CompTIA CySA+ Exam Questions
Page 4 of 53
61.
Raha, a penetration tester at Acme Inc., wants to set the TCP SYN flag and specify a port when checking connectivity to different systems. Which tool is the BEST option for this task?
- hping
- netstat
- tcpdump
- arp
Correct answer: hping
hping is a popular command-line utility that supports the creation of custom packets, including custom echo requests. hping supports features such as setting the TCP SYN flag and specifying a port, which can increase the probability of host detection in many cases.
netstat is used for displaying network statistics and open ports on a system.
tcpdump is a packet capture utility.
arp is used to discover layer 2 addresses (e.g., a MAC address).
62.
Quinn, a security engineer at Acme Inc., is tasked with evaluating different tools to replace a legacy antivirus program for Windows endpoints. The business requirements call for threat detection, behavioral analysis, and alert notifications.
Which category of security tools is MOST likely to meet the requirements?
- EDR
- CRL
- WAF
- SPF
Correct answer: EDR
EDR (Endpoint Detection and Response) tools are a category of security tools focused on detecting and responding to threats on endpoints such as personal computers. EDR solutions typically include threat detection, behavioral analysis, alert notification, and threat neutralization features.
A CRL (Certificate Revocation List) is a list of certificates a CA has invalidated or canceled.
A WAF (Web Application Firewall) is a special firewall intended for use with web applications.
SPF (Sender Policy Framework) is an authentication standard designed to improve email security.
63.
Which of the following is an example of a potential mitigation option?
- A security patch for Windows 10
- ping -t localhost
- CVSS score: 9.1
- Mutation testing on Linux system
Correct answer: A security patch for Windows 10
A mitigation option is a way to mitigate a vulnerability. Security patches, compensating controls, and workarounds are all examples of mitigation options.
ping is a command commonly used to test connectivity. "ping -t localhost" is a command to continuously ping a local system.
A CVSS score of 9.1 is in the range of CVSS scores typically classified as critical.
Mutation testing is a form of testing that involves making changes to a program directly. Mutation testing helps identify issues that may occur when developers make changes or with code that is not frequently executed.
64.
Alex, a security engineer at Acme Inc., configures a firewall to block all inbound traffic to port 22 on a Linux server. This is an example of which type of security control?
- Technical
- Operational
- Managerial
- Branched
Correct answer: Technical
There are three different categories of security controls CySA+ candidates should be familiar with. They are summarized in the table below.
| Security control category | Description |
| --- | --- |
| Technical controls | Digital controls such as firewall rules and encryption that help support the confidentiality, integrity, and availability of systems |
| Operational controls | Practices such as monitoring and vulnerability management that support cybersecurity efforts |
| Managerial controls | Procedural mechanisms that support the risk management process; examples include conducting risk assessments and integrating security into project management efforts |
The control described in the question is an example of a technical control. Note that controls can also be divided into types, such as preventative controls and detective controls.
65.
What incident response metric measures the time between the event that triggered an incident occurring and the event being detected?
- Time to detect
- Time to respond
- Time to remediate
- Alert volume
Correct answer: Time to detect
Incident response metrics and KPIs (Key Performance Indicators) CySA+ candidates should be familiar with include:
- Time to detect - The amount of time between an event that triggered an incident occurring and the event being detected
- Time to respond - The time between incident detection and response activity beginning
- Time to remediate - How long it takes to remediate an issue; this metric is typically significantly more complex than time to detect or time to respond and requires more nuanced communications and explanations
- Alert volume - The number of alerts associated with an incident
66.
An asset is worth $20,000. A risk to the asset would cause it to lose 10% of its value. The risk is expected to occur once every year.
What is the ARO of the risk?
- 1
- $2,000
- 10%
- $20,000
Correct answer: 1
In quantitative risk assessment, ARO (Annualized Rate of Occurrence) is the probability that a risk will occur within a given year. A risk that is likely to occur twice a year will have an ARO of 2. A risk that is expected to occur once every year has an ARO of 1.
67.
Rosario, a security analyst at Acme Inc., is conducting a forensic analysis. Rosario needs to attach a drive to a workstation while ensuring no modifications are made to the drive.
What tool should Rosario use to ENSURE the drive's contents are not modified?
- Write blocker
- RCA
- Degausser
- Baseliner
Correct answer: Write blocker
A write blocker is a tool that prevents writing to a drive, but still allows read operations. Write blockers come in software and hardware varieties, but hardware write blockers are more popular because of the potential problems with software-based tools.
RCA (Root Cause Analysis) focuses on determining why a problem or incident occurred so an organization can ensure the problem was properly addressed and future problems can be avoided.
