CompTIA CS0-003 Exam Practice Questions to Pass CompTIA CySA+ Exam

Question 1

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

ADelivery

BCommand and control

CReconnaissance

DWeaporization

Answer : B

The Command and Control stage of the Cyber Kill Chain describes the communication between the attacker and the compromised system. The attacker may use this channel to send commands, receive data, or update malware. If the analyst discovers unusual outbound connections to an IP that was previously blocked, it may indicate that the attacker has established a command and control channel and bypassed the security controls.Reference:Cyber Kill Chain | Lockheed Martin

Question 2

A vulnerability manager analyzes suspicious data after scanning a database. Which of the following should the manager do to prioritize the remediation tasks?

AConduct further analysis and send the findings report to the incident response team.

BPerform an assessment in the command line and determine if there are true or false positives.

CIdentify the impact level and create a ticket that includes the time frame for fixing the issue.

DApply compensating controls and advise an analyst to document the problem in a risk register.

Answer : B

Comprehensive and Detailed Explanation From Exact Extract:

The key phrase is ''analyzes suspicious data after scanning''. Before you can prioritize remediation, you must first ensure the scan results are valid---i.e., determine whether the findings are true positives vs. false positives. That validation step is a core part of vulnerability management because it prevents wasting time remediating issues that do not actually exist and ensures your prioritization decisions are based on accurate findings.

The All-in-One CySA+ CS0-003 guide explicitly states that after receiving vulnerability scan data, the analyst's review process must focus on validating reported vulnerabilities (true/false positives). It also directly ties this to remediation/prioritization.

Exact extract (All-in-One Exam Guide):

''It is up to the analyst to review and make sense of vulnerability data and findings... The two most important outcomes of the review process are to determine the validity of reported vulnerabilities...''

It further emphasizes the importance of differentiating true positives from false positives for remediation and prioritization:

Exact extract (All-in-One Exam Guide):

''Distinguishing true positives from false positives... can be a tricky part of vulnerability remediation and prioritization.''

So, Option B (determine true/false positives) is the best action specifically to prioritize remediation tasks based on scan results.

Why the other options are not best:

A: Sending to IR may be appropriate if there is evidence of an active incident, but the question is framed as post-scan vulnerability management (not confirmed incident handling). Validation comes first.

C: Tickets and timeframes are important (often driven by SLAs/SLOs), but setting those correctly depends on confirming the findings are real and understanding severity/impact first.

D: Compensating controls and risk register entries are appropriate when remediation is not immediately feasible, but again you must confirm validity and then prioritize based on risk/impact.

Reference (CompTIA CySA+ CS0-003 documents / study guides used):

Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): validating vulnerability scan results; true/false positives; link to remediation prioritization

Question 3

Which of the following explains the importance of a timeline when providing an incident response report?

AThe timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

BAn incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

CThe timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

DAn incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Answer : C

An incident response timeline is a detailed chronological record of all events and actions taken during the response to a security incident. It includes timestamps and descriptions of each step, providing a comprehensive overview of how the incident was detected, contained, mitigated, and resolved. This timeline is crucial for post-incident analysis, helping to understand the effectiveness of the response, identify areas for improvement, and ensure accountability and transparency in the incident handling process.

Question 4

Which of the following would eliminate the need for different passwords for a variety or internal application?

ACASB

BSSO

CPAM

DMFA

Answer : B

Single Sign-On (SSO) allows users to log in with a single ID and password to access multiple applications. It eliminates the need for different passwords for various internal applications, streamlining the authentication process.

Question 5

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is

taking place?

AData exfiltration

BRogue device

CScanning

DBeaconing

Answer : D

Beaconing is the best term to describe the activity that is taking place, as it refers to the periodic communication between an infected host and a blocklisted external server. Beaconing is a common technique used by malware to establish a connection with a command-and-control (C2) server, which can provide instructions, updates, or exfiltration capabilities to the malware. Beaconing can vary in frequency, duration, and payload, depending on the type and sophistication of the malware. The other terms are not as accurate as beaconing, as they describe different aspects of malicious activity. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a C2 server or a cloud storage service. Data exfiltration can be a goal or a consequence of malware infection, but it does not necessarily involve blocklisted servers or consistent requests. Rogue device is a device that is connected to a network without authorization or proper security controls. Rogue devices can pose a security risk, as they can introduce malware, bypass firewalls, or access sensitive data. However, rogue devices are not necessarily infected with malware or communicating with blocklisted servers. Scanning is the process of probing a network or a system for vulnerabilities, open ports, services, or other information. Scanning can be performed by legitimate administrators or malicious actors, depending on the intent and authorization. Scanning does not imply consistent requests or blocklisted servers, as it can target any network or system.

Question 6

An incident response team is assessing attack vectors of malware that is encrypting data with ransomware. There are no indications of a network-based intrusion.

Which of the following is the most likely root cause of the incident?

AUSB drop

BLFI

CCross-site forgery

DSQL injection

Answer : A

A USB drop attack is a common method for delivering ransomware, where an attacker leaves infected USB drives in strategic locations, tricking employees into plugging them into corporate devices.

Option B (LFI - Local File Inclusion) exploits web applications, but the scenario lacks network intrusion indicators.

Option C (Cross-site request forgery - CSRF) is used for exploiting authenticated web sessions, not ransomware delivery.

Option D (SQL injection) is used for database exploitation, not file encryption malware.

Thus, A (USB drop) is the correct answer, as physical malware introduction is a known ransomware attack vector.

Question 7

During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?

AImplement data encryption and close the data so only the company has access.

BEnsure permissions are limited in the investigation team and encrypt the data.

CImplement data encryption and create a standardized procedure for deleting data that is no longer needed.

DEnsure that permissions are open only to the company.

Answer : B

The best option to safeguard PII during an incident is to ensure permissions are limited in the investigation team and encrypt the data. This is because limiting permissions reduces the risk of unauthorized access or leakage of sensitive data, and encryption protects the data from being read or modified by anyone who does not have the decryption key. Option A is not correct because closing the data may hinder the investigation process and prevent collaboration with other parties who may need access to the data. Option C is not correct because deleting data that is no longer needed may violate legal or regulatory requirements for data retention, and may also destroy potential evidence for the incident. Option D is not correct because opening permissions to the company may expose the data to more people than necessary, increasing the risk of compromise or misuse.

CompTIA CySA+ Study Guide: Exam CS0-002, 2nd Edition : CompTIA CySA+ Certification Exam Objectives Version 4.0.pdf)

CompTIA Cybersecurity Analyst (CySA+) Exam CS0-003 Practice Questions