CompTIA CySA+ Exam Questions

Page 5 of 53

81.

A threat actor breached Acme Inc.'s network at 01:15 and installed a keylogger on an executive's personal computer. An EDR program on the computer detected the keylogger and alerted the Security Operations Center (SOC) by sending an email alert at 02:00. The EDR program sent follow-up alerts at 02:05 and 02:10. A security engineer read the alert and began proactively working to contain the malware at 02:15. What was the alert volume for this incident?

  • 3

  • 1

  • 45

  • 15

Correct answer: 3

Incident response metrics and KPIs (Key Performance Indicators) CySA+ candidates should be familiar with include:

  • Mean time to detect - The amount of time between an event that triggered an incident occurring and the event being detected
  • Mean time to respond - The time between incident detection and response activity beginning
  • Mean time to remediate - How long it takes to remediate an issue; this metric is typically significantly more complex than time to detect or time to respond and requires more nuanced communications and explanations
  • Alert volume - The number of alerts associated with an incident

In this case, there were 3 alerts: one each at 02:00, 02:05, and 02:10.

82.

The Acme Inc. finance department and accounting department both use an internal web application for critical business functions. A threat actor breached the Acme Inc. network and took down the server that hosts the website. As a result, no users were able to access the application for three hours. Which functional impact categorization should be given to this incident?

  • High

  • Medium

  • Low

  • None

Correct answer: High

NIST (National Institute of Standards and Technology) recommends these four categorizations of functional impact:

  • None - No effect on an organization’s ability to provide services to any of its users
  • Low - All critical services can still be provided, but an efficiency loss occurred
  • Medium - A critical service cannot be provided to some users
  • High - A critical service cannot be provided to any users

83.

On a Linux system, a file "test.log" contains the text "I will pass the CySA+ exam" on a single line. There are no other contents in the file. Assuming the user has permission to read the file and is in the same directory as "test.log", which of these grep commands would return a match?

Select all that apply.

  • grep -i cysa test.log

  • grep -ni cysa test.log

  • grep + test.log 

  • grep cysa test.log

The grep command is used to search files for patterns and return content that matches. The grep command supports different flags that modify its behavior. For example, the -i flag makes a grep search case-insensitive (case-sensitive matching is the default behavior).

  • "grep -i cysa test.log" will match because the -i flag makes the search case-insensitive and "cysa" will match "CySA"
  • "grep -ni cysa test.log" will work the same as "grep -i cysa test.log" except it will include a line number in the output
  • "grep + test.log" will match because "+" is treated as a literal character in grep's default (basic) regular expression syntax and the file contains a "+" in "CySA+"

"grep cysa test.log" will not match because grep is case-sensitive by default and there is no exact match for "cysa".

84.

Which of the following is NOT a valid mitigation for a zero-day vulnerability on the day the vulnerability is announced?

  • Applying a patch to affected hosts

  • Logically isolating affected hosts

  • Air gapping affected hosts

  • Creating firewall rules that limit traffic to affected hosts

Correct answer: Applying a patch to affected hosts

By definition, a zero-day vulnerability does not have a patch available. Therefore, applying a patch is not possible. 

Isolating affected systems and implementing compensating controls like firewall rules are valid mitigation options. 

85.

Kiran, a security analyst at Acme Inc., added a GPU to their forensic workstation. Which of the following benefits is Kiran MOST likely to see as a result of this upgrade?

  • Increased speed with password cracking tools

  • Increased storage space for local databases 

  • Increased network throughput

  • Decreased network latency 

Correct answer: Increased speed with password cracking tools

GPUs (Graphics Processing Units) can drastically increase the speed of password cracking operations relative to a comparable CPU (Central Processing Unit). GPUs do not typically have a significant direct impact on network throughput or latency. GPUs also do not meaningfully increase storage space.

86.

TTPs are based on the tactics, techniques, and procedures of what type of threat actor?

  • APT

  • Script kiddies

  • OSINT

  • Honeypot

Correct answer: APT

APTs (Advanced Persistent Threats) are sophisticated threat actors that carry out complex attacks. TTPs (Tactics, Techniques, and Procedures) are derived by studying APT behavior.

Script kiddies are a type of threat actor, but they're not the basis for TTPs. Script kiddies are unsophisticated and typically depend on readily available tools and low-complexity attacks.

OSINT (Open Source Intelligence) is not a type of threat actor.

A honeypot is a system that is intentionally vulnerable to exploits and is designed to lure attackers.

87.

Alex, a security administrator at Acme Inc., is creating an incident response (IR) report. Which of the following sections are common IR report components that may appear in Alex's report?

Select all that apply.

  • 5 Ws

  • Timeline

  • Top ten

  • Containment, Eradication, and Discovery

There are several incident response report components CySA+ candidates should be familiar with. The components and their purpose are summarized below.

