CompTIA CS0-003 CompTIA Cybersecurity Analyst (CySA+) Exam Practice Test

Page: 1 / 14
Total 428 questions
Question 1

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?



Answer : D

A threshold value is a parameter that defines the minimum or maximum level of a metric or event that triggers an alert. For example, a threshold value can be set to alert when the number of failed login attempts exceeds 10 in an hour, or when the CPU usage drops below 20% for more than 15 minutes. By setting a threshold value, the process can filter out irrelevant or insignificant alerts and focus on the ones that indicate a potential problem or anomaly. A threshold value can help to reduce the noise and false positives in the alert system, and improve the efficiency and accuracy of the analysis.
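The failed-login threshold from the explanation above, implemented as an added example (not part of the original practice test). The log lines are constructed for the demonstration, the field layout is an assumption, and the rule is the one the explanation states: one alert per user and per one-hour window whose count of failed logins exceeds 10. Successful logins and unrelated lines are ignored, which is what keeps the alert volume manageable.

```python
"""Threshold-based alerting over constructed auth-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines, not taken from any real system.
# alice: 2 failures, bob: 12 failures inside the 09:00 hour, carol: 1 failure.
SAMPLE_LOG = """\
2024-03-01T08:00:05 sshd[1201]: Failed password for alice from 10.0.0.5
2024-03-01T08:02:11 sshd[1202]: Failed password for alice from 10.0.0.5
2024-03-01T08:03:40 sshd[1203]: Accepted password for alice from 10.0.0.5
""" + "\n".join(
    f"2024-03-01T09:{i:02d}:00 sshd[13{i:02d}]: Failed password for bob from 198.51.100.7"
    for i in range(12)
) + "\n2024-03-01T11:30:00 sshd[1500]: Failed password for carol from 203.0.113.9\n"

# Assumed line format: ISO timestamp, sshd tag, then the failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)


def count_failures_per_window(log_text, window=timedelta(hours=1)):
    """Return {(user, window_start): count} of failed logins, bucketed per window."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        ts = datetime.fromisoformat(m.group("ts"))
        # Align the timestamp to the start of its window (top of the hour by default).
        bucket = datetime.min + (ts - datetime.min) // window * window
        counts[(m.group("user"), bucket)] += 1
    return dict(counts)


def alerts_over_threshold(log_text, threshold=10, window=timedelta(hours=1)):
    """Emit one (user, window_start, count) alert per bucket above the threshold."""
    return sorted(
        (user, bucket.isoformat(), n)
        for (user, bucket), n in count_failures_per_window(log_text, window).items()
        if n > threshold
    )


if __name__ == "__main__":
    for user, window_start, n in alerts_over_threshold(SAMPLE_LOG):
        print(f"ALERT: {n} failed logins for {user} in the hour starting {window_start}")
```

Raising or lowering `threshold` is the tuning knob the explanation refers to: with 15 constructed failures spread over three users, only bob's window produces an alert, so the analyst sees one line instead of twelve.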


Question 2

An IT professional is reviewing the output from the top command in Linux. In this company, only IT and security staff are allowed to have elevated privileges. Both departments have confirmed they are not working on anything that requires elevated privileges. Based on the output below:

  PID USER       VIRT     RES    SHR %CPU  %MEM    TIME+ COMMAND
34834 person  4980644  224288 111076  5.3 14.44  1:41.44 cinnamon
34218 person    51052   30920  23828  4.7   0.2  0:26.54 Xorg
 2264 root     449628  143500  26372 14.0   3.1  0:12.38 bash
35963 xrdp     711940   42356  10560  2.0   0.2  0:06.81 xrdp

Which of the following PIDs is most likely to contribute to data exfiltration?



Answer : A

PID 2264 (bash running as root) is suspicious because:

It has elevated privileges (root user).

Bash (command-line shell) is running with high CPU usage (14.0%), which is unusual unless actively being used.

If unauthorized, an attacker could be exfiltrating data via command-line methods like scp, wget, or custom scripts.

Why Not Other Options?

B (34218 - Xorg) Xorg is a display server for GUI; no signs of exfiltration.

C (34834 - Cinnamon) Cinnamon is a desktop environment, not a threat.

D (35963 - xrdp) xrdp is a remote desktop service, expected behavior.
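The reasoning in the answer above (elevated user plus an interactive shell or unusual CPU load) written as a small triage script, added here as an example and not part of the original practice test. The `top` rows are constructed from the question's table, and the privileged-user set, the shell list and the 10% CPU cut-off are assumptions chosen for the demonstration; in a real review the privileged set would be the IT and security accounts the company actually allows.

```python
"""Parse `top` output and flag privileged processes worth reviewing (added example)."""

# Constructed from the rows in the question above; field order follows the header shown there.
TOP_OUTPUT = """\
  PID USER       VIRT     RES    SHR %CPU  %MEM    TIME+ COMMAND
34834 person  4980644  224288 111076  5.3 14.44  1:41.44 cinnamon
34218 person    51052   30920  23828  4.7   0.2  0:26.54 Xorg
 2264 root     449628  143500  26372 14.0   3.1  0:12.38 bash
35963 xrdp     711940   42356  10560  2.0   0.2  0:06.81 xrdp
"""

# Assumed policy inputs: accounts that imply elevated privileges, and commands
# that are interactive shells (something an operator types into, not a daemon).
PRIVILEGED_USERS = {"root"}
INTERACTIVE_SHELLS = {"bash", "sh", "zsh"}


def parse_top(text):
    """Turn the header and rows of `top` output into a list of dicts keyed by column."""
    rows = []
    lines = text.strip().splitlines()
    header = lines[0].split()
    for line in lines[1:]:
        # Split into exactly len(header) fields so a COMMAND containing spaces stays whole.
        fields = line.split(None, len(header) - 1)
        row = dict(zip(header, fields))
        row["PID"] = int(row["PID"])
        for col in ("%CPU", "%MEM"):
            row[col] = float(row[col])
        rows.append(row)
    return rows


def flag_privileged(rows, cpu_threshold=10.0):
    """Return PIDs of privileged processes that are interactive shells or above the CPU cut-off.

    Unprivileged processes (desktop, display server, remote-desktop service in the
    sample) are left alone regardless of load, matching the answer's reasoning.
    """
    return [
        r["PID"]
        for r in rows
        if r["USER"] in PRIVILEGED_USERS
        and (r["COMMAND"] in INTERACTIVE_SHELLS or r["%CPU"] >= cpu_threshold)
    ]


if __name__ == "__main__":
    for pid in flag_privileged(parse_top(TOP_OUTPUT)):
        print(f"review PID {pid}: privileged process with shell or high CPU")
```

On the constructed table only PID 2264 is returned: cinnamon has the highest memory share and Xorg a similar CPU figure, but neither runs under a privileged account, which is why the answer singles out the root shell rather than the busiest process.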


Question 3

While reviewing web server logs, a security analyst discovers the following suspicious line:

Which of the following is being attempted?



Answer : B

The suspicious line in the web server logs is an attempt to execute a command on the server, indicating a command injection attack. Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5, page 197; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 205.


Question 4

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the following did the change management team fail to do?



Answer : B

Testing is a crucial step in any change management process, as it ensures that the change is compatible with the existing systems and does not cause any errors or disruptions. In this case, the change management team failed to test the email client patch on Windows 11 devices, which resulted in a widespread issue for the users. Testing would have revealed the problem before the patch was deployed, and allowed the team to fix it or postpone the change.


Question 5

A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?



Answer : D

The primary purpose of data classification is to determine the value of data to the organization. This helps in defining protection levels, access controls, and risk mitigation strategies.

Option A (Regulatory compliance requirements) is important but not the primary reason. Compliance is a result of data classification, not its purpose.

Option B (Facilitating DLP rules) is a secondary benefit, but classification is broader and not limited to DLP.

Option C (Prioritizing IT expenses) is unrelated to why organizations classify data.

Thus, D is the correct answer, as classification helps organizations prioritize data protection based on its value.


Question 6

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?



Answer : A

The analyst should focus on the impact of the events in order to move the incident forward. Impact is the measure of the potential or actual damage caused by an incident, such as data loss, financial loss, reputational damage, or regulatory penalties. Impact can help the analyst prioritize the events that need to be investigated based on their severity and urgency, and allocate the appropriate resources and actions to contain and remediate them. Impact can also help the analyst communicate the status and progress of the incident to the stakeholders and customers, and justify the decisions and recommendations made during the incident response. Vulnerability score, mean time to detect, and isolation are all important metrics or actions for incident response, but they are not the main focus for moving the incident forward. Vulnerability score is the rating of the likelihood and severity of a vulnerability being exploited by a threat actor. Mean time to detect is the average time it takes to discover an incident. Isolation is the process of disconnecting an affected system from the network to prevent further damage or spread of the incident.

Reference: Incident Response: Processes, Best Practices & Tools - Atlassian; Incident Response Metrics: What You Should Be Measuring; Vulnerability Scanning Best Practices; How to Track Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to Cybersecurity Incidents; Isolation and Quarantine for Incident Response.


Question 7

The Chief Information Security Officer wants the same level of security to be present whether a remote worker logs in at home or at a coffee shop. Which of the following should be recommended as a starting point?



Answer : A

Non-persistent virtual desktop infrastructures (VDIs) are the most suitable choice to ensure consistent security across different locations. Non-persistent VDIs revert to their original state after a session, reducing the risk of data leakage or malware persistence. These systems are centrally managed, ensuring uniform security policies regardless of the user's location.


CompTIA CySA+ All-in-One Guide (Chapter 1: System and Network Architecture)

CompTIA CySA+ Objectives (Domain 1.1 - Infrastructure Concepts)
