CompTIA CySA+ Exam Questions

Page 9 of 53

161.

During a threat modeling exercise, Dana, a security engineer at Acme Inc., maps out all the devices, networks, people, applications, and infrastructure that threat actors may target. This is an example of documenting what element of a threat model? 

  • Attack surface

  • Impact

  • Attack vector

  • Adversary capabilities

Correct answer: Attack surface

Threat modeling is a complex task that takes many different variables into account. Typical elements of threat models include:

  • Assessment of adversary capabilities, which helps ascertain what resources, skills, and intent threat actors have
  • Attack surface assessment that details the entire attack surface a threat actor may attempt to compromise or exploit (e.g., systems, people, and infrastructure)
  • Listing attack vectors a threat actor can use to gain access 
  • Attack impact
  • Attack probability of success

162.

Yuri, a security analyst at Acme Inc., needs to select a hashing algorithm to validate the integrity of a file after it is downloaded. Which of the following is an example of a hashing algorithm? 

  • MD5

  • ChaCha20

  • RC4

  • 3DES

Correct answer: MD5

Hashes are one-way functions that transform data of an arbitrary size into a fixed-size output. Strong hash functions greatly reduce or reasonably eliminate the chance of two different files producing the same hash. SHA-256 and MD5 are examples of hashing algorithms.

The other algorithms are symmetric key algorithms. 

163.

Which of the following containment techniques provide more isolation than network segmentation?

Select all that apply.

  • Isolation

  • Removal

  • VLANs

  • Playbooking

Segmentation only provides logical isolation between different network segments within a broader network. Network isolation completely disconnects an attacker or compromised system from a network. Removal completely disconnects an attacker or compromised system from any networks.

VLANs (virtual local area networks) are an example of network segmentation.

Playbooks are useful tools to create repeatable step-by-step incident response processes.

164.

Amal logs into a banking website with a username, password, and code from an authenticator app. Which authentication factors did Amal use?

  • Knowledge and possession

  • Knowledge only

  • Possession and location

  • Possession only

Correct answer: Knowledge and possession

Common authentication factors include:

  • Knowledge factors - "something you know," e.g., a password
  • Possession factors - "something you have," e.g., a smartcard or authenticator application
  • Biometric factors - "something you are," e.g., a fingerprint
  • Location factors - "where you are," e.g., accessing a system from a specific location

Authentication factors can be combined to improve security. MFA (Multifactor Authentication) combines two or more different authentication factors in the authentication process. 

165.

Amal is a security engineer at Acme Inc. Amal is helping the IT team develop a logging strategy for a new network. Which of the following should Amal recommend be incorporated into the logging strategy? 

  • Send logs to a central location for storage, analysis, and reporting

  • Avoid using NTP for time synchronization, use RTC instead

  • Set all log levels to Emergencies 

  • Set all log levels to Critical

Correct answer: Send logs to a central location for storage, analysis, and reporting

Logs should be sent to a central location to help streamline storage, analysis, and reporting. Centralization makes it easier for administrators to work with logs and add context to security incidents that impact multiple systems. 

NTP (Network Time Protocol) is a network protocol used to synchronize time across systems. NTP servers enable multiple client systems to synchronize their time with an authoritative source and help keep timestamps in sync throughout a network. NTP would be useful for time synchronization in the new network. 

There is no one-size-fits-all standard for the right logging level for an organization. Organizations should choose the logging level that balances capturing information, avoiding "floods" of data that are not useful, and storage. Nothing in the question tells us Emergencies or Critical are the right log levels in this case. 

166.

How many authentication factors are TYPICALLY used with passwordless authentication?

  • One

  • Five

  • Three

  • Zero

Correct answer: One

Passwordless authentication typically uses one authentication factor such as a USB token. 

167.

What cybersecurity objective deals with preventing unauthorized access to sensitive data? 

  • Confidentiality 

  • Integrity 

  • Availability

  • Privacy

Correct answer: Confidentiality

Confidentiality, Integrity, and Availability, also known as the CIA triad, are the three key objectives of modern cybersecurity programs.

Confidentiality deals with preventing unauthorized access to sensitive data. 

Integrity deals with ensuring data and systems are free from unauthorized modifications. 

Availability deals with ensuring data and systems remain accessible to authorized users.

Privacy focuses on protecting how organizations share data related to individuals. 

168.

An Acme Inc. vulnerability report details information for these vulnerabilities:

Name               CVSS Score   Patch available?
Database vuln 1    6.3          No
Web server vuln 1  7.9          Yes
Web server vuln 2  8.8          Yes
Endpoint vuln 1    8.1          No

Based on CVSS score, how many critical vulnerabilities are in the list? 

