CompTIA CySA+ Exam Questions

Page 8 of 53

141.

ntoskrnl.exe, smss.exe, and winlogon.exe are all examples of what category of software?

  • System processes

  • Firewalls

  • IPS/IDS

  • File managers

Correct answer: System processes

System processes perform core operating system functions. ntoskrnl.exe (Core NT Kernel Process), smss.exe (Session Manager), and winlogon.exe (Logon Process) are all examples of system processes on a Windows operating system. They are not firewalls, IPS/IDS (Intrusion Prevention System/Intrusion Detection System), or file managers.

142.

A vulnerability scanner incorrectly identified normal network activity as an attack. This is an example of what type of scan result?

  • False positive

  • False negative

  • True positive

  • True negative

Correct answer: False positive

A false positive occurs when a scanner incorrectly identifies activity or results as a threat or vulnerability.

A false negative occurs when a scanner fails to identify a threat or vulnerability. 

The scanner was incorrect, so true positive and true negative do not apply. 

143.

What does the Linux dd command's "of" flag specify?

  • The destination file an input file will be copied to

  • The source file the dd command will copy

  • Network port

  • Network address

Correct answer: The destination file an input file will be copied to

dd is a Linux utility that is often used for cloning drives. The dd utility creates images in RAW format. The RAW format is a bit-by-bit format and bit-by-bit copies are an important aspect of effective forensics. Common flags used with the dd utility are:

  • "bs" to specify a block size (using the native block size for a device can significantly increase the speed of the copying process)
  • "if" to specify an input file that will be copied
  • "of" to specify an output file that the input file will be copied to 

144.

Charlie, a security analyst at Acme Inc., is creating a vulnerability report for a local area network. Where should Charlie list the IP addresses and hostnames of systems that are flagged as having a vulnerability?

  • Affected hosts

  • Vulnerability details 

  • Recurrence 

  • Prioritization 

Correct answer: Affected hosts

Common elements in a vulnerability report include:

  • Vulnerability details - Details such as a CVE (Common Vulnerabilities and Exposures) number and description
  • Affected hosts - IP addresses and hostname of systems found to be vulnerable 
  • Risk score - Details the risk severity in the context of the organization
  • Mitigation options - Ways to mitigate the vulnerability 
  • Recurrence - How often the vulnerability has reoccurred 
  • Prioritization - Context that helps prioritize which vulnerabilities should be addressed first

145.

What are the three key objectives of cybersecurity programs?

  • Confidentiality, integrity, and availability 

  • Encryption, networking, and threat detection

  • Risk mitigation, vulnerability management, and encryption

  • Confidentiality, privacy, and risk mitigation 

Correct answer: Confidentiality, integrity, and availability 

Confidentiality, Integrity, and Availability, also known as the CIA triad, are the three key objectives of modern cybersecurity programs.

The other answers include topics that are important to cybersecurity but are not the three key objectives CySA+ candidates should know for the exam. 

146.

Jie, a security analyst at Acme Inc., is looking for security configuration benchmarks for Windows 11 computers. What source is MOST likely to have the information Jie needs?

  • CIS website

  • Fast-flux DNS

  • NIST SP 800-88 documentation

  • Cyber Kill Chain

Correct answer: CIS website

CIS (The Center for Internet Security) is a nonprofit organization that focuses on security best practices. CIS maintains and provides security configuration benchmarks and hardening guides for different operating systems, including Windows 11 and multiple Linux distributions. 

Fast-flux DNS is when an attacker associates many IP addresses with a domain and quickly changes them.

NIST SP 800-88 defines three main types of media sanitization.

Lockheed Martin's Cyber Kill Chain is an attack framework.

147.

Jie is a software developer at Acme Inc. Jie just committed some code to make a small change to a program Acme Inc. maintains. Acme Inc. uses multiple different deployment environments for their software. Which environment will Jie's changes be deployed to FIRST? 

  • Development

  • QA

  • Test

  • Production

Correct answer: Development

Organizations typically use multiple different environments for software development. The most common environment types include:

  • Development - Where developers do their work (this environment sees the most frequent changes)
  • Test - Where testing occurs without direct impact to production
  • Production - The environment where end users use the live system

148.

"Asset Value × Exposure Factor" is the formula for which quantitative risk assessment value?

  • Single Loss Expectancy

  • Annualized Rate of Occurrence

  • Annualized Loss Expectancy

  • Return on Investment

Correct answer: Single Loss Expectancy

SLE is calculated as SLE = Asset Value × Exposure Factor. 

