CompTIA CySA+ Exam Questions

Page 10 of 53

181.

Acme Inc. has an office near the ocean. The high humidity in the area contributed to a premature server failure that caused a database to go offline for six hours. The threat in this scenario is an example of which of the four threat categories identified by NIST? 

  • Structural 

  • Adversarial 

  • Accidental 

  • Environmental 

Correct answer: Structural 

NIST (The National Institute of Standards and Technology) identifies four categories of threats. They are:

  • Adversarial threats that try to intentionally harm an organization
  • Accidental threats which can occur when individuals make a mistake
  • Structural threats which can occur when equipment, resources, software, or infrastructure fail or are depleted
  • Environmental threats that stem from disasters (e.g., hurricanes, fires, or power outages) 

While the humidity contributed to the failure, this was not an environmental threat as it did not stem from a disaster. It was a structural threat as a piece of equipment failed. 

182.

Kai, a network administrator at Acme Inc., wants to capture all the DNS traffic going from a Windows server to a local network. Kai has administrator access to the Windows server. Which utility should Kai use to capture the DNS traffic?

  • Wireshark

  • strings

  • md5sum

  • ps

Correct answer: Wireshark

Wireshark is a popular network analyzer and packet capture utility that includes a Graphical User Interface (GUI). Wireshark would enable Kai to capture DNS traffic the Windows server is generating. 

The strings command is a Linux utility commonly used to extract plaintext data from binary files. 

md5sum is a Linux utility that generates MD5 sums based on a file that is provided as input. The output of the command is "<md5 hash value> <file name>", where <md5 hash value> is the MD5 hash and <file name> is the name of the input file. 

ps is a Linux utility that provides information on running processes. 

183.

Which of the following is an example of a cloud assessment tool?

  • Prowler

  • OWASP

  • John the Ripper

  • Let's Encrypt 

Correct answer: Prowler

Scout Suite, Pacu, and Prowler are three popular open-source cloud assessment tools. The CySA+ exam objectives call out these three tools in particular, so CySA+ candidates should be familiar with them. 

OWASP is an organization that focuses on web application security.

John the Ripper is a password cracker. 

Let's Encrypt is a certificate authority. 

184.

Dana, a systems administrator at Acme Inc., is planning to update a database server to address a recently announced CVE that affects the server. Since the update will take the server and associated accounting application offline for four hours, Dana sends an announcement to all affected users notifying them the system will be unavailable from 12:00 p.m. to 4:00 p.m. on Saturday. This announcement is an example of an activity related to what type of action plan?

  • Patching

  • IR communications

  • Awareness, education, and training

  • Compensating controls

Correct answer: Patching

The CySA+ exam objectives call out five types of action plans CySA+ candidates should be familiar with. Each one is summarized below with its description and examples. 

Configuration management - Deals with proper configuration, hardening, and creating baseline configurations for systems. Examples:
  • Changing default passwords
  • Using configuration management tools like Ansible

Patching - Deals with applying upgrades to systems to address security issues and software bugs. Examples:
  • Updating an operating system
  • Communicating a maintenance window to apply a patch

Compensating controls - Involves the use of security controls to address a vulnerability that cannot be directly mitigated. Examples:
  • Using a web application firewall to protect against common threats
  • Isolating a vulnerable system

Awareness, education, and training - Deals with educating and training staff on cybersecurity practices and principles. Examples:
  • Training all staff on common social engineering threats
  • Running phishing simulations

Changing business requirements - Modifying business requirements to address a vulnerability. Examples:
  • Changing a policy
  • Updating a software requirements document

185.

Which of the following is a COMMON use case for Wireshark?

  • Capturing network traffic from a Windows server

  • Extracting plaintext data from a binary file

  • Validating image integrity

  • Listing running processes

Correct answer: Capturing network traffic from a Windows server

Wireshark is a popular network analyzer and packet capture utility that includes a Graphical User Interface (GUI). Capturing network traffic from a server is a common Wireshark use case. Other tools would be better suited for the other use cases listed. 

