PassTest CS0-003問題集328問でCompTIA Cybersecurity Analystを確実実践
リアル最新CS0-003試験問題CS0-003問題集
質問 # 83
A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?
- A. Operational controls
- B. Compensating controls
- C. Corrective controls
- D. Administrative controls
正解:B
質問 # 84
An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?
- A. Time synchronization
- B. Invalid playbook
- C. Access rights
- D. Network segmentation
正解:A
解説:
Time synchronization is the process of ensuring that all systems in a network have the same accurate time, which is essential for correlating data points from different sources. If the system has an issue with time synchronization, the analyst may have difficulty matching events that occurred at the same time or in a specific order. Access rights, network segmentation, and invalid playbook are not directly related to the issue of correlating data points. Verified References: [CompTIA CySA+ CS0-002 Certification Study Guide], page
23
質問 # 85
A security analyst is reviewing the following alert that was triggered by FIM on a critical system:
Which of the following best describes the suspicious activity that is occurring?
- A. A new program has been set to execute on system start.
- B. The host firewall on 192.168.1.10 was disabled.
- C. A fake antivirus program was installed by the user.
- D. A network drive was added to allow exfiltration of data.
正解:A
解説:
A new program has been set to execute on system start is the most likely cause of the suspicious activity that is occurring, as it indicates that the malware has modified the registry keys of the system to ensure its persistence. File Integrity Monitoring (FIM) is a tool that monitors changes to files and registry keys on a system and alerts the security analyst of any unauthorized or malicious modifications. The alert triggered by FIM shows that the malware has created a new registry key under the Run subkey, which is used to launch programs automatically when the system starts. The new registry key points to a file named "update.exe" in the Temp folder, which is likely a malicious executable disguised as a legitimate update file.
質問 # 86
An internally developed file-monitoring system identified the following except as causing a program to crash often:
char filedata[100];
fp = fopen(`access.log`, `r`);
srtcopy (filedata, fp);
printf (`%s\n`, filedata);
Which of the following should a security analyst recommend to fix the issue?
- A. Perform input sanitization.
- B. Open the access.log file in read/write mode.
- C. Replace the strcpy function.
- D. Increase the size of the file data butter.
正解:C
解説:
Use of insecure functions can make it much harder to secure code.
Functions like strcpy, which don't have critical security features built in, can result in code that is easier for attackers to target. In fact, strcpy is the only specific function that the CySA+ objectives call out, likely because of how commonly it is used for buffer overflow attacks in applications written in C. strcpy allows data to be copied without caring whether the source is bigger than the destination. If this occurs, attackers can place arbitrary data in memory locations past the original destination, possibly allowing a buffer overflow attack to succeed.
質問 # 87
The analyst reviews the following endpoint log entry:
Which of the following has occurred?
- A. Registry change
- B. Rename computer
- C. New account introduced
- D. Privilege escalation
正解:C
解説:
Explanation
The endpoint log entry shows that a new account named "admin" has been created on a Windows system with a local group membership of "Administrators". This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.
質問 # 88
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?
- A. Weaponization
- B. Reconnaissance
- C. Delivery
- D. Exploitation
正解:D
解説:
The Cyber Kill Chain is a framework that describes the stages of a cyberattack from reconnaissance to actions on objectives. The exploitation stage is where attackers take advantage of the vulnerabilities they have discovered in previous stages to further infiltrate a target's network and achieve their objectives. In this case, the malicious actor has gained access to an internal network by means of social engineering and does not want to lose access in order to continue the attack. This indicates that the actor is in the exploitation stage of the Cyber Kill Chain. Official Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
質問 # 89
While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:
Based on the Prowler report, which of the following is the BEST recommendation?
- A. Delete access key 2.
- B. Delete access key 1.
- C. Delete BusinessUsr access key 1.
- D. Delete CloudDev access key 1.
正解:C
解説:
The only "FAIL!" in this report is BusinessUsr.
