Comptia dumpspedia pearson Cs0-003 New Attempt by Sean q0 vce pdf

Page: 21 / 35

Exam Name:	CompTIA CyberSecurity Analyst CySA+ Certification Exam
Exam Code:	CS0-003 Dumps
Vendor:	CompTIA	Certification:	CompTIA CySA+
Questions:	482 Q&A's	Shared By:	sean

Question 84

An organization ' s website was maliciously altered.

INSTRUCTIONS

Review information in each tab to select the source IP the analyst should be concerned

about, the indicator of compromise, and the two appropriate corrective actions.

Questions 84

Options:

Discussion

Answer:

Answer:

see the explanation for step by step solution.

Explanation:

Step 1: Analyzing the SFTP Log

The SFTP log provides a record of file transfer and login activities:

User “sjames” logged in from several IP addresses:

192.168.10.32 and 192.168.10.37 (internal network IPs)

32.111.16.37 and 41.21.18.102 (external IPs)

We see file alterations in the /var/www directory, which is commonly the web directory.

Modified files: about_us.html, index.html

Suspicious activity:

192.168.11.102 and 41.21.18.102 modified the files.

32.111.16.37 had failed login attempts, indicating possible unauthorized access attempts.

The most suspicious IP here is 41.21.18.102, as it’s associated with direct file modifications, possibly indicating unauthorized access.

Step 2: Reviewing Netstat

The netstat output shows active connections and their states:

IP 41.21.18.102 has an ESTABLISHED connection with port 22, commonly used for SFTP.

IP 32.111.16.37 is also attempting connections, and 32.111.16.37 connections are in a TIME_WAIT state, showing prior connections were recently closed.

The netstat output reaffirms 41.21.18.102 is actively connected and potentially involved in malicious activities.

Step 3: Checking the HTTP Access Log

The HTTP Access log shows access to about_us.html:

32.111.16.37 repeatedly accessed /about_us.html with 404 errors, indicating attempts to reach non-existing pages.

41.21.18.102 accessed the 200 status code, showing successful page requests, but since this IP was modifying files directly on the server, it might be testing or verifying changes.

Again, 41.21.18.102 stands out as it matches both successful file modification and page request patterns, while 32.111.16.37 shows unsuccessful attempts.

Step 4: Selecting the IP of Concern

Based on the above analysis:

Answer: 41.21.18.102 should be the IP of concern due to its direct file modifications on critical web files (about_us.html, index.html).

Step 5: Identifying the Indicator of Compromise

Potential indicators include unauthorized file modifications:

Modified index.html file is the correct answer, as it indicates direct changes to website content and is often a clear sign of compromise.

Step 6: Selecting Corrective Actions

To mitigate and prevent further compromise:

Change the password on the “sjames” account: The account was used across various IPs, indicating potential account compromise.

Block external SFTP access: Restricting SFTP to internal IPs only would prevent unauthorized external modifications. Since 41.21.18.102 was external, this would stop similar threats.

Summary

IP of Concern: 41.21.18.102

Indicator of Compromise: Modified index.html file

Corrective Actions:

Change the password on the sjames account

Block external SFTP access

These selections address both the immediate security breach and implement a preventative measure against future unauthorized access.

Explanation84

Aliza

I used these dumps for my recent certification exam and I can say with certainty that they're absolutely valid dumps. The questions were very similar to what came up in the actual exam.

Jakub Mar 31, 2026

That's great to hear. I am going to try them soon.

Inaaya

Are these Dumps worth buying?

Fraser Apr 4, 2026

Yes, of course, they are necessary to pass the exam. They give you an insight into the types of questions that could come up and help you prepare effectively.

Faye

Yayyyy. I passed my exam. I think all students give these dumps a try.

Emmeline Apr 19, 2026

Definitely! I have no doubt new students will find them to be just as helpful as I did.

Stefan

Thank you so much Cramkey I passed my exam today due to your highly up to date dumps.

Ocean Apr 4, 2026

Agree….Cramkey Dumps are constantly updated based on changes in the exams. They also have a team of experts who regularly review the materials to ensure their accuracy and relevance. This way, you can be sure you're studying the most up-to-date information available.

Aryan

Absolutely rocked! They are an excellent investment for anyone who wants to pass the exam on the first try. They save you time and effort by providing a comprehensive overview of the exam content, and they give you a competitive edge by giving you access to the latest information. So, I definitely recommend them to new students.

Jessie Mar 31, 2026

did you use PDF or Engine? Which one is most useful?

Question 85

The Chief Executive Officer (CEO) has notified that a confidential trade secret has been compromised. Which of the following communication plans should the CEO initiate?

Options:

Alert department managers to speak privately with affected staff.

Schedule a press release to inform other service provider customers of the compromise.

Disclose to all affected parties in the Chief Operating Officer for discussion and resolution.

Verify legal notification requirements of PII and SPII in the legal and human resource departments.

Discussion

Question 86

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

Options:

Trends

Risk score

Mitigation

Prioritization

Discussion

Question 87

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

Options:

Firewall logs

Indicators of compromise

Risk assessment

Access control lists