CompTIA CySA+ Exam Questions

Page 3 of 53

41.

A threat actor uses a custom suite of scripts they developed to compromise a web server at Acme Inc. Using the Diamond Model of Intrusion Analysis, which Core Feature best describes Acme Inc. in this scenario?

  • Victim

  • Target

  • Infrastructure owner

  • Protector

Correct answer: Victim

Adversary, capability, infrastructure, and victim are the four vertices that make up the diamond in the Diamond Model of Intrusion Analysis. These are known as Core Features. Adversaries use capabilities that target a victim's infrastructure. In this example, Acme Inc. was the victim that had their infrastructure targeted. 

42.

The Acme Inc. finance department and accounting department both use an internal web application for critical business functions. A threat actor breached the Acme Inc. network and took down the network link that provides the accounting department with access to the web application. The accounting department could not access the web application for five hours. The finance department's access was uninterrupted. Which functional impact categorization should be given to this incident?

  • Medium

  • High

  • Low

  • None

Correct answer: Medium

NIST (National Institute of Standards and Technology) recommends these four categorizations of functional impact:

  • None - No effect on an organization’s ability to provide services to all of their users
  • Low - All critical services can still be provided, but an efficiency loss occurred
  • Medium - A critical service cannot be provided to some users
  • High - A critical service cannot be provided to any users

43.

802.1X is typically used to implement what?

  • NAC

  • SNMP

  • DKIM

  • VDI

Correct answer: NAC

802.1X is an authentication protocol typically used to implement NAC (Network Access Control). 

DKIM (DomainKeys Identified Mail) is a protocol that enables organizations to include content in email messages that can verify an email message was sent from a specific domain. 

VDI (Virtual Desktop Infrastructure) is a form of virtualization that provides access to desktop operating systems by streaming them from centralized hardware.

SNMP (Simple Network Management Protocol) is a protocol typically used for monitoring and managing network devices. 

44.

Acme Inc. decides NOT to provide employees with work cellphones. Acme Inc. management made this decision because they felt the risk of data compromise on mobile devices outweighed the productivity benefits of providing employees with work-issued cellphones. This is an example of what type of risk management strategy?

  • Risk avoidance

  • Risk mitigation

  • Risk transference

  • Risk acceptance

Correct answer: Risk avoidance

There are four standard risk management strategies CySA+ candidates should be familiar with. They are:

  • Risk mitigation - The application of security controls to reduce the impact and/or probability of a risk.
  • Risk avoidance - The modification of business practices to completely eliminate a risk.
  • Risk transference - The shifting of impact to another organization or entity (e.g., via purchasing an insurance policy).
  • Risk acceptance - The deliberate choice to accept a risk.

Not issuing work cell phones eliminates the risk of compromise of data that would otherwise have been intentionally made available on those phones. Because the business practice was changed to remove the risk entirely, this is an example of risk avoidance.

45.

Using NIST terminology, what team is typically responsible for responding to computer security incidents within an organization? 

  • CSIRT

  • SCAP

  • FISMA 

  • OSINT

Correct answer: CSIRT

According to NIST (National Institute of Standards and Technology) definitions, a CSIRT (Computer Security Incident Response Team) is a team responsible for responding to security incidents.

SCAP (Security Content Automation Protocol) is an effort — led by NIST — to standardize aspects of reporting cybersecurity information and enable automation.

OSINT (Open Source Intelligence) is data collected and analyzed from publicly available sources such as websites, social media, and WHOIS records. 

FISMA (Federal Information Security Management Act) applies to government agencies and organizations acting on their behalf. FISMA has various security requirements, including requiring a vulnerability management program. 

46.

What type of information does the netstat command typically display in its output?

  • Open ports and network statistics

  • Detailed DNS records

  • ICMP packets and headers

  • A list of revoked certificates

Correct answer: Open ports and network statistics 

netstat is a command-line utility used for displaying network statistics and open ports on a system. 

nslookup is used for looking up DNS (Domain Name System) related information.

ping is a command line utility that uses ICMP (Internet Control Message Protocol) to test connectivity between endpoints. 

A CRL (Certificate Revocation List) is a list of certificates a CA has invalidated or cancelled. 

47.

What does this Linux command do?

grep -i exam cysa.log

  • Search the file "cysa.log" for the text "exam"

  • Italicize all instances of the word "exam" in the file "cysa.log"

  • Copy the contents of the file "cysa.log" to a new file named "exam"

  • Copy the contents of the file "exam" to a new file named "cysa.log"

Correct answer: Search the file "cysa.log" for the text "exam"

The grep command is used to search files for patterns and return content that matches. The grep command supports different flags that modify its behavior. For example, the -i flag makes a grep search case insensitive (case sensitive is the default behavior). 

