CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Free Practice Exam Questions (2025 Updated)

Integrity validation is the process of ensuring that the digital evidence has not been altered or tampered with during collection, acquisition, preservation, or analysis. It usually involves generating and verifying cryptographic hashes of the evidence, such as MD5 or SHA-1. Integrity validation is essential for maintaining the accuracy and admissibility of the digital evidence in court. 

ABusiness Impact Analysis (BIA)is the correct document thatidentifies critical servicesand definesRecovery Point Objectives (RPOs)andRecovery Time Objectives (RTOs). It helps organizations determine the impact of downtime and the maximum tolerable outages for business functions.

Disaster recovery plan (A)uses the information from the BIA.

Playbooks (C)are tactical and focus on specific incidents.

Backup plans (D)support BIA but don't define RPO/RTO themselves.

A signal-shielded bag and a tamper-evident seal are tools that can be used to maintain the integrity of the mobile phone while it is transported. A signal-shielded bag prevents the phone from receiving orsending any signals that could compromise the data or evidence on the device. A tamper-evident seal ensures that the phone has not been opened or altered during the transportation. References: Mobile device forensics, Section: Acquisition

The root cause analysis identifies the contributing items that facilitated the event is the best reason for conducting a root cause analysis, as it reflects the main goal and benefit of this problem-solving approach. A root cause analysis (RCA) is a process of discovering the root causes of problems in order to identify appropriate solutions. A root cause is the core issue or factor that sets in motion the entire cause-and-effect chain that leads to the problem. A root cause analysis assumes that it is more effective to systematically prevent and solve underlying issues rather than just treating symptoms or putting out fires. A root cause analysis can be performed using various methods, tools, and techniques that help to uncover the causes of problems, such as events and causal factor analysis, change analysis, barrier analysis, or fishbone diagrams. A root cause analysis can help to improve quality, performance, safety, or efficiency by finding and eliminating the sources of problems. The other options are not as accurate as the root cause analysis identifies the contributing items that facilitated the event, as they do not capture the essence or value of conducting a root cause analysis. The root cause analysis ensures that proper timelines were documented is a possible outcome or benefit of conducting a root cause analysis, but it is not the best reason for doing so. Documenting timelines can help to establish the sequence of events and actions that led to the problem, but it does not necessarily identify or address the root causes. The root cause analysis allows the incident to be properly documented for reporting is also a possible outcome or benefit of conducting a root cause analysis, but it is not the best reason for doing so. Documenting and reporting incidents can help to communicate and share information about problems and solutions, but it does not necessarily identify or address the root causes. The root cause analysis develops recommendations to improve the process is another possible outcome or benefit of conducting a root cause analysis, but it is not the best reason for doing so. Developing recommendations can help to implement solutions and prevent future problems, but it does not necessarily identify or address the root causes.

The first and most urgent step to mitigate the impact of compromised credentials on the dark web is to perform a forced password reset for the affected user. This will prevent the cybercriminals from using the stolen credentials to access the company’s network and systems. Multifactor authentication is a good security measure, but it is not foolproof and can be bypassed by sophisticated attackers. Therefore, changing the password as soon as possible is the best practice to reduce the risk of a data breach or other cyber attack123 References: 1: How to monitor the dark web for compromised employee credentials 2: How to prevent corporate credentials ending up on the dark web 3: Data Breach Prevention: Identifying Leaked Credentials on the Dark Web

This log shows multiple 404 errors being triggered from requests to different directories or paths, which strongly suggests adirectory brute-force attack. In this type of attack, an adversary uses automated tools to enumerate directory or file paths in an attempt to find hidden or misconfigured resources. The frequent 404 “Not Found” HTTP responses from a single IP address attempting to access different URL paths is the signature pattern for directory brute-forcing. This behavior is not consistent with XSS, SQLi, or RCE, which would involve payloads or specific encoded commands, not merely probing paths.

The best recommendations to prevent an XSS vulnerability from being exploited are to implement a compensating control in the source code and to fix the vulnerability using a virtual patch at the WAF. A compensating control is a technique that mitigates the risk of a vulnerability by adding additional security measures, such as input validation, output encoding, or HTML sanitization. A virtual patch is a rule that blocks or modifies malicious requests or responses at the WAF level, without modifying the application code. These recommendations are effective, efficient, and less disruptive than the other options. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 4: Security Operations and Monitoring, page 156; Cross Site Scripting Prevention Cheat Sheet, Section: XSS Defense Philosophy.

AUSB drop attackis acommon method for delivering ransomware, where an attacker leaves infected USB drives in strategic locations,tricking employees into plugging them into corporate devices​.

Option B (LFI - Local File Inclusion)exploitsweb applications, but the scenario lacksnetwork intrusion indicators.

