CompTIA CS0-003 - CompTIA CyberSecurity Analyst CySA+ Certification Exam

SQL injection is a type of attack that injects malicious SQL statements into a web application’s input fields or parameters, in order to manipulate or access the underlying database. The request shown in the image contains an SQL injection attempt, as indicated by the “UNION SELECT” statement, which is used to combine the results of two or more queries. The attacker is trying to extract information from the database by appending the malicious query to the original one

Deploying an additional layer of access controls to verify authorized individuals is the best compensating control for the authentication vulnerability that could bypass the primary control. A compensating control is a security measure that is implemented to mitigate the risk of a vulnerability ora threat when the primary control is not sufficient or feasible. A compensating control should provide a similar or greater level of protection as the primary control, and should be closely related to the vulnerability or the threat it is addressing1. In this case, the primary control is to restrict access to a sensitive database, and the vulnerability is an authentication bypass. Therefore, the best compensating control is to deploy an additional layer of access controls, such as multifactor authentication, role-based access control, or encryption, to verify the identity and the authorization of the individuals who are accessing the database. This way, the compensating control can prevent unauthorized access to the database, even if the primary control is bypassed23. Running regular penetration tests, conducting regular security awareness training, and implementing intrusion detection software are all good security practices, but they are not compensating controls for the authentication vulnerability, as they do not provide a similar or greater level of protection as the primary control, and they are not closely related to the vulnerability or the threat they are addressing. References: Compensating Controls: An Impermanent Solution to an IT … - Tripwire, What is Multifactor Authentication (MFA)? | Duo Security, Role-Based Access Control (RBAC) and Role-Based Security, [What is a Penetration Test and How Does It Work?]

The tcpdump filter (udp and port 53) isolates DNS traffic. In the output, the analyst can see DNS queries/responses, including PTR lookups and NXDomain responses. What makes this suspicious is the context (“unusual volume of traffic”) combined with the appearance of encoded/high-entropy-looking content embedded in the DNS-related data in the capture.

This pattern strongly aligns with DNS tunneling, a technique used to move data (including stolen data) inside DNS queries because DNS (port 53) is widely allowed and often less inspected. In other words, the capture indicates a covert channel over DNS consistent with data exfiltration.

The All-in-One CySA+ CS0-003 guide explicitly describes DNS tunneling as an exfiltration method:

Exact extract (All-in-One Exam Guide):

“Domain Name System (DNS) tunneling, for example, is a method of sending data via encoded DNS queries… Hunters will need to keep an eye out for abnormal DNS queries or unusually high query volumes.”

That maps directly to this scenario:

You were told there is an unusual volume of traffic.

The traffic is DNS (UDP/53).

The output shows encoded/abnormal-looking DNS content, consistent with “sending data via encoded DNS queries.”

The Sybex CySA+ Study Guide reinforces that DNS queries can be used as covert channels (including encoded/encrypted data inside DNS requests), and that abnormal DNS patterns are IoCs:

Exact extract (Sybex Study Guide):

“DNS tunneling is another potential issue that can be monitored… DNS queries that include encoded or encrypted data are potential IoCs to watch for.”

Why the other options are not supported by the pcap output

A (Meterpreter payload delivery): Meterpreter delivery is not something you’d typically conclude from DNS-only traffic unless you see very specific exploit/payload staging indicators; the capture shown is DNS query/response behavior consistent with tunneling, not a clear Meterpreter staging pattern.

C (SQL injection): SQLi evidence is normally visible in HTTP(S) requests, parameters, URIs, or server responses—nothing in the DNS-only view indicates SQLi payloads.

D (DNSSEC): DNSSEC would be indicated by DNSSEC-specific records/flags (e.g., DNSKEY/DS/RRSIG/NSEC, DO bit usage). The shown traffic is not presented as DNSSEC validation traffic; the suspicious element is encoded/high-entropy data consistent with tunneling.

E (Normal Unix-based traffic): “Normal” is contradicted by the scenario’s stated unusual traffic volume and by the presence of encoded/abnormal DNS content consistent with tunneling IoCs.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): DNS tunneling = sending data via encoded DNS queries; watch for abnormal queries / high volume

Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): DNS tunneling and DNS queries containing encoded/encrypted data are IoCs

Under the terms of PCI DSS, an organization that has experienced a breach of customer transactions should report the breach to the card issuer. The card issuer is the financial institution that issues the payment cards to the customers and that is responsible for authorizing and processing the transactions. The card issuer may have specific reporting requirements and procedures for the organization to follow in the event of a breach. The organization should also notify other parties that may be affected by the breach, such as customers, law enforcement, or regulators, depending on the nature and scope of the breach. Official References: https://www.pcisecuritystandards.org/

This is a type of web application vulnerability called cross-site scripting (XSS), which allows an attacker to inject malicious code into a web page that is viewed by other users. XSS can be used to steal cookies, session tokens, credentials, or other sensitive information, or to perform actions on behalf of the victim.

Input sanitization is a technique that prevents XSS attacks by checking and filtering the user input before processing it. Input sanitization can remove or encode any characters or strings that may be interpreted as code by the browser, such as < , > , " , ' , or javascript:. Input sanitization can also validate the input against a predefined format or range of values, and reject any input that does not match.

Output encoding is a technique that prevents XSS attacks by encoding the output before sending it to the browser. Output encoding can convert any characters or strings that may be interpreted as code by the browser into harmless entities, such as < , > , " , ' , or javascript:. Output encoding can also escape any special characters that may have a different meaning in different contexts, such as , /, or ;.

