Cysa+ Prep UPDATED ACTUAL Questions and CORRECT Answers
Which of the following is the software development
process by which function, usability, and scenarios are
tested against a known set of base requirements?
A. Security regression testing C. User acceptance testing
B. Code review
C. User acceptance testing
D. Stress testing
A security analyst is revising a company's MFA policy to
prohibit the use of short message service (SMS) tokens.
The Chief Information Oflcer has questioned this decision
and asked for justification. Which of the following should
the analyst provide as justification for the new policy? D. SMS is a cleartext protocol and does not support en-
A. SMS relies on untrusted, third-party carrier networks. cryption.
B. SMS tokens are limited to eight numerical characters.
C. SMS is not supported on all handheld devices in use.
D. SMS is a cleartext protocol and does not support en-
cryption.
During an incident response procedure, a security analyst
collects a hard drive to analyze a possible vector of com-
promise. There is a Linux swap partition on the hard drive
that needs to be checked. Which of the following should
the analyst use to extract human-readable content from
A. strings
the partition?
A. strings
B. head
C. fsstat
D. dd
A consultant is evaluating multiple threat intelligence
feeds to assess potential risks for a client. Which of the
following is the BEST approach for the consultant to con-
,sider when modeling the client's attack surface?
A. Ask for external scans from industry peers, look at the
open ports, and compare information with the client.
B. Discuss potential tools the client can purchase to reduce
C. Look at attacks against similar industry peers and assess
the likelihood of an attack.
the probability of the same attacks happening.
C. Look at attacks against similar industry peers and assess
the probability of the same attacks happening.
D. Meet with the senior management team to determine
if funding is available for recommended solutions.
A development team has asked users to conduct testing
to ensure an application meets the needs of the busi-
ness. Which of the following types of testing does this
describe?
A. Acceptance testing
A. Acceptance testing
B. Stress testing
C. Regression testing
D. Penetration testing
An analyst receives artifacts from a recent intrusion and
is able to pull a domain, IP address, email address, and
software version. Which of the following points of the Di-
amond Model of Intrusion Analysis does this intelligence
represent? A. Infrastructure
A. Infrastructure
B. Capabilities
C. Adversary
D. Victims
While conducting a network infrastructure review, a se-
curity analyst discovers a laptop that is plugged into
a core switch and hidden behind a desk. The analyst
sees the following on the laptop's screen:[*] [NBT-NS]
Poisoned answer sent to 192.169.23.115 for name
,FILE-SHARE-A (service: File Server)[*] [LLMNR] Poisoned
answer sent to 192.168.23.115 for name FILE-SHARE-A[*]
[LLMNR] Poisoned answer sent to 192.168.23.115
for name FILE-SHARE-A[SMBv2] NTLMv2-SSP Client
: 192.168.23.115[SMBv2] NTLMv2-SSP Username
: CORP\jsmith[SMBv2] NTLMv2-SSP Hash :
F5DBF769CFEA7...[*] [NBT-NS] Poisoned answer sent to
192.169.23.24 for name FILE-SHARE-A (service: File Serv-
er)[*] [LLMNR] Poisoned answer sent to 192.168.23.24
for name FILE-SHARE-A[*] [LLMNR] Poisoned answer
sent to 192.168.23.24 for name FILE-SHARE-A[SMBv2]
B. Disconnect the laptop and ask the users jsmith and
NTLMv2-SSP Client : 192.168.23.24[SMBv2] NTLMv2-SSP
progers to log out.
Username : CORP\progers[SMBv2] NTLMv2-SSP Hash :
6D093BE2FDD70A...Which of the following is the BEST
action for the security analyst to take?
A. Force all users in the domain to change their passwords
at the next login.
B. Disconnect the laptop and ask the users jsmith and
progers to log out.
C. Take the FILE-SHARE-A server offline and scan it for
viruses.
D. Initiate a scan of devices on the network to find pass-
word-cracking tools.
A Chief Executive Oflcer (CEO) is concerned the company
will be exposed to data sovereignty issues as a result
of some new privacy regulations. To help mitigate this
risk, the Chief Information Security Oflcer (CISO) wants
D. Geographic access requirements
to implement an appropriate technical control. Which of
the following would meet the requirement?
A. Data masking procedures
B. Enhanced encryption functions
, C. Regular business impact analysis functions
D. Geographic access requirements
Which of the following is a difference between SOAR and
SCAP?
A. SOAR can be executed faster and with fewer false pos-
itives than SCAP because of advanced heuristics.
B. SOAR has a wider breadth of capability using orchestra- B. SOAR has a wider breadth of capability using orchestra-
tion and automation, while SCAP is more limited in scope. tion and automation, while SCAP is more limited in scope.
C. SOAR is less expensive because process and vulnerabil-
ity remediation is more automated than what SCAP does.
D. SOAR eliminates the need for people to perform reme-
diation, while SCAP relies heavily on security analysts.
An organization is upgrading its network and all of its
workstations. The project will occur in phases, with infra-
structure upgrades each month and workstation installs
every other week. The schedule should accommodate the
enterprise-wide changes, while minimizing the impact to
the network. Which of the following schedules BEST ad-
dresses these requirements?
B. Monthly topology scans, biweekly host discovery scans,
A. Monthly vulnerability scans, biweekly topology scans,
monthly vulnerability scans
daily host discovery scans
B. Monthly topology scans, biweekly host discovery scans,
monthly vulnerability scans
C. Monthly host discovery scans, biweekly vulnerability
scans, monthly topology scans
D. Monthly topology scans, biweekly host discovery scans,
weekly vulnerability scans
While reviewing incident reports from the previous night,
a security analyst notices the corporate websites were
defaced with political propaganda. Which of the following
BEST describes this type of actor?
