
CySA+ Simulation

The document details various cybersecurity scenarios involving security incidents, vulnerability scans, and remediation actions. It includes instructions for identifying malware, assessing server vulnerabilities, and implementing security controls based on risk assessments. Each scenario emphasizes the importance of proper security measures to prevent incidents and maintain compliance with organizational guidelines.

Uploaded by

akdeniz.erdem
Copyright
© All Rights Reserved

Q.33
https://www.examtopics.com/discussions/comptia/view/145910-exam-cs0-003-topic-1-question-260-discussion/

A company recently experienced a security incident. The security team has determined a user clicked
on a link embedded in a phishing email that was sent to the entire company. The link resulted in a
malware download, which was subsequently installed and run.

INSTRUCTIONS
Part 1
Review the artifacts associated with the security incident. Identify the name of the malware, the
malicious IP address, and the date and time when the malware executable entered the organization.
Part 2
Review the kill chain items and select an appropriate control for each that would improve the security
posture of the organization and would have helped to prevent this incident from occurring. Each
control may only be used once, and not all controls will be used.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.
ANSWER:

Part 1 (artifacts):
Malware name: invoice.exe
Malicious IP address: 81.161.63.253
Date and time the malware executable entered the organization: 1 Dec 2019 14:03:19

Part 2 (kill chain controls):
Phishing email: Email filtering
Active links: Plain text email format
Malicious website access: IP blocklist
Malware download: Firewall file type filter
Malware install: Restricted local user permissions
Malware execution: Updated antivirus
File encryption: Disk-level encryption


Q.122
https://www.examtopics.com/discussions/comptia/view/83306-exam-cs0-002-topic-1-question-6-discussion/

You are a penetration tester who is reviewing the system hardening guidelines for a company's
distribution center. The company's hardening guidelines indicate the following:
✑ There must be one primary server or service per device.
✑ Only default ports should be used.
✑ Non-secure protocols should be disabled.
✑ The corporate Internet presence should be placed in a protected subnet.

INSTRUCTIONS -
Using the tools available, discover devices on the corporate network and the services that are running
on these devices.
You must determine:
✑ The IP address of each device.
✑ The primary server or service of each device.
✑ The protocols that should be disabled based on the hardening guidelines.
ANSWER:
Q.198
https://www.pass4success.com/comptia/discussions/exam-cs0-003-topic-2-question-32-discussion

A healthcare organization must develop an action plan based on the findings from a risk assessment.
The action plan must consist of:
* Risk categorization
* Risk prioritization
* Implementation of controls

INSTRUCTIONS
Click on the audit report, risk matrix, and SLA expectations documents to review their contents.
On the Risk categorization tab, determine the order in which the findings must be prioritized for
remediation according to the risk rating score. Then, assign a categorization to each risk.
On the Controls tab, select the appropriate control(s) to implement for each risk finding.
Findings may have more than one control implemented. Some controls may be used more than once
or not at all.
ANSWER:

Score  Category  Control(s)
2      LOW       Implement web content filter
25     HIGH      Implement SPF / Implement mail filters
4      LOW       Approved software listing
9      MEDIUM    Require data de-identification
3      LOW       Require 2FA / Implement IAM
6      MEDIUM    Relocate devices to secured locations / PIN to print
15     HIGH      Email encryption / DLP
20     HIGH      IDS/IPS – Filter echo request reply

Q.214
https://www.examtopics.com/discussions/comptia/view/100178-exam-cs0-002-topic-1-question-326-discussion/

The developers recently deployed new code to three web servers. A daily automated external device
scan report shows server vulnerabilities that are failing items according to PCI DSS.
If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean.

If the vulnerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab
to complete the simulation by selecting the correct Validation Result and Remediation
Action for each server listed using the drop-down options.

INSTRUCTIONS

STEP 1: Review the information provided in the network diagram.

STEP 2: Given the scenario, determine which remediation action is required to address the
vulnerability.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.

ANSWER:

Web Server 1 --> True positive - Encrypt entire session

Web Server 2 --> False Positive - Submit as non-issue

Web Server 3 --> True Positive - Request certificate from a public CA

Q.226
https://www.examtopics.com/discussions/comptia/view/22265-exam-cs0-001-topic-1-question-166-discussion/

A security analyst performs various types of vulnerability scans.


Review the vulnerability scan results to determine the type of scan that was executed and if a false
positive occurred for each device.
Instructions:
Select the Results Generated drop-down option to determine if the results were generated from a
credentialed scan, non-credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and
check the findings that display false positives. NOTE: If you would like to uncheck an option that is
currently selected, click on the option a second time.
Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to
the results.
The Linux Web Server, File-Print Server and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please select the Reset
All button. When you have completed the simulation, please select the Done button to submit. Once
the simulation is submitted, please select the Next button to continue.


ANSWER:

1. Non-credentialed scan - File Print Server
2. Credentialed scan - Linux Web Server: False positive - 19407
3. Compliance scan - Directory Server

Q.228
https://www.examtopics.com/discussions/comptia/view/90464-exam-cs0-002-topic-1-question-196-discussion/
You are a cybersecurity analyst tasked with interpreting scan data from Company A’s servers. You
must verify the requirements are being met for all of the servers and recommend changes if you find
they are not.

The company’s hardening guidelines indicate the following:

• TLS 1.2 is the only version of TLS running.
• Apache 2.4.18 or greater should be used.
• Only default ports should be used.

INSTRUCTIONS -

Using the supplied data, record the status of compliance with the company’s guidelines for each
server.

The question contains two parts; make sure you complete Part1 and Part2. Make recommendations
for issues based ONLY on the hardening guidelines provided.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.
ANSWER:

• TLS 1.2 is the only version of TLS running.


• Apache 2.4.18 or greater should be used.
• Only default ports should be used

With that being said,


Scan data analysis:
AppServ 1 and 4 are only using TLS 1.2.
AppServ 1/3/4 are running Apache 2.4.18 or greater.

Recommendations:
AppServ2 - Apache Version - Upgrade version
AppServ4 - SSH - Move to port 22 (default port)

Questionable:
AppServ 2 & 3 - ?HTTPD Security? - Restrict to TLS 1.2
Options are HTTPD Security / MySQL / Telnet / Apache Version / SSH.
Q.257
https://www.examtopics.com/discussions/comptia/view/80474-exam-cs0-002-topic-1-question-28-discussion/

SIMULATION -
Approximately 100 employees at your company have received a phishing email. As a security analyst,
you have been tasked with handling this situation.

INSTRUCTIONS -
Review the information provided and determine the following:
1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?
If at any time you would like to bring back the initial state of the simulation, please click the Reset All
button.

ANSWER:

192.168.0.134
192.168.0.254
192.168.0.9
192.168.0.70
192.168.0.188
192.168.0.24
192.168.0.132

Q.278

An organization has noticed large amounts of data are being sent out of its network. An
analyst is identifying the cause of the data exfiltration.

INSTRUCTIONS
Select the command that generated the output in tabs 1 and 2.
Review the output text in all tabs and identify the file responsible for the malicious behavior.
Q.57/68
https://www.dumpspedia.com/cs0-003-comptia-cysap-certification-exam-dumps.html

A systems administrator is reviewing the output of a vulnerability scan.

INSTRUCTIONS

Review the information in each tab. Based on the organization's environment architecture and
remediation standards, select the server to be patched within 14 days and select the appropriate
technique and mitigation.
ANSWER:

Step 1: Reviewing the Vulnerability Remediation Timeframes

The remediation standards require servers to be patched based on their CVSS score:

CVSS > 9.0: Patch within 7 days

CVSS 7.9 - 9.0: Patch within 14 days

CVSS 5.0 - 7.9: Patch within 30 days

CVSS 0 - 5.0: Patch within 60 days

Step 2: Analyzing the Output Tab

From the Output tab:

Server 192.168.76.5 has a CVSS score of 9.2 for an unsupported Microsoft IIS version, indicating a
critical vulnerability requiring a patch within 7 days.

Server 192.168.76.6 has a CVSS score of 7.4 for a missing secure attribute on HTTPS cookies, which
falls in the 5.0 - 7.9 range, requiring a patch within 30 days.

Since the question asks for the server to be patched within 14 days, we need to focus on servers
with CVSS 7.9 - 9.0. None of the servers has a CVSS score that falls precisely in the 7.9 - 9.0 range.

However, 192.168.76.5, with a CVSS score of 9.2, falls in the strictest tier (7 days), and a 7-day
deadline is by definition also met within 14 days, so it is the server that must be patched within
the shortest timeframe.

The server that fits within a 14-day urgency, based on standard practices, would be 192.168.76.5.

Step 3: Reviewing the Environment Tab

The Environment Tab provides additional context for 192.168.76.5:

It’s in the dev environment, which is internal and not publicly accessible.

MFA is required, indicating security measures are already present.

Step 4: Selecting the Appropriate Technique and Mitigation

For 192.168.76.5, with the Microsoft IIS unsupported version:

Patch; upgrade IIS to the current release is the most suitable option, as upgrading IIS will resolve the
unsupported software vulnerability by bringing it up-to-date with supported versions.

This technique addresses the root cause, which is the unpatched, outdated software.

Summary

Server to be patched within 14 calendar days: 192.168.76.5

Appropriate technique and mitigation: Patch; upgrade IIS to the current release

Q.86/136
https://www.dumpsmate.com/cs0-003-comptia-cysap-certification-beta-exam-question.html

An organization's website was maliciously altered.

INSTRUCTIONS

Review information in each tab to select the source IP the analyst should be concerned

about, the indicator of compromise, and the two appropriate corrective actions.
ANSWER:

Step 1: Analyzing the SFTP Log

The SFTP log provides a record of file transfer and login activities:

User “sjames” logged in from several IP addresses:

192.168.10.32 and 192.168.10.37 (internal network IPs)

32.111.16.37 and 41.21.18.102 (external IPs)

We see file alterations in the /var/www directory, which is commonly the web directory.

Modified files: about_us.html, index.html

Suspicious activity:

192.168.11.102 and 41.21.18.102 modified the files.

32.111.16.37 had failed login attempts, indicating possible unauthorized access attempts.

The most suspicious IP here is 41.21.18.102, as it’s associated with direct file modifications, possibly
indicating unauthorized access.

Step 2: Reviewing Netstat


The netstat output shows active connections and their states:

IP 41.21.18.102 has an ESTABLISHED connection with port 22, commonly used for SFTP.

IP 32.111.16.37 is also attempting connections, and its connections are in a TIME_WAIT state,
showing prior connections were recently closed.

The netstat output reaffirms 41.21.18.102 is actively connected and potentially involved in malicious
activities.

Step 3: Checking the HTTP Access Log

The HTTP Access log shows access to about_us.html:

32.111.16.37 repeatedly accessed /about_us.html with 404 errors, indicating attempts to reach
non-existent pages.

41.21.18.102 received 200 status codes for its requests, showing successful page loads; since this IP
was also modifying files directly on the server, it was likely verifying its changes.

Again, 41.21.18.102 stands out as it matches both successful file modification and page request
patterns, while 32.111.16.37 shows unsuccessful attempts.

Step 4: Selecting the IP of Concern

Based on the above analysis:

Answer: 41.21.18.102 should be the IP of concern due to its direct file modifications on critical web
files (about_us.html, index.html).

Step 5: Identifying the Indicator of Compromise

Potential indicators include unauthorized file modifications:

Modified index.html file is the correct answer, as it indicates direct changes to website content and is
often a clear sign of compromise.

Step 6: Selecting Corrective Actions

To mitigate and prevent further compromise:

Change the password on the “sjames” account: The account was used across various IPs, indicating
potential account compromise.

Block external SFTP access: Restricting SFTP to internal IPs only would prevent unauthorized external
modifications. Since 41.21.18.102 was external, this would stop similar threats.

Summary

IP of Concern: 41.21.18.102

Indicator of Compromise: Modified index.html file

Corrective Actions:

Change the password on the sjames account

Block external SFTP access


These selections address both the immediate security breach and implement a preventative measure
against future unauthorized access.
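The correlation in Steps 1 to 4 above, as an added example that is not part of the exam answer: it parses SFTP-log and netstat lines, counts failed logins and web-root writes per source IP, and ranks external addresses that both modified files under /var/www and hold an open SSH session. The log line formats, the netstat local address 10.0.0.5 and the timestamps are constructed assumptions; the user, IPs and file names are the ones the answer discusses.

```python
import ipaddress

# Constructed sample lines shaped like the simulation's SFTP log and netstat
# tabs (not the real simulation text); user, IPs and file names come from the
# answer above, everything else is an assumption for the example.
SFTP_LOG = """\
09:01:10 sjames login ok from 192.168.10.32
09:03:42 sjames login failed from 32.111.16.37
09:03:55 sjames login failed from 32.111.16.37
09:10:07 sjames login ok from 41.21.18.102
09:11:30 sjames put /var/www/index.html from 41.21.18.102
09:12:02 sjames put /var/www/about_us.html from 41.21.18.102
"""
NETSTAT = """\
tcp 0 0 10.0.0.5:22 41.21.18.102:51422 ESTABLISHED
tcp 0 0 10.0.0.5:22 32.111.16.37:40011 TIME_WAIT
"""
WEB_ROOT = "/var/www/"

def parse_sftp(log):
    """Per source IP: count failed logins and collect writes under the web root."""
    per_ip = {}
    for line in log.splitlines():
        tok = line.split()          # time user action [path] from ip
        rec = per_ip.setdefault(tok[-1], {"failed": 0, "web_writes": []})
        if tok[2:4] == ["login", "failed"]:
            rec["failed"] += 1
        elif tok[2] == "put" and tok[3].startswith(WEB_ROOT):
            rec["web_writes"].append(tok[3])
    return per_ip

def established_ssh(netstat):
    """Remote IPs holding an ESTABLISHED session to local port 22 (SFTP)."""
    live = set()
    for line in netstat.splitlines():
        tok = line.split()          # proto recv-q send-q local remote state
        if tok[3].endswith(":22") and tok[5] == "ESTABLISHED":
            live.add(tok[4].rsplit(":", 1)[0])
    return live

def ip_of_concern(sftp_log, netstat):
    """Rank: external first, then web-root writes, live SSH session, failed logins."""
    per_ip, live = parse_sftp(sftp_log), established_ssh(netstat)
    def score(item):
        ip, rec = item
        external = not ipaddress.ip_address(ip).is_private
        return (external, len(rec["web_writes"]), ip in live, rec["failed"])
    ip, rec = max(per_ip.items(), key=score)
    return ip, sorted(rec["web_writes"])   # (IP of concern, modified web files as IoCs)
```

The failed-login source 32.111.16.37 ranks below 41.21.18.102 because it never wrote to the web root, which mirrors the reasoning in Step 3.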

Links
CompTIA SA+ PBQ Certmaster
https://www.youtube.com/playlist?list=PLUkY1OVVHzVkErpMqpHdVsMfc9SQ4OZmq
