
Comptia Cysa+ Questions


Community-sourced. Answers may be wrong or out of date. Always verify with your official training portal before submitting. Not affiliated with any branch, agency, or vendor.
QUESTION 1

A cybersecurity analyst receives a phone call from an unknown person whose number is blocked on the caller ID. After starting the conversation, the caller begins to request sensitive information. Which of the following techniques is being applied? A. Social engineering B. Phishing C. Impersonation D. War dialing

ANSWER

A

QUESTION 2

Which of the following is the main benefit of sharing incident details with partner organizations or external trusted parties during the incident response process? A. It facilitates releasing incident results, findings, and resolution to the media and all appropriate government agencies. B. It shortens the incident life cycle by allowing others to document incident details and prepare reports. C. It enhances the response process, as others may be able to recognize the observed behavior and provide valuable insight. D. It allows the security analyst to defer incident-handling activities until all parties agree on how to proceed with analysis.

ANSWER

C

QUESTION 3

The security analyst determined that an email containing a malicious attachment was sent to several employees within the company, and it was not stopped by any of the email filtering devices. An incident was declared. During the investigation, it was determined that most users deleted the email, but one specific user executed the attachment. Based on the details gathered, which of the following actions should the security analyst perform NEXT? A. Obtain a copy of the email with the malicious attachment. Execute the file on another user's machine and observe the behavior. Document all findings. B. Acquire a full backup of the affected machine. Reimage the machine and then restore from the full backup. C. Take the affected machine off the network. Review local event logs looking for activity and processes related to unknown or unauthorized software. D. Take possession of the machine. Apply the latest OS updates and firmware. Discuss the problem with the user and return the machine.

ANSWER

C

QUESTION 4

Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation? A. strings B. sha1sum C. file D. dd E. gzip

ANSWER

B

QUESTION 5

Given the following logs:

Aug 18 11:00:57 comptia sshd[5657]: Failed password for root from 10.10.10.192 port 38980 ssh2
Aug 18 23:08:26 comptia sshd[5768]: Failed password for root from 18.70.0.160 port 38156 ssh2
Aug 18 23:08:30 comptia sshd[5770]: Failed password for admin from 18.70.0.160 port 38556 ssh2
Aug 18 23:08:34 comptia sshd[5772]: Failed password for invalid user asterisk from 18.70.0.160 port 38864 ssh2
Aug 18 23:08:38 comptia sshd[5774]: Failed password for invalid user sjobeck from 10.10.1.16 port 39157 ssh2
Aug 18 23:08:42 comptia sshd[5776]: Failed password for root from 18.70.0.160 port 39467 ssh2

Which of the following can be suspected? A. An unauthorized user is trying to gain access from 10.10.10.192. B. An authorized user is trying to gain access from 10.10.10.192. C. An authorized user is trying to gain access from 18.70.0.160. D. An unauthorized user is trying to gain access from 18.70.0.160.

ANSWER

D

QUESTION 6

A security analyst has been asked to review permissions on accounts within Active Directory to determine if they are appropriate to the user's role. During this process, the analyst notices that a user from building maintenance is part of the Domain Admin group. Which of the following does this indicate? A. Cross-site scripting B. Session hijack C. Privilege escalation D. Rootkit

ANSWER

C

QUESTION 7

In the last six months, a company is seeing an increase in credential-harvesting attacks. The latest victim was the chief executive officer (CEO). Which of the following countermeasures will render the attack ineffective? A. Use a complex password according to the company policy. B. Implement an intrusion-prevention system. C. Isolate the CEO's computer in a higher security zone. D. Implement multifactor authentication.

ANSWER

D

QUESTION 8

After a security breach, it was discovered that the attacker had gained access to the network by using a brute-force attack against a service account with a password that was set to not expire, even though the account had a long, complex password. Which of the following could be used to prevent similar attacks from being successful in the future? A. Complex password policies B. Account lockout C. Self-service password reset portal D. Scheduled vulnerability scans

ANSWER

B

QUESTION 9

A security analyst wants to capture data flowing in and out of a network. Which of the following would MOST likely assist in achieving this goal? A. Taking a screenshot. B. Analyzing network traffic and logs. C. Analyzing big data metadata. D. Capturing system image.

