CompTIA CySA+ Exam Questions
101.
Which of the following statements about injection flaws is FALSE?
- Injection attacks only affect SQL databases
- Parameterized queries can help prevent injection attacks
- Injection attacks are commonly triggered through user input fields
- Input validation can help prevent injection attacks
Correct answer: Injection attacks only affect SQL databases
Injection attacks are common web application vulnerabilities CySA+ candidates should be familiar with. Injection attacks are commonly triggered using user input fields with specially crafted data. Techniques such as parameterized queries and input validation can reduce the risk of injection attacks.
While injection attacks often target SQL databases, they are also possible with XML (Extensible Markup Language) and other protocols like LDAP (Lightweight Directory Access Protocol).
102.
Alex, a systems engineer at Acme Inc., wants to bundle an application into a portable lightweight package with the smallest attack surface practical. Which of the following options should Alex use?
- Containerization
- Virtual machines
- VLANs
- SSO
Correct answer: Containerization
Containerization is a form of application-level virtualization that enables an application and its dependencies to be bundled into portable containers that can run on different operating systems as long as they support a compatible container engine.
Virtual machines include a full operating system, are typically larger than containers, and typically have more dependencies.
VLANs (Virtual Local Area Networks) are logical networks that can provide logical network segmentation to separate portions of a network. VLANs are typically implemented using a router or managed switch that supports VLAN tagging.
SSO (Single Sign-On) enables users to authenticate one time with one set of credentials to access multiple systems.
103.
A database vulnerability enables a threat actor to read all the data on a server without the required privileges. The threat actor cannot directly impact system performance for other users or modify the data. What is the CORRECT CVSS Confidentiality metric for this vulnerability?
- High
- Low
- None
- Medium
Correct answer: High
When an attacker compromises all the information on a system, the confidentiality metric is high. In this case, the attacker can read all the data.
104.
Which of the following is a reason to create a live clone of a disk instead of an offline clone?
- Copying data stored in memory is required
- Copying unallocated space is required
- Reducing the risk of detection by malware is a priority
- Avoiding changes to data during the cloning process is a priority
Correct answer: Copying data stored in memory is required
Creating a live image may be required when a system uses full-disk encryption or when a copy of data that is stored in memory but not on disk is needed. However, live images come with several downsides including:
- Typically not including unallocated space
- Risk of detection by malware
- Potential changes to data while the image is being created
105.
Noam, a security analyst at Acme Inc., creates a virtual machine that is isolated from the rest of Acme Inc.'s network. Noam allows an attacker to compromise the system so the attacker's behavior can be observed in an isolated environment. The virtual machine in this scenario is an example of what?
- Sandbox
- CSIRT
- Bastion host
- Baseline
Correct answer: Sandbox
A sandbox is an isolated system that is intended for use in observing the behavior of a malicious user or program.
CSIRT (Computer Security Incident Response Team) is a specific type of cybersecurity team.
A bastion host is a type of computer that is used to provide access from one network to another.
Baselining is a technique that involves taking snapshots (baselines) of a configuration at a specific point in time.
106.
Noam, a security engineer at Acme Inc., is tasked with sanitizing a drive that Acme Inc. will reuse. The drive previously had information that had a "low" security categorization. What type of sanitization should Noam use on the drive?
- Clear
- Purge
- Destroy
- Degauss
Correct answer: Clear
NIST SP 800-88 defines three main types of media sanitization. They are:
- Clear - Clearing uses standard logical techniques like read and write operations; clearing provides protection against basic noninvasive data recovery attempts
- Purge - Purging uses state-of-the-art lab techniques, such as block erase and cryptographic erase, to sanitize media and make data recovery more difficult than clearing
- Destroy - Destroying storage media makes data recovery infeasible; disintegration, pulverization, and incineration are examples of destruction techniques
Each type of sanitization involves different levels of cost and complexity, with clearing being the cheapest and least complex and destroying being the most complex and expensive. For storage media with a "low" security classification that will be reused within the same organization, NIST SP 800-61 recommends clearing as the proper sanitization option.
107.
Which of the following statements about chain of custody are TRUE?
Select all that apply.