48.

Which of the following is the BEST example of a vulnerability?

  • A webserver affected by CVE-2014-0160

  • A script kiddie

  • An insider threat

  • A darknet

Correct answer: A webserver affected by CVE-2014-0160

A vulnerability is a weakness in a system or process that could allow an exploit or attack. CVE-2014-0160 (the Heartbleed bug) is a well-known vulnerability.

A script kiddie and an insider threat are both threat actors that might exploit a vulnerability.

A darknet is a pool of unused IP addresses that are monitored to detect potential attackers and identify malicious patterns. 

49.

What is the primary responsibility of a CSIRT?

  • Incident response

  • Compliance 

  • Fuzz testing

  • SSL certificate validation

Correct answer: Incident response

According to NIST (National Institute of Standards and Technology) definitions, a CSIRT (Computer Security Incident Response Team) is a team responsible for responding to security incidents.

While compliance, testing, and SSL (Secure Sockets Layer) certificates may be involved in a specific incident, they are not a CSIRT's primary responsibility. 

50.

Kai, a security engineer at Acme Inc., is performing a fuzz test on an application. Which of the following steps is Kai LIKELY to take during the test?

  • Send invalid data to the application

  • Review the source code of the application

  • Run a port scan on the server hosting the application

  • Deploy the source code to production

Correct answer: Send invalid data to the application

Fuzz testing, also known as fuzzing, is a form of testing where invalid or random data is sent to an application to see how it responds. Fuzz tests are typically automated and useful for uncovering issues like poor error handling and memory leaks.

A fuzz test would not typically require a port scan, source code review, or production deployment. 

51.

The Acme Inc. software development team has struggled with large requirements gathering exercises early in past projects. The team would prefer to work in small increments and deliver working software frequently. You are hired as a consultant to help the team solve this problem. You want to give the team the opportunity to take an approach that is consistent with their preferences. What do you recommend?

  • Adopt an agile approach to software development

  • Use spiral software development

  • Adopt a waterfall approach to software development

  • Create a tarpit to learn more and evaluate the data to make a decision later

Correct answer: Adopt an agile approach to software development

Agile is an iterative and incremental approach to software development. Agile development focuses on breaking work into small chunks and delivering working software frequently. It has less up-front planning than waterfall or spiral. 

Waterfall methodology is a software development method where steps occur sequentially and one step is completed before the next begins. A typical waterfall approach to software development is:

  1. Gather requirements
  2. Analyze
  3. Design
  4. Implement
  5. Test
  6. Deploy

Spiral is similar to waterfall, but it iterates through four stages (identification, design, build, and evaluation) multiple times. The spiral model heavily emphasizes risk assessment in software development.

A tarpit is an active defense technique that exposes fake targets to slow down and confuse attackers. 

52.

A threat actor is looking up data on Acme Inc. executives in an attempt to create a spear phishing attack. The threat actor's research corresponds with which stage of the Cyber Kill Chain?

  • Reconnaissance

  • C2

  • Actions on Objectives

  • Weaponization

Correct answer: Reconnaissance

The seven stages in Lockheed Martin's Cyber Kill Chain attack framework are:

  1. Reconnaissance - Targets are selected and researched
  2. Weaponization - Tools for exploitation are created
  3. Delivery - One or more weapons are sent to a target (e.g., via email)
  4. Exploitation - A malicious program is executed
  5. Installation - Backdoors or similar programs are installed
  6. Command-and-Control (C2) - The stage where the intruder has access to manipulate systems
  7. Actions on Objectives - The intruder performs the activities they desire, such as exfiltrating data or damaging a system

53.

Which of the following is NOT an example of forensic software? 

  • CASB

  • FTK

  • EnCase

  • TSK 

Correct answer: CASB

Forensic software is software that provides capabilities related to the creation and analysis of forensic images. FTK (Forensic Toolkit), EnCase, and TSK (The Sleuth Kit) are all examples of forensic software.

CASBs (Cloud Access Security Brokers) provide policy-enforcement checkpoints that can help enable secure access to cloud resources. CASBs can be deployed on-premises or in the cloud.

54.

In the context of vulnerability management reporting, a workaround for a vulnerability is an example of what?

