CompTIA CySA+ Exam Questions

Page 2 of 53

21.

What Linux command MOST likely produced this output?

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  2.2 167892 10508 ?        Ss   Nov11   2:03 /sbin/init
root           2  0.0  0.0      0     0 ?        S    Nov11   0:00 [kthreadd]
root           3  0.0  0.0      0     0 ?        I<   Nov11   0:00 [rcu_gp]
root           4  0.0  0.0      0     0 ?        I<   Nov11   0:00 [rcu_par_gp]
root           5  0.0  0.0      0     0 ?        I<   Nov11   0:00 [slub_flushwq]
root           6  0.0  0.0      0     0 ?        I<   Nov11   0:00 [netns]

  • ps aux

  • strings root

  • md5sum --all

  • nmap -sV localhost

Correct answer: ps aux

The Linux ps command provides information on Linux processes such as when they started, their CPU and memory consumption, and the process (command) that initiated them. Users can add additional flags to modify the output of the ps command. The example output in the question is from the "ps aux" command on a Linux system.

The strings command is a Linux utility commonly used to extract printable text strings from binary files.

md5sum is a Linux utility that generates MD5 sums based on a file that is provided as input. The output of the command is "<md5 hash value> <file name>", where <md5 hash value> is the MD5 hash and <file name> is the name of the input file. 

nmap is a popular open-source port scanning utility that supports a variety of flags that modify its behavior.

22.

Raha, an accountant at Acme Inc., installs a file sharing program on their laptop. The file sharing program was not approved by IT and a misconfiguration in Raha's settings led to sensitive accounting information being exposed to any user of the file share service with the URL. Which NIST threat classification BEST describes this incident? 

  • Improper usage

  • Loss or theft of equipment

  • Web

  • External/removable media

Correct answer: Improper usage

NIST (National Institute of Standards and Technology) describes multiple attack vector categories that are useful for classifying threats. Those categories are summarized in the list below.

  • External/removable media: Attack conducted using removable or external media such as a USB drive
  • Attrition: Brute-force style attacks such as a DDoS (Distributed Denial of Service) or trying many passwords to compromise an account
  • Web: Web-based attacks such as XSS (Cross-Site Scripting)
  • Email: Email-based attacks such as a malicious attachment or link in an email message
  • Impersonation: An attack where something malicious replaces something that is typically benign; examples include MiTM (Man-in-the-Middle) attacks and SQL injection attacks
  • Improper usage: Use of a system that violates acceptable use policies but is carried out by an authorized user
  • Loss or theft of equipment: Category for equipment that is lost or stolen
  • Unknown: Origin of attack is not known
  • Other: A catchall category for attack origins that do not fit any other category

23.

Which of the following activities is NOT a common containment activity?

  • Evidence retention

  • Network segmentation

  • Isolation

  • Removing affected systems

Correct answer: Evidence retention

NIST (National Institute of Standards and Technology) SP 800-61 describes a four-phase incident handling process that includes these four phases:

  • Preparation - The phase where teams prepare for incident response with training, documentation, procedure creation, planning, testing, and other preparatory steps 
  • Detection and analysis - The phase dedicated to detecting and identifying threats 
  • Containment, eradication, and recovery - The phase dedicated to eliminating and recovering from security incidents 
  • Post-incident activity - The phase dedicated to root cause analysis, lessons learned, and evidence retention

Network segmentation, isolation, and removing affected systems are all examples of containment activities. 

24.

Which of the following is another name for a Man-in-the-Middle (MiTM) attack?

  • On-path attack

  • Directory traversal attack

  • Remote code execution

  • SSRF attack

Correct answer: On-path attack

On-path attacks, also known as Man-in-the-Middle (MiTM) attacks, occur when an attacker is able to insert themselves into the path of legitimate communications. For example, an attacker who is able to compromise the network between a web server and a client can relay requests and responses between the two while eavesdropping on the content.

Directory traversal occurs when an attacker is able to insert a filesystem path into a request that should not allow them to navigate the filesystem, for example to reach the Linux passwd file.

Remote code execution vulnerabilities occur when an unauthorized attacker can run commands or execute code on a system without physical access to it.

SSRF (Server-Side Request Forgery) attacks are possible when a server accepts a URL as input. If the server is not properly secured, an attacker can trick the server into accessing a URL and retrieving information. 

25.

