Free CompTIA CS0-003 Practice Questions 2026 - Page 17


A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?

A. SIEM

B. CASB

C. SOAR

D. EDR

D.   EDR

Explanation:

The question asks for the best layer of defense to protect all endpoints against external threats, regardless of the device’s operating system, as recommended by a SOC analyst. EDR (Endpoint Detection and Response) is the most suitable solution, as it provides real-time monitoring, threat detection, and response capabilities across diverse endpoints (e.g., Windows, macOS, Linux), effectively mitigating external threats like malware, ransomware, or phishing. This aligns with the CS0-003 exam’s Security Operations (Domain 1) and Incident Response and Management (Domain 3) objectives, which emphasize endpoint protection and threat response in a SOC environment.

Why D is Correct:

EDR Overview: EDR solutions (e.g., CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) deploy agents on endpoints to monitor behavior, detect malicious activities (e.g., malware execution, suspicious network connections), and respond (e.g., isolate endpoints, block processes). They are OS-agnostic, supporting Windows, macOS, Linux, and mobile devices.

Protection Against External Threats: EDR defends against external threats like phishing, ransomware, or exploits by using behavioral analysis, threat intelligence, and automated response, regardless of the endpoint’s OS. It detects IOCs (e.g., malicious files, C2 connections) and mitigates threats in real time.

Healthcare Context: In a healthcare organization (per prior questions), EDR protects endpoints handling PHI (e.g., laptops, servers) from external attacks, ensuring HIPAA compliance by detecting and containing threats like ransomware or data exfiltration.

CS0-003 Alignment: Domain 1 emphasizes deploying endpoint security solutions for threat protection, while Domain 3 supports rapid incident response on endpoints, both favoring EDR.

Why Other Options Are Incorrect:

A. SIEM (Security Information and Event Management)
Reason: SIEM systems (e.g., Splunk, QRadar) aggregate and analyze logs from multiple sources for correlation and alerting but don’t provide direct endpoint protection. They rely on endpoint agents (like EDR) for data, making SIEM a complementary, not primary, defense layer.

B. CASB (Cloud Access Security Broker)
Reason: CASB secures cloud-based services (e.g., SaaS like Microsoft 365) by enforcing policies on cloud access. It’s not designed for general endpoint protection against external threats and doesn’t cover non-cloud activities or diverse OSes as effectively as EDR.

C. SOAR (Security Orchestration, Automation, and Response)
Reason: SOAR (e.g., Splunk SOAR) automates incident response workflows and integrates data from tools like EDR or SIEM but doesn’t provide direct endpoint protection. It relies on EDR for endpoint-level threat detection and response, making it secondary to EDR.

Additional Context:

EDR Capabilities:

Monitors endpoint activities (e.g., processes, file changes, network traffic).

Detects external threats (e.g., phishing payloads, ransomware encryption) using behavioral analysis and threat intelligence.

Responds by isolating endpoints, killing malicious processes, or rolling back changes.

Example: Detects a reverse shell (per prior question) on a Windows 11 endpoint and quarantines it.

Cross-Platform Support: EDR solutions support diverse OSes (e.g., Windows 10/11, Ubuntu, macOS), meeting the requirement for OS-agnostic protection.

Healthcare Relevance: Protects healthcare endpoints (e.g., nurse workstations, servers) from external threats like phishing or malware, critical for PHI security.

CS0-003 Relevance: Domain 1 tests selecting endpoint security tools, while Domain 3 emphasizes rapid threat response, often via performance-based questions (PBQs).

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 3 (Incident Response and Management), covering endpoint security and threat response.

While reviewing the web server logs, a security analyst notices the following snippet: ..\../..\../boot.ini

Which of the following is being attempted?

A. Directory traversal

B. Remote file inclusion

C. Cross-site scripting

D. Remote code execution

E. Enumeration of /etc/passwd

A.   Directory traversal

Explanation:

The log snippet:

..\../..\../boot.ini

is a classic directory traversal attempt.

Directory traversal (also known as path traversal) is an attack technique where a threat actor attempts to access files and directories outside the intended web root folder by manipulating file path inputs. In Windows environments, this is often used to target files like:

boot.ini – a Windows system file used to identify the location of the operating system.

The repeated use of ..\ is meant to navigate up the directory structure and access system-level files.
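As an added example (not code from the original page), the following Python detector applies the idea above to constructed access-log request paths: it decodes URL encoding (including double encoding), unifies the ..\ and ../ separators, and walks the path to see whether it climbs above the web root. The sample requests and function names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths (not from the original page) in the style of a
# web server access log; the second entry is the page's own snippet.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/..\\../..\\../boot.ini",
    "/cgi-bin/..%2f..%2f..%2fetc/passwd",
    "/%252e%252e/%252e%252e/windows/win.ini",
    "/docs/a/../b/report.pdf",
    "/download?file=../../../boot.ini",
]


def normalize_path(raw: str) -> str:
    """Decode URL encoding repeatedly (bounded, so double encoding is unwrapped
    but crafted input cannot loop forever), unify Windows and POSIX separators,
    and collapse repeated slashes."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return re.sub(r"/+", "/", path)


def escapes_web_root(path: str) -> bool:
    """Walk the segments and report whether '..' ever climbs above the root.
    posixpath.normpath would silently clamp '/../x' to '/x', hiding exactly the
    condition we want to detect, so the walk is done by hand."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify_request(raw: str) -> dict:
    """Classify one request: 'traversal' when the normalized path or any query
    value escapes the web root, 'review' when '..' segments are present but stay
    inside the root (worth a look, often benign), else 'benign'."""
    path, _, query = raw.partition("?")
    candidates = [normalize_path(path)]
    for pair in (query.split("&") if query else []):
        _, _, value = pair.partition("=")
        candidates.append(normalize_path(value))
    escapes = any(escapes_web_root(c) for c in candidates)
    dotdot = any(".." in c.split("/") for c in candidates)
    verdict = "traversal" if escapes else ("review" if dotdot else "benign")
    return {"request": raw, "normalized": candidates[0], "verdict": verdict}


def scan(requests):
    """Run the classifier over a list of request paths."""
    return [classify_request(r) for r in requests]


if __name__ == "__main__":
    for result in scan(SAMPLE_REQUESTS):
        print(f"{result['verdict']:<9} {result['request']}")
```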

Why other options are incorrect:

Remote file inclusion (RFI):
Refers to including remote scripts/files via vulnerable web parameters. Usually involves full URLs (e.g., http://malicious.com/script.php), not relative file paths.

Cross-site scripting (XSS):
Involves injecting JavaScript or HTML into a website. This does not match the pattern shown.

Remote code execution (RCE):
Refers to executing arbitrary code on a target system. While directory traversal may be a step toward RCE, it is not RCE by itself.

Enumeration of /etc/passwd: Targets Linux systems specifically and looks like /etc/passwd, not boot.ini which is Windows-specific.

Reference:

CompTIA CySA+ CS0-003 Official Study Guide, Domain 2.2

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how an analyst should properly document the incident?

A. Back up the configuration file for all network devices

B. Record and validate each connection

C. Create a full diagram of the network infrastructure

D. Take photos of the impacted items

D.   Take photos of the impacted items

Explanation:

In incidents involving physical locations, such as a malicious attack in a data closet, proper documentation of physical evidence is essential. This includes photographing the impacted items like:

Damaged or tampered equipment

Disconnected or rerouted cables

Physical access points

Any visible signs of compromise or sabotage

Taking photos provides a time-stamped, tamper-resistant visual record that can be used:

In forensic analysis

To support legal proceedings

For internal incident reports

It helps maintain the chain of custody and supports a clear understanding of the incident.

Why other options are incorrect:

Back up the configuration file for all network devices:

Useful for restoration or analysis but doesn’t capture physical evidence relevant to this case.

Record and validate each connection:

More relevant to logical network analysis, not physical compromise.

Create a full diagram of the network infrastructure:

Helpful for broader incident understanding but not specific to documenting a physical attack.

Reference:

CompTIA CySA+ CS0-003 Official Study Guide, Domain 3.2 – Incident Response

The architecture team has been given a mandate to reduce the triage time of phishing incidents by 20%. Which of the following solutions will most likely help with this effort?

A. Integrate a SOAR platform.

B. Increase the budget to the security awareness program.

C. Implement an EDR tool.

D. Install a button in the mail clients to report phishing.

A.   Integrate a SOAR platform.

Explanation:

SOAR (Security Orchestration, Automation, and Response) platforms are designed to:

Automate repetitive security tasks (like triaging phishing emails)

Correlate data from multiple sources

Trigger predefined playbooks to handle incidents quickly

By automating the collection, analysis, and initial response to phishing incidents, a SOAR solution can drastically reduce the triage time, often by more than 20%. This allows analysts to focus on more complex tasks instead of manually reviewing every phishing alert.

Why other options are incorrect:

Increase the budget to the security awareness program:
This helps reduce the occurrence of phishing but does not reduce triage time.

Implement an EDR tool:
EDR focuses on endpoint detection and response, not specifically on email-based phishing incidents.

Install a button in the mail clients to report phishing:
This helps users report phishing but doesn’t directly reduce the analyst’s triage time unless combined with automation like SOAR.

Reference:

CompTIA CySA+ CS0-003 Official Study Guide, Domain 4.3 – Tools and Automation

Which of the following characteristics ensures that the security of an automated information system is the most effective and economical?

A. Originally designed to provide necessary security

B. Subjected to intense security testing

C. Customized to meet specific security threats

D. Optimized prior to the addition of security

A.   Originally designed to provide necessary security

Explanation:

The most effective and economical way to ensure the security of an automated information system is to have security built into the system from the beginning — this is known as security by design.

When a system is:

Originally designed to provide necessary security,

it means security requirements are considered during the planning, architecture, and development phases — not as an afterthought.

This avoids:

Costly redesigns or retrofits

Gaps in controls

Poor integration of security tools

Why other options are incorrect:

Subjected to intense security testing
➤ Testing is valuable, but if security wasn’t built into the design, testing may only identify symptoms, not address root design flaws.

Customized to meet specific security threats
➤ This approach is reactive and typically not cost-effective long term. It addresses known threats, but not future or unknown ones.

Optimized prior to the addition of security
➤ Optimizing a system before security is integrated can make it harder and more expensive to add security later.

Reference:

CompTIA CySA+ (CS0-003) Official Study Guide, Domain 2.2

A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

A. Help desk

B. Law enforcement

C. Legal department

D. Board member

C.   Legal department

Explanation:

The question asks which group, besides the security team, a company's security team should escalate the issue of inappropriate resource use (e.g., an employee installing cryptominers on workstations) to first to comply with industry best practices when updating the reporting policy. The legal department is the most appropriate group to escalate to first, as they can provide guidance on legal and regulatory implications, ensure compliance with applicable laws, and advise on internal policies regarding employee misconduct. This aligns with the CS0-003 exam’s Reporting and Communication (Domain 4) and Security Operations (Domain 1) objectives, which emphasize proper escalation and compliance with best practices during security incidents.

Why C is Correct:

Legal Department Role: The legal department is responsible for assessing legal risks, ensuring compliance with regulations (e.g., data protection laws, labor laws), and advising on disciplinary actions or investigations related to employee misconduct, such as installing cryptominers, which could violate company policy or laws (e.g., unauthorized use of resources, potential data breaches).

Healthcare Context: In a healthcare organization (per prior questions), inappropriate use of workstations (e.g., cryptominers) could risk PHI exposure or system performance, impacting HIPAA compliance. The legal department ensures proper handling to avoid regulatory penalties or lawsuits.

CS0-003 Alignment: Domain 4 emphasizes escalating incidents to appropriate stakeholders, including legal teams, for compliance and reporting, while Domain 1 supports adhering to policies for handling misuse incidents.

Why Other Options Are Incorrect:

A. Help desk
Reason: The help desk handles technical support and initial user issues but lacks authority to address policy violations or legal implications of employee misconduct. Escalating to the help desk is inappropriate, as they are not equipped to handle compliance or disciplinary matters.

B. Law enforcement
Reason: Escalating to law enforcement is premature without first consulting the legal department. Cryptomining may be a policy violation or civil matter, not necessarily a criminal act requiring immediate law enforcement involvement. Legal counsel assesses whether law enforcement is needed (e.g., if data theft or fraud is confirmed), ensuring compliance with best practices.

D. Board member
Reason: Board members oversee strategic governance, not operational incident handling. Escalating directly to a board member bypasses internal processes (e.g., legal, HR) and is not standard practice for employee misuse incidents unless they escalate to a significant organizational impact (e.g., major breach).

Additional Context:

Incident Details: Installing cryptominers on workstations is a misuse of resources, potentially degrading performance, increasing energy costs, or introducing malware risks (e.g., via unvetted software). It may also indicate insider threat behavior.

Escalation Process:

Legal Department: Review company policies (e.g., acceptable use policy), assess legal risks (e.g., data breach, intellectual property), and guide investigation (e.g., evidence collection without violating employee privacy).

Next Steps: Involve HR for disciplinary actions, IT for technical remediation (e.g., removing cryptominers, scanning for malware), and, if necessary, law enforcement for criminal activity.

Healthcare Relevance: Cryptomining could slow critical systems (e.g., EHR access), risking patient care or PHI exposure, making legal guidance critical for compliance.

CS0-003 Relevance: Domain 4 tests proper escalation and reporting, often via performance-based questions (PBQs), while Domain 1 emphasizes policy enforcement for misuse incidents.

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 4 (Reporting and Communication), covering escalation and compliance reporting.

A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:

SPF = PASS

DKIM = FAIL

DMARC = FAIL

Which of the following did the analyst most likely discover?

A. An insider threat altered email security records to mask suspicious DNS resolution traffic.

B. The message was sent from an authorized mail server but was not signed.

C. Log normalization corrupted the data as it was brought into the central repository.

D. The email security software did not process all of the records correctly.

B.   The message was sent from an authorized mail server but was not signed.

Explanation:

Let’s break down what the email authentication results mean:

SPF = PASS:
➤ The sending server is authorized to send emails for the domain (i.e., the IP matches what's in the domain’s SPF DNS record).

DKIM = FAIL:
➤ The message was either not signed or the signature did not match, indicating either:

No DKIM signature was present

The message content was altered in transit

DMARC = FAIL:
➤ DMARC requires either SPF or DKIM to pass AND align with the “From” domain.
➤ Since DKIM failed and SPF alignment likely failed too, DMARC also failed.

What this means:

The email came from a permitted mail server but lacked proper DKIM signing, and it failed DMARC because neither check both passed and aligned with the From domain. This usually happens when:

The server is authorized to send mail (SPF)

But it either did not sign the message using DKIM or signed it incorrectly

So the message cannot be fully trusted
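The alignment rule described above, as an added Python example that is not part of the original page: DMARC passes only when SPF or DKIM passes and its domain aligns with the From-header domain. The scenario reproducing the question's alert (SPF pass for a relay's envelope domain, no DKIM signature) fails, while the contrasting scenarios pass. Domains are made up, and the organizational-domain helper is a deliberate simplification (real implementations use the Public Suffix List).

```python
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels for this example.
    Real DMARC implementations consult the Public Suffix List instead."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 'strict' needs an exact match with the
    From-header domain, 'relaxed' accepts a shared organizational domain."""
    if not auth_domain:
        return False
    if mode == "strict":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    header_from: str   # domain of the From: header the recipient sees
    spf_result: str    # "pass", "fail" or "none"
    spf_domain: str    # envelope (MAIL FROM) domain that SPF was evaluated for
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the DKIM-Signature header, "" when unsigned


def evaluate_dmarc(r: AuthResults, spf_mode: str = "relaxed",
                   dkim_mode: str = "relaxed") -> dict:
    """DMARC passes only if at least one mechanism both passed AND aligned with
    the From-header domain; a raw SPF pass for an unrelated domain is not enough."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.header_from, spf_mode)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.header_from, dkim_mode)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


# Constructed scenarios (domains are made up, not from the original page).
# PAGE_SCENARIO mirrors the alert in the question: SPF passes for the relay's
# envelope domain, the message carries no DKIM signature, and DMARC fails.
PAGE_SCENARIO = AuthResults("example.com", "pass", "bounce.mailrelay-provider.net", "fail", "")
# Same relay, but the envelope domain belongs to example.com: DMARC passes via SPF.
ALIGNED_SPF = AuthResults("example.com", "pass", "bounce.example.com", "fail", "")
# SPF fails (forwarded mail), but an aligned DKIM signature survived forwarding.
ALIGNED_DKIM = AuthResults("example.com", "fail", "lists.other-host.org", "pass", "example.com")


def explain(r: AuthResults, **modes) -> str:
    """One-line summary of the verdict for an analyst's notes."""
    v = evaluate_dmarc(r, **modes)
    return (f"SPF={r.spf_result}({r.spf_domain}) "
            f"DKIM={r.dkim_result}({r.dkim_domain or 'unsigned'}) "
            f"From={r.header_from} -> DMARC={v['dmarc']}")


if __name__ == "__main__":
    for scenario in (PAGE_SCENARIO, ALIGNED_SPF, ALIGNED_DKIM):
        print(explain(scenario))
    # Strict SPF alignment rejects a subdomain as the envelope sender.
    print(explain(ALIGNED_SPF, spf_mode="strict"))
```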

Why the other options are wrong:

"An insider threat altered email security records..."
➤ There's no evidence of DNS tampering or insider threat from this alert alone.

"Log normalization corrupted the data..."
➤ SIEM normalization errors wouldn't specifically cause SPF/DKIM/DMARC to fail in this way.

"The email security software did not process all of the records correctly"

➤ The results show valid processing (SPF passed, DKIM and DMARC failed), so this isn't a parsing or software issue.

Reference:

CySA+ CS0-003 Official Study Guide, Domains 2.1 and 3.2

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

A. Hostname

B. Missing KPI

C. CVE details

D. POC availability

E. IoCs

F. npm identifier

C.   CVE details
E.   IoCs

Explanation:

The question asks for two elements most likely required by the infrastructure team in a server patch management policy to be informed quickly about new patches and remediate vulnerabilities efficiently. CVE details and POC (Proof of Concept) availability are critical, as they provide specific information about vulnerabilities and their exploitability, enabling the team to prioritize and apply patches swiftly. This aligns with the CS0-003 exam’s Vulnerability Management (Domain 2) and Security Operations (Domain 1) objectives, which emphasize timely vulnerability remediation and effective communication of patch information.

Why C and D Are Correct:

C. CVE details:

Purpose: CVE (Common Vulnerabilities and Exposures) details include the CVE ID, description, affected systems, and CVSS score (e.g., severity, attack vector). This information identifies the vulnerability, its impact, and the specific patches needed (e.g., Microsoft KB for Windows, Ubuntu security updates).

Relevance: The infrastructure team needs CVE details to match vulnerabilities to affected servers (e.g., CVE-2021-44228 for Log4Shell) and prioritize patching based on severity (e.g., CVSS 9.0+). This ensures quick identification and application of relevant patches.

Healthcare Context: In a healthcare organization (per prior questions), CVE details help prioritize patches for systems handling PHI (e.g., servers like SVR01 from prior context), ensuring HIPAA compliance by addressing critical vulnerabilities.

CS0-003 Alignment: Domain 2 emphasizes using CVE data for vulnerability prioritization, while Domain 1 supports communicating vulnerability details for operational patching.

D. POC availability:

Purpose: POC (Proof of Concept) availability indicates whether a public exploit exists for the vulnerability, signaling the urgency of patching. If a POC is available (e.g., on GitHub or Exploit-DB), attackers can easily exploit the vulnerability, increasing risk.

Relevance: Knowing POC availability helps the infrastructure team prioritize patches for vulnerabilities with active exploits, reducing the window of exposure. For example, a POC for a web server vulnerability (e.g., on SVR01) demands immediate action.

Healthcare Context: POCs for vulnerabilities in internet-facing systems (e.g., IIS on SVR01) heighten the risk of PHI breaches, making this information critical for rapid remediation.

CS0-003 Alignment: Domain 2 emphasizes assessing exploitability for prioritization, while Domain 1 supports proactive patching to mitigate active threats.

Why Other Options Are Incorrect:

A. Hostname
Reason: Hostnames identify specific servers but don’t provide vulnerability or patch details. While useful for tracking affected systems, they’re less critical than CVE details or POC availability for informing the team about new patches and prioritizing remediation.

B. Missing KPI:
Reason: KPIs (Key Performance Indicators) measure performance (e.g., patch deployment time) but are unrelated to informing the team about new patches or vulnerabilities. They’re used for post-remediation analysis, not initial notification.

E. IOCs (Indicators of Compromise)
Reason: IOCs (e.g., malicious IPs, file hashes) are relevant for incident response (e.g., detecting a reverse shell, per prior questions) but not for patch management. They indicate active attacks, not vulnerabilities needing patches.

F. npm identifier
Reason: npm identifiers (e.g., package names for Node.js dependencies) are specific to JavaScript software vulnerabilities, not general server patch management. They’re irrelevant for most server OS or software patches (e.g., Windows Server, Apache).

Additional Context:

Patch Management Policy:

Include CVE details (e.g., via vulnerability scanners like Nessus or patch management tools like WSUS). Monitor POC availability through threat feeds (e.g., Exploit-DB, CISA alerts).

Automate notifications (e.g., via SIEM or patch management systems) to inform the infrastructure team quickly.

Example:

CVE Details: CVE-2021-34527 (PrintNightmare) specifies a Windows Server vulnerability, guiding the team to apply the relevant Microsoft patch.

POC Availability: A public POC for CVE-2021-34527 increases urgency, prompting immediate patching of SVR01 (Windows Server 2008 R2, per prior context).

Healthcare Relevance: Rapid patching of critical vulnerabilities protects PHI and ensures system availability, critical for HIPAA compliance.

CS0-003 Relevance: Domain 2 tests vulnerability prioritization using CVE and exploit data, while Domain 1 emphasizes efficient patch deployment, often via performance-based questions (PBQs).

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 2 (Vulnerability Management), covering patch management and vulnerability prioritization.

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:



Which of the following scripting languages was used in the script?

A. PowerShell

B. Ruby

C. Python

D. Shell script

A.   PowerShell

Explanation:

To determine the scripting language, let's examine some key characteristics typically found in PowerShell scripts:

Common PowerShell Script Features:

If the script includes any of the following patterns, it's likely PowerShell:

Cmdlets (standard PowerShell commands), e.g.: Get-Process, Start-Process, Invoke-WebRequest

Use of parameters like -ExecutionPolicy, -File, -Command

Variables with $ prefix (e.g., $user)

.ps1 file extension (if shown)

Pipelining with | and use of Select-Object, Where-Object

Use of [Net.WebClient], .DownloadString(), etc.

Why Other Options Are Incorrect:

Ruby: Uses def, end, puts, @var, etc. Syntax and structure are very different.

Python: Relies on indentation, def, import, no use of -Command, $var, or cmdlets.

Shell Script (bash): Uses #!/bin/bash, syntax like if [ "$var" == "val" ], echo, apt, yum, etc.
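As an added example (not from the original page), the following Python heuristic turns the PowerShell, Ruby, Python and shell markers listed above into weighted regex signatures and scores an unknown script against each language. The sample snippets, signature weights and function names are constructed assumptions for this illustration, not a standard.

```python
import re

# Weighted regex signatures for the language markers listed above.
# Weights are assumptions chosen for this example.
SIGNATURES = {
    "PowerShell": [
        (r"\b(?:Get|Set|Start|Stop|Invoke|New|Select|Where|ForEach|Write|Add|Remove)-[A-Z]\w+", 2),
        (r"\[Net\.WebClient\]|\.DownloadString\(", 3),
        (r"\s-(?:ExecutionPolicy|File|Command|FilePath)\b", 2),
        (r"\|\s*(?:Select|Where|ForEach)-Object", 2),
        (r"\$\w+", 1),                      # $var (also seen in shell, so low weight)
    ],
    "Ruby": [
        (r"\bputs\b", 2),
        (r"^\s*end\s*$", 2),
        (r"(?<![\w.])@\w+", 2),             # @instance_var
        (r"#\{", 2),                        # string interpolation
        (r"\bdef \w+", 1),
    ],
    "Python": [
        (r"^(?:import \w+|from \w+ import)", 2),
        (r"^\s*def \w+\(.*\):\s*$", 2),      # def with trailing colon
        (r"\bprint\(", 1),
        (r"^ {4}\S", 1),                    # indentation-based blocks
    ],
    "Shell script": [
        (r"^#!.*\b(?:ba)?sh\b", 3),
        (r"\bif \[", 2),
        (r"^\s*(?:fi|then|done)\s*$", 2),
        (r"\becho\b", 1),
        (r"\b(?:apt|apt-get|yum)\b", 1),
    ],
}

# Constructed, benign sample scripts used to exercise the classifier.
SAMPLES = {
    "PowerShell": (
        "$procs = Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id\n"
        "Start-Process -FilePath notepad.exe -ArgumentList $env:TEMP\n"
    ),
    "Ruby": 'def greet(name)\n  puts "Hello, #{name}"\nend\n@count = 0\n',
    "Python": "import os\n\ndef main():\n    print(os.getcwd())\n\nmain()\n",
    "Shell script": '#!/bin/bash\nif [ "$1" == "install" ]; then\n  sudo apt update\nfi\necho done\n',
}


def score_languages(script: str) -> dict:
    """Sum weight * number of matches for every signature of every language."""
    scores = {}
    for lang, rules in SIGNATURES.items():
        total = 0
        for pattern, weight in rules:
            total += weight * len(re.findall(pattern, script, re.MULTILINE))
        scores[lang] = total
    return scores


def identify_language(script: str) -> str:
    """Return the top-scoring language, or 'unknown' on no evidence or a tie."""
    scores = score_languages(script)
    best = max(scores, key=scores.get)
    ranked = sorted(scores.values(), reverse=True)
    if ranked[0] == 0 or ranked[0] == ranked[1]:
        return "unknown"
    return best


if __name__ == "__main__":
    for expected, text in SAMPLES.items():
        print(f"{expected:<13} -> {identify_language(text):<13} {score_languages(text)}")
```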

Reference:
Domain 2.4: Analysts must be able to identify scripts (e.g., PowerShell, Python, shell) and recognize potentially malicious behavior.

A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, and at other times it is accessible through HTTPS. Which of the following most likely describes the observed activity?

A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access

B. An on-path attack is being performed by someone with internal access that forces users into port 80

C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80

D. An error was caused by BGP due to new rules applied over the company's internal routers

B.   An on-path attack is being performed by someone with internal access that forces users into port 80

Explanation:

The question asks which scenario most likely describes the observed activity where user accounts have been compromised and the company's internal portal is inconsistently accessible via HTTP (port 80) or HTTPS (port 443). An on-path attack (also known as a man-in-the-middle attack) by someone with internal access forcing users to HTTP is the most plausible explanation, as it accounts for both the compromised accounts (e.g., via credential theft) and the inconsistent HTTP/HTTPS access (e.g., through SSL stripping or redirection to unencrypted HTTP). This aligns with the CS0-003 exam’s Incident Response and Management (Domain 3) and Security Operations (Domain 1) objectives, which emphasize identifying attack techniques and indicators of compromise (IOCs) in network environments.

Why B is Correct:

On-Path Attack Overview: An on-path attack (man-in-the-middle, MITM) involves an attacker intercepting communication between users and the internal portal. With internal access (e.g., via compromised accounts), the attacker can manipulate traffic, such as redirecting HTTPS requests to HTTP (port 80) using techniques like SSL stripping or ARP spoofing, exposing sensitive data (e.g., login credentials).

Explaining Observed Activity:

Compromised Accounts: An attacker with internal access (e.g., stolen credentials from phishing, per prior questions) can perform an on-path attack to intercept additional credentials or session data, explaining the account compromises.

HTTP/HTTPS Inconsistency: Forcing users to HTTP (unencrypted) instead of HTTPS (encrypted) allows the attacker to capture data in plaintext. Tools like sslstrip or DNS manipulation can cause this behavior, making the portal sometimes accessible via HTTP and sometimes HTTPS, depending on the attacker’s actions or network conditions.

Healthcare Context: In a healthcare organization (per prior questions), an on-path attack targeting an internal portal could expose PHI or login credentials, risking HIPAA violations. The inconsistent protocol access suggests active manipulation, consistent with an attacker’s presence.

CS0-003 Alignment: Domain 3 emphasizes identifying attack techniques like MITM during incident response, while Domain 1 supports detecting network-based IOCs (e.g., unexpected HTTP traffic), both pointing to an on-path attack.

Why Other Options Are Incorrect:

A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
Reason: An SSL certificate issue (e.g., expired or misconfigured certificate) could prevent HTTPS access, forcing users to HTTP if the server falls back to port 80. However, this doesn’t explain the compromised accounts or the intermittent nature of HTTP/HTTPS access (sometimes HTTP, sometimes HTTPS). Certificate issues typically cause consistent HTTPS failures, not selective redirection, and lack a direct link to account compromise.

C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
Reason: A web server overwhelmed by HTTPS requests might degrade performance but is unlikely to redirect users to HTTP, as this requires explicit configuration (e.g., rewrite rules in Apache/Nginx) and is not a default behavior. This also doesn’t explain the compromised accounts, as server overload is unrelated to credential theft.

D. An error was caused by BGP due to new rules applied over the company’s internal routers
Reason: BGP (Border Gateway Protocol) errors affect external routing between networks, not internal portal access or HTTP/HTTPS switching. BGP misconfigurations could cause connectivity issues but not protocol downgrades or account compromises, making this irrelevant to the observed activity.

Additional Context:

On-Path Attack Mechanics:

Techniques: ARP spoofing to redirect traffic, DNS poisoning to point the portal to an attacker-controlled server, or SSL stripping to downgrade HTTPS to HTTP.

IOCs: Unexpected HTTP traffic in logs (e.g., tcpdump port 80), unusual redirects in proxy logs, or SIEM alerts for anomalous network activity.

Healthcare Relevance: An internal portal (e.g., EHR access) compromised via an on-path attack risks PHI exposure or further account theft, critical for HIPAA compliance.

Next Steps: Investigate compromised accounts (e.g., review login logs, reset passwords), monitor network traffic for MITM indicators (e.g., Wireshark for ARP anomalies), enforce HTTPS-only access (e.g., HSTS), and deploy EDR (per prior questions) to detect attacker activity.

CS0-003 Relevance: Domain 3 tests identifying attack techniques like MITM, often via performance-based questions (PBQs), while Domain 1 emphasizes monitoring network security for internal threats.

Reference:

CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 3 (Incident Response and Management), covering attack techniques and network monitoring.
