CompTIA CySA+ Exam Questions
Page 7 of 53
121. Port security is MOST commonly associated with which unique identifier on a device?
- MAC address
- Serial number
- UUID
- FQDN
Correct answer: MAC address
Port security is an access control that limits network access based on MAC (Media Access Control) addresses.
While a serial number, FQDN (Fully Qualified Domain Name), or UUID (Universal Unique Identifier) can be useful identifiers in different contexts, MAC addresses are typically the basis of port security.
122. Which aspect of the AAA framework focuses on monitoring and logging?
- Accounting
- Access
- Alerting
- Authorization
Correct answer: Accounting
AAA is a framework for controlling and managing access to resources such as networks and computers. The "three As" in AAA are:
- Authentication, which deals with verifying identities
- Authorization, which deals with allowing or disallowing an identity access to resources
- Accounting, which deals with monitoring and logging
123. The Acme Inc. finance department and accounting department both use an internal web application for critical business functions. A threat actor breached the Acme Inc. network and took down the network link that provides the accounting department with access to the web application. Automated failover processes are able to restore service to users within one hour. What is the CORRECT recoverability effort categorization for this incident?
- Regular
- Supplemented
- Extended
- Not recoverable
Correct answer: Regular
NIST (National Institute of Standards and Technology) recommends these four categorizations of recoverability effort:
- Regular - Recovery time is predictable with available resources
- Supplemented - Recovery time is predictable, but additional resources are needed
- Extended - Recovery time is not predictable; additional resources and outside help required
- Not recoverable - The incident is not recoverable; an investigation should be launched
124. What do the first four digits (after "CVE-") in a CVE number represent?
- The year the vulnerability was discovered
- The base score of the vulnerability
- The impact score for the vulnerability
- The base score and impact score for the vulnerability
Correct answer: The year the vulnerability was discovered
The first four digits (after "CVE-") in a CVE (Common Vulnerabilities and Exposures) number represent the year that specific vulnerability was discovered. For example, CVE-2023-44323 was discovered in 2023 and CVE-2017-7670 in 2017.
125. What is the primary purpose of SCAP?
- Standardize cybersecurity reporting and enable automation
- Streamline API documentation and testing
- Improve security testing in DevSecOps pipelines
- Integrate SIEMs and SOARs
Correct answer: Standardize cybersecurity reporting and enable automation
SCAP (Security Content Automation Protocol) is an effort led by NIST (the National Institute of Standards and Technology) to standardize aspects of reporting cybersecurity information and enable automation.
While SCAP may be used by a variety of other tools and platforms, none of the other answers describe its primary purpose.
126. A security engineer working in the security operations center at Acme Inc. receives a notice about an ongoing security incident and begins to investigate. This action is an example of which type of security control, categorized by its intended effect?
- Responsive
- Compensating
- Preventative
- Corrective
Correct answer: Responsive
Security controls can be divided into specific types of controls based on the effect they are intended to have. The table below summarizes the five types of security controls.
| Security control type | Description |
| --- | --- |
| Preventative control | Prevents an issue before it occurs; example: a firewall rule that blocks malicious traffic |
| Detective control | Detects a security issue that has already occurred; example: an intrusion detection system flagging suspicious behavior |
| Responsive control | Helps teams respond to an ongoing incident; example: a security operations center that is on call to respond to security events |
| Corrective control | Helps recover from incidents that have already occurred; example: restoring from backups after an attack compromised a system |
| Compensating control | Helps mitigate the risk that comes from granting exceptions to a security policy; example: placing a vulnerable legacy system on a highly isolated network instead of upgrading it |
Note that security controls are often categorized as technical, managerial, or operational. This type of categorization focuses on how the controls work rather than their desired effect.
127. Acme Payment Processing Inc. is a payment processor that handles personal data from EU (European Union) citizens. A recent security incident led to a data compromise that impacted customer data. To remain compliant with GDPR (General Data Protection Regulation), Acme Inc. issues a report on the incident to a supervisory authority. This is an example of what type of report?
- Regulatory
- Vulnerability
- Threat
- PCI DSS
Correct answer: Regulatory
Reports required by law are regulatory reports. Required reporting under GDPR is an example of a regulatory report.
While the incident may also impact finances and involve one or more vulnerabilities and threats, none of those categories best describes this report type.
PCI DSS (Payment Card Industry Data Security Standard) is a standard that applies to organizations that handle credit card transactions. It has requirements related to vulnerability management including requirements for internal and external scans, running scans at least every quarter, and using an Approved Scanning Vendor for external scans.
128. Which of the following BEST describes why legacy systems can create cybersecurity risk?
- Legacy systems no longer receive patches
- Legacy systems are poorly coded
- Legacy systems do not support HTTPS
- Legacy systems do not support SSH
Correct answer: Legacy systems no longer receive patches
Legacy systems are systems that are out of date and no longer receive patches or security updates. Many legacy systems support the SSH and HTTPS protocols, and being a legacy system does not necessarily imply that the code quality of the system is poor.
