Exam

CompTIA Cybersecurity CySA+ (CS0-001): Practice Test 1 of 2 - Results

Score
-
Sold
-
Pages
41
Grade
A+
Uploaded on
21-04-2023
Written in
2022/2023

CompTIA Cybersecurity CySA+ (CS0-001): Practice Test 1 of 2 - Results (This test consists of frequently tested questions and answers)

1. Which of the following statements best describes an audit file?
A. It updates lists of scanned hosts, to avoid unnecessarily rescanning these hosts.
B. It produces a list of vulnerabilities found on scanned hosts.
C. It produces a list of the hosts that are scanned.
D. It gives instructions used to assess the configuration of endpoints and network devices against a compliance policy.
Answer: D. It gives instructions used to assess the configuration of endpoints and network devices against a compliance policy.
Explanation
Correct Answer: An audit file in Nessus gives the scan instructions used to assess the configuration of endpoints and network devices against a compliance policy.
Incorrect Answers: An audit file is used prior to the scan and does not produce any lists or results after a scan.

2. Which of the following are two types of requirements in the SDLC model?
A. Nonfunctional and performance requirements
B. Functional and nonfunctional requirements
C. Functional and performance requirements
D. Functional and security requirements
Answer: B. Functional and nonfunctional requirements
Explanation
Correct Answer: Functional requirements describe what the software must do, and nonfunctional requirements describe how the software must do these things, or what the software must be like.
Incorrect Answers: A. Performance requirements are nonfunctional requirements. Performance requirements dictate how well the software must function, which is a nonfunctional requirement. D. A security requirement defines the behaviors and characteristics a system must possess in order to achieve and maintain an acceptable level of security by itself, and in its interactions with other systems. Security requirements are also nonfunctional requirements.

3. Which of the following is an effective way that attackers can use an organization's bandwidth to hide data exfiltration?
A. By exfiltrating data during periods of low use.
B. By hiding data exfiltration during periods of peak use.
C. By attaching sensitive data to otherwise innocuous data while exfiltrating it.
D. By downloading information quickly before getting caught.
Answer: B. By hiding data exfiltration during periods of peak use.
Explanation
Correct Answer: Patient attackers can hide data exfiltration during periods of peak use by using a low-and-slow approach that can make them exceptionally difficult to detect if administrators are just looking at network traffic. Most attackers, however, will attempt to download sensitive information quickly and thus generate distinctive signals.
Incorrect Answers: Each of these other methods will typically trigger alarms and alert administrators to data leaving the network.

4. All of the following are common vulnerabilities that plague most systems within an organization, EXCEPT:
A. Weak passwords
B. Misconfigured firewall rules
C. Missing patches or updates
D. Need for compensating controls
Answer: D. Need for compensating controls
Explanation
Correct Answer: The need for compensating controls is not a vulnerability; it is actually a mitigation for vulnerabilities that are not adequately addressed. A compensating control is added to compensate for a weakness in an existing control, to make the control stronger.
Incorrect Answers: All of these other choices are common vulnerabilities found in most organizations and affect a variety of systems.

5. During a penetration test exercise, which type of team is responsible for defending the network against the penetration testers and simulated attacks?
A. Red team
B. Green team
C. Blue team
D. White team
Answer: C. Blue team
Explanation
Correct Answer: The blue team is the focus of the exercise, as they are defending the network being tested. Their response capabilities and procedures reflect how effective the penetration testing team, also known as the red team, is in its attacks.
Incorrect Answers: The red team is the penetration testing team, the blue team the defenders, the white team is composed of the exercise planners and coordinators, and green team is not a valid answer.

6. A large number of ARP queries might indicate which of the following types of attack?
A. TCP SYN flood
B. Cross-site scripting (XSS) attack
C. Ping sweep
D. Man-in-the-middle (MITM) attack
Answer: C. Ping sweep
Explanation
Correct Answer: A large number of ARP queries could indicate that the organization's systems are being scanned, such as during a ping sweep, so the hosts' MAC addresses can be resolved to IP addresses. This is merely a reconnaissance activity designed to map out the network.
Incorrect Answers: These other choices are active attacks not related to reconnaissance. D. A man-in-the-middle (MITM) attack involves an attacker inserting himself into an active conversation. B. A cross-site scripting (XSS) attack is a web-based attack and does not involve generating ARP traffic. A. A TCP SYN flood involves sending a large number of TCP segments with the synchronize (SYN) flag set but never completing the three-way TCP handshake. This causes a denial of service (DoS) condition for some hosts.

