Exam (elaborations)

CYSA+ Practice Exam #1 UPDATED ACTUAL Questions and CORRECT Answers

Pages: 35
Grade: A+
Uploaded on: 28-09-2025
Written in: 2025/2026
Institution: Cysa
Course: Cysa











While reviewing network flow logs, John sees that network flow on a particular segment suddenly dropped to zero. What is the most likely cause of this?

A. A denial-of-service attack
B. A link failure
C. High bandwidth consumption
D. Beaconing

Answer: B. The sudden drop to zero is most likely to be an example of link failure. A denial-of-service attack could result in this type of drop but is less likely for most organizations. High bandwidth consumption and beaconing both show different traffic patterns than shown in this example.

Charlotte is having a dispute with a co-worker over access to information contained in a database maintained by her co-worker's department. Charlotte insists that she needs the information to carry out her job responsibilities, while the co-worker insists that nobody outside the department is allowed to access the information. Charlotte does not agree that the other department should be able to make this decision, and Charlotte's supervisor agrees with her. What type of policy could Charlotte turn to for the most applicable guidance?

A. Data classification policy
B. Data retention policy
C. Data ownership policy
D. Acceptable use policy

Answer: C. This is fundamentally a dispute about data ownership. Charlotte's co-worker is asserting that her department owns the data in question, and Charlotte disagrees. While the other policies mentioned may have some relevant information, Charlotte should first turn to the data ownership policy to see whether it reinforces or undermines her co-worker's data ownership claim.

Frank is conducting the recovery process after his organization experienced a security incident. During that process, he plans to apply patches to all of the systems in his environment. Which one of the following should be his highest priority for patching?

A. Windows systems
B. Systems involved in the incident
C. Linux systems
D. Web servers

Answer: B. During an incident recovery effort, patching priority should be placed upon systems that were directly involved in the incident. This is one component of remediating known issues that were actively exploited.

Susan's organization suffered from a major breach that was attributed to an advanced persistent threat (APT) that used exploits of zero-day vulnerabilities to gain control of systems on her company's network. Which of the following is the least appropriate solution for Susan to recommend to help prevent future attacks of this type?

A. Heuristic attack detection methods
B. Signature-based attack detection methods
C. Segmentation
D. Leverage threat intelligence

Answer: B. Signature-based attack detection methods rely on knowing what an attack or malware looks like. Zero-day attacks are unlikely to have an existing signature, making them a poor choice to prevent them.

Heuristic (behavior) detection methods can indicate compromises despite the lack of signatures for the specific exploit. Leveraging threat intelligence to understand new attacks and countermeasures is an important part of defense against zero-day attacks.

Building a well-designed and segmented network can limit the impact of compromises or even prevent them.

During his investigation of a Windows system, Eric discovered that files were deleted and wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?

A. Windows registry
B. Master File Table
C. INDX files
D. Event logs

Answer: D. The Windows registry, Master File Tables, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.

As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer's corporate headquarters network. During her shift, Emily's IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization's WPA2 enterprise wireless network aimed at systems in the finance division. What data source should she check first?

A. Host firewall logs
B. AD authentication logs
C. Wireless authentication logs
D. WAF logs

Answer: C. Since Emily's organization uses WPA2 enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.

Casey's incident response process leads her to a production server that must stay online for her company's business to remain operational. What method should she use to capture the data she needs?

A. Live image to an external drive.
B. Live image to the system's primary drive.
C. Take the system offline and image to an external drive.
D. Take the system offline, install a write blocker on the system's primary drive, and then image it to an external drive.

Answer: A. Normally, forensic images are collected from systems that are offline to ensure that a complete copy is made. In cases like this where keeping the system online is more important than the completeness of the forensic image, a live image to an external drive using a portable forensic tool such as FTK Imager Lite, dd, or similar is the correct choice.

During a routine upgrade, Maria inadvertently changes the permissions to a critical directory, causing an outage of her organization's RADIUS infrastructure. How should this threat be categorized using NIST's threat categories?

A. Adversarial
B. Accidental
C. Structural
D. Environmental

Answer: B. Accidental threats occur when individuals doing their routine work mistakenly perform an action that undermines security. In this case, Maria's actions were an example of an accident that caused an availability issue.

What does the nmap response "filtered" mean in port scan results?

A. nmap cannot tell whether the port is open or closed.

Answer: A. When nmap returns a response of "filtered," it indicates that nmap cannot tell whether the port is open or closed. Filtered results are often the result of a firewall or other network device, but a response of filtered does