ANSWER

B

QUESTION 10

There are reports that hackers are using home thermostats to ping a national service provider without the provider's knowledge. Which of the following attacks is occurring from these devices? A. IoT B. DDoS C. MITM D. MIMO

ANSWER

B

QUESTION 11

Which of the following is the purpose of a SIEM solution? A. To provide real-time security analysis and alerts generated within the security system. B. To provide occasional updates on global security breaches C. To act as an attack vector D. To act as an intrusion prevention system

ANSWER

A

QUESTION 12

An actor with little to no knowledge of the tools they use to carry out an attack is known as which of the following? A. White hat B. Black hat C. Attack vector D. Script kiddie

ANSWER

D

QUESTION 13

Which one of the following does NOT accurately portray the attributes of an Advanced Persistent Threat (APT) attack? A. They often exploit unknown vulnerabilities. B. They typically use freely available attacking tools to cut down on costs. C. They target large or government organizations. D. They use sophisticated means to gain access to highly valued resources.

ANSWER

B

QUESTION 14

Which of the following are the security intelligence data elements that assure the quality of the data? (Choose three) A. Accuracy B. Proprietary C. Relevance D. Timeliness

ANSWER

ACD

QUESTION 15

The process of combing through collected data to gather relevant and accurate intelligence data is referred to as _____ according to the intelligence cycle. A. Collection B. Dissemination C. Feedback D. Analysis

ANSWER

D

QUESTION 16

Which of the following ports would you close if your server does not host any DNS services? A. 22 B. 53 C. 443 D. 80

ANSWER

B

QUESTION 17

The security team advises that there is a server running legacy software that some of the applications within the organization depend on. Upon review, management realizes the potential loss from the risk isn't great enough to warrant spending money to avoid it. This form of response is known as which of the following? A. Compensation Control B. Risk acceptance C. Risk avoidance D. Remediation

ANSWER

B

QUESTION 18

A critical vulnerability falls within which CVSS score range? A. 4.0-7.0 B. 3.9-5.0 C. 0.0-10.0 D. 9.0-10.0

ANSWER

D

QUESTION 19

An attacker collects information about a target from sources such as LinkedIn, Twitter, and the target's website. This form of reconnaissance is known as which of the following? A. Active reconnaissance B. Passive reconnaissance C. Native reconnaissance D. None of the above options

ANSWER

B

QUESTION 20

When defining a scope to scan, which of the following should you use? (Choose two) A. An IP range B. A gateway C. A single IP D. A subnet mask only

ANSWER

AC

QUESTION 21

Which of the following is NOT a factor that can inhibit remediation? A. Legacy Systems B. SLA C. MOU D. Employment Contract

ANSWER

D

QUESTION 22

Which of the following will define a scope to scan? Choose two. A. 192.168.10.1 B. 192.168.88.1/24 C. 127.0.0.1 D. 169.254.10.1

ANSWER

AB

QUESTION 23

Your company is requesting you to assess the extent to which a client's data was compromised in an incident. What analysis are you required to perform? A. MOU B. IIA C. SLA D. PII

ANSWER

B

QUESTION 24

Which of the following would be used to de-authenticate devices connected to a wireless access point? A. -0 B. -c C. 5 D. -a

ANSWER

A

QUESTION 25

To prevent memory compromise and subsequent overflow attacks in operating systems, which OS feature must be available? A. UEFI B. Boot Security C. HIPS D. ASLR

ANSWER

D

QUESTION 26

Which firewall option would allow an administrator to permit an application into an organization's network? A. Whitelisting B. Filtering C. Port Security D. Blacklisting

ANSWER

A

QUESTION 27

The command "Mac Address Sticky" uses physical addresses to restrict and provide network access to the device. True or false?

