CompTIA CS0-003 Exam Practice Test Instant Access

Question 1

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

APCI Security Standards Council

BLocal law enforcement

CFederal law enforcement

DCard issuer

Answer : D

Under the terms of PCI DSS, an organization that has experienced a breach of customer transactions should report the breach to the card issuer. The card issuer is the financial institution that issues the payment cards to the customers and that is responsible for authorizing and processing the transactions. The card issuer may have specific reporting requirements and procedures for the organization to follow in the event of a breach. The organization should also notify other parties that may be affected by the breach, such as customers, law enforcement, or regulators, depending on the nature and scope of the breach. Official Reference: https://www.pcisecuritystandards.org/

Question 2

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

Which of the following is most likely occurring, based on the events in the log?

AAn adversary is attempting to find the shortest path of compromise.

BAn adversary is performing a vulnerability scan.

CAn adversary is escalating privileges.

DAn adversary is performing a password stuffing attack..

Answer : B

Based on the events in the log, the most likely occurrence is that an adversary is performing a vulnerability scan. The log shows LDAP read operations and EDR enumerating local groups, which are indicative of an adversary scanning the system to find vulnerabilities or sensitive information. The final entry shows SMB connection attempts to multiple hosts from a single host, which could be a sign of network discovery or lateral movement. Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 161; Monitor logs from vulnerability scanners, Section: Reports on Nessus vulnerability data.

Question 3

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

ARun the operating system update tool to apply patches that are missing.

BContract an external penetration tester to attempt a brute-force attack.

CDownload a vendor support agent to validate drivers that are installed.

DExecute a vulnerability scan against the target host.

Answer : D

A vulnerability scan is a process of identifying and assessing the security weaknesses of a system or network. A vulnerability scan can help a security analyst to effectively identify the most security risks associated with a locally hosted server, such as missing patches, misconfigurations, outdated software, or exposed services. A vulnerability scan can also provide recommendations on how to remediate the identified vulnerabilities and improve the security posture of the server12 Reference: 1: What is a Vulnerability Scan? | Definition and Examples 2: Securing a server: risks, challenges and best practices - Vaadata

Question 4

A SOC receives several alerts indicating user accounts are connecting to the company's identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?

ADNS

Btcpdump

CDirectory

DIDS

Answer : D

Intrusion Detection Systems (IDS) logs provide visibility into network traffic patterns and can help detect insecure or unusual connections. These logs will show if non-secure protocols are used, potentially revealing exposed credentials. According to CompTIA CySA+, IDS logs are essential for identifying malicious activity related to communications and network intrusions. Options like DNS (A) and tcpdump (B) provide network details, but IDS specifically monitors for intrusions and unusual activities relevant to security incidents.

Question 5

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

AThe firewall service account was locked out.

BThe firewall was using a paid feed.

CThe firewall certificate expired.

DThe firewall failed open.

Answer : C

The firewall certificate expired. If the firewall uses a certificate to authenticate and encrypt the feed, and the certificate expires, the feed will stop working until the certificate is renewed or replaced. This can affect the data enrichment process and the security analysis. Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 161.

Question 6

A group of hacktivists has breached and exfiltrated data from several of a bank's competitors. Given the following network log output:

Source

Destination

Protocol

Service

172.16.1.1

172.16.1.10

ARP

AddrResolve

172.16.1.10

172.16.1.20

TCP 135

RPC Kerberos

172.16.1.10

172.16.1.30

TCP 445

SMB WindowsExplorer

172.16.1.30

5.29.1.5

TCP 443

HTTPS Browser.exe

11.4.11.28

172.16.1.1

TCP 53

DNS Unknown

20.109.209.108

172.16.1.1

TCP 443

HTTPS WUS

172.16.1.25

bank.backup.com

TCP 21

FTP FileZilla

Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)

Answer : D, G

D (4: HTTPS traffic to an external IP - 5.29.1.5)

The log entry shows an internal system (172.16.1.30) communicating with an external IP (5.29.1.5) over TCP 443 (HTTPS) using Browser.exe.

HTTPS traffic to an unknown external IP could indicate data exfiltration, as attackers often use encrypted channels to disguise stolen data transfers.

G (7: FTP traffic to an external backup server - bank.backup.com)

The log entry indicates that an internal machine (172.16.1.25) is transferring data to bank.backup.com using FTP (port 21) and FileZilla.

FTP is a major concern because it is an outdated, unencrypted protocol that can be exploited for data exfiltration. If unauthorized, this could be a serious data breach.

Other Options:

A (ARP traffic) Not a concern (Just address resolution)

B (RPC Kerberos traffic) Normal for authentication

C (SMB traffic) Internal file sharing

**E (DNS traffic) Common, though could be exfiltration in some cases, but not in this log)

F (WUS traffic) Appears to be Windows Update Service traffic, likely legitimate

Question 7

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

ASTRIDE

BDiamond Model of Intrusion Analysis

CCyber Kill Chain

DMITRE ATT&CK

Answer : B

The Diamond Model of Intrusion Analysis is a framework that describes the relationship between four components of a cyberattack: adversary, capability, infrastructure, and victim. It helps analysts understand the behavior and motivation of threat actors, as well as the tools and methods they use to compromise their targets12. Reference: Main Analytical Frameworks for Cyber Threat Intelligence, section 4; Strategies, tools, and frameworks for building an effective threat intelligence team, section 3.

CompTIA CS0-003 CompTIA Cybersecurity Analyst (CySA+) Exam Practice Test