CYSA+ 002 Flashcards

1
Q

An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.
Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

A. FaaS
B. RTOS
C. SoC
D. GPS
E. CAN bus
A

Correct Answer: B
IoT devices also often run real-time operating systems (RTOS). These are either special purpose operating systems or variants of standard operating systems designed to process data rapidly as it arrives from sensors or other IoT components.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.
Which of the following would BEST identify potential indicators of compromise?
A. Use Burp Suite to capture packets to the SCADA device’s IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.

A

Correct Answer: C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q
Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?
A. Human resources
B. Public relations
C. Marketing
D. Internal network operations center
A

Correct Answer: B

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization’s production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.
Which of the following would be the MOST appropriate to remediate the controller?
A. Segment the network to constrain access to administrative interfaces.
B. Replace the equipment that has third-party support.
C. Remove the legacy hardware from the network.
D. Install an IDS on the network between the switch and the legacy equipment.

A

Correct Answer: D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor’s labs.
Which of the following is the main concern a security analyst should have with this arrangement?
A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

A

Correct Answer: D
Reference:
https://www.eetimes.com/how-to-protect-intellectual-property-in-fpgas-devices-part-1/#

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:

$ ping 192.168.1.4
PING 192.168.1.4 (192.168.1.4): 56 data bytes
192.168.1.4 ping statistics
4 packets transmitted, 0 packets received, 100.0% packet loss

The analyst runs the following command next:

$ sudo hping3 - 4 -n -i 192.168.1.4
HPING 192.168.1.4 (enl 192.168.1.4): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.1.4 ttl=64 id=32101 sport=0 flags=RA seq=0 win=0 rtt=0.4ms
len=46 ip=192.168.1.4 ttl=64 id=32102 sport=0 flags=RA seq=1 win=0 rtt=0.3ms
len=46 ip=192.168.1.4 ttl=64 id=22103 sport=0 flags=RA seq=2 win=0 rtt=0.4ms
len=46 ip=192.168.1.4 ttl=64 id=32104 sport=0 flags=RA seq=3 win=0 rtt=0.4ms
10.0.1.33 hpaing statistic
4 packets transmitted, 4 packets received, 0% packet loss

Which of the following would explain the difference in results?

A. ICMP is being blocked by a firewall.
B. The routing tables for ping and hping3 were different.
C. The original ping command needed root permission to execute.
D. hping3 is returning a false positive.

A

Correct Answer: A

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A cybersecurity analyst is contributing to a team hunt on an organization’s endpoints.
Which of the following should the analyst do FIRST?
A. Write detection logic.
B. Establish a hypothesis.
C. Profile the threat actors and activities.
D. Perform a process analysis.

A

Correct Answer: B
Reference:
https://www.cybereason.com/blog/blog-the-eight-steps-to-threat-hunting

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.
Which of the following BEST describes this attack?
A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack

A

Correct Answer: B
Reference:
https://economictimes.indiatimes.com/definition/memory-corruption

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q
Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application?
(Choose two.)
A. Parameterized queries
B. Session management
C. Input validation
D. Output encoding
E. Data protection
F. Authentication
A

Correct Answer: AC
Reference:
https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company’s server.
Which of the following is the FIRST step the analyst should take?
A. Create a full disk image of the server’s hard drive to look for the file containing the malware.
B. Run a manual antivirus scan on the machine to look for known malicious software.
C. Take a memory snapshot of the machine to capture volatile information stored in memory.
D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.

A

Correct Answer: D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

An information security analyst is compiling data from a recent penetration test and reviews the following output:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-01 16:06 UTC
Nmap scan report for 10.79.95.173.rdns.datacenters.com (10.79.95.173)
Host is up (0.026s latency).
Not shown: 994 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
22/tcp
open ssh
SilverShield sshd (protocol 2.0)
80/tcp
open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
443/tcp
open https?
691/tcp open resvc?
5060/tcp open sip Barracuda NG Firewall (Status: 200 OK)
Nmap done: 1 IP address (1 host up) scanned in 158.22 seconds

The analyst wants to obtain more information about the web-based services that are running on the target.
Which of the following commands would MOST likely provide the needed information?

A. ping -t 10.79.95.173.rdns.datacenters.com
B. telnet 10.79.95.173 443
C. ftpd 10.79.95.173.rdns.datacenters.com 443
D. tracert 10.79.95.173

A

Correct Answer: D

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

A compliance officer of a large organization has reviewed the firm’s vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.
Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)
A. Executing vendor compliance assessments against the organization’s security controls
B. Executing NDAs prior to sharing critical data with third parties
C. Soliciting third-party audit reports on an annual basis
D. Maintaining and reviewing the organizational risk assessment on a quarterly basis
E. Completing a business impact assessment for all critical service providers
F. Utilizing DLP capabilities at both the endpoint and perimeter levels

A

Correct Answer: AE

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.
As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?
A. Copies of prior audits that did not identify the servers as an issue
B. Project plans relating to the replacement of the servers that were approved by management
C. Minutes from meetings in which risk assessment activities addressing the servers were discussed
D. ACLs from perimeter firewalls showing blocked access to the servers
E. Copies of change orders relating to the vulnerable servers

A

Correct Answer: C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:

11: 03:09.095091 IP 10.1.1.10.47787 > 128.50.100.3.53:48202+ A? michael.smith.334-54-2343.985-334-5643.1123-kathman-dr.ajgidwle.com.
11: 03:09.186945 IP 10.1.1.10.47788 > 128.50.100.3.53:49675+ A? ronald.young. 437-96-6523.212-635-6528.2426-riverland-st.ajgidwle.com.
11: 03:09.189567 IP 10.1.1.10.47789 > 128.50.100.3.53:50986+ A? mark.leblanc. 485-63-5278.802-632-5841.68951-peachtree-st.ajgidule.com.
11: 03:09.296854 IP 10.1.1.10.47790 > 128.50.100.3.53:51567+ A? gina.buras. 471-96-2354.313-654-9254.3698-mcghee-rd.ajgidwle.com.