129. An Acme Inc. security policy requires that all PowerShell scripts downloaded from the Internet are signed by a trusted publisher.
Which execution policies are compliant with this policy?
Select the option that includes ALL PowerShell execution policies that permit remote scripts to run ONLY if they are signed by a trusted publisher.
- AllSigned and RemoteSigned
- AllSigned and Restricted
- RemoteSigned and Bypass
- AllSigned
Correct answer: AllSigned and RemoteSigned
PowerShell execution policies determine what type of PowerShell scripts are allowed to run on a system. The five different execution policies, from most to least restrictive are:
- Restricted: No PowerShell scripts can execute
- AllSigned: Allows the execution of scripts that have a trusted signature
- RemoteSigned: Allows the execution of any locally created scripts but requires external scripts to have a trusted signature
- Unrestricted: Allows the execution of any scripts, but prompts for confirmation when external scripts are executed
- Bypass: Allows the execution of any scripts
Restricted is not compliant because it does not allow the execution of signed scripts.
Unrestricted and Bypass are not compliant because they do not require signatures on remote scripts.
AllSigned and RemoteSigned both enforce the requirement for signatures on remote scripts.
130. "As a user, I want to reset my password so that I can access my mobile app" is an example of which agile software development concept?
- User story
- Business model
- Backlog component
- RAD artifact
Correct answer: User story
Agile is an iterative and incremental approach to software development. Agile development focuses on breaking work into small chunks and delivering working software frequently. It has less up-front planning than waterfall or spiral. Agile development has several special terms associated with it.
- The backlog is a list of features or tasks that need to be completed.
- Planning poker is an estimation technique where participants use estimation cards and reveal bids that represent the effort they think is required for a task.
- A timebox is a predefined amount of time that will be allocated to a specific piece of work.
- User stories are user-focused descriptions that act as high-level requirements.
- Velocity is a metric that compares agile estimates to the amount of work actually completed.
RAD (Rapid Application Development) is an iterative process that does not have a planning phase at all and relies heavily on prototype creation.
131. What does a risk score include that a vulnerability score does NOT?
- Organizational context
- Numeric values
- Structured calculation
- Multiple inputs
Correct answer: Organizational context
A vulnerability score uses a structured system to calculate a score for a given vulnerability.
A risk score measures risk within the context of a specific organization. For example, a risk score will consider affected systems, their exposure, and importance.
A CVSS (Common Vulnerability Scoring System) score is an example of a vulnerability score. CVSS scores are numeric values based on multiple inputs used as part of a structured calculation.
132. A security research firm posts a social media announcement and corresponding blog post about a new vulnerability they discovered in the Linux kernel. The announcement and blog post are an example of what MAJOR category of security event indicator from NIST SP 800-61?
- Publicly available information
- Open source
- OSINT
- Alerts
Correct answer: Publicly available information
There are multiple security event indicators CySA+ candidates should be familiar with. NIST (National Institute of Standards and Technology) SP 800-61 describes these four categories of indicators:
| Security event indicator category | Description |
| --- | --- |
| Alerts | Notifications from security tools such as IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) appliances and antivirus software |
| Logs | Records created by systems such as servers and network devices |
| Publicly available information | Information that is made publicly available regarding security vulnerabilities; for example, the announcement of a zero-day vulnerability on a vendor's website |
| People | Humans who report threat-related information |
133. Which freely available attack framework details the complete threat lifecycle and uses detailed matrices to describe mitigation and detection techniques?
- MITRE ATT&CK
- CSIRT
- Device fingerprinting
- ISAC modeling
Correct answer: MITRE ATT&CK
The MITRE ATT&CK framework is a freely available attack framework that provides detailed threat lifecycle information and matrices that describe useful information such as mitigations and threat actor groups.
None of the other answers are standard attack frameworks.
CSIRT (Computer Security Incident Response Team) is a specific type of cybersecurity team.
Device fingerprinting is a technique that uses data such as software, services, and operating system information to uniquely identify a device or device type.
ISACs (Information Sharing and Analysis Centers) are organizations that help other organizations share and learn about threat information and can provide helpful cybersecurity tools and assistance.
134. A vulnerability scanner detected an FTP service available on an Acme Inc. server. Because FTP transmits data in plaintext, the Acme Inc. security team recommended the service be disabled. Disabling the service would leave users without a file-sharing solution on the LAN and employee productivity would be reduced until an alternative was found. As a result, the security team and business stakeholders are analyzing whether or not disabling the service is worthwhile.
In this scenario, disabling FTP is an example of which inhibitor to remediation?
- Degrading functionality
- RPO loss
- RTO loss
- Legacy system
Correct answer: Degrading functionality
Degraded functionality refers to the loss or reduction in utility of a service or system. A patch may lead to degraded functionality in some cases because it turns off a specific network service or changes performance in a way that negatively impacts users. The loss of FTP (File Transfer Protocol) services that a business unit depends on is an example of degraded functionality. Analyzing whether or not the degraded functionality is justifiable could lead to delays in remediation.
