CompTIA CS0-003 Practice Test

Prepare smarter and boost your chances of success with our CompTIA CS0-003 Practice Test. This test helps you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use the CS0-003 practice exam are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA CS0-003 certified.

14480 already prepared
Updated On : 13-Aug-2025
448 Questions
4.8/5.0

Page 2 out of 45 Pages

A security analyst reviews the following Arachni scan results for a web application that stores PII data: Which of the following should be remediated first?

A. SQL injection

B. RFI

C. XSS

D. Code injection

A.   SQL injection

Explanation:
All the listed vulnerabilities are serious, but SQL Injection (SQLi) is the most critical and should be remediated first, especially in a web application that stores PII (Personally Identifiable Information).

1. SQL Injection (SQLi):
Impact: Allows attackers to interact directly with the database (exfiltrate, modify, or delete sensitive data such as PII).
Criticality: High — it can lead to full database compromise.
OWASP Top 10: Consistently ranked among the top web application security risks.
Example payload: '; DROP TABLE users; --
NIST CVSS: Often scored 9.8–10.0 (Critical).

2. RFI (Remote File Inclusion):
Lets an attacker include malicious files on the server (e.g., reverse shells). Dangerous, but requires more setup and doesn't immediately expose PII unless paired with another vulnerability.

3. XSS (Cross-Site Scripting):
Can be used for session hijacking or phishing. Typically impacts users, not the server/database directly. Less dangerous than SQLi in the context of PII exposure.

4. Code Injection:
Executes arbitrary code, but depends on application logic. If exploitable, could be severe, but SQLi remains more common and impactful in PII breaches.

Reference:
NIST SP 800-30 (Risk Assessment): Prioritize based on impact and likelihood.

Summary:
For a web app that stores PII, the SQL Injection poses the greatest threat and should be remediated first due to its critical impact and exploitability.

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

A. Review of security requirements

B. Compliance checks

C. Decomposing the application

D. Security by design

C.   Decomposing the application

Explanation:
“Decomposing the application” is a key threat modeling procedure described in the OWASP Web Security Testing Guide (WSTG). It is a critical part of understanding the application’s architecture, data flow, and potential attack surfaces. This step allows security analysts to break down the application into its components — such as trust boundaries, entry points, assets, and data flows — to identify where threats may exist.

Why "Decomposing the application"?

It helps in identifying the attack surface.

You can map out user roles, entry points, trust boundaries, and components (e.g., APIs, databases).

OWASP WSTG lists it as part of threat modeling methodology, usually alongside:

Identifying security objectives

Application overview

Decomposing the application

Identifying threats

Documenting threats

Other options:

Review of security requirements:
Part of secure SDLC, but not listed under threat modeling procedures in the OWASP WSTG.

Compliance checks:
These are part of auditing or governance, not threat modeling.

Security by design:
A development principle, not a step in threat modeling per se.

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

A. E:U

B. S:C

C. RC:R

D. AV:N

E. AC:L

A.   E:U

Explanation:
The CVSS (Common Vulnerability Scoring System) metric string provided includes "E:U," which stands for Exploit Code Maturity: Unproven. This indicates that no exploit code is known to be available for the zero-day vulnerability, or it is theoretical and unproven. The other options represent different CVSS components: S:C (Scope: Changed), RC:R (Report Confidence: Reasonable), AV:N (Attack Vector: Network), and AC:L (Attack Complexity: Low), none of which describe exploit code maturity.

Reference:
CompTIA CySA+ Study Guide (CS0-003), Chapter 3: Vulnerability Management
NIST NVD CVSS v3.1 Specification: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization: Which of the following vulnerabilities should be prioritized for remediation?

A. 1

B. 2

C. 3

D. 4

D.   4

Scenario Reminder:
The company is most concerned about data accuracy, so Integrity is the priority impact metric.

Option 1:
Vulnerability 1: This vulnerability has a High impact on Integrity, which is critical in this scenario because the organization is focused on maintaining the accuracy of data — a core aspect of integrity. While it also impacts confidentiality and availability slightly (Low), these are secondary concerns. According to NIST SP 800-30 Rev. 1, integrity ensures data is not altered in an unauthorized manner, and a High rating means a successful exploit could cause complete loss of trust in the system’s data accuracy. Therefore, this vulnerability is a strong candidate for remediation prioritization.

Option 2:
Vulnerability 2: This vulnerability primarily affects Confidentiality (High) and Availability (Medium), but it has a Low impact on Integrity. While confidentiality issues are important in many systems, they do not directly affect data accuracy, which is the organization’s main concern in this scenario. Availability issues could interrupt service but again, without affecting the trustworthiness of the data, they are secondary. According to the CVSS v3.1 Specification, a Low Integrity impact means minimal consequences for the correctness of the data. Therefore, this would not be a top priority for remediation in this context.

Option 3:
Vulnerability 3: This vulnerability has Medium impact on both Integrity and Confidentiality, and High impact on Availability. The medium Integrity score suggests that while there’s some risk to data accuracy, it’s not as severe as vulnerabilities with a High Integrity impact. A High availability impact implies the system may go offline or suffer significant performance degradation, but unless this also causes data corruption or unauthorized changes, it's not directly relevant to data accuracy. As per NIST IR 8179, prioritization should match the business impact, which in this case is accuracy, so Option 3 is not the top priority.

Option 4:
Vulnerability 4: This option has a High impact on Integrity, a High impact on Availability, and no impact on Confidentiality. This means it has the potential to severely damage data accuracy (e.g., by allowing unauthorized modifications or corruption), and could take systems offline. The lack of confidentiality impact makes it less dangerous for data privacy, but that’s not the concern here. According to the CVSS v3.1 specification, a High Integrity rating means the vulnerability could allow complete modification or destruction of data. Because it targets the accuracy and trustworthiness of the system’s data, this vulnerability should be prioritized equally or even more than Option 1 depending on context.

References:
CVSS v3.1 Specification Document
NIST SP 800-30 Rev. 1 - Guide for Conducting Risk Assessments
NIST IR 8179 - Criticality Analysis Process Model
OWASP Risk Rating Methodology

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?

A. SIEM

B. CASB

C. SOAR

D. EDR

D.   EDR

Explanation:

The question asks for a layer of defense on all endpoints that will better protect against external threats, regardless of the device's operating system.

Option D: EDR (Endpoint Detection and Response) — Correct

What it is: A security solution deployed on endpoints (laptops, servers, mobile devices) that monitors, detects, and responds to threats in real time.
OS-agnostic: Many EDR solutions work across multiple OS platforms (Windows, Linux, macOS).

Why it fits:

Specifically designed to protect endpoints from external threats (e.g., malware, ransomware, exploits).
Offers real-time monitoring, behavioral analysis, and automated response.
It is a proactive layer of defense.
Reference:

NIST SP 800-137 defines continuous monitoring of endpoints as essential to detecting and responding to advanced threats. Also see MITRE ATT&CK for how EDR maps to adversary behaviors.

Option A: SIEM (Security Information and Event Management)

What it is: A centralized logging and alerting platform.
Why not: It collects and analyzes data, but does not actively protect endpoints. It’s more useful after an event occurs.

Option B: CASB (Cloud Access Security Broker)

What it is: Monitors and secures cloud service usage.
Why not: It’s used to control cloud access and data movement, not endpoint-level protection.

Option C: SOAR (Security Orchestration, Automation, and Response)

What it is: A tool that automates security operations workflows.
Why not: It relies on other tools (like EDR) to detect threats. It does not provide direct protection to endpoints.

References:

CompTIA CySA+ CS0-003 Exam Objective 3.2 — Given a scenario, apply security solutions for infrastructure management. MITRE ATT&CK — Emphasizes the use of EDR in detecting and responding to adversary techniques.
NIST SP 800-137 — Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization's network?

A. Utilize an RDP session on an unused workstation to evaluate the malware.

B. Disconnect and utilize an existing infected asset off the network.

C. Create a virtual host for testing on the security analyst workstation.

D. Subscribe to an online service to create a sandbox environment.

D.   Subscribe to an online service to create a sandbox environment.

Explanation:

The malware described in the scenario has the following key traits:
Polymorphic: It changes its code to evade signature detection.
Conditional triggers: It only activates under certain conditions, such as:
Requires Internet access.
Requires CPU idle to be ≥ 70%.
The analyst wants to analyze the malware safely without risking internal network compromise.

Why the correct answer is best:

"Subscribe to an online service to create a sandbox environment"

Cloud-based sandboxes (e.g., Cuckoo Sandbox, Any.Run, Joe Sandbox) are isolated environments specifically designed to safely detonate and analyze malware.

Polymorphic malware and conditional triggers can be tested in these sandboxes without exposing internal infrastructure.

These services often simulate real-world system behaviors, including network traffic, CPU load, and OS variants, to trick the malware into executing.

Network segmentation and isolation are inherently provided in these environments.

Reference:

CompTIA CySA+ CS0-003 Objective 2.1 – Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.

NIST SP 800-83r1 – Guide to Malware Incident Prevention and Handling.

Why the other options are incorrect:

"Utilize an RDP session on an unused workstation to evaluate the malware"

Not isolated: Even if it's unused, the workstation is still on the organization's network.
Malware with network triggers could spread laterally or call back to C2 servers, compromising security.

"Disconnect and utilize an existing infected asset off the network"

Uncontrolled environment: Already compromised and unpredictable.
May have backdoors or active persistence mechanisms.
Poor forensic hygiene; may contaminate your analysis or spread laterally when reconnected.

"Create a virtual host for testing on the security analyst workstation"

Risky because:
If Internet access is allowed for testing, the analyst's machine could become a pivot point.
Not fully isolated unless configured carefully with network segmentation, which takes time.
Polymorphic malware may detect virtualized environments and refuse to execute.

Key Takeaway:

When dealing with advanced malware (polymorphic, conditionally triggered), use external, isolated, cloud-based sandbox services. They are built to safely analyze threats without risking your internal systems.

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

A. The firewall service account was locked out.

B. The firewall was using a paid feed.

C. The firewall certificate expired.

D. The firewall failed open.

C.   The firewall certificate expired.

Explanation:

The scenario describes a situation where:

The firewall feed used for data enrichment suddenly stops working.

Other open intelligence feeds (likely public/open-source) are still operational.

So the issue is isolated to the firewall and its integration/enrichment function.

Why "The firewall certificate expired" is the correct answer:

Most enrichment feeds use secure HTTPS connections to transfer data (especially internal ones like from firewalls).

If the firewall's SSL/TLS certificate expires, secure connections fail, and data cannot be transmitted or retrieved for enrichment.

This would not affect open intelligence feeds if they use different sources or valid certificates.
It’s a common root cause in environments where feeds require secure authentication or encryption.

Reference:

NIST SP 800-52 Rev. 2: Guidelines for the Selection, Configuration, and Use of TLS Implementations

CompTIA CySA+ CS0-003 Objective 3.3: Given a scenario, apply configuration changes to existing controls to improve security.

Why the other options are incorrect:

The firewall service account was locked out

Would likely affect management or logging, but not specifically enrichment feeds.
A lockout would also likely disrupt other firewall functions, not just the feed, which the scenario does not describe.

The firewall was using a paid feed

If billing was the issue, you’d likely lose access to all feeds from that vendor, not just enrichment. The scenario doesn’t mention any payment issue or feed vendor change.

The firewall failed open

“Fail open” refers to a default-permit behavior during failure (e.g., if a security device fails, it allows traffic through).

It’s about traffic control, not about data enrichment or feed access.

Summary:

When only one source (like a firewall) stops enriching data, and others are unaffected, a certificate expiration is the most likely cause.
Always check for TLS/SSL certificate validity on systems involved in secure data feeds.

Which of the following items should be included in a vulnerability scan report? (Choose two.)

A. Lessons learned

B. Service-level agreement

C. Playbook

D. Affected hosts

E. Risk score

F. Education plan

D.   Affected hosts
E.   Risk score

Explanation:

A vulnerability scan report helps security teams understand what vulnerabilities exist in the environment, where they are located, and how severe they are. The main purpose is to inform remediation and risk prioritization.

D. Affected hosts

Lists IP addresses, hostnames, or asset IDs that were found to be vulnerable.
This helps teams know exactly which systems need remediation.
Critical for asset-based vulnerability tracking.
Referenced in CompTIA CySA+ CS0-003, Objective 2.5 — Summarize the process of vulnerability management.

E. Risk score

Indicates the severity or criticality of each vulnerability.
Usually based on CVSS (Common Vulnerability Scoring System).
Helps prioritize which vulnerabilities should be addressed first based on risk to the organization.
Reference: CVSS v3.1 from FIRST.org, and NIST SP 800-40 Rev. 3.

Incorrect options:

A. Lessons learned

"Lessons learned" is typically included in incident response reports, not vulnerability scan reports. This section reflects on what went well or poorly during the handling of a real security incident. Since a vulnerability scan is a proactive assessment rather than a response to an event, lessons learned is not relevant in this context.

B. Service-level agreement (SLA)

A service-level agreement is a contractual document that defines the expected level of service between parties, such as uptime guarantees or response times. While SLAs might influence how quickly vulnerabilities are expected to be addressed, they are not part of the technical findings or results of a scan. Therefore, they do not belong in a vulnerability scan report.

C. Playbook

A playbook is a predefined set of procedures used during incident response or in automated security operations (e.g., via SOAR tools). Playbooks guide how to respond to a known threat or event but are not part of vulnerability assessment outputs. Including it in a scan report would be unnecessary and out of scope.

F. Education plan

An education plan is focused on user awareness and training, often as part of a broader cybersecurity program. While employee training is important for overall security posture, it does not belong in a vulnerability scan report, which is a technical document that highlights system weaknesses, not human resource development strategies.

A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

A. Generate a hash value and make a backup image.

B. Encrypt the device to ensure confidentiality of the data.

C. Protect the device with a complex password.

D. Perform a memory scan dump to collect residual data.

A.   Generate a hash value and make a backup image.

Explanation:

When preserving a hard drive for litigation or forensic purposes, the goal is to maintain the integrity and original state of the data. This ensures it is admissible in court and can be trusted as evidence.

Generate a hash value and make a backup image

This is the best practice in digital forensics.

Creating a bit-by-bit (forensic) image of the drive ensures a complete and exact copy is made.

A hash value (e.g., SHA-256 or MD5) is used to verify integrity — confirming that the image has not been altered during or after copying.

The original drive is then stored securely and left untouched.

Reference:

NIST SP 800-101 Rev. 1 – Guidelines on Mobile Device Forensics
CompTIA CySA+ CS0-003 Objective 4.2 – Explain the importance of preserving evidence integrity when performing incident response.

Why the other options are incorrect:

Encrypt the device to ensure confidentiality of the data

Encryption changes the data on the drive, which violates forensic integrity.

It may also make recovery more difficult without encryption keys.

Confidentiality is important, but in litigation, preservation and integrity take precedence.

Protect the device with a complex password

Password protection might deter unauthorized access, but it does not prevent modification of the data on the drive.

It also does not create a verified copy or prove data hasn't changed.

Perform a memory scan dump to collect residual data

Memory dumps are useful in live forensics but not sufficient for preserving hard drive contents.

RAM data is volatile and not a substitute for a full disk image.

This step might be done in some investigations but is not a substitute for proper drive imaging.

Summary:

For litigation or forensic evidence handling, always:

Create a forensic image.

Generate a hash value before and after to prove integrity.

Store the original drive securely and work only on the image.
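The three-step procedure above, carried out in code as an added example (not the practice test's own code and not any forensic tool's): a constructed stand-in file plays the role of the evidence drive, it is copied block by block to an image while SHA-256 is computed over the bytes read, the written image is re-hashed independently, and a later verification re-hashes the image before analysis so that any alteration of the working copy is caught. The file and function names are this example's own; on a real system the source would be the block device opened read-only (with a write blocker in front of it).

```python
"""Forensic imaging with before-and-after hash verification.

Added example for this practice-test page; not the page's or any tool's code.
A constructed sample file stands in for the evidence drive.
"""
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 1024 * 1024  # stream in 1 MiB blocks so a real drive never has to fit in RAM


def sha256_of(path):
    """Hash a file (or block device path) in chunks; returns the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_path, image_path):
    """Bit-for-bit copy of source -> image, hashing the bytes as they are read.

    Returns (source_hash, image_hash). The image hash is computed by re-reading
    the file from disk after fsync, so the two digests are independent evidence
    that the copy is exact rather than one number written down twice.
    """
    digest = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK_SIZE), b""):
            digest.update(chunk)
            dst.write(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return digest.hexdigest(), sha256_of(image_path)


def verify_image(image_path, expected_hash):
    """Re-hash the image (e.g. at the start of each analysis session) and compare."""
    return sha256_of(image_path) == expected_hash


def demo():
    """Run the whole procedure on a constructed drive and report each check."""
    workdir = tempfile.mkdtemp(prefix="forensic-demo-")
    try:
        drive = os.path.join(workdir, "evidence-drive.bin")  # constructed stand-in for /dev/sdX
        image = os.path.join(workdir, "evidence-drive.dd")
        with open(drive, "wb") as f:
            f.write(os.urandom(3 * BLOCK_SIZE + 1234))      # odd size: the last block is partial

        src_hash, img_hash = acquire_image(drive, image)
        intact = verify_image(image, src_hash)

        # Simulate an accidental write to the working copy: flip one byte.
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0xFF]))
        after_tamper = verify_image(image, src_hash)

        return {
            "copy_matches_source": src_hash == img_hash,
            "verified_before_analysis": intact,
            "verified_after_tamper": after_tamper,
            "source_sha256": src_hash,
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-26s %s" % (key, value))
```

Record the source hash in the chain-of-custody notes at acquisition time; the `verify_image` result is what you attach to each later analysis session, and a `False` there means the working copy must be re-created from the untouched original rather than trusted.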

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?

A. Block the attacks using firewall rules.

B. Deploy an IPS in the perimeter network.

C. Roll out a CDN.

D. Implement a load balancer.

C.   Roll out a CDN.

Explanation:

The question asks for the best control to mitigate Layer 4 DDoS (Distributed Denial of Service) attacks targeting a company website. Layer 4 DDoS attacks, such as SYN floods or UDP floods, aim to overwhelm network resources (e.g., bandwidth, server capacity) at the transport layer, disrupting website availability. A Content Delivery Network (CDN) is the most effective solution, as it distributes website content across multiple geographically dispersed servers, absorbing and mitigating large-scale DDoS traffic while maintaining availability. This aligns with the CS0-003 exam’s Security Operations (Domain 1) and Incident Response and Management (Domain 3) objectives, which emphasize implementing controls to protect against network-based threats.

Why C is Correct:

Distributed Infrastructure: A CDN caches website content on edge servers worldwide, reducing the load on the origin server and dispersing attack traffic across a large network, making it harder for a Layer 4 DDoS to overwhelm any single point.
DDoS Mitigation: CDNs like Cloudflare or Akamai have built-in DDoS protection, using techniques like rate limiting, traffic filtering, and IP reputation analysis to block malicious Layer 4 traffic (e.g., SYN or UDP floods).
Scalability: CDNs handle high traffic volumes, ensuring website availability during an attack, which is critical for mitigating the impact of Layer 4 DDoS attacks.
Alignment with CS0-003: Deploying a CDN addresses proactive security operations and incident mitigation, key skills for a SOC analyst.

Why Other Options Are Wrong:

A. Block the attacks using firewall rules
Reason: Firewalls can block specific Layer 4 traffic (e.g., by dropping packets from known malicious IPs or limiting connection rates). However, they are typically deployed at the network perimeter and can become a bottleneck during large-scale DDoS attacks, as they lack the distributed infrastructure to handle massive traffic floods. Polymorphic or distributed attacks may also bypass static firewall rules, and managing rules for dynamic DDoS traffic is labor-intensive and less effective than a CDN’s automated mitigation.

B. Deploy an IPS in the perimeter network
Reason: An Intrusion Prevention System (IPS) detects and blocks malicious traffic based on signatures or anomalies, but it’s designed for higher-layer threats (e.g., application exploits) rather than volumetric Layer 4 DDoS attacks. Like firewalls, an IPS at the perimeter can be overwhelmed by high traffic volumes, and it lacks the scalability or distributed architecture to absorb DDoS traffic effectively, making it unsuitable for this scenario.

D. Implement a load balancer
Reason: A load balancer distributes traffic across multiple backend servers to improve performance and availability but is not optimized for DDoS mitigation. It operates closer to the origin server and lacks the global distribution and advanced filtering of a CDN. During a Layer 4 DDoS, a load balancer could still be overwhelmed if the attack saturates the network’s bandwidth or resources before reaching the balancer.

Reference: CompTIA CySA+ (CS0-003) Exam Objectives, Domains 1 (Security Operations) and 3 (Incident Response and Management), covering network security controls and DDoS mitigation.
CompTIA CySA+ Study Guide: Exam CS0-003 by Chapple and Seidl, which discusses CDNs as a defense against DDoS attacks in the context of security operations.
