CompTIA CS0-003 Exam Practice Test Instant Access

Question 1

Which of the following risk management decisions should be considered after evaluating all other options?

ATransfer

BAcceptance

CMitigation

DAvoidance

Answer : B

Risk Acceptance means acknowledging a risk and choosing not to take further action because the cost of mitigation may outweigh the benefits.

It is the last resort when:

The risk is low impact or unlikely to occur.

Other options (mitigation, transfer, avoidance) are not feasible.

Why Not Other Options?

A (Transfer) Moving risk to a third party (e.g., insurance).

C (Mitigation) Implementing security controls to reduce risk.

D (Avoidance) Eliminating the risk entirely (e.g., discontinuing a service).

Question 2

A security analyst identifies a device on which different malware was detected multiple times, even after the systems were scanned and cleaned several times. Which of the following actions would be most effective to ensure the device does not have residual malware?

AUpdate the device and scan offline in safe mode.

BReplace the hard drive and reimage the device.

CUpgrade the device to the latest OS version.

DDownload a secondary scanner and rescan the device.

Answer : B

Reimaging the device is the most effective way to eliminate persistent malware because some sophisticated malware, such as rootkits and firmware-level threats, can survive traditional scans and removals.

If a system keeps getting reinfected after cleaning, it may indicate a deeply embedded persistent threat, possibly in:

The Master Boot Record (MBR) or EFI firmware.

A compromised system restore point.

A hidden backdoor left by the malware.

Why Not Other Options?

A (Update and scan in safe mode) Might help, but if malware is persistent, it will likely return.

C (Upgrade OS) Does not necessarily remove malware; some malware survives OS upgrades.

D (Secondary scanner) Useful for detection but does not guarantee complete removal.

Best Practice:

Replace the hard drive to eliminate firmware-level infections.

Reimage the system from a known-good source.

Update the OS and security patches before reconnecting to the network.

Question 3

A user is flagged for consistently consuming a high volume of network bandwidth over the past week. During the investigation, the security analyst finds traffic to the following websites:

Date/Time

URL

Destination Port

Bytes In

Bytes Out

12/24/2023 14:00:25

youtube.com

450000

4587

12/25/2023 14:09:30

translate.google.com

2985

3104

12/25/2023 14:10:00

tiktok.com

443

675000

105

12/25/2023 16:00:45

netflix.com

443

525900

295

12/26/2023 16:30:45

grnail.com

443

1250

525984

12/31/2023 17:30:25

office.com

443

350000

450

12/31/2023 17:35:00

youtube.com

443

300

350000

Which of the following data flows should the analyst investigate first?

Anetflix.com

Byoutube.com

Ctiktok.com

Dgrnail.com

Etranslate.google.com

Foffice.com

Answer : D

D ('grnail.com') is a suspicious domain that resembles 'gmail.com.'

The high 'bytes out' value (525,984 bytes) indicates potential data exfiltration.

Attackers often use typosquatting (e.g., 'grnail.com' instead of 'gmail.com') to trick users into visiting malicious sites.

Why Not Other Options?

A (Netflix, B YouTube, C TikTok) Large downloads, but expected behavior for streaming sites.

E (Google Translate) Low data volume, no exfiltration risk.

F (Office.com) Microsoft service, no indication of malicious activity.

Question 4

The architecture team has been given a mandate to reduce the triage time of phishing incidents by 20%. Which of the following solutions will most likely help with this effort?

AIntegrate a SOAR platform.

BIncrease the budget to the security awareness program.

CImplement an EDR tool.

DInstall a button in the mail clients to report phishing.

Answer : A

SOAR (Security Orchestration, Automation, and Response) platforms help automate and orchestrate incident response tasks, including phishing triage.

SOAR reduces triage time by automatically:

Parsing phishing emails (checking headers, links, attachments).

Running automated playbooks to check for known malicious indicators.

Escalating real threats while dismissing false positives.

Why Not Other Options?

B (Increase security awareness) Helps prevent phishing but does NOT reduce triage time.

