
Test Bank CompTIA CySA+ Guide to Cybersecurity Analyst (CS0-002) 2nd Edition by Mark Ciampa. Isbn. 9780357678091. 9780357678107. Full Chapters

Pages: 125
Grade: A+
Uploaded on: 27-04-2024
Written in: 2023/2024

Test Bank for CompTIA CySA+ Guide to Cybersecurity Analyst (CS0-002) 2nd Edition by Mark Ciampa. ISBN 9780357678091, 9780357678107.

Part 1: EXTERNAL THREATS & INTERNAL VULNERABILITIES
1. Enterprise threats and vulnerabilities
2. Utilizing threat data and intelligence sources
3. Vulnerability management
4. Cloud computing and assessment tools

Part 2: CONTROLS
5. Infrastructure controls
6. Software and hardware assurance best practices

Part 3: MONITORING
7. Data analysis (3.1)
8. Advanced monitoring

Part 4: INCIDENT RESPONSE
9. Cyber Incident Planning and Procedures
10. Reacting to a Cyber Incident: Indicators and Forensics

Part 5: COMPLIANCE AND ASSESSMENT
11. Organizational risk management
12. Data privacy and protection

Institution: Computer Information Systems
Course: Computer information systems











Document information

Type: Exam
Contains: Questions and answers

Content preview
TEST BANK CompTIA CySA+ Guide to Cybersecurity Analyst (CS0-002) 2E

Module 1 - Enterprise Threats and Vulnerabilities

1. Nik, a cybersecurity analyst, has been asked to examine an employee's iPhone that is exhibiting strange
behavior. After looking through the phone, he finds that the user apparently has been able to upload third-party
apps that are not in the App Store. Which of the following has most likely occurred with this phone?

a. Rooting
b. Jailbreaking
c. Clapping
d. Raking
ANSWER: b
FEEDBACK: a. Incorrect. Rooting is a term associated with modifying the operating system or
firmware of an Android device, not an iPhone.
b. Correct. Jailbreaking is the term for modifying an iPhone so it can load third-
party apps that are not in the App Store.
c. Incorrect. Clapping is a made-up term for the purposes of this scenario.
d. Incorrect. Raking is a made-up term for the purposes of this scenario.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: CIAM.CYSA.22.1.1 - Identify different types of common attacks
ACCREDITING STANDARDS: CIAM.CYSA.22.1.5 - Explain the threats and vulnerabilities associated with specialized
technology.
TOPICS: Threats and Vulnerabilities of Specialized Technology
KEYWORDS: Bloom's: Apply




2. Gabe, a penetration tester, has gained physical access to a company's facilities and planted devices behind
several printers that will send him copies of all documents sent to those printers. Which of the following has
Gabe executed?

a. MITM attack
b. Replay attack
c. XSS
d. XSRF
ANSWER: a
FEEDBACK: a. Correct. A man-in-the-middle attack actively intercepts or eavesdrops on
communications. By planting a device behind printers, Gabe can capture the
data going to the printer and send it outside of the network for later analysis.
b. Incorrect. A replay attack resends captured data to a system in order to
perform some other action. In this scenario, Gabe is only capturing the data
and sending it outside of the network for analysis.
c. Incorrect. Cross-site scripting does not involve planting devices in an
organization.
d. Incorrect. Cross-site request forgery does not involve planting devices in an
organization.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: CIAM.CYSA.22.1.1 - Identify different types of common attacks
ACCREDITING STANDARDS: CIAM.CYSA.22.1.7 - Given a scenario, implement controls to mitigate attacks and
software vulnerabilities.
TOPICS: Types of Attacks
KEYWORDS: Bloom's: Apply




3. Lakia has been hired as a penetration tester for a large organization. She finds that one of the branch offices is
still running WEP and quickly cracks the key to gain access to the network. As she is capturing network packets
while sitting in the company's parking lot, she sees a couple of tokens that users send to an HTTP-based website
to log in. Which of the following types of attacks might she be able to perform with this information?

