Exam (elaborations)

CYSA+ Practice Exam #1 question with complete solution 2022

Rating
-
Sold
-
Pages
28
Grade
A+
Uploaded on
07-12-2022
Written in
2022/2023

While reviewing network flow logs, John sees that network flow on a particular segment suddenly dropped to zero. What is the most likely cause of this?
A. A denial-of-service attack
B. A link failure
C. High bandwidth consumption
D. Beaconing
- correct answer B. The sudden drop to zero is most likely to be an example of link failure. A denial-of-service attack could result in this type of drop but is less likely for most organizations. High bandwidth consumption and beaconing both show different traffic patterns than the one shown in this example.

Charlotte is having a dispute with a co-worker over access to information contained in a database maintained by her co-worker's department. Charlotte insists that she needs the information to carry out her job responsibilities, while the co-worker insists that nobody outside the department is allowed to access the information. Charlotte does not agree that the other department should be able to make this decision, and Charlotte's supervisor agrees with her. What type of policy could Charlotte turn to for the most applicable guidance?
A. Data classification policy
B. Data retention policy
C. Data ownership policy
D. Acceptable use policy
- correct answer C. This is fundamentally a dispute about data ownership. Charlotte's co-worker is asserting that her department owns the data in question, and Charlotte disagrees. While the other policies mentioned may have some relevant information, Charlotte should first turn to the data ownership policy to see whether it reinforces or undermines her co-worker's data ownership claim.

Frank is conducting the recovery process after his organization experienced a security incident. During that process, he plans to apply patches to all of the systems in his environment. Which one of the following should be his highest priority for patching?
A. Windows systems
B. Systems involved in the incident
C. Linux systems
D. Web servers
- correct answer B. During an incident recovery effort, patching priority should be placed on systems that were directly involved in the incident. This is one component of remediating known issues that were actively exploited.

Susan's organization suffered from a major breach that was attributed to an advanced persistent threat (APT) that used exploits of zero-day vulnerabilities to gain control of systems on her company's network. Which of the following is the least appropriate solution for Susan to recommend to help prevent future attacks of this type?
A. Heuristic attack detection methods
B. Signature-based attack detection methods
C. Segmentation
D. Leverage threat intelligence
- correct answer B. Signature-based attack detection methods rely on knowing what an attack or malware looks like. Zero-day attacks are unlikely to have an existing signature, making signatures a poor choice for preventing them. Heuristic (behavior) detection methods can indicate compromises despite the lack of signatures for the specific exploit. Leveraging threat intelligence to understand new attacks and countermeasures is an important part of defense against zero-day attacks. Building a well-designed and segmented network can limit the impact of compromises or even prevent them.

During his investigation of a Windows system, Eric discovered that files were deleted and wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?
A. Windows registry
B. Master File Table
C. INDX files
D. Event logs
- correct answer D. The Windows registry, Master File Table, and INDX files all contain information about files, often including removed or deleted files. Event logs are far less likely to contain information about a specific file location.

As part of her duties as an SOC analyst, Emily is tasked with monitoring intrusion detection sensors that cover her employer's corporate headquarters network. During her shift, Emily's IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization's WPA2 Enterprise wireless network aimed at systems in the finance division. What data source should she check first?
A. Host firewall logs
B. AD authentication logs
C. Wireless authentication logs
D. WAF logs
- correct answer C. Since Emily's organization uses WPA2 Enterprise, users must authenticate to use the wireless network. Associating the scan with an authenticated user will help incident responders identify the device that conducted the scan.

Casey's incident response process leads her to a production server that must stay online for her company's business to remain operational. What method should she use to capture the data she needs?
A. Live image to an external drive.
B. Live image to the system's primary drive.
C. Take the system offline and image to an external drive.
D. Take the system offline, install a write blocker on the system's primary drive, and then image it to an external drive.
- correct answer A. Normally, forensic images are collected from systems that are offline to ensure that a complete copy is made. In cases like this, where keeping the system online is more important than the completeness of the forensic image, a live image to an external drive using a portable forensic tool such as FTK Imager Lite, dd, or similar is the correct choice.

During a routine upgrade, Maria inadvertently changes the permissions to a critical directory, causing an outage of her organization's RADIUS infrastructure. How should this threat be categorized using NIST's threat categories?
A. Adversarial
B. Accidental
C. Structural
D. Environmental
- correct answer B. Accidental threats occur when individuals doing their routine work mistakenly perform an action that undermines security. In this case, Maria's actions were an example of an accident that caused an availability issue.

What does the nmap response "filtered" mean in port scan results?
A. nmap cannot tell whether the port is open or closed.
B. A firewall was detected.
C. An IPS was detected.
D. There is no application listening, but there may be one at any time.
- correct answer A. When nmap returns a response of "filtered," it indicates that nmap cannot tell whether the port is open or closed. Filtered results are often the result of a firewall or other network device, but a response of filtered does not indicate that a firewall or IPS was detected. When nmap returns a "closed" result, it means that there is no application listening at that moment.

