An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?
CAN Bus
A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server. Which of the following is the FIRST step the analyst should take?
Start packet capturing to look for traffic that could be indicative of command and control from the miner.
A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would MOST likely have this information?
HKEY_USERS\<user SID>\Software\Microsoft\Windows\explorer\MountPoints2
Which of the following MOST accurately describes an HSM?
An HSM can be networked based or a removable USB
A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software, as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do?
Shut down the computer
Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?
Self-encrypting drive
A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
Data loss prevention or Data masking
A security analyst receives an alert that highly sensitive information has left the company's network. Upon investigation, the analyst discovers an outside IP range has had connections from three servers more than 100 times in the past month. The affected servers are virtual machines. Which of the following is the BEST course of action?
Shut down the servers as soon as possible, move them to a clean environment, restart, run a vulnerability scanner to find weaknesses, determine the root cause, remediate, and report
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output.
1301 ? Ss 0:00 ./usr/sbin/sshd -D
Which of the following commands should the administrator run NEXT to further analyze the compromised system?
A. strace /proc/1301
A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment. Which of the following is the BEST solution?
Virtualize the system and decommission the physical machine.
Which of the following attacks can be prevented by using output encoding?
Cross-site scripting
A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS. Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?
Run an anti-malware scan on the system to detect and eradicate the current threat
An information security analyst is compiling data from a recent penetration test and reviews the following output:
443/tcp open https?
The analyst wants to obtain more information about the web-based services that are running on the target.
telnet 10.79.95.173 443