The strings command is a Linux utility commonly used to extract plaintext data from binary files. 

md5sum is a Linux utility that generates MD5 sums based on a file that is provided as input. The output of the command is "<md5 hash value> <file name>", where <md5 hash value> is the MD5 hash and <file name> is the name of the input file. 

ps is a Linux utility that provides information on running processes. 

186.

Which of the following BEST describes the differences between static code analysis and dynamic code analysis?

  • Static code analysis runs on source code, dynamic code analysis runs during execution of a program

  • Dynamic code analysis runs on source code, static code analysis runs during execution of a program

  • Both run only on source code

  • Both run only during execution of a program

Correct answer: Static code analysis runs on source code, dynamic code analysis runs during execution of a program

Static code analysis, also known as source code analysis, analyzes source code for software flaws and cybersecurity issues. Static code analysis can be performed manually or automatically. 

Dynamic code analysis analyzes software during the execution of a program and provides various inputs to test how the program responds. Dynamic code analysis can be performed manually or automatically, but automatic analysis is typically preferred due to how much testing is often required for effective analysis. 

187.

Which of the following should happen FIRST after an IoC is discovered?

  • Incident responders perform an investigation

  • The CSIRT contains the IoC

  • Incident responders eradicate the IoC

  • A system backup should be created

Correct answer: Incident responders perform an investigation

After an IoC (Indicator of Compromise) is detected, incident responders should determine if there is legitimately an incident or if the IoC is a false positive. If there is legitimately an incident based on responder analysis, an incident is declared. 

Recovery and containment come after an incident is declared. 

188.

What CVSS score range is associated with critical vulnerabilities? 

  • 9.0–10.0

  • 90–100

  • 4–5

  • 95–100

Correct answer: 9.0–10.0

CVSS (Common Vulnerability Scoring System) is a standard for quantifying the severity of a vulnerability. CVSS scores use a 0–10.0 scale. 9.0–10.0 is the CVSS score range for critical vulnerabilities. The number of critical vulnerabilities is a common metric tracked as part of vulnerability management. 

189.

A software bug causes Acme Inc.'s webserver to display detailed information about the configuration of the server in an error message. The message is displayed to all users, including unauthenticated users accessing the system over the internet. This is an example of which software development security issue?

  • Improper error handling 

  • Dereferencing

  • Race condition

  • Broken authentication

Correct answer: Improper error handling

Improper error handling occurs when an error message reveals information that an end user or attacker should not see. For example, a stack trace may reveal detailed information a threat actor can use to help compromise a system. 

Dereferencing typically occurs when an unset value — known as a NULL value — is used in a context where a set value is needed. Typically, this leads to a crash unless the error case is properly handled by the application.

Race conditions are timing-related errors that occur when an application attempts multiple operations at the same time.

Broken authentication refers to improper authentication mechanisms that allow unauthorized users to access information.

190.

Kim, a security engineer at Acme Inc., is reviewing logs to understand recent unusual behavior on the network. During the review, Kim realizes that the network has been breached. This activity BEST aligns with what incident response phase?

  • Detection and analysis

  • Discovery

  • Post-incident activity

  • Enumeration

Correct answer: Detection and analysis

NIST (National Institute of Standards and Technology) SP 800-61 describes a four-phase incident handling process:

  • Preparation - The phase where teams prepare for incident response with training, documentation, procedure creation, planning, testing, and other preparatory steps 
  • Detection and analysis - The phase dedicated to detecting and identifying threats 
  • Containment, eradication, and recovery - The phase dedicated to eliminating and recovering from security incidents 
  • Post-incident activity - The phase dedicated to root cause analysis, lessons learned, and evidence retention 

Note that these phases are not "one-and-done" steps and teams will typically cycle through stages and continuously improve. 

191.

Kai, a security engineer at Acme Inc., needs to validate the integrity of a file as part of an analysis. Which type of algorithm is BEST for this purpose?

  • SHA1

  • AES

  • DES

  • Blowfish

Correct answer: SHA1

Hashing algorithms are one-way functions where a given input reliably produces a given output. MD5, SHA1, and SHA2 are common hashing algorithms used to verify image integrity. While MD5 and SHA1 are not recommended for many cybersecurity use cases, they are still common for validating image integrity.

