[CompTIA] CS0-003 - CySA+ Exam Dumps & Study Guide
# Complete Study Guide for the CompTIA CySA+ (CS0-003) Exam
The CompTIA Cybersecurity Analyst (CySA+) is an intermediate-level certification designed to validate the knowledge and skills required to proactively monitor, detect, and respond to cybersecurity threats. Whether you are a security analyst, a threat intelligence researcher, or an incident responder, this certification proves your ability to handle the challenges of modern cybersecurity operations.
## Why Pursue the CompTIA CySA+ Certification?
In an era of increasingly sophisticated cyber threats, organizations need highly skilled security analysts to protect their data and systems. Earning the CySA+ badge demonstrates that you:
- Can leverage intelligence and threat detection techniques to monitor and protect enterprise networks.
- Understand the technical aspects of security monitoring and how to apply them to identify potential threats.
- Can analyze security risks and develop mitigation strategies.
- Understand the legal and regulatory requirements for data security and incident response.
- Can provide technical guidance on security-related projects.
## Exam Overview
The CompTIA CySA+ (CS0-003) exam consists of multiple-choice and performance-based questions. You are given 165 minutes to complete the exam, and the passing score is typically 750 out of 900.
### Key Domains Covered:
1. **Security Operations (33%):** This domain focuses on your ability to monitor and protect enterprise networks using intelligence and threat detection techniques.
2. **Vulnerability Management (18%):** Here, the focus is on identifying and managing security vulnerabilities. You must understand vulnerability scanning, assessment, and remediation.
3. **Incident Response and Management (25%):** This section covers your knowledge of incident response and management techniques. You'll need to understand how to handle and resolve security incidents.
4. **Reporting and Communication (24%):** This domain tests your ability to report and communicate security findings to various stakeholders. You must understand the different types of documentation involved and how to use them.
## Top Resources for CySA+ Preparation
Successfully passing the CySA+ requires a mix of theoretical knowledge and hands-on experience. Here are some of the best resources:
- **Official CompTIA Training:** CompTIA offers specialized digital and classroom training specifically for the CySA+ certification.
- **CySA+ Study Guide:** The official study guide provides a comprehensive overview of all the exam domains.
- **Hands-on Practice:** There is no substitute for building and managing security monitoring solutions. Set up your own home lab and experiment with different security monitoring tools and techniques.
- **Practice Exams:** High-quality practice questions are essential for understanding the intermediate-level exam format. Many candidates recommend using resources like [notjustexam.com](https://notjustexam.com) for their realistic and challenging exam simulations.
## Critical Topics to Master
To excel in the CySA+, you should focus your studies on these high-impact areas:
- **Security Monitoring and Threat Detection:** Master the nuances of monitoring and protecting enterprise networks using intelligence and threat detection techniques.
- **Vulnerability Management and Assessment:** Understand vulnerability scanning, assessment, and remediation techniques.
- **Incident Response and Handling:** Know how to handle and resolve security incidents using various techniques and tools.
- **Security Reporting and Communication:** Master the principles of reporting and communicating security findings to various stakeholders.
- **Security Analytics and Intelligence:** Understand how to use security analytics and intelligence to identify potential threats.
## Exam Day Strategy
1. **Pace Yourself:** With 165 minutes for the exam, you have ample time. If a question is too complex, flag it and move on.
2. **Read the Scenarios Carefully:** Intermediate-level questions are often scenario-based. Pay attention to keywords like "most likely," "least likely," and "best way."
3. **Use the Process of Elimination:** If you aren't sure of the right choice, eliminating the wrong ones significantly increases your chances.
## Conclusion
The CompTIA Cybersecurity Analyst (CySA+) is a significant investment in your career. It requires dedication and a deep understanding of security principles and analytical skills. By following a structured study plan, leveraging high-quality practice exams from [notjustexam.com](https://notjustexam.com), and gaining hands-on experience, you can master the complexities of security operations and join the elite group of certified cybersecurity analysts.
## Free [CompTIA] CS0-003 - CySA+ Practice Questions Preview
### Question 1
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
- A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
- B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
- C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
- D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Correct Answer:
A
Explanation:
I agree with the community and suggested answer of Option A. Although there is an apparent typographical error in the vector string (using
Reason
Option A is the most accurate choice because it satisfies the fundamental constraints given in the scenario. "PR:N" represents Privileges Required: None, aligning with
Why the other options are not as suitable
- Option B is incorrect because it specifies PR:H (Privileges Required: High) and UI:R (User Interaction: Required), both of which directly contradict the prompt's explicit statement that the vulnerability requires no user interaction or privilege escalation. It also contains an invalid metric value, "AV:K" (Attack Vector accepts only N, A, L, or P).
- Option C is incorrect because it specifies UI:H, which is not a valid CVSS v3.1 value for User Interaction (only N or R are valid), and indicates a low impact on confidentiality (C:L) and high impact on availability (A:H), contradicting the prompt.
- Option D is incorrect because it specifies PR:R (which is not a valid CVSS v3.1 value for Privileges Required, as it uses N, L, or H), requires user interaction (UI:R), and indicates high availability impact (A:H), failing multiple conditions of the scenario.
### Question 2
Which of the following tools would work best to prevent the exposure of PII outside of an organization?
- A. PAM
- B. IDS
- C. PKI
- D. DLP
Correct Answer:
D
Explanation:
I agree with the community and suggested answer that DLP (Data Loss Prevention) is the correct choice. It is specifically engineered to detect, monitor, and block unauthorized egress of sensitive data like Personally Identifiable Information (PII) beyond the corporate boundary.
Reason
Option D is correct because DLP (Data Loss Prevention) software scans networks, endpoints, and storage repositories to identify and prevent the unauthorized transmission of sensitive information. It relies on content awareness and inspection policies to detect patterns matching PII (such as Social Security numbers or credit card details) and can block that data from being emailed, uploaded, or copied externally.
Why the other options are not as suitable
- Option A is incorrect because PAM (Privileged Access Management) focuses on securing, controlling, and monitoring elevated access and credentials for administrative accounts, rather than inspecting outbound data content for PII leakage.
- Option B is incorrect because an IDS (Intrusion Detection System) monitors network traffic for malicious activity or policy violations to alert administrators about external attacks or insider threats, but it does not natively possess the granular data-classification and outbound enforcement capabilities needed to prevent PII exfiltration.
- Option C is incorrect because PKI (Public Key Infrastructure) provides the framework for managing digital certificates and public-key encryption to guarantee confidentiality and authentication, but it does not proactively inspect files to block the accidental or malicious transfer of unencrypted PII.
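The content-inspection step that the DLP explanation above describes, as an added example that is not part of the original page: a Social Security number pattern and a payment-card pattern run over constructed outbound messages, with a Luhn checksum to reject digit runs that merely look like card numbers.

```python
# Added example, not from the page: the kind of content-inspection rule a DLP
# engine applies to outbound messages, run over constructed sample messages.
# SSN and payment-card patterns; the Luhn check cuts false positives on digit runs.
import re

# US SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits):
    """Luhn checksum used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect(message):
    """Return (rule, redacted value) findings for one outbound message."""
    findings = []
    for m in SSN_RE.finditer(message):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(message):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):  # digit runs that fail Luhn are not card numbers
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def egress_decision(message):
    """Block when any rule fires; a real engine also weighs user, destination and policy."""
    return "block" if inspect(message) else "allow"


# Constructed sample messages, not real data.
SAMPLE_MESSAGES = [
    "Quarterly numbers attached, see you Monday.",
    "Customer SSN is 123-45-6789, please update the account.",
    "Card on file: 4111 1111 1111 1111 exp 12/27",
    "Order ref 1234-5678-1234-5678 shipped",  # matches the digit pattern, fails Luhn
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(egress_decision(msg), inspect(msg))
```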
### Question 3
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?
- A. Set an HttpOnly flag to force communication by HTTPS
- B. Block requests without an X-Frame-Options header
- C. Configure an Access-Control-Allow-Origin header to authorized domains
- D. Disable the cross-origin resource sharing header
Correct Answer:
C
Explanation:
I agree with the selected answer of C. The vulnerability assessment image highlights a Cross-Domain Misconfiguration alert. In web application security, this finding refers directly to misconfigured Cross-Origin Resource Sharing (CORS) headers, which are mitigated by restricting permissions to trusted origins rather than using risky wildcards.
Reason
Option C is correct because a Cross-Domain Misconfiguration indicates that the web server is overly permissive with resource sharing across different origins. Properly configuring the Access-Control-Allow-Origin header to whitelist only explicitly authorized domains ensures that malicious external domains cannot access sensitive data or execute cross-domain actions via an authenticated user's browser.
Why the other options are not as suitable
- Option A is incorrect because the HttpOnly flag prevents client-side scripts from accessing cookies to mitigate cross-site scripting (XSS) attacks; it does not force communication over HTTPS (which is handled by the Secure flag or HSTS).
- Option B is incorrect because blocking requests missing an X-Frame-Options header deals with mitigating clickjacking attacks rather than rectifying a cross-domain sharing policy.
- Option D is incorrect because completely disabling the cross-origin resource sharing header can break required modern application functionalities that legitimately depend on APIs hosted across separate subdomains or trusted third-party origins.
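The Cross-Domain Misconfiguration discussed in Question 3 as code, an added example that is not part of the original page: the over-permissive CORS header policy beside the allow-listed fix. The origins and the `browser_allows_read()` check are assumptions (a simplified model of the browser's credentialed-request rule), not anything from the page.

```python
# Added example, not from the page: an over-permissive CORS policy beside the
# allow-listed fix. ALLOWED_ORIGINS and PROBE_ORIGINS are assumed values;
# browser_allows_read() is a simplified model of the browser-side check.
ALLOWED_ORIGINS = {"https://portal.example.com", "https://app.example.com"}


def cors_headers_misconfigured(origin):
    """Weak setting: reflects whatever Origin the browser sent and allows
    credentials, so any site can read an authenticated user's responses."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Hardened setting: echo the Origin only on an exact match (scheme included).
    Sending no CORS headers makes the browser refuse the cross-origin read."""
    if origin not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # caches must not replay one origin's answer to another


def browser_allows_read(headers, origin):
    """Would a browser let a page at `origin` read a credentialed response?
    Only an exact origin echo plus the credentials header passes; a bare
    wildcard is rejected by browsers when credentials are included."""
    return (headers.get("Access-Control-Allow-Origin") == origin
            and headers.get("Access-Control-Allow-Credentials") == "true")


# Constructed probe origins: two legitimate, one look-alike host, one scheme downgrade.
PROBE_ORIGINS = ["https://portal.example.com", "https://app.example.com",
                 "https://portal.example.com.attacker.example",
                 "http://portal.example.com"]


def exposure(policy, origins=PROBE_ORIGINS):
    """Origins that could read authenticated data under the given header policy."""
    return [o for o in origins if browser_allows_read(policy(o), o)]


if __name__ == "__main__":
    print("misconfigured:", exposure(cors_headers_misconfigured))  # all four probes
    print("allow-listed: ", exposure(cors_headers))                # the two legitimate ones
```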
### Question 4
Which of the following items should be included in a vulnerability scan report? (Choose two.)
- A. Lessons learned
- B. Service-level agreement
- C. Playbook
- D. Affected hosts
- E. Risk score
- F. Education plan
Correct Answer:
DE
Explanation:
I agree with the community and suggested answer of D and E. A vulnerability scan report must provide actionable and context-specific data to help administrators prioritize and patch issues, which inherently requires knowing which devices are impacted and how severe the risk is.
Reason
Affected hosts (Option D) is correct because remediation teams need to know exactly which IP addresses, hostnames, or assets contain the vulnerability to target their patching efforts. Risk score (Option E) is correct because it allows organizations to prioritize vulnerabilities based on severity (such as CVSS scores), ensuring that critical flaws are addressed before low-risk items.
Why the other options are not as suitable
- Option A is incorrect because Lessons learned is a phase associated with incident response or post-incident reviews, not a standard component generated by a vulnerability scanner.
- Option B is incorrect because a Service-level agreement is a legal or contractual document defining performance standards between a provider and a customer, not an element of a technical scan report.
- Option C is incorrect because a Playbook provides a step-by-step standard operating procedure for responding to specific security incidents or threats, rather than being part of a scan report.
- Option F is incorrect because an Education plan details employee training initiatives and is part of a broader security awareness program, not an output of a technical vulnerability assessment.
### Question 5
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
- A. A mean time to remediate of 30 days
- B. A mean time to detect of 45 days
- C. A mean time to respond of 15 days
- D. Third-party application testing
Correct Answer:
A
Explanation:
I agree with the suggested answer A. The scenario describes a specific window of exposure: attacks actively exploit newly discovered vulnerabilities roughly 45 days after a patch becomes available. To mitigate this vulnerability window proactively before exploits occur, the organization must fully apply the patch across its environment. A mean time to remediate (MTTR) of 30 days guarantees that patches are completely deployed 15 days before the typical threat window opens.
Reason
Option A is correct because remediation explicitly refers to fixing the root cause of a security vulnerability (such as applying software patches or modifying configuration baselines). Since the organizational goal is to ensure patches are fully operational before the 45-day exploitation cycle begins, adopting a metric that enforces complete patch remediation within 30 days successfully protects the environment.
Why the other options are not as suitable
- Option B is incorrect because a mean time to detect of 45 days is far too slow; it means the organization takes 45 days just to discover an issue or an attack, leaving zero time to fix it before exploitation begins.
- Option C is incorrect because mean time to respond typically quantifies initial incident response triage activities (such as isolation, containment, or logging) after an active exploit or security alert is detected, rather than the proactive structural distribution of software patches to resolve underlying security vulnerabilities.
- Option D is incorrect because third-party application testing is an audit or assessment capability designed to find programming flaws; it does not dictate or accelerate the patch deployment schedule required to resolve known vendor-released updates.
### Question 6
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?
- A. PowerShell
- B. Ruby
- C. Python
- D. Shell script
Correct Answer:
A
Explanation:
I agree with the chosen answer, which is A. PowerShell. The provided script explicitly utilizes the Verb-Noun cmdlet structure (such as Get-ADUser, Add-ADGroupMember, and Set-ADUser) along with standard PowerShell pipeline syntax (|) and variables prefixed with the dollar sign ($), which are definitive identifiers of PowerShell.
Reason
Option A is correct because the syntax features standard PowerShell cmdlets (like Get-Content and Get-ADUser), loops (foreach), and Active Directory object manipulation commands designed for Windows-based administration frameworks.
Why the other options are not as suitable
- Option B is incorrect because Ruby does not use Verb-Noun cmdlets with hyphens or the Get-Content command structure to process files and objects.
- Option C is incorrect because Python relies on indentation for block definition, utilizes keywords like 'for user in ...:', and requires specialized modules like 'pyad' or 'ldap3' rather than native cmdlet structures.
- Option D is incorrect because a standard Unix Shell script (such as Bash) utilizes a different structure for loops (like 'for user in ...; do ... done') and handles commands via native binaries rather than Windows-specific cmdlet naming conventions.
### Question 7
A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP and at other times through HTTPS. Which of the following most likely describes the observed activity?
- A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
- B. An on-path attack is being performed by someone with internal access that forces users into port 80
- C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
- D. An error was caused by BGP due to new rules applied over the company's internal routers
Correct Answer:
B
Explanation:
I agree with the community and suggested answer of Option B. The intermittent downgrade from HTTPS to HTTP paired with compromised user accounts strongly indicates an active on-path (man-in-the-middle) stripping attack where credentials are being intercepted.
Reason
Option B is correct because an on-path attacker positioned within the internal network can actively perform SSL/TLS stripping. By intercepting communication, the attacker forces the user's connection to downgrade to unencrypted HTTP (port 80) while maintaining an HTTPS connection with the server. This explains both the compromised accounts (due to cleartext credential harvesting) and why the portal is only sometimes accessible securely.
Why the other options are not as suitable
- Option A is incorrect because a problem with the SSL certificate would typically result in explicit browser security warnings or a total denial of HTTPS access rather than silently dropping users back to an unencrypted HTTP connection.
- Option C is incorrect because a high volume of traffic or resource exhaustion on a web server would cause connection timeouts, 5xx server errors, or crashes, rather than selectively rewriting configuration rules to forward traffic over port 80.
- Option D is incorrect because BGP (Border Gateway Protocol) is an exterior gateway protocol responsible for routing traffic between autonomous systems across the internet; it does not dictate layer 7 protocol properties or port redirection on an internal corporate portal.
### Question 8
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
3. The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
- A. Name: THOR.HAMMER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - Internal System
- B. Name: CAP.SHIELD - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - External System
- C. Name: LOKI.DAGGER - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H - External System
- D. Name: THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - Internal System
Correct Answer:
B
Explanation:
I agree with the community and suggested answer of Option B. The organization's policy dictates a higher priority for vulnerabilities impacting Confidentiality (C:H) over Availability (A:H), and prioritizes externally accessible systems over internal ones. Option B matches all these high-priority criteria perfectly.
Reason
Option B is correct because its CVSS string shows a high impact on confidentiality (C:H), which satisfies Security Policy 1006, Rule 2 stating confidentiality must be prioritized over availability. Furthermore, it resides on an External System, satisfying Rule 3 which mandates prioritizing publicly available systems over internal systems.
Why the other options are not as suitable
- Option A is incorrect because it impacts availability (A:H) instead of confidentiality (C:N) and resides on an Internal System, giving it the lowest priority across both rules.
- Option C is incorrect because despite being an External System, its high impact metric is tied to availability (A:H) rather than confidentiality (C:N), violating Rule 2.
- Option D is incorrect because it resides on an Internal System, meaning it falls behind Option B under Rule 3, which explicitly prioritizes external systems when all other metrics are equal.
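The vector validation that Question 1 turns on and the policy-driven ranking from Question 8, worked as one added example that is not part of the original page: a CVSS v3.1 base-vector parser that reports malformed metrics instead of guessing, the base-score equations, and a sort key implementing Security Policy 1006. The `external` flag on each finding is taken from the option text; the policy ordering (score, then confidentiality impact, then exposure) is my reading of the three rules.

```python
# Added example, not from the page: parse and validate CVSS v3.1 base vectors,
# compute the base score, and rank findings by the page's Security Policy 1006
# (confidentiality over availability, external systems over internal ones).

# Allowed values per CVSS v3.1 base metric, from the specification.
VALID = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
         "C": "HLN", "I": "HLN", "A": "HLN"}
AV_W = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC_W = {"L": 0.77, "H": 0.44}
UI_W = {"N": 0.85, "R": 0.62}
CIA_W = {"H": 0.56, "L": 0.22, "N": 0.0}


def parse_vector(vector):
    """Return (metrics, errors); bad keys or values are reported, never guessed."""
    errors, metrics, seen = [], {}, set()
    if not vector.startswith("CVSS:3.1/"):
        errors.append("missing or malformed CVSS:3.1 prefix")
    for part in vector.split("/")[1:]:
        key, _, val = part.partition(":")
        seen.add(key)
        if key not in VALID:
            errors.append(f"unknown metric {key}")
        elif val not in VALID[key]:
            errors.append(f"invalid value {key}:{val}")
        else:
            metrics[key] = val
    errors += [f"missing metric {k}" for k in VALID if k not in seen]
    return metrics, errors


def roundup(x):
    """CVSS v3.1 Roundup (spec Appendix A): smallest one-decimal value >= x."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (i // 10000 + 1) / 10.0


def base_score(m):
    """Base score for a validated metrics dict, per the v3.1 equations."""
    changed = m["S"] == "C"
    pr = {"N": 0.85, "L": 0.68 if changed else 0.62,
          "H": 0.5 if changed else 0.27}[m["PR"]]
    iss = 1 - (1 - CIA_W[m["C"]]) * (1 - CIA_W[m["I"]]) * (1 - CIA_W[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * AV_W[m["AV"]] * AC_W[m["AC"]] * pr * UI_W[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


IMPACT_RANK = {"H": 2, "L": 1, "N": 0}


def policy_key(finding):
    """Policy 1006 sort key: base score (rule 1), C impact (rule 2), external (rule 3)."""
    metrics, errors = parse_vector(finding["vector"])
    if errors:  # never rank a vector we could not validate
        raise ValueError(f"{finding['name']}: {', '.join(errors)}")
    return (base_score(metrics), IMPACT_RANK[metrics["C"]], finding["external"])


def prioritize(findings):
    """Finding names in patch order under the policy (highest key first)."""
    return [f["name"] for f in sorted(findings, key=policy_key, reverse=True)]


# The four findings from Question 8: (name, impact metrics, external?).
FINDINGS = [
    {"name": n, "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/" + cia, "external": ext}
    for n, cia, ext in [("THOR.HAMMER", "C:N/I:N/A:H", False),
                        ("CAP.SHIELD", "C:H/I:N/A:N", True),
                        ("LOKI.DAGGER", "C:N/I:N/A:H", True),
                        ("THANOS.GAUNTLET", "C:H/I:N/A:N", False)]]
```

All four Question 8 vectors score 7.5, which is exactly why the policy's tie-breakers decide the order; running `parse_vector` on Question 1's option strings reports their malformed metrics rather than scoring them.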
### Question 9
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
- A. Business continuity plan
- B. Vulnerability management plan
- C. Disaster recovery plan
- D. Asset management plan
Correct Answer:
A
Explanation:
I agree with the suggested answer A. A Business Continuity Plan (BCP) is designed to ensure that mission-critical services and operations continue running with minimal or no disruption during an ongoing incident.
Reason
Option A is correct because a Business Continuity Plan (BCP) focuses on high-level business resilience and contains the protocols necessary to maintain continuous operations and keep mission-critical functions available throughout an adverse event or incident.
Why the other options are not as suitable
- Option B is incorrect because a vulnerability management plan focuses on identifying, prioritizing, and remediating weaknesses within systems before they can be exploited, rather than maintaining operational availability during an active incident.
- Option C is incorrect because a Disaster Recovery Plan (DRP) is a subset of the BCP that focuses specifically on restoring systems and data after a major disruption or disaster has already knocked them offline, rather than ensuring continuous availability during an incident.
- Option D is incorrect because an asset management plan involves tracking, inventorying, and managing physical and digital assets over their lifecycle, which does not directly dictate incident operational availability procedures.
### Question 10
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
- A. Deploy a CASB and enable policy enforcement
- B. Configure MFA with strict access
- C. Deploy an API gateway
- D. Enable SSO to the cloud applications
Correct Answer:
A
Explanation:
I agree with the community and suggested answer of Option A. A Cloud Access Security Broker (CASB) is explicitly designed to solve the problem of shadow IT by discovering unapproved cloud usage, assessing risk, and enforcing security policies across an enterprise's cloud environment.
Reason
Option A is correct because a CASB acts as a security policy enforcement point placed between cloud service consumers and cloud service providers. It is specifically designed to provide visibility into shadow IT, identify high-risk cloud applications being used without authorization, and actively block or restrict traffic to those applications based on enterprise policies.
Why the other options are not as suitable
- Option B is incorrect because configuring MFA (Multi-Factor Authentication) secures authorized corporate identities and access paths, but it does not discover or mitigate the risk of unauthorized shadow IT cloud applications.
- Option C is incorrect because an API gateway manages, secures, and routes API traffic for applications owned or managed by the organization; it cannot monitor or control general employee web traffic to external shadow IT cloud applications.
- Option D is incorrect because enabling SSO (Single Sign-On) centralizes authentication for sanctioned, managed enterprise applications, but it cannot prevent users from bypassing corporate infrastructure to access unapproved, unsanctioned high-risk cloud applications.