A database server at Acme Inc. is susceptible to a high-severity vulnerability. Before the server admin can patch the server, they must receive management approval. The management approval process typically takes one week. The delay caused by the approval process is an example of which type of inhibitor to remediation? 

  • Organizational governance 

  • MOU

  • SLA

  • Bastion hosting

Correct answer: Organizational governance 

Organizational governance may include specific approval processes and validations that slow down how quickly a team can implement a remediation such as a patch. A management approval process for a security patch is an example of how organizational governance can become an inhibitor to remediation. 

An MOU (Memorandum of Understanding) is an informal agreement between multiple parties. For IT systems, an MOU may include specific uptime and availability expectations and restrictions on who can work on a system. As a result, an MOU may limit how quickly an organization can implement a remediation for a cybersecurity incident.

SLAs (Service Level Agreements) are official agreements between a service provider and user of a service. An SLA may include specific obligations related to performance and availability that would not be met if certain remediations (e.g., a patch that requires downtime) are implemented.

A bastion host is a system that provides controlled access from one network to another.

26.

An Acme Inc. vendor announces a security vulnerability with a CVSS score of 6.1. There is no patch for the vulnerability. This is an example of what type of vulnerability?

  • Zero-day vulnerabilities 

  • Critical

  • Top 10

  • SLOs

Correct answer: Zero-day vulnerabilities 

Zero-day vulnerabilities are vulnerabilities that are announced without a patch. 

CVSS scores of 9.0–10.0 are considered critical. 6.1 is not. 

Top 10 is a reference to top 10 lists such as the OWASP Top 10 API Security Risks. 

SLOs (Service Level Objectives) are specific, measurable targets (for example, an uptime percentage) used to track whether a vendor or service is meeting its service level commitments.

27.

Acme Inc. uses 25 different SaaS and web applications. Acme Inc. employees are struggling to maintain all the different accounts required for these services and complaining of password fatigue. What technology would BEST help Acme Inc. address this problem?

  • SSO

  • FISMA

  • Webhook

  • PKI

Correct answer: SSO

SSO (Single Sign-On) enables users to authenticate one time with one set of credentials to access multiple systems. SSO reduces password fatigue, limits the risk of password reuse since users aren't creating multiple accounts, reduces the risk of credential exposure on third-party sites since the third-party site does not store the credentials, and requires users to remember fewer passwords, which can reduce support calls and password resets. 

FISMA (Federal Information Security Management Act) applies to government agencies and organizations acting on their behalf. FISMA has various security requirements including requiring a vulnerability management program. 

A webhook is a type of software integration that involves one application or service triggering an action in another application or service using a web request. 

PKI (Public Key Infrastructure) is an asymmetric encryption framework that enables authentication, data confidentiality, and data integrity. Common use cases for PKI include code signing, encrypting data in transit, and generating SSL (Secure Sockets Layer) certificates for websites. 

28.

New Org LLC is a newly formed business. Charlie, the CISO, is responsible for chartering New Org LLC's cybersecurity program. Which of the following is NOT one of the three key objectives of a cybersecurity program?

  • Encryption

  • Confidentiality

  • Integrity

  • Availability

Correct answer: Encryption

Confidentiality, Integrity, and Availability, also known as the CIA triad, are the three key objectives of modern cybersecurity programs.

Encryption can help enable these objectives, but is not a primary objective itself. 

29.

What form of storage media sanitization typically has the LOWEST effectiveness in terms of reducing the chances of data recovery?

  • Clear

  • Destroy

  • Purge

  • Degauss

Correct answer: Clear

NIST SP 800-88 defines three main types of media sanitization. They are:

  • Clear: Clearing uses standard logical techniques like read and write operations; clearing provides protection against basic noninvasive data recovery attempts
  • Purge: Purging uses state-of-the-art lab techniques, such as block erase and cryptographic erase, to sanitize media and make data recovery more difficult than clearing
  • Destroy: Destroying storage media makes data recovery infeasible; disintegration, pulverization, and incineration are examples of destruction techniques

Degaussing is a specific form of purging that uses strong magnetic fields to erase data on magnetic storage media.

30.

Active reconnaissance is likely to capture the MOST data in which of the following scenarios?

