CompTIA CySA+ - Chapter 3 - Review questions Flashcards

1
Q

Which of the following Linux commands will show how much disk space is in use?

A. top
B. df
C. lsof
D. ps

A

B
The df command will show you a system’s current disk utilization. Both the top command and the ps command will show you information about processes, CPU, and memory utilization, whereas lsof is a multifunction tool for listing open files.

2
Q

What Windows tool provides detailed information, including information about USB host controllers, memory usage, and disk transfers?

A. Statmon
B. Resmon
C. Perfmon
D. Winmon

A

C
Perfmon, or Performance Monitor, provides the ability to gather detailed usage statistics of many items in Windows. Resmon, or Resource Monitor, monitors CPU, memory, and disk usage but does not provide information about things like USB host controllers and other detailed instrumentation. Statmon and Winmon are not Windows built-in tools.

3
Q

What type of network information should you capture to be able to provide a report about how much traffic systems in your network sent to remote systems?

A. Syslog data
B. WMI data
C. Resmon data
D. Flow data

A

D.
Flow data provides information about the source and destination IP address, protocol, and total data sent and would provide the detail needed. Syslog, WMI, and Resmon data are all system log information and would not provide this information.

4
Q

Which of the following technologies is best suited to prevent wired rogue devices from connecting to a network?
A. NAC
B. PRTG
C. Port security
D. NTP

A

A.
Network access control (NAC) can be set up to require authentication. Port security is limited to recognizing MAC addresses, making it less suited to preventing rogue devices. PRTG is a monitoring tool, and NTP is the Network Time Protocol.

5
Q

As part of her job, Danielle sets an alarm to notify her team via email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. What is this setting called?
A. A monitoring threshold
B. A preset notification level
C. Page monitoring
D. Perfmon

A

A
A monitoring threshold is set to determine when an alarm or report action is taken. Thresholds are often set to specific values or percentages of capacity.

6
Q

Chris is reviewing a file that is part of an exploit package. He notes that there is a file that has content with curly brackets ({ }) around statements. What file type from the following list is he most likely reviewing?
A. Plain text
B. JSON
C. XML
D. HTML

A

B
Chris is most likely reviewing a JSON file. HTML and XML typically use angle brackets (< and >) rather than curly brackets. Plain text does not use or require either.

7
Q

What term describes a system sending heartbeat traffic to a botnet command-and-control server?
A. Beaconing
B. Zombie ping
C. CNCstatus
D. CNClog

A

A.
Beaconing activity (sometimes called heartbeat traffic) occurs when traffic is sent to a botnet command-and-control system. The other terms are made up.

8
Q

Cameron wants to check if a file matches a known-good original. What technique can he use to do so?
A. Decrypt both the file and the original to compare them.
B. Use strings to compare the file content.
C. Hash both the file and original and compare the hashes.
D. Check the file size and creation date.

A

C.
Cameron should compare the hashes of the known-good original and the new file to see if they match. The files are not described as encrypted, so decrypting them won’t help. Strings can show text in binary files but won’t compare the files. File size and creation date are not guarantees of a file being the same.

9
Q

What can the MAC address of a rogue device tell you?
A. Its operating system version
B. The TTL of the device
C. What type of rogue it is
D. The manufacturer of the device

A

D.
Hardware vendor ID codes are part of MAC addresses and can be checked for devices that have not had their MAC address changed. It is possible to change MAC addresses, so relying on only the MAC address is not recommended, but it can be useful to help identify what a rogue device might be.

10
Q

How can Jim most effectively locate a wireless rogue access point that is causing complaints from employees in his building?
A. Nmap
B. Signal strength and triangulation
C. Connecting to the rogue AP
D. NAC

A

B.
Locating a rogue AP is often best done by performing a physical survey and triangulating the likely location of the device by checking its signal strength. If the AP is plugged into the organization’s network, nmap may be able to find it, but connecting to it is unlikely to provide its location (or be safe!). NAC would help prevent the rogue device from connecting to an organizational network but won’t help locate it.