AES (Advanced Encryption Standard) and DES (Data Encryption Standard) are block ciphers that use symmetric keys and are not typically used as hash functions. Blowfish is also a block cipher.

192.

A threat actor breached Acme Inc.'s network at 01:00 and installed malware on a server. An anti-malware program on the server detected the malware and alerted the Security Operations Center (SOC) by sending a single email alert at 01:10. A security engineer read the email and began proactively working to contain the malware at 01:15. What was the alert volume for this incident? 

  • 1

  • 5

  • 15

  • 10

Correct answer: 1

Incident response metrics and KPIs (Key Performance Indicators) CySA+ candidates should be familiar with include:

  • Time to detect - The amount of time between an event that triggered an incident occurring and the event being detected
  • Time to respond - The time between incident detection and response activity beginning
  • Time to remediate - How long it takes to remediate an issue; this metric is typically significantly more complex than time to detect or time to respond and requires more nuanced communications and explanations
  • Alert volume - The number of alerts associated with an incident

In this case, there was exactly 1 alert. 

193.

Acme Inc. faces the risk of employees stealing spare computer and printer parts from a branch office. Acme Inc. management decides implementing security systems or hiring security guards to prevent office supply theft is too expensive. They decide to do nothing to proactively address this risk. This is an example of which type of risk management strategy?

  • Risk acceptance

  • Risk transference

  • Risk avoidance

  • Risk mitigation

Correct answer: Risk acceptance

There are four standard risk management strategies CySA+ candidates should be familiar with. They are:

  • Risk mitigation - The application of security controls to reduce the impact and/or probability of a risk. 
  • Risk avoidance - The modification of business practices to completely eliminate a risk.
  • Risk transference - The shifting of impact to another organization or entity (e.g., via purchasing an insurance policy).
  • Risk acceptance - The deliberate choice to accept a risk.

In this example, Acme Inc. management's deliberate choice to "do nothing" is an example of risk acceptance. 

194.

The Acme Inc. QA team load tests a web application deployed on a public cloud platform once every month. The testing is typically done during off-peak hours to avoid service disruptions. Due to a misconfiguration in the DevOps pipeline, some of the automated load tests ran during normal business hours and created significant performance degradation because Acme Inc.'s backbone router could not support all the traffic.

Which type of network issue BEST describes this problem?

  • Bandwidth consumption

  • Beaconing

  • Fuzzing

  • Network loop

Correct answer: Bandwidth consumption

Bandwidth consumption issues occur when a significant amount of network bandwidth is consumed and business functions are disrupted or service outages occur as a result. Common causes of bandwidth consumption issues include malicious activity, misconfigurations, and traffic spikes. 

Beaconing is a type of network traffic that enables operators of botnets or other malware that use a command and control model to detect if they have compromised a system, check system status, or perform malicious activity such as running unauthorized commands. 

Fuzz testing, also known as fuzzing, is a form of testing where invalid or random data is sent to an application to see how it responds. Fuzz tests are typically automated and useful for uncovering issues like poor error handling and memory leaks.

A network loop is a misconfiguration in network connections that can lead to rapid bandwidth consumption. 

195.

A threat actor breached Acme Inc.'s network at 01:00 and installed malware on a server. An anti-malware program on the server detected the malware and alerted the Security Operations Center (SOC) by sending a single email alert at 01:10. A security engineer read the email and began proactively working to contain the malware at 01:15. What was the time to respond for this incident? 

  • 5 minutes

  • 10 minutes

  • 15 minutes

  • 1 minute

Correct answer: 5 minutes

Incident response metrics and KPIs (Key Performance Indicators) CySA+ candidates should be familiar with include:

  • Time to detect - The amount of time between an event that triggered an incident occurring and the event being detected
  • Time to respond - The time between incident detection and response activity beginning
  • Time to remediate - How long it takes to remediate an issue; this metric is typically significantly more complex than time to detect or time to respond and requires more nuanced communications and explanations
  • Alert volume - The number of alerts associated with an incident

The incident was detected at 01:10 and the security engineer began their response 5 minutes later at 01:15.

