CompTIA CS0-003 - CompTIA CyberSecurity Analyst CySA+ Certification Exam

The best action for the incident response team to recommend in this scenario is to perform no action until HR or legal counsel advises on next steps. This action can help avoid any potential legal or ethical issues, such as violating employee privacy rights, contractual obligations, or organizational policies. This action can also help ensure that any evidence or information collected from the employee’s system or network is admissible and valid in case of any legal action or dispute. The incident response team should consult with HR or legal counsel before taking any action that may affect the employee’s system or network.

CompTIA CySA+ CS0-003 explicitly lists “proprietary systems” as an inhibitor to remediation (i.e., a common obstacle that can delay or block patching/remediation).

Why D (Proprietary systems) is most likely to cause obstacles:

Proprietary systems often require vendor-provided patches, may have restricted modification, and can create delays due to vendor response time and dependencies on vendor updates. The Secbay Press guide explains that proprietary systems can be challenging due to “restricted access, dependencies on vendor updates, and potential delays in patching.”

The Sybex Study Guide also describes that proprietary systems may not have patches available quickly (or at all), and that vendor support requirements can conflict with vulnerability management needs:Exact extract (Sybex Study Guide): “Proprietary systems… may not have patches available or may have specific requirements placed on them by vendors… creating a conflict between vulnerability management policies and functional or business requirements.”

Why the other options are less “most likely” here:

A (Not meeting an SLA) is typically an outcome (a consequence) rather than the obstacle itself. The inhibitor is the SLA constraints, not “not meeting it.” CompTIA objectives list SLA as an inhibitor, not “not meeting an SLA.”

B (Patch prioritization) is a normal vulnerability management activity, not typically categorized as an inhibitor/obstacle in the CS0-003 inhibitor list.

C (Organizational governance) is also an inhibitor (bureaucracy/change control can slow remediation), but proprietary systems are often the most “hard-blocking” because you may be unable to patch without vendor action/support. Both are valid inhibitors, but “most likely” in practice (especially in exam framing) commonly points to vendor-controlled/proprietary constraints.

References (CompTIA CySA+ CS0-003 documents / study guides used):

CompTIA CS0-003 Exam Objectives v4.0: “Inhibitors to remediation” includes proprietary systems

Secbay Press CS0-003: Proprietary systems create remediation challenges due to vendor dependency and patch delays

Sybex CS0-003 Study Guide: proprietary systems may restrict patching and vendor support requirements can block remediation

A mean time to remediate (MTTR) is a metric that measures how long it takes to fix a vulnerability after it is discovered. A MTTR of 30 days would best protect the organization from the new attacks that are exploited 45 days after a patch is released, as it would ensure that the vulnerabilities are fixed before they are exploited

OpenVAS is an open-source tool that performs comprehensive vulnerability scanning and assessment on the network. It can generate reports and evidence of the scan results, which can be used for auditingpurposes. References: CompTIA CySA+ Study Guide: Exam CS0-003, 3rd Edition, Chapter 5, page 199; CompTIA CySA+ CS0-003 Certification Study Guide, Chapter 5, page 207.

A “network data closet” attack is a physical-environment incident (hardware, cabling, physical access/tampering). Proper documentation in such cases includes documenting the scene and physical state of impacted items so that investigators can reconstruct what was present, what was changed, and how things were connected.

The All-in-One CySA+ guide explicitly states that an important step is documenting the physical environment and that an easy way is to take lots of photos of the scene:

Exact extract (All-in-One Exam Guide):

“Another important… step is to document the entire physical environment around a device. An easy way to do this is to take lots of photos of the scene.”

Why the other options are less correct:

A is a recovery/ops task, not primary incident documentation of a physical attack scene.

B may be useful in some contexts, but the best practice for a physical incident scene is to photograph impacted items and surroundings.

C can help later, but it’s not the first/best documentation action for a physical tampering incident compared to capturing the scene as-found.

The correct answer is B. Adversary emulation.

Adversary emulation is a technique that involves mimicking the tactics, techniques, and procedures (TTPs) of a specific threat actor or group to test the effectiveness of the security controls and incident response capabilities of an organization1. Adversary emulation can help identify and address the gaps and weaknesses in the security posture of an organization, as well as improve the readiness and skills of the security team. Adversary emulation can also help measure the dwell time, which is the duration that a threat actor remains undetected inside the network2.

The other options are not the best techniques to meet the CISO’s goals. Vulnerability scanning (A) is a technique that involves scanning the network and systems for known vulnerabilities, but it does not simulate a real attack or test the incident response capabilities. Passive discovery © is a technique that involves collecting information about the network and systems without sending any packets or probes, but it does not identify or exploit any vulnerabilities or test the security controls. Bug bounty (D) is a program that involves rewarding external researchers or hackers for finding and reporting vulnerabilities in an organization’s systems or applications, but it does not focus on a specific threat actor or group.

The Diamond Model of Intrusion Analysis focuses on understanding the relationships between the adversary, their capabilities, infrastructure, and victim. It provides a structured approach to examining how attackers exploit information assets. According to CompTIA CySA+, this model is valuable for detailing attack patterns and understanding the infrastructure attackers use. The other options, like Structured Threat Information Expression (A) and OWASP Testing Guide (B), address threat data sharing and web application testing, respectively, while the Open Source Security Testing Methodology Manual (OSSTMM) (C) covers general security testing procedures.

The best practice that the company should follow with this proxy is to decommission the proxy. Decommissioning the proxy involves removing or disposing of the proxy from the rack and the network, as well as deleting or wiping any data or configuration on the proxy. Decommissioning the proxy can help eliminate the vulnerability on the proxy, as well as reduce the attack surface, complexity, or cost of maintaining the network. Decommissioning the proxy can also free up space or resources for other devices or systems that are in use or needed by the company.

The best priority based on common attack frameworks for a new program to reduce attack surface risks and threats as part of a zero trust approach is to reduce the administrator and privileged access accounts. Administrator and privileged access accounts are accounts that have elevated permissions or capabilities to perform sensitive or critical tasks on systems or networks, such as installing software, changing configurations, accessing data, or granting access. Reducing the administrator and privileged access accounts can help minimize the attack surface, as it can limit the number of potential targets orentry points for attackers, as well as reduce the impact or damage of an attack if an account is compromised.

Intrusion Detection Systems (IDS) logs provide visibility into network traffic patterns and can help detect insecure or unusual connections. These logs will show if non-secure protocols are used, potentially revealing exposed credentials. According to CompTIA CySA+, IDS logs are essential for identifying malicious activity related to communications and network intrusions. Options like DNS (A) and tcpdump (B) provide network details, but IDS specifically monitors for intrusions and unusual activities relevant to security incidents.