CySA+ (CS0-003) [Picture Deck] Flashcards
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:
[IMAGE #1]
Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
Correct Answer: C
This recommendation helps control which domains can access resources on the web server, enhancing security by preventing unauthorized cross-origin requests.
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:
[IMAGE #2]
Which of the following scripting languages was used in the script?
A. PowerShell
B. Ruby
C. Python
D. Shell script
Correct Answer: A
The scripting language used in the script shown in the image is PowerShell. This can be identified by the use of cmdlets like
- Get-Content
- Get-ADUser
- Add-ADGroupMember
which are specific to PowerShell, as well as the syntax such as the foreach loop and the use of curly braces {}.
The analyst reviews the following endpoint log entry:
[IMAGE #4]
Which of the following has occurred?
A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation
Correct Answer: C
Based on the log entry, it appears that a new user account was created. The log shows a command executed to add a new user with the username “invoke_u1” by the “Administrator” account.
The security team reviews a web server for XSS and runs the following Nmap scan:
[IMAGE #3]
Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter id http://172.31.15.2/1.php?id=2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
Correct Answer: D
The scan indicates that the web server reflects the characters '>' and '"' in the parameter 'id' at the URL
http://172.31.15.2/1.php?id=2
suggesting a potential reflected XSS vulnerability.
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:
[IMAGE #5]
Which of the following choices should the analyst look at first?
A. wh4dc-748gy.lan (192.168.86.152)
B. officerckuplayer.lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)
Correct Answer: E
Based on the Nmap scan results, the analyst should look at E. p4wnp1_aloa.lan (192.168.86.56) first. The hostname “p4wnp1” is associated with a Raspberry Pi-based penetration testing tool, which could potentially be used for unauthorized activities on a corporate network. This makes it a high-priority target for further investigation.
An analyst is reviewing a vulnerability report for a server environment with the following entries:
[IMAGE #6]
Which of the following systems should be prioritized for patching first?
A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228
Correct Answer: D
Given this information, D (54.74.110.228) should be prioritized for patching first due to its high CVSS score and its status as a Crown Jewel, making it critically important to protect.
A. Does not have an Exploit available.
B. Does not have an Exploit available.
C. While it does also have a high CVSS score, it is not listed as a Crown Jewel.
In this context, a Crown Jewel refers to a system or asset that is critically important to the organization’s operations. These systems are often essential for business continuity, contain highly sensitive data, or support key business functions. Because of their importance, vulnerabilities in Crown Jewel systems are prioritized for patching to ensure they remain secure and operational.
A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:
[IMAGE #7]
Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?
A. InLoud: Cobain: Yes; Grohl: No; Novo: Yes; Smear: Yes; Channing: No
B. TSpirit: Cobain: Yes; Grohl: Yes; Novo: Yes; Smear: No; Channing: No
C. ENameless: Cobain: Yes; Grohl: No; Novo: Yes; Smear: No; Channing: No
D. PBleach: Cobain: Yes; Grohl: No; Novo: No; Smear: No; Channing: Yes
Correct Answer: B
TSpirit should be patched first as it has ‘Yes’ for all three key metrics (Cobain, Grohl, Novo), indicating it is exploitable by malware, externally facing, and has an exploit proof of concept available.
A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:
[IMAGE #8]
Which of the following should be completed first to remediate the findings?
A. Ask the web development team to update the page contents
B. Add the IP address allow listing for control panel access
C. Purchase an appropriate certificate from a trusted root CA
D. Perform proper sanitization on all fields
Correct Answer: D
Based on the table provided, the most critical issue to address first is the acceptance of all user input on forms, which has a high impact and low complexity. Therefore, the best course of action would be:
D. Perform proper sanitization on all fields
This step is crucial to prevent various types of attacks, such as SQL injection, and ensures the security of the web server.
A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
[IMAGE #12]
Which of the following log entries provides evidence of the attempted exploit?
A. Log entry 1
B. Log entry 2
C. Log entry 3
D. Log entry 4
Correct Answer: A
The log entry that provides evidence of an attempted exploit for a zero-day command injection vulnerability is:
A. Log entry 1
This entry contains an injected command (java.lang.Runtime@getRuntime().exec("nslookup example.com")) within a URL, which is indicative of an attempt at command injection. This type of attack involves executing arbitrary commands on the host system.
A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation for the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:
[IMAGE #9]
Which of the following vulnerabilities should be prioritized for remediation?
A. 1
B. 2
C. 3
D. 4
Correct Answer: D
Based on the CVSSv3.1 impact metrics provided in the image, the vulnerabilities should be prioritized based on their potential impact on confidentiality (C), integrity (I), and availability (A) of the system’s data.
