Practice Free CS0-003 Exam Online Questions – Page 2

Question #11

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract.

Which of the following is the first step for the security team to take to ensure compliance with the request?

A . Publicly disclose the request to other vendors.
B . Notify the departments involved to preserve potentially relevant information.
C . Establish a chain of custody, starting with the attorney’s request.
D . Back up the mailboxes on the server and provide the attorney with a copy.

Reveal Solution Hide Solution

Question #12

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

A . Agree on the goals and objectives of the plan
B . Determine the site to be used during a disaster
C Demonstrate adherence to a standard disaster recovery process
C . Identity applications to be run during a disaster

Reveal Solution Hide Solution

Question #13

A security audit for unsecured network services was conducted, and the following output was generated:

手机屏幕截图

描述已自动生成

Which of the following services should the security team investigate further? (Select two).

A . 21
B . 22
C . 23
D . 636
E . 1723
F . 3389

Reveal Solution Hide Solution

Correct Answer: CD
CD

Explanation:

The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host. Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices1

The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service.

Among the six ports listed, two are particularly risky and should be investigated further by the security team: port 23 and port 636.

Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution. Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers. Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host23

Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client

and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections. Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them. The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 6362

Question #14

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A . The lead should review what is documented in the incident response policy or plan
B . Management level members of the CSIRT should make that decision
C . The lead has the authority to decide who to communicate with at any t me
D . Subject matter experts on the team should communicate with others within the specified area of expertise

Reveal Solution Hide Solution

Question #15

A security analyst needs to identify an asset that should be remediated based on the following information:

File Server

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/

Web Server

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/

Mail Server (corrected from “Mall server”)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/

Domain Controller

CVSS:3.1/AV:N/AC:L/PR:R/UI:R/S:U/C:H/I:H/A:H/

Which of the following assets should the analyst remediate first?

A . Mail server
B . Domain controller
C . Web server
D . File server

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Comprehensive and Detailed Explanation From Exact Extract:

To determine which system to remediate first using only CVSS vectors, the analyst should prioritize the vulnerability that is most severe and most easily exploitable, especially when it is exploitable over the network and requires no privileges and no user interaction.

The Web server has the most dangerous combination of exploitability and impact:

Attack Vector = Network (AV:N) → exploitable remotely over a network

Attack Complexity = Low (AC:L) → no special conditions required

Privileges Required = None (PR:N) → attacker doesn’t need credentials

User Interaction = None (UI:N) → no user action required

Impact = High for Confidentiality, Integrity, and Availability (C:H / I:H / A:H) → full compromise potential

The Sybex CySA+ Study Guide explains that CVSS provides a 0C10 severity score and that analysts must be able to interpret key metrics like Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Impact.

The All-in-One guide defines Attack Vector and notes that the more remote the vector, the higher the score (Network is remotely exploitable).

And Secbay Press states that organizations use CVSS as a basis for prioritization, typically addressing higher scores first.

Exact extract (Secbay Press): “Organizations often use CVSS scores as a basis for prioritizing vulnerabilities, addressing those with higher scores first.”

Why the other assets are lower priority than the Web server (based on the vectors)

File server (AV:L) is local attack vector, meaning the attacker must already have local access; that generally reduces priority compared to a remotely exploitable (AV:N) issue. (Attack vector definitions and scoring emphasize Network vs Local distinctions.)

Mail server (AC:H) requires high attack complexity, lowering exploitability compared to the Web server’s AC:L.

Domain controller (PR:R, UI:R) requires privileges and user interaction, which lowers exploitability compared to PR:N/UI:N on the Web server.

Bottom line: The Web server is the most immediately dangerous because it is remotely exploitable (AV:N) with low complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and has high impact across C/I/A―making it the strongest candidate for first remediation under CVSS-based prioritization.

Reference (CompTIA CySA+ CS0-003 documents / study guides used):

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): CVSS used to prioritize; higher scores addressed first

Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): CVSS metrics and interpretation (AV/AC/PR/UI/Impact) and severity score concept

Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): Attack Vector/Attack Complexity definitions; remote vectors score higher

Question #16

A web application has a function to retrieve content from an internal URL to identify CSRF attacks in the logs. The security analyst is building a regular expression that will filter out the correctly formatted requests. The target URL is https://10. 1. 2.3/api, and the receiving API only accepts GET requests and uses a single integer argument named "id."

Which of the following regular expressions should the analyst use to achieve the objective?

A . (?!https://10.1.2.3/api?id=[0-9]+)
B . "https://10.1.2.3/api?id=d+
C . (?:"https://10.1.2.3/api?id-[0-9]+)
D . https://10.1.2.3/api?id«[0-9J$

Reveal Solution Hide Solution

Question #17

Which of the following statements best describes the MITRE ATT&CK framework?

A . It provides a comprehensive method to test the security of applications.
B . It provides threat intelligence sharing and development of action and mitigation strategies.
C . It helps identify and stop enemy activity by highlighting the areas where an attacker functions.
D . It tracks and understands threats and is an open-source project that evolves.
E . It breaks down intrusions into a clearly defined sequence of phases.

Reveal Solution Hide Solution

Question #18

While observing several host machines, a security analyst notices a program is overwriting data to a buffer.

Which of the following controls will best mitigate this issue?

A . Data execution prevention
B . Output encoding
C . Prepared statements
D . Parameterized queries

Reveal Solution Hide Solution

Question #19

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host.

Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

A . /etc/ shadow
B . curl localhost
C . ; printenv
D . cat /proc/self/

Reveal Solution Hide Solution

Question #20

A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server.

Which of the following will the analyst most likely recommend?

A . Sandboxing
B . MFA
C . DKIM
D . Vulnerability scan

Reveal Solution Hide Solution

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Exams