CompTIA CySA+ Exam Questions
Page 1 of 53
1.
Amal is a security engineer at Acme Inc. Amal has been tasked with performing active reconnaissance for a penetration test.
Which of the following is an example of a tool Amal is MOST likely to use as part of this task?
-
nmap
-
CWE
-
ISACs
-
DKIM
Correct answer: nmap
Active reconnaissance is information gathering that interacts directly with the target, for example by sending probes to discover live hosts, open ports, and running services (as opposed to passive reconnaissance, which relies only on already-available data). nmap is a popular port scanning and service detection utility that performs exactly this kind of active reconnaissance.
CWEs (Common Weakness Enumerations) are standard types and descriptions of common software security issues.
ISACs (Information Sharing and Analysis Centers) are organizations that help other organizations share and learn about threat information and can provide helpful cybersecurity tools and assistance.
DKIM (DomainKeys Identified Mail) is an email authentication standard in which the sending domain adds a cryptographic signature header to outgoing messages, so that receiving mail servers can verify the message was authorized by that domain and was not altered in transit.
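To make the "active" part concrete, here is an added example (not from the original page) of the technique nmap automates: a TCP connect scan followed by a banner grab. It stands up its own throwaway listener on the loopback interface with a constructed, fake banner so it runs offline; the listener, the banner text and the function names are assumptions for the demo, not a real service.

```python
import socket
import threading
from contextlib import closing

# Constructed for the demo: a fake banner served by a throwaway loopback
# listener. Not a real SSH service.
FAKE_BANNER = b"SSH-2.0-demo_7.9\r\n"


def start_listener(host="127.0.0.1", banner=FAKE_BANNER):
    """Bind an ephemeral port on `host`, serve `banner` to each client from a
    background thread, and return the port number so it can be scanned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: the kernel picks a free port
    srv.listen(16)               # connections queue here even before accept()

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.sendall(banner)
            except OSError:      # a scanner may close before reading; ignore
                pass
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def scan_ports(host, ports, timeout=0.3):
    """TCP connect scan (what `nmap -sT` does): complete the three-way
    handshake on each port. connect_ex() returns 0 when the port accepted
    the connection; a refusal or timeout means closed or filtered."""
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def grab_banner(host, port, timeout=1.0):
    """Service detection in its simplest form (cf. `nmap -sV`): connect and
    read whatever the service volunteers first."""
    with closing(socket.create_connection((host, port), timeout=timeout)) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def demo():
    """Start the constructed listener, scan a small window of ports around
    it, and fingerprint the one that answered."""
    host = "127.0.0.1"
    port = start_listener(host)
    found = scan_ports(host, range(port - 5, port + 6))
    banner = grab_banner(host, port) if port in found else b""
    return port, found, banner


if __name__ == "__main__":
    port, found, banner = demo()
    print(f"listener on {port}; open in window: {found}; banner: {banner!r}")
```

Every probe here is a full TCP connection that the target logs, which is the defining property of active reconnaissance; a real engagement would scope the target ranges and rate-limit the scan, and nmap's SYN scan (`-sS`) avoids completing the handshake.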
2.
Using CVSS, a vulnerability has a 0.22 Confidentiality metric, a 0.56 Integrity metric, and a 0.22 availability metric. What is the ISS (round to the hundredths place)?
-
0.73
-
1
-
0.56
-
0.22
Correct answer: 0.73
The CVSS v3.x ISS (Impact Sub-Score) is calculated using this formula:
1 - ((1-Confidentiality metric) × (1 - Integrity Metric) × (1 - Availability Metric))
Therefore, the formula becomes:
1 - ((1-0.22) × (1 - 0.56) × (1 - 0.22))
1 - (0.78 × 0.44 × 0.78)
1 - 0.267696 = 0.732304
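The metric values in the question are the CVSS v3.1 weights for Low (0.22) and High (0.56) impact, so the vulnerability is C:L/I:H/A:L. The following added example (not part of the original page) reads those letters out of a CVSS v3.x vector string, computes the ISS exactly as the formula above does, and goes one step further than the question by applying the specification's scope scaling to get the Impact sub score. The weights and scaling constants are those published in the CVSS v3.1 specification; the function names are this example's own.

```python
# CVSS v3.1 weights for the Confidentiality, Integrity and Availability
# impact metrics: High, Low, None (from the CVSS v3.1 specification).
CIA_WEIGHTS = {"H": 0.56, "L": 0.22, "N": 0.0}


def iss_from_metrics(c, i, a):
    """Impact Sub-Score: 1 - (1-C)(1-I)(1-A).
    Each (1-x) term is the share of that property left *unaffected*; their
    product is what survives untouched, so 1 minus it is the total impact."""
    return 1 - (1 - c) * (1 - i) * (1 - a)


def parse_vector(vector):
    """Split 'CVSS:3.1/AV:N/.../C:L/I:H/A:L' (or just 'C:L/I:H/A:L') into a
    metric -> value dictionary."""
    metrics = {}
    for part in vector.split("/"):
        if ":" in part:
            key, value = part.split(":", 1)
            metrics[key] = value
    return metrics


def cia_from_vector(vector):
    """Return the (C, I, A) weights for a vector, rejecting incomplete ones."""
    metrics = parse_vector(vector)
    missing = {"C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector is missing {sorted(missing)}")
    try:
        return tuple(CIA_WEIGHTS[metrics[k]] for k in ("C", "I", "A"))
    except KeyError as exc:
        raise ValueError(f"unknown impact value {exc}") from None


def iss_from_vector(vector):
    return iss_from_metrics(*cia_from_vector(vector))


def impact_subscore(iss, scope_changed):
    """CVSS v3.1 Impact: 6.42 x ISS when scope is unchanged; a steeper curve
    when a successful exploit reaches beyond the vulnerable component."""
    if scope_changed:
        return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return 6.42 * iss


def impact_from_vector(vector):
    """Impact sub score for a full vector; scope defaults to Unchanged."""
    scope_changed = parse_vector(vector).get("S", "U") == "C"
    return impact_subscore(iss_from_vector(vector), scope_changed)


if __name__ == "__main__":
    v = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"
    print(f"ISS = {iss_from_vector(v):.6f} -> {round(iss_from_vector(v), 2)}")
    print(f"Impact = {impact_from_vector(v):.4f}")
```

The ISS is a probability-style combination, which is why three partial impacts (0.22, 0.56, 0.22) yield 0.73 rather than their sum; the Impact sub score then rescales that onto the 0 to 10 range used by the base score.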
3.
A threat actor breached Acme Inc.'s network at 01:15 and installed a keylogger on an executive's personal computer. An EDR (Endpoint Detection and Response) agent on the computer detected the keylogger and alerted the Security Operations Center (SOC) by sending an email alert at 02:00. The EDR agent sent follow-up alerts at 02:05 and 02:10. A security engineer read the alert and began working to contain the malware at 02:15. What was the time to respond for this incident?
-
15 minutes
-
10 minutes
-
45 minutes
-
60 minutes
Correct answer: 15 minutes
Incident response metrics and KPIs (Key Performance Indicators) CySA+ candidates should be familiar with include:
- Time to detect - The amount of time between an event that triggered an incident occurring and the event being detected
- Time to respond - The time between incident detection and response activity beginning
- Time to remediate - How long it takes to remediate an issue; this metric is typically significantly more complex than time to detect or time to respond and requires more nuanced communications and explanations
- Alert volume - The number of alerts associated with an incident
In this case, the time to respond is 15 minutes: detection occurred at 02:00 and response activity began at 02:15. The 45-minute option is the time to detect (01:15 breach to 02:00 detection), and the follow-up alerts at 02:05 and 02:10 count toward alert volume, not time to respond.
4.
Acme Inc. is considering using federated identities within their corporate network. Which of the following are common entities involved in federated identities?
Select all that apply.
-
IDP
-
Consumer
-
SASE
-
SPF
-
Supplicant
Correct answer: IDP, Consumer
Three key roles when using federated identities are:
- IDP (identity provider): Provides identities, makes identity-related assertions to relying parties, and releases identity-related information to relying parties
- RP (relying party) or service provider (SP): Provides services to federation members and securely handles user and IDP data
- Consumer: The user of services that may make decisions about identity attributes and provide information to validate identity claims made to an IDP
SASE (Secure Access Service Edge; pronounced "sassy") is a network architecture that combines SD-WAN (Software-Defined Wide Area Networking) with cloud-delivered security functions such as secure web gateways, CASB, zero trust network access, and firewall as a service. It is intended to meet the needs of modern decentralized networks (as opposed to centralized, data center-based networks) and is not a federated identity role.
SPF (Sender Policy Framework) is an email authentication standard that lets a domain publish, in DNS, which mail servers are authorized to send mail on its behalf.
In 802.1X, the software agent running on the device requesting access is known as supplicant software.
5.
A smart camera has been sitting in an Acme Inc. storage room for two years. A network administrator pulls the camera out of storage to replace a failed camera of the same make and model in a hallway. Two days later, a weekly vulnerability scan detects six high severity security issues with the camera. The vulnerabilities were not detected when the previous camera was scanned the week before.
Given the information available, what would be MOST likely to address the security issues?
-
Updating the camera's firmware
-
Disabling SSL version 3
-
Enabling SSH
-
Disabling HTTP
Correct answer: Updating the camera's firmware
Vendor firmware updates address known security issues in a device. The camera of the same make and model that this one replaced did not show these issues the week before, while the replacement sat unpatched in storage for two years, so outdated firmware is the most likely cause and a firmware update the most likely fix.
There is not enough information in the question to suggest that any of the other steps would be likely to address the six vulnerabilities.
6.
Acme Inc. wants to enable third party developers to interface with their web application. Which of the following technologies should they use to offer developers the MOST flexibility?
-
API
-
SNMP
-
Plug-in
-
Honeypot
Correct answer: API
An API (Application Programming Interface) is a programmatic interface to a system that helps enable automation and system integrations.
SNMP (Simple Network Management Protocol) is a protocol commonly used for monitoring network infrastructure.
A plug-in is a program that runs inside of another program.
A honeypot is a decoy system that is intentionally left exposed or vulnerable so that attackers are lured to it and their activity can be observed.
7.
Nur, a senior security engineer that works as part of Acme Inc.'s CSIRT, is following a playbook to respond to a network breach. Nur realizes that the next step in the playbook is not relevant to the current situation and believes that it is best to deviate from the playbook to contain the threat. What should Nur do next?
-
Deviate from the playbook to contain the threat
-
Follow the playbook exactly as written
-
Start the steps in the playbook over to ensure nothing was missed
-
Repeat the previous step in the playbook
Correct answer: Deviate from the playbook to contain the threat
Playbooks are useful tools for creating repeatable, step-by-step incident response processes. However, playbooks cannot account for every scenario and are not a replacement for professional human judgment. If a security engineer on a CSIRT (Computer Security Incident Response Team) uses their judgment to determine that different steps should be taken to address an issue, they should be allowed to make that call. Any deviation should be recorded in the incident log and reviewed afterward so the playbook can be updated.
8.
Which of the following is an example of an open source threat intelligence source?
-
Social media
-
Server logs
-
Firewall logs
-
APTs
Correct answer: Social media
Open source threat intelligence refers to information about threats that come from sources that are available to the general public. Social media, websites, and the dark web are examples of open source threat intelligence sources.
An APT (Advanced Persistent Threat) is a type of sophisticated threat actor.
Server logs and firewall logs are not typically available to the general public.
9.
What portion of a vulnerability report specifies the systems affected by the vulnerability?
-
Affected hosts
-
Risk score
-
Mitigation options
-
Prioritization
Correct answer: Affected hosts
Common elements in a vulnerability report include:
- Vulnerability details: Details such as a CVE (Common Vulnerabilities and Exposures) number and description
- Affected hosts: IP addresses and hostnames of systems found to be vulnerable
- Risk score: Details the risk severity in the context of the organization
- Mitigation options: Ways to mitigate the vulnerability
- Recurrence: How often the vulnerability has reoccurred
- Prioritization: Context that helps prioritize which vulnerabilities should be addressed first
10.
Which of the following is the BEST example of a threat that would be classified as an "attrition" threat using NIST definitions?
-
DDoS
-
MiTM
-
XSS
-
Spear phishing
Correct answer: DDoS
NIST (National Institute of Standards and Technology) SP 800-61 describes multiple attack vector categories that are useful for classifying threats. Those categories are summarized in the table below.
Category | Description |
External/removable media | Attack conducted using removable or external media such as a USB drive |
Attrition | Brute-force style attacks such as a DDoS (Distributed Denial of Service) or trying many passwords to compromise an account |
Web | Web-based attacks such as XSS (Cross-Site Scripting) |
Email | Email-based attacks such as a malicious attachment or link in an email message |
Impersonation | An attack where something malicious replaces something that is typically benign; examples include MiTM (Man-in-the-Middle) attacks and SQL injection attacks |
Improper usage | Use of a system that violates acceptable use but is carried out by an authorized user |
Loss or theft of equipment | Category for equipment that is lost or stolen |
Unknown | Origin of attack is not known |
Other | A catchall category for attack origins that do not meet any other category |
Note that spear phishing is a targeted email-based attack, so it falls under the Email category rather than Attrition.
11.
What is the difference between well-known ports and system ports?
-
They are the same
-
Well-known ports cover a larger range
-
System ports cover a larger range
-
Well-known ports are used on Windows, system ports are used on Linux, Unix, and macOS
Correct answer: They are the same
Understanding port numbers is an important part of network mapping and port scanning. Well-known ports, also known as system ports, are network ports in the range 0–1023. Ports from 1024–49151 are registered ports, which are assigned by the IANA (Internet Assigned Numbers Authority), and ports from 49152–65535 are dynamic (private or ephemeral) ports that are not assigned.
12.
An Acme Inc. web server supports a feature that allows users to specify a URL to an image. A threat actor abuses this feature and inputs a URL to a document that the attacker is not authorized to access and that requires authentication to view. The web server retrieves the document and presents it to the threat actor in their browser. This is an example of what type of COMMON vulnerability?
-
SSRF
-
File inclusion
-
CSRF
-
Directory traversal
Correct answer: SSRF
SSRF (Server-Side Request Forgery) attacks are possible when a server fetches a URL supplied by the user. Because the request originates from the server, an attacker can make it reach resources the server can access but the attacker cannot, such as internal services, cloud metadata endpoints, or documents behind authentication, and return the response. Defenses include allowlisting destinations, resolving and validating the target address before connecting, and blocking private, loopback, and link-local ranges.
CSRF (Cross-Site Request Forgery), sometimes called XSRF, is a common vulnerability that rests on the assumption users are often logged into a target website while browsing another website with the same browser. The attacker attempts to get the user to perform an action (e.g., click a link) on one site that would lead to an action on the site the user is authenticated to.
File inclusion attacks (local or remote) involve an attacker tricking a web application into including, and typically executing, a file of the attacker's choosing by controlling an unsanitized include path; remote file inclusion can lead to execution of attacker-hosted code.
Directory traversal occurs when an attacker inserts filesystem path components such as ../ into a parameter that is used to build a file path, allowing them to read files outside the directory the application intended to expose.
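The SSRF scenario in this question is what the following added example (not from the original page) is meant to stop. It is the validation an image-fetching feature should run on a user-supplied URL before the server makes the request: restrict the scheme and port, reject embedded credentials, resolve the host, and refuse any address that is not globally routable, including IPv4-mapped IPv6 forms and the link-local range that cloud metadata services live in. The deny list, function names and the public test address are this example's own assumptions; the only network activity is a local DNS lookup for hostnames.

```python
import ipaddress
import socket
from typing import NamedTuple
from urllib.parse import urlparse

# Ranges an image fetcher has no business reaching. Listed explicitly, in
# addition to the ipaddress is_* checks, so the policy is readable.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",          # link-local, incl. cloud metadata endpoints
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


class Verdict(NamedTuple):
    ok: bool
    reason: str
    addresses: tuple   # vetted IPs; connect to one of these, not to the name


def is_public_address(ip):
    """True only for a globally routable unicast address. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped first so it cannot smuggle a v4 range."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in DENIED_NETWORKS)


def validate_fetch_url(url):
    """Decide whether the server may fetch `url` on a user's behalf."""
    try:
        parts = urlparse(url)
    except ValueError as exc:
        return Verdict(False, f"unparseable URL: {exc}", ())
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return Verdict(False, f"scheme {parts.scheme!r} not allowed", ())
    if parts.username is not None or parts.password is not None:
        return Verdict(False, "credentials in URL not allowed", ())
    host = parts.hostname
    if not host:
        return Verdict(False, "missing host", ())
    try:
        port = parts.port            # raises ValueError on junk like ':abc'
    except ValueError:
        return Verdict(False, "invalid port", ())
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return Verdict(False, f"port {port} not allowed", ())

    # Resolve now and check *every* address. The caller must then connect to
    # one of the returned IPs (still sending the original Host header) rather
    # than resolving the name a second time, or DNS rebinding defeats this.
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
            candidates = [ipaddress.ip_address(i[4][0]) for i in infos]
        except (socket.gaierror, ValueError) as exc:
            return Verdict(False, f"resolution failed: {exc}", ())
    for ip in candidates:
        if not is_public_address(ip):
            return Verdict(False, f"{host} resolves to non-public {ip}", ())
    return Verdict(True, "ok", tuple(str(ip) for ip in candidates))


if __name__ == "__main__":
    for u in ("http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/", "https://93.184.216.34/image.png"):
        print(u, "->", validate_fetch_url(u))
```

Resolving first and pinning the connection to the vetted IP is the part most home-grown filters miss; a hostname that passes a string check can still point at 127.0.0.1 or 169.254.169.254 at resolution time.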
13.
Izumi, a security analyst at Acme Inc., needs to create a copy of memory from an Ubuntu 22.04 system. Which tool is BEST suited for this task?
-
LiME
-
DumpIT
-
md5sum
-
Wireshark
Correct answer: LiME
Ubuntu 22.04 is a Linux operating system.
LiME (Linux Memory Extractor) is a loadable Linux kernel module that acquires the contents of volatile memory and writes the image to a file or streams it over a TCP connection, so it is the appropriate choice for a Linux host.
DumpIT is a Windows tool for memory capture.
md5sum is a Linux utility that generates an MD5 hash of the file provided as input. Its output is "<md5 hash value>  <file name>" (the digest, two spaces, then the file name). It is used to verify the integrity of a captured image, not to create one.
Wireshark is a popular network analyzer and packet capture utility that includes a Graphical User Interface (GUI).
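Once LiME has written the image, the next step an analyst takes is to hash it so the copy can be proven unaltered later. This added example (not from the original page) streams a file through hashlib in chunks, emits lines in the same "<digest>  <name>" layout as md5sum and sha256sum, and verifies them the way md5sum -c does. It builds its own tiny stand-in for a memory image in a temporary directory; the file name, the constructed contents and the function names are assumptions for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20   # 1 MiB reads: memory images are gigabytes, never read whole


def hash_file(path, algo="md5"):
    """Stream the file through hashlib so a multi-GB image hashes in
    constant memory. Returns the hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def checksum_line(path, algo="md5"):
    """Same layout as md5sum/sha256sum output: digest, two spaces, file name."""
    return f"{hash_file(path, algo)}  {os.path.basename(path)}"


def parse_checksum_line(line):
    """Accept both GNU forms: 'digest  name' (text) and 'digest *name' (binary)."""
    digest, _, rest = line.rstrip("\n").partition(" ")
    name = rest.lstrip(" ")
    if name.startswith("*"):
        name = name[1:]
    return digest, name


def verify_checksum_line(line, directory, algo="md5"):
    """Re-hash the named file and compare, as `md5sum -c` does."""
    digest, name = parse_checksum_line(line)
    return hash_file(os.path.join(directory, name), algo) == digest


def demo():
    """Constructed example: write a stand-in image, record md5 and sha256
    lines as you would right after acquisition, then show verification
    passing and, after a single byte changes, failing."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "ubuntu2204.lime")   # assumed file name
        with open(image, "wb") as f:
            f.write(b"abc")                           # stand-in contents
        md5_line = checksum_line(image, "md5")
        sha_line = checksum_line(image, "sha256")     # record both; MD5 alone is weak
        before = verify_checksum_line(md5_line, d, "md5")
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"x")                             # tamper with one byte
        after = verify_checksum_line(md5_line, d, "md5")
        return {"md5": md5_line, "sha256": sha_line,
                "verify_before": before, "verify_after": after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Record the SHA-256 line alongside the MD5 one: MD5 still detects accidental corruption, but it is collision-broken, so a chain-of-custody record should not rely on it alone.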
14.
Which of the following is the BEST example of risk transference?
-
Purchasing insurance
-
Deploying a firewall
-
Purchasing a load balancer
-
Configuring a firewall
Correct answer: Purchasing insurance
There are four standard risk management strategies CySA+ candidates should be familiar with. They are:
- Risk mitigation - The application of security controls to reduce the impact and/or probability of a risk
- Risk avoidance - The modification of business practices to completely eliminate a risk
- Risk transference - The shifting of impact to another organization or entity (e.g., via purchasing an insurance policy)
- Risk acceptance - The deliberate choice to accept a risk
15.
Dana, a security analyst, uses scanning tools to infer that a device is a specific type of router based on information such as the device's responses to probes, its operating system, and the software it is running. This is an example of what cybersecurity technique?
-
Device fingerprinting
-
Operating system fingerprinting
-
Webhooking
-
Honeypotting
Correct answer: Device fingerprinting
Device fingerprinting is a technique that uses data such as software, services, and operating system information to uniquely identify a device or device type.
Operating system fingerprinting is a technique that enables tools and testers to infer an operating system version based on data, such as TCP and UDP responses, how systems respond to requests, and TCP options supported.
A webhook is a type of software integration that involves one application or service triggering an action in another application or service using a web request.
A honeypot is a decoy system that is intentionally left exposed or vulnerable so that attackers are lured to it and their activity can be observed.
16.
Amal, a senior security engineer at Acme Inc., is helping create guidelines for security incident communications in the organization. Which document would provide Amal with useful information related to security incident communications?
-
NIST SP 800-61
-
OSSTMM
-
OWASP Web Security Testing Guide
-
Cyber Kill Chain
Correct answer: NIST SP 800-61
NIST (National Institute of Standards and Technology) SP (Special Publication) 800-61 is the Computer Security Incident Handling Guide that includes guidelines for communications and incident handling. The CySA+ exam objectives reflect some of the content related to communications from SP 800-61.
OSSTMM (Open Source Security Testing Methodology Manual) is a resource published by ISECOM (the Institute for Security and Open Methodologies) that provides guidance on security testing across human, physical, wireless, telecommunications, and data network channels; it is not an incident communications guide.
The OWASP (Open Web Application Security Project) Web Security Testing Guide is a popular reference that provides detailed information on security testing for web applications.
Lockheed Martin's Cyber Kill Chain is an attack framework that uses seven steps to help frame how an attacker may act against an organization.
17.
An Acme Inc. vulnerability report details information for these vulnerabilities:
Name | CVSS Score | Patch available? |
Database vuln 1 | 6.3 | No |
Web server vuln 1 | 7.9 | Yes |
Web server vuln 2 | 8.8 | Yes |
Endpoint vuln 1 | 8.1 | No |
How many zero-day vulnerabilities are in the list?
-
2
-
0
-
4
-
1
Correct answer: 2
Zero-day vulnerabilities are vulnerabilities that become known (publicly disclosed or actively exploited) before the vendor has released a patch. Two of the four vulnerabilities in the list have no patch available, so the list contains two zero-days. The CVSS score has no bearing on whether a vulnerability is a zero-day.
18.
Which of the following is NOT an example of an on-premises security solution?
-
VPC
-
IDS
-
IPS
-
Firewall
Correct answer: VPC
A VPC (Virtual Private Cloud) is a logically isolated virtual network inside a public cloud provider's infrastructure, with its own address space, subnets, route tables, and network access controls. Because it exists only within cloud infrastructure, it is not an on-premises solution.
A firewall, IPS (Intrusion Prevention System), and IDS (Intrusion Detection System) appliance are all examples of hardware security devices that could be deployed on-premises.
19.
What Linux command provides information about process run times, CPU utilization, and memory consumption?
-
ps
-
df
-
ping
-
Sysinternals
Correct answer: ps
The Linux ps command provides information on Linux processes such as when they started, their CPU and memory consumption, and the process (command) that initiated them. Users can add additional flags to modify the output of the ps command. Here is an example output from the "ps aux" command on a Linux system:
root@server:~# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 2.2 167892 10508 ? Ss Nov11 2:03 /sbin/init
root 2 0.0 0.0 0 0 ? S Nov11 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? I< Nov11 0:00 [rcu_gp]
root 4 0.0 0.0 0 0 ? I< Nov11 0:00 [rcu_par_gp]
root 5 0.0 0.0 0 0 ? I< Nov11 0:00 [slub_flushwq]
root 6 0.0 0.0 0 0 ? I< Nov11 0:00 [netns]
root 8 0.0 0.0 0 0 ? I< Nov11 0:00 [kworker/0:0H-events_highpri]
root 10 0.0 0.0 0 0 ? I< Nov11 0:00 [mm_percpu_wq]
root 11 0.0 0.0 0 0 ? S Nov11 0:00 [rcu_tasks_rude_]
root 12 0.0 0.0 0 0 ? S Nov11 0:00 [rcu_tasks_trace]
root 13 0.0 0.0 0 0 ? S Nov11 0:48 [ksoftirqd/0]
The Linux df command provides information on disk utilization. Users can add additional flags to modify the output of the df command.
The ping command is used to test connectivity between network devices.
Sysinternals is a suite of Windows troubleshooting and monitoring utilities from Microsoft (for example, Process Explorer), not a Linux command.
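Reading ps aux by eye works for a dozen lines; an analyst triaging a host usually wants to parse it. This added example (not from the original page) parses ps aux output into records, ranks processes by a chosen column, and applies a few simple triage rules: very high CPU, a zombie state, and executables running from a temporary directory or a hidden dot-directory. The sample output is constructed for the demo in the same layout as the listing above; the process names, users and the thresholds are assumptions, not real data from the page's server.

```python
PS_COLUMNS = ("USER", "PID", "%CPU", "%MEM", "VSZ", "RSS",
              "TTY", "STAT", "START", "TIME", "COMMAND")

# Constructed sample in the shape of `ps aux`; not real output.
SAMPLE_PS_AUX = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  2.2 167892 10508 ?        Ss   Nov11   2:03 /sbin/init
root         2  0.0  0.0      0     0 ?        S    Nov11   0:00 [kthreadd]
www-data  1423  1.5  3.1 214560 15200 ?        S    Nov12   0:41 /usr/sbin/apache2 -k start
mysql     1109  4.2 18.7 1743200 91040 ?       Ssl  Nov11  55:12 /usr/sbin/mysqld
backup    3072 97.3  0.4  12240  2012 ?        R    10:15   3:58 /tmp/.x/kworkerd -o stratum+tcp://pool.example:3333
alice     2210  0.0  0.1   8456   812 pts/0    Z    09:40   0:00 [sh] <defunct>
"""

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ps_aux(text):
    """Turn `ps aux` text into a list of dicts keyed by PS_COLUMNS.
    COMMAND may contain spaces, so split into at most 11 fields."""
    procs = []
    lines = text.strip().splitlines()
    for line in lines[1:]:                       # skip the header row
        fields = line.split(None, len(PS_COLUMNS) - 1)
        if len(fields) != len(PS_COLUMNS):
            continue                             # malformed or truncated line
        rec = dict(zip(PS_COLUMNS, fields))
        rec["PID"] = int(rec["PID"])
        rec["%CPU"] = float(rec["%CPU"])
        rec["%MEM"] = float(rec["%MEM"])
        rec["VSZ"] = int(rec["VSZ"])
        rec["RSS"] = int(rec["RSS"])
        procs.append(rec)
    return procs


def top_by(procs, column, n=3):
    """Largest n processes by a numeric column, as (PID, COMMAND) pairs."""
    ranked = sorted(procs, key=lambda p: p[column], reverse=True)
    return [(p["PID"], p["COMMAND"]) for p in ranked[:n]]


def flag_suspicious(procs, cpu_threshold=90.0):
    """Apply simple triage rules; returns only the processes that matched."""
    flagged = []
    for p in procs:
        reasons = []
        exe = p["COMMAND"].split()[0]
        if p["%CPU"] >= cpu_threshold:
            reasons.append(f"high CPU ({p['%CPU']}%)")
        if "Z" in p["STAT"]:
            reasons.append("zombie (defunct) process")
        if exe.startswith(TEMP_DIRS):
            reasons.append("executable in a temp/world-writable directory")
        if "/." in exe:
            reasons.append("executable under a hidden dot-directory")
        if reasons:
            flagged.append({"pid": p["PID"], "user": p["USER"],
                            "command": p["COMMAND"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    procs = parse_ps_aux(SAMPLE_PS_AUX)
    print("top memory:", top_by(procs, "RSS"))
    for f in flag_suspicious(procs):
        print(f["pid"], f["user"], f["command"], "->", "; ".join(f["reasons"]))
```

On a live host, feed `ps aux` (or `ps -eo user,pid,pcpu,pmem,vsz,rss,tty,stat,start,time,args`) into parse_ps_aux; the rules are starting points for triage, not verdicts, since build systems and backup jobs legitimately run from /tmp and pin a CPU.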
20.
The web interface of a smart network switch deployed on an Acme Inc. LAN is vulnerable to a user enumeration exploit. Alex, a network engineer at Acme Inc., applied a software update from the switch vendor to address the issue. This is an example of an activity that is part of what type of action plan?
-
Patching
-
Changing business requirements
-
Configuration management
-
Compensating controls
Correct answer: Patching
The CySA+ exam objectives call out five types of action plans CySA+ candidates should be familiar with. The table below summarizes each one.
Category | Description |
Configuration management | Deals with proper configuration, hardening, and creating baseline configurations for systems |
Patching | Deals with applying upgrades to systems to address security issues and software bugs |
Compensating controls | Involves the use of security controls to address a vulnerability that cannot be directly mitigated |
Awareness, education, and training | Deals with educating and training staff on cybersecurity practices and principles |
Changing business requirements | Modifying business requirements to address a vulnerability |