Practice Free CS0-003 Exam Online Questions – Page 9

Question #81

The Company shall prioritize patching of publicly available systems and services over patching of

internally available system.

According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

A)

文本

描述已自动生成

A . Option A
B . Option B
C . Option C
D . Option D

Reveal Solution Hide Solution

Question #82

A security analyst is trying to validate the results of a web application scan with Burp Suite.

The security analyst performs the following:

图形用户界面, 文本, 应用程序

描述已自动生成

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

A . SQL injection
B . LFI
C . XSS
D . CSRF

Reveal Solution Hide Solution

Question #83

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network.

Which of the following metrics should the team lead include in the briefs?

A . Mean time between failures
B . Mean time to detect
C . Mean time to remediate
D . Mean time to contain

Reveal Solution Hide Solution

Question #84

An email hosting provider added a new data center with new public IP addresses.

Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A . DKIM
B . SPF
C . SMTP
D . DMARC

Reveal Solution Hide Solution

Question #85

Which of the following evidence collection methods is most likely to be acceptable in court cases?

A . Copying all access files at the time of the incident
B . Creating a file-level archive of all files
C . Providing a full system backup inventory
D . Providing a bit-level image of the hard drive

Reveal Solution Hide Solution

Question #86

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

A . Structured Threat Information Expression
B . OWASP Testing Guide
C . Open Source Security Testing Methodology Manual
D . Diamond Model of Intrusion Analysis

Reveal Solution Hide Solution

Question #87

An analyst views the following log entries:

报纸上的表格

中度可信度描述已自动生成

The organization has a partner vendor with hosts in the 216.122.5.x range. This partner vendor is required to have access to monthly reports and is the only external vendor with authorized access. The organization prioritizes incident investigation according to the following hierarchy: unauthorized data disclosure is more critical than denial of service attempts.

which are more important than ensuring vendor data access.

Based on the log files and the organization’s priorities, which of the following hosts warrants additional investigation?

A . 121.19.30.221
B . 134.17.188.5
C . 202.180.1582
D . 216.122.5.5

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

The correct answer is A. 121.19.30.221.

Based on the log files and the organization’s priorities, the host that warrants additional investigation is 121.19.30.221, because it is the only host that accessed a file containing sensitive data and is not from the partner vendor’s range.

The log files show the following information:

The IP addresses of the hosts that accessed the web server

The date and time of the access

The file path of the requested resource

The number of bytes transferred

The organization’s priorities are:

Unauthorized data disclosure is more critical than denial of service attempts

Denial of service attempts are more important than ensuring vendor data access

According to these priorities, the most serious threat to the organization is unauthorized data disclosure, which occurs when sensitive, protected, or confidential data is copied, transmitted,

viewed, stolen, altered, or used by an individual unauthorized to do so123. Therefore, the host that accessed a file containing sensitive data and is not from the partner vendor’s range poses the highest risk to the organization.

The file that contains sensitive data is /reports/2023/financials.pdf, as indicated by its name and path. This file was accessed by two hosts: 121.19.30.221 and 216.122.5.5. However, only 121.19.30.221 is not from the partner vendor’s range, which is 216.122.5.x. Therefore, 121.19.30.221 is a potential unauthorized data disclosure threat and warrants additional investigation.

The other hosts do not warrant additional investigation based on the log files and the organization’s priorities.

Host 134.17.188.5 accessed /index.html multiple times in a short period of time, which could indicate a denial of service attempt by flooding the web server with requests45. However, denial of service attempts are less critical than unauthorized data disclosure according to the organization’s priorities, and there is no evidence that this host succeeded in disrupting the web server’s normal operations.

Host 202.180.1582 accessed /images/logo.png once, which does not indicate any malicious activity or threat to the organization.

Host 216.122.5.5 accessed /reports/2023/financials.pdf once, which could indicate unauthorized data disclosure if it was not authorized to do so. However, this host is from the partner vendor’s range, which is required to have access to monthly reports and is the only external vendor with authorized access according to the organization’s requirements.

Therefore, based on the log files and the organization’s priorities, host 121.19.30.221 warrants additional investigation as it poses the highest risk of unauthorized data disclosure to the organization.

Question #88

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets. An open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed.

Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A . Add the IP address to the EDR deny list.
B . Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification.
C . Implement a prevention policy for the IP on the WAF
D . Activate the scan signatures for the IP on the NGFWs.

Reveal Solution Hide Solution

Question #89

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks.

Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

A . Configure the server to prefer TLS 1.3.
B . Remove cipher suites that use CBC.
C . Configure the server to prefer ephemeral modes for key exchange.
D . Require client browsers to present a user certificate for mutual authentication.
E . Configure the server to require HSTS.
F . Remove cipher suites that use GCM.