7. A routine vulnerability scan conducted weekly on different network segments is most likely to be performed by which of the following?
A. Blue team
B. Red team
C. White team
D. Green team
Answer: A. Blue team
Explanation
Correct Answer: A blue team consists of network defenders and security administrators, who would be responsible for routine security tasks such as patching and vulnerability scanning.
Incorrect Answers: A red team is a penetration testing team, and a white team is responsible for planning and coordinating the penetration test. D. Finally, green team is an invalid answer.

8. Which of the following best describes a situation in which a mitigation would be most likely to be selected to protect an asset from risk?
A. An asset that has a value of $10,000, which might incur $9,000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $11,000
B. An asset that has a value of $10,000, which might incur $5,000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $1,000
C. An asset that has a value of $10,000, which might incur $5,000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $10,000
D. An asset that has a value of $10,000, which might incur $500 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $1,000
Answer: B. An asset that has a value of $10,000, which might incur $5,000 worth of damage in a given risk scenario, but can be protected by a mitigation that costs $1,000

9. All of the following are metrics associated with the Common Vulnerability Scoring System (CVSS), EXCEPT:
A. Security level
B. Temporal
C. Base
D. Groups
Answer: A. Security level
Explanation
Correct Answer: Metrics associated with the Common Vulnerability Scoring System (CVSS) are groups, base, temporal, and environmental. Security level is not a metric in CVSS.
Incorrect Answers: These other choices are all metrics associated with the Common Vulnerability Scoring System.

10. Which authority reviews and certifies trusted foundry organizations?
A. National Security Agency
B. Department of Commerce
C. National Institute for Standards and Technology
D. Central Intelligence Agency
Answer: A. National Security Agency
Explanation
Correct Answer: The National Security Agency (NSA) is the centralized authority for computer and communications security that certifies trusted foundry organizations.
Incorrect Answers: None of these other agencies is charged with certifying trusted foundry manufacturers.

11. Your organization has recently purchased several routers from a distributor with whom you have never done business. At various times, each of the devices has behaved strangely, sending traffic to unknown hosts on the Internet, or not functioning as they have been configured. You suspect that they are counterfeit devices, and possibly compromised. What should you do in the future to ensure that this issue does not occur again?
A. Source authenticity
B. Device certification
C. Firmware hashing
D. Hardware reverse engineering
Answer: A. Source authenticity
Explanation
Correct Answer: Source authenticity means that you are verifying the distribution source, as well as the manufacturer of the product you are buying. This ensures that you are buying products that are not counterfeit, or compromised in any way.
Incorrect Answers: C. Firmware hashing allows you to verify firmware upgrades for an existing device. D. Reverse engineering hardware is something that is done after the fact to determine how an attacker has compromised the device, from its manufacture through the final purchase and delivery. B. Device certification is a process from the manufacturer or an independent organization in which the product is verified as performing certain functions, or as performing to a certain performance or security standard. This alone will not solve the problem of counterfeit or compromised devices, because they can be modified after they leave the manufacturer anywhere in the supply chain.

12. You have just performed a vulnerability scan on a system and are reviewing the scan results. You want to immediately eliminate vulnerabilities that might not actually be present on the system. Which of the following should you review first to ensure that you eliminate those types of vulnerabilities?
A. False exceptions
B. False negatives
C. False plug-ins
D. False positives
Answer: D. False positives
Explanation
Correct Answer: False positives are those types of vulnerabilities that may be reported by the scanner but actually either don't exist or are not vulnerabilities. An example might be a Windows patch that is not present on a Linux box, but is reported as a vulnerability on the box.
Incorrect Answers: False negatives are actual vulnerabilities that were not discovered during a scan. False plug-ins and false exceptions are terms that do not exist.