Given the company’s primary concern is the accuracy of the data (integrity), the vulnerability with the highest impact on integrity should be prioritized.
- Vulnerability 4 has an impact metric of C:L/I:H/A:L, indicating a high impact on integrity.
Therefore, the correct answer is D. 4.
Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:
[IMAGE #10]
[IMAGE #11]
Which of the following should the security analyst prioritize for remediation?
A. rogers
B. brady
C. brees
D. manning
Correct Answer: B
Based on the information provided:
- brady has the “inter.drop” vulnerability (Remote Code Execution) on an external network segment.
- rogers has both “slow.roll” (Denial of Service) and “inter.drop” vulnerabilities on an isolated VLAN.
- manning has the “inter.drop” vulnerability on an internal network segment.
- brees has the “inter.drop” vulnerability on an internal network segment.
Given that Remote Code Execution (RCE) is a critical vulnerability and brady is on an external network segment, it should be prioritized for remediation due to the higher risk of external attacks.
An incident response team member is triaging a Linux server. The output is shown below:
[IMAGE #14]
Which of the following is the adversary most likely trying to do?
A. Create a backdoor root account named zsh.
B. Execute commands through an unsecured service account.
C. Send a beacon to a command-and-control server.
D. Perform a denial-of-service attack on the web server.
Correct Answer: A
Based on the provided image, the adversary is most likely trying to create a backdoor root account named zsh (Option A).
The unusual shell access given to the ‘nobody’ account, which typically does not have login shell access, suggests an attempt to establish persistent access with elevated privileges. This is a common tactic used to maintain unauthorized access to a system.
B. Execute commands through an unsecured service account.
- The logs and the /etc/passwd file do not indicate any activity related to executing commands through an unsecured service account. The unusual shell access given to the ‘nobody’ account is more indicative of an attempt to create a backdoor rather than exploiting an unsecured service account.
C. Send a beacon to a command-and-control server.
- There is no evidence in the logs or the /etc/passwd file that suggests communication with a command-and-control server. Typically, such activity would involve network traffic logs or specific indicators of compromise (IOCs) related to outbound connections, which are not present in the provided output.
D. Perform a denial-of-service attack on the web server.
- The logs show Java exception errors related to file upload and parsing requests, but there is no indication of a denial-of-service attack. A denial-of-service attack would likely result in logs showing repeated, high-volume requests or server resource exhaustion, which is not evident here.
The unusual shell access given to the ‘nobody’ account is the key indicator pointing towards the creation of a backdoor root account, making option A the most likely scenario.
Question #84
A security analyst is reviewing the following alert that was triggered by FIM on a critical system:
[IMAGE #13]
Which of the following best describes the suspicious activity that is occurring?
A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data.
C. A new program has been set to execute on system start.
D. The host firewall on 192.168.1.10 was disabled.
Correct Answer: C
Based on the alert details from the image, the best description of the suspicious activity is:
C. A new program has been set to execute on system start.
This is indicated by the addition of a key in the registry path
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
which is typically used to set programs to run at startup.
A technician is analyzing output from a popular network mapping tool for a PCI audit:
[IMAGE #15]
Which of the following best describes the output?
A. The host is not up or responding.
B. The host is running excessive cipher suites.
C. The host is allowing insecure cipher suites.
D. The Secure Shell port on this host is closed.
Correct Answer: C
The output from the network mapping tool indicates that the host is allowing certain cipher suites, including some that are considered insecure. This is evident from the presence of accepted cipher suites like TLS_RSA_WITH_AES_128_CBC_SHA, which are flagged as insecure.
Question #112
A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:
[IMAGE #16]
Which of the following vulnerability types is the security analyst validating?
A. Directory traversal
B. XSS
C. XXE
D. SSRF
Correct Answer: C
The code snippet in the image shows an XML DOCTYPE declaration with an ENTITY element attempting to access a system file (“/etc/shadow”). This indicates the security analyst is validating an XXE (XML External Entity) vulnerability.
Question #134
The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:
[IMAGE #18]
Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?
A. Vulnerability A
B. Vulnerability B
C. Vulnerability C
D. Vulnerability D
Correct Answer: A
Given that end users frequently click on malicious links sent via email, the analyst should be most concerned about Vulnerability A. This vulnerability has a network attack vector, low attack complexity, no authentication required, and user interaction is required. This makes it highly relevant to scenarios where users might click on malicious links, as it can be exploited over the network with minimal effort.