  • When scans are run from a trusted server within the network

  • When scans are run from a virtual private cloud to an on-premises network

  • When scans are run from an external wireless network

  • When scans are run from an external wired network

Correct answer: When scans are run from a trusted server within the network

Active reconnaissance is a form of information gathering that typically involves the use of host scanning tools. Performing active reconnaissance from a trusted system is likely to lead to more valuable data being captured because the system is less likely to be blocked by security appliances and network policies. The only answer that involves running scans from a trusted system is "when scans are run from a trusted server within the network." 

31.

When executed from a PowerShell prompt on a Windows 11 computer, what will the PowerShell code below do?

Write-Host "I am a CySA+ candidate!" 

  • Print the text "I am a CySA+ candidate!" in the PowerShell window

  • Generate an error due to the unescaped "!" character

  • Create an empty .ps1 file

  • Create a .ps1 file with the Read-Host command appended to the first line

Correct answer: Print the text "I am a CySA+ candidate!" in the PowerShell window

CySA+ candidates should be familiar with basic PowerShell and Python code. The code in the question would print the text "I am a CySA+ candidate!" in the PowerShell window. It is valid PowerShell code, so it would not create an error. It also does not have any directives or cmdlets to create files, so it would not create any additional files. The "exit" command is used to close a PowerShell window and it is not present in the code sample. 

32.

Which of the following are examples of CHD?

Select all that apply.

  • Cardholder name

  • Primary credit card account number

  • Prescription refill date

  • PCI DSS

  • PII

  • Preexisting conditions 

Correct answer: Cardholder name, Primary credit card account number

CHD (cardholder data) refers to credit card information, such as primary credit card account numbers, cardholder name, and credit card expiration date. CHD is sometimes called PCI (Payment Card Industry) data because of its relevance to PCI DSS (Payment Card Industry Data Security Standard).

PII (personally identifiable information) is a different type of sensitive data.

Prescription refill date and preexisting conditions are not cardholder data.

33.

During what phase of the incident response process would a team typically perform training?

  • Preparation 

  • Detection and analysis

  • Containment, eradication, and recovery

  • Education

Correct answer: Preparation

NIST (National Institute of Standards and Technology) SP 800-61 describes a four-phase incident handling process that includes these four phases:

  • Preparation - The phase where teams prepare for incident response with training, documentation, procedure creation, planning, testing, and other preparatory steps 
  • Detection and analysis - The phase dedicated to detecting and identifying threats 
  • Containment, eradication, and recovery - The phase dedicated to eliminating and recovering from security incidents 
  • Post-incident activity - The phase dedicated to root cause analysis, lessons learned, and evidence retention 

Note that these phases are not "one-and-done" steps and teams will typically cycle through stages and continuously improve. 

34.

What secure coding practice should software developers follow to ENSURE only users with adequate permissions can access a resource?

  • Enforce authentication

  • Encode all output

  • Validate input

  • Parameterize all SQL queries

Correct answer: Enforce authentication

There are several secure coding best practices CySA+ candidates should be familiar with. The list below summarizes six of those best practices.

  • Input validation: Checks inputs to ensure they can be used safely; helps reduce the risk of, or outright prevent, many cybersecurity issues including injection attacks and XSS (Cross-Site Scripting)
  • Output encoding: Converts special characters to a safe equivalent and reduces the risk of XSS
  • Secure session management: Reduces the risk of session hijacking and other session issues
  • Authentication: Forces users to authenticate to access resources, which helps ensure only authorized users can access systems and data
  • Data protection techniques: Includes technologies like encryption that can improve confidentiality and reduce the risk of eavesdropping
  • Parameterized queries: Reduce the risk of SQL injection attacks by using precompiled queries

35.

Which of the following is NOT the responsibility of a certificate authority in the PKI certificate issuance process? 

  • Verifying requestor identity

  • Generating certificates

  • Storing certificates

  • Signing certificates

Correct answer: Verifying requestor identity

A CA (Certificate Authority) is a major component of PKI (Public Key Infrastructure). A CA is responsible for certificate generation, storage, and signing. 

An RA (Registration Authority) is responsible for the verification of the identity of certificate requestors.

36.

Hao, a security engineer at Acme Inc., has been tasked with identifying a port scanning utility with a graphical user interface to help junior security engineers perform penetration testing. Which of the following is a VIABLE option for Hao to recommend? 