C (Implement EDR) EDR is useful for endpoint protection but does NOT specifically reduce phishing triage time.

D (Install a 'Report Phishing' button) Helps report phishing but does NOT automate the triage process.

Question 5

A group of hacktivists has breached and exfiltrated data from several of a bank's competitors. Given the following network log output:

Source

Destination

Protocol

Service

172.16.1.1

172.16.1.10

ARP

AddrResolve

172.16.1.10

172.16.1.20

TCP 135

RPC Kerberos

172.16.1.10

172.16.1.30

TCP 445

SMB WindowsExplorer

172.16.1.30

5.29.1.5

TCP 443

HTTPS Browser.exe

11.4.11.28

172.16.1.1

TCP 53

DNS Unknown

20.109.209.108

172.16.1.1

TCP 443

HTTPS WUS

172.16.1.25

bank.backup.com

TCP 21

FTP FileZilla

Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)

Answer : D, G

D (4: HTTPS traffic to an external IP - 5.29.1.5)

The log entry shows an internal system (172.16.1.30) communicating with an external IP (5.29.1.5) over TCP 443 (HTTPS) using Browser.exe.

HTTPS traffic to an unknown external IP could indicate data exfiltration, as attackers often use encrypted channels to disguise stolen data transfers.

G (7: FTP traffic to an external backup server - bank.backup.com)

The log entry indicates that an internal machine (172.16.1.25) is transferring data to bank.backup.com using FTP (port 21) and FileZilla.

FTP is a major concern because it is an outdated, unencrypted protocol that can be exploited for data exfiltration. If unauthorized, this could be a serious data breach.

Other Options:

A (ARP traffic) Not a concern (Just address resolution)

B (RPC Kerberos traffic) Normal for authentication

C (SMB traffic) Internal file sharing

**E (DNS traffic) Common, though could be exfiltration in some cases, but not in this log)

F (WUS traffic) Appears to be Windows Update Service traffic, likely legitimate

Question 6

A security manager reviews the permissions for the approved users of a shared folder and finds accounts that are not on the approved access list. While investigating an incident, a user discovers data discrepancies in the file. Which of the following best describes this activity?

AFilesystem anomaly

BIllegal software

CUnauthorized changes

DData exfiltration

Answer : C

The discovery of unapproved accounts accessing shared data, along with data discrepancies, strongly indicates unauthorized changes.

Indicators of Unauthorized Changes:

Unexpected user permissions found during audits.

Modified or deleted data without proper documentation.

Altered system or security configurations, allowing unintended access.

Why Not Other Options?

A . Filesystem Anomaly: This refers to unexpected behavior in the file structure, such as corrupt metadata or missing files, rather than unauthorized user access.

B . Illegal Software: Would involve unlicensed or unauthorized applications, not unauthorized file modifications.

D . Data Exfiltration: If data was removed, it might be exfiltration, but in this case, data modifications were detected instead.

To prevent unauthorized changes, security teams should use:

File Integrity Monitoring (FIM) to detect unauthorized modifications.

Access control audits to verify correct user permissions.

SIEM tools to analyze logs for anomalies.

Question 7

A vulnerability scan shows several vulnerabilities. At the same time, a zero-day vulnerability with a CVSS score of 10 has been identified on a web server. Which of the following actions should the security analyst take first?

AContact the web systems administrator and request that they shut down the asset.

BMonitor the patch releases for all items and escalate patching to the appropriate team.

CRun the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability.

DForward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Answer : A

A CVSS 10 vulnerability represents a critical security risk, often leading to remote code execution or complete system compromise.

Option A (Shut down the asset) is the best immediate containment action for preventing exploitation.

Option B (Monitor patches) is important but should be done after containment.

Option C (Rescanning) is unnecessary when a high-confidence security advisory has been issued.

Option D (Forwarding advisory) is good practice but does not immediately mitigate the threat.

CompTIA CS0-003 CompTIA Cybersecurity Analyst (CySA+) Exam Practice Test