Pass the CompTIA CompTIA CySA+ CS0-003 Questions and answers with CertsForce

Vulnerability 2 should be prioritized as it is exploitable, has high exploit activity, and is exposed externally according to the SMITTEN metric. References: Vulnerability Management Metrics: 5 Metrics to Start Measuring in Your Program, Section: Vulnerability Severity.

Generating a hash value and making a backup image is the best method to ensure the data on the device is not modified, as it creates a verifiable copy of the original data that can be used for forensic analysis. Encrypting the device, protecting it with a password, or performing a memory scan dump do not prevent the data from being altered or deleted. Verified References: CompTIA CySA+ CS0-002 Certification Study Guide, page 3291

Reverse engineering is a technique that involves analyzing a binary file to understand its structure, functionality, and behavior. Reverse engineering can help security analysts perform malware analysis, vulnerability research, exploit development, and software debugging. Reverse engineering can be done using various tools, such as disassemblers, debuggers, decompilers, and hex editors.

Because the system is mission critical and there is no patch and no vendor support, the best risk-reduction approach is to implement compensating controls. Compensating controls are specifically recommended when immediate remediation is not possible, and for legacy systems where patches may not exist.

The Sybex CySA+ Study Guide states this directly:

Exact extract (Sybex Study Guide): “Legacy systems may not have patches available, meaning that compensating controls may be the only option available.”

Secbay Press also explains that legacy systems may lack vendor support/updates and that mitigation strategies like compensating controls or isolation are essential to reduce risk:

Exact extract (Secbay Press): “Legacy systems may lack vendor support and updates, making mitigation strategies essential… Implement specific mitigation strategies for legacy systems, such as compensating controls or isolation.”

And Secbay provides a legacy-system compensating control case study showing exactly the kinds of controls mentioned in option D—segmentation/isolation, access controls, and enhanced monitoring/continuous monitoring:

Exact extract (Secbay Press): “Selected compensating controls, such as network segmentation, intrusion detection systems, and enhanced monitoring, to mitigate the risks…”

Why the other options are not “best” given the constraints:

A (Decommission immediately): may be ideal long-term, but conflicts with “mission critical” (and “immediately” is often unrealistic for business operations).

B (Block inbound/allow outbound): helps somewhat but is incomplete and can still allow command-and-control or exfiltration outbound; also doesn’t address restricted admin access/monitoring comprehensively.

C (WAF): useful only if this is specifically a web application exposure; the scenario says “legacy system” broadly. Compensating controls are the most complete and universally applicable choice.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Chapple/Seidl, CompTIA CySA+ Study Guide (CS0-003): legacy systems may have no patches; compensating controls may be the only option

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): legacy systems lack support/updates; use compensating controls or isolation

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): compensating controls for legacy systems include segmentation/isolation and enhanced/continuous monitoring

A cloud access security broker (CASB) is a tool that can help reduce the risk of shadow IT in the enterprise by providing visibility and control over cloud applications and services. A CASB can enable policy enforcement by blocking unauthorized or risky cloud applications, enforcing data loss prevention rules, encrypting sensitive data, and detecting anomalous user behavior.

The described behavior(pivoting across network segments, targeting domain servers, and exfiltrating data to an unknown location)is characteristic of anadvanced persistent threat (APT), often linked tonation-state actors​.

Option A (Hacktivist)attackers typically engage indefacements or disruptionrather thanstealthy exfiltration.

Option B (Zombie)refers tocompromised hosts in a botnet, but botnets do not usually pivot across networks.

Option C (Insider threat)could involve unauthorized access, but the traffic pattern suggests anexternalattacker withlateral movementtechniques.

Thus,D is the correct answer, asnation-state actors often use sophisticated tactics, including data exfiltration and network pivoting​.

The first step for the security team when receiving a legal hold request is to notify the relevant departments to preserve all potentially relevant information. This ensures that no data is altered, deleted, or otherwise tampered with, which is critical for maintaining the integrity of the evidence. Preserving information includes emails, documents, and any other data that might be relevant to the legal matter. Establishing a chain of custody and backing up data are also important steps, but notifying the involved parties is the immediate priority to prevent data loss.

A CASB (Cloud Access Security Broker) is a security solution that acts as an intermediary between cloud users and cloud providers, and monitors and enforces security policies for cloud access and usage. A CASB can help organizations protect their data and applications in the cloud from unauthorized or malicious access, as well as comply with regulatory standards and best practices. A CASB can also provide visibility, control, and analytics for cloud activity, and identify and mitigate potential threats12

The other options are not correct. DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication protocol that helps email domain owners prevent spoofing and phishing attacks by verifying the sender’s identity and instructing the receiver how to handle unauthenticated messages34 SIEM (Security Information and Event Management) is a security solution that collects, aggregates, and analyzes log data from various sources across an organization’s network, such as applications, devices, servers, and users, and provides real-time alerts, dashboards, reports, and incident response capabilities to help security teams identify and mitigate cyberattacks56 PAM (Privileged Access Management) is a security solution that helps organizations manage and protect the access and permissions of users, accounts, processes, and systems that have elevated or administrative privileges. PAM can help prevent credential theft, data breaches, insider threats, and compliance violations by monitoring, detecting, and preventing unauthorized privileged access to critical resources78

MITRE ATT & CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community. It can help security professionals understand, detect, and mitigate cyber threats by providing a comprehensive framework of TTPs.

The correct answer is B because this is a critical infrastructure / ICS / OT environment. The safest option listed is a targeted, low-impact banner-grabbing approach against the known standard ports: TCP 80 for HTTP and TCP 502 for Modbus. In critical infrastructure, the analyst should avoid aggressive or broad scanning methods that could disrupt fragile industrial systems.

Exact supporting extract: the Secbay CySA+ guide states that vulnerability scanning of OT environments, including ICS and SCADA systems, requires specialized tools and methodologies because these environments have unique security requirements and constraints. It also states that vulnerabilities in ICS can have severe operational and safety implications.

The same guide explains that Modbus is a protocol used in industrial control systems and enables communication among devices connected to the same network.

The Sybex CySA+ Study Guide explains that service identification may be done by connecting and grabbing the banner or connection information provided by the service. It also explains that Nmap can perform service and version detection, but the more aggressive options are less appropriate for sensitive ICS environments.

Why the other options are incorrect:

A is incorrect because a general IT vulnerability scanner may be too intrusive for an oil and gas pipeline ICS environment.

C is incorrect because -A enables aggressive Nmap detection features, which may include OS detection, version detection, scripts, and traceroute. That is riskier in ICS/OT environments.

D is incorrect because Masscan is designed for high-speed scanning and is inappropriate for sensitive critical infrastructure networks.

B is best because it targets only the known ports and uses a less aggressive identification method.