Option C (Cross-site request forgery - CSRF)is used forexploiting authenticated web sessions, not ransomware delivery.

Option D (SQL injection)is used fordatabase exploitation, not file encryption malware.

Thus,A (USB drop) is the correct answer, asphysical malware introduction is a known ransomware attack vector​.

Tocapture and analyze network traffic, the two best tools are:

tcpdump (Option A)– A command-line packet capture tool used for network traffic analysis.

Wireshark (Option D)– A GUI-based network packet analysis tool that provides deep inspection capabilities​.

Option B (SIEM)is forlog aggregationand does notcapturetraffic.

Option C (Vulnerability scanner)identifies weaknesses but does notcapturenetwork traffic.

Option E (Nmap)is used for network discovery and port scanning, not capturing traffic.

Option F (SOAR)automates security processes but does not capture traffic.

Thus,A (tcpdump) and D (Wireshark) are correct, asthey are the best tools for capturing and analyzing anomalous network traffic​.

The most volatile type of evidence that must be collected first in a computer system is running processes. Running processes are programs or applications that are currently executing on a computer system and using its resources, such as memory, CPU, disk space, or network bandwidth. Running processes are very volatile because they can change rapidly or disappear completely when the system is shut down, rebooted, logged off, or crashed. Running processes can also be affected by other processes or users that may modify or terminate them. Therefore, running processes must be collected first before any other type of evidence in a computer system

The correct answer is A. To provide metrics and test continuity controls.

A disaster recovery exercise is a simulation or a test of the disaster recovery plan, which is a set of procedures and resources that are used to restore the normal operations of an organization after a disaster or a major incident. The goal of a disaster recovery exercise is to provide metrics and test continuity controls, which are the measures that ensure the availability and resilience of the critical systems and processes of an organization. A disaster recovery exercise can help evaluate the effectiveness, efficiency, and readiness of the disaster recovery plan, as well as identify and address any gaps or issues .

The other options are not the best descriptions of the goal of a disaster recovery exercise. Verifying the roles of the incident response team (B) is a goal of an incident response exercise, which is a simulation or a test of the incident response plan, which is a set of procedures and roles that are used to detect, contain, analyze, and remediate an incident. Providing recommendations for handling vulnerabilities © is a goal of a vulnerability assessment, which is a process of identifying and prioritizing the weaknesses and risks in an organization’s systems or network. Performing tests against implemented security controls (D) is a goal of a penetration test, which is an authorized and simulated attack on an organization’s systems or network to evaluate their security posture and identify any vulnerabilities or misconfigurations.

The correct answer is A. Configure the server to prefer TLS 1.3 and B. Remove cipher suites that use CBC.

A padding oracle attack is a type of attack that exploits the padding validation of a cryptographic message to decrypt the ciphertext without knowing the key. A padding oracle is a system that responds to queries about whether a message has a valid padding or not, such as a web server that returns different error messages for invalid padding or invalid MAC. A padding oracle attack can be applied to the CBC mode of operation, where the attacker can manipulate the ciphertext blocks and use the oracle’s responses to recover the plaintext12.

To remediate this issue, the organization should make the following configuration changes:

Configure the server to prefer TLS 1.3. TLS 1.3 is the latest version of the Transport Layer Security protocol, which provides secure communication between clients and servers. TLS 1.3 has several security improvements over previous versions, such as:

It deprecates weak and obsolete cryptographic algorithms, such as RC4, MD5, SHA-1, DES, 3DES, and CBC mode.

It supports only strong and modern cryptographic algorithms, such as AES-GCM, ChaCha20-Poly1305, and SHA-256/384.

It reduces the number of round trips required for the handshake protocol, which improves performance and latency.

It encrypts more parts of the handshake protocol, which enhances privacy and confidentiality.

It introduces a zero round-trip time (0-RTT) mode, which allows resuming previous sessions without additional round trips.

It supports forward secrecy by default, which means that compromising the long-term keys does not affect the security of past sessions3456.

Remove cipher suites that use CBC. Cipher suites are combinations of cryptographic algorithms that specify how TLS connections are secured. Cipher suites that use CBC mode are vulnerable to padding oracle attacks, as well as other attacks such as BEAST and Lucky 13. Therefore, they should be removed from the server’s configuration and replaced with cipher suites that use more secure modes of operation, such as GCM or CCM78.

The other options are not effective or necessary to remediate this issue.

Option C is not effective because configuring the server to prefer ephemeral modes for key exchange does not prevent padding oracle attacks. Ephemeral modes for key exchange are methods that generate temporary and random keys for each session, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman. Ephemeral modes provide forward secrecy, which means that compromising the long-term keys does not affect the security of past sessions. However, ephemeral modes do not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the key exchange9.

