CompTIA CySA+ (CS0-002) Practice Exam 3 Questions With Verified Answers
Question: In which phase of the security intelligence cycle is information from several different sources aggregated into useful repositories?
A. Collection
B. Analysis
C. Dissemination
D. Feedback
Answer: A. Collection (Correct)
Explanation OBJ-1.2: The collection phase is usually implemented by administrators using various software suites, such as security information and event management (SIEM). This software must be configured with connectors or agents that can retrieve data from sources such as firewalls, routers, IDS sensors, and servers. The analysis phase focuses on converting collected data into useful information or actionable intelligence. The dissemination phase refers to publishing information produced by analysis to consumers who need to develop the insights. The final phase of the security intelligence cycle is feedback and review, which utilizes both intelligence producers' and intelligence consumers' input. This phase aims to improve the implementation of the requirements, collection, analysis, and dissemination phases as the life cycle is developed.

Question: You have just begun an investigation by reviewing the security logs. During the log review, you notice the following lines of code: What BEST describes what is occurring, and what action do you recommend to stop it?
A. The host is using the Windows Task Scheduler at 10:42 to run from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network
B. The host (123.12.34.12) is a rogue device on the network; you should recommend removing the host from the network
C. The host is beaconing to 123.12.34.12 every day at 10:42 by running from the temp directory; you should recommend removing the host from the network
D. The host (123.12.34.12) is running from the temp directory at 10:42 using the auto cron job remotely; no recommendation is required since this is not malicious activity
Answer: A. The host is using the Windows Task Scheduler at 10:42 to run from the temp directory to create a remote connection to 123.12.34.12; you should recommend removing the host from the network (Correct)
Explanation OBJ-4.3: The code is setting up a task using Windows Task Scheduler (at). This task will run netcat () each day at the specified time (10:42). This is the netcat program and is being run from the c:\temp directory to create a reverse shell by executing the command shell (-e ) and connecting it back to the attacker's machine at 172.16.34.12 over port 443.

Question: You are conducting threat hunting for an online retailer. Upon analyzing their web server, you identified that a single HTML response returned as 45 MB in size, but an average response is normally only 275 KB. Which of the following categories of potential indicators of compromise would you classify this as?
A. Beaconing
B. Introduction of new accounts
C. Data exfiltration
D. Unauthorized privilege
Answer: C. Data exfiltration
Explanation OBJ-3.3: If attackers use SQL injection to extract data through a web application, the requests issued by them will usually have a larger HTML response size than a normal request. For example, if the attacker extracts the full credit card database, then a single response for that attacker might be 20 to 50 MB, where a normal response is only 200 KB. Therefore, this scenario is an example of a data exfiltration indicator of compromise. Based on the scenario, there is no evidence that a user is conducting a privilege escalation or using unauthorized privileges. There is also no evidence of a new account having been created or beaconing occurring over the network.

Question: Matt is creating a scoping worksheet for an upcoming penetration test for his organization. Which of the following techniques is NOT usually included in a penetration test?
A. Reverse engineering
B. Physical penetration attempts
C. Denial-of-service attacks
D. Social engineering
Answer: C. Denial-of-service attacks (Correct)
Explanation OBJ-5.2: A denial-of-service (DoS) attack isn't usually included as part of a penetration test. This type of attack carries too much risk for an organization to allow it to be included in an assessment's scope. Social engineering, physical penetration attempts, and reverse engineering are all commonly included in a penetration test's scope. A penetration tester must limit the invasiveness of their assessment to the specific scope of the penetration test.

Question: What SCAP component provides a list of entries that contains an identification number, a description, and a public reference for each publicly known weakness in a piece of software?
A. XCCDF
B. CPE
C. CVE
D. CCE
Answer: C. CVE (Correct)
Explanation OBJ-3.4: The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. XCCDF (Extensible Configuration Checklist Description Format) is a language that is used in creating checklists for reporting results. The Common Configuration Enumeration (CCE) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Common Platform Enumeration (CPE) is a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.