  • 0

  • 1

  • 2

  • 4

Correct answer: 0

CVSS scores of 9.0–10.0 are typically considered critical. None of the vulnerabilities in the list are within that range. 

169.

Acme Inc. is considering using OpenID for identity services as part of an upcoming project. Which of the following statements about OpenID is TRUE?

  • OpenID supports authentication

  • OpenID supports authorization

  • OpenID is immune to replay attacks

  • OpenID is immune to redirect manipulation 

Correct answer: OpenID supports authentication

OpenID is a federated identity technology that supports authentication. OpenID does not support authorization. Potential security risks related to OpenID include redirect manipulation, phishing, and replay attacks.

170.

Which of the following is ONE of the OWASP Top Ten web application vulnerabilities for 2021?

  • Cryptographic failures

  • Password cracking

  • Passive monitoring

  • SOAR optimization 

Correct answer: Cryptographic failures

The OWASP (Open Web Application Security Project) Top Ten is an awareness document that highlights common risks to web applications. The 2021 OWASP Top Ten web application vulnerabilities are:

  • Broken access control
  • Cryptographic failures
  • Injection
  • Insecure design
  • Security misconfiguration
  • Vulnerable and outdated components
  • Identification and authentication failures
  • Software and data integrity failures
  • Security logging and monitoring failures
  • Server-side request forgery 

171.

EDR is BEST described as a modern replacement for what type of technology?

  • Antivirus

  • SSL

  • WAF

  • Relational database

Correct answer: Antivirus

EDR (Endpoint Detection and Response) tools are a category of security tools focused on detecting and responding to threats on endpoints such as personal computers. EDR solutions typically include threat detection, behavioral analysis, alert notification, and threat neutralization features. They can be described as modern replacements for traditional antivirus programs. 

An EDR is not a viable replacement for SSL (or TLS), a WAF (Web Application Firewall), or a relational database. 

172.

Acme Inc. purchased a commercial web application scanner. Which of the following types of vulnerabilities is the web application scanner MOST likely to detect?

  • XSS

  • Dereferencing

  • Race condition

  • Use of strcpy

Correct answer: XSS

Web application scanners are designed to test web applications for vulnerabilities such as XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), and injection attacks. 

While other security tools may help discover the remaining vulnerabilities listed (dereferencing errors, race conditions, and use of strcpy), a tool dedicated to web application security scanning is less likely to detect them than it is to detect XSS. 

173.

Dani, a security architect at Acme Inc., is tasked with discovering devices that may not have shown up in port and network scans the security operations team ran. What technique is BEST suited for this task? 

  • Passive discovery

  • Edge discovery

  • Rainbow tabling

  • Adversary emulation

Correct answer: Passive discovery

Attack surface management activities encompass the different actions an organization can take to discover, test, and protect their overall attack surface. Common attack surface management activities include:

  • Edge discovery - Scans that identify an organization’s systems that are exposed to the public
  • Passive discovery - Techniques that monitor network traffic to detect assets that other scans may miss
  • Security controls testing - Tests that verify if existing security controls work as intended
  • Penetration testing and adversary emulation - Tests where threat actor behavior is emulated to discover issues in systems and security controls

Rainbow tables are precomputed tables of password hashes used to look up the password that corresponds to a captured hash. 

174.

Tabletop exercises, also known as TTX, occur during what phase of the incident response process?

  • Preparation 

  • Detection and analysis

  • Education

  • Post-incident activity

Correct answer: Preparation 

NIST (National Institute of Standards and Technology) SP 800-61 describes a four-phase incident handling process that includes these four phases:

  • Preparation - The phase where teams prepare for incident response with training, documentation, procedure creation, planning, testing, and other preparatory steps 
  • Detection and analysis - The phase dedicated to detecting and identifying threats 
  • Containment, eradication, and recovery - The phase dedicated to eliminating and recovering from security incidents 
  • Post-incident activity - The phase dedicated to root cause analysis, lessons learned, and evidence retention 

Tabletop exercises, also known as TTX, are a specific type of role-playing activity that can help identify areas where cybersecurity posture can be improved. The CySA+ exam objectives call out "tabletop" as one of the preparation phase activities, so CySA+ candidates should be familiar with tabletop exercises. 

Note that these phases are not "one-and-done" steps and teams will typically cycle through stages and continuously improve. 

175.

What formula represents how risk severity is typically expressed? 

