[2024年更新]CS0-003リアルな試験問題集でCS0-003練習テスト
CS0-003問題集でCompTIA Cybersecurity Analyst高確率練習問題集
質問 # 37
A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:
Which of the following hosts should be patched first, based on the metrics?
- A. host02
- B. host01
- C. host04
- D. host03
正解:D
解説:
Host03 should be patched first, based on the metrics, as it has the highest risk score and the highest number of critical vulnerabilities. The risk score is calculated by multiplying the CVSS score by the exposure factor, which is the percentage of systems that are vulnerable to the exploit. Host03 has a risk score of 10 x 0.9 = 9, which is higher than any other host. Host03 also has 5 critical vulnerabilities, which are the most severe and urgent to fix, as they can allow remote code execution, privilege escalation, or data loss. The other hosts have lower risk scores and lower numbers of critical vulnerabilities, so they can be patched later.
質問 # 38
Which of the following best describes the key elements of a successful information security program?
- A. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems
- B. Security policy implementation, assignment of roles and responsibilities, and information asset classification
- C. Business impact analysis, asset and change management, and security communication plan
- D. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies
正解:B
解説:
A successful information security program consists of several key elements that align with the organization's goals and objectives, and address the risks and threats to its information assets.
Security policy implementation: This is the process of developing, documenting, and enforcing the rules and standards that govern the security of the organization's information assets. Security policies define the scope, objectives, roles, and responsibilities of the security program, as well as the acceptable use, access control, incident response, and compliance requirements for the information assets.
Assignment of roles and responsibilities: This is the process of identifying and assigning the specific tasks and duties related to the security program to the appropriate individuals or groups within the organization. Roles and responsibilities define who is accountable, responsible, consulted, and informed for each security activity, such as risk assessment, vulnerability management, threat detection, incident response, auditing, and reporting.
Information asset classification: This is the process of categorizing the information assets based on their value, sensitivity, and criticality to the organization. Information asset classification helps to determine the appropriate level of protection and controls for each asset, as well as the impact and likelihood of a security breach or loss. Information asset classification also facilitates the prioritization of security resources and efforts based on the risk level of each asset.
質問 # 39
During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?
- A. Ensure permissions are limited in the investigation team and encrypt the data.
- B. Ensure that permissions are open only to the company.
- C. Implement data encryption and create a standardized procedure for deleting data that is no longer needed.
- D. Implement data encryption and close the data so only the company has access.
正解:A
解説:
The best option to safeguard PII during an incident is to ensure permissions are limited in the investigation team and encrypt the data. This is because limiting permissions reduces the risk of unauthorized access or leakage of sensitive data, and encryption protects the data from being read or modified by anyone who does not have the decryption key. Option A is not correct because closing the data may hinder the investigation process and prevent collaboration with other parties who may need access to the data. Option C is not correct because deleting data that is no longer needed may violate legal or regulatory requirements for data retention, and may also destroy potential evidence for the incident. Option D is not correct because opening permissions to the company may expose the data to more people than necessary, increasing the risk of compromise or misuse.
References: CompTIA CySA+ Study Guide: Exam CS0-002, 2nd Edition, Chapter 4, "Data Protection and Privacy Practices", page 195; CompTIA CySA+ Certification Exam Objectives Version 4.0, Domain 4.0
"Compliance and Assessment", Objective 4.1 "Given a scenario, analyze data as part of a security incident", Sub-objective "Data encryption", page 23 CompTIA CySA+ Study Guide: Exam CS0-002, 2nd Edition : CompTIA CySA+ Certification Exam Objectives Version 4.0.pdf)
質問 # 40
During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?
- A. Degrading functionality
- B. Business process interruption
- C. Legacy system
- D. Configuration management
正解:C
解説:
The most likely cause of the issue where an ICS (Industrial Control System) could not be updated due to hardware versioning incompatibility is a legacy system. Legacy systems often have outdated hardware and software that may not be compatible with modern updates and patches. This can pose significant challenges in maintaining security and operational efficiency.
質問 # 41
A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:
Which of the following should be completed first to remediate the findings?
- A. Add the IP address allow listing for control panel access
- B. Purchase an appropriate certificate from a trusted root CA
- C. Perform proper sanitization on all fields
- D. Ask the web development team to update the page contents
正解:C
解説:
The first action that should be completed to remediate the findings is to perform proper sanitization on all fields. Sanitization is a process that involves validating, filtering, or encoding any user input or data before processing or storing it on a system or application. Sanitization can help prevent various types of attacks, such as cross-site scripting (XSS), SQL injection, or command injection, that exploit unsanitized input or data to execute malicious scripts, commands, or queries on a system or application. Performing proper sanitization on all fields can help address the most critical and common vulnerability found during the vulnerability assessment, which is XSS.
