CompTIA Updated CS0-003 Exam Questions and Answers by katie

The scenario indicates the threat is still active and is appearing across multiple VMs in the same broadcast domain (suggesting lateral movement or propagation within that Layer 2 segment). Since quarantine of a single VM did not stop the threat, the appropriate next step is to broaden containment by isolating the affected subnet / network segment to prevent further spread.

The Sybex CySA+ Study Guide emphasizes that after identifying an incident in progress, responders should move into containment and that containment activities include segmentation and isolation:

Exact extract (Sybex Study Guide):

“After identifying a potential incident in progress, responders should take immediate action to contain the damage… Potential containment activities include network segmentation, isolation, and removal of affected systems.”

It also explains how segmentation (quarantine VLAN) is used to contain compromised systems and protect other systems:

Exact extract (Sybex Study Guide):

“During the early stages of an incident… [responders] built a separate virtual LAN (VLAN) to contain those systems… Putting the systems on this network segment provides some degree of isolation…”

Because the activity is occurring across the broadcast domain, isolating just one VM isn’t enough; the team should continue containment by isolating the subnet/segment where the issue is spreading (Option D). Moving to eradication (Option C) before containment is effective risks continued spread and loss of control.

The vulnerability with the highest CVSS score and an active exploit is Microsoft CVE-2021-34527 (PrintNightmare). Although only present on two instances, its high severity (8.4) and exploitable nature make it a priority. PrintNightmare is a well-known remote code execution vulnerability, which can be a critical risk. According to CompTIA CySA+ and vulnerability management practices, prioritizing based on severity and exploitability is essential, even over the number of instances. Other vulnerabilities listed are less severe or lack active exploitation.

Comprehensive Detailed Explanation:The nmap scan results show that Telnet (port 23) is open. Telnet transmits data, including credentials, in plaintext, which is insecure and should be disabled to enhance security. Here’s an explanation of each option:

A. Disable all protocols that do not use encryption

Explanation: Disabling unencrypted protocols (such as Telnet) reduces exposure to man-in-the-middle (MITM) attacks and credential sniffing. Telnet should be replaced with a secure protocol like SSH, which provides encryption for transmitted data.

B. Configure client certificates for domain services

Explanation: While client certificates enhance authentication security, they are more relevant to services like LDAP over SSL (port 636), which is already secure. This would not address the Telnet vulnerability.

C. Ensure that this system is behind a NGFW

Explanation: A Next-Generation Firewall (NGFW) provides enhanced network security, but it may not mitigate the risks of unencrypted protocols if they are allowed internally.

D. Deploy a publicly trusted root CA for secure websites

Explanation: Public root CAs are used for website authentication and encryption, relevant only if this system is hosting a publicly accessible HTTPS service. It would not impact Telnet security.

The output shows the results of a port scan, which is a technique used to identify open ports and services running on a network host. Port scanning can be used by attackers to discover potential vulnerabilities and exploit them, or by defenders to assess the security posture and configuration of their network devices1

The output lists six ports that are open on the target host, along with the service name and version associated with each port. The service name indicates the type of application or protocol that is using the port, while the version indicates the specific release or update of the service. The service name and version can provide useful information for both attackers and defenders, as they can reveal the capabilities, features, and weaknesses of the service.

Among the six ports listed, two are particularly risky and should be investigated further by the security team: port 23 and port 636.

Port 23 is used by Telnet, which is an old and insecure protocol for remote login and command execution. Telnet does not encrypt any data transmitted over the network, including usernames and passwords, which makes it vulnerable to eavesdropping, interception, and modification by attackers. Telnet also has many known vulnerabilities that can allow attackers to gain unauthorized access, execute arbitrary commands, or cause denial-of-service attacks on the target host23

Port 636 is used by LDAP over SSL/TLS (LDAPS), which is a protocol for accessing and modifying directory services over a secure connection. LDAPS encrypts the data exchanged between the client and the server using SSL/TLS certificates, which provide authentication, confidentiality, and integrity. However, LDAPS can also be vulnerable to attacks if the certificates are not properly configured, verified, or updated. For example, attackers can use self-signed or expired certificates to perform man-in-the-middle attacks, spoofing attacks, or certificate revocation attacks on LDAPS connections.

Therefore, the security team should investigate further why port 23 and port 636 are open on the target host, and what services are running on them. The security team should also consider disabling or replacing these services with more secure alternatives, such as SSH for port 23 and StartTLS for port 6362