ANSWER

T

QUESTION 28

Which of the following is a threat associated with operating in the cloud? A. Unsecure-Wi-Fi B. Malicious insider C. Bluejacking D. Evil Twin

ANSWER

B

QUESTION 29

Which of the following practices are likely to put corporate systems at risk? A. CIA B. Patching C. MDM D. BYOD

ANSWER

D

QUESTION 30

A unique feature of a hybrid cloud is the combination of a private and public cloud. True or false?

ANSWER

T

QUESTION 31

Which mobile security standard allows an organization to manage mobile devices? A. MDM B. BYOD C. SSH D. CAN bus

ANSWER

A

QUESTION 32

Which of the following are fundamentals of MFA? (Choose three) A. Something you have, such as a one-time PIN B. Something you know, such as a password C. Something you do, such as a sport D. Something you are, such as biometrics

ANSWER

ABD

QUESTION 33

In which of the following can the attacker use ARP Poisoning to compromise systems? A. LAN B. Bluetooth C. WAN D. None of the above

ANSWER

A

QUESTION 34

Locking is an effective mitigating measure against race condition attacks. True or false?

ANSWER

T

QUESTION 35

You are informed that the recently hired junior accountant within your organization has had her device compromised after clicking on a link within an email that was seemingly sent from the head of the accounting department. What type of attack would the junior accountant have been a victim of? A. Phishing attack B. SQL Injection C. DDOS attack D. MITM attack

ANSWER

A

QUESTION 36

Which security concerns are more easily implemented in the cloud? (Choose three) A. Data locality B. Physical security C. Customization D. Regulatory compliance E. API access

ANSWER

BDE

QUESTION 37

A Cloud Access Security Broker is a piece of software that does which of the following? A. Introduces new vulnerabilities B. Prices cloud services C. Sits between your Cloud and on-premises deployments D. Reduces security complexity

ANSWER

C

QUESTION 38

Hardware IDs (such as serial numbers) are often tagged onto assets by which method? A. A handwritten log B. They're not C. A physical tag or sticker D. An external database

ANSWER

C

QUESTION 39

Good change management includes which of the following features? (Choose three) A. Change identification B. Regulatory reporting C. Life-cycle tracking D. Review E. A shared spreadsheet

ANSWER

ACD

QUESTION 40

Network segmentation can mitigate the risk of a vulnerability spreading beyond its initial attack vector. True or false?

ANSWER

T

QUESTION 41

Which architecture represents a cloud deployment that's isolated from other public users of that same cloud infrastructure? A. Firewall B. Virtual private clouds (VPC) C. Serverless computing D. Software-defined networking (SDN)

ANSWER

B

QUESTION 42

Server virtualization introduces security vulnerabilities by sharing underlying hardware with other virtual machines. True or false?

ANSWER

F

QUESTION 43

Which feature of a system is shared by all containers running on that system? A. Memory space B. Disk space C. Operating system kernel D. Network ports

ANSWER

C

QUESTION 44

Which important access control feature is used by both RBAC and ABAC? A. Permissions assigned to roles B. Permissions assigned directly to users C. Principle of Least Privilege D. Permissions derived from attributes

ANSWER

C

QUESTION 45

Account credentials should be encrypted both in-transit and at-rest by default. True or false?

ANSWER

T

QUESTION 46

A username and password authentication scheme is considered "Multi-Factor Authentication" because the username and password represent the two different factors. True or false?

ANSWER

F

QUESTION 47

A Honeypot has which of the following features? (Choose three) A. Excludes any sensitive data B. An easy target C. Isolated from secure systems D. Automatically blocks known attack vectors

ANSWER

ABC

QUESTION 48

Documentation for software assurance comes in which forms? A. Standard Operating Procedures and Information Assurance Plans B. Regulatory Oversight C. Stackoverflow Queries D. Continuous Integration / Continuous Deployment

ANSWER

A

QUESTION 49

Challenges for assuring mobile software include which of the following? (Choose three) A. Device Aesthetics B. Connectivity C. Physical Size D. Limited Resources E. User Education

ANSWER

BCD

QUESTION 50

Web applications are often exposed over the public internet and this introduces additional security concerns. True or false?

