CompTIA (CYSA+) Analyst+ CS0-003 Exam Questions 2025

A. This describes application security testing (AST) methodologies like SAST or DAST. While ATT&CK can inform such tests, it is not a testing method itself.

B. This is a better description of an Information Sharing and Analysis Center (ISAC) or a threat intelligence platform (TIP), which focus on the sharing and dissemination of intelligence.

C. This describes a primary use case or outcome of applying the ATT&CK framework, rather than describing the fundamental nature of the framework itself, which is a knowledge base.

E. This accurately describes the Lockheed Martin Cyber Kill Chain®, which models an intrusion as a linear sequence of phases, unlike the ATT&CK matrix, which is non-sequential.

1. The MITRE Corporation. (2023). About ATT&CK. MITRE ATT&CK®. Retrieved from https://attack.mitre.org/resources/getting-started/. In the "What is ATT&CK?" section, it is defined as "a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations." This supports the "tracks and understands threats" aspect. The community-driven and evolving nature is also a central theme.

2. NIST. (2021). Special Publication 800-160, Volume 2, Revision 1: Developing Cyber-Resilient Systems: A Systems Security Engineering Approach. National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-160v2r1. In Appendix F, Section F.3, ATT&CK is described as a "curated knowledge base and model for cyber adversary behavior" used to "characterize and describe adversary behaviors." This aligns with the concept of a tool to track and understand threats.

3. Applebaum, A. (2020). A Survey of the MITRE ATT&CK Framework. SANS Institute Reading Room. Retrieved from https://www.sans.org/white-papers/39390/. On page 4, the paper states, "The ATT&CK framework is a knowledge base of adversary behavior and a model for describing the actions an adversary may take... It is a living, community-driven knowledge base that is continuously updated..." This directly supports the description of an evolving, open project for understanding threats.

A. Law enforcement: Law enforcement is an external agency to be notified if a crime has occurred, not an internal entity that approves the organization's public communication process.

B. Governance: Governance provides the high-level framework and policies, but the specific, operational task of crafting and approving public statements falls to legal and PR teams.

D. Manager: This option is too vague. The incident manager is a manager who coordinates with other specific functional leads, such as the heads of legal and public relations.

F. Human resources: Human resources primarily handles internal communications and personnel-related matters, not external communications with the general public regarding a security incident.

1. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide.

Section 2.4.3, "Relationships with Other Groups," states, "The CSIRT should also have a close relationship with the organization’s general counsel and public affairs offices. The general counsel can provide advice on legal issues... Public affairs can handle the media, which is particularly important during a high-profile incident." This directly supports the involvement of Legal (general counsel) and Public Relations (public affairs).

2. University of Washington. (2023). UW-IT Information Security and Privacy: Incident Response Plan.

Section "Incident Response Team," under the subsection for "External Communications," explicitly lists "University Marketing & Communications" (the public relations function) and the "Office of the Attorney General" (the legal function) as the primary entities responsible for coordinating and approving communications with the media and the public.

3. Solove, D. J., & Citron, D. K. (2017). Risk and Anxiety: A Theory of Data-Breach Harms. The George Washington University Law School Public Law and Legal Theory Paper No. 2017-10.

Section IV.B, "The Response to a Data Breach," discusses the institutional response, emphasizing that "companies often hire public relations firms to help them manage the crisis" and that legal counsel is central to navigating the complex web of state and federal notification laws. This academic source underscores the essential roles of both PR and legal teams. (Available via SSRN and university repositories).

A. Irregular peer-to-peer communication: The evidence describes data access and log manipulation, not a specific network communication pattern like P2P file sharing.

B. Unauthorized privileges: The account is described as "privileged," meaning it already has high-level access. The issue is the abuse of existing privileges, not the acquisition of new, unauthorized ones.

C. Rogue devices on the network: The activity is tied to a user account, not an unauthorized piece of hardware. There is no information suggesting a new or unknown device is present.

1. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-53 Rev. 5: Security and Privacy Controls for Information Systems and Organizations.

