CompTIA CS0-003 Exam Actual Questions
CompTIA CySA+ (CS0-003) (Page 11)

Updated On: 13-Jun-2026

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

- created the initial evidence log.
- disabled the wireless adapter on the device.
- interviewed the employee, who was unable to identify the website that was accessed.
- reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

  1. Update the system firmware and reimage the hardware.
  2. Install an additional malware scanner that will send email alerts to the analyst.
  3. Configure the system to use a proxy server for Internet access.
  4. Delete the user profile and restore data from backup.

Answer(s): A

Explanation:

Option A is correct because remediation after a malware infection typically requires reimaging the system from a verified clean image and updating the firmware, so that all traces of the malware are removed and the exploited weaknesses are addressed.
A) Correct — Reimaging and a firmware update re-establish a trusted baseline and eradicate persistent threats, consistent with moving from containment to eradication and recovery in incident response.
B) Incorrect — Installing an additional malware scanner may help detection, but it neither guarantees eradication nor prevents persistence; alerts do not substitute for full remediation.
C) Incorrect — Configuring a proxy for Internet access does not remove existing malware or address persistence, and may hinder performance.
D) Incorrect — Deleting the user profile and restoring data from backup may fail if the backups are also infected or if the malware persists in other system components outside the profile.



A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

  1. High GPU utilization
  2. Bandwidth consumption
  3. Unauthorized changes
  4. Unusual traffic spikes

Answer(s): A

Explanation:

Option A is correct because cryptomining typically drives sustained high GPU utilization, since miners use GPU resources for hash calculations.
B) Incorrect — Bandwidth consumption can result from many other applications and does not specifically indicate cryptomining.
C) Incorrect — Unauthorized changes indicate compromise but not specifically mining activity.
D) Incorrect — Unusual traffic spikes can be caused by various processes and do not pinpoint cryptomining.



A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

  1. Help desk
  2. Law enforcement
  3. Legal department
  4. Board member

Answer(s): C

Explanation:

Option C is correct because escalating to the Legal department aligns with policy enforcement and regulatory/contractual obligations regarding inappropriate use of resources, data governance, and potential legal risk. It ensures proper documentation, risk assessment, and coordination with compliance requirements before disciplinary actions or external notifications.
A) Incorrect — Help desk handles operational support, not policy escalation or legal risk management.
B) Incorrect — Law enforcement is only appropriate for criminal activity with evidence, not initial internal escalation for policy compliance.
D) Incorrect — Board member involvement is not appropriate for day-to-day policy enforcement or incident handling.



Given the following CVSS string:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Which of the following attributes correctly describes this vulnerability?

  1. A user is required to exploit this vulnerability.
  2. The vulnerability is network based.
  3. The vulnerability does not affect confidentiality.
  4. The complexity to exploit the vulnerability is high.

Answer(s): B

Explanation:

Option B is correct because the vector shows AV:N (Attack Vector: Network), meaning the vulnerability is exploitable over a network.
A) Incorrect — UI:N indicates no user interaction is required; option A would be true only if the vector read UI:R (User Interaction: Required).
C) Incorrect — C:H (Confidentiality impact: High) indicates a complete loss of confidentiality, not “does not affect.”
D) Incorrect — AC:L (Attack Complexity: Low) means the vulnerability is easy to exploit, not hard; option D misstates the complexity.



A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:



Which of the following vulnerabilities should be prioritized for remediation?

  1. 1
  2. 2
  3. 3
  4. 4

Answer(s): D

Explanation:

Option D is correct because the company's concern is the accuracy of its data, which maps to the Integrity (I) impact metric in CVSSv3.1. The vulnerability with the highest Integrity impact in the table (vulnerability 4) should therefore be remediated first, ahead of vulnerabilities whose impact falls mainly on confidentiality or availability.
A) Incorrect — Vulnerability 1 has a lower Integrity impact than vulnerability 4, so it does not align with the priority on data accuracy.
B) Incorrect — Vulnerability 2 has a lower Integrity impact than vulnerability 4 and is therefore less urgent for this system.
C) Incorrect — Vulnerability 3 does not carry the highest Integrity impact in the table, so it is not the first priority.



Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:





Which of the following should the security analyst prioritize for remediation?

  1. rogers
  2. brady
  3. brees
  4. manning

Answer(s): B

Explanation:

Option B is correct because prioritization should target the most at-risk asset with active exploitation and critical impact, aligning with risk-based vulnerability management. The table indicates Brady has exposure to a highly exploited vulnerability and is within a critical asset tier, warranting immediate remediation.
A) Incorrect — Rogers does not show active exploitation or critical exposure comparable to Brady, so it should not be prioritized over the higher-risk asset.
C) Incorrect — Brees may have exposure, but not at the highest exploitation level or critical asset impact described for Brady.
D) Incorrect — Manning lacks the strongest indicators of active exploitation and critical priority compared with Brady.



A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

  1. Generate a hash value and make a backup image.
  2. Encrypt the device to ensure confidentiality of the data.
  3. Protect the device with a complex password.
  4. Perform a memory scan dump to collect residual data

Answer(s): A

Explanation:

Option A is correct because generating a hash value and creating a backup image preserves the evidence: the hash provides an integrity baseline that can be re-verified later, and the image gives an immutable copy for litigation review.
B) Incorrect — Encryption protects confidentiality; it does not prevent modification of the original evidence.
C) Incorrect — A password does not guarantee integrity or prevent tampering.
D) Incorrect — A memory dump captures volatile data; it does not preserve the hard drive image or ensure the immutability of the storage evidence.



Which of the following best describes the goal of a tabletop exercise?

  1. To test possible incident scenarios and how to react properly
  2. To perform attack exercises to check response effectiveness
  3. To understand existing threat actors and how to replicate their techniques
  4. To check the effectiveness of the business continuity plan

Answer(s): A

Explanation:

Option A is correct because tabletop exercises walk through incident scenarios in a discussion-based format to validate response procedures, roles, and decision-making without live execution.
B) Incorrect — This describes live-fire exercises or red teaming, not a tabletop exercise.
C) Incorrect — This implies threat actor emulation, which is not the purpose of a tabletop exercise.
D) Incorrect — This focuses on business continuity testing; a tabletop exercise may touch on the BCP, but it primarily assesses incident response coordination rather than BCP effectiveness alone.