Option D is not necessary because requiring client browsers to present a user certificate for mutual authentication does not prevent padding oracle attacks. Mutual authentication is a process that verifies the identity of both parties in a communication, such as using certificates or passwords. Mutual authentication enhances security by preventing impersonation or spoofing attacks. However, mutual authentication does not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the authentication.

Option E is not necessary because configuring the server to require HSTS does not prevent padding oracle attacks. HSTS stands for HTTP Strict Transport Security and it is a mechanism that forces browsers to use HTTPS connections instead of HTTP connections when communicating with a web server. HSTS enhances security by preventing downgrade or man-in-the-middle attacks that try to intercept or modify HTTP traffic. However, HSTS does not protect against padding oracle attacks, which exploit the padding validation of HTTPS traffic rather than the protocol.

Option F is not effective because removing cipher suites that use GCM does not prevent padding oracle attacks. GCM stands for Galois/Counter Mode and it is a mode of operation that provides both encryption and authentication for block ciphers, such as AES. GCM is more secure and efficient thanCBC mode, as it prevents various types of attacks, such as padding oracle, BEAST, Lucky 13, and IV reuse attacks. Therefore, removing cipher suites that use GCM would reduce security rather than enhance it .

The analyst should look at p4wnp1_aloa.lan (192.168.86.56) first, as this is the most suspicious device on the network. P4wnP1 ALOA is a tool that can be used to create a malicious USB device that can perform various attacks, such as keystroke injection, network sniffing, man-in-the-middle, or backdoor creation. The presence of a device with this name on the network could indicate that an attacker has plugged in a malicious USB device to a system and gained access to the network. Official References: https://github.com/mame82/P4wnP1_aloa

The key goal of the containment stage in an incident response process is to limit further damage from occurring. This involves taking immediate steps to isolate the affected systems or network segments to prevent the spread of the incident and mitigate its impact. Containment strategies can be short-term, to quickly stop the incident, or long-term, to prepare for the eradication and recovery phases.

Eradication is a step in the incident response process that involves removing any traces or remnants of the incident from the affected systems or networks, such as malware, backdoors, compromised accounts, or malicious files. Eradication also involves restoring the systems or networks to their normal or secure state, as well as verifying that the incident is completely eliminated and cannot recur. In this case, the analyst is remediating items associated with a recent incident by isolating the vulnerabilityand actively removing it from the system. This describes the eradication step of the incident response process.

Credentialed vulnerability scansallow the scanner tolog into systems and retrieve accurate informationabout installed patches and configurations. If the reportsdo not reflect current patching levels, it is likely that the scan is being performedwithout credentials, leading to incomplete or inaccurate results​.

Option A (Updating the scanning engine)ensures the tool has the latest detection capabilities but does not directly affect scan accuracy for missing patches.

Option B (Centralized patching)helps maintain consistency but does not correct reporting errors.

Option D (Resetting plug-ins)may be useful if plug-ins are outdated, but the primary issue islack of privileged accessduring scanning.

Thus,C is the correct answer, ascredentialed scans provide more accurate vulnerability assessments​.

TheDiamond Model of Intrusion Analysisconsists offour core attributes:

Adversary– The threat actor behind the attack.

Capability– The tools and techniques used.

Infrastructure– The systems used by the adversary (e.g., botnets, C2 servers).

Victim– The target of the attack​.

Option A (Delivery)andOption B (Weaponization)are part of theCyber Kill Chain, not the Diamond Model.

Option C (Command and control)is an attack phase butnot a core attribute of the Diamond Model.

Option D (Capability) is correct, as it represents the tools and attack methods used by adversaries.

Thus,D is the correct answer.

The most likely cause of the issue where an ICS (Industrial Control System) could not be updated due to hardware versioning incompatibility is a legacy system. Legacy systems often have outdated hardware and software that may not be compatible with modern updates and patches. This can pose significant challenges in maintaining security and operational efficiency.

The correct answer is A. System hardening.

System hardening is the process of securing a system by reducing its attack surface, applying patches and updates, configuring security settings, and implementing security controls. System hardening can help prevent or mitigate vulnerability events that may affect operating systems. Host-based IPS, firewalls, and two-factor authentication are examples of security controls that can be applied to harden a system1.

The other options are not the best descriptions of the scenario. A hybrid network architecture (B) is a network design that combines on-premises and cloud-based resources, which may or may not involve system hardening. Continuous authorization © is a security approach that monitors and validates the security posture of a system on an ongoing basis, which is different from system hardening. Secure access service edge (D) is a network architecture that delivers cloud-based security services to remote users and devices, which is also different from system hardening.