CompTIA CySA+ Practice Test (CS0-003)

The most likely cause of the issue is that the employees' time settings are not properly synchronized between their authentication devices and the service used to verify their identity. These systems often rely on time-based one-time passwords (TOTP), which require synchronized time settings to generate and validate the correct code. If the time discrepancy is significant, the generated codes will not match between the device and the server, causing login failures. Other potential issues, such as username errors or temporary service outages, are less likely to affect multiple users at once, and password complexity does not influence the functioning of the additional authentication codes.

A legal hold is a process that requires data to be preserved for potential legal proceedings. It ensures that the integrity of data is maintained and that no modifications, deletions, or alterations occur. It is important for test takers to recognize this term and understand its role in incident response and the broader context of legal requirements for evidence preservation.

Designating a single trained and authorized spokesperson centralizes outward communication, ensuring that statements are consistent, approved, and do not reveal sensitive details that could compromise the response effort or violate regulations. Allowing every employee to speak invites conflicting information, refusing all engagement fuels speculation, and waiting until full resolution delays critical updates and harms trust.

The analyst is taking steps to restore the affected system to a normal, secure state after the compromise. Such measures-re-imaging, patching, and other post-incident remediation-are corrective controls because they reduce or eliminate the impact of a vulnerability once it has been exploited. Preventative controls are deployed before an attack to block it, detective controls identify events after or while they occur without necessarily fixing them, and compensating controls provide an alternative safeguard when a primary control is infeasible.

When choosing what to patch first, analysts weigh exploitability and exposure as much as raw CVSS. Although CVE-2025-1234 carries a higher base score, the database is shielded inside a segmented network. CVE-2023-9999 has no known exploit activity. CVE-2024-5678, however, is both internet-facing and confirmed to be actively exploited (it appears in the KEV catalog). Because attackers are already scanning for it and the server is publicly reachable, remediating CVE-2024-5678 first most effectively reduces immediate organizational risk.

The correct answer is 'SSL decryption policies on the firewall'. SSL inspection involves decrypting, inspecting, and re-encrypting SSL/TLS encrypted traffic as it passes through a security gateway or firewall. By implementing SSL decryption policies on the firewall, the organization can examine the content of encrypted traffic for potential threats, ensuring that harmful content is not missed due to encryption. This is especially critical as attackers could use encryption to mask malicious activities. 'URL filtering' is incorrect because it does not decrypt traffic but rather filters it based on URLs against a database of categorized websites. 'Application control policies' are incorrect because they manage application usage rather than inspect encrypted content. 'HTTPS deep packet inspection rules' is a misleading answer as deep packet inspection implies a thorough examination of data, but without proper SSL decryption, it cannot inspect encrypted HTTPS traffic.

The correct answer is 'The combined potential impact across all affected systems.' When a vulnerability spans multiple security zones, such as the internal network and the public-facing DMZ, its potential impact is magnified. A successful exploit could facilitate lateral movement from an external server to internal workstations. Therefore, assessing the total potential damage across all affected systems is the primary consideration. While exploitability on external systems, regulatory requirements, and threat actor likelihood are all important components of a full risk assessment, understanding the potential blast radius across different zones is the most direct consequence of the vulnerability's widespread presence.

Choosing a time when system usage is at its lowest reduces the impact on business operations. Scheduling maintenance during low-usage periods helps ensure minimal disruption and user complaints. Risk exposure, regulatory approval, and notification timelines are important but secondary considerations that support this primary objective.

The 'where' component of an incident report specifies the physical or, in this case, logical location of the incident. The source and destination IP addresses identify the network locations involved in the event. The timestamp corresponds to the 'when' component. The user account relates to the 'who' component. The description of the event helps define the 'what' component of the report.

The primary impact of the incident is the potential loss of sensitive data, which can lead to significant financial and reputational damage for the organization. Compromise of critical servers can disrupt business operations and necessitate costly recovery efforts. Unauthorized access, while serious, is secondary compared to the actual exfiltration and potential misuse of sensitive data. Financial loss due to downtime is an aspect of the operational disruption but not the most critical impact in this context. The compromise of sensitive data through the compromised servers represents the most immediate and severe impact.