  • Executive summary - Short description that explains the incident, impact, and current state at a high level.
  • 5 Ws - The narrative that describes the who, what, when, where, and why related to the incident.
  • Recommendations - Typically based on lessons learned activities, this section documents what corrective actions should be performed.
  • Timeline - The sequence of events associated with an incident. This section can help identify if responses occurred in a timely fashion or not.
  • Impact assessment - Details on the overall impact an incident had on an organization (e.g., financial or reputational damage).
  • Scope - Covers what services, systems, and other aspects of an organization were affected by the incident.
  • Evidence - Specific data and details from the incident investigation. Evidence may be included as a separate appendix or as part of the report.

Top ten lists are lists of common vulnerabilities, such as the OWASP Top 10 Web Application Security Risks.

Containment, Eradication, and Discovery is a phase of the incident response lifecycle.

88.

During a lessons learned exercise, the Acme Inc. SOC (Security Operations Center) realized they could not sufficiently correlate information from multiple network devices in the datacenter. What tool is the BEST option to help them solve this problem?

  • SIEM

  • Firewall

  • Event Viewer

  • smss.exe

Correct answer: SIEM

SIEM (Security Information and Event Management) tools are often used to combine and correlate security information from multiple systems. 

A firewall is typically used to block or allow network traffic. 

Windows Event Viewer is useful for viewing event records on Windows systems, but does not perform correlations and aggregation on par with a SIEM. 

smss.exe is a Windows system process. 

89.

Which of the following is an example of CHD?

  • Primary account number

  • 127.0.0.1:8080 

  • HKU

  • sysLocation

Correct answer: Primary account number

CHD (Cardholder Data) refers to credit card information such as primary credit card account numbers, cardholder name, and credit card expiration date. CHD is sometimes called PCI (Payment Card Industry) data because of its relevance to PCI DSS (Payment Card Industry Data Security Standard).

127.0.0.1:8080 is an IPv4 loopback address (127.0.0.1) and port number (8080) combination. 

HKEY_USERS (HKU) is a Windows registry root key. Information underneath this root key is related to user accounts on the system. 

sysLocation is a value commonly associated with SNMP (Simple Network Management Protocol) monitoring that contains information about a system's location. 

90.

What organization publishes a Web Security Testing Guide that provides detailed information on security testing for web applications?

  • OWASP

  • MQTT

  • HTTPS

  • AMQP

Correct answer: OWASP

The OWASP (Open Web Application Security Project) Web Security Testing Guide is a popular reference that provides detailed information on security testing for web applications.

The other answers are protocols, not organizations. 

91.

Which of the following are consistent with NIST's recommendations for media communications related to incident response? 

Select all that apply.

  • Assigning a backup point of contact for media communications

  • Conducting practice sessions for incident response 

  • Designating as many media points of contact as an organization can reasonably facilitate

  • Ensuring all communications are only given verbally to specific approved media outlets

NIST makes several recommendations for media communication related to cybersecurity incidents, including:

  • Assigning a single media point of contact with a backup
  • Conducting practice sessions
  • Maintaining a status document for the incident
  • Establishing procedures for media briefing

Designating multiple points of contact is not consistent with these recommendations and could create confusion or inconsistent messaging. Similarly, only providing verbal updates is not consistent with the recommendations and could increase the risk of miscommunication.

92.

Acme Inc. is subject to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). The Acme Inc. datacenter was compromised in what CIRCIA defined as a qualifying incident 12 hours ago. How much time does Acme Inc. have to report the incident to the Cybersecurity and Infrastructure Security Agency (CISA)? 

  • 60 hours

  • 36 hours

  • 12 hours

  • 84 hours

Correct answer: 60 hours

Under the United States' Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a qualifying incident must be reported within 72 hours. Since 12 hours have elapsed, Acme Inc. has 60 hours left. Ransomware payments must be reported within 24 hours. 

93.

Dani, a security engineer at Acme Inc., is creating a system hardening checklist for servers the organization maintains. Which of the following should Dani include in the checklist?

  • Restrict administrative access

  • Disable disk encryption

  • Enable the guest account

  • Disable secure boot

Correct answer: Restrict administrative access

Restricting administrative access is a common hardening technique that helps enforce the principle of least privilege. 

Secure boot and disk encryption can help improve security, so disabling them is not typically a recommended step for system hardening. 

Enabling a guest account on a Windows server allows "guests" to access the system. This increases security risk and is typically not a recommended step for system hardening.

94.

Which of the following is one of the "three As" in AAA?

  • Accounting

  • Access

  • Administration

  • Adversary

Correct answer: Accounting

The "three As" in AAA are: 

  • Authentication, which deals with verifying identities
  • Authorization, which deals with allowing or disallowing an identity access to resources
  • Accounting, which deals with monitoring and logging

95.

Acme Inc. is using the AAA framework as part of a new network design. Lucian, a network architect at Acme Inc., is tasked with designing all the components related to accounting.

Which of the following is MOST likely to be part of Lucian's task?

