CompTIA CySA+ CS0-003 Deck 6 Flashcards

Learn key concepts found in the CompTIA CySA+ CS0-003 Exam.

1
Q

(ISO)

A

International Organization for Standardization

2
Q

(ISO) International Organization for Standardization

A

Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).

3
Q

(OWASP)

A

Open Web Application Security Project

4
Q

(OWASP) Open Web Application Security Project

A

A charity and community publishing a number of secure application development resources.

5
Q

(CIS)

A

Center for Internet Security

6
Q

(CIS) Center for Internet Security

A

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

7
Q

(PCI DSS)

A

Payment Card Industry Data Security Standard

8
Q

(PCI DSS) Payment Card Industry Data Security Standard

A

Information security standard for organizations that process credit or bank card payments.

9
Q

What is the name of the document designed to demonstrate an organization’s compliance with PCI DSS requirements?

A

Attestation of Compliance

10
Q

Vulnerability Scanner

A

Hardware or software configured with a list of known weaknesses and exploits that can scan for their presence in a host OS or a particular application.

11
Q

Fingerprinting

A

Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.

12
Q

Static Analysis

A

The process of reviewing uncompiled source code either manually or using automated tools.

13
Q

Dynamic Analysis

A

Software testing that examines code behavior during runtime. It helps identify potential security issues, potential performance issues, and other problems.

14
Q

Fuzzing

A

A dynamic code analysis technique that involves sending a running application random and unusual input in order to evaluate how the application responds.

15
Q

Reverse Engineering

A

The process of analyzing the structure of hardware or software to reveal more about how it functions.

16
Q

What type of scanning describes indirect methods of assessment, such as inspecting traffic flows and protocols?

A

Passive Scanning

17
Q

______________ describes the effort taken to identify details about a device more specifically.

A

Fingerprinting

18
Q

A configuration ____________ details the recommended settings for services and policy configuration for a device or software operating in a specific role.

A

Baseline

19
Q

Segmentation

A

Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls, VPNs, or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped.

20
Q

(OT)

A

Operational technology

21
Q

(OT) Operational technology

A

Communications network designed to implement an industrial control system rather than data networking.

22
Q

(ICSs)

A

Industrial Control Systems

23
Q

(ICSs) Industrial Control Systems

A

Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

24
Q

(HMIs)

A

Human-Machine Interfaces

25
Q

(HMIs) Human-Machine Interfaces

A

Input and output controls on a PLC to allow a user to configure and monitor the system.

26
Q

Data Historian

A

Software that aggregates and catalogs data from multiple sources within an industrial control system.

27
Q

(SCADA)

A

Supervisory Control and Data Acquisition

28
Q

(SCADA) Supervisory Control and Data Acquisition

A

Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

29
Q

(PLCs)

A

Programmable Logic Controllers

30
Q

(PLCs) Programmable Logic Controllers

A

Type of processor designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

31
Q

(SCAP)

A

Security Content Automation Protocol

32
Q

(SCAP) Security Content Automation Protocol

A

A NIST framework that outlines various accepted practices for automating vulnerability scanning.

33
Q

(OVAL)

A

Open Vulnerability and Assessment Language

34
Q

(OVAL) Open Vulnerability and Assessment Language

A

An XML schema, maintained by MITRE, for describing system security state and querying vulnerability reports and information.

35
Q

(CPE)

A

Common Platform Enumeration

36
Q

(CPE) Common Platform Enumeration

A

Scheme for identifying hardware devices, operating systems, and applications developed by MITRE.

37
Q

(CVE)

A

Common Vulnerabilities and Exposures

38
Q

(CVE) Common Vulnerabilities and Exposures

A

Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

39
Q

(CCE)

A

Common Configuration Enumeration

40
Q

(CCE) Common Configuration Enumeration

A

Scheme for provisioning secure configuration checks across multiple sources developed by MITRE and adopted by NIST.

41
Q

(CVSS)

A

Common Vulnerability Scoring System

42
Q

(CVSS) Common Vulnerability Scoring System

A

A risk management approach that quantifies vulnerability data and then takes into account the degree of risk to different types of systems or information.

43
Q

What is the attack complexity identified in the following vector? CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A

High

44
Q

What is the impact to integrity identified in the following vector? CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

A

High

45
Q

Physical (P), Local (L), Adjacent network (A), or Network (N) are all values for which base metric?

A

Attack Vector (AV)

46
Q

This describes when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not.

A

False positive

47
Q

What type of vulnerability cannot be detected by vulnerability scanning tools?

A

Zero-Day

48
Q

The three categories in a CVSS score include impact, exploitability, and __________________.

A

Remediation

49
Q

What dashboards provide a live view of critical data and are composed of graphs, charts, status indicators, and other visual representations?

A

Vulnerability Reporting Dashboards

50
Q

What assessment measures the risk posed by a particular system, application, or individual vulnerability in terms of being successfully hacked or breached?

A

Risk Score

51
Q

Memorandum of Understanding (MoU)

A

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

52
Q

(MoU)

A

Memorandum of Understanding

53
Q

(SLA)

A

Service-Level Agreement

54
Q

(SLA) Service-Level Agreement

A

An agreement that sets the service requirements and expectations between a consumer and a provider.