Code obfuscation is a technique that makes the source code of a web application more difficult to read and understand by humans. Code obfuscation can use techniques such as renaming variables and functions, removing comments and whitespace, replacing literals with expressions, or adding dummy code. Code obfuscation can help protect the intellectual property and trade secrets of a web application, but it does not prevent XSS attacks.

SIEM (Security Information and Event Management) technology aggregates and analyzes activity from many different resources across your IT infrastructure. The description of correlating information from various sources and triggering notifications aligns with the capabilities of a SIEM system.

SLA (Service Level Agreement) is the best term to describe the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m., as it reflects the agreement between a service provider and a customer that specifies the services, quality, availability, and responsibilities that are agreed upon. An SLA is a common type of document that is used in various industries and contexts, such as IT, telecom, cloud computing, or outsourcing. An SLA typically includes metrics and indicators to measure the performance and quality of the service, such as uptime, response time, or resolution time. An SLA also defines the consequences or remedies for any breaches or failures of the service, such as penalties, refunds, or credits. An SLA can help to manage customer expectations, formalize communication, improve productivity, and strengthen relationships. The other terms are not as accurate as SLA, as they describe different types of documents or concepts. LOI (Letter of Intent) is a document that outlines the main terms and conditions of a proposed agreement between two or more parties, before a formal contract is signed. An LOI is usually non-binding and expresses the intention or interest of the parties to enter into a future agreement. An LOI can help to clarify the key points of a deal, facilitate negotiations, or demonstrate commitment. MOU (Memorandum of Understanding) is a document that describes a mutual agreement or cooperation between two or more parties, without creating any legal obligations or commitments. An MOU is usually more formal than an LOI, but less formal than a contract. An MOU can help to establish a common ground, define roles and responsibilities, or outline expectations and goals. KPI (Key Performance Indicator) is a concept that refers to a measurable value that demonstrates how effectively an organization or individual is achieving its key objectives or goals. A KPI is usually quantifiable andspecific, such as revenue growth, customer satisfaction, or employee retention. A KPI can help to track progress, evaluate performance, or identify areas for improvement.

This answer matches the description of the zero-day threat. The attack vector is network (AV:N), the attack complexity is low (AC:L), no privileges are required (PR:N), no user interaction is required (UI:N), the scope is unchanged (S:U), the confidentiality and integrity impacts are high (C:H/I:H), and the availability impact is low (A:L). Official References: https://nvd.nist.gov/vuln-metrics/cvss

The first step should be to perform a public search for malware reports on taskhw.exe, as this file is suspicious for several reasons: it is located in a non-standard path, it has a high CPU usage, it is signed by an unknown entity, and it is only present on one host. A public search can help to determine if this file is a known malware or a legitimate program. If it is malware, the hunter can then take appropriate actions to remove it and prevent further damage. The other options are either premature or ineffective, as they do not provide enough information to assess the threat level of taskhw.exe. References: Cybersecurity Analyst+ - CompTIA, taskhw.exe Windows process - What is it? - file.net, Taskhostw.exe - What Is Taskhostw.exe & Is It Malware? - MalwareTips Forums

To determine which system to remediate first using only CVSS vectors, the analyst should prioritize the vulnerability that is most severe and most easily exploitable, especially when it is exploitable over the network and requires no privileges and no user interaction.

The Web server has the most dangerous combination of exploitability and impact:

Attack Vector = Network (AV:N) → exploitable remotely over a network

Attack Complexity = Low (AC:L) → no special conditions required

Privileges Required = None (PR:N) → attacker doesn’t need credentials

User Interaction = None (UI:N) → no user action required

Impact = High for Confidentiality, Integrity, and Availability (C:H / I:H / A:H) → full compromise potential

The Sybex CySA+ Study Guide explains that CVSS provides a 0–10 severity score and that analysts must be able to interpret key metrics like Attack Vector, Attack Complexity, Privileges Required, User Interaction, and Impact.

The All-in-One guide defines Attack Vector and notes that the more remote the vector, the higher the score (Network is remotely exploitable).

And Secbay Press states that organizations use CVSS as a basis for prioritization, typically addressing higher scores first.

Exact extract (Secbay Press): “Organizations often use CVSS scores as a basis for prioritizing vulnerabilities, addressing those with higher scores first.”

Why the other assets are lower priority than the Web server (based on the vectors)

File server (AV:L) is local attack vector, meaning the attacker must already have local access; that generally reduces priority compared to a remotely exploitable (AV:N) issue. (Attack vector definitions and scoring emphasize Network vs Local distinctions.)

Mail server (AC:H) requires high attack complexity, lowering exploitability compared to the Web server’s AC:L.

Domain controller (PR:R, UI:R) requires privileges and user interaction, which lowers exploitability compared to PR:N/UI:N on the Web server.

Bottom line: The Web server is the most immediately dangerous because it is remotely exploitable (AV:N) with low complexity (AC:L), requires no privileges (PR:N) and no user interaction (UI:N), and has high impact across C/I/A—making it the strongest candidate for first remediation under CVSS-based prioritization.

References (CompTIA CySA+ CS0-003 documents / study guides used):

Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): CVSS used to prioritize; higher scores addressed first

Mike Chapple & David Seidl, CompTIA CySA+ Study Guide (CS0-003): CVSS metrics and interpretation (AV/AC/PR/UI/Impact) and severity score concept

Mya Heath et al., CompTIA CySA+ All-in-One Exam Guide (CS0-003): Attack Vector/Attack Complexity definitions; remote vectors score higher