13. Which one of the following report formats from Nessus is the most useful when importing data into analysis databases or specialized applications?
A. Binary
B. CSV
C. PDF
D. HTML
Answer: B. CSV
Explanation
Correct Answer: Comma Separated Value (CSV) format is a universally accepted text-based format that can be exported from and imported into most applications.
Incorrect Answers: C. Not all applications accept PDF inputs, and then only as attached artifacts. Most applications cannot take data directly from PDF. D. Although HTML is sometimes used to generate reports for visual review, it is not a data format per se; it simply formats existing data for display. A. Not all applications can take direct binary data. Some SIEMs, for example, can only accept text-based data. Additionally, Nessus does not export its findings as binary data.

14. Which of the following terms refers to a hardware vendor that can be counted on to produce trusted hardware?
A. Trusted foundry
B. Trusted producer
C. Trusted vendor
D. Trusted developer
Answer: A. Trusted foundry
Explanation
Correct Answer: A hardware manufacturer that produces trusted hardware that isn't considered counterfeit or has not been tampered with is referred to as a trusted foundry.
Incorrect Answers: None of these other terms refers to a trusted hardware manufacturer. D. A trusted developer produces software, not hardware. C. A trusted vendor may sell various types of hardware or software, but does not manufacture them. B. Trusted producer is not a valid term.

15. You are securing a sensitive network. You want to set up a solution on the network that doesn't allow malicious traffic to return to a potential attacker. In addition to rule sets on intrusion detection systems, which of the following solutions would prevent ICMP responses from returning to a potential attacker's host machine?
A. Honeypot
B. DMZ
C. Black hole
D. Honeynet
Answer: C. Black hole
Explanation
Correct Answer: A black hole is a device that is configured to receive any and all packets with a specific protocol and source or destination address, and not respond to them at all. Usually network protocols will indicate that there is a failure, but with black holes there's no response at all because the packets are silently logged and dropped.
Incorrect Answers: A. A honeypot attracts malicious intruders away from sensitive hosts. D. A honeynet is a network composed of several honeypots. B. A DMZ is a separated network zone that provides a layer of protection between two or more networks.

16. You suspect that you have a malware infection on a limited number of hosts on the network. You want to test the suspected malware but keep it isolated from other hosts in the network. Which of the following is the best technique in which to test suspected malware?
A. Test the malware on a sandbox, such as an isolated system or virtual machine, so you can monitor the malware's effects safely without it propagating.
B. Test the malware in a preproduction environment to see how it interacts with your test network.
C. Test the malware by installing it on noncritical hosts to monitor the effects.
D. Test the malware by installing it on critical hosts, and be prepared to restore from a backup if it affects them.
Answer: A. Test the malware on a sandbox, such as an isolated system or virtual machine, so you can monitor the malware's effects safely without it propagating.
Explanation
Correct Answer: You should always test malware on an isolated system, which can be an isolated host or a virtual machine that in no way connects to other hosts or the network.
Incorrect Answers: B. You do not want to test the malware on your preproduction environment, as it would be possible for the malware to eventually make it to the production network the next time you move upgraded or tested software or patches to the production network. C. You also do not want to test the malware by installing it on noncritical hosts, because the malware could propagate to critical ones. D. Finally, you do not want to test the malware on any critical hosts because of the downtime involved when you restore from a backup.

17. Which of the following tools natively generates evidence in the E01 file format?
A. The Sleuth Kit
B. dd
C. EnCase
D. FTK Imager
Answer: C. EnCase
Explanation
Correct Answer: EnCase natively generates evidence in the E01 file format.
Incorrect Answers: Although in some cases these utilities can read the E01 file format, none of the other choices generates evidence in that format. A, B, D. Both dd and The Sleuth Kit generate evidence in a raw format, and FTK Imager has its own proprietary format.