The Common Vulnerabilities and Exposures (CVE) system provides - Answer a reference method for publicly known information-security vulnerabilities and exposures.

XCCDF (Extensible Configuration Checklist Description Format) is - Answer a language that is used in creating checklists for reporting results.

The Common Configuration Enumeration (CCE) provides - Answer unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.

Common Platform Enumeration (CPE) is - Answer a standardized method of describing and identifying classes of applications, operating systems, and hardware devices present among an enterprise's computing assets.

Question: Which of the following lists represents the NIST cybersecurity framework's four tiers, when ordered from least mature to most mature?
A. Partial, Risk Informed, Managed, Adaptive (Incorrect)
B. Partial, Risk Informed, Repeatable, Adaptive
C. Partial, Managed, Risk Informed, Adaptive
D. Partial, Repeatable, Risk Informed, Adaptive
Answer: B. Partial, Risk Informed, Repeatable, Adaptive (Correct)
Explanation OBJ-5.3: From least mature to most mature, the NIST cybersecurity framework tiers are Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

From least mature to most mature, the NIST cybersecurity framework tiers are - Answer Partial (tier 1), Risk Informed (tier 2), Repeatable (tier 3), and Adaptive (tier 4). This question may seem beyond the scope of the exam.

Question: What command should a forensic analyst use to make a forensic disk image of a hard drive?
A. touch
B. wget
C. dd (Correct)
D. rm
Answer: C. dd
Explanation OBJ-4.4: The dd tool is used to make bit-by-bit copies of a disk, drive, or partition. Once the image is created using dd, a hash of the file should be made and placed into evidence to validate the integrity of the disk image that was created. This ensures that no modification occurs between the collection and analysis of the disk image. The wget command is a command-line utility for downloading files from the Internet. The touch command is a standard UNIX/Linux command used to create files and to change or modify a file's timestamps. The rm command is used to delete one or more files or directories.

Question: Which of the following are valid concerns when migrating to a serverless architecture? (SELECT THREE)
A. Patching of the backend infrastructure
B. Dependency on the cloud service provider
C. Limited disaster recovery options
D. Management of physical servers
E. Protection of endpoint security
F. Management of VPC offerings
Answer: B. Dependency on the cloud service provider (Correct); C. Limited disaster recovery options (Correct); E. Protection of endpoint security (Correct)
Explanation OBJ-2.1: Serverless is a modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on servers located within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests. There is a heavy dependency on the cloud service provider in a serverless architecture, since all of the back-end infrastructure's patching and management functions are done by the provider. An organization using such an architecture would still need to prevent compromise of the user endpoints, since the cloud service provider does not manage these. Another concern with serverless architectures is that there are limited options for disaster recovery if service provisioning fails. Patching of backend infrastructure is eliminated because the infrastructure itself is eliminated with serverless architectures. Once migration is complete, there are no physical servers to manage, which reduces the workload on your system administration teams.

Serverless is a - Answer modern design pattern for service delivery. With serverless, all the architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC) offerings, services such as authentication, web applications, and communications aren't developed and managed as applications running on servers located within the cloud.

Question: Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach. They will assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event?
A. Block all employee access to social media from the company's network and begin monitoring your employees' email
B. Require all employees to commit to an NDA about the data breach in writing
C. Require all employees to commit to an NDA about the data breach verbally
D. Ask a member of law enforcement to meet with your employees
Answer: D. Ask a member of law enforcement to meet with your employees (Correct)
Explanation OBJ-4.1: Since the data breach is now the subject of an active law enforcement investigation, your organization should request that a law enforcement agent speak with your employees to give them clear guidance on what they should and should not say to people outside of the investigation. Additionally, the company's system administrators and analysts should not perform any actions on the network until they receive law enforcement guidance. This ensures that the employees do not accidentally destroy or tamper with potential evidence of the crime.