The correct answer is verifying that all necessary tools are installed, configured, and tested on the systems they will be used on. This is crucial because, in an actual incident, having immediate access to tools that are pre-configured and fully functional allows for a quicker response, which can reduce the impact of the breach. Well-maintained tools minimize the risks of delays or malfunction during a high-stress incident response scenario. Ensuring compatibility with existing systems avoids unforeseen technical issues that can arise during an incident. Having a comprehensive set of tools may not be beneficial if they remain unconfigured or untested. Regular updates are important, but without initial proper setup, updates alone cannot guarantee effectiveness. Incorporating the latest AI technology isn't inherently the most critical aspect, as it may not align with the company’s existing infrastructure or response plan requirements.

The correct answer is 'Breakpoints'. Breakpoints allow the analyst to halt the program's execution at specified points, which enables the inspection of the state of the program at those moments. This can be vital in identifying the cause of crashes or other unexpected behaviors in the binary. 'Watchpoints' are used to monitor changes in specific variables, 'Single-stepping' is used for examining code execution line-by-line, and 'Core dumps' provide a snapshot of the program's memory at the time of crash, but do not provide the same level of interactive inspection as breakpoints.

To explain 'why' an incident happened, root cause analysis is essential. This analysis identifies the primary factors that led to the incident, providing a clear understanding of its origin. While the executive summary and timeline provide valuable context and structure, and recommendations suggest future actions, they do not directly address the root cause.

In the case of a ransomware attack, isolating the affected systems is critical to prevent the malware from spreading to other systems. Disconnecting infected machines from the network ensures that the ransomware cannot communicate with external servers or compromise additional data. Re-imaging may be necessary later, but initially, isolation is the priority. Initiating a legal hold and compensating controls are also part of the broader response strategy but are not the first steps to limit immediate impact.

SOAR platforms are designed to help organizations efficiently and effectively respond to security events by automating workflows and orchestrating various security tasks. They are not just about automation, but also about integrating different security tools and providing a coordinated response to incidents. This results in a faster response time, reduced manual effort, and a more streamlined security operation. While all the other options mentioned can be components of a SOAR solution, it is the SOAR platform itself that provides the necessary infrastructure for orchestration and automation.

The SDN controller holds the control plane for the entire network. Through southbound APIs such as OpenFlow, NETCONF, or gRPC, it can programmatically push flow rules and other configuration changes to all managed switches. This centralized, software-driven approach removes the need for engineers to log in to each switch's CLI, speeds response to changing conditions, and supports automated security policy enforcement. By contrast, traditional networks require manual, device-by-device configuration, and SNMP set commands are typically used only for limited management tasks. The controller does not replace the physical data-plane hardware; it instructs that hardware how to forward traffic.

In the scenario where vulnerabilities exist in an out-of-support proprietary system, conventional mitigation strategies like patching are not feasible. Therefore, compensating controls are the appropriate form of mitigation to suggest. Compensating controls refer to security measures that are put in place to satisfy the requirement for a security control that is deemed too difficult or impossible to implement at the present time. By framing the vulnerability in terms of inhibitors to remediation and suggesting compensating controls, the cybersecurity analyst shows an understanding of the constraints of proprietary systems. Other answers are less appropriate because they either ignore the proprietary and unsupported context of the system or suggest an unfit remediation strategy.

The most effective first step when using an IP reputation service like AbuseIPDB is to check or query the IP address to see if it already has a known history of malicious activity. This action provides immediate context and helps validate whether the observed behavior is part of a wider pattern. While reporting the IP is a valuable contribution to the community, it should be done after an initial assessment. A WHOIS lookup can provide ownership details but is a secondary step to assessing the immediate threat based on reputation. Adding an IP to an internal feed without first verifying its reputation could pollute the intelligence data with false positives.

The dd command is the correct tool for this task as it is designed to perform a raw, bit-for-bit copy of a source to a destination. This creates a forensically sound image of the entire drive, including unallocated space and remnants of deleted files, which is essential for a thorough investigation. The rsync command synchronizes files and directories, but it is a file-level copy tool and will not capture deleted files or unallocated space. The tar command is used to create file archives but does not create a block-level image of a disk. The scp command securely copies files over a network but, like rsync and tar, operates at the file level and is not suitable for creating a forensic disk image.

MTTR measures the average duration between vulnerability detection and complete remediation. A decrease from 15 to 6 days means the organization now closes vulnerabilities sooner, shrinking the window in which attackers could exploit them. The data show no change in MTTD, so detection speed is constant. MTBF is unrelated to vulnerability remediation, and a stable MTTD combined with a lower MTTR does not widen risk exposure-it reduces it.