Reference: Appendix F, Security Control Catalog, AU-11 (Audit Record Retention), discusses the importance of protecting audit logs from unauthorized modification. The scenario's "audit logs being modified" is a direct violation of this principle and a key indicator of an attempt to cover tracks, common in insider attacks.

2. Cappelli, D. M., Moore, A. P., & Trzeciak, R. F. (2012). The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Sabotage (Theft, Fraud). Addison-Wesley Professional.

Reference: Chapter 3, "A Closer Look at the Malicious Insider," details common indicators. It explicitly lists technical indicators such as "Abuse of privileges" and behavioral indicators like "Working odd hours without authorization," which directly correspond to the activities observed in the scenario.

3. Carnegie Mellon University, Software Engineering Institute. (2018). Common Sense Guide to Mitigating Insider Threats, Sixth Edition.

Reference: Page 15, Practice 4: "Monitor and respond to suspicious or disruptive behavior." This guide lists "unusual remote access" and "accessing sensitive information not associated with their job" as key indicators. The modification of logs is described as an attempt to "conceal their actions."

4. Zwicky, E. D., Cooper, S., & Chapman, D. B. (2000). Building Internet Firewalls, 2nd Edition. O'Reilly & Associates. (A foundational text often used in university curricula).

Reference: Chapter 26, "Responding to Security Incidents," describes patterns of intrusion. It notes that attackers, including insiders, often attempt to "cover their tracks" by altering logs and that unusual login times are a primary indicator of a compromised account or malicious insider activity.

A. Multifactor authentication on the server OS protects logons to the host, not the web application code path exploited by the form.

B. Hashing passwords at rest limits post-compromise damage but does not stop an attacker from exploiting the form to read data before hashing occurs.

D. Network segmentation limits lateral movement; it does not address the direct flaw inside the application logic that allows credential extraction.

1. NIST Special Publication 800-53 Rev.5, “System and Information Integrity – SI-10: Input Validation,” pp. 413-414.

2. NIST Special Publication 800-115, “Technical Guide to Information Security Testing and Assessment,” §4.3.3 (Injection Attacks) – recommends input validation to mitigate.

3. MIT OpenCourseWare, 6.858 “Computer Systems Security” Lecture 13: SQL Injection, slides 20-22 – emphasizes sanitization/validation of user input as the primary fix.

4. Viega, J., & McGraw, G. (2019). “Building Secure Software,” Addison-Wesley, Ch. 5, pp. 127-130 – lists input validation as foundational for preventing credential-stealing injections.

A. Perform OS hardening.

This is a system-level, not an application-level, mitigation. It strengthens the operating system but does not fix the underlying coding flaw in the application itself.

C. Update third-party dependencies.

This is only effective if the buffer overflow vulnerability exists within a third-party library the application uses, not in the application's own custom code.

D. Configure address space layout randomization.

Address Space Layout Randomization (ASLR) is an OS-level memory-protection feature that makes exploitation more difficult but does not prevent the buffer overflow from happening.

---

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (Special Publication 800-53, Revision 5).

Reference: Control SI-10, "Information Input Validation."

Quote/Paraphrase: The documentation for this control explicitly states that input validation is used to protect against many threats, including "buffer overflows." It emphasizes checking input for validity against defined requirements before it is processed by the application.

2. Kaashoek, M. F., & Zeldovich, N. (2014). 6.858 Computer Systems Security, Fall 2014 Lecture Notes. MIT OpenCourseWare.

Reference: Lecture 2: "Control-flow attacks and defenses."

Quote/Paraphrase: The lecture notes discuss defenses against buffer overflows, highlighting the importance of "checking buffer bounds" before writing data. This bounds checking is a core component of input validation and is presented as a direct countermeasure to prevent the overflow from occurring at the source code level.

3. Dowd, M., McDonald, J., & Schuh, J. (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Addison-Wesley Professional.

Reference: Chapter 5, "Memory Corruption."

Quote/Paraphrase: This foundational academic text on software security explains that the fundamental cause of buffer overflows is a lack of input validation and bounds checking. It details how validating the size of incoming data is a primary preventative measure that must be implemented by developers at the application level.