ANSWER

T

QUESTION 51

Which trait is mostly unique to firmware? A. Publicly available B. Deployed on the Web C. Easily assured D. Tight coupling to the hardware

ANSWER

D

QUESTION 52

Which stage of the SDLC should Software Assurance be introduced at? A. Every stage B. Design C. Testing D. Deployment

ANSWER

A

QUESTION 53

DevSecOps means integrating security assurance into the entire DevOps process and pipeline. True or false?

ANSWER

T

QUESTION 54

Which testing is the most discrete form of testing and often automated as part of a CI/CD pipeline? A. Unit Testing B. Integration Testing C. User Acceptance Testing D. Penetration Testing

ANSWER

A

QUESTION 55

You should classify all data input sources as which of the following? A. Trusted or Untrusted B. Public or Private C. High or Low D. Internal or External

ANSWER

A

QUESTION 56

Secure credentials are stored in which form? A. With two-way encryption B. They're never stored C. Plain text D. Salted and Hashed

ANSWER

D

QUESTION 57

SAST tools can review your code while it's executing to identify flaws or vulnerabilities. True or false?

ANSWER

F

QUESTION 58

Pros of dynamic analysis tools include which of the following? (Choose three) A. Provides a real-use view B. Are simple to configure and use C. Have a limited variety in options D. Captures information at a discrete level E. Identifies distinct flaws from SAST

ANSWER

ADE

QUESTION 59

SAML relies on which format for data transfer? A. XML B. Speech-to-Text C. CSV D. JSON

ANSWER

A

QUESTION 60

Which type of Root of Trust is hardwired into the PCB or system board of a system? A. USB Dongle B. Certificate Authority C. TPM D. HSM

ANSWER

C

QUESTION 61

An eFuse bit can only be written to a single time. True or false?

ANSWER

T

QUESTION 62

UEFI provides the necessary functionality for which system level process? A. Secure Boot B. Boot Loaders C. BIOS D. Anti-virus software

ANSWER

A

QUESTION 63

Which boot process validates each successive piece of software as they start and halts if invalid software is discovered? A. Measured Boot B. UEFI C. Secure Boot D. Bus Encryption

ANSWER

C

QUESTION 64

Which types of data are TEEs used to secure? (Choose three) A. DRM Controls B. Payment/PCI Data C. Virus or Malware Definitions D. Biometric Data E. OS Versioning

ANSWER

ABD

QUESTION 65

Match the two types of keys with their purpose. 1. User password to unlock the drive 2. Private key used to secure data A. Authentication Key B. Data Encryption Key

ANSWER

AB

QUESTION 66

Which of the following would be a part of heuristic analysis? (Choose two) A. Code analysis of unexecuted files B. Observing patterns in attack vectors on an institution C. Observing code execution in a sandbox D. Noting relationships between network traffic and malware

ANSWER

AC

QUESTION 67

Which type of security log would be most useful in order to determine the centrally cached web sites? A. Syslog Server log B. Windows Security Event Log C. Proxy Server Syslog D. Proxy Server Log

ANSWER

D

QUESTION 68

Which command-line tool is used to send the results of an onscreen command to a text file? A. > B. | C. \ D. <

ANSWER

A

QUESTION 69

Which of the following is the most basic initial function of a SIEM system? A. Correlation via rules B. Log aggregation dashboard C. Artificial Intelligence D. Security Orchestration and Automation Response

ANSWER

B

QUESTION 70

Which log is associated with tracking both successful and failed authentication attempts on a Linux operating system? A. auth.log B. faillog C. security event log D. syslog

ANSWER

A

QUESTION 71

Which type of network analysis decodes the content of packets to see the application data moving through the network? A. Flow Analysis B. DNS Analysis C. Protocol Analysis D. Packet Analysis

ANSWER

D

QUESTION 72

Which form of email security infrastructure specifically focuses on digital signatures of outbound email from a mail server? A. DNS B. DMARC C. DKIM D. SPF

ANSWER

C

QUESTION 73

Which type of email-related concern escalates most of the other security concerns? A. Embedded links B. Forwarder redirection C. Social engineering D. Attachments

