CompTIA Updated CS0-002 Exam Questions and Answers by ozzie

The Common Vulnerability Scoring System (CVSS) is a standard for measuring the severity of vulnerabilities in software systems. One of the factors that affects the CVSS score is the attack vector, which describes how the vulnerability can be exploited. The possible values for the attack vector are network, adjacent network, local, or physical. In this case, the analyst should choose local as the value for the attack vector, because the Tomcat configuration file must be modified for the attack to be successful, which implies that the attacker needs local access to the system. Network, adjacent network, or physical are not appropriate values for the attack vector in this scenario. Reference: https://www.first.org/cvss/v3.1/specification-document#Vector-String

SSH stands for Secure Shell, which is a protocol that allows remote access and administration of a server. If the organization has a policy that services must run on standard ports and unneeded services must be disabled, then SSH should be disabled on both servers, because it runs on port 22, which is not a standard port for a web server or a database server, and it is not needed for those servers to function properly. Disabling HTTPS on 192.168.10.1, disabling IIS on 192.168.10.1, disabling DNS on 192.168.10.1, or disabling MSSQL on 192.168.10.2 are not appropriate actions, because they would affect the functionality of the web server or the database server and violate the organization’s policy of running services on standard ports. Reference: https://www.ssh.com/ssh/port

The suspicious event was able to accomplish establishing persistence by creating a registry change that runs a command shell process every time a user logs on. The registry change modifies the Userinit value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, which specifies what programs should run when a user logs on to Windows. By appending “cmd.exe,” to the existing value, the event ensures that a command shell process will be launched every time a user logs on, which can allow the attacker to maintain access to the system or execute malicious commands. The other options are not related to the registry change. References: CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives (CS0-002), page 10; https://docs.microsoft.com/en-us/windows/win32/sysinfo/userinit-entry

Spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege are part of a known threat modeling method called STRIDE. STRIDE is a mnemonic that stands for six categories of threats that can affect the security of a system or application. STRIDE was developed by Microsoft in 1999 and has been widely adopted as a threat modeling method by many organizations. STRIDE can help identify and prioritize potential threats based on their impact and likelihood1.