware.

C.

Lower costs by reducing the number of necessary staff.

D.

Reduce the time for internal user access requests.

Question # 145

Which of the following best explains the importance of playbooks for incident response teams?

A.

Playbooks define compliance controls and help keep the monitoring process that is in place fully aligned with regulatory requirements as designed by international rules.

B.

Playbooks help implement mitigation controls to prevent the occurrence of incidents in accordance with internal policies and procedures as designed by the IT team.

C.

Playbooks set baseline requirements that are implemented before incidents happen to ensure the proper monitoring process in order to collect metrics and KPIs that will be used for lessons-learned procedures after a postmortem analysis.

D.

Playbooks help minimize negative impacts and restore data, systems, and operations through highly detailed, preplanned procedures that will be followed when particular types of incidents occur.

Question # 146

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

CS0-003 PDF

$33

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

CS0-003 PDF + Testing Engine

$52.8

$175.99

3 Months Free Update

  • Exam Name: CompTIA CyberSecurity Analyst CySA+ Certification Exam
  • Last Update: Jul 5, 2026
  • Questions and Answers: 487
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

CS0-003 Engine

$39.6

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included