Degaussing is a specific form of purging that uses magnetic fields to modify data on a storage device.
Baselining is a technique that involves taking snapshots (baselines) of a configuration at a specific point in time.
68.
What type of file carving looks at information such as character counts and text in a file?
- Content-based
- File structure-based
- Header-based
- Hash-based
Correct answer: Content-based
File carving is a popular forensic analysis technique used when filesystems have issues and data cannot be easily recovered. File carving tools analyze data on a block-by-block basis and find indicators of what was on a drive, such as file headers or partially intact files.
The three common types of file carving are:
- Header and footer-based carving that looks at header and footer data in files
- Content-based carving that looks for information in files (e.g., text recognition)
- File structure-based that looks at information related to file structures
69.
Acme Inc. security contractors are conducting a penetration test on an Acme Inc. datacenter. This is an example of what type of security control?
- Operational
- Technical
- Application
- Configuration
Correct answer: Operational
Operational security controls are procedures and practices that improve security posture. Examples of operational controls include running penetration tests, reverse engineering, and security awareness training.
Technical controls are the different applications, systems, devices, and configurations that help enforce security policies and improve security posture.
70.
At what point in the incident response process should communication and reporting occur?
- Throughout the process
- After recovery
- After RCA
- After the lessons learned session is completed
Correct answer: Throughout the process
Effective reporting and communication are essential aspects of incident response and should occur throughout the process.
71.
A new customer accesses an Acme Inc. web server. The server's log file records the HTTP GET request in a log. What term BEST describes this occurrence?
- Event
- Incident
- CSIRT
- Security incident
Correct answer: Event or security event
Key terms related to security incidents in a system or network that CySA+ candidates should be familiar with include:
- Event or security event - An observable occurrence
- Adverse event - An event that has a negative impact
- Security incident - Violation of a security policy or standard practice or the imminent threat of such a violation; a security incident will always include at least one security event, but a security event is not always a security incident
- CSIRT (Computer Security Incident Response Team) - Team responsible for responding to security incidents
72.
SSL inspection would be MOST USEFUL for which of the following use cases?
- Reading HTTPS traffic
- Password cracking
- Time synchronization
- Password hashing
Correct answer: Reading HTTPS traffic
Modern HTTPS traffic is encrypted using TLS (Transport Layer Security). This encryption creates a challenge for organizations that want to inspect traffic. Without the ability to decrypt the traffic, the data payloads are illegible. SSL (Secure Sockets Layer) inspection solves this problem by terminating SSL/TLS connections at an inspection appliance and passing the traffic to/from the source/destination. With the SSL inspection appliance (which can be a security device such as a firewall or intrusion prevention system) able to decrypt the traffic, organizations can now monitor and inspect traffic.
NTP (Network Time Protocol) servers are typically used for time synchronization.
Password hashing and password cracking are not standard SSL inspection use cases.
73.
A network appliance vendor makes multiple social media posts about a new zero-day vulnerability affecting their products. The posts are an example of what category of security event indicator?
- Publicly available information
- Alerts
- Logs
- Discredited source
Correct answer: Publicly available information
There are multiple security event indicators CySA+ candidates should be familiar with. NIST (National Institute of Standards and Technology) SP 800-61 describes these four categories of indicators:
| Security event indicator category | Description |
| --- | --- |
| Alerts | Notifications from security tools such as IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) appliances and antivirus software |
| Logs | Records created by systems such as servers and network devices |
| Publicly available information | Information that is made publicly available regarding security vulnerabilities; for example, the announcement of a zero-day vulnerability on a vendor's website |
| People | Humans that report threat-related information |
"Discredited source" is not a standard category of security event indicator.
74.
Which of the following are TRUE about Nikto?
Select all that apply.
- It is open-source software
- It is a web application scanner
- It offers a command-line interface
- It offers a graphical user interface
- It is closed-source commercial software
- It is a language based on XML used for threat intelligence data
Nikto is an open-source web application scanner that offers a command-line interface.
STIX (Structured Threat Information Expression) is a language based on XML (eXtensible Markup Language) used for threat intelligence data.
75.
Which of the following is MOST likely to result in random and invalid data being sent to a web application?
- Fuzzing
- Static code analysis
- Edge discovery
- RAD
Correct answer: Fuzzing
Fuzz testing, also known as fuzzing, is a form of testing where invalid or random data is sent to an application to see how it responds. Fuzz tests are typically automated and useful for uncovering issues like poor error handling and memory leaks.
Static code analysis, also known as source code analysis, analyzes source code for software flaws and cybersecurity issues. Static code analysis can be performed manually or automatically.