Key metrics involved in many quantitative risk assessments include:

  • AV (Asset Value) - The value of the asset associated with the risk in question. This value is typically represented as a unit of currency (e.g., dollars or Euros). 
  • ARO (Annualized Rate of Occurrence) - The probability the risk will occur within a given year. A risk that is likely to occur twice a year will have an ARO of 2. A risk that is expected to occur once every ten years has an ARO of 0.1. 
  • EF (Exposure Factor) - The percentage of an asset that is expected to be lost or damaged if a risk manifests itself as an incident. A total loss would be 100%. Loss of half of an asset’s AV would be 50%.
  • SLE (Single Loss Expectancy) - The amount of financial loss expected if a risk actually occurs. SLE is calculated as SLE = AV × EF.
  • ALE (Annualized Loss Expectancy) - The amount of financial loss expected to be caused by a risk on a yearly basis. ALE is calculated as ALE = SLE × ARO. 

149.

What is the intended purpose of a DNS zone transfer?

  • Replicate DNS databases

  • Deploy a new website

  • Verify SSL certificates

  • Perform a reverse DNS lookup

Correct answer: Replicate DNS databases

The intended purpose of a DNS zone transfer is to replicate DNS records to other DNS servers. However, zone transfers are also useful sources of intelligence that can be used as part of reconnaissance. These two commands can be used to attempt to perform a zone transfer:

host -t axfr <domain> <DNS server>
dig axfr @<DNS server> <domain>

150.

Pulverization is an example of what type of media sanitization?

  • Destroy

  • Purge

  • Clear

  • Degauss

Correct answer: Destroy

NIST SP 800-88 defines three main types of media sanitization. They are:

  • Clear - Clearing uses standard logical techniques like read and write operations; clearing provides protection against basic noninvasive data recovery attempts
  • Purge - Purging uses state-of-the-art lab techniques, such as block erase and cryptographic erase, to sanitize media and make data recovery more difficult than clearing
  • Destroy - Destroying storage media makes data recovery infeasible; disintegration, pulverization, and incineration are examples of destruction techniques

Degaussing is a specific form of purging that uses magnetic fields to modify data on a storage device. 

151.

Lucian, a security engineer at Acme Inc., is setting up to clone a volume from another system. Lucian is using a Linux workstation to perform the work. Lucian is at the command prompt in an empty home directory and runs the command: 

mkdir ~/clone

What will this command do?

  • Create a "clone" directory in the home directory

  • Clone the drive

  • Delete the "clone" directory

  • Create a baseline image

Correct answer: Create a "clone" directory in the home directory

The command "mkdir" is used to create directories on Linux systems. The command "mkdir ~/clone" will attempt to create a "clone" directory in the user's home directory (signified by "~/").

152.

Which grep flag is used to return all the lines that do NOT match the string specified?

  • -v

  • -r

  • -i

  • -n

Correct answer: -v

The grep command is used to search files for patterns and return the content that matches. The grep command supports different flags that modify its behavior. For example, the -i flag makes a grep search case insensitive (case-sensitive matching is the default behavior).

Other common grep flags include:

  • "-c" counts how many matches there are for a specific pattern
  • "-n" shows the line and line number for a match
  • "-v" shows all lines that are not a match
  • "-r" reads files under a directory recursively
  • "-e" searches a specified pattern(s)

153.

Ira, a penetration tester contracted by Acme Inc., runs an active vulnerability scan on an Acme Inc. network. Which of the following are TRUE about active scans?

Select all that apply.

  • They scan for open ports

  • They are likely to be blocked by firewalls

  • They typically scan all the systems in a given network range

  • They monitor network traffic for signs of vulnerabilities

Correct answers: They scan for open ports; They are likely to be blocked by firewalls; They typically scan all the systems in a given network range

An active vulnerability scan aims to scan every system in a given range by scanning for open ports and vulnerable applications.

Active scans can be blocked by firewalls in the same way other network traffic can be blocked. Active scanners are also easier to detect because they proactively probe target systems (this is why active scans are described as "noisy").

Passive vulnerability scans monitor network traffic for signatures that suggest there are vulnerable apps and services on a network. Passive scans typically complement, but do not replace, active scans.

154.

Which of the following is a valid logging BEST practice? 

  • Logs should be protected from changes

  • Organizations should always use the highest logging level

  • Logs should only be transported via MQTTS

  • Organizations should always use the lowest logging level

Correct answer: Logs should be protected from changes

Log records should be immutable so they provide an accurate and reliable record of what actually occurred. Protecting log records from changes is an important part of maintaining their integrity. 