A. This is too broad. While creating a playbook is useful, it doesn't address the root cause of where the reporting SLAs originate, and it incorrectly bundles containment with the reporting issue.

C. This action only defines which incidents require reporting, but the question's scenario already implies reporting was needed. It fails to address the specific problems of "who" and "when."

D. This addresses the "who" (roles) but completely ignores the "timing requirements," which was an equally critical part of the identified problem. Assigning a role without defining the deadline is an incomplete solution.

1. National Institute of Standards and Technology (NIST). (2012). Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide. Section 2.3.2, "Incident Response Policies," states that policy should define external reporting requirements to entities like government agencies and regulatory bodies. This necessitates researching those specific requirements to create a compliant policy.

2. ENISA (European Union Agency for Cybersecurity). (2022). Good practice guide on breach reporting. Section 4, "The notification process," details the legal timelines for reporting under regulations like the GDPR (e.g., "without undue delay and, where feasible, not later than 72 hours after having become aware of it"). This shows that reporting SLAs are derived directly from regulatory compliance research.

3. Romanosky, S. (2016). Examining the costs and causes of cyber incidents. Journal of Cybersecurity, 2(2), 121–135. https://doi.org/10.1093/cybsec/tyw001. This academic journal discusses how incident response is heavily influenced by regulatory environments, stating, "state and federal laws require firms to notify individuals and government agencies of a breach," which reinforces the need to research these laws to define response procedures.

A. A diagram of all systems and interdependent applications is a technical artifact for recovery but lacks the business-driven prioritization that guides the BCP.

B. A repository for all the software used by the organization is an element of disaster recovery, not the strategic input for creating the BCP.

D. A configuration management database (CMDB) provides technical details but does not define the business criticality or recovery priority of systems.

1. National Institute of Standards and Technology (NIST). (2010). Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems. Section 2.2, Business Impact Analysis (BIA), p. 11. "The BIA is a key step in the contingency planning process... The BIA helps to identify and prioritize information systems and components critical to supporting the organization’s mission/business processes."

2. International Organization for Standardization. (2019). ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements. Clause 8.2.2, "Business impact analysis and risk assessment." The standard mandates that an organization shall "identify the processes that support its products and services and the impact that a disruption can have on them" and "determine the priorities for the resumption of products and services and processes."

3. Carnegie Mellon University, Software Engineering Institute. (2016). CERT Resilience Management Model, Version 1.2 (CMU/SEI-2016-TR-010). Service Continuity (SVC) Process Area, SG 2, "Prepare for Service Continuity," SP 2.1, p. 137. This specific practice involves identifying and prioritizing "essential functions and assets" to ensure their continuity.

A. tiki: The finding for TikiWiki is a missing .htaccess file, which is a medium-risk configuration issue but less urgent than a potentially executable vulnerability.

B. phpList: The scan only identifies the presence of the application and its admin directory, which is a low-risk information disclosure finding.

D. sshome: The scan merely reports the installation of Sshome without noting any specific vulnerabilities, making it the lowest priority among the choices.

1. OWASP Web Security Testing Guide (WSTG) v4.2, Section 4.8.3 "Test for CGI Vulnerabilities (OTG-CONFIG-006)": This guide details the security risks associated with CGI. It states, "The cgi-bin directory is a special directory in the root of the web server that is used to house scripts that are to be executed by the web server... Misconfigured or legacy scripts could be abused by an attacker to gain control of the web server." The presence of shtml.exe directly aligns with this high-risk scenario.

2. NIST Special Publication 800-115, "Technical Guide to Information Security Testing and Assessment," Section 5.5.2, "Web Application Scanning": This document outlines the process of security testing, which includes analyzing scanner output. The methodology implicitly requires prioritizing findings based on potential impact. A vulnerability that could lead to code execution (like a flawed CGI executable) would be ranked higher than information disclosure or missing security headers.

3. Carnegie Mellon University, Software Engineering Institute (SEI), "Vulnerability Analysis," Courseware Module: University-level cybersecurity courseware emphasizes the principle of prioritizing vulnerabilities based on exploitability and impact. A server-side executable script in a cgi-bin directory presents a direct vector for server compromise, making it a critical finding that requires immediate attention over less severe configuration issues.

