A company classifies security groups by risk level. Any group with a high-risk classification requires multiple levels of approval for member or owner changes. Which of the following inhibitors to remediation is the company utilizing?
Answer : A
This scenario describes a strict governance policy requiring multiple approvals for high-risk security group changes. Organizational governance refers to policies that enforce security controls and approval workflows.
Option B (MOU - Memorandum of Understanding) refers to agreements between parties, not internal security processes.
Option C (SLA - Service Level Agreement) refers to service guarantees, not security governance.
Option D (Business process interruption) might be a consequence, but it is not the primary inhibitor to remediation in this case.
Thus, A is correct, as governance rules are restricting remediation speed.
A group of hacktivists has breached and exfiltrated data from several of a bank's competitors. Given the following network log output:
ID  Source          Destination      Protocol  Service
1   172.16.1.1      172.16.1.10      ARP       AddrResolve
2   172.16.1.10     172.16.1.20      TCP 135   RPC Kerberos
3   172.16.1.10     172.16.1.30      TCP 445   SMB WindowsExplorer
4   172.16.1.30     5.29.1.5         TCP 443   HTTPS Browser.exe
5   11.4.11.28      172.16.1.1       TCP 53    DNS Unknown
6   20.109.209.108  172.16.1.1       TCP 443   HTTPS WUS
7   172.16.1.25     bank.backup.com  TCP 21    FTP FileZilla
Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)
Answer : D, G
D (4: HTTPS traffic to an external IP - 5.29.1.5)
The log entry shows an internal system (172.16.1.30) communicating with an external IP (5.29.1.5) over TCP 443 (HTTPS) using Browser.exe.
HTTPS traffic to an unknown external IP could indicate data exfiltration, as attackers often use encrypted channels to disguise stolen data transfers.
G (7: FTP traffic to an external backup server - bank.backup.com)
The log entry indicates that an internal machine (172.16.1.25) is transferring data to bank.backup.com using FTP (port 21) and FileZilla.
FTP is a major concern because it is an outdated, unencrypted protocol that can be exploited for data exfiltration. If unauthorized, this could be a serious data breach.
Other Options:
A (ARP traffic): not a concern, just address resolution.
B (RPC Kerberos traffic): normal for authentication.
C (SMB traffic): internal file sharing.
E (DNS traffic): common; DNS can be used for exfiltration in some cases, but not in this log.
F (WUS traffic): appears to be Windows Update Service traffic, likely legitimate.
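The same triage reasoning applied as code, as an added example that is not part of the original question: the seven log entries are copied into a list, internal hosts are recognised by RFC 1918 address, hostnames are assumed external, and only outbound flows over exfiltration-capable services are reported (the severity weights are an assumption).

```python
"""Added example (not from the question bank): triage the seven log entries
above for outbound connections that could carry data out of the network."""
import ipaddress

# The log entries from the question: (id, source, destination, protocol, service).
LOG_ENTRIES = [
    (1, "172.16.1.1", "172.16.1.10", "ARP", "AddrResolve"),
    (2, "172.16.1.10", "172.16.1.20", "TCP 135", "RPC Kerberos"),
    (3, "172.16.1.10", "172.16.1.30", "TCP 445", "SMB WindowsExplorer"),
    (4, "172.16.1.30", "5.29.1.5", "TCP 443", "HTTPS Browser.exe"),
    (5, "11.4.11.28", "172.16.1.1", "TCP 53", "DNS Unknown"),
    (6, "20.109.209.108", "172.16.1.1", "TCP 443", "HTTPS WUS"),
    (7, "172.16.1.25", "bank.backup.com", "TCP 21", "FTP FileZilla"),
]

# Assumed triage weights: a cleartext bulk-transfer protocol ranks above an
# encrypted one because the payload is also exposed in transit.
EXFIL_SERVICES = {"FTP": "high", "HTTPS": "medium", "SMB": "medium"}


def is_internal(host: str) -> bool:
    """True for RFC 1918 addresses; hostnames are treated as external (assumption)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def triage(entries=LOG_ENTRIES) -> list:
    """Return (id, severity, reason) for internal->external flows over exfil-capable services.

    Inbound flows (external source) and purely internal flows are skipped, which is
    why the DNS and Windows Update entries are not reported even though DNS can be abused.
    """
    findings = []
    for entry_id, src, dst, proto, service in entries:
        if not is_internal(src) or is_internal(dst):
            continue
        name, _, process = service.partition(" ")
        severity = EXFIL_SERVICES.get(name)
        if severity is None:
            continue
        reason = f"{src} -> {dst} via {name} ({proto}) from {process or 'unknown process'}"
        findings.append((entry_id, severity, reason))
    # Highest severity first, then in log order.
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))
```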
An XSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two.)
Answer : D, F
The best recommendations to prevent an XSS vulnerability from being exploited are to implement a compensating control in the source code and to fix the vulnerability using a virtual patch at the WAF. A compensating control is a technique that mitigates the risk of a vulnerability by adding additional security measures, such as input validation, output encoding, or HTML sanitization. A virtual patch is a rule that blocks or modifies malicious requests or responses at the WAF level, without modifying the application code. These recommendations are effective, efficient, and less disruptive than the other options. Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 156; Cross Site Scripting Prevention Cheat Sheet, Section: XSS Defense Philosophy.
A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
Answer : D
Determining the asset value of each system is the best action to perform first, as it helps to categorize and prioritize the systems based on the sensitivity of the data they host. The asset value is a measure of how important a system is to the organization, in terms of its financial, operational, or reputational impact. The asset value can help the security analyst to assign a risk level and a protection level to each system, and to allocate resources accordingly. The other actions are not as effective as determining the asset value, as they do not directly address the goal of promoting confidentiality, availability, and integrity of the data. Interviewing the users who access these systems may provide some insight into how the systems are used and what data they contain, but it may not reflect the actual value or sensitivity of the data from an organizational perspective. Scanning the systems to see which vulnerabilities currently exist may help to identify and remediate some security issues, but it does not help to categorize or prioritize the systems based on their data sensitivity. Configuring alerts for vendor-specific zero-day exploits may help to detect and respond to some emerging threats, but it does not help to protect the systems based on their data sensitivity.
Which of the following is the best way to provide realistic training for SOC analysts?
Answer : C
Attack simulations provide realistic, hands-on scenarios that mirror true incidents, allowing SOC analysts to practice detection, analysis, and response skills under real-world pressure. These simulations are crucial for developing and reinforcing SOC procedures and incident workflows.
Phishing assessments (A) are targeted, limited training.
OpenVAS (B) is a vulnerability scanner, not a training tool.
SOAR (D) is a response automation tool.
Honeypots (E) help observe attacker behavior, but aren't training-focused.
Reference:
CS0-003 Objectives 3.3 -- Incident Response Training
Mya Heath All-in-One -- Chapter 14: Post-Incident Activities and Training
A security analyst needs to identify a computer based on the following requirements to be mitigated:
The attack method is network-based with low complexity.
No privileges or user action is needed.
The confidentiality and availability level is high, with a low integrity level.
Given the following CVSS 3.1 output:
Computer1: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Computer2: CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Computer3: CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
Computer4: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Which of the following machines should the analyst mitigate?
Answer : D
To match the mitigation criteria, we analyze each machine's CVSS (Common Vulnerability Scoring System) attributes:
Attack Vector (AV): N for network (matches the requirement of network-based attack).
Attack Complexity (AC): L for low (meets the requirement for low complexity).
Privileges Required (PR): N for none (indicating no privileges are needed).
User Interaction (UI): N for none (matches the requirement that no user action is needed).
Confidentiality (C), Integrity (I), and Availability (A): Requires high confidentiality and availability with low integrity.
From these criteria:
Computer1 requires user interaction (UI:R), which disqualifies it.
Computer2 has a local attack vector (AV:L), which disqualifies it for a network-based attack.
Computer3 has a high attack complexity (AC:H), which does not meet the low complexity requirement.
Computer4 meets all criteria: network attack vector, low complexity, no privileges, no user interaction, and appropriate confidentiality, integrity, and availability levels.
Thus, Computer4 is the correct answer.
Reference:
NIST NVD (National Vulnerability Database): CVSS vector standards.
CVSS 3.1 User Guide: Explanation of each CVSS metric and its application in vulnerability prioritization.
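The matching walk-through above done programmatically, as an added example that is not part of the original question: the four vectors are parsed into metric/value pairs, each is checked against the required values, and the hosts that satisfy every requirement are returned. The question's vectors write the prefix as CVSS3.1 rather than the specification's CVSS:3.1, so the parser accepts both.

```python
"""Added example (not from the question bank): parse the CVSS 3.1 vectors
listed above and find the host that meets every required metric value."""
import re

# Required metric values, taken from the question's requirements.
REQUIRED = {"AV": "N", "AC": "L", "PR": "N", "UI": "N", "C": "H", "I": "L", "A": "H"}

VECTORS = {
    "Computer1": "CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H",
    "Computer2": "CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
    "Computer3": "CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
    "Computer4": "CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H",
}

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
METRIC_RE = re.compile(r"^([A-Z]+):([A-Z])$")


def parse_vector(vector: str) -> dict:
    """Return {metric: value} for a CVSS 3.1 vector, or raise ValueError.

    The spec prefix is "CVSS:3.1"; the question's output drops the colon, so both are accepted.
    """
    prefix, _, body = vector.partition("/")
    if prefix not in ("CVSS:3.1", "CVSS3.1"):
        raise ValueError(f"not a CVSS 3.1 vector: {vector!r}")
    metrics = {}
    for part in body.split("/"):
        match = METRIC_RE.match(part)
        if match is None:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        name, value = match.groups()
        if name in metrics:
            raise ValueError(f"duplicate metric {name} in {vector!r}")
        metrics[name] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return metrics


def mismatches(metrics: dict, required: dict = REQUIRED) -> dict:
    """Required metrics the vector fails, mapped to the value it actually has."""
    return {m: metrics.get(m) for m, want in required.items() if metrics.get(m) != want}


def select_hosts(vectors: dict = VECTORS, required: dict = REQUIRED) -> list:
    """Hosts whose vector satisfies every requirement: the ones to mitigate."""
    return sorted(h for h, v in vectors.items() if not mismatches(parse_vector(v), required))
```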
A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?
Answer : B
Business process interruption is the inhibitor to remediation that this scenario illustrates. Business process interruption is when the remediation of a vulnerability or an incident requires the disruption or suspension of a critical or essential business process, such as the point-of-sale application. This can cause operational, financial, or reputational losses for the organization, and may outweigh the benefits of the remediation. Therefore, the organization may decide to postpone or avoid the remediation until a more convenient time, such as a change freeze window, which is a period of time when no changes are allowed to the IT environment. Service-level agreement, degrading functionality, and proprietary system are other possible inhibitors to remediation, but they are not relevant to this scenario. Service-level agreement is when the remediation of a vulnerability or an incident violates or affects the contractual obligations or expectations of the service provider or the customer. Degrading functionality is when the remediation of a vulnerability or an incident reduces or impairs the performance or usability of a system or an application. Proprietary system is when the remediation of a vulnerability or an incident involves a system or an application that is owned or controlled by a third party, and the organization has limited or no access or authority to modify it. Reference: Inhibitors to Remediation --- SOC Ops Simplified, Remediation Inhibitors - CompTIA CySA+, Information security Vulnerability Management Report (Remediation...