質問 # 42
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program.
Which of the following is the best priority based on common attack frameworks?
- A. Employ a network-based IDS
- B. Conduct thorough incident response
- C. Reduce the administrator and privileged access accounts
- D. Enable SSO to enterprise applications
正解:C
解説:
Explanation
The best priority based on common attack frameworks for a new program to reduce attack surface risks and threats as part of a zero trust approach is to reduce the administrator and privileged access accounts.
Administrator and privileged access accounts are accounts that have elevated permissions or capabilities to perform sensitive or critical tasks on systems or networks, such as installing software, changing configurations, accessing data, or granting access. Reducing the administrator and privileged access accounts can help minimize the attack surface, as it can limit the number of potential targets or entry points for attackers, as well as reduce the impact or damage of an attack if an account is compromised.
質問 # 43
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
- A. Asset management plan
- B. Vulnerability management plan
- C. Disaster recovery plan
- D. Business continuity plan
正解:C
質問 # 44
During the log analysis phase, the following suspicious command is detected-
Which of the following is being attempted?
- A. Buffer overflow
- B. Smurf attack
- C. ICMP tunneling
- D. RCE
正解:D
解説:
RCE stands for remote code execution, which is a type of attack that allows an attacker to execute arbitrary commands on a target system. The suspicious command in the question is an example of RCE, as it tries to download and execute a malicious file from a remote server using the wget and chmod commands. A buffer overflow is a type of vulnerability that occurs when a program writes more data to a memory buffer than it can hold, potentially overwriting other memory locations and corrupting the program's execution. ICMP tunneling is a technique that uses ICMP packets to encapsulate and transmit data that would normally be blocked by firewalls or filters. A smurf attack is a type of DDoS attack that floods a network with ICMP echo requests, causing all devices on the network to reply and generate a large amount of traffic. Verified References: What Is Buffer Overflow? Attacks, Types & Vulnerabilities - Fortinet1, What Is a Smurf Attack? Smurf DDoS Attack | Fortinet2, exploit - Interpreting CVE ratings: Buffer Overflow vs. Denial of ...3
質問 # 45
A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:
Which of the following is most likely occurring, based on the events in the log?
- A. An adversary is performing a password stuffing attack.
. - B. An adversary is escalating privileges.
- C. An adversary is performing a vulnerability scan.
- D. An adversary is attempting to find the shortest path of compromise.
正解:C
解説:
Based on the events in the log, the most likely occurrence is that an adversary is performing a vulnerability scan. The log shows LDAP read operations and EDR enumerating local groups, which are indicative of an adversary scanning the system to find vulnerabilities or sensitive information. The final entry shows SMB connection attempts to multiple hosts from a single host, which could be a sign of network discovery or lateral movement. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 161; Monitor logs from vulnerability scanners, Section: Reports on Nessus vulnerability data.
質問 # 46
An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?
- A. OS fingerprinting
- B. Service port identification
- C. Passive network foot printing
- D. Application versioning
正解:C
解説:
Passive network foot printing is the best description of the example, as it reflects the technique of collecting information about a network or system by monitoring or sniffing network traffic without sending any packets or interacting with the target. Foot printing is a term that refers to the process of gathering information about a target network or system, such as its IP addresses, open ports, operating systems, services, or vulnerabilities.
Foot printing can be done for legitimate purposes, such as penetration testing or auditing, or for malicious purposes, such as reconnaissance or intelligence gathering. Foot printing can be classified into two types:
active and passive. Active foot printing involves sending packets or requests to the target and analyzing the responses, such as using tools like ping, traceroute, or Nmap. Active foot printing can provide more accurate and detailed information, but it can also be detected by firewalls or intrusion detection systems (IDS). Passive foot printing involves observing or capturing network traffic without sending any packets or requests to the target, such as using tools like tcpdump, Wireshark, or Shodan. Passive foot printing can provide less information, but it can also avoid detection by firewalls or IDS. The example in the question shows that the attacker has gained access to the syslog server on a LAN and reviewed the syslog entries to prioritize possible next targets. A syslog server is a server that collects and stores log messages from various devices or applications on a network. A syslog entry is a record of an event or activity that occurred on a device or application, such as an error, a warning, or an alert. By reviewing the syslog entries, the attacker can obtain information about the network or system, such as its configuration, status, performance, or security issues.