質問 # 90
A cybersecurity analyst is recording the following details:
- ID
- Name
- Description
- Classification of information
- Responsible party
In which of the following documents is the analyst recording this information?
- A. Incident response playbook
- B. Change control documentation
- C. Incident response plan
- D. Risk register
正解:D
質問 # 91
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
- A. Subject matter experts on the team should communicate with others within the specified area of expertise
- B. Management level members of the CSIRT should make that decision
- C. The lead should review what is documented in the incident response policy or plan
- D. The lead has the authority to decide who to communicate with at any t me
正解:C
解説:
Explanation
The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.
質問 # 92
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server
logs for evidence of exploitation of that particular vulnerability?
- A. cat /proc/self/
- B. /etc/ shadow
- C. curl localhost
- D. ; printenv
正解:B
解説:
/etc/shadow is the pattern that the security analyst can use to search the web server logs for evidence of exploitation of the LFI vulnerability that can be exploited to extract credentials from the underlying host. LFI stands for Local File Inclusion, which is a vulnerability that allows an attacker to include local files on the web server into the output of a web application. LFI can be exploited to extract sensitive information from the web server, such as configuration files, passwords, or source code. The /etc/shadow file is a file that stores the encrypted passwords of all users on a Linux system. If an attacker can exploit the LFI vulnerability to include this file into the web application output, they can obtain the credentials of the users on the web server. Therefore, the security analyst can look for /etc/shadow in the request line of the web server logs to see if any attacker has attempted or succeeded in exploiting the LFI vulnerability. Official Reference:
https://partners.comptia.org/docs/default-source/resources/comptia-cysa-cs0-002-exam-objectives
https://www.comptia.org/certifications/cybersecurity-analyst
https://www.comptia.org/blog/the-new-comptia-cybersecurity-analyst-your-questions-answered
質問 # 93
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
- A.

- B.

- C.

- D.

正解:C
解説:
According to the security policy, the company shall use the CVSSv3.1 Base Score Metrics to prioritize the remediation of security vulnerabilities. Option C has the highest CVSSv3.1 Base Score of 9.8, which indicates a critical severity level. The company shall also prioritize confidentiality of data over availability of systems and data, and option C has a high impact on confidentiality (C:H). Finally, the company shall prioritize patching of publicly available systems and services over patching of internally available systems, and option C affects a public-facing web server. Official References: https://www.first.org/cvss/
質問 # 94
An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?
- A. A rollback had been executed on the instance.
- B. The finding is a false positive and should be ignored.
- C. The vulnerability management software needs to be updated.
- D. The vulnerability scanner was configured without credentials.
正解:A
解説:
A rollback had been executed on the instance. If a database server is restored to a previous state, it may reintroduce a vulnerability that was previously fixed. This can happen due to backup and recovery operations, configuration changes, or software updates. A rollback can undo the patching or mitigation actions that were applied to remediate the vulnerability. Reference: Vulnerability Remediation: It's Not Just Patching, Section: The Remediation Process; Vulnerability assessment for SQL Server, Section: Remediation
質問 # 95
A security analyst is reviewing the following log entries to identify anomalous activity:
Which of the following attack types is occurring?
- A. SQL injection
- B. Directory traversal
- C. Buffer overflow
- D. Cross-site scripting
正解:B
解説:
A directory traversal attack is a type of web application attack that exploits insufficient input validation or improper configuration to access files or directories that are outside the intended scope of the web server. The log entries given in the question show several requests that contain ".../" sequences in the URL, which indicate an attempt to move up one level in the directory structure. For example, the request "/images/.../.../etc/passwd" tries to access the /etc/passwd file, which contains user account information on Linux systems. If successful, this attack could allow an attacker to read, modify, or execute files on the web server that are not meant to be accessible.
質問 # 96
You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not
The company's hardening guidelines indicate the following
* TLS 1 2 is the only version of TLS
running.
* Apache 2.4.18 or greater should be used.
* Only default ports should be used.