There is no one-size-fits-all standard for the right logging level for an organization. Organizations should choose the logging level that balances capturing information, avoiding "floods" of data that are not useful, and storage. 

MQTTS is a network protocol that devices may use to transmit data, but it is not a best practice to use MQTTS only for log transmission. 

155.

Which vulnerability scan perspective BEST represents the perspective of a malicious employee?

  • Internal scan

  • External scan

  • Agent-based scan

  • CIS scan

Correct answer: Internal scan

An internal scan is run from within an organization's network. An internal scan provides a perspective comparable to that of an insider threat. A malicious employee is an example of an insider threat.

An external scan is run from outside the network, typically from the Internet. This perspective is comparable to that of outside threat actors. 

An agent-based scan is a type of scan that involves a special software agent running on the systems being scanned. 

CIS (The Center for Internet Security) is a nonprofit organization that focuses on security best practices. CIS maintains and provides security configuration benchmarks and hardening guides for different operating systems including Windows 11 and multiple Linux distributions. CIS scan is a distractor answer.

156.

Which of the following statements about OpenID is FALSE?

  • It supports authorization

  • It supports authentication

  • It is a federated identity technology.

  • Replay attacks are a potential security risk when using OpenID

Correct answer: It supports authorization

OpenID is a federated identity technology that supports authentication. OpenID does not support authorization. Potential security risks related to OpenID include redirect manipulation, phishing, and replay attacks.

157.

Dani, a security analyst at Acme Inc., is analyzing a compromised server. The hard drive in the server is corrupt. Dani wants to find information such as file character counts and text content for files on the drive. Which file carving technique is BEST for this requirement? 

  • Content-based

  • Header-based

  • File structure-based

  • Windows-based

Correct answer: Content-based

File carving is a popular forensic analysis technique used when a filesystem is damaged and data cannot be easily recovered. File carving tools analyze data on a block-by-block basis and look for indicators of what was on a drive, such as file headers or partially intact files.

The three common types of file carving are: 

  • Header and footer-based carving that looks at header and footer data in files
  • Content-based carving that looks for information in files (e.g., text recognition)
  • File structure-based carving that looks at information related to file structures

158.

What does this Cisco router ACL snippet do?

access-list deny tcp any any eq 22

  • Block traffic to the default SSH port 

  • Block traffic to the default Telnet port 

  • Allow traffic to the default FTP port

  • Allow traffic to the default Telnet port 

Correct answer: Block traffic to the default SSH port

Cisco extended ACL (Access Control List) rules are typically formatted as:

access-list <number> {permit | deny} <protocol> <source> <source wildcard> <destination> <destination wildcard> [eq <port>]

"any" can be used in place of a network range that would otherwise be specified as <address> <wildcard mask>.

Here is a breakdown of the ACL:

  • deny - Block matching traffic.
  • tcp - The traffic is TCP traffic.
  • any - Any source address.
  • any - Any destination address.
  • eq 22 - The destination port is 22.

TCP 22 is the default SSH port.

159.

What BEST describes planning poker?

  • An estimation technique 

  • A design thinking methodology

  • A tabletop exercise

  • A stage in spiral development

Correct answer: An estimation technique 

Planning poker is an agile estimation technique where participants use estimation cards and reveal bids that represent the effort they think is required for a task. It is not a design thinking methodology.

Spiral is similar to waterfall, but it iterates through four stages (identification, design, build, and evaluation) multiple times. The spiral model heavily emphasizes risk assessment in software development.

Tabletop exercises, also known as TTX, are a specific type of role-playing activity that can help identify areas where cybersecurity posture can be improved. 

160.

Mahan, a network engineer at Acme Inc., creates separate VLANs for a guest network, administrative network, and datacenter network. This is an example of what type of proactive strategy? 

  • Network segmentation

  • RCA

  • Playbooking 

  • Waterfall policy

Correct answer: Network segmentation

Network segmentation is the logical isolation of networks that can help limit the spread of malware and attacker movement if a network device or node is compromised. Separating networks into smaller VLANs (Virtual Local Area Networks) is an example of network segmentation.

RCA (Root Cause Analysis) is not a proactive strategy. 

Playbooks are useful tools to create repeatable step-by-step incident response processes.

Waterfall methodology is a software development method where steps occur sequentially and one step is completed before the next begins.