18. Which of the following types of tests is one in which the participants are defending real or simulated information systems against real (though friendly) attackers?
A. Blue team
B. Live-fire exercise (LFX)
C. Red team
D. Tabletop exercise (TTX)
Answer: B. Live-fire exercise (LFX)
Explanation
Correct Answer: A live-fire exercise (LFX) is one in which the participants are defending real or simulated information systems against real (though friendly) attackers.
Incorrect Answers: D. A tabletop exercise is merely a procedural and documentation review. C. A red team is a penetration testing team. A. A blue team is a computer network defense team.

19. Your software development team has developed an application that is currently being examined for security issues. During testing activities, the security team finds that potential users would be able to circumvent security controls and access more data than they should from the application. The security team believes that the cause for this is faulty data that the user can enter into the system. Which of the following does the development team need to focus its attention on to resolve this issue?
A. Input validation
B. Encryption
C. Parameter validation
D. Authentication
Answer: A. Input validation
Explanation
Correct Answer: Input validation involves checking the user's potential input to ensure that it meets the requirements of the data fields. This means that input should be checked against character type and length, and restricted to only the type of data being requested.
Incorrect Answers: C. Parameter validation involves validating data that does not come from the user, but from the system. D. Authentication would not prevent faulty data from being entered into the system. Authentication only controls who is able to access an application and its data. B. Encryption would not prevent faulty data from being entered into the system either. Encryption only ensures that the transmission of data is secured.

20. The Windows registry location HKLM\Software\Microsoft\Windows\CurrentVersion\Run is an example of what type of item that is of interest to forensics investigators?
A. Autorun locations
B. Most recently used (MRU) lists
C. Protected storage
D. Previously logged-in users
Answer: A. Autorun locations
Explanation
Correct Answer: HKLM\Software\Microsoft\Windows\CurrentVersion\Run is an example of a registry entry that shows an autorun location. It lists programs that are designed to start up immediately and automatically when Windows starts. Malware often starts from this location.
Incorrect Answers: The other registry locations do not list any of these items.

21. You are tasked with performing an external penetration test against an organization. In preparation for the test, you gather information about the organization, its infrastructure, its people, and so forth. What additional key piece of planning do you need to ensure you have in place before the test begins?
A. DNS names
B. Formal written authorization
C. Network diagram
D. IP address space
Answer: B. Formal written authorization
Explanation
Correct Answer: Above all else, you must have formal written authorization from the organization in order to perform a penetration test on it. This written authorization protects you from legal liability and ensures that details such as the schedule, scope, and limitations are spelled out clearly for both the organization and the test team.
Incorrect Answers: Depending on the type of test, you may or may not receive technical details regarding the target organization, such as IP address space, DNS information, and infrastructure diagrams. They are not necessarily critical to the test, but the authorization is.

22. Which of the following analysis techniques involves examining past data to predict future patterns?
A. Trend analysis
B. Historical analysis
C. Statistical analysis
D. Regression analysis
Answer: A. Trend analysis
Explanation
Correct Answer: Trend analysis involves looking at past data to predict future trends or patterns.
Incorrect Answers: B. Historical analysis involves looking at previous data and making adjustments to current baselines based on past performance. C, D. Regression and statistical analyses are simply other analysis techniques.

23. Which of the following are advantages to using cloud computing to enhance endpoint protection? (Choose two.)
A. Corrupted data can be backed up to the cloud in the event of a malware infection.
B. Rapid file reputation determination and behavioral analysis.
C. Increased likelihood of malware transmitted to hosts from data stored in the cloud.
D. Automatic sharing of threat data across the infrastructure to minimize security risks.
Answers: D. Automatic sharing of threat data across the infrastructure to minimize security risks. B. Rapid file reputation determination and behavioral analysis.
Explanation
Correct Answers: Cloud computing provides rapid file reputation determination and behavioral analysis, as well as threat data sharing across the entire infrastructure quickly, in order to prevent security incidents and lower risk.
Incorrect Answers: A. Corrupted data should not be backed up to the cloud, as you risk maintaining corrupted data that will later be reintroduced back into the system. C. Additionally, an increased likelihood of malware being transmitted to hosts from cloud sto

Institution
CompTIA Cybersecurity CySA+
Degree
CompTIA Cybersecurity CySA+