Darcy is the security administrator for a hospital that operates in the United States and is subject to the Health Insurance Portability and Accountability Act (HIPAA). She is designing a vulnerability scanning program for the hospital's data center that stores and processes electronic protected health information (ePHI). What is the minimum scanning frequency for this environment, assuming that the scan shows no critical vulnerabilities?
A. Every 30 days
B. Every 90 days
C. Every 180 days
D. No scanning is required.
- correct answer D. Although vulnerability scanning is an important security control, HIPAA does not offer specific requirements for scanning frequency. However, Darcy would be well advised to implement vulnerability scanning as a best practice, and daily or weekly scans are advisable.

During her review of incident logs, Laura discovers the initial entry via SSH on a front-facing bastion host (A) at 8:02 a.m. If the network that Laura is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?
[Diagram: Internet connects to the firewall in both directions; host A (SSH bastion host) connects to the firewall in both directions; the stateful firewall ruleset permits traffic from host A (SSH bastion host) to host B (internal management system).]
A. Internal host B was previously compromised.
B. Host A was compromised; then host B was compromised.
C. Host B and host A are not both synchronized to NTP properly.
D. An internal threat compromised host B and then host A.
- correct answer C. The likeliest issue is a problem with the NTP synchronization for both of the hosts, because of an improperly set time zone or another time issue. The ruleset only allows traffic initiated by host A, making it impossible for host B to be the source of a compromise of A. The other answers are possible, but the most likely issue is an NTP problem.

Matt recently ran a vulnerability scan of his organization's network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list?
[Table: rows for server A, server B, server C, and server D; pie chart of vulnerabilities by severity: medium, low, and info.]
A. Server A
B. Server B
C. Server C
D. Server D
- correct answer D. The most serious vulnerabilities shown in this report are medium-severity vulnerabilities. Server D has the highest number (8) of vulnerabilities at that severity level.

Frank has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Frank has chosen to use the NIST 800-30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application?
[Flow diagram: Step 1, prepare for assessment; Step 2, conduct assessment; Step 3, communicate results (bidirectional with Step 2); Step 4, maintain assessment.]
A. Low
B. Medium
C. High
D. Cannot be determined from the information given
- correct answer C. When an event of the type that is being analyzed has occurred within the recent past (often defined as a year), assessments that review that event will normally classify the likelihood of occurrence as high, since it has already occurred.

Hank's boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?
A. Hank should inform the CEO that this would have a negative impact on system performance and is not recommended.
B. Hank should immediately implement the CEO's suggestion.
C. Hank should consider the request and work with networking and engineering teams on possible implementation.
D. Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.
- correct answer C. The CEO's suggestion is a reasonable approach to vulnerability scanning that is used in some organizations, often under the term continuous scanning. He should consider the request and the impact on systems and networks to determine a reasonable course of action.

Selah's organization suffers an outage of its point-to-point encrypted VPN because of a system compromise at its ISP. What type of issue is this?
A. Confidentiality
B. Availability
C. Integrity
D. Accountability
- correct answer B. This is an example of an availability issue. If data had been modified, it would have been an integrity issue, while exposure of data would have been a confidentiality issue. Accountability from the outsourced vendor isn't discussed in the question.

Garrett is working with a database administrator to correct security issues on several servers managed by the database team. He would like to extract a report for the DBA that will provide useful information to assist in the remediation effort. Of the report templates shown here, which would be most useful to the DBA team?
[Window: table with columns for title, type, and vulnerability data (host based, scan based).]
A. Qualys Top 20 Report
B. Payment Card Industry (PCI) Technical Report
C. Executive Report
D. Technical Report
- correct answer D. The Technical Report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and would cover an entire network, rather than providing detailed information on a single system.

Bob's SolarWinds network monitoring tools provide data about a system hosted in Amazon's AWS environment. When Bob checks his server's average response time, he sees the results shown here.
[Graph: AMI (AWS), time from 6:00 PM to 12:00 PM on the x-axis; response time in milliseconds (0 ms to 1500 ms) and percent packet loss (0% to 100%) on the y-axes; plots for average response time (AWS), 95th percentile, and others.]
What action should Bob take based on this information?
A. He should increase the speed of his network link.
B. He should check for scheduled tasks at the times he sees spikes.
C. He should ensure that his network card has the proper latency settings.
D. He should perform additional diagnostics to determine the cause of the latency.
- correct answer D. Bob needs to perform additional diagnostics to determine the cause of the latency. Unfortunately for Bob, this chart does not provide enough information to determine why the maximum response time rises to high levels on a periodic basis. Since the events are not regularly timed, it is relatively unlikely that a scheduled task is causing the issue. Network cards do not have latency settings; latency is caused by network traffic, system response times, and similar factors. Increasing the speed of a network link may help with latency, but you do not have enough information to make that determination.

Institution
CySA
Course
CySA