Reveal Solution Hide Solution

Correct Answer: AE
AE

Explanation:

The correct answer is A. Configure the server to prefer TLS 1.3 and B. Remove cipher suites that use CBC.

A padding oracle attack is a type of attack that exploits the padding validation of a cryptographic message to decrypt the ciphertext without knowing the key. A padding oracle is a system that responds to queries about whether a message has a valid padding or not, such as a web server that returns different error messages for invalid padding or invalid MAC. A padding oracle attack can be applied to the CBC mode of operation, where the attacker can manipulate the ciphertext blocks and use the oracle’s responses to recover the plaintext12.

To remediate this issue, the organization should make the following configuration changes: Configure the server to prefer TLS 1.3. TLS 1.3 is the latest version of the Transport Layer Security protocol, which provides secure communication between clients and servers.

TLS 1.3 has several security improvements over previous versions, such as:

It deprecates weak and obsolete cryptographic algorithms, such as RC4, MD5, SHA-1, DES, 3DES, and CBC mode.

It supports only strong and modern cryptographic algorithms, such as AES-GCM, ChaCha20-Poly1305, and SHA-256/384.

It reduces the number of round trips required for the handshake protocol, which improves performance and latency.

It encrypts more parts of the handshake protocol, which enhances privacy and confidentiality.

It introduces a zero round-trip time (0-RTT) mode, which allows resuming previous sessions without additional round trips.

It supports forward secrecy by default, which means that compromising the long-term keys does not affect the security of past sessions3456.

Remove cipher suites that use CBC. Cipher suites are combinations of cryptographic algorithms that specify how TLS connections are secured. Cipher suites that use CBC mode are vulnerable to padding oracle attacks, as well as other attacks such as BEAST and Lucky 13. Therefore, they should be removed from the server’s configuration and replaced with cipher suites that use more secure modes of operation, such as GCM or CCM78.

The other options are not effective or necessary to remediate this issue.

Option C is not effective because configuring the server to prefer ephemeral modes for key exchange does not prevent padding oracle attacks. Ephemeral modes for key exchange are methods that generate temporary and random keys for each session, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman. Ephemeral modes provide forward secrecy, which means that compromising the long-term keys does not affect the security of past sessions. However, ephemeral modes do not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the key exchange9.

Option D is not necessary because requiring client browsers to present a user certificate for mutual authentication does not prevent padding oracle attacks. Mutual authentication is a process that verifies the identity of both parties in a communication, such as using certificates or passwords. Mutual authentication enhances security by preventing impersonation or spoofing attacks. However, mutual authentication does not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the authentication.

Option E is not necessary because configuring the server to require HSTS does not prevent padding oracle attacks. HSTS stands for HTTP Strict Transport Security and it is a mechanism that forces browsers to use HTTPS connections instead of HTTP connections when communicating with a web server. HSTS enhances security by preventing downgrade or man-in-the-middle attacks that try to intercept or modify HTTP traffic. However, HSTS does not protect against padding oracle attacks, which exploit the padding validation of HTTPS traffic rather than the protocol.

Option F is not effective because removing cipher suites that use GCM does not prevent padding

oracle attacks. GCM stands for Galois/Counter Mode and it is a mode of operation that provides both

encryption and authentication for block ciphers, such as AES. GCM is more secure and efficient than

CBC mode, as it prevents various types of attacks, such as padding oracle, BEAST, Lucky 13, and IV

reuse attacks. Therefore, removing cipher suites that use GCM would reduce security rather than

enhance it.

Reference: 1 Padding oracle attack – Wikipedia

2 flast101/padding-oracle-attack-explained – GitHub

3 A Cryptographic Analysis of the TLS 1.3 Handshake Protocol | Journal of Cryptology

4 Which block cipher mode of operation does TLS 1.3 use? – Cryptography Stack Exchange

5 The Essentials of Using an Ephemeral Key Under TLS 1.3

6 Guidelines for the Selection, Configuration, and Use of … – NIST

7 CBC decryption vulnerability – .NET | Microsoft Learn

8 The Padding Oracle Attack | Robert Heaton

9 What is Ephemeral Diffie-Hellman? | Cloudflare

[10] What is Mutual TLS? How mTLS Authentication Works | Cloudflare

[11] What is HSTS? HTTP Strict Transport Security Explained | Cloudflare

[12] Galois/Counter Mode – Wikipedia

[13] AES-GCM and its IV/nonce value – Cryptography Stack Exchange

Question #90

Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

A . CASB
B . DMARC
C . SIEM
D . PAM

Reveal Solution Hide Solution

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

Exams