CompTIA CS0-003 Exam Dumps

An employee accessed a website that caused a device to become infected with invasivemalware. The incident response analyst has:• created the initial evidence log.• disabled the wireless adapter on the device.• interviewed the employee, who was unable to identify the website that was accessed• reviewed the web proxy traffic logs.Which of the following should the analyst do to remediate the infected device?

A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.

Answer: A

A SOC analyst identifies the following content while examining the output of a debuggercommand over a client-server application:getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ;Which of the following is the most likely vulnerability in this system?

A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow attacks

Answer: C

A security analyst must preserve a system hard drive that was involved in a litigationrequest Which of the following is the best method to ensure the data on the device is notmodified?

A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data.

Answer: A

During an incident, some loCs of possible ransomware contamination were found in agroup of servers in a segment of the network. Which of the following steps should be takennext?

A. Isolation
B. Remediation
C. Reimaging
D. Preservation

Answer: A

Which of the following would eliminate the need for different passwords for a variety orinternal application?

A. CASB
B. SSO
C. PAM
D. MFA

Answer: B

An analyst wants to ensure that users only leverage web-based software that has beenpre-approved by the organization. Which of the following should be deployed?

A. Blocklisting
B. Allowlisting
C. Graylisting
D. Webhooks

Answer: B

An email hosting provider added a new data center with new public IP addresses. Which ofthe following most likely needs to be updated to ensure emails from the new data center donot get blocked by spam filters?

A. DKIM
B. SPF
C. SMTP
D. DMARC

Answer: B

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Whichof the following types of activities is being observed?

A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates

Answer: A

An organization has activated the CSIRT. A security analyst believes a single virtual serverwas compromised and immediately isolated from the network. Which of the followingshould the CSIRT conduct next?

A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution

Answer: A

A security analyst has prepared a vulnerability scan that contains all of the company'sfunctional subnets. During the initial scan, users reported that network printers began toprint pages that contained unreadable text and icons.Which of the following should the analyst do to ensure this behavior does not oocur duringsubsequent vulnerability scans?

A. Perform non-credentialed scans.
B. Ignore embedded web server ports.
C. Create a tailored scan for the printer subnet.
D. Increase the threshold length of the scan timeout.

Answer: C

Which of the following makes STIX and OpenloC information readable by both humans andmachines?

A. XML
B. URL
C. OVAL
D. TAXII

Answer: A

A security analyst found the following vulnerability on the company’s website:<INPUT TYPE=“IMAGE” SRC=“javascript:alert(‘test’);”>Which of the following should be implemented to prevent this type of attack in the future?

A. Input sanitization
B. Output encoding
C. Code obfuscation
D. Prepared statements

Answer: A

A systems administrator receives reports of an internet-accessible Linux server that isrunning very sluggishly. The administrator examines the server, sees a high amount ofmemory utilization, and suspects a DoS attack related to half-open TCP sessionsconsuming memory. Which of the following tools would best help to prove whether thisserver was experiencing this behavior?

A. Nmap
B. TCPDump
C. SIEM
D. EDR

Answer: B

Which of the following is the best action to take after the conclusion of a security incident toimprove incident response in the future?

A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification

Answer: B

Which of the following should be updated after a lessons-learned review?

A. Disaster recovery plan
B. Business continuity plan
C. Tabletop exercise
D. Incident response plan

Answer: D

A malicious actor has gained access to an internal network by means of social engineering.The actor does not want to lose access in order to continue the attack. Which of thefollowing best describes the current stage of the Cyber Kill Chain that the threat actor iscurrently operating in?

A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation

Answer: D

Which of the following best describes the process of requiring remediation of a knownthreat within a given time frame?

A. SLA
B. MOU
C. Best-effort patching
D. Organizational governance

Answer: A

Which of the following can be used to learn more about TTPs used by cybercriminals?

A. ZenMAP
B. MITRE ATT&CK
C. National Institute of Standards and Technology
D. theHarvester

Answer: B

An analyst is evaluating a vulnerability management dashboard. The analyst sees that apreviously remediated vulnerability has reappeared on a database server. Which of thefollowing is the most likely cause?

A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.

Answer: B

A security program was able to achieve a 30% improvement in MTTR by integratingsecurity controls into a SIEM. The analyst no longer had to jump between tools. Which ofthe following best describes what the security program did?

A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass

Answer: D

An incident response team found IoCs in a critical server. The team needs to isolate andcollect technical evidence for further investigation. Which of the following pieces of datashould be collected first in order to preserve sensitive information before isolating theserver?

A. Hard disk
B. Primary boot partition
C. Malicious tiles
D. Routing table
E. Static IP address

Answer: A

A company has a primary control in place to restrict access to a sensitive database.However, the company discovered an authentication vulnerability that could bypass thiscontrol. Which of the following is the best compensating control?

A. Running regular penetration tests to identify and address new vulnerabilities
B. Conducting regular security awareness training of employees to prevent socialengineering attacks
C. Deploying an additional layer of access controls to verify authorized individuals
D. Implementing intrusion detection software to alert security teams of unauthorized accessattempts

Answer: C

A Chief Information Security Officer has outlined several requirements for a newvulnerability scanning project:. Must use minimal network bandwidth. Must use minimal host resources. Must provide accurate, near real-time updates. Must not have any stored credentials in configuration on the scannerWhich of the following vulnerability scanning methods should be used to best meet theserequirements?

A. Internal
B. Agent
C. Active
D. Uncredentialed

Answer: B