Free CS0-003 Sample Questions — CompTIA CySA+ (CS0-003)

A security administrator has found indications of dictionary attacks against the company’s external-facing portal. Which of the following should be implemented to best mitigate the password attacks?

• A. Multifactor authentication
• B. Password complexity
• C. Web application firewall
• D. Lockout policy

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

• A. Cross-reference the signature with open-source threat intelligence
• B. Configure the EDR to perform a full scan
• C. Transfer the malware to a sandbox environment
• D. Log in to the affected systems and run netstat

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

• A. Scope
• B. Weaponization
• C. CVSS
• D. Asset value

Which of the following does "federation" most likely refer to within the context of identity and access management?

• A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
• B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
• C. Utilizing a combination of what you know who you are, and what you have to grant authentication to a user
• D. Correlating one's identity with the attributes and associated applications the user has access to

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

• A. C2 beaconing activity
• B. Data exfiltration
• C. Anomalous activity on unexpected ports
• D. Network host IP address scanning
• E. rogue network device

A company classifies security groups by risk level. Any group with a high-risk classification requires multiple levels of approval for member or owner changes. Which of the following inhibitors to remediation is the company utilizing?

• A. Organizational governance
• B. MOU
• C. SLA
• D. Business process interruption

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

• A. OpenID
• B. SDN
• C. ZTNA
• D. SWG

The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

• A. Employee turnover
• B. Intrusion attempts
• C. Mean time to detect
• D. Level of preparedness

A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notifications according to company policy. Which of the following technologies was deployed?

• A. SIEM
• B. SOAR
• C. IPS
• D. CERT

Which of the following actions would an analyst most likely perform after an incident has been investigated?

• A. Risk assessment
• B. Root cause analysis
• C. Incident response plan
• D. Tabletop exercise

An analyst finds that duplicate entries may exist in the asset inventory, which is skewing vulnerability scan data. Which of the following is the best way for the analyst to improve the effectiveness of the vulnerability scan?

• A. Device fingerprinting
• B. Network mapping
• C. Uncredentialed reports
• D. Dynamic scans

An end user forwarded an email with a file attachment to the SOC for review. The SOC analysts think the file was specially crafted for the target. Which of the following investigative actions would best determine if the attachment was malicious?

• A. Review the file in Virus Total to determine if the domain is associated with any phishing
• B. Review the email header to analyze the DKIM, DMARC, and SPF values
• C. Review the source IP address in AbuseIPDB
• D. Review the attachment’s behavior in a sandbox environment while running Wireshark

A security analyst needs to develop a solution to protect a high-value asset from an exploit like a recent zero-day attack. Which of the following best describes this risk management strategy?

• A. Avoid
• B. Transfer
• C. Accept
• D. Mitigate

An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?

• A. Disable the user’s network account and access to web resources
• B. Make a copy of the files as a backup on the server
• C. Place a legal hold on the device and the user’s network share
• D. Make a forensic image of the device and create a SHA-1 hash

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

• A. Hacktivist threat
• B. Advanced persistent threat
• C. Unintentional insider threat
• D. Nation-state threat

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

• A. Identify any improvements or changes in the incident response plan or procedures
• B. Determine if an internal mistake was made and who did it so they do not repeat the error
• C. Present all legal evidence collected and turn it over to iaw enforcement
• D. Discuss the financial impact of the incident to determine if security controls are well spent

Executives want to compare certain metrics from the most recent and last reporting periods to determine whether the metrics are increasing or decreasing. Which of the following would provide the necessary information to satisfy this request?

• A. Count level
• B. Trending analysis
• C. Impact assessment
• D. Severity score

A cybersecurity analyst is setting up a security control that monitors network traffic and produces an active response to a security event. Which of the following tools is the analyst configuring?

• A. EDR
• B. IPS
• C. CASB
• D. WAF

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?

• A. Data exfiltration
• B. Rogue device
• C. Scanning
• D. Beaconing

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?

• A. Delivery
• B. Reconnaissance
• C. Exploitation
• D. Weaponization