a. XSS
b. Session hijacking
c. XSRF
d. Rootkit attack
ANSWER: b
FEEDBACK: a. Incorrect. Cross-site scripting does not involve capturing the session token of
a user.
b. Correct. Session hijacking is an attack in which a threat actor attempts to
impersonate a user by using his session token.
c. Incorrect. Cross-site request forgery does not involve capturing the session
token of a user.
d. Incorrect. A rootkit is a type of malware that can hide its presence or the
presence of other malware on a computer by accessing lower layers of the
operating system or even using undocumented functions to make alterations.
It does not involve capturing the session token of a user.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: CIAM.CYSA.22.1.1 - Identify different types of common attacks
ACCREDITING STANDARDS: CIAM.CYSA.22.1.7 - Given a scenario, implement controls to mitigate attacks and
software vulnerabilities.
TOPICS: Types of Attacks
KEYWORDS: Bloom's: Apply



4. Monica wants to implement more security around the login function that her company's website uses to allow
customers to interact with the organization. One of the tasks on her to-do list is to prevent brute force attacks.
Which of the following might help Monica achieve this goal?

a. Analyze the geolocation where the user is logging in.
b. Analyze the frequency of attempted logins.
c. Analyze the source IP address of the user attempting to log in and ensure that it matches the normal
IP address the user logs in from.
d. Analyze the type of device the user is attempting to log in from.
ANSWER: b
FEEDBACK: a. Incorrect. Nothing in the scenario mentions that users should only be able to
log in from certain locations. In a highly mobile world, someone can easily log
in from one location and then log in again a few hours later from thousands of
miles away.
b. Correct. By analyzing the frequency of attempted logins, Monica might be
able to detect whether a brute force attack is being performed by a password
cracking program.
c. Incorrect. Users should be able to log in from any device anywhere in the
world, as there is not a given requirement to limit the user to connecting from
certain networks.
d. Incorrect. Nothing in the scenario states that users are only able to connect
from certain types of devices.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: CIAM.CYSA.22.1.1 - Identify different types of common attacks
ACCREDITING STANDARDS: CIAM.CYSA.22.1.7 - Given a scenario, implement controls to mitigate attacks and
software vulnerabilities.
TOPICS: Types of Attacks
KEYWORDS: Bloom's: Apply


5. Frank is analyzing the logs on a server and sees a number of failed attempts using different user accounts.
Upon further analysis, he sees that the same password is used for each of the accounts where access was
attempted. Which of the following types of attacks has he just discovered on this server?

a. Credential stuffing
b. Session hijacking
c. Man-in-the-middle
d. Password spraying
ANSWER: d
FEEDBACK: a. Incorrect. Credential stuffing is when an attacker has discovered a list of
stolen passwords that have been posted online by threat actors and then
uses those passwords across a variety of platforms. Since people commonly
re-use the same password on multiple platforms, this gives attackers a high
probability of success in gaining access to a user’s account.
b. Incorrect. Session hijacking occurs when a threat actor takes over an existing
user session. This does not require logging in.
c. Incorrect. Man-in-the-middle attacks do not require logging in, but rather
intercept communications between a user and a system.
d. Correct. Password spraying attacks take one or a small number of commonly
used passwords and then use that same password when trying to log in to
several user accounts.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False
LEARNING OBJECTIVES: CIAM.CYSA.22.1.1 - Identify different types of common attacks
ACCREDITING STANDARDS: CIAM.CYSA.22.1.7 - Given a scenario, implement controls to mitigate attacks and
software vulnerabilities.
TOPICS: Types of Attacks
KEYWORDS: Bloom's: Remember/Understand


6. Myleene is analyzing the log files of a publicly available web application that she is responsible for. She sees
a number of failed login attempts that have an apostrophe as part of the email address. Which of the following
types of attack attempts has she most likely discovered?

a. Buffer overflow attack
b. XML injection
c. SQL injection
d. Integer overflow attack
ANSWER: c
FEEDBACK: a. Incorrect. In a buffer overflow attack, a process attempts to store data in
memory addresses that are beyond the boundaries of a fixed-length storage
buffer.
b. Incorrect. Many applications use XML or JSON to structure the data being
passed back and forth between various microservices or APIs. By
manipulating the XML it is possible to modify the data in the backend
database if no input validation or sanitization is performed.
c. Correct. In an SQL injection attack, attackers commonly will use the login
portal for web applications with apostrophes included in the username (or
email) boxes and/or in the password fields. If the input is not being
sanitized, this could modify the SQL statement that is being passed to the
relational database.
d. Incorrect. In an integer overflow attack, the attacker attempts to write a
number that is larger than the number allowed for a given field of input in an
application.
POINTS: 1
QUESTION TYPE: Multiple Choice
HAS VARIABLES: False