CompTIA CS0-003 Practice Test 2026

Updated On : 25-May-2026

Prepare smarter and boost your chances of success with our CompTIA CS0-003 practice test 2026. These CompTIA CySA+ Certification test questions help you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use CS0-003 practice exams are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA CS0-003 certified.

Page 1 out of 50 Pages


An analyst reviews the following list of vulnerabilities:
CVE ID | CVSS | Weaponized | Count | Location
CVE-2024-9837 | 9.2 | Yes | 58 | Internal
CVE-2024-9964 | 9.0 | Yes | 24 | Internal
CVE-2023-8524 | 9.1 | Yes | 55 | External
CVE-2024-1587 | 8.7 | Yes | 55 | Internal
The analyst determines that CVE-2023-8524 is the highest priority for remediation and should be patched immediately. Which of the following did the analyst use to determine the priority of remediation efforts?

A. Context awareness

B. Criticality

C. Exploit availability

D. Recurrence

A.   Context awareness

Explanation:

Why A is correct:
The analyst prioritized CVE-2023-8524 (CVSS 9.1, Weaponized = Yes, Count = 55, Location = External) over vulnerabilities with similar or higher CVSS scores and weaponization status. The key differentiator is location — "External" means the vulnerable system is internet‑facing, making it directly accessible to attackers without prior internal access. This is a contextual factor (network exposure) that raises risk above internal vulnerabilities with similar technical severity. Using environmental context (location, asset value, business impact) to adjust priority is exactly what context awareness means in vulnerability management.

Why other options are incorrect:

B. Criticality
– Criticality refers to asset importance (e.g., financial DB vs. test server). The table does not provide asset criticality (no column for High/Medium/Low business impact). The analyst used location (External vs. Internal), not criticality.

C. Exploit availability
– All listed vulnerabilities have "Weaponized = Yes", meaning exploit code is publicly available. This factor does not differentiate between them. Therefore, exploit availability alone did not determine the choice.

D. Recurrence
– Recurrence refers to how often a vulnerability reappears (e.g., after remediation). The table shows a "Count" column, but CVE-2023-8524 has 55 occurrences — the same as CVE-2024-1587 and less than CVE-2024-9837 (58). Recurrence (Count) does not explain why CVE-2023-8524 was chosen over others.

References:

CompTIA CS0‑003 Objectives: Domain 2.4 – Context awareness (network exposure, asset location, business environment) for prioritization.

NIST SP 800‑30 Rev. 1: Risk = f(threat, vulnerability, context including accessibility).
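As an added illustration (not part of the practice test), the following Python ranks the four CVEs from the table with and without an exposure multiplier; the multipliers and the count tie-breaker are assumptions chosen to make the contextual effect visible, not a CompTIA or NIST formula.

```python
# Added example: context-aware ranking of the question's four findings.
# Multipliers and the tie-breaker weight are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    weaponized: bool
    count: int
    location: str  # "Internal" or "External"


# Rows copied from the question's table.
FINDINGS = [
    Finding("CVE-2024-9837", 9.2, True, 58, "Internal"),
    Finding("CVE-2024-9964", 9.0, True, 24, "Internal"),
    Finding("CVE-2023-8524", 9.1, True, 55, "External"),
    Finding("CVE-2024-1587", 8.7, True, 55, "Internal"),
]

# Assumed exposure factors: an internet-facing host is reachable by anyone,
# an internal-only host needs a foothold first.
EXPOSURE = {"External": 1.5, "Internal": 1.0}


def severity_only(f: Finding) -> float:
    """Naive ordering: CVSS alone, occurrence count only as a tie-breaker."""
    return f.cvss + f.count / 1000


def context_aware(f: Finding) -> float:
    """CVSS scaled by exploit availability and by network exposure.
    Count stays a small tie-breaker so it never outweighs exposure."""
    exploit = 1.2 if f.weaponized else 1.0
    return f.cvss * exploit * EXPOSURE[f.location] + f.count / 1000


def rank(findings, key) -> list:
    """CVE IDs ordered from highest to lowest priority under the given key."""
    return [f.cve for f in sorted(findings, key=key, reverse=True)]


if __name__ == "__main__":
    print("CVSS only     :", rank(FINDINGS, severity_only))
    print("Context aware :", rank(FINDINGS, context_aware))
```

Under the severity-only key CVE-2024-9837 comes first; once exposure is weighed in, CVE-2023-8524 moves to the top, matching the analyst's choice.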

An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

A. Multifactor authentication

B. Password changes

C. System hardening

D. Password encryption

A.   Multifactor authentication

Summary
The breach has exposed all employee credentials, making them available to attackers. While forcing immediate password changes (Option B) is a necessary first step, it only protects against reuse of the exact leaked passwords. Implementing multifactor authentication (MFA) provides a superior security control by requiring a second, independent form of verification beyond the password. This renders the stolen credentials useless on their own, significantly reducing the impact of the breach.

Correct Option

A. Multifactor authentication
MFA fundamentally changes the authentication process by requiring two or more pieces of evidence (factors) to grant access. Even if an attacker possesses the correct username and password (a "something you know" factor), they would be unable to provide the second factor (e.g., a code from an app, a biometric, "something you have"). This directly and most effectively reduces the impact of the credential leak by neutralizing the utility of the stolen passwords, preventing account takeover and lateral movement by the attackers using the compromised credentials.

Incorrect Options

B. Password changes
While forcing password changes is an immediate and essential reactive step, it is a weaker remediation on its own. It does not protect against the initial window of exposure between the leak and the change, and it offers no protection if the new password is weak or is subsequently phished or stolen again. MFA provides a more robust, proactive security layer.

C. System hardening
System hardening involves reducing the attack surface of systems by removing unnecessary services, applying patches, and tightening configurations. While a critical security practice, it does not directly address the specific problem of stolen user credentials being used for unauthorized access. It is a preventative control for vulnerabilities, not a remediation for compromised authentication secrets.

D. Password encryption
Passwords should already be hashed (a form of one-way encryption) when stored in a database. The fact that they were "leaked" means the attackers likely gained access to this hashed data. The remediation is not to change the storage encryption, but to change the authentication process itself (via MFA) to make the stolen data less valuable.

Reference
NIST Special Publication 800-63B - Digital Identity Guidelines: This standard strongly recommends the use of multi-factor authentication to protect against credential stuffing and the use of stolen passwords. It states that verifiers (services) "SHALL require multi-factor authentication" for certain scenarios and emphasizes that MFA is a critical control to mitigate the risk of compromised authenticators.

A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:

Which of the following vulnerabilities should be prioritized for remediation?

A. nessie.explosion

B. vote.4p

C. sweet.bike

D. great.skills

A.   nessie.explosion

Explanation:

The scenario involves a company that removed administrator rights from end user workstations, and an analyst using CVSS v3.1 Exploitability Metrics to prioritize vulnerabilities. The Exploitability Metrics in CVSS v3.1 are Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI), which together assess how easily a vulnerability can be exploited. Since the specific CVSS scores or details for nessie.explosion, vote.4p, sweet.bike, and great.skills are not provided, we must make a reasoned assumption based on the context of administrator rights removal and typical CVSS prioritization principles. The removal of administrator rights bears directly on the Privileges Required (PR) metric: vulnerabilities requiring no privileges (PR:None) or low privileges (PR:Low) become the more pressing concern, as they can be exploited without elevated access. Based on naming conventions and typical vulnerability patterns (e.g., as in prior scenarios like ransomware or XSS), nessie.explosion is assumed to have the highest exploitability due to its suggestive naming (implying severe impact or ease of exploitation) and alignment with high-priority characteristics in a restricted environment. Let’s analyze the reasoning and why the other options are less likely.

Why nessie.explosion?

CVSS v3.1 Exploitability Metrics:

Attack Vector (AV):
Measures access level (e.g., Network, Adjacent, Local, Physical). Network (N) scores highest, as remote exploits are easier.

Attack Complexity (AC):
Low (L) scores higher than High (H), indicating fewer conditions needed for exploitation.

Privileges Required (PR):
None (N) or Low (L) scores higher than High (H), as less privilege is needed. With administrator rights removed, vulnerabilities requiring PR:None or PR:Low are more exploitable by standard users.

User Interaction (UI):
None (N) scores higher than Required (R), as no user action is needed.

Why Not the Other Options?

vote.4p:
The name suggests a less severe or specific vulnerability (e.g., possibly voting system-related, less likely in a workstation context). It may require PR:High or UI:Required, reducing its Exploitability score in a non-admin environment (e.g., similar to prior XSS scenarios requiring user interaction).

sweet.bike:
The name implies a lower-priority or less exploitable vulnerability (e.g., possibly application-specific or requiring specific conditions, as in prior misconfiguration scenarios). It likely has AC:High or PR:High, making it less critical without admin rights.

great.skills:
The name suggests a generic or less severe issue (e.g., possibly a misconfiguration or low-impact flaw). It may require PR:High or complex conditions (AC:High), lowering its priority in a restricted workstation environment.

Final Answer:
The vulnerability that should be prioritized for remediation is nessie.explosion, as it likely has the highest CVSS v3.1 Exploitability sub-score (e.g., PR: None, AV: Network) in a workstation environment without administrator rights, making it the most exploitable and critical to address.
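An added example, not from the practice test: the CVSS v3.1 Exploitability sub-score (8.22 x AV x AC x PR x UI) computed from vector strings, with PR:High findings demoted once standard users hold no admin rights. The metric weights are the published v3.1 values; the four vectors are constructed because the question's table is not reproduced on this page, and the demotion rule is a simplification for illustration.

```python
# Added example (not from the practice test): CVSS v3.1 Exploitability
# sub-score = 8.22 x AV x AC x PR x UI, using the published v3.1 weights.
# The vectors under VULNS are constructed; the question's table is not on the page.
import re

AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.5)}  # (Scope unchanged, Scope changed)
UI = {"N": 0.85, "R": 0.62}
VECTOR_RE = re.compile(r"CVSS:3\.1/((?:[A-Z]+:[A-Z]/?)+)")


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.1/AV:N/AC:L/...' into a {metric: value} mapping."""
    m = VECTOR_RE.fullmatch(vector)
    if not m:
        raise ValueError(f"not a CVSS v3.1 vector: {vector}")
    metrics = dict(part.split(":") for part in m.group(1).split("/"))
    missing = {"AV", "AC", "PR", "UI", "S"} - metrics.keys()
    if missing:
        raise ValueError(f"vector lacks base metrics {sorted(missing)}")
    return metrics


def exploitability(vector: str) -> float:
    """Exploitability sub-score rounded to one decimal, as the calculator shows it."""
    v = parse_vector(vector)
    pr = PR[v["PR"]][1 if v["S"] == "C" else 0]   # PR weight depends on Scope
    return round(8.22 * AV[v["AV"]] * AC[v["AC"]] * pr * UI[v["UI"]], 1)


def prioritize(vulns: dict, admins_removed: bool = True) -> list:
    """Order by exploitability. Simplification for this example: when
    workstation users no longer hold admin rights, a flaw that needs PR:H is
    out of reach for them, so such findings drop below everything a standard
    user could trigger."""
    def key(item):
        name, vector = item
        demote = admins_removed and parse_vector(vector)["PR"] == "H"
        return (0 if demote else 1, exploitability(vector))
    return [name for name, _ in sorted(vulns.items(), key=key, reverse=True)]


# Constructed vectors (assumed, not the question's real data).
VULNS = {
    "nessie.explosion": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "vote.4p":          "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
    "sweet.bike":       "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "great.skills":     "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
}

if __name__ == "__main__":
    for name in prioritize(VULNS):
        print(f"{name:18} exploitability={exploitability(VULNS[name])}")
```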

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

A. The risk would not change because network firewalls are in use.

B. The risk would decrease because RDP is blocked by the firewall.

C. The risk would decrease because a web application firewall is in place.

D. The risk would increase because the host is external facing.

D.   The risk would increase because the host is external facing.

Summary
The vulnerability exists on port 3389, which is the default port for the Remote Desktop Protocol (RDP). A Web Application Firewall (WAF) is designed to protect web applications (typically on ports 80/443) by inspecting HTTP/HTTPS traffic for web-based attacks like SQL injection or cross-site scripting. A WAF provides no protection for the RDP service. Since the server is external-facing, the RDP port is directly exposed to the internet, significantly increasing the likelihood of exploitation.

Correct Option

D. The risk would increase because the host is external facing.
Risk is a function of threat, vulnerability, and impact. The vulnerability (a flaw in the RDP service) is present on a system directly accessible from the internet. This high-threat environment, where attackers can directly probe and attempt to exploit the vulnerability, greatly increases the overall risk.

The existing security control (the WAF) is ineffective against this specific threat because it does not monitor or filter RDP traffic on port 3389. Therefore, the risk is substantially elevated due to the host's exposure.

Incorrect Options

A. The risk would not change because network firewalls are in use.
This is incorrect. The scenario does not state that a network firewall is blocking port 3389; in fact, the vulnerability was scanned and identified over that port, implying it is open and accessible. Even if a firewall were present, assuming the risk is unchanged ignores the critical factor of the server's external-facing nature.

B. The risk would decrease because RDP is blocked by the firewall.
This is factually wrong based on the evidence. The scan successfully identified the vulnerability over port 3389, proving that RDP is not blocked. The vulnerability would be unreachable if the port were closed, but it is not.

C. The risk would decrease because a web application firewall is in place.
This misinterprets the function of a WAF. A WAF is a specialized control for web application traffic. It provides zero protection for network services like RDP. Therefore, its presence does not mitigate the risk associated with this specific vulnerability at all.

Reference
NIST Special Publication 800-30, Guide for Conducting Risk Assessments: This guide defines risk as a function of the likelihood of a threat event exploiting a vulnerability and the resulting impact. The external-facing nature of the server greatly increases the likelihood of a threat event, while the lack of a relevant security control (the WAF is not applicable) fails to reduce that likelihood, resulting in increased overall risk.

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

A. Interview the users who access these systems.

B. Scan the systems to see which vulnerabilities currently exist.

C. Configure alerts for vendor-specific zero-day exploits.

D. Determine the asset value of each system.

D.   Determine the asset value of each system.

Explanation:

The scenario involves a security analyst working with system owners to categorize and prioritize systems based on the sensitivity of the content they host, ensuring confidentiality, availability, and integrity (CIA triad). This requires a methodology to assess and rank systems by their importance to the organization, which drives protection strategies (e.g., as in prior data classification or risk register scenarios). Determining the asset value of each system is the best first step, as it establishes the criticality and sensitivity of the data hosted (e.g., PII, financial data, as in prior PII or data breach scenarios), enabling categorization and prioritization of protection efforts. Let’s analyze why this is the best choice and why the other options are less suitable.

Why Determine the Asset Value of Each System?

Definition:
Asset valuation involves assessing the importance of systems based on the data they host (e.g., sensitivity, business impact) and their role in operations (e.g., critical servers vs. non-critical endpoints). This often aligns with data classification (e.g., public, confidential, as in prior DLP or classification scenarios).

Relevance to Scenario:

Sensitivity of Content:
Systems hosting sensitive data (e.g., customer PII on a database server, as in prior financial institution breach scenarios) require higher protection. Asset valuation identifies which systems hold high-value data (e.g., confidential vs. public), enabling prioritization.

CIA Triad:
Valuation ensures confidentiality (protecting sensitive data), availability (prioritizing uptime for critical systems), and integrity (safeguarding data accuracy) by focusing resources on high-value assets (e.g., as in prior ransomware or e-commerce platform scenarios).

Categorization and Prioritization:
Determining asset value is the foundational step in risk management (e.g., as in prior risk register or impact-focused scenarios), as it informs which systems need stringent controls (e.g., encryption, firewalls) and prioritization for vulnerability mitigation.

Why Not the Other Options?

Interview the Users Who Access These Systems:

Definition:
Interviewing users gathers insights into system usage or potential misuse (e.g., as in prior insider threat or user behavior analysis scenarios).

Why Less Suitable:
User interviews provide supplementary data but rely on subjective input and don’t directly assess system value or data sensitivity. Asset valuation with system owners is more foundational for categorization.

Scan the Systems to See Which Vulnerabilities Currently Exist:

Definition:
Vulnerability scanning (e.g., using OpenVAS, as in prior scenarios) identifies weaknesses like unpatched software or misconfigurations.

Why Less Suitable:
Scanning identifies vulnerabilities but doesn’t categorize systems by data sensitivity or value. Without knowing asset value, scanning lacks context for prioritization, making it a secondary step.

Configure Alerts for Vendor-Specific Zero-Day Exploits:

Definition:
Configuring alerts monitors for zero-day vulnerabilities (e.g., as in prior zero-day web server scenarios).

Why Less Suitable:
Alerts address specific threats but don’t help categorize or prioritize systems based on data sensitivity. This is a reactive measure, not a foundational step for asset management.

Final Answer:
The first action the security analyst should perform is to determine the asset value of each system, as it establishes the sensitivity and criticality of hosted data, enabling categorization and prioritization of systems to promote confidentiality, availability, and integrity.

During a routine review of DNS logs, a security analyst observes that Host X has been making frequent DNS requests to domains with random alphanumeric strings, such as ajd8ekthj.xyz. IPS anomaly rules are blocking these domains. This behavior started shortly after a new software installation on the host. Which of the following should the analyst do first to determine whether Host X has been compromised?

A. Allow the domains because the DNS requests are part of a misconfigured software update.

B. Check the software installation logs for errors and reinstall the software.

C. Block all outbound connections from the host to prevent further DNS queries.

D. Use threat intelligence to check if the queried domains are associated with legitimate sites.

D.   Use threat intelligence to check if the queried domains are associated with legitimate sites.

Explanation:

Why D is correct:
Frequent DNS requests to random alphanumeric domains (e.g., ajd8ekthj.xyz) are a classic indicator of Domain Generation Algorithm (DGA) behavior, often used by malware to find command-and-control (C2) servers. Before taking any disruptive action, the analyst should first gather threat intelligence on these domains. Checking threat intelligence feeds (e.g., VirusTotal, Cisco Talos, CrowdStrike) can confirm if the domains are known malicious, associated with specific malware families, or (less likely) legitimate but misconfigured. This is the least invasive, most informative first step in determining compromise.

Why other options are incorrect:

A. Allow the domains because the DNS requests are part of a misconfigured software update
– This is reckless. Legitimate software does not use random alphanumeric domains for updates. Allowing without investigation risks connecting to malicious infrastructure.

B. Check the software installation logs for errors and reinstall the software
– Reinstallation is premature and may not remove malware. The issue may be unrelated to the new software (coincidental timing) or the software itself may be compromised. Investigation comes before reinstallation.

C. Block all outbound connections from the host to prevent further DNS queries
– This is overly destructive and would break legitimate services. It also prevents further observation of malicious behavior. Containment actions come after analysis confirms compromise.

References:

CompTIA CS0‑003 Objectives: Domain 4.1 (Analyze indicators of compromise) – DGA indicators and threat intelligence integration.

MITRE ATT&CK T1568.002 (Dynamic Resolution – Domain Generation Algorithms): Malware uses random alphanumeric domains.
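An added example (not part of the practice test) showing the kind of DNS-log triage that precedes the threat-intelligence lookup: it scores each queried label on length, entropy, digit mix and vowel ratio and reports hosts with repeated DGA-looking queries. The log lines and the thresholds are constructed for illustration; a hit is a lead to check against threat intelligence, not a verdict, since some CDN and cloud host names look random too.

```python
# Added example: flag hosts whose DNS queries look like DGA output.
# Log lines and thresholds are constructed/assumed for illustration.
import math
import re
from collections import Counter, defaultdict

# Constructed log lines: "<timestamp> <host> <queried domain>"
DNS_LOG = """\
2024-05-21T13:19:01 hostX ajd8ekthj.xyz
2024-05-21T13:19:02 hostX q7w1zp0kd.xyz
2024-05-21T13:19:03 hostX xk39vmta2.top
2024-05-21T13:19:04 hostX update.example-vendor.com
2024-05-21T13:19:05 hostY www.example.com
2024-05-21T13:19:06 hostY mail.example.com
2024-05-21T13:19:07 hostX 5h2lqzr8w.xyz
"""

VOWELS = set("aeiou")
LINE = re.compile(r"^(\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels sit well above dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def second_level_label(domain: str) -> str:
    """'ajd8ekthj.xyz' -> 'ajd8ekthj'; the label a DGA actually generates."""
    parts = domain.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(domain: str) -> bool:
    """Heuristics typical of DGA labels: long, high entropy, digits mixed in
    or very few vowels. Each alone is weak; together they are a usable flag."""
    label = second_level_label(domain).lower()
    if len(label) < 7:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) > 2.8 and (digit_ratio > 0.1 or vowel_ratio < 0.2)


def suspicious_hosts(log: str, min_hits: int = 3) -> dict:
    """Return {host: [domains]} for hosts with at least min_hits DGA-looking queries."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        _, host, domain = m.groups()
        if looks_generated(domain):
            hits[host].append(domain)
    return {host: domains for host, domains in hits.items() if len(domains) >= min_hits}


if __name__ == "__main__":
    for host, domains in suspicious_hosts(DNS_LOG).items():
        print(f"{host}: {len(domains)} DGA-like queries, e.g. {domains[0]} -> check threat intel")
```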

A Chief Information Security Officer wants to implement security by design, starting …… vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?

A. Reverse engineering

B. Known environment testing

C. Dynamic application security testing

D. Code debugging

C.   Dynamic application security testing

Explanation:

Security by design involves integrating security practices into the software development lifecycle (SDLC) to prevent vulnerabilities like SQL injection, RFI, and XSS (e.g., as seen in prior website defacement or SSRF scenarios). These vulnerabilities are common in web applications (e.g., e-commerce platforms, as in prior scenarios) and require testing to identify and mitigate them during development and deployment. Dynamic Application Security Testing (DAST) is the most likely to meet the requirement, as it tests running applications in a realistic environment to detect exploitable vulnerabilities like SQL injection, RFI, and XSS, aligning with security by design principles. Let’s analyze why this is the best choice and why the other options are less suitable.

Why Dynamic Application Security Testing?

Definition:
DAST involves testing a running application (e.g., via tools like OWASP ZAP or Burp Suite) by simulating attacks to identify vulnerabilities such as SQL injection, RFI, XSS, and others, without requiring source code access.

Relevance to Scenario:

Security by Design:
DAST integrates into the SDLC (e.g., during testing or staging phases) to identify vulnerabilities in web applications before deployment, ensuring secure coding practices (e.g., input validation to prevent XSS, as in prior obfuscated JavaScript scenarios).

Targeted Vulnerabilities:

DAST effectively detects:

SQL Injection:
By sending malicious SQL queries to test database interactions (e.g., similar to prior e-commerce vulnerabilities).

RFI:
By attempting to include remote files to exploit insecure file inclusion (e.g., similar to prior SSRF scenarios).

XSS:
By injecting scripts to test for client-side vulnerabilities (e.g., as in prior website defacement).

Real-World Testing:
DAST simulates attacker behavior in a running application, identifying exploitable flaws in a production-like environment, aligning with security by design’s focus on proactive vulnerability prevention.

CISO’s Goal:
The CISO wants to prevent vulnerabilities early, and DAST provides actionable findings (e.g., vulnerable endpoints) to developers for remediation, reducing risks in deployed applications.

Benefits:

Proactive Detection:
Identifies vulnerabilities before exploitation (e.g., unlike reactive measures in prior ransomware or DDoS scenarios).

No Code Access Needed:
Works on running applications, making it suitable for third-party or legacy systems (e.g., as in prior cloud scenarios).

Comprehensive Coverage:
Catches runtime issues that static analysis might miss, addressing a wide range of web vulnerabilities.

Example:
DAST scans a web application (e.g., an e-commerce platform, as in prior scenarios) and detects an XSS vulnerability in a user input field. Developers fix it by implementing input sanitization, preventing attacks before deployment.

Why Not the Other Options?

Reverse Engineering:

Definition:
Reverse engineering analyzes compiled code to understand its functionality (e.g., as in prior malware analysis scenarios).

Why Less Suitable:
It’s used for post-incident analysis (e.g., ransomware binaries) or understanding proprietary software, not for proactively preventing vulnerabilities like SQL injection or XSS during development.

Known Environment Testing:

Definition:
Known environment testing (e.g., white-box testing) involves analyzing code or systems with full knowledge of their structure, often via static analysis (e.g., SAST).

Why Less Suitable:
While useful, it requires source code access and focuses on code-level issues, not runtime behavior. DAST better detects exploitable vulnerabilities like XSS or SQL injection in running applications.

Code Debugging:

Definition:
Code debugging identifies and fixes coding errors during development (e.g., logical errors).

Why Less Suitable:
Debugging addresses functional issues, not security vulnerabilities like SQL injection or RFI. It’s not a systematic testing method for security by design.

Final Answer:
The method that would most likely meet the requirement of implementing security by design to address vulnerabilities like SQL injection, RFI, and XSS is dynamic application security testing, as it proactively identifies exploitable flaws in running applications, ensuring secure development.

A security analyst is investigating an unusually high volume of requests received on a web server. Based on the following command and output:

access_log - [21/May/2024 13:19:06] "GET /newyddion HTTP/1.1" 404 -

access_log - [21/May/2024 13:19:06] "GET /1970 HTTP/1.1" 404 -

access_log - [21/May/2024 13:19:06] "GET /dopey HTTP/1.1" 404 -...

Which of the following best describes the activity that the analyst will confirm?

A. SQL injection

B. Directory brute force

C. Remote command execution

D. Cross-site scripting

B.   Directory brute force

Explanation:

The log output shows multiple HTTP requests resulting in 404 (Not Found) errors:

[21/May/2024 13:19:06] "GET /newyddion HTTP/1.1" 404 -
[21/May/2024 13:19:06] "GET /1970 HTTP/1.1" 404 -
[21/May/2024 13:19:06] "GET /dopey HTTP/1.1" 404 -

These entries indicate requests for nonexistent resources (/newyddion, /1970, /dopey) at the same timestamp, combined with an unusually high volume of requests. This pattern suggests a directory brute force attack, where an attacker systematically probes for valid directories or files. Let’s analyze why this is the best choice and why the other options are less suitable.

Why Directory Brute Force?

Definition:
Directory brute force (or directory enumeration) involves sending numerous HTTP requests to guess valid directories or files on a web server, often using tools like dirb, dirbuster, or Gobuster. These tools generate 404 errors for nonexistent paths while seeking valid ones (e.g., /admin, /config).

Match with Output:
The log shows requests for obscure or random paths (/newyddion, /1970, /dopey), typical of a brute-force tool testing a wordlist for hidden directories or files. The high volume of requests aligns with automated enumeration, as seen in previous questions about HTTP 404 events or directory traversal attempts (e.g., ../Boot.Ini). The identical timestamps suggest a scripted attack, not manual user errors.

Example:
A tool like dirb might send GET /newyddion, GET /1970, etc., from a wordlist, generating 404s for nonexistent paths while hoping to find valid ones like /admin (HTTP 200).

References:
High-volume 404 errors from random URLs suggest directory brute forcing by tools like dirb.
Automated directory enumeration generates numerous 404s, as seen in the logs.

Final Answer:
The activity the analyst will confirm is directory brute force, as the high volume of HTTP 404 requests for random paths like /newyddion, /1970, and /dopey indicates an automated attempt to enumerate valid directories or files.

A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://offce365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

A. This is a normal password change URL.

B. The security operations center is performing a routine password audit.

C. A new VPN gateway has been deployed

D. A social engineering attack is underway

D.   A social engineering attack is underway

Explanation:

The scenario involves outbound traffic to a suspicious domain (https://offce365password.acme.co) that deviates from the company’s standard VPN logon page (www.acme.com/logon). The domain name’s similarity to legitimate services (e.g., “offce365” resembling “Office 365”) and its association with “password” strongly suggest malicious intent. Let’s analyze why a social engineering attack is the most likely explanation and why the other options are less appropriate, with references to the CS0-003 exam and cybersecurity frameworks.

Why a Social Engineering Attack?
A social engineering attack, such as phishing or credential harvesting, involves manipulating users into divulging sensitive information (e.g., login credentials) or performing actions that compromise security. In this scenario:

Suspicious Domain Name:
The URL https://offce365password.acme.co is highly suspicious. It mimics a legitimate domain by including “acme.co” (resembling the company’s legitimate domain, acme.com) and uses “offce365” (a typo mimicking “Office 365”) combined with “password,” suggesting an attempt to trick users into entering credentials on a fake login page.

Deviation from Standard VPN Logon:
The legitimate VPN logon page is www.acme.com/logon, a standard and expected URL for the company’s VPN. The traffic to offce365password.acme.co indicates users are accessing a non-standard, potentially malicious site, likely due to a phishing email or redirected link.

Outbound Traffic:
The analyst’s observation of outbound traffic to this host IP suggests that users within the organization are connecting to the suspicious site, possibly after clicking a phishing link designed to capture credentials.

Common Tactic:
Social engineering attacks often use typosquatting (e.g., “offce” instead of “office”) or domain spoofing to create convincing fake login pages. This aligns with phishing campaigns targeting employee credentials for services like VPNs or Office 365.

Alignment with CS0-003 Objectives:
This scenario aligns with Domain 1.0: Security Operations (objective 1.2: Analyze indicators of potentially malicious activity), which includes recognizing phishing and social engineering as indicators of compromise (IoCs). It also relates to Domain 3.0: Incident Response and Management (objective 3.2), which emphasizes identifying and responding to social engineering attacks during incident response.

References:
[Source]: Describes typosquatting and phishing attacks using fake domains that mimic legitimate ones (e.g., “offce365” instead of “Office 365”) to steal credentials, a common social engineering tactic.

[Source]: Highlights that outbound traffic to suspicious domains is a key indicator of phishing, requiring immediate investigation by SOC analysts.

Final Answer:
The most likely explanation is that a social engineering attack is underway, as the suspicious domain https://offce365password.acme.co suggests a phishing or credential harvesting attempt, leveraging typosquatting to mimic legitimate company services and trick users into entering credentials.
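An added example, not from the page: a small check that scores a host name against an assumed allow-list and brand list, flagging the registrable-domain look-alike (acme.co vs acme.com), the near-miss brand label (offce365) and the credential wording. The lists and thresholds are assumptions; the URLs are the two from the question.

```python
# Added example: look-alike host detection for the question's URLs.
# Allow-list, brand list, keyword list and thresholds are assumptions.
from urllib.parse import urlparse

LEGIT_HOSTS = {"www.acme.com", "acme.com"}           # assumed allow-list
BRANDS = ("office365", "acme", "microsoft")          # assumed protected names
CREDENTIAL_WORDS = ("password", "login", "logon", "signin", "verify", "reset")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_brand(label: str, brand: str) -> bool:
    """True if some substring of label is exactly one edit from brand
    (catches a dropped or added letter, e.g. 'offce365' vs 'office365')."""
    n = len(brand)
    for width in (n - 1, n, n + 1):
        for start in range(len(label) - width + 1):
            chunk = label[start:start + width]
            if chunk != brand and levenshtein(chunk, brand) == 1:
                return True
    return False


def assess(url: str) -> dict:
    """Score one URL's host; two or more independent signals mark it suspicious."""
    host = (urlparse(url).hostname or "").lower()
    reasons = []
    if host in LEGIT_HOSTS:
        return {"host": host, "suspicious": False, "reasons": reasons}
    labels = host.split(".")
    registrable = ".".join(labels[-2:])
    # 1. registrable domain is one edit away from a legitimate one (acme.co vs acme.com)
    for legit in LEGIT_HOSTS:
        legit_reg = ".".join(legit.split(".")[-2:])
        if registrable != legit_reg and levenshtein(registrable, legit_reg) <= 1:
            reasons.append(f"look-alike of {legit_reg}")
            break
    # 2. a subdomain label carries a near-miss of a protected brand
    for label in labels[:-2]:
        for brand in BRANDS:
            if near_brand(label, brand):
                reasons.append(f"'{label}' resembles '{brand}'")
    # 3. credential-harvest wording in the host name itself
    if any(word in host for word in CREDENTIAL_WORDS):
        reasons.append("credential keyword in host name")
    return {"host": host, "suspicious": len(reasons) >= 2, "reasons": reasons}


if __name__ == "__main__":
    for url in ("https://offce365password.acme.co", "https://www.acme.com/logon"):
        print(url, "->", assess(url))
```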

An analyst receives an alert for suspicious IIS log activity and reviews the following entries:

2024-05-23 15:57:05 10.203.10.16 HEAT / - 80 - 10.203.10.17 DirBuster-1.0-RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project) ...

Which of the following will the analyst infer from the logs?

A. An attacker is performing network lateral movement.

B. An attacker is conducting reconnaissance of the website.

C. An attacker is exfiltrating data from the network.

D. An attacker is cloning the website.

B.   An attacker is conducting reconnaissance of the website.

Explanation:

Why B is correct:
The log shows a request from 10.203.10.17 using DirBuster-1.0-RC1 as the user agent. DirBuster is an OWASP tool used for directory and file brute-forcing – it systematically requests common directory paths (e.g., /admin, /backup, /config) to discover hidden web content. This is a reconnaissance (information gathering) activity, not an active exploit or data theft.

Why other options are incorrect:

A. Network lateral movement
– Lateral movement involves moving from one compromised host to another using protocols like SMB, RDP, or SSH. The log shows a single HTTP GET request from a scanning tool, not evidence of pivoting or authentication to another internal system.

C. Data exfiltration
– Exfiltration typically involves large outbound data transfers, unusual DNS tunneling, or POST requests with large payloads. The log shows a simple GET request with a scanning user agent; no data is leaving the network.

D. Cloning the website
– Website cloning (e.g., wget --mirror) would show repeated GET requests for pages, CSS, JS, and images. DirBuster specifically brute-forces directory names to map structure, not to clone content.

References:

CompTIA CS0-003 Objectives: Domain 1.4 (Analyze network and web logs) – Recognize scanning/reconnaissance tools like DirBuster.

OWASP DirBuster Project: Purpose is to identify hidden directories and files – reconnaissance phase of penetration testing.
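The inference above rests on two things an analyst can check mechanically: the user-agent string IIS recorded (with spaces written as "+") and the request pattern itself. The following is an added example, not code from the practice-test page or from CompTIA or OWASP; it assumes the IIS W3C field order listed in FIELDS (a real log states its own order in its #Fields header) and uses constructed log lines, including one DirBuster run and one enumerator that hides behind a browser user agent so that only the behavioural check catches it.

```python
"""Flag directory brute-forcing (web reconnaissance) in IIS W3C log lines.

Added example, not code from the practice-test page: it parses IIS W3C
extended-format entries in the assumed field order below, undoes the '+'
that IIS writes in place of spaces inside cs(User-Agent), and flags a client
both by a known-scanner user agent and by behaviour (many distinct paths,
mostly 404s, in a short window), so a renamed user agent is still caught.
"""
from collections import defaultdict
from datetime import datetime

# Assumed #Fields order; in practice read it from the log's own #Fields header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Lower-case substrings of user agents left by common directory brute-forcers.
SCANNER_UA_MARKERS = ("dirbuster", "gobuster", "feroxbuster", "ffuf", "wfuzz", "nikto")

# Behavioural thresholds: distinct paths and share of 404s inside WINDOW_SECONDS.
DISTINCT_PATH_THRESHOLD = 20
NOT_FOUND_RATIO = 0.8
WINDOW_SECONDS = 60


def parse_line(line):
    """Parse one W3C entry into a dict; return None for blank/comment lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ua"] = rec["cs(User-Agent)"].replace("+", " ")  # IIS encodes spaces as '+'
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    rec["status"] = int(rec["sc-status"])
    return rec


def enumeration_window(recs):
    """Largest number of distinct paths a client hit inside any WINDOW_SECONDS
    span in which at least NOT_FOUND_RATIO of the requests were 404s, or None."""
    recs = sorted(recs, key=lambda r: r["ts"])
    best, start = None, 0
    for end in range(len(recs)):
        while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
            start += 1
        window = recs[start:end + 1]
        paths = len({r["cs-uri-stem"] for r in window})
        not_found = sum(r["status"] == 404 for r in window) / len(window)
        if paths >= DISTINCT_PATH_THRESHOLD and not_found >= NOT_FOUND_RATIO:
            if best is None or paths > best[0]:
                best = (paths, not_found)
    return best


def analyze(lines):
    """Return {client_ip: [reasons]} for clients that appear to be enumerating
    the site; clients with no finding are absent from the result."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_client[rec["c-ip"]].append(rec)

    findings = {}
    for ip, recs in per_client.items():
        reasons = []
        tools = sorted({m for r in recs for m in SCANNER_UA_MARKERS if m in r["ua"].lower()})
        if tools:
            reasons.append("scanner user agent: " + ", ".join(tools))
        hit = enumeration_window(recs)
        if hit:
            reasons.append(f"{hit[0]} distinct paths, {hit[1]:.0%} 404s within {WINDOW_SECONDS}s")
        if reasons:
            findings[ip] = reasons
    return findings


def sample_log():
    """Constructed IIS entries: one normal user, one DirBuster run (user agent as
    IIS records it) and one enumerator hiding behind a browser user agent."""
    browser = "Mozilla/5.0+(Windows+NT+10.0)+Firefox/125.0"
    dirbuster = ("DirBuster-1.0-RC1+(http://www.owasp.org/index.php"
                 "/Category:OWASP_DirBuster_Project)")
    lines = ["#Software: Microsoft Internet Information Services 10.0",
             "#Fields: " + " ".join(FIELDS)]
    for i, path in enumerate(("/", "/index.html", "/images/logo.png")):
        lines.append(f"2024-05-23 15:56:{i:02d} 10.203.10.16 GET {path} - 80 - 10.203.10.20 {browser} 200")
    wordlist = ("admin backup config old test tmp db logs upload api dev staging private "
                "secret data cgi-bin include lib src bin etc phpmyadmin wp-admin manager console")
    for i, word in enumerate(wordlist.split()):
        lines.append(f"2024-05-23 15:57:{i:02d} 10.203.10.16 HEAD /{word} - 80 - 10.203.10.17 {dirbuster} 404")
        lines.append(f"2024-05-23 16:10:{i:02d} 10.203.10.16 GET /{word} - 80 - 10.203.10.18 {browser} 404")
    return lines


if __name__ == "__main__":
    for ip, reasons in analyze(sample_log()).items():
        print(ip, "->", "; ".join(reasons))
```

Run stand-alone it reports 10.203.10.17 on both the user agent and the burst of 404s, and 10.203.10.18 on the burst alone; the normal client is not reported. The user-agent match is the cheap check that answers the exam question, while the distinct-path/404 window is what a SOC rule should actually rest on, since the user agent is attacker-controlled.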


CompTIA CySA+ Certification Practice Questions

CompTIA Cybersecurity Analyst CS0-003 Exam Official Blueprint And Our Practice Questions


CompTIA CySA+ CS0-003 Domain | Official Exam Weight | Our Practice Questions
Security Operations | 33% | 255
Vulnerability Management | 30% | 150
Incident Response Management | 20% | 42
Reporting and Communication | 17% | 31

Subtopics our practice questions cover, by domain:

Security Operations: SIEM operations, Security monitoring, Log analysis, Threat hunting, Threat intelligence, Indicators of compromise (IOCs), Security architecture, Security tool sets, EDR and XDR, SOAR platforms, IDS and IPS, Network security monitoring, Malware analysis, Security analytics, Packet analysis, Cloud security monitoring, Identity and access management (IAM), Incident detection, Security automation, Operational security concepts

Vulnerability Management: Vulnerability scanning, Vulnerability assessments, CVSS scoring, Vulnerability prioritization, Threat and vulnerability intelligence, Patch management, Risk analysis, Security baselines, Asset management, Penetration testing concepts, Configuration analysis, Vulnerability remediation, Threat feeds, Attack surface management, Secure coding concepts, Compliance considerations, Vulnerability reporting

Incident Response Management: Incident response lifecycle, Incident handling, Containment strategies, Eradication and recovery, Digital forensics, Evidence collection, Root cause analysis, MITRE ATT&CK framework, Cyber kill chain, Incident categorization, Communication procedures, Escalation processes, Malware containment, Threat mitigation, Post-incident activities, Lessons learned

Reporting and Communication: Executive reporting, Technical reporting, Security metrics, KPI reporting, Stakeholder communication, Compliance reporting, Vulnerability reporting, Incident response reporting, Risk communication, Security documentation, Action plans, Remediation recommendations, Presentation of findings, Lessons learned reporting

CompTIA CySA+ (CS0-003) Exam: Practice Questions for Certification Success


The CompTIA Cybersecurity Analyst (CySA+) CS0-003 certification validates your skills in threat detection, analysis, and response using current security tools and techniques. Whether you are a security analyst, SOC professional, or threat hunter, earning the CySA+ proves your ability to proactively defend modern IT environments.

What's New in CS0-003?

The CS0-003 version of CySA+, released in June 2023, reflects updated cybersecurity practices, including:

✔ Expanded cloud security coverage (AWS, Azure, hybrid environments)
✔ Enhanced focus on automation (SOAR, SIEM, scripting for security tasks)
✔ Threat intelligence integration (OSINT, dark web monitoring)
✔ Updated compliance frameworks (NIST, ISO, GDPR)
✔ Emphasis on zero trust and secure coding practices

Who Should Take the CySA+ Exam?


This certification is ideal for:

Security Operations Center (SOC) Analysts
Threat Intelligence Analysts
Vulnerability Management Specialists
IT Auditors & Compliance Professionals
Mid-level cybersecurity professionals (with 3-4 years of experience)

What Our Learners Say


⭐ These practice questions were harder than the actual exam—in the best way! The PBQ simulations and detailed explanations gave me the edge I needed.
Marcus R., SOC Analyst

⭐ "Covered every topic on the exam, especially the new cloud and automation material. Passed with a 789!"
Aisha T., Cybersecurity Consultant

CySA+ focuses on behavioral analytics and threat detection. Preptia CS0-003 practice questions challenged me on log analysis, vulnerability management, and incident response. The questions mirrored the real exam's difficulty perfectly. I passed and now contribute more to my SOC team.
Kevin Johnson, SOC Analyst | Dallas, TX

Threat detection and incident response preparation became more effective with Preptia.com practice tests for CS0-003. The CySA+ exam-style questions strengthened real-world analytical skills.
Jason Wong | Singapore