CompTIA CySA+ CS0-003 Deck 6

Question 1

(ISO)

Answer 1

International Organization for Standardization

Question 2

(ISO) International Organization for Standardization

Answer 2

Develops many standards and frameworks governing the use of computers, networks, and telecommunications, including ones for information security (27K series) and risk management (31K series).

Question 3

(OWASP)

Answer 3

Open Web Application Security Project

Question 4

(OWASP) Open Web Application Security Project

Answer 4

A charity and community publishing a number of secure application development resources.

Question 5

(CIS)

Answer 5

Center for Internet Security

Question 6

(CIS) Center for Internet Security

Answer 6

A not-for-profit organization (founded partly by SANS). It publishes the well-known “Top 20 Critical Security Controls” (or system design recommendations).

Question 7

(PCI DSS)

Answer 7

Payment Card Industry Data Security Standard

Question 8

(PCI DSS) Payment Card Industry Data Security Standard

Answer 8

Information security standard for organizations that process credit or bank card payments.

Question 9

What is the name of the document designed to demonstrate an organization’s compliance with PCI DSS requirements?

Answer 9

Attestation of Compliance

Question 10

Vulnerability Scanner

Answer 10

Hardware or software configured with a list of known weaknesses and exploits and can scan for their presence in a host OS or particular application.

Question 11

Fingerprinting

Answer 11

Identifying the type and version of an operating system (or server application) by analyzing its responses to network scans.

Question 12

Static Analysis

Answer 12

The process of reviewing uncompiled source code either manually or using automated tools.

Question 13

Dynamic Analysis

Answer 13

Software testing that examines code behavior during runtime. It helps identify potential security issues, potential performance issues, and other problems.

Question 14

Fuzzing

Answer 14

A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

Question 15

Reverse Engineering

Answer 15

The process of analyzing the structure of hardware or software to reveal more about how it functions.

Question 16

What type of scanning describes indirect methods of assessment, such as inspecting traffic flows and protocols?

Answer 16

Passive Scanning

Question 17

______________describes the effort taken to more specifically identify details about a device.

Answer 17

Fingerprinting

Question 18

A configuration ____________details the recommended settings for services and policy configuration for a device or software operating in a specific role.

Answer 18

Baseline

Question 19

Segmentation

Answer 19

Enforcing a security zone by separating a segment of the network from access by the rest of the network. This could be accomplished using firewalls or VPNs or VLANs. A physically separate network or host (with no cabling or wireless links to other networks) is referred to as air-gapped.

Question 20

(OT)

Answer 20

Operational technology

Question 21

(OT) Operational technology

Answer 21

Communications network designed to implement an industrial control system rather than data networking.

Question 22

(ICSs)

Answer 22

Industrial Control Systems

Question 23

(ICSs) Industrial Control Systems

Answer 23

Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

Question 24

(HMIs)

Answer 24

Human-Machine Interfaces

Question 25

(HMIs) Human-Machine Interfaces

Answer 25

Input and output controls on a PLC to allow a user to configure and monitor the system.

Question 26

Data Historian

Answer 26

Software that aggregates and catalogs data from multiple sources within an industrial control system.

Question 27

(SCADA)

Answer 27

Supervisory Control and Data Acquisition

Question 28

(SCADA) Supervisory Control and Data Acquisition

Answer 28

Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

Question 29

(PLCs)

Answer 29

Programmable Logic Controllers

Question 30

(PLCs) Programmable Logic Controllers

Answer 30

Type of processor designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

Question 31

(SCAP)

Answer 31

Security Content Automation Protocol

Question 32

(SCAP) Security Content Automation Protocol

Answer 32

A NIST framework that outlines various accepted practices for automating vulnerability scanning.

Question 33

(OVAL)

Answer 33

Open Vulnerability and Assessment Language

Question 34

(OVAL) Open Vulnerability and Assessment Language

Answer 34

An XML schema, maintained by MITRE, for describing system security state and querying vulnerability reports and information.

Question 35

(CPE)

Answer 35

Common Platform Enumeration

Question 36

(CPE) Common Platform Enumeration

Answer 36

Scheme for identifying hardware devices, operating systems, and applications developed by MITRE.

Question 37

(CVE)

Answer 37

Common Vulnerabilities and Exposures

Question 38

(CVE) Common Vulnerabilities and Exposures

Answer 38

Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

Question 39

(CCE)

Answer 39

Common Configuration Enumeration

Question 40

(CCE) Common Configuration Enumeration

Answer 40

Scheme for provisioning secure configuration checks across multiple sources developed by MITRE and adopted by NIST.

Question 41

(CVSS)

Answer 41

Common Vulnerability Scoring System

Question 42

(CVSS) Common Vulnerability Scoring System

Answer 42

A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

Question 43

What is the attack complexity identified in the following vector? CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Answer 43

High

Question 44

What is the impact to integrity identified in the following vector? CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Answer 44

High

Question 45

Physical (P), Local (L), Adjacent network (A), or Network (N) are all values for which base metric?

Answer 45

Attack Vector (AV)

Question 46

This describes when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not.

Answer 46

False positive

Question 47

What type of vulnerability cannot be detected by vulnerability scanning tools?

Answer 47

Zero-Day

Question 48

The three categories in a CVSS score include impact, exploitability, and __________________.

Answer 48

Remediation

Question 49

What dashboards provide a live view of critical data and are composed of graphs, charts, status indicators, and other visual representations?

Answer 49

Vulnerability Reporting Dashboards

Question 50

What assessment measures the risk posed by a particular system, application, or individual vulnerability in terms of being successfully hacked or breached?

Answer 50

Risk Score

Question 51

Memorandum of Understanding (MoU)

Answer 51

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

Question 52

(MoU)

Answer 52

Memorandum of Understanding

Question 53

(SLA)

Question 54

(SLA) Service-Level Agreement

Answer 54

An agreement that sets the service requirements and expectations between a consumer and a provider.