Edge discovery scans are scans that identify an organization’s systems that are exposed to the public.
RAD (Rapid Application Development) is an iterative process that does not have a planning phase at all and relies heavily on prototype creation.
76.
A vulnerable server cannot be updated to address a vulnerability. Taylor, a network administrator at Acme Inc., created an access control list on a network firewall to limit traffic to the system. This is an example of an activity that is part of what type of action plan?
- Compensating controls
- Configuration management
- Patching
- Changing business requirements
Correct answer: Compensating controls
The CySA+ exam objectives call out five types of action plans CySA+ candidates should be familiar with. The table below summarizes each one.
| Category | Description | Examples |
| --- | --- | --- |
| Configuration management | Deals with proper configuration, hardening, and creating baseline configurations for systems | |
| Patching | Deals with applying upgrades to systems to address security issues and software bugs | |
| Compensating controls | Involves the use of security controls to address a vulnerability that cannot be directly mitigated | |
| Awareness, education, and training | Deals with educating and training staff on cybersecurity practices and principles | |
| Changing business requirements | Modifying business requirements to address a vulnerability | |
77.
Which of these software development models uses an iterative and incremental approach to creating software that focuses on breaking work into small chunks and delivering working software frequently?
- Agile
- SCAP
- Waterfall
- Spiral
Correct answer: Agile
Agile is an iterative and incremental approach to software development. Agile development focuses on breaking work into small chunks and delivering working software frequently. It has less up-front planning than waterfall or spiral.
Waterfall methodology is a software development method where steps occur sequentially and one step is completed before the next begins. A typical waterfall approach to software development is:
- Gather requirements
- Analyze
- Design
- Implement
- Test
- Deploy
Spiral is similar to waterfall, but it iterates through four stages (identification, design, build, and evaluation) multiple times. The spiral model heavily emphasizes risk assessment in software development.
SCAP (Security Content Automation Protocol) is an effort, led by NIST (the National Institute of Standards and Technology), to standardize aspects of reporting cybersecurity information and enable automation. Notable SCAP standards are summarized in the table below:
| SCAP Standard | Description |
| --- | --- |
| CCE (Common Configuration Enumeration) | Used for system configuration issues |
| CPE (Common Platform Enumeration) | Used for product names and versions |
| CVE (Common Vulnerabilities and Exposures) | Used for security-related software flaws |
| CVSS (Common Vulnerability Scoring System) | Used for quantifying the severity of security-related software flaws |
| XCCDF (Extensible Configuration Checklist Description Format) | Used for checklists |
| OVAL (Open Vulnerability and Assessment Language) | Used for describing the low-level testing procedures that checklists use |
78.
What type of metrics should a team define and measure to establish remediation goals and determine if they are meeting them?
- SLOs
- RTOs
- Alert volume
- CVSS score
Correct answer: SLOs
SLOs (Service Level Objectives) are metrics that measure whether or not a service meets specific service level agreements. For cybersecurity reporting, time to remediate or patch is an example of an SLO.
RTO (Recovery Time Objective) is the maximum acceptable time a system can be down as part of recovery from an incident.
Alert volume is the number of alerts associated with an incident.
A CVSS (Common Vulnerability Scoring System) score is an example of a vulnerability score. A vulnerability score uses a structured system to calculate a score for a given vulnerability. A risk score measures risk within the context of a specific organization. For example, a risk score will consider affected systems, their exposure, and importance.
79.
A threat actor intercepts a session token and uses it to send requests to a web server that appear to come from an authorized user. This is an example of what type of attack?
- Session hijacking
- Broken authentication
- Credential stuffing
- SSRF
Correct answer: Session hijacking
Session hijacking occurs when an attacker compromises an existing session a victim has opened. This typically occurs when an attacker compromises a token or cookie from an active session.
Broken authentication refers to improper authentication mechanisms that allow unauthorized users to access information.
Credential stuffing occurs when an attacker uses known credentials from one service on other services.
SSRF (Server-Side Request Forgery) attacks are possible when a server accepts a URL as input. If the server is not properly secured, an attacker can trick the server into accessing a URL and retrieving information.
80.
Which of the following statements about legal holds is TRUE?
- A legal hold can override preexisting retention policies
- Legal holds occur after eDiscovery
- Legal holds occur before eDiscovery
- A legal hold can NOT override preexisting retention policies
Correct answer: A legal hold can override preexisting retention policies
A legal hold can require that data which may have otherwise been deleted is preserved. This means a legal hold can override preexisting retention policies.
Legal holds are part of the eDiscovery process, so they do not occur before or after eDiscovery.