  • Defining default log levels

  • Choosing an identity provider

  • Configuring OAuth

  • Financial reporting

Correct answer: Defining default log levels

AAA is a framework for controlling and managing access to resources such as networks and computers. The "three As" in AAA are: 

  • Authentication, which deals with verifying identities
  • Authorization, which deals with allowing or disallowing an identity access to resources
  • Accounting, which deals with monitoring and logging

Since Lucian is responsible for accounting, setting default log levels is most likely to become their responsibility. 

Financial reporting would be the responsibility of accounting (in a different context) and finance departments. 

Choosing an identity provider is an authentication related task. OAuth is an authorization standard. 

96.

A misconfigured application on a server deployed in a small lab network created a huge spike in network traffic and caused performance issues across the entire network. This is an example of what type of network issue? 

  • Bandwidth consumption

  • Beaconing 

  • Social engineering 

  • Phishing 

Correct answer: Bandwidth consumption

Bandwidth consumption issues occur when a significant amount of network bandwidth is consumed and business functions are disrupted or service outages occur as a result. Common causes of bandwidth consumption issues include malicious activity, misconfigurations, and traffic spikes. 

Beaconing is a type of network traffic that enables operators of botnets or other malware that uses a command and control model to detect if they have compromised a system, check system status, or perform malicious activity such as running unauthorized commands. 

Social engineering is a type of attack that involves influencing human behavior to compromise information or systems. Phishing is a common example of social engineering. 

97.

What section of an incident response report provides details on which specific systems and services were affected by an incident? 

  • Scope

  • Impact assessment

  • Evidence

  • Timeline

Correct answer: Scope

There are several incident response report components CySA+ candidates should be familiar with. The components and their purpose are summarized below.

  • Executive summary - Short description that explains the incident, impact, and current state at a high level.
  • 5 Ws - The narrative that describes the who, what, when, where, and why related to the incident.
  • Recommendations - Typically based on lessons learned activities, this section documents what corrective actions should be performed.
  • Timeline - The sequence of events associated with an incident. This section can help identify if responses occurred in a timely fashion or not.
  • Impact assessment - Details on the overall impact an incident had on an organization (e.g., financial or reputational damage).
  • Scope - Covers what services, systems, and other aspects of an organization were affected by the incident.
  • Evidence - Specific data and details from the incident investigation. Evidence may be included as a separate appendix or as part of the report.

98.

Assume http://malicioussite.example.com is a site hosting malware and safesite.example.net is a legitimate website. The HTML code below is a simple example of what technique?

<a href="http://malicioussite.example.com">https://safesite.example.net</a>

  • Obfuscated link

  • Honeypot

  • Script kiddie

  • MQTT

Correct answer: Obfuscated link

Obfuscated links are links that hide their destination from users. For example, a shortened URL that redirects to a malicious webpage is an example of an obfuscated link. The HTML code above displays the text "https://safesite.example.net" but actually links to the malicious site "http://malicioussite.example.com".

A honeypot is a system that is intentionally vulnerable to exploits and is designed to lure attackers.

A script kiddie is a type of threat actor. 

MQTT (Message Queuing Telemetry Transport) is a network protocol.

99.

Alex, a security engineer at Acme Inc., is reviewing outbound traffic from a VLAN dedicated to the Acme Inc. accounting department. Alex notices an unusual spike in traffic from one endpoint. What should Alex do next?

  • Have incident responders investigate

  • Declare an incident

  • Ignore the spike

  • Begin the recovery phase

Correct answer: Have incident responders investigate

The unusual spike in traffic is an IoC (Indicator of Compromise). It should not be ignored. After an IoC is detected, incident responders should determine if there is legitimately an incident or if the IoC is a false positive. If there is legitimately an incident based on responder analysis, an incident is declared. 

Recovery activities come after an incident is declared. 

100.

Cruz, a senior software developer at Acme Inc., is putting together a training course for junior developers. The course includes a section on secure coding.

Which of the following are secure coding practices that Cruz should include in the training?

Select all that apply.

  • Precompile SQL queries 

  • Convert special characters 

  • Send data in plaintext

  • Trust user input

There are several secure coding best practices that CySA+ candidates should be familiar with. The list below summarizes six of those best practices.

  • Input validation - Checks inputs to ensure they can be used safely, which can help reduce the risk of, or outright prevent, many cybersecurity issues including injection attacks and XSS (cross-site scripting)
  • Output encoding - Converts special characters to a safe equivalent and reduces the risk of XSS
  • Secure session management - Reduces the risk of session hijacking and other session issues
  • Authentication - Forces users to authenticate to access resources, which can help ensure only authorized users can access systems and data
  • Data protection techniques - Includes technologies like encryption that can improve confidentiality and reduce the risk of eavesdropping
  • Parameterized queries - Reduces the risk of SQL injection attacks with precompiled queries

Precompiling SQL queries and converting special characters are explicitly mentioned in the list above.

Not trusting user input helps reinforce practices like input validation.

Avoiding sending data in plaintext is another way to encourage the use of technologies like encryption.