CompTIA CS0-003 Exam Actual Questions
CompTIA CySA+ (CS0-003) (Page 9 )

Updated On: 13-Jun-2026

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

  1. Human resources must email a copy of a user agreement to all new employees
  2. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
  3. All new employees must take a test about the company security policy during the onboarding process
  4. All new employees must sign a user agreement to acknowledge the company security policy

Answer(s): D

Explanation:

Option D is correct because having all new employees sign a user agreement to acknowledge the company security policy creates formal accountability and a documented attestation of policy understanding, which aligns with policy enforcement and governance controls.
A) Incorrect — Emailing a copy does not create enforceable acknowledgment or accountability; it lacks documented proof of comprehension or commitment.
B) Incorrect — Verbal confirmation is informal and prone to misinterpretation; it does not provide a durable, auditable record.
C) Incorrect — A test assesses knowledge but does not establish formal acknowledgment or binding agreement to policy, reducing enforceability.



An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

  1. Information sharing organization
  2. Blogs/forums
  3. Cybersecurity incident response team
  4. Deep/dark web

Answer(s): A

Explanation:

Option A is correct because information-sharing organizations aggregate threat intel from multiple sources (CTI feeds, indicators of compromise, tactics, techniques, and procedures) and provide verified, contextualized data suitable for risk validation in critical supply chains.
B) Blogs/forums often contain unverified or speculative information and may lack timely, actionable fidelity necessary for risk assessment.
C) Cybersecurity incident response teams are internal or coordinated after incidents occur and may not provide proactive, external threat intelligence about new campaigns.
D) Deep/dark web data can be noisy, unverified, and not specifically tailored to a legitimate, enterprise risk assessment context without additional enrichment.



An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

  1. To satisfy regulatory requirements for incident reporting
  2. To hold other departments accountable
  3. To identify areas of improvement in the incident response process
  4. To highlight the notable practices of the organization's incident response team

Answer(s): C

Explanation:

Option C is correct because lessons learned are used to identify and implement improvements in the incident response process, enabling better detection, containment, eradication, and recovery in future incidents.
A) Incorrect — While regulatory reporting may require some documentation, the primary purpose of lessons learned is process improvement, not compliance alone.
B) Incorrect — Holding departments accountable is not the objective of lessons learned and can undermine collaboration.
D) Incorrect — Highlighting notable practices is not the core purpose; lessons learned should drive actionable enhancements, not merely praise.
Overall, lessons learned feed continual improvement in CSIRT methodologies and playbooks.



A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:



Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

  1. InLoud:
    Cobain: Yes
    Grohl: No
    Novo: Yes
    Smear: Yes
    Channing: No
  2. TSpirit:
    Cobain: Yes
    Grohl: Yes
    Novo: Yes
    Smear: No
    Channing: No
  3. ENameless:
    Cobain: Yes
    Grohl: No
    Novo: Yes
    Smear: No
    Channing: No
  4. PBleach:
    Cobain: Yes
    Grohl: No
    Novo: No
    Smear: No
    Channing: Yes

Answer(s): B

Explanation:

Option B is correct because TSpirit is the only listed vulnerability with Yes for all three higher-weighted metrics (Cobain, Grohl, and Novo) and No for the deprioritized Smear and Channing. Under the described third-party scoring, which prioritizes vulnerabilities with multiple Yes values across the scoring factors and deprioritizes Smear and Channing, that makes it the most urgent patch.
A) Incorrect — InLoud has Cobain and Novo but not Grohl, and its only other Yes is the deprioritized Smear, so it ranks below TSpirit under the stated weighting.
C) Incorrect — ENameless has only Cobain and Novo (Grohl: No) and does not match the strongest urgent pattern in the third-party scoring.
D) Incorrect — PBleach has only Cobain plus the deprioritized Channing, so it does not align with the highest-urgency combination as defined.



A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

  1. Hacktivist
  2. Advanced persistent threat
  3. Insider threat
  4. Script kiddie

Answer(s): C

Explanation:

Option C is correct because the user’s action involves exploiting access to internal systems and causing widespread impact, which fits an insider threat (malicious or compromised actor with legitimate access).
A) Incorrect — Hacktivist: motivated by political or social goals, not typically confined to abusing internal access for mass infections.
B) Incorrect — Advanced persistent threat: a highly skilled, persistent actor usually targeting organizations over time, often external; not defined by a single user’s accidental malware download.
D) Incorrect — Script kiddie: uses readily available malware scripts with limited technical sophistication; not characterized by leveraging legitimate access to propagate across multiple systems.



An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

  1. Take a snapshot of the compromised server and verify its integrity
  2. Restore the affected server to remove any malware
  3. Contact the appropriate government agency to investigate
  4. Research the malware strain to perform attribution

Answer(s): A

Explanation:

Option A is correct because capturing a snapshot and verifying integrity preserves volatile and non-volatile evidence for forensic analysis, enabling chain-of-custody and later incident reconstruction.
B) Incorrect — Restoring the server before analysis can destroy evidence and hinder forensics.
C) Incorrect — Government notification is not a standard immediate CSIRT action unless required by policy or law; it is not the next step for incident containment and evidence collection.
D) Incorrect — Attribution research is investigative and may be performed later; it is not the immediate next action for containment and evidence preservation.



During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

  1. Disk contents
  2. Backup data
  3. Temporary files
  4. Running processes

Answer(s): D

Explanation:

Option D is correct because volatile memory (running processes) should be captured first to preserve in-memory evidence before shutdown or reboot. This data often contains active network connections, process handles, and RAM-resident malware indicators critical for timeline reconstruction.
A) Disk contents are non-volatile and should be collected after volatile data to avoid altering or contaminating it.
B) Backup data is non-volatile and not prioritized during initial volatile evidence collection.
C) Temporary files reside on non-volatile storage and may be modified or cleared after the volatile data capture, making them lower priority initially.



A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

  1. function w() { a=$(ping -c 1 $1 | awk-F "/" 'END{print $1}') && echo "$1 | $a" }
  2. function x() { b=traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }
  3. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }
  4. function z() { c=$(geoiplookup$1) && echo "$1 | $c" }

Answer(s): C

Explanation:

Option C is correct because it resolves a reverse DNS pointer to an ASN origin domain and queries Cymru’s ASN data, enabling identification of network blocks related to the same company/region. It leverages DNS-based mapping to infer autonomous system information, which helps group addresses by origin ASN.
A) Incorrect — function uses ping and extracts a field incorrectly; ping is ICMP-based, not suitable for identifying network blocks or ASN/region.
B) Incorrect — function attempts traceroute output parsing but uses incorrect syntax (awk argument) and does not reliably map to ASN or origin networks.
D) Incorrect — function relies on geoiplookup for a single IP, which may be inaccurate and does not correlate networks by ASN/region.



Viewing page 9 of 73
Viewing questions 65 - 72 out of 571 questions

