CS0-003練習問題集で検証済みで更新された430問題あります
更新されたCS0-003試験問題集でPDF問題とテストエンジン
CompTIA CS0-003 認定試験の出題範囲:
| トピック | 出題範囲 |
|---|---|
| トピック 1 |
|
| トピック 2 |
|
| トピック 3 |
|
| トピック 4 |
|
質問 # 70
During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?
- A. Place a legal hold on the employee's mailbox.
- B. Enable filtering on the web proxy.
- C. Configure a deny rule on the firewall.
- D. Disable the public email access with CASB.
正解:A
解説:
Explanation
Placing a legal hold on the employee's mailbox is the best action to perform first, as it preserves all mailbox content, including deleted items and original versions of modified items, for potential legal or forensic purposes. A legal hold is a feature that allows an administrator to retain mailbox data for a user indefinitely or for a specified period, regardless of the user's actions or retention policies. A legal hold can be applied to a mailbox using Litigation Hold or In-Place Hold in Exchange Server or Exchange Online. A legal hold can help to ensure that evidence of data exfiltration or other malicious activities is not lost or tampered with, and that the organization can comply with any legal or regulatory obligations. The other actions are not as urgent or effective as placing a legal hold on the employee's mailbox, as they do not address the immediate threat of data loss or compromise. Enabling filtering on the web proxy may help to prevent some types of data exfiltration or malicious traffic, but it does not help to recover or preserve the data that has already been emailed externally. Disabling the public email access with CASB (Cloud Access Security Broker) may help to block or monitor the use of public email services by employees, but it does not help to recover or preserve the data that has already been emailed externally. Configuring a deny rule on the firewall may help to block or monitor the network traffic from the employee's laptop, but it does not help to recover or preserve the data that has already been emailed externally.
質問 # 71
A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization's environment. An analyst views the details of these events below:
Which of the following statements best describes the intent of the attacker, based on this one-liner?
- A. Attacker is attempting to install persistence mechanisms on the target machine.
- B. Attacker is executing PowerShell script "AccessToken.psr.
- C. Attacker is utilizing custom malware to download an additional script.
- D. Attacker is escalating privileges via JavaScript.
正解:C
解説:
The one-liner script is utilizing JavaScript to execute a PowerShell command that downloads and runs a script from an external source, indicating the use of custom malware to download an additional script. Reference: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 156.
質問 # 72
A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?
- A. Segmenting the network between the users and the web server
- B. Implementing multifactor authentication on the server OS
- C. Hashing user passwords on the web application
- D. Performing input validation before allowing submission
正解:D
質問 # 73
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
- A. Agent-based scanning
- B. Dynamic scanning
- C. Credentialed network scanning
- D. Passive scanning
正解:A
解説:
Agent-based scanning is a method that involves installing software agents on the target systems or networks that can perform local scans and report the results to a central server or console.
Agent- based scanning can reduce the access to systems, as the agents do not require any credentials or permissions to scan the local system or network. Agent-based scanning can also provide the most accurate vulnerability scan results, as the agents can scan continuously or on- demand, regardless of the system or network status or location.
質問 # 74
Which of the following can be used to learn more about TTPs used by cybercriminals?
- A. theHarvester
- B. ZenMAP
- C. National Institute of Standards and Technology
- D. MITRE ATT&CK
正解:D
解説:
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. It can help security professionals understand, detect, and mitigate cyber threats by providing a comprehensive framework of TTPs.
質問 # 75
An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?
- A. The vulnerability management software needs to be updated.
- B. The vulnerability scanner was configured without credentials.
- C. A rollback had been executed on the instance.
- D. The finding is a false positive and should be ignored.
正解:C
解説:
A rollback had been executed on the instance. If a database server is restored to a previous state, it may reintroduce a vulnerability that was previously fixed. This can happen due to backup and recovery operations, configuration changes, or software updates. A rollback can undo the patching or mitigation actions that were applied to remediate the vulnerability. Reference: Vulnerability Remediation: It's Not Just Patching, Section: The Remediation Process; Vulnerability assessment for SQL Server, Section: Remediation
質問 # 76
The analyst reviews the following endpoint log entry:
Which of the following has occurred?
- A. New account introduced
- B. Privilege escalation
- C. Rename computer
- D. Registry change
正解:A
解説:
The endpoint log entry shows that a new account named "admin" has been created on a Windows system with a local group membership of "Administrators". This indicates that a new account has been introduced on the system with administrative privileges. This could be a sign of malicious activity, such as privilege escalation or backdoor creation, by an attacker who has compromised the system.
質問 # 77
An analyst needs to provide recommendations based on a recent vulnerability scan:
Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?
- A. Scan not performed with admin privileges
- B. SSL certificate cannot be trusted
- C. SYN scanner
- D. SMB use domain SID to enumerate users
正解:A
解説:
This is because scanning without admin privileges can limit the scope and accuracy of the vulnerability scan, and potentially miss some critical vulnerabilities that require higher privileges to detect. According to the OWASP Vulnerability Management Guide1, "scanning without administrative privileges will result in a large number of false negatives and an incomplete scan". Therefore, the analyst should recommend addressing this issue to ensure potential vulnerabilities are identified.