Question: Your organization has recently been the target of a spearphishing campaign. You have identified the website associated with the link in the spearphishing emails and want to deny access to it. Which of the following techniques would be the MOST effective in this situation?
A. Containment
B. Quarantine
C. Application blocklist
D. URL filter
Answer: D. URL filter (Correct)
Explanation OBJ-3.1: A URL filter can be used to block a website based on its website address or uniform resource locator (URL). This is not a containment technique but a blocking and filtering technique. Quarantine would be used against an infected machine, and it would not be effective for blocking access to a given website across the entire organization. An application blocklist is used to prevent an application from running, so it cannot be used to block a single malicious or suspicious website or URL.

A URL filter can - Answer be used to block a website based on its website address or uniform resource locator (URL). This is not a containment technique but a blocking and filtering technique.

An application blocklist is - Answer used to prevent an application from running, so it cannot be used to block a single malicious or suspicious website or URL.

Question: You just visited an e-commerce website by typing in its URL during a vulnerability assessment. You discovered that an administrative web frontend for the server's backend application is accessible over the internet. Testing this frontend, you discovered that the default password for the application is accepted. Which of the following recommendations should you make to the website owner to remediate this discovered vulnerability? (SELECT THREE)
A. the username and default password
B. Create an allow list for the specific IP blocks that use this application
C. Require two-factor authentication for access to the application
D. Require an alphanumeric passphrase for the application's default password
E. Rename the URL to a more obscure name
F. Conduct a penetration test against the organization's IP space
Answer: A. the username and default password (Correct); B. Create an allow list for the specific IP blocks that use this application (Correct); C. Require two-factor authentication for access to the application (Correct)
Explanation OBJ-3.2: First, you should change the username and default password, since using default credentials is extremely insecure. Second, you should implement an allow list for the specific IP blocks with access to this application's administrative web frontend, since it should only be used by a few system administrators and power users. Next, you should implement two-factor authentication for access to the application, since two-factor authentication provides more security than a simple username and password combination. You should not rename the URL to a more obscure name, since security by obscurity is not considered a good security practice. You also should not require an alphanumeric passphrase for the application's default password. Since it is a default password, you cannot change the password requirements without the vendor conducting a software update to the application. Finally, while it may be a good idea to conduct a penetration test against the organization's IP space to identify other vulnerabilities, it will not help remediate this identified vulnerability.

Question: You are a cybersecurity analyst working for an accounting firm that manages the accounting for multiple smaller firms. You have successfully detected an APT operating in your company's network that appears to have been there for at least 8 months. In conducting a qualitative assessment of the impact, which of the following factors should be most prominently mentioned in your report to your firm's executives? (SELECT TWO)
A. Recovery time
B. Data integrity
C. Economic
D. Downtime
E. Detection time
Answer: B. Data integrity (Correct); C. Economic (Correct)
Explanation OBJ-4.2: While all of the above options should be included in your report to management, due to the nature of your company's work, the economic impact on the business should be your top factor. This would include any possible liability and damage that will be done to the company's reputation. Data integrity would be the second most important factor to highlight in your report, since an APT may have stolen significant amounts of money by altering the integrity of your financial documentation and account data. Downtime, recovery time, and detection time are important for understanding the broader cybersecurity concern and remediation steps, but they are not going to be the primary concern for your accounting firm's executives. As a cybersecurity analyst, you often prioritize what will be highlighted to the executives and management. It is important to remember their perspective and priorities, which are usually focused on monetary cost/ROI and the business's longevity over the technical details an analyst usually focuses on. To be successful in this career field, you need to learn to speak both languages (the technical details when working with the system administrators and the business impact when discussing with management/executives).

Question: Riaan's company runs critical web applications. During a vulnerability scan, Riaan found a serious SQL injection vulnerability in one of their web applications. The system cannot be taken offline to remediate the vulnerability. Which of the following compensating controls should Riaan recommend using until the system can be remediated?
A. Encryption
B. WAF
C. Vulnerability scanning
D. IPS
Answer: B. WAF (Correct)
Explanation OBJ-3.2: A WAF (web application firewall) is the best option, since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated. Vulnerability scanning could only be used to detect the issue; therefore, it is a detective control, not a compensating control. Encryption would not be effective in stopping an SQL injection. An intrusion prevention system (IPS) is designed to protect network devices based on ports, protocols, and signatures. It would not be effective against an SQL injection and is not considered a compensating control for this vulnerability.