B. This suggests human error, but the question asks for the most likely scenario occurring with the time stamps, implying a technical cause for the discrepancy itself.

C. A difference between UTC and a local time zone would result in an offset of one or more full hours (or half-hours), not an arbitrary value like 43 minutes.

D. A host being offline would mean it stops sending logs, but it does not explain why the timestamps in the logs it already sent are out of sync.

---

1. National Institute of Standards and Technology (NIST). (2006). Guide to Computer Security Log Management (Special Publication 800-92).

Section 4.3.1, Time Stamps, Page 4-4: "If the clocks on hosts are not synchronized, it is impossible to have a consistent time reference... The Network Time Protocol (NTP) is typically used to perform time synchronization. Without proper time synchronization, it is impossible to determine the order in which events occurred from their log entries." This directly supports that a lack of synchronization (via NTP) causes time reference issues, which is the root of the problem in the scenario.

2. Zeltser, L. (2012). SANS Institute InfoSec Reading Room: Critical Log Review Checklist for Security Incidents.

Section: Time Synchronization, Page 3: "Confirm that all systems involved in the incident had their time synchronized to a common time source. If time was not synchronized, determine the time offset for each system." This highlights time synchronization as a critical first step in incident analysis and triage, reinforcing that its absence is a common and significant problem.

3. CompTIA. (2022). CompTIA Cybersecurity Analyst (CySA+) CS0-003 Exam Objectives.

Section 2.3, Page 10: This objective requires the candidate to "analyze data as part of security monitoring activities," specifically mentioning "Log - Timestamps." The scenario directly tests the analyst's ability to interpret and troubleshoot issues with log timestamps, a core competency for the exam. The discrepancy points to a failure in the underlying mechanism (NTP) responsible for maintaining accurate timestamps.

A. Implementing credentialed scanning: While credentialed scanning provides more accurate data for the vulnerability report, it does not solve the underlying problem of different teams having inconsistent views of the asset inventory itself.

B. Changing from a passive to an active scanning approach: This changes the data collection method but does not address the foundational need for an agreed-upon asset inventory, which is the source of the inter-team inconsistencies.

D. Performing agentless scanning: This is a deployment choice for how scans are conducted. It does not inherently solve the problem of inconsistent asset information between different organizational teams.

---

1. National Institute of Standards and Technology (NIST). (2020). Security and Privacy Controls for Information Systems and Organizations (Special Publication 800-53, Revision 5).

Section: Control CM-8, Information System Component Inventory.

Content: This control mandates the development and maintenance of an inventory of system components. The discussion section states, "The inventory of information system components is essential for many other security controls, such as... flaw remediation (SI-2)... An accurate and up-to-date inventory is a prerequisite for an effective security program." This highlights that a central inventory is foundational for vulnerability management.

2. Fling, R., & Schmidt, D. C. (2009). An Integrated Framework for IT Asset and Security Configuration Management. Proceedings of the 42nd Hawaii International Conference on System Sciences.

Section: 3. An Integrated Framework for IT Asset and Security Configuration Management.

DOI: https://doi.org/10.1109/HICSS.2009.105

Content: The paper argues that effective security management is impossible without accurate asset management. It states, "Without an accurate and up-to-date inventory of IT assets, it is impossible to effectively manage their security configurations... Discrepancies between discovered and recorded information can then be identified and reconciled." This directly supports using a central asset repository to resolve inconsistencies.

3. Kim, D., & Solomon, M. G. (2021). CompTIA CySA+ Cybersecurity Analyst Certification All-in-One Exam Guide, Second Edition (Exam CS0-002). McGraw-Hill. (Note: While a commercial book, its principles are derived from and align with official CompTIA objectives and are widely used in academic settings as courseware. The principle is directly applicable to CS0-003).

Chapter 3: Vulnerability Management.

Content: The text emphasizes that the vulnerability management lifecycle begins with asset inventory. It explains that knowing what assets exist on the network is a prerequisite for scanning them and managing their vulnerabilities effectively. This establishes the central asset inventory as the starting point for reducing discrepancies.