Which of the following is the software development
process by which function, usability, and scenarios are
tested against a known set of base requirements?
A. Security regression testing C. User acceptance testing
B. Code review
C. User acceptance testing
D. Stress testing
A security analyst is revising a company's MFA policy to
prohibit the use of short message service (SMS) tokens.
The Chief Information Oflcer has questioned this decision
and asked for justification. Which of the following should
the analyst provide as justification for the new policy? D. SMS is a cleartext protocol and does not support en-
A. SMS relies on untrusted, third-party carrier networks. cryption.
B. SMS tokens are limited to eight numerical characters.
C. SMS is not supported on all handheld devices in use.
D. SMS is a cleartext protocol and does not support en-
cryption.
During an incident response procedure, a security analyst
collects a hard drive to analyze a possible vector of com-
promise. There is a Linux swap partition on the hard drive
that needs to be checked. Which of the following should
the analyst use to extract human-readable content from
A. strings
the partition?
A. strings
B. head
C. fsstat
D. dd
A consultant is evaluating multiple threat intelligence
feeds to assess potential risks for a client. Which of the
following is the BEST approach for the consultant to con-
,sider when modeling the client's attack surface?
A. Ask for external scans from industry peers, look at the
open ports, and compare information with the client.
B. Discuss potential tools the client can purchase to reduce
C. Look at attacks against similar industry peers and assess
the likelihood of an attack.
the probability of the same attacks happening.
C. Look at attacks against similar industry peers and assess
the probability of the same attacks happening.
D. Meet with the senior management team to determine
if funding is available for recommended solutions.
A development team has asked users to conduct testing
to ensure an application meets the needs of the busi-
ness. Which of the following types of testing does this
describe?
A. Acceptance testing
A. Acceptance testing
B. Stress testing
C. Regression testing
D. Penetration testing
An analyst receives artifacts from a recent intrusion and
is able to pull a domain, IP address, email address, and
software version. Which of the following points of the Di-
amond Model of Intrusion Analysis does this intelligence
represent? A. Infrastructure
A. Infrastructure
B. Capabilities
C. Adversary
D. Victims
While conducting a network infrastructure review, a se-
curity analyst discovers a laptop that is plugged into
a core switch and hidden behind a desk. The analyst
sees the following on the laptop's screen:[*] [NBT-NS]
Poisoned answer sent to 192.169.23.115 for name
,FILE-SHARE-A (service: File Server)[*] [LLMNR] Poisoned
answer sent to 192.168.23.115 for name FILE-SHARE-A[*]
[LLMNR] Poisoned answer sent to 192.168.23.115
for name FILE-SHARE-A[SMBv2] NTLMv2-SSP Client
: 192.168.23.115[SMBv2] NTLMv2-SSP Username
: CORP\jsmith[SMBv2] NTLMv2-SSP Hash :
F5DBF769CFEA7...[*] [NBT-NS] Poisoned answer sent to
192.169.23.24 for name FILE-SHARE-A (service: File Serv-
er)[*] [LLMNR] Poisoned answer sent to 192.168.23.24
for name FILE-SHARE-A[*] [LLMNR] Poisoned answer
sent to 192.168.23.24 for name FILE-SHARE-A[SMBv2]
B. Disconnect the laptop and ask the users jsmith and
NTLMv2-SSP Client : 192.168.23.24[SMBv2] NTLMv2-SSP
progers to log out.
Username : CORP\progers[SMBv2] NTLMv2-SSP Hash :
6D093BE2FDD70A...Which of the following is the BEST
action for the security analyst to take?
A. Force all users in the domain to change their passwords
at the next login.
B. Disconnect the laptop and ask the users jsmith and
progers to log out.
C. Take the FILE-SHARE-A server offline and scan it for
viruses.
D. Initiate a scan of devices on the network to find pass-
word-cracking tools.
A Chief Executive Oflcer (CEO) is concerned the company
will be exposed to data sovereignty issues as a result
of some new privacy regulations. To help mitigate this
risk, the Chief Information Security Oflcer (CISO) wants
D. Geographic access requirements
to implement an appropriate technical control. Which of
the following would meet the requirement?
A. Data masking procedures
B. Enhanced encryption functions
, C. Regular business impact analysis functions
D. Geographic access requirements
Which of the following is a difference between SOAR and
SCAP?
A. SOAR can be executed faster and with fewer false pos-
itives than SCAP because of advanced heuristics.
B. SOAR has a wider breadth of capability using orchestra- B. SOAR has a wider breadth of capability using orchestra-
tion and automation, while SCAP is more limited in scope. tion and automation, while SCAP is more limited in scope.
C. SOAR is less expensive because process and vulnerabil-
ity remediation is more automated than what SCAP does.
D. SOAR eliminates the need for people to perform reme-
diation, while SCAP relies heavily on security analysts.
An organization is upgrading its network and all of its
workstations. The project will occur in phases, with infra-
structure upgrades each month and workstation installs
every other week. The schedule should accommodate the
enterprise-wide changes, while minimizing the impact to
the network. Which of the following schedules BEST ad-
dresses these requirements?
B. Monthly topology scans, biweekly host discovery scans,
A. Monthly vulnerability scans, biweekly topology scans,
monthly vulnerability scans
daily host discovery scans
B. Monthly topology scans, biweekly host discovery scans,
monthly vulnerability scans
C. Monthly host discovery scans, biweekly vulnerability
scans, monthly topology scans
D. Monthly topology scans, biweekly host discovery scans,
weekly vulnerability scans
While reviewing incident reports from the previous night,
a security analyst notices the corporate websites were
defaced with political propaganda. Which of the following
BEST describes this type of actor?