- Chain of custody requires documentation regarding who can access evidence
- The collection of data must be tracked
- Evidence cannot be transported once it is part of the chain of custody
- Data analysis is not in scope for chain of custody requirements
Chain of custody requires that evidence is tracked end-to-end throughout its lifecycle, including collection and analysis. Who has access to data, how it is stored, where it is transferred, and how it is used are all relevant to chain of custody.
Evidence can be transferred from one location to another, but proper tracking and records are required to maintain a reliable chain of custody.
108.
Luka, a security architect at Acme Inc., wants to create a darknet to monitor threat actor behavior. Luka purchased a /30 pool of public IPv4 addresses and is actively monitoring the addresses.
What type of workloads should Luka deploy to the IPv4 addresses to complete the darknet?
- None
- Containerized workloads
- Vulnerable virtual machines
- Honeypots
Correct answer: None
A darknet is a pool of unused IP addresses that are monitored to detect potential attackers and identify malicious patterns. By definition, the IP addresses should remain unused. Deploying workloads such as honeypots would transform the darknet into a honeynet.
109.
Acme Inc. owns a server that is worth $5,000. A risk to the server would cause it to lose half of its value. The risk is expected to occur once every ten years. What is the ARO of the risk?
- 0.1
- 1
- $2,500
- 50%
Correct answer: 0.1
In quantitative risk assessment, ARO (Annualized Rate of Occurrence) is the probability that a risk will occur within a given year. A risk that is likely to occur twice a year will have an ARO of 2. A risk that is expected to occur once every ten years has an ARO of 0.1.
AV (Asset Value) is the value of the asset associated with the risk in question. This value is typically represented as a unit of currency (e.g., dollars or Euros). In this case, the server's AV is $5,000.
EF (Exposure Factor) is the percentage of an asset that is expected to be lost or damaged if a risk manifests itself as an incident. The EF in this case is 50%.
110.
What type of impact describes the effect an incident has on an organization's ability to provide services to users?
- Functional impact
- Economic impact
- Recoverability impact
- Datatype impact
Correct answer: Functional impact
The functional impact of an incident describes the degree of impact a security incident has on an organization's service delivery.
The economic impact describes the financial impact a security incident has on an organization.
Recoverability effort (not recoverability impact) describes the time and effort involved in recovering from a security incident.
Datatypes (not datatype impact) describe the nature of the data involved in a security breach and the impact on privacy and data integrity.
111.
What type of information can be found in AbuseIPDB?
- Potentially malicious IP addresses
- Revoked SSL certificates
- Trusted certificate authorities
- Detailed logs of network traffic for a Linux mail server
Correct answer: Potentially malicious IP addresses
AbuseIPDB is an online database that enables users to check if an IP address, domain, or network has been reported as engaging in abusive behavior. There are other comparable online tools available, but AbuseIPDB is specifically called out on the CySA+ exam objectives and CySA+ candidates should be familiar with this online tool.
112.
Kim, a server administrator at Acme Inc., needs to analyze a crash dump file from a Windows 10 computer. Which utility is the BEST option for this task?
- WinDbg
- John the Ripper
- dd
- netstat
Correct answer: WinDbg
WinDbg is a Windows utility that can be used to analyze data from a Windows crash dump file and perform other diagnostic functions.
John the Ripper is a password cracker.
dd is a Linux utility that is often used for cloning drives. The dd utility creates images in RAW format.
netstat is used for displaying network statistics and open ports on a system.
113.
Application logs show that a user logged in from Canada on Nov 11, 2024 at 11:11:11 p.m. UTC and then logged in again from England on Nov 11, 2024 at 11:21:21 p.m. UTC. This is an example of what type of abnormal account activity?
- Impossible travel
- Duplicate existence
- Recursive logins
- Duplicate identity
Correct answer: Impossible travel
Impossible travel is a form of abnormal user activity. Impossible travel occurs when a user is recorded logging in from different geographical locations within a timeframe that would be impossible for a human. In this example, it's not possible for a human to travel from Canada to England in ten minutes.
Duplicate existence, recursive logins, and duplicate identity are incorrect. They are not standard forms of abnormal account activity.
114.
A vulnerability on a web server requires an attacker to compromise administrative privileges and is exploitable over the network. Which of the following is TRUE about CVSS scoring for the vulnerability?