  • Mitigation option

  • Hack

  • Exploit

  • Recurrence indicator

Correct answer: Mitigation option

Common elements in a vulnerability report include:

  • Vulnerability details - Details such as a CVE (Common Vulnerabilities and Exposures) number and description
  • Affected hosts - IP addresses and hostnames of systems found to be vulnerable
  • Risk score - Details the risk severity in the context of the organization
  • Mitigation options - Ways to mitigate the vulnerability
  • Recurrence - How often the vulnerability has reoccurred
  • Prioritization - Context that helps prioritize which vulnerabilities should be addressed first

A workaround is an example of a mitigation option. 

55.

A threat actor breaches a network and installs a keylogger on an engineer's workstation computer. What term BEST describes this series of occurrences?

  • Security incident

  • Adverse event

  • Security event

  • CSIRT

Correct answer: Security incident

Key terms related to security incidents in a system or network that CySA+ candidates should be familiar with include:

  • Event or security event - An observable occurrence
  • Adverse event - An event that has a negative impact
  • Security incident - Violation of a security policy or standard practice, or the imminent threat of such a violation; a security incident will always include at least one security event, but a security event is not always a security incident
  • CSIRT (Computer Security Incident Response Team) - Team responsible for responding to security incidents

56.

Amal, a security engineer at Acme Inc., is calculating a CVSS base score for a vulnerability. The calculated values add up to 10.3. What value should Amal use as the CVSS base score?

  • 10

  • 0

  • 10.3

  • 103

Correct answer: 10

CVSS (Common Vulnerability Scoring System) is a standard for quantifying the severity of a vulnerability. A CVSS base score is derived from multiple metrics and uses a severity scale of 0–10. If the calculated metrics add up to more than 10, the CVSS base score should be set to 10.

57.

Which of the following is the BEST indicator of a race condition?

  • The issue occurs intermittently 

  • The issue occurs on a web app

  • The issue occurs when a NULL value is set

  • Strcpy is involved

Correct answer: The issue occurs intermittently 

Race conditions are timing-related errors that occur when an application attempts multiple operations at the same time. Therefore, it is possible to see issues related to race conditions intermittently. 

A web app is not necessarily more susceptible to race conditions than other apps. 

Use of insecure functions is the practice of using functions that lack strong security features and can compromise overall application security. Using the strcpy function is an example of a potential use of an insecure function: strcpy does not compare the size of the source data with the size of the destination buffer, which increases the risk of a buffer overflow.

Dereferencing issues typically occur when an unset value — known as a NULL value — is used in a context where a set value is needed. Typically, this leads to a crash unless the error case is properly handled by the application.

58.

Lee, a security engineer at Acme Inc., is running a vulnerability scan on a new web application for the first time. This activity is a part of which stage of the vulnerability management lifecycle?

  • Detection

  • Planning

  • Testing

  • Remediation 

Correct answer: Detection

The steps in the vulnerability management lifecycle are:

  • Detection - Vulnerabilities are discovered
  • Remediation - Vulnerabilities are addressed
  • Testing - Validation confirms remediation worked as intended

Lee is running a vulnerability scanner on the web application for the first time, which would help detect what vulnerabilities are present.

59.

Select the command that is MOST likely to produce output that includes:

Reply from 192.0.2.11: bytes=32 time=22ms TTL=57
Reply from 192.0.2.11: bytes=32 time=11ms TTL=57
Reply from 192.0.2.11: bytes=32 time=17ms TTL=57
Reply from 192.0.2.11: bytes=32 time=17ms TTL=57

  • ping 192.0.2.11

  • nslookup 192.0.2.11

  • netstat -ano 192.0.2.11

  • ttl 192.0.2.11

Correct answer: ping 192.0.2.11

The ping command is supported on a wide variety of operating systems and a successful ping to IP address 192.0.2.11 would return output similar to the output in the question. 

nslookup is used for looking up DNS (Domain Name System) related information. netstat is used for displaying network statistics and open ports on a system. Neither netstat nor nslookup would typically return output like the output in the question.

ttl is not a standard command. 

60.

Yuri, a software developer at Acme Inc., installs and activates a widget in their Integrated Development Environment (IDE) that performs static code analysis to detect potential security issues in their code. This is an example of what type of tool integration?

  • Plug-in

  • Webhook

  • API

  • Honeypot

Correct answer: Plug-in

A plug-in is a program that runs inside of another program.

A webhook is a type of software integration that involves one application or service triggering an action in another application or service using a web request.

An API (Application Programming Interface) is a programmatic interface to a system that helps enable automation and system integrations. 

A honeypot is a system that is intentionally vulnerable to exploits, and it is designed to lure attackers.