ANSWER

C

QUESTION 74

Which type of impact is best described as the impact to the data within a company? A. Local B. Organizational C. Total D. Immediate

ANSWER

A

QUESTION 75

Which permissions would let someone view and launch a file that uses memory by triggering a CPU process? (Choose two) A. Delete B. Permissions C. Read D. Write E. Execute

ANSWER

CE

QUESTION 76

Which of the following are the best candidates for a blacklist? (Choose two) A. Firewalls B. Network ACLs C. Malware D. Malicious traffic patterns E. Permissions

ANSWER

CD

QUESTION 77

Regarding firewall passwords, which of the following typically cause the greatest vulnerabilities? (Choose two) A. Config files B. Updates C. Zones D. Defaults E. Rules

ANSWER

AD

QUESTION 78

When IPS traffic is allowed through to the network when it should have been blocked, it's referred to as which of the following? A. False negative B. False positive C. Out-of-band enforcement D. Baseline

ANSWER

A

QUESTION 79

Which of the following are likely areas of management in a Data Loss Prevention system? (Choose three) A. Printing B. Permissions C. Email D. Software E. User Authentication

ANSWER

ACD

QUESTION 80

Which location is typical for an EDR agent installation? A. Firewall B. Virtual Server C. Router D. Switch

ANSWER

B

QUESTION 81

Which element of a NAC topology best describes a layer 2 switch? A. Authentication Server B. Supplicant C. Internet of Things D. Authenticator

ANSWER

D

QUESTION 82

Which security infrastructure element is added in order to redirect endpoints to a new destination? A. Sinkhole B. Sandbox C. Honeynet D. Honeypot

ANSWER

A

QUESTION 83

Which of the following is the most valuable resource in proactive threat management? A. Firewalls B. People C. Artificial Intelligence D. Intrusion Detection Systems

ANSWER

B

QUESTION 84

Why do we need to learn about current threats in order to develop an accurate hypothesis to investigate? (Choose three) A. Procedures B. Policies C. Titles D. Techniques E. Tactics

ANSWER

ADE

QUESTION 85

Which type of advanced persistent threat actor is known for having large resources and wanting to affect disruption in a foreign country? A. Hacktivist B. Cyber Criminal C. Nation State D. Cyber-Terrorist

ANSWER

C

QUESTION 86

Order the threat hunting steps appropriately. A. Envision the Attack B. Keep Learning C. Look for Attacks D. Know Thyself

ANSWER

DACB

QUESTION 87

Which of the following is associated most with network controls rather than endpoint controls? A. Change defaults B. Deny all ports and protocols C. Containerization D. Desired State Configuration

ANSWER

B

QUESTION 88

Which of the following is the most valid definition of an attack vector? A. A method of attack B. Exploited vulnerabilities C. Agents of potential harm to an enterprise D. Malware

ANSWER

A

QUESTION 89

Which of the following is the most accurate description of a system that gathers vast quantities of data through neural networks? A. Machine Learning B. Artificial Intelligence C. Deep Learning D. Natural Intelligence

ANSWER

C

QUESTION 90

Which security protocol is associated with public key infrastructure (PKI) as it applies to automation? A. Common Platform Enumeration (CPE) B. Extensible Configuration Checklist Description Format (XCCDF) C. Trust Model for Security Automation Data (TMSAD) D. Open Vulnerability Language (OVAL)

ANSWER

C

QUESTION 91

Which of the following is an element of Security Orchestration Automation and Response (SOAR)? (Choose two) A. Perform action steps with integrated systems B. Examine log for patterns C. Collect incoming data streams D. Capture network traffic

ANSWER

AC

QUESTION 92

How do APIs allow for better security automation? A. Provide a language for scripting B. Ensure automatic updates C. Identify end users D. Read and write to software systems configurations and data

ANSWER

D

QUESTION 93

Which of the following enables malware detection software to quickly recognize new variants of a strain of malware? (Choose two) A. Centralized malware databases B. String hashes C. File hashes D. Deep learning

ANSWER

BD

QUESTION 94

You're a security analyst wanting to incorporate third-party up-to-date security information into the context of machine learning that's already using content from your SIEM. Which process should be used? A. Data Deduplication B. Data Enrichment C. Data Mining D. Data Cleansing

ANSWER

B

QUESTION 95

Which of the following is the best description of a methodology involving regular small incremental changes over the lifespan of a piece of software? A. Continuous Delivery B. Continuous Integration C. Continuous Deployment D. Security Automation

ANSWER

B

QUESTION 96

An incident response process is a methodology providing guidance on handling of cyber threats and breaches. True or false?