RTO (Recovery Time Objective) is the maximum acceptable time a system can be down as part of recovery from an incident.
RPO (Recovery Point Objective) is the maximum amount of acceptable data loss and helps determine what backup frequency an organization should use.
Legacy systems are systems that are out of date and no longer receive patches or security updates. There is no indication that this is the case for the server in the question.
135. Izumi, a security analyst at Acme Inc., is leading a root cause analysis related to a recent clickjacking attack that compromised sensitive data. Izumi is currently creating a list of events in chronological order. What term BEST describes this type of list?
- Timeline
- Syslog
- SIEM
- SOAR
Correct answer: Timeline
A timeline typically details the sequence of events associated with an incident. Timelines of events are useful both in RCA (Root Cause Analysis) and incident response reports.
Syslog records are typically automatically created by a system.
SIEMs (Security Information and Event Management) and SOARs (Security Orchestration, Automation and Response) are types of security tooling.
136. During a network breach, a threat actor gained root access to an Ubuntu 22.04 server on the Acme Inc. network. Which of the following should Acme Inc. do to ensure the server is safe to redeploy?
- Reimage the system from a known secure state
- Change the root password and reboot the server
- Upgrade to Ubuntu 24.04
- Change all user account passwords and upgrade to Ubuntu 24.04
Correct answer: Reimage the system from a known secure state
If an attacker gains control of a system, such as gaining root access on a Linux server, it should be considered untrustworthy until it is either completely rebuilt or reimaged from a known secure state.
Changing passwords or updating the operating system would not make the system trustworthy again.
137. Acme Inc. purchased and actively monitors a pool of public IPv4 addresses. Acme Inc. has not deployed any workloads that use the IP addresses and only uses the monitoring data to identify potential attack patterns. This is an example of what type of active defense?
- Darknet
- Honeypot
- Dark web
- Honeynet
Correct answer: Darknet
A darknet is a pool of unused IP addresses that are monitored to detect potential attackers and identify malicious patterns.
A honeypot is a system that is intentionally vulnerable to exploits and is designed to lure attackers.
A honeynet is a network of honeypots.
The dark web is a portion of the internet that typically requires a Tor web browser to access.
138. Taylor, a security administrator at Acme Inc., is attempting to find specific messages in a /var/log/cysa/ directory that include the string "Auth". Taylor wants to use grep to search files in /var/log/cysa/ and all the directories under it recursively. Which command should Taylor use?
- grep -r Auth /var/log/cysa/
- grep -i Auth /var/log/cysa/
- grep -n auth /var/log/
- grep -e /var/
Correct answer: grep -r Auth /var/log/cysa/
The grep command is used to search files for patterns and return content that matches. The grep command supports different flags that modify its behavior. For example, the -i flag makes a grep search case insensitive (case sensitive is the default behavior).
Other common grep flags include:
- "-c" counts how many matches there are for a specific pattern
- "-n" shows the line and line number for a match
- "-v" shows all lines that are not a match
- "-r" reads files under a directory recursively
- "-e" specifies the pattern(s) to search for
The -r flag is what Taylor needs in this case.
139. Kalani, an accountant at Acme Inc., downloads a program from a public website. The website was compromised by a threat actor and when Kalani runs the program, it installs malware onto Kalani's computer. A daily antimalware scan detects the malware and alerts Alex, a security engineer at Acme Inc. What step should Alex take FIRST?
- Isolate the computer to contain the damage
- Create a backup of the computer
- Enroll Kalani in security awareness training
- Install an updated EDR
Correct answer: Isolate the computer to contain the damage
Containing the threat is the first step in the containment, eradication, and recovery phase of incident response.
Creating a backup of the computer is not useful at this stage because malware is already installed.
Enrolling Kalani in security awareness training may be useful, but is NOT the first step Alex should take in this case.
Similarly, installing an updated EDR may be useful, but is NOT the first step Alex should take in this case.
140. Alex, a security analyst at Acme Inc., receives an alert from a monitoring tool suggesting that an employee has logged in from an unusual geographic location. Alex begins to investigate the alert by reviewing logs and contacting the employee via a phone call. These activities BEST align with what incident response phase?
- Detection and analysis
- Discovery
- Preparation
- Beaconing
Correct answer: Detection and analysis
NIST (National Institute of Standards and Technology) SP 800-61 describes a four-phase incident handling process:
- Preparation - The phase where teams prepare for incident response with training, documentation, procedure creation, planning, testing, and other preparatory steps
- Detection and analysis - The phase dedicated to detecting and identifying threats
- Containment, eradication, and recovery - The phase dedicated to eliminating and recovering from security incidents
- Post-incident activity - The phase dedicated to root cause analysis, lessons learned, and evidence retention
Note that these phases are not "one-and-done" steps and teams will typically cycle through stages and continuously improve.