質問 # 78
An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country.
Which of the following best describes what is happening? (Choose two.)
- A. Address Resolution Protocol poisoning
- B. Domain Name System hijacking
- C. Obfuscated links
- D. Social engineering attack
- E. On-path attack
- F. Beaconinq
正解:C、D
解説:
A social engineering attack is a type of cyberattack that relies on manipulating human psychology rather than exploiting technical vulnerabilities. A social engineering attack may involve deceiving, persuading, or coercing users into performing actions that benefit the attacker, such as clicking on malicious links, divulging sensitive information, or granting access to restricted resources. An obfuscated link is a link that has been disguised or altered to hide its true destination or purpose. Obfuscated links are often used by attackers to trick users into visiting malicious websites or downloading malware. In this case, an incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. This indicates that the analyst is witnessing a social engineering attack using obfuscated links.
質問 # 79
Which of the following is a commonly used four-component framework to communicate threat actor behavior?
- A. MITRE ATT&CK
- B. Cyber Kill Chain
- C. Diamond Model of Intrusion Analysis
- D. STRIDE
正解:C
解説:
The Diamond Model of Intrusion Analysis is a framework that describes the relationship between four components of a cyberattack: adversary, capability, infrastructure, and victim. It helps analysts understand the behavior and motivation of threat actors, as well as the tools and methods they use to compromise their targets12. References: Main Analytical Frameworks for Cyber Threat Intelligence, section 4; Strategies, tools, and frameworks for building an effective threat intelligence team, section 3.
質問 # 80
An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?
- A. Patch the mobile device's OS
- B. Block third-party applications
- C. Implement MDM
- D. Update the maiware catalog
正解:C
解説:
MDM solution to manage the configuration of those devices, automatically installing patches, requiring the use of encryption, and providing remote wiping functionality. MDM solutions may also restrict the applications that can be run on a mobile device to those that appear on an approved list.
質問 # 81
Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?
- A. To provide recommendations for handling vulnerabilities
- B. To verify the roles of the incident response team
- C. TO provide metrics and test continuity controls
- D. To perform tests against implemented security controls
正解:C
解説:
The correct answer is A. To provide metrics and test continuity controls.
A disaster recovery exercise is a simulation or a test of the disaster recovery plan, which is a set of procedures and resources that are used to restore the normal operations of an organization after a disaster or a major incident. The goal of a disaster recovery exercise is to provide metrics and test continuity controls, which are the measures that ensure the availability and resilience of the critical systems and processes of an organization.
A disaster recovery exercise can help evaluate the effectiveness, efficiency, and readiness of the disaster recovery plan, as well as identify and address any gaps or issues .
The other options are not the best descriptions of the goal of a disaster recovery exercise. Verifying the roles of the incident response team (B) is a goal of an incident response exercise, which is a simulation or a test of the incident response plan, which is a set of procedures and roles that are used to detect, contain, analyze, and remediate an incident. Providing recommendations for handling vulnerabilities is a goal of a vulnerability assessment, which is a process of identifying and prioritizing the weaknesses and risks in an organization's systems or network. Performing tests against implemented security controls (D) is a goal of a penetration test, which is an authorized and simulated attack on an organization's systems or network to evaluate their security posture and identify any vulnerabilities or misconfigurations.
質問 # 82
An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?
- A. RFI
- B. CSRF
- C. XSS
- D. LFI
正解:B
質問 # 83
Which of the following is the most likely reason for an organization to assign different internal departmental groups during the post-incident analysis and improvement process?
- A. To allow cross-training for staff who are not involved in the incident response process
- B. To verify that the organization playbook was properly followed throughout the incident
- C. To ensure all staff members get exposure to the review process and can provide feedback
- D. To expose flaws in the incident management process related to specific work areas
正解:D
解説:
The post-incident review process helps an organization identify gaps in its response and security posture. Assigning different departmental groups ensures that flaws in specific work areas (such as IT, HR, or legal teams) are identified and addressed.
Option B is incorrect because not all staff need exposure; the review focuses on relevant stakeholders.
Option C is a part of the process, but the main goal is improvement, not just playbook verification.
Option D (cross-training) is a benefit but not the main objective.
Thus, A is the best answer because it focuses on identifying flaws in specific areas of incident management.
質問 # 84
During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?
- A. Log in to the affected server and begin analysis of the logs
- B. Clone the virtual server for forensic analysis
- C. Restore from the last known-good backup to confirm there was no loss of connectivity
- D. Shut down the affected server immediately
正解:B
質問 # 85
......
最新(2025)CompTIA CS0-003試験問題集:https://jp.fast2test.com/CS0-003-premium-file.html
最適な練習法にはCompTIA CS0-003試験の素晴らしいCS0-003試験問題PDF:https://drive.google.com/open?id=1mYCLTozfngxpl2klGL6ausS2F83ioGSq