  • Risk severity = Probability × Magnitude 

  • Magnitude = Probability + Risk severity 

  • Risk = Asset value × Magnitude 

  • Asset value = Magnitude + Probability 

Correct answer: Risk severity = Probability × Magnitude 

Risk severity is often represented by the conceptual formula "Risk severity = Probability × Magnitude." This formula demonstrates that the two key contributing factors to risk severity are the likelihood of an event occurring and the impact (magnitude) that would result from the occurrence. 

176.

Which of the following is TRUE about JSON formatting?

  • It uses curly brackets to structure data

  • It uses dotted-decimal notation to structure data

  • It uses angle brackets to structure data

  • It does NOT support key:value pairs natively 

Correct answer: It uses curly brackets to structure data

JSON (JavaScript Object Notation) is a data format that uses key:value pairs and curly brackets {} to structure data. 

{
 "org": "CompTIA",
 "exam": "CySA+"
}

is an example of data using a JSON format.

177.

A web server at Acme Inc. is vulnerable to an exploit where a threat actor can trick a user into sending a malicious query to the server which then executes code on the user's computer. This is an example of what type of COMMON vulnerability?

  • Reflected XSS

  • Improper error handling

  • Race condition

  • Persistent XSS

Correct answer: Reflected XSS

Reflected XSS (Cross-Site Scripting) occurs when a threat actor tricks a user into sending a malicious query to a server, which reflects it back in its response so that the code executes on the user's computer. For example, an attacker might include a script as part of a parameterized URL sent to the server.

Persistent XSS, sometimes called stored XSS, occurs when an attacker is able to store (persist) malicious code on a web server. The code then executes when the user accesses or interacts with the affected portion of the website.

Improper error handling occurs when an error message reveals information that an end user or attacker should not see. For example, a stack trace may reveal detailed information a threat actor can use to help compromise a system. 

Race conditions are timing-related errors that occur when an application attempts multiple operations at the same time. 

178.

Bola, a penetration tester at Acme Inc., is using the traceroute command to check connectivity between different endpoints. What value can Bola use to infer network topology as traceroute data is collected?

  • TTL values

  • jFlow data

  • SNMP data

  • md5sum output

Correct answer: TTL values

Information from traceroute and TTL (Time to Live) responses enables scanning tools and testers to map networks by quantifying "hops" between different network devices. 

jFlow and SNMP data are not included in traceroute responses.

md5sum is a Linux utility that generates MD5 sums based on a file that is provided as input. The output of the command is "<md5 hash value> <file name>", where <md5 hash value> is the MD5 hash and <file name> is the name of the input file. 

179.

An Acme Inc. database server is flagged as affected by a high-severity vulnerability. A patch is available to address the vulnerability. Because business processes require a two-week approval and testing process before patches are applied to production systems, Alex, a systems administrator at Acme Inc., deploys a firewall with rules designed to limit the probability of a threat actor exploiting the vulnerability. In this scenario, the approval process is an example of what cybersecurity concept?

  • Inhibitor to remediation

  • Indicator of compromise

  • Threat actor

  • Compensating control

Correct answer: Inhibitor to remediation

An inhibitor to remediation is something that delays or prevents an organization from patching or resolving a security issue. In this question, the approval process is an example of organizational governance as an inhibitor to remediation because it delays the patch. 

The firewall with rules designed to limit the probability of a threat actor exploiting the vulnerability is a compensating control. 

An IoC (Indicator of Compromise) is evidence that suggests malicious activity may have occurred. 

180.

Quinn, a systems administrator at Acme Inc., needs to map a server's public IP address to a private IP address. What technology is BEST for this task?

  • NAT

  • Modbus 

  • EDR

  • In-band NAC

Correct answer: NAT

NAT (Network Address Translation) is typically managed by a firewall and enables a resource's public IP address to be mapped to its private internal IP address. NAT can help avoid exposing internal IP addresses. 

The Modbus protocol is common in industrial communications and is often used to enable communication between PLCs (Programmable Logic Controllers) and different sensors and serial devices. 

EDR (Endpoint Detection and Response) tools are a category of security tools focused on detecting and responding to threats on endpoints such as personal computers. EDR solutions typically include threat detection, behavioral analysis, alert notification, and threat neutralization features. 

In-band NAC (Network Access Control) refers to approaches to NAC where a NAC appliance sits inline between devices requesting access and the network resources that can be accessed. Out-of-band NAC solutions use authentication servers that are not inline between devices requesting access and the network resources that can be accessed. 802.1X uses an out-of-band approach to NAC.