This is an example of passive network foot printing, as the attacker is not sending any packets or requests to the target, but rather observing or capturing network traffic from the syslog server. The other options are not correct, as they describe different techniques or concepts. OS fingerprinting is a technique of identifying the operating system of a target by analyzing its responses to certain packets or requests, such as using tools like Nmap or Xprobe2. OS fingerprinting can be done actively or passively, but it is not what the attacker is doing in the example. Service port identification is a technique of identifying the services running on a target by scanning its open ports and analyzing its responses to certain packets or requests, such as using tools like Nmap or Netcat. Service port identification can be done actively or passively, but it is not what the attacker is doing in the example. Application versioning is a concept that refers to the process of assigning unique identifiers to different versions of an application, such as using numbers, letters, dates, or names. Application versioning can help to track changes, updates, bugs, or features of an application, but it is not related to what the attacker is doing in the example.
質問 # 47
Which of the following are the MOST likely reasons lo include reporting processes when updating an incident response plan after a breach? (Select TWO).
- A. To remediate vulnerabilities that led to the breach
- B. To limit reputation damage caused by the breach
- C. To establish a clear chain of command
- D. To provide secure network design changes
- E. To isolate potential insider threats
- F. To meet regulatory requirements for timely reporting
正解:C、F
質問 # 48
A security analyst is reviewing the following log entries to identify anomalous activity:
Which of the following attack types is occurring?
- A. Cross-site scripting
- B. Buffer overflow
- C. Directory traversal
- D. SQL injection
正解:C
解説:
A directory traversal attack is a type of web application attack that exploits insufficient input validation or improper configuration to access files or directories that are outside the intended scope of the web server. The log entries given in the question show several requests that contain ".../" sequences in the URL, which indicate an attempt to move up one level in the directory structure. For example, the request "/images/.../.../etc/passwd" tries to access the /etc/passwd file, which contains user account information on Linux systems. If successful, this attack could allow an attacker to read, modify, or execute files on the web server that are not meant to be accessible.
質問 # 49
A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:
getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ;
Which of the following is the most likely vulnerability in this system?
- A. Lack of input validation
- B. Buffer overflow attacks
- C. Hard-coded credential
- D. SQL injection
正解:C
解説:
Explanation
The most likely vulnerability in this system is hard-coded credential. Hard-coded credential is a practice of embedding or storing a username, password, or other sensitive information in the source code or configuration file of a system or application. Hard-coded credential can pose a serious security risk, as it can expose the system or application to unauthorized access, data theft, or compromise if the credential is discovered or leaked by an attacker. Hard-coded credential can also make it difficult to change or update the credential if needed, as it may require modifying the code or file and redeploying the system or application.
質問 # 50
A security analyst observed the following activity from a privileged account:
. Accessing emails and sensitive information
. Audit logs being modified
. Abnormal log-in times
Which of the following best describes the observed activity?
- A. Irregular peer-to-peer communication
- B. Rogue devices on the network
- C. Insider attack
- D. Unauthorized privileges
正解:C
解説:
The observed activity from a privileged account indicates an insider attack, which is when a trusted user or employee misuses their access rights to compromise the security of the organization. Accessing emails and sensitive information, modifying audit logs, and logging in at abnormal times are all signs of malicious behavior by a privileged user who may be trying to steal, tamper, or destroy data, or cover their tracks. An insider attack can cause significant damage to the organization's reputation, operations, and compliance12.
References: The Privileged Identity Playbook Guides Management of Privileged User Accounts, How to Track Privileged Users' Activities in Active Directory
質問 # 51
In SIEM software, a security analysis selected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?
- A. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
- B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours
- C. Collect all the files that have changed and compare them with the previous baseline
- D. Fully segregate the affected servers physically in a network segment, apart from the production network.
正解:D
質問 # 52
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?
- A. Exploitation
- B. Reconnaissance
- C. Weaponization
- D. Delivery
正解:A
解説:
The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target's network and achieve their objectives. In this case, the malicious actor has gained access to an internal network by means of social engineering and does not want to lose access in order to continue the attack. This indicates that the actor is in the exploitation stage of the Cyber Kill Chain. Official References:
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
質問 # 53
......
CS0-003リアルな問題と知能問題集:https://www.passtest.jp/CompTIA/CS0-003-shiken.html
合格できるCS0-003試験と最新CS0-003試験問題集PDF2024:https://drive.google.com/open?id=18Ca0glAGXlaxKA5kEPS4otTQqz9jdBKC