INSTRUCTIONS
using the supplied dat
a. record the status of compliance With the company's guidelines for each server.
The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for Issues based ONLY on the hardening guidelines provided.
Part 1:
AppServ2:
AppServ3:
AppServ4:

Part 2:

正解:
解説:
check the explanation part below for the solution
Explanation:
Part 1:
Part 2:
Based on the compliance report, I recommend the following changes for each server:
AppServ1: No changes are needed for this server.
AppServ2: Disable or upgrade TLS 1.0 and TLS 1.1 to TLS 1.2 on this server to ensure secure encryption and communication between clients and the server. Update Apache from version 2.4.17 to version 2.4.18 or greater on this server to fix any potential vulnerabilities or bugs.
AppServ3: Downgrade Apache from version 2.4.19 to version 2.4.18 or lower on this server to ensure compatibility and stability with the company's applications and policies. Change the port number from 8080 to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with other services.
AppServ4: Update Apache from version 2.4.16 to version 2.4.18 or greater on this server to fix any potential vulnerabilities or bugs. Change the port number from 8443 to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with other services.
質問 # 97
During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware.
Which of the following actions should be performed immediately?
- A. Shut down the server.
- B. Quarantine the server
- C. Reimage the server
- D. Update the OS to latest version.
正解:B
解説:
Quarantining the server is the best action to perform immediately, as it isolates the affected server from the rest of the network and prevents the ransomware from spreading to other systems or data. Quarantining the server also preserves the evidence of the ransomware attack, which can be useful for forensic analysis and law enforcement investigation. The other actions are not as urgent as quarantining the server, as they may not stop the ransomware infection, or they may destroy valuable evidence. Shutting down the server may not remove the ransomware, and it may trigger a data deletion mechanism by the ransomware. Reimaging the server may restore its functionality, but it will also erase any traces of the ransomware and make recovery of encrypted data impossible. Updating the OS to the latest version may fix some vulnerabilities, but it will not remove the ransomware or decrypt the data. Official References:
https://www.cisa.gov/stopransomware/ransomware-guide
https://www.cisa.gov/sites/default/files/publications/Ransomware_Executive_One-Pager_and_Technical_D
https://www.cisa.gov/stopransomware/ive-been-hit-ransomware
質問 # 98
A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8.
Which of the following best practices should the company follow with this proxy?
- A. Decomission the proxy.
- B. Patch the proxy
- C. Leave the proxy as is.
- D. Migrate the proxy to the cloud.
正解:A
解説:
The best practice that the company should follow with this proxy is to decommission the proxy.
Decommissioning the proxy involves removing or disposing of the proxy from the rack and the network, as well as deleting or wiping any data or configuration on the proxy. Decommissioning the proxy can help eliminate the vulnerability on the proxy, as well as reduce the attack surface, complexity, or cost of maintaining the network. Decommissioning the proxy can also free up space or resources for other devices or systems that are in use or needed by the company.
質問 # 99
Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
- A. Threshold value
- B. Log retention
- C. Log rotation
- D. Maximum log size
正解:A
解説:
A threshold value is a parameter that defines the minimum or maximum level of a metric or event that triggers an alert. For example, a threshold value can be set to alert when the number of failed login attempts exceeds 10 in an hour, or when the CPU usage drops below 20% for more than 15 minutes. By setting a threshold value, the process can filter out irrelevant or insignificant alerts and focus on the ones that indicate a potential problem or anomaly. A threshold value can help to reduce the noise and false positives in the alert system, and improve the efficiency and accuracy of the analysis.
質問 # 100
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:
Which of the following choices should the analyst look at first?
- A. xlaptop.lan (192.168.86.249)
- B. p4wnp1_aloa.lan (192.168.86.56)
- C. wh4dc-748gy.lan (192.168.86.152)
- D. imaging.lan (192.168.86.150)
- E. lan (192.168.86.22)
正解:B
解説:
The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network. Official Reference: https://github.com/mame82/P4wnP1_aloa
質問 # 101
An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?