11
Q

Which of the following tools does not provide real-time drive capacity monitoring for Windows?
A. Microsoft Configuration Manager
B. Resmon
C. SCOM
D. Perfmon

A

A
Microsoft Configuration Manager provides non-real-time reporting for disk space. Resmon, perfmon, and SCOM can all provide real-time reporting, which can help identify problems before they take a system down.

12
Q

One of the business managers in Geeta’s organization reports that she received an email with a link that appeared to be a link to the organization’s website. Fortunately, the manager noticed that the URL was different from usual. What term best describes a link that is disguised to appear legitimate?

A. An obfuscated link
B. A symbolic link
C. A phishing link
D. A decoy link

A

A.
Obfuscated links take advantage of tricks, including using alternate encoding, typos, and long URLs that contain legitimate links wrapped in longer malicious links. Symbolic links are a pointer used by Linux operating systems to point to an actual file using a filename and link. Phishing links and decoy links are not common terms.

13
Q

Angela wants to review the syslog on a Linux system. What directory should she check to find it on most Linux distributions?
A. /home/log
B. /var/log
C. /Log
D. /Var/Syslog

A

B.
The syslog file is found in /var/log on most Linux hosts.

14
Q

Which of the following is a key differentiator between a SIEM and a SOAR?

A. SIEM does not provide a dashboard.
B. A SOAR provides automated response capabilities.
C. SOAR does not provide log aggregation.
D. SIEM provides log analysis.

A

B
SOAR tools focus on orchestration and response. SIEM tools typically do not focus on automated response. Both leverage log analysis and aggregation and will provide dashboards and reporting.

15
Q

Laura wants to review the headers of an email that one of her staff is suspicious of. What should she not have that person do if she wants to preserve the headers?

A. She shouldn’t have them print the email.
B. She shouldn’t have them reply to the email.
C. She shouldn’t have them forward the email to her.
D. She shouldn’t have them download the email.

A

C
Forwarding an email will remove the headers and replace them with new headers on the forwarded email, but not on the original. Laura should use a “view headers” or “view original email” option if it exists to view and analyze the headers. Printing, replying to, or downloading an email will not impact the headers.

16
Q

Which of the following options is not a valid way to check the status of a service in Windows?

A. Use sc at the command line.
B. Use service – status at the command line.
C. Use services.msc.
D. Query service status using PowerShell.

A

B
The service – status command is a Linux command. Windows service status can be queried using sc, the Services snap-in for the Microsoft Management Console (MMC), or via a PowerShell query.

17
Q

Avid has been asked to identify unexpected traffic on her organization’s network. Which of the following is not a technique she should use?

A. Protocol analysis
B. Heuristics
C. Baselining
D. Beaconing

A

D
Protocol analysis, using heuristic (behavior)-based detection capabilities, and building a network traffic baseline are all common techniques used to identify unexpected network traffic. Beaconing occurs when a system contacts a botnet command-and-control (C&C) system, and it is likely to be a source of unexpected traffic rather than a technique for finding it.

18
Q

Sofia suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to help verify her suspicions?

A. Flows
B. A protocol analyzer
C. SNMP
D. An IDS or IPS

A

C
SNMP will not typically provide specific information about a system’s network traffic that would allow you to identify outbound connections. Flows, sniffers (protocol analyzers), and an IDS or IPS can all provide a view that would allow the suspect traffic to be captured.

19
Q

Susan wants to use an email security protocol to determine the authenticity of an email. Which of the following options will ensure that their organization’s email server can determine if it should accept email from a sender?

A. DMARC
B. SPF
C. DKIM
D. POP3

A

A
DMARC (Domain-Based Message Authentication, Reporting, and Conformance) is a protocol that combines SPF and DKIM to prove that a sender is who they claim to be. DKIM validates that a domain is associated with a message, whereas SPF lists the servers that are authorized to send from your domain. POP3 is an email protocol but does not perform the function described.

20
Q

Juan wants to see a list of processes along with their CPU utilization in an interactive format. What built-in Linux tool should he use?

A. df
B. top
C. tail
D. cpugrep

A

B
The top command in Linux provides an interactive interface to view CPU utilization, memory usage, and other details for running processes. df shows disk usage, tail displays the end of a file, and cpugrep is a made-up command.