  • Angry IP Scanner

  • nmap

  • DKIM

  • Apache httpd2

Correct answer: Angry IP Scanner

Angry IP Scanner is a port scanning utility with a graphical user interface. It requires Java to run and supports modules known as fetchers to extend its functionality. 

nmap is a port scanning utility, but it is a command-line tool. Zenmap is the official nmap graphical user interface.

DKIM (DomainKeys Identified Mail) is an email authentication protocol that lets an organization add a digital signature to outgoing email messages so recipients can verify a message was sent on behalf of a specific domain.

Apache httpd2 is a web server, not a port scanner.

37.

A threat actor compromised a WordPress site and embedded code that includes a malicious link which, if a user is authenticated to Acme Banking Corp.'s website, would execute a funds transfer to the threat actor's account. This is an example of what type of COMMON vulnerability? 

  • CSRF

  • Persistent XSS

  • Reflected XSS 

  • Dereferencing 

Correct answer: CSRF

CSRF (Cross-Site Request Forgery), sometimes called XSRF, is a common vulnerability that rests on the assumption users are often logged into a target website while browsing another website with the same browser. The attacker attempts to get the user to perform an action (e.g., click a link) on one site that would lead to an action on the site the user is authenticated to.  

Persistent XSS, sometimes called stored XSS, occurs when an attacker is able to store (persist) malicious code on a web server. The code then executes when the user accesses or interacts with the affected portion of the website. This is different from CSRF because the attack occurs on the same website. 

Reflected XSS (Cross-Site Scripting) occurs when a threat actor can trick a user into sending a request containing malicious script to a server, which reflects the script back in its response so that it executes in the user's browser. For example, an attacker might include a script as a parameter in a URL sent to the server.

Dereferencing issues typically occur when an unset value (a NULL value) is used in a context where a set value is needed. Typically, this leads to a crash unless the error case is properly handled by the application.

38.

Defining baselines, turning off unused ports, and changing default passwords are all examples of activities related to what type of action plan?

  • Configuration management

  • Awareness, education, and training

  • Compensating controls

  • Patching

Correct answer: Configuration management

The CySA+ exam objectives call out five types of action plans CySA+ candidates should be familiar with. The list below summarizes each one with its description and examples.

Configuration management: Deals with proper configuration, hardening, and creating baseline configurations for systems. Examples:
  • Changing default passwords
  • Using configuration management tools like Ansible

Patching: Deals with applying upgrades to systems to address security issues and software bugs. Examples:
  • Updating an operating system
  • Communicating a maintenance window to apply a patch

Compensating controls: Involves the use of security controls to address a vulnerability that cannot be directly mitigated. Examples:
  • Using a web application firewall to protect against common threats
  • Isolating a vulnerable system

Awareness, education, and training: Deals with educating and training staff on cybersecurity practices and principles. Examples:
  • Training all staff on common social engineering threats
  • Running phishing simulations

Changing business requirements: Modifying business requirements to address a vulnerability. Examples:
  • Changing a policy
  • Updating a software requirements document

39.

An API server provides users with access to resources after they are authenticated using the OAuth 2.0 protocol. The users in this scenario are which of the four parties involved in OAuth flows?

  • Resource Owners 

  • Clients 

  • Resource Servers 

  • Authorization Servers

Correct answer: Resource Owners

There are four parties in OAuth flows. They are: 

  • Clients: Applications used by end users
  • Resource Owners: End users
  • Resource Servers: Servers hosting the protected resources (the service) that resource owners want applications to access
  • Authorization Servers: Servers operated by the identity provider that authorize clients on the resource owner's behalf

The users consuming the APIs in this example are resource owners.

40.

Kalani, a DevSecOps engineer at Acme Inc., makes small modifications to an application and then tests how the modified application performs. The modified application is not intended for production use and Kalani's changes are not intended to be part of the production application at any point in time. This is an example of what type of testing?

  • Mutation testing 

  • Load testing

  • Stress testing

  • Fuzz testing

Correct answer: Mutation testing 

Mutation testing is a form of testing that involves making small changes (mutations) directly to a program. Mutation testing helps identify issues that may occur when developers make changes or with code that is not frequently executed.

Load testing checks that an application works correctly under normal, expected loads.

Stress testing tests an application under loads that exceed normal conditions.

Fuzz testing, also known as fuzzing, is a form of testing where invalid or random data is sent to an application to see how it responds. Fuzz tests are typically automated and useful for uncovering issues like poor error handling and memory leaks.