- A. OWASP Top Ten
- B. PCI DSS
- C. CIS Benchmarks
- D. ISO 27001
正解:C
解説:
The best resource to ensure secure configuration of cloud infrastructure is A. CIS Benchmarks.
CIS Benchmarks are a set of prescriptive configuration recommendations for various technologies, including cloud providers, operating systems, network devices, and server software.
They are developed by a global community of cybersecurity experts and help organizations protect their systems against threats more confidently.
PCI DSS, OWASP Top Ten, and ISO 27001 are also important standards for information security, but they are not focused on providing specific guidance for hardening cloud infrastructure. PCI DSS is a compliance scheme for payment card transactions, OWASP Top Ten is a list of common web application security risks, and ISO 27001 is a framework for establishing and maintaining an information security management system. These standards may have some relevance for cloud security, but they are not as comprehensive and detailed as CIS Benchmarks.
質問 # 102
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive dat
a. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
- A. Passive scanning
- B. Agent-based scanning
- C. Credentialed network scanning
- D. Dynamic scanning
正解:B
解説:
Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network. Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.
質問 # 103
An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?
- A. Command and control
- B. Actions on objectives
- C. Exploitation
- D. Reconnaissance
正解:D
解説:
Reconnaissance is the first stage in the Cyber Kill Chain and involves researching potential targets before carrying out any penetration testing. The reconnaissance stage may include identifying potential targets, finding their vulnerabilities, discovering which third parties are connected to them (and what data they can access), and exploring existing entry points as well as finding new ones. Reconnaissance can take place both online and offline. In this case, an analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. This indicates that the analyst is witnessing reconnaissance activity by an attacker. Official Reference: https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
質問 # 104
Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes does this describe?
- A. Forensic analysis
- B. Lessons learned
- C. Business continuity plan
- D. Incident response plan
正解:B
解説:
The lessons learned process is the final stage of the incident management life cycle, where the incident team reviews the incident and evaluates the effectiveness of the response and the plans in place. The lessons learned report should include the who-what-when information and any recommendations for improvement123 Reference: 1: What is incident management? Steps, tips, and best practices 2: 5 Steps of the Incident Management Lifecycle | RSI Security 3: Navigating the Incident Response Life Cycle: A Comprehensive Guide
質問 # 105
An analyst needs to provide recommendations based on a recent vulnerability scan:
Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?
- A. Scan not performed with admin privileges
- B. SMB use domain SID to enumerate users
- C. SSL certificate cannot be trusted
- D. SYN scanner
正解:A
解説:
This is because scanning without admin privileges can limit the scope and accuracy of the vulnerability scan, and potentially miss some critical vulnerabilities that require higher privileges to detect. According to the OWASP Vulnerability Management Guide1, "scanning without administrative privileges will result in a large number of false negatives and an incomplete scan". Therefore, the analyst should recommend addressing this issue to ensure potential vulnerabilities are identified.
質問 # 106
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?
- A. PCI Security Standards Council
- B. Federal law enforcement
- C. Local law enforcement
- D. Card issuer
正解:D
解説:
Explanation
Under the terms of PCI DSS, an organization that has experienced a breach of customer transactions should report the breach to the card issuer. The card issuer is the financial institution that issues the payment cards to the customers and that is responsible for authorizing and processing the transactions. The card issuer may have specific reporting requirements and procedures for the organization to follow in the event of a breach. The organization should also notify other parties that may be affected by the breach, such as customers, law enforcement, or regulators, depending on the nature and scope of the breach. Official References:
https://www.pcisecuritystandards.org/
質問 # 107
......
CompTIA CS0-003 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
CS0-003別格な問題集で最上級の成績にさせるCS0-003問題:https://www.passtest.jp/CompTIA/CS0-003-shiken.html
手に入れよう!最新CS0-003認定の有効な試験問題集解答:https://drive.google.com/open?id=1kIZpv65jOY_e0lcXqsO01rjWViXpTyfJ