WAF (web application firewall) is - Answer the best option, since it can serve as a compensating control and protect against web application vulnerabilities like an SQL injection until the application can be fully remediated.

Question: You are analyzing the logs of a forensic analyst's workstation and see the following: What does the bs=1M signify in the command list above?
A. Sets the beginning sector
B. Sends output to a blank sector
C. Removes error messages and other incorrect data
D. Sets the block size
Answer: D. Sets the block size (Correct)
Explanation OBJ-4.4: The dd command is used in forensic data acquisition to forensically create a bit-by-bit copy of a hard drive to a disk image. The bs operator sets the block size when using the Linux dd command. This question may seem beyond the scope of the exam. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

Question: Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role?
A. PaaS
B. SaaS
C. MSSP
D. IaaS
Answer: C. MSSP (Correct)
Explanation OBJ-2.1: A managed security service provider (MSSP) provides security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings. Security as a service or a managed service provider (MSP) would be better suited for this role. This question may seem beyond the exam scope. Still, the objectives allow for "other examples of technologies, processes, or tasks about each objective may also be included on the exam although not listed or covered" in the objectives' bulletized lists. The exam tests the equivalent of 4 years of hands-on experience in a technical cybersecurity job role. The content examples listed in the objectives are meant to clarify the test objectives and should not be construed as a comprehensive listing of this examination's content. Therefore, questions like this are fair game on test day. That said, your goal isn't to score 100% on the exam; it is to pass it. Don't let questions like this throw you off on test day. If you aren't sure, take your best guess and move on!

A managed security service provider (MSSP) provides - Answer security as a service (SECaaS). IaaS, PaaS, and SaaS (infrastructure, platform, and software as a service) do not include security monitoring as part of their core service offerings.

Question: Jason has installed multiple virtual machines on a single physical server. He needs to ensure that the traffic is logically separated between each virtual machine. How can Jason best implement this requirement?
A. Install a virtual firewall and establish an access control list
B. Create a virtual router and disable the spanning tree protocol
C. Configure a virtual switch on the physical server and create VLANs
D. Conduct system partitioning on the physical server to ensure the virtual disk images are on different partitions
Answer: C. Configure a virtual switch on the physical server and create VLANs
Explanation OBJ-2.1: A virtual switch is a software application that allows communication between virtual machines. A virtual local area network (VLAN) is a hardware-imposed network segmentation created by switches. This solution provides a logical separation of each virtual machine through the use of VLANs on the virtual switch.

Question: You are conducting a review of a VPN device's logs and found the following URL being accessed: Based upon this log entry alone, which of the following most likely occurred?
A. An XML injection attack caused the VPN server to return the password file
B. The passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted
C. An SQL injection attack caused the VPN server to return the password file
D. The passwd file was downloaded using a directory traversal attack
Answer: B. The passwd file was downloaded using a directory traversal attack if input validation of the URL was not conducted (Correct)
Explanation OBJ-3.3: The exact string used here was the attack string used in CVE- to compromise thousands of VPN servers worldwide using a directory traversal approach. However, its presence in the logs does not prove that the attack was successful, only that it was attempted. To verify that the attacker successfully downloaded the passwd file, a cybersecurity analyst would require additional information and correlation. If the server utilizes proper input validation on URL entries, then the directory traversal would be prevented. As no SQL or XML language elements are present, this is not an SQL or XML injection attack.

Question: You were conducting a forensic analysis of an iPad backup and discovered that only some of the information is within the backup file. Which of the following best explains why some of the data is missing?
A. The backup is a differential backup
B. The backup was interrupted
C. The backup is stored in iCloud
D. The backup is encrypted
Answer: A. The backup is a differential backup
School, study and subject
- Institution
- CompTIA CySA+
- Degree
- CompTIA CySA+
Document information
- Uploaded on
- 13 September 2023
- Number of pages
- 49
- Written in
- 2023/2024
- Type
- Exam
- Contains
- Questions and answers