ANSWER

T

QUESTION 97

According to the NIST framework, what are the four objectives of incident response? (Choose four) A. Preparation B. Classification C. Containment, eradication, and recovery D. Detection and analysis E. Post-incident activity

ANSWER

ACDE

QUESTION 98

A junior network analyst is monitoring network usage when he notices a huge amount of outbound network traffic. The traffic usage indicates a recent bandwidth spike that has not previously been recorded. How would the analyst categorize this information? A. Employees downloading torrents B. Timed out connections C. Potential indicator of compromise D. Packet loss

ANSWER

C

QUESTION 99

Which of the following are categories of alerts? Choose all that apply. A. Informational B. Partial C. Medium D. Critical

ANSWER

ACD

QUESTION 100

Which of the following is NOT a post incident activity? A. Lesson learned report B. Incident response planning C. Evidence retention D. Incident summary report

ANSWER

B

QUESTION 101

A company has been sued by a client concerned about his personal information after a breach. The company would like to coordinate this process using the right channel. Which entity would the company appoint to correspond with the aggrieved client? A. Legal B. Human resources C. Law enforcement D. Public relations

ANSWER

A

QUESTION 102

Which of the following indicates the presence of a rogue device on the network? A. Processor Consumption B. Evil Twin C. Registry Changes D. Memory Consumption

ANSWER

B

QUESTION 103

The process by which intrusion detection and prevention systems store hash values and compare them to detect changes is known as which of the following? A. File Security Check B. File Compromise Check C. File Test Check D. File Integrity Check

ANSWER

D

QUESTION 104

Which of the following represents the correct syntax for returning 10 times the output of captured traffic? A. Sudo tcpdump -1 eth0 -c 10 B. Sudo tcpdump -c eth0 -i 10 C. Sudo eth0 -1 10 -c eth0 D. Sudo tcpdump -i eth0 -c 10

ANSWER

D

QUESTION 105

You are only interested in viewing SSH traffic on a specific network interface. Which Wireshark feature would help achieve that? A. Analyze B. Capture C. Filter D. View

ANSWER

C

QUESTION 106

Which of the following are examples of a hash function? (Choose two) A. SHA256 B. MD5 C. CertUtil D. Cain and Abel

ANSWER

AB

QUESTION 107

Your organization's Chief Information Officer requests you to record the handling process of all the devices and evidence used during a forensic investigation. Which document would you formulate to carry out the exercise? A. Legal hold B. Chain of custody C. Case study D. Service level agreement

ANSWER

B

QUESTION 108

Why is it important to determine the business impact of an exploited vulnerability when planning risk mitigation? A. It determines the risk magnitude B. It determines the risk probability C. It determines the membership of the white tabletop team D. It determines the security controls implemented

ANSWER

A

QUESTION 109

Which security tool would best be described as the specific how-to documentation for mitigating risk? A. Control B. Procedure C. Framework D. Policy

ANSWER

B

QUESTION 110

Which standard is used to standardize the level of security provided when housing credit card information? A. HIPAA B. PCI DSS C. ISO 27001 D. FISMA

ANSWER

B

QUESTION 111

Which control helps to ensure data privacy by ensuring that as little data as feasible is initially collected? A. Data Minimization B. Retention Policy C. Data Sovereignty D. Classification

ANSWER

A

QUESTION 112

Which control is used to hide data by relocating actual private data and then providing a pointer for the software to track down that securely held data when needed? A. Tokenization B. Digital Rights Management (DRM) C. Data Masking D. Deidentification

ANSWER

A