Which of the following can the analyst conclude?
A. Malware is attempting to beacon to 128.50.100.3.
B. The system is running a DoS attack against ajgidwle.com.
C. The system is scanning ajgidwle.com for PII.
D. Data is being exfiltrated over DNS.

A

Correct Answer: C

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

It is important to parameterize queries to prevent __________.
A. the execution of unauthorized actions against a database.
B. a memory overflow that executes code with elevated privileges.
C. the establishment of a web shell that would allow unauthorized access.
D. the queries from using an outdated library with security vulnerabilities.

A

Correct Answer: A
Reference:
https://stackoverflow.com/questions/4712037/what-is-parameterized-query

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

Serveri
22/tcp open
80/tcp open
443/tcp open
Server2
PC1
PC2
3389/tcp open 80/tcp open 80/tcp open
53/udp open 443/tcp open 443/tcp open
1433/tcp open
Firewall ACL
10 permit tcp from:any to:serverl: www
15 permit udp from:lan-net to:any: dns
16 permit udp from any to:server2: dns
20 permit tcp from:any to server1:ssl
25 permit tcp from:lan-net to:any: www
26 permit tcp from:lan-net to:any:ssl
27 permit tcp from: any to pc2:mssql
30 permit tcp from:any to serverl:ssh
100 deny ip any any
Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?
A. PC1
B. PC2
C. Server1
D. Server2
E. Firewall
A

Correct Answer: E

17
Q

During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?
A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. A firewall rule that will block traffic from the specific IP addresses

A

Correct Answer: D

18
Q

A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:

[root@www18 /tmp) # uptime
19:23:35 up 2:33, 1 user, load average: 87.22, 79.69, 72.17
[root@www18 /tmp] # crontab-1
* * *
* * /tmp/.t/t
[root@www18 /tmp) # ps ax | grep tmp
1325 ? Ss 0:00
/tmp/.t/t
[root@www18 /tmp]# netstat -anlp
tcp 0 0 0.0.0.0:22 172.168.0.0:* ESTABLISHED 1204/ sshd
0 127.0.0.1:631 0.0.0.0:* LISTEN
1214/cupsd
tcp 0
0 0.0.0.0:443 0.0.0.0:* LISTEN
1267/httpd
tcp 0

Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?
A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B. Examine the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

A

Correct Answer: B

19
Q

A Chief Information Security Officer (CISO) wants to upgrade an organization’s security posture by improving proactive activities associated with attacks from internal and external threats.
Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?
A. Development of a hypothesis as part of threat hunting
B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans

A

Correct Answer: A

20
Q

While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security.
To provide the MOST secure access model in this scenario, the jumpbox should be __________.
A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.
B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.
C. bridged between the IT and operational technology networks to allow authenticated access.
D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

A

Correct Answer: A

21
Q

A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.
Which of the following should be done to correct the cause of the vulnerability?
A. Deploy a WAF in front of the application.
B. Implement a software repository management tool.
C. Install a HIPS on the server.
D. Instruct the developers to use input validation in the code.

A

Correct Answer: B

22
Q

A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log:

Line User
Time
36570 DEV12 02.01.13.151219
36571 JAVASHARK 02.01.13.151255
36572 DEV12 02.01.13.151325
36573 CHATTER14 02.01.13.151327
36574 PYTHONFUN 02.01.13.151330
36575 DEV99 02.01.13.151358
Command
KICK DEV27
JOIN #CHATOPS e 32 kk10
PART #CHATOPS
JOIN';CAT ../etc/config'
PRIVMSG DEV99 "?"
PRIVMSG PYTHONFUN "OK"
Result
OK
OK
OK
OK
OK
OK
Which of the following commands would work BEST to achieve the desired result?
A. grep -v chatter14 chat.log
B. grep -i pythonfun chat.log
C. grep -i javashark chat.log
D. grep -v javashark chat.log
E. grep -v pythonfun chat.log
F. grep -i chatter14 chat.log
A

Correct Answer: D

23
Q

An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.
Which of the following is the BEST approach for supply chain assessment when selecting a vendor?
A. Gather information from providers, including datacenter specifications and copies of audit reports.
B. Identify SLA requirements for monitoring and logging.
C. Consult with senior management for recommendations.
D. Perform a proof of concept to identify possible solutions.

A

Correct Answer: B

24
Q

A security technician is testing a solution that will prevent outside entities from spoofing the company’s email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution.
Which of the following actions should the technician take to accomplish this task?
A. Add TXT @ “v=spf1 mx include:_spf.comptia.org גˆ’all” to the DNS record.
B. Add TXT @ “v=spf1 mx include:_spf.comptia.org גˆ’all” to the email server.
C. Add TXT @ “v=spf1 mx include:_spf.comptia.org +all” to the domain controller.
D. Add TXT @ “v=spf1 mx include:_spf.comptia.org +all” to the web server.

A

Correct Answer: A
Reference:
https://blog.finjan.com/email-spoofing/