196.

Acme Inc. is considering the pros and cons of threat intelligence sharing. Which of the following is NOT a common use of threat intelligence sharing?

  • For improving confidentiality 

  • As a part of monitoring and detection 

  • For vulnerability management

  • As a part of risk management

Correct answer: For improving confidentiality 

Threat intelligence sharing plays an important role in overall cybersecurity. There are five areas for the use of threat intelligence sharing that CySA+ candidates should be familiar with. They are:

  • As a part of incident response
  • For vulnerability management
  • As a part of risk management
  • To inform and influence security engineering
  • As a part of monitoring and detection 

While threat intelligence sharing may indirectly improve confidentiality by helping an organization learn of new threats or techniques, it is not a direct use like the other answers. 

197.

After conducting a lessons learned session, the Acme Inc. security operations team identified four corrective actions the organization should implement. Which component of an incident response report should include details on these corrective actions?

  • Recommendations

  • Evidence 

  • Executive summary

  • Timeline

Correct answer: Recommendations

There are several incident response report components CySA+ candidates should be familiar with. The components and their purpose are summarized below. 

  • Executive summary - Short description that explains the incident, impact, and current state at a high level
  • 5W's - The narrative that describes the who, what, when, where, and why related to the incident
  • Recommendations - Typically based on lessons learned activities, this section documents what corrective actions should be performed
  • Timeline - The sequence of events associated with an incident. This section can help identify if responses occurred in a timely fashion or not
  • Impact assessment - Details on the overall impact an incident had on an organization (e.g., financial or reputational damage)
  • Scope - Covers what services, systems, and other aspects of an organization were affected by the incident
  • Evidence - Specific data and details from the incident investigation. Evidence may be included as a separate appendix or as part of the report

198.

Information from what source would MOST likely indicate that impossible travel may have occurred?

  • Authentication logs

  • DNS logs 

  • NTP server

  • ISACs

Correct answer: Authentication logs

Impossible travel is a form of abnormal user activity. Impossible travel occurs when a user is recorded logging in from different geographical locations within a timeframe that would be impossible for a human. For example, it's not possible for a human to travel from Canada to England in ten minutes. An authentication log would contain this sort of login information. 

DNS (Domain Name System) logs would contain information related to DNS lookups. 

NTP (Network Time Protocol) servers are used for time synchronization. 

ISACs (Information Sharing and Analysis Centers) are organizations that help other organizations share and learn about threat information and can provide helpful cybersecurity tools and assistance. 

199.

Dani, a security architect at Acme Inc., is tasked with enumerating all the Acme Inc. devices exposed on the public Internet. What technique is BEST suited for this task?

  • Edge discovery

  • Security controls testing

  • Rainbow tabling

  • Penetration testing

Correct answer: Edge discovery

Attack surface management activities encompass the different actions an organization can take to discover, test, and protect their overall attack surface. Common attack surface management activities include:

  • Edge discovery - Scans that identify an organization’s systems that are exposed to the public
  • Passive discovery - Techniques that monitor network traffic to detect assets that other scans may miss
  • Security controls testing - Tests that verify if existing security controls work as intended
  • Penetration testing and adversary emulation - Tests where threat actor behavior is emulated to discover issues in systems and security controls

Rainbow tables are used to check password hashes against a list of known hashes. 

200.

How many standard Cisco log levels are there?

  • 8

  • 7

  • 21

  • 11

Correct answer: 8

The eight standard Cisco log levels are:

  • Level 0 - Emergencies
  • Level 1 - Alerts
  • Level 2 - Critical
  • Level 3 - Errors
  • Level 4 - Warnings
  • Level 5 - Notifications
  • Level 6 - Informational
  • Level 7 - Debugging

The higher the log level number, the more information is included in the associated logs. Each higher-numbered log level includes the log messages from the lower-numbered levels. For example, Alerts (Level 1) include more log messages than Emergencies (Level 0) because Alerts include Level 1 and Level 0 messages.