CYSA+ - Questions Flashcards

1
Q

During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition?
A. strings
B. head
C. fsstat
D. dd

A

The dd command is used in forensics to make raw, bit-for-bit images of a disk or partition that can then be loaded into tools like Autopsy or FTK for analysis. It extracts the raw bytes, but raw bytes are not human-readable, so it does not do what the situation asks for.

Selected Answer: A
Answer: strings

The strings command prints the runs of printable characters found in a file. It is mainly used to pull text out of non-text inputs such as binaries, data files, images or raw devices, and it helps us understand their contents. By default it reports runs of at least four printable characters; the minimum length can be changed with -n, and it can be pointed straight at the partition device or at an image of it.

Binary files contain non-printable bytes, which do not display well in a terminal. Printable characters are the human-readable part, which is what the situation asks for.

Other Info:
head - prints the first lines of a file (ten by default); it does nothing about non-printable bytes
fsstat - The Sleuth Kit command that prints file system details (type, layout, block sizes), not file contents
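How strings(1) decides what to print, as an added example that is not part of the flashcard and not the binutils source: a small C reimplementation of its printable-run scan, run over a constructed byte buffer standing in for a slice of the swap partition. The sample bytes, the host name fileshare.corp and the credential-looking fragments are invented; the minimum run length of 4 is GNU strings' default.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STR 128

/* Printable in the sense strings(1) uses by default: ASCII 0x20..0x7e plus tab. */
static int is_printable_byte(unsigned char c) {
    return (c >= 0x20 && c <= 0x7e) || c == '\t';
}

/* Scan buf[0..len) and copy every run of at least min_len consecutive
 * printable bytes into out[]. Runs are NUL-terminated on output and, to keep
 * the example bounded, cut at MAX_STR-1 bytes. Returns the number of runs
 * stored (at most max_out). */
size_t extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                       char out[][MAX_STR], size_t max_out) {
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= len; i++) {
        /* A run ends at the first non-printable byte or at end of buffer. */
        if (i < len && is_printable_byte(buf[i]))
            continue;
        size_t run = i - start;
        if (run >= min_len && found < max_out) {
            size_t n = run < MAX_STR - 1 ? run : MAX_STR - 1;
            memcpy(out[found], buf + start, n);
            out[found][n] = '\0';
            found++;
        }
        start = i + 1;
    }
    return found;
}

/* Constructed stand-in for a few bytes of a swap partition: binary noise
 * around fragments of paged-out process memory. Not real swap data. */
static const unsigned char sample_swap[] =
    "\x00\x01\x02user=jsmith\x00\xff\x80ok\x00"
    "https://fileshare.corp/login?token=abc123\x00\x7f\x01"
    "\x03PASSWORD=Winter2024!\x00\x00";

/* Run the extractor over the sample with strings(1)'s default minimum of 4. */
size_t demo_swap_strings(char out[][MAX_STR], size_t max_out) {
    return extract_strings(sample_swap, sizeof sample_swap - 1, 4, out, max_out);
}

int main(void) {
    char out[16][MAX_STR];
    size_t n = demo_swap_strings(out, 16);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", out[i]);   /* the two-byte "ok" run is dropped */
    return 0;
}
```

Against the real partition you would run the equivalent of `strings -n 8 /dev/sdb2` (or the same command on a dd image of it) and grep the output for user names, URLs and the like; raising the minimum length cuts down the noise from short accidental runs of printable bytes.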

2
Q

A consultant is evaluating multiple threat intelligence feeds to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client’s attack surface?
A. Ask for external scans from industry peers, look at the open ports, and compare information with the client.
B. Discuss potential tools the client can purchase to reduce the likelihood of an attack.
C. Look at attacks against similar industry peers and assess the probability of the same attacks happening.
D. Meet with the senior management team to determine if funding is available for recommended solutions.

A

C. Look at attacks against similar industry peers and assess the probability of the same attacks happening would be the best approach for the consultant to consider when modeling the client’s attack surface. By examining similar industry peers, the consultant can gain insight into what types of threats and attacks are most prevalent in that industry, and use that information to assess the potential risks for the client. This approach can help the consultant to identify which threats are most likely to impact the client and prioritize the resources needed to mitigate those

3
Q

An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?
A. Infrastructure
B. Capabilities
C. Adversary
D. Victims

A

Selected Answer: A
Per CompTIA's write-up of the Diamond Model (https://www.comptia.org/blog/think-like-a-hacker-3-cybersecurity-models-used-to-investigate-intrusions):

Adversary: The persona of the individual or group attacking you

Infrastructure: IP addresses, domain names or email addresses

Capabilities: What the adversary can do (e.g., malware, exploits, manipulate infrastructure)

Victim: Can include people, services, network assets or information

4
Q

While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk. The analyst sees the following on the laptop’s screen:
[*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORP\jsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7…
[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORP\progers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A…
Which of the following is the BEST action for the security analyst to take?
A. Force all users in the domain to change their passwords at the next login.
B. Disconnect the laptop and ask the users jsmith and progers to log out.
C. Take the FILE-SHARE-A server offline and scan it for viruses.
D. Initiate a scan of devices on the network to find password-cracking tools.

A

Selected Answer: B
The output on the laptop looks like the authentication service has been poisoned, and 2 accounts have been compromised.
Requiring all users to change their passwords could be overkill, if there isn’t more to this output.
Though taking the server offline and scanning it for viruses may be a good idea, this answer does nothing to remediate the compromised accounts, which would be my main concern given the scenario.
Disconnecting the laptop and remediating the compromised hashes would be the best course of action in my opinion, as this would stop the poisoning and prevent any unauthorized access from cracking the hashes.
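Triage of the captured output, as an added example that is not part of the flashcard and not from the Responder project: a C routine that walks lines in the format shown on the laptop, counts the poisoned replies and builds the de-duplicated list of accounts whose NetNTLMv2 responses were captured, which is the reset list. The sample lines are constructed to mirror the screen in the question (same names and addresses) with one extra repeat of jsmith to show why de-duplication is needed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ACCT_LEN 64

/* Constructed lines in the shape Responder prints; not captured from a real
 * network. The hashes are truncated exactly as the question shows them. */
static const char *const sample_output[] = {
    "[*] [NBT-NS] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A (service: File Server)",
    "[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A",
    "[SMBv2] NTLMv2-SSP Client : 192.168.23.115",
    "[SMBv2] NTLMv2-SSP Username : CORP\\jsmith",
    "[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...",
    "[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A",
    "[SMBv2] NTLMv2-SSP Client : 192.168.23.24",
    "[SMBv2] NTLMv2-SSP Username : CORP\\progers",
    "[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A...",
    "[*] [NBT-NS] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A (service: File Server)",
    "[SMBv2] NTLMv2-SSP Username : CORP\\jsmith",
};
#define SAMPLE_LINES (sizeof sample_output / sizeof sample_output[0])

static int already_listed(char accounts[][ACCT_LEN], size_t n, const char *acct) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(accounts[i], acct) == 0)
            return 1;
    return 0;
}

/* Walk the poisoner's output: count poisoned name-resolution replies and
 * collect the distinct DOMAIN\user accounts whose NetNTLMv2 responses were
 * captured. Those accounts are the reset list; the responses are crackable
 * offline, so the list matters more than the hash values themselves.
 * Returns the number of distinct accounts stored (at most max_accounts). */
size_t triage_poisoner_output(const char *const lines[], size_t nlines,
                              char accounts[][ACCT_LEN], size_t max_accounts,
                              size_t *poison_events) {
    static const char user_tag[] = "NTLMv2-SSP Username : ";
    size_t nacct = 0;
    *poison_events = 0;
    for (size_t i = 0; i < nlines; i++) {
        if (strstr(lines[i], "Poisoned answer sent to")) {
            (*poison_events)++;
            continue;
        }
        const char *acct = strstr(lines[i], user_tag);
        if (!acct)
            continue;
        acct += sizeof user_tag - 1;              /* skip the tag itself */
        if (nacct >= max_accounts || already_listed(accounts, nacct, acct))
            continue;
        snprintf(accounts[nacct], ACCT_LEN, "%s", acct);
        nacct++;
    }
    return nacct;
}

size_t demo_triage(char accounts[][ACCT_LEN], size_t max_accounts, size_t *poison_events) {
    return triage_poisoner_output(sample_output, SAMPLE_LINES, accounts, max_accounts, poison_events);
}

int main(void) {
    char accounts[8][ACCT_LEN];
    size_t events;
    size_t n = demo_triage(accounts, 8, &events);
    printf("%zu poisoned replies; %zu account(s) to reset:\n", events, n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", accounts[i]);
    return 0;
}
```

The order of operations matches option B: pull the laptop off the switch first so no more responses are captured, then reset the listed accounts (their captured NetNTLMv2 responses can be cracked offline at leisure). To remove the vector rather than just this instance of it, disable LLMNR by Group Policy (Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NetBIOS over TCP/IP on the adapters, so that a mistyped share name no longer goes out as a broadcast anyone can answer.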

5
Q

A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement?
A. Data masking procedures
B. Enhanced encryption functions
C. Regular business impact analysis functions
D. Geographic access requirements

A

Selected Answer: D
Data Sovereignty means that data is subject to the laws and regulations of the geographic location where that data is collected and processed. Data sovereignty is a country-specific requirement that data must remain within the borders of the jurisdiction where it originated. At its core, data sovereignty is about protecting sensitive, private data and ensuring it remains under the control of its owner.
You’re only worried about that if you’re in multiple locations. Hence the best answer is D.
https://www.virtru.com/blog/gdpr-data-sovereignty-matters-globally

6
Q

Which of the following is a difference between SOAR and SCAP?
A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics.
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does.
D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.

A

Selected Answer: B
I think this was supposed to be a very easy question if you know and understand what these two things are. But these are very different things. But I’ll do my best to spell it out.

SOAR is used to automatically detect known bad traffic and implement a series of preapproved steps to alleviate the need for more workers. There are many tools that perform this function.
https://www.fortinet.com/resources/cyberglossary/what-is-soar
Tool Examples:
https://geekflare.com/best-soar-tools/

SCAP automates vulnerability management and policy compliance evaluation. It was developed by RHEL and the US Gov’t to automate the implementation of STIGs. It scans for those STIGs/VULNs and will patch them automatically based on the defined rules implemented. It was originally a single tool that is now a suite that covers different areas of concern.
https://www.youtube.com/watch?v=5PA9r9oaHUY

Ultimately, SOAR is a conceptualization that many tools are built for while SCAP is a Tool Suite that has a much smaller scope and almost completely different purpose.

7
Q

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:
Port State Service
21/tcp Open FTP
80/tcp Open HTTP
443 /tcp Open HTTPS
1443/tcp Open Database
Which of the following ports should be closed?
A. 21
B. 80
C. 443
D. 1433

A

Selected Answer: D
The question asks about a “WEB SERVER”, so you may need FTP to download and upload files. HTTP and HTTPS are also a must for a web server. Do not think that because HTTP is not secure it should be closed; that is not how systems work in real life. Companies use HTTP and HTTPS, providing reliable, secure configurations on top of HTTP. That leaves one port, 1433, the SQL database server, which you do not need on a web server. Remember, you may need FTP on a web server when you are dealing with file download/upload.

8
Q

While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?
A. Hacktivist
B. Nation-state
C. Insider threat
D. Organized crime

A

Selected Answer: A
CompTIA CySA+ Study Guide, page 104: Hacktivists are activists who use hacking as a means to a political or philosophical end.

9
Q

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:
A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.

A

Selected Answer: A
“an incident” = so not B…. Diamond Model has nothing to do with tracking training or time tracked, so not D or E.
I was thinking C because the Diamond Model is very evidence based, but it states forensics. That's likely outdated unless hard drives were kept.
But A seems like a decent possibility as Diamond Model also focuses on enumerating the adversary and developing countermeasures.

10
Q

An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?
A. SCADA
B. CAN bus
C. Modbus
D. IoT

A

Selected Answer: B
Answer is B.

Vehicles and Drones (CAN Bus)
Automobiles and unmanned aerial vehicles (UAV), or drones, contain sophisticated electronics to control engine and power systems, braking and landing, and suspension/stability. Modern vehicles are increasingly likely to have navigation and entertainment systems, plus driver-assist or even driverless features, where the vehicle’s automated systems can take control of steering and braking. The locking, alarm, and engine immobilizer mechanisms are also likely to be part of the same system. Each of these subsystems is implemented as an electronic control unit (ECU), connected via one or more controller area network (CAN) serial communications buses. The principal external interface is an Onboard Diagnostics (OBD-II) module. The OBD-II also acts as a gateway for multiple CAN buses

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:
    char filedata[100];
    fp = fopen("access.log", "r");
    strcpy(filedata, fp);
    printf("%s\n", filedata);
Which of the following should a security analyst recommend to fix the issue?
A. Open the access.log file in read/write mode.
B. Replace the strcpy function.
C. Perform input sanitization.
D. Increase the size of the filedata buffer.

A

Selected Answer: B
The snippet declares a fixed 100-byte buffer and then fills it with strcpy, which copies until it meets a NUL byte and never checks the destination size. Any log line of 100 bytes or more overruns filedata and corrupts the adjacent stack, which produces the crashes observed (or, with attacker-controlled log content, something worse than a crash). Note also that fp is a FILE*, not a string, so strcpy(filedata, fp) is wrong on its own terms; the copy has to become a bounded read of the file.

The fix is to replace strcpy (option B) with a length-bounded call that cannot write past the buffer: fgets(filedata, sizeof filedata, fp) for reading the file, or snprintf/strlcpy when copying from a string. strncpy is the usual suggestion but does not NUL-terminate when the source fills the buffer, so it needs an explicit terminator afterwards. Enlarging the buffer (option D) only moves the threshold at which the overflow happens; input sanitization (option C) and the file mode (option A) have nothing to do with the crash.
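The overflow and its fix side by side, as an added example written for this page (not code from the flashcard): the unbounded copy in the shape of the question's snippet, a bounded replacement that reports truncation instead of silently losing data, and the fgets loop that is the actual fix for reading access.log into a 100-byte buffer. The inputs (a 150-byte line and a short web-server log line) are constructed.

```c
#include <stdio.h>
#include <string.h>

#define FILEDATA_SZ 100

/* The shape in the question: a fixed 100-byte buffer filled by strcpy, which
 * copies until it meets a NUL byte and never looks at the destination size.
 * Shown on an in-memory source because the original passes a FILE*, which
 * is not a string at all. Calling this with 100 or more bytes of input
 * writes past filedata; this is the bug, kept here only for comparison. */
void read_line_unsafe(char filedata[FILEDATA_SZ], const char *src) {
    strcpy(filedata, src);
}

/* Hardened replacement for the copy: length-bounded and always NUL-terminated.
 * Returns 0 if the whole line fit, -1 if it had to be truncated, so the
 * caller can decide whether a truncated line is an error. (strncpy alone
 * would not do: it leaves the buffer unterminated when the source fills it.) */
int read_line_safe(char filedata[FILEDATA_SZ], const char *src) {
    int truncated = strlen(src) >= FILEDATA_SZ;
    snprintf(filedata, FILEDATA_SZ, "%s", src);
    return truncated ? -1 : 0;
}

/* The fix for the snippet as written: read the file with fgets, which stops
 * after size-1 bytes or at a newline and always NUL-terminates. Returns the
 * number of chunks printed, or -1 if the file could not be opened. */
int print_log(const char *path) {
    char filedata[FILEDATA_SZ];
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return -1;
    int chunks = 0;
    while (fgets(filedata, sizeof filedata, fp) != NULL) {
        printf("%s", filedata);       /* a line longer than 99 bytes arrives in several chunks */
        chunks++;
    }
    fclose(fp);
    return chunks;
}

/* Demonstrations on constructed input: a 150-byte log line with no newline,
 * and an ordinary short one. */
int demo_overlong_result(void) {
    char line[151], filedata[FILEDATA_SZ];
    memset(line, 'A', 150);
    line[150] = '\0';
    return read_line_safe(filedata, line);
}

size_t demo_overlong_stored_len(void) {
    char line[151], filedata[FILEDATA_SZ];
    memset(line, 'A', 150);
    line[150] = '\0';
    read_line_safe(filedata, line);
    return strlen(filedata);          /* 99: the buffer is full but terminated */
}

int demo_short_result(char filedata[FILEDATA_SZ]) {
    return read_line_safe(filedata, "10.0.0.5 - - GET /index.html 200");
}

int main(void) {
    char filedata[FILEDATA_SZ];
    printf("overlong: rc=%d stored=%zu bytes\n", demo_overlong_result(), demo_overlong_stored_len());
    printf("short: rc=%d line=%s\n", demo_short_result(filedata), filedata);
    return 0;
}
```

The truncation return value is the part worth copying into real code: a log parser that silently drops the tail of an over-long line can be fed a crafted entry that hides the interesting part past the cut-off, so either grow the buffer dynamically or treat truncation as an error.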

12
Q

A help desk technician inadvertently sent the credentials of the company’s CRM in cleartext to an employee’s personal email account. The technician then reset the employee’s account using the appropriate process and the employee’s corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT?
A. Contact the CRM vendor.
B. Prepare an incident summary report.
C. Perform postmortem data correlation.
D. Update the incident response plan.

A

Selected Answer: C
The security team should perform postmortem data correlation next after receiving notification of the incident from the help desk technician.
Postmortem data correlation is an activity that involves analyzing data from various sources (such as logs, alerts, reports, etc.) to identify root causes, impacts, indicators of compromise (IoCs), lessons learned, and recommendations for improvement after an incident
Postmortem data correlation can help the security team determine how the incident occurred and how it was detected and resolved; assess the scope and severity of the incident and its effects on confidentiality, integrity, and availability; identify any gaps or weaknesses in security controls or processes that contributed to the incident; and develop action plans or remediation strategies to prevent recurrence or mitigate future incidents.

Another explanation, with selected answer B:
Incident response phases: Preparation > Detection and Analysis > Containment > Eradication and Recovery > Post-incident Activity.
It is imperative to document the incident. This phase is very commonly referred to as lessons learned…
All phases through Eradication and Recovery were accomplished, so the next step is phase 5.

13
Q

A company’s blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?
A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.
B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.

A

Selected Answer: C
Correct option is C.

Statement: Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.

Explanation:

Ranking the list by severity keeps the entries that matter most within the capacity of the existing ACLs and IPS signatures, which is what the question asks for (a change to the existing controls, which rules out a new host-file solution or an IDS). Trimming the lower-severity entries also shrinks the signature set, so matching is faster and the list is easier to maintain, which reduces the risk of configuration errors and outages and is usually cheaper than buying more capacity.

14
Q

The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year. Below is the incident register for the organization:

Which of the following should the organization consider investing in FIRST due to the potential impact of availability?
A. Hire a managed service provider to help with vulnerability management
B. Build a warm site in case of system outages
C. Invest in a failover and redundant system, as necessary
D. Hire additional staff for the IT department to assist with vulnerability management and log review

A

Selected Answer: C

The key word is availability, so in that case it would have to be B or C. You can’t be available for business with no storage or ways to access it if the primary goes down. Although I do agree that they do need to do some kind of company change to looking at their logs, this question seems to be leaning towards storage.
