Which of the following entities must receive reports in a timely fashion according to data breach notification laws related to personally identifiable information?
Answer : D
Comprehensive and Detailed Explanation From Exact Extract:
Data breach notification laws for personally identifiable information (PII) generally require organizations to provide timely notification to (1) regulatory authorities (regulators/data protection authorities) and (2) affected individuals (customers/data subjects), within legally mandated timeframes.
The Secbay Press CySA+ CS0-003 guide explicitly describes this requirement in multiple places:
Regulatory reporting + notifying affected individuals:
Exact extract (Secbay Press): "Reporting the incident to regulatory authorities and notifying affected individuals in accordance with... privacy laws..."
Timeliness is required by law:
Exact extract (Secbay Press): "Timeliness of Reporting: Adhering to stipulated timeframes for reporting incidents..."
Customers/affected individuals must be notified within the legally mandated timeframe:
Exact extract (Secbay Press): "Sending notifications to customers within the legally mandated timeframe after confirming a data breach."
These extracts directly support Option D: Regulators and affected customers.
Why the other options are incorrect
A (Service providers and business associates): Those relationships may have contractual notification requirements, but breach notification laws for PII focus on regulators and affected individuals.
B (Law enforcement and the media): These may be involved depending on incident type/requirements, but they are not universally required recipients under PII breach notification laws.
C (CERTs and industry associations): These are optional coordination entities, not mandated recipients for PII breach notification laws.
Reference (CompTIA CySA+ CS0-003 documents / study guides used):
Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?
Answer : C
An unintentional insider threat is a type of network security threat that occurs when a legitimate user of the network unknowingly exposes the network to malicious activity, such as opening a phishing email or a malware-infected attachment from an unknown source. This can compromise the network security and allow attackers to access sensitive data or systems. The other options are not related to the threat concept of ensuring that all network users only open attachments from known sources.
Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 1: Threat and Vulnerability Management, page 13. What is Network Security | Threats, Best Practices | Imperva, Network Security Threats and Attacks, Phishing section. Five Ways to Defend Against Network Security Threats, 2. Use Firewalls section.
A company classifies security groups by risk level. Any group with a high-risk classification requires multiple levels of approval for member or owner changes. Which of the following inhibitors to remediation is the company utilizing?
Answer : A
This scenario describes a strict governance policy requiring multiple approvals for high-risk security group changes. Organizational governance refers to policies that enforce security controls and approval workflows.
Option B (MOU - Memorandum of Understanding) refers to agreements between parties, not internal security processes.
Option C (SLA - Service Level Agreement) refers to service guarantees, not security governance.
Option D (Business process interruption) might be a consequence, but it is not the primary inhibitor to remediation in this case.
Thus, A is correct, as governance rules are restricting remediation speed.
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?
Answer : C
The best way to see the entire contents of the downloaded files in Wireshark is to change the display filter to ftp-data and follow the TCP streams. The ftp display filter only matches the control channel (commands such as RETR and replies such as 226), while ftp-data matches the separate data connection over which the file bytes actually travel (server TCP port 20 in active mode; in passive mode the data connection uses a negotiated ephemeral port, which Wireshark still dissects as ftp-data when it has seen the control channel). By filtering for ftp-data packets and following the TCP streams, the analyst can see the actual file data that was transferred during the FTP session.
Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?
Answer : C
Microsegmentation involves dividing a network into smaller, isolated segments to restrict lateral movement within the network. This is crucial within a Zero Trust architecture, which assumes that no entity (internal or external) is inherently trustworthy. By limiting access to only necessary network segments, microsegmentation reduces the impact of a potential breach by containing it within a limited area. CompTIA emphasizes microsegmentation as an effective strategy to minimize risk and improve security posture by isolating resources based on the principle of least privilege.
Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Which of the following best supports this approach?
Answer : A
Threat modeling is a proactive approach used to identify, analyze, and mitigate potential threats before they impact production systems. It is especially useful in early development stages to anticipate vulnerabilities and attack paths.
Option B (Penetration testing) is a reactive measure performed on deployed systems, rather than prior to production.
Option C (Bug bounty) programs incentivize external researchers but do not proactively model risks before deployment.
Option D (SDLC training) improves security awareness but does not actively assess risks.
Thus, A (Threat modeling) is the best choice, as it enables early identification and mitigation of security risks.
An IT professional is reviewing the output from the top command in Linux. In this company, only IT and security staff are allowed to have elevated privileges. Both departments have confirmed they are not working on anything that requires elevated privileges. Based on the output below:
PID    USER    VIRT     RES     SHR     %CPU  %MEM   TIME+    COMMAND
34834  person  4980644  224288  111076  5.3   14.44  1:41.44  cinnamon
34218  person  51052    30920   23828   4.7   0.2    0:26.54  Xorg
2264   root    449628   143500  26372   14.0  3.1    0:12.38  bash
35963  xrdp    711940   42356   10560   2.0   0.2    0:06.81  xrdp
Which of the following PIDs is most likely to contribute to data exfiltration?
Answer : A
PID 2264 (bash running as root) is suspicious because:
It has elevated privileges (root user).
Bash (command-line shell) is running with high CPU usage (14.0%), which is unusual unless actively being used.
If unauthorized, an attacker could be exfiltrating data via command-line methods like scp, wget, or custom scripts.
Why Not Other Options?
B (34218 - Xorg): Xorg is a display server for the GUI; no signs of exfiltration.
C (34834 - cinnamon): Cinnamon is a desktop environment, not a threat.
D (35963 - xrdp): xrdp is a remote desktop service; expected behavior.
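The reasoning above (privileged user, interactive shell, unexpected CPU) can be turned into a repeatable check rather than an eyeball scan. The following is an added example, not part of the study material: a small Python script that parses the column set shown in the question from a constructed top dump, and flags any process running as a privileged user that is not in an assumed baseline of expected root daemons, noting whether it is an interactive shell or is burning CPU. The baseline set, the shell list and the 10% CPU threshold are hypothetical policy values; in a real environment they come from the organization's own build standard. Real top output also carries PR, NI and S columns, so the parser keys on header names instead of fixed positions.

```python
"""Flag unexpected privileged processes in `top` output (added example).

Assumes the trimmed column set from the question (PID USER VIRT RES SHR
%CPU %MEM TIME+ COMMAND). Columns are located by header name, so the same
parser works on a full `top -b -n 1` dump that includes PR, NI and S.
"""
from dataclasses import dataclass

# Constructed sample reproducing the question's table (not a real capture).
SAMPLE_TOP = """\
  PID USER      VIRT    RES    SHR  %CPU  %MEM    TIME+ COMMAND
34834 person 4980644 224288 111076   5.3 14.44  1:41.44 cinnamon
34218 person   51052  30920  23828   4.7   0.2  0:26.54 Xorg
 2264 root     449628 143500  26372  14.0   3.1  0:12.38 bash
35963 xrdp     711940  42356  10560   2.0   0.2  0:06.81 xrdp
"""

# Hypothetical policy values; replace with the organization's own baseline.
PRIVILEGED_USERS = {"root"}
EXPECTED_ROOT_COMMANDS = {"systemd", "kthreadd", "sshd", "cron"}  # assumed daemon baseline
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "dash"}
CPU_THRESHOLD = 10.0  # percent; above this a root shell warrants a look


@dataclass
class Proc:
    pid: int
    user: str
    cpu: float
    mem: float
    command: str


def parse_top(text: str) -> list[Proc]:
    """Parse the process table of a `top` dump into Proc records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    idx = {name: i for i, name in enumerate(header)}
    procs = []
    for line in lines[1:]:
        # COMMAND is the last column and may contain spaces, so cap the split.
        fields = line.split(None, len(header) - 1)
        if len(fields) < len(header):
            continue  # malformed or truncated row; skip rather than guess
        procs.append(Proc(
            pid=int(fields[idx["PID"]]),
            user=fields[idx["USER"]],
            cpu=float(fields[idx["%CPU"]]),
            mem=float(fields[idx["%MEM"]]),
            command=fields[idx["COMMAND"]],
        ))
    return procs


def find_suspicious(procs: list[Proc]) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for privileged processes outside the baseline."""
    findings = []
    for p in procs:
        if p.user not in PRIVILEGED_USERS:
            continue  # unprivileged user; out of scope for this check
        if p.command in EXPECTED_ROOT_COMMANDS:
            continue  # known daemon that legitimately runs as root
        reasons = [f"runs as privileged user {p.user}"]
        if p.command in INTERACTIVE_SHELLS:
            reasons.append("interactive shell")
        if p.cpu >= CPU_THRESHOLD:
            reasons.append(f"high CPU ({p.cpu}%)")
        findings.append((p.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_suspicious(parse_top(SAMPLE_TOP)):
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run against the sample, the script reports only PID 2264: a bash process owned by root, an interactive shell, and at 14.0% CPU. The next defensive step is to tie the flagged PID to its activity on the host, for example with `ss -tnp` or `lsof -p 2264` to see whether it holds outbound connections, and `ps -o ppid= -p 2264` to find what spawned it, before deciding on containment.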