- The privileges required metric is high
- The privileges required metric is low
- The attack vector metric is physical
- The attack vector metric is local
Correct answer: The privileges required metric is high
CVSS (Common Vulnerability Scoring System) is a standard for quantifying the severity of a vulnerability. CVSS scores are derived using multiple metrics. Requiring administrative privileges for an exploit makes the privileges required metric for a CVSS score high. The attack vector metric for remotely (over a network) exploitable vulnerabilities is network.
115.
Alex is a security administrator at Acme Inc. tasked with reviewing the logs from several systems involved in a security incident. Alex notices that timestamps do not align across different system logs, even after accounting for different timezones. Which of the following could BEST explain why the log timestamps are not properly aligned across systems?
- Improper NTP configuration
- Using HTTP instead of HTTPS
- Improper log levels
- Using MQTT instead of MQTTS
Correct answer: Improper NTP configuration
NTP (Network Time Protocol) is a network protocol used to synchronize time across systems. NTP servers enable multiple client systems to synchronize their time with an authoritative source and help keep timestamps in sync throughout a network.
Log levels would not directly impact timestamps.
Using the HTTP(S) and MQTT(S) protocols would not directly impact timestamps.
116.
What portion of a vulnerability report is LIKELY to include a recommendation to implement a WAF as a compensating control?
- Mitigation options
- Recurrence
- Prioritization
- Affected hosts
Correct answer: Mitigation options
Common elements in a vulnerability report include:
- Vulnerability details - Details such as a CVE (Common Vulnerabilities and Exposures) number and description
- Affected hosts - IP addresses and hostnames of systems found to be vulnerable
- Risk score - Details the risk severity in the context of the organization
- Mitigation options - Ways to mitigate the vulnerability such as applying a patch or implementing a workaround such as a compensating control
- Recurrence - How often the vulnerability has reoccurred
- Prioritization - Context that helps prioritize which vulnerabilities should be addressed first
117.
A security tool raises an alert for multiple logins that appear unusual based on geographic location. Incident responders investigate and determine the logins were performed by a legitimate user traveling for business. What term BEST describes the alert?
- False positive
- False negative
- True positive
- Incident
Correct answer: False positive
The alert from the security tool is an IoC (Indicator of Compromise). After an IoC is detected, incident responders should determine if there is legitimately an incident or if the IoC is a false positive. If there is legitimately an incident based on responder analysis, an incident is declared. In this case, the IoC was a false positive.
118.
The formula "Probability × Magnitude" represents what concept?
- Risk severity
- Risk probability
- Risk avoidance
- Risk window
Correct answer: Risk severity
Risk severity is often represented by the conceptual formula "Risk severity = Probability × Magnitude." This formula demonstrates that the two key contributing factors to risk severity are the likelihood of an event occurring and the impact (magnitude) that would result from the occurrence.
119.
Which of the following is an example of a knowledge factor in authentication?
- Password
- Fingerprint
- Smartcard
- Authenticator application
Correct answer: Password
Common authentication factors include:
- Knowledge factors - "something you know," e.g., a password
- Possession factors - "something you have," e.g., a smartcard or authenticator application
- Biometric factors - "something you are," e.g., a fingerprint
- Location factors - "where you are," e.g., accessing a system from a specific location
Authentication factors can be combined to improve security. MFA (Multifactor Authentication) combines two or more different authentication factors in the authentication process.
120.
Acme Inc.'s security operations team wants to understand how long it takes, on average, from the start of an incident until one of their systems or engineers becomes aware of it. What KPI should they measure?
- Mean time to detect
- Mean time to respond
- Mean time to remediate
- Alert volume
Correct answer: Mean time to detect
Incident response metrics and KPIs (Key Performance Indicators) CySA+ candidates should be familiar with include:
- Mean time to detect - The amount of time between an event that triggered an incident occurring and the event being detected
- Mean time to respond - The time between incident detection and response activity beginning
- Mean time to remediate - How long it takes to remediate an issue; this metric is typically significantly more complex than time to detect or time to respond and requires more nuanced communications and explanations
- Alert volume - The number of alerts associated with an incident
Alert volume is typically less useful than the other metrics because different systems may generate a varying amount of alerts depending on configuration and specific incident details.