CSNT 250 - CySA+


Ch.3 A security program alerts you of a failed login attempt to a secure system. On investigation, you learn a legitimate user accidentally had caps lock turned on. What kind of alert was it? Choose the best response.

False positive

Ch.6 After performing a vulnerability scan on a database server, you manually verify that each reported vulnerability exists on the server. What are you looking for? Choose the best response.

False positives

Ch.8 What kind of threats can executable analysis most effectively help you find? Choose the best response.

Fileless malware

Ch.1 While constructing threat models, you attempt to determine the risk of someone accessing confidential data in an executive's personal folder. Under the STRIDE model, what kind of threat is that? Choose the best response.

Information Disclosure

Ch.6 For an outside attacker, what reconnaissance method is much easier on wireless networks than wired ones? Choose the best response.

Packet capture

Ch.6 Your organization is expanding its use of AWS cloud infrastructure. After your team scans and hardens it, a red team will perform a penetration test while you defend it. Which of the following tools would be more useful to a red team member than to your blue team? Choose the best response.

Pacu

Ch.9 Which of the following is not true about privacy? Choose the best response.

Personal information is only PII when it is sufficient to identify a person.

Ch.4 You overhear the end of a conversation about a recent series of attacks against your organization. Your supervisor says email filters might help but the solution is going to have to rely partly on security awareness training for end users. What kind of vulnerability is most likely being discussed? Choose the best answer.

Phishing

Ch.6 As a penetration tester you want to get a username and password for an important server, but lockout and monitoring systems mean you'll be detected if you try brute force guessing. What techniques might directly find the credentials you need? Choose all that apply.

Phishing; Packet capture; Social engineering

Ch.2 What order are the steps of the Deming cycle? Choose the best response.

Plan, Do, Check, Act

Ch.4 In further analysis of the web application, you've discovered a hidden combination of commands any authenticated user can use to unlock a management console that gives administrative access to the application. What kind of vulnerability have you uncovered? Choose the best response.

Privilege escalation

Ch.2 You're using CMMI (Capability Maturity Model Integration) as a maturity model for application development. What maturity level are you at if you've just established organized testing and evaluation of security processes and controls for the application? Choose the best response.

Qualitatively Managed

Ch.4 What application vulnerability can be exploited by providing a series of normal data inputs with a specific sequence and timing? Choose the best response.

Race condition

Ch.5 Your organization has decided to outsource a few IT services to a cloud provider. They're hosted outside your enterprise network, but you want to centrally manage all authentication, encryption, activity logging, and other security policies for connections between local computers and the cloud. What security solution would address these issues? Choose the best response.

Security broker

Ch.1 You've found signs of unauthorized access to a web server, and on further review, the attacker exploited a software vulnerability you didn't know about. On contacting the vendor of the server software, you learn that it's a recently discovered vulnerability, but a hotfix is available pending the next software update. What kind of vulnerability did they exploit? Choose the best response.

Unknown

Ch.1 Match the script file formats with their scripting environments.

.bat - Windows Cmd Prompt
.js - JavaScript
.ps1 - Windows PowerShell
.py - Python Interpreter
.sh - Unix Shell
.rb - Ruby Interpreter

Ch.3 Order the steps of a complete risk assessment.

1. Identify assets at risk
2. Conduct a threat assessment
3. Analyze business impact
4. Evaluate threat possibility
5. Prioritize risks
6. Create a mitigation strategy

Ch.1 Order the steps of the Intelligence cycle.

1. Requirements
2. Collection
3. Analysis
4. Dissemination
5. Feedback

Ch.8 In the following log entry, what is the destination IP and port number? Choose the best response.
Sep 3 15:12:20 192.168.99.1 Checkpoint: 3Sep2007 15:11:41 drop 192.168.99.1 >eth8 rule: 134; rule_uid: {11111111-2222-3333-BD17-711F536C7C33}; src: 192.168.99.195; dst: 192.168.56.10; proto: tcp; product: VPN-1 & FireWall-1; service: 3013; s_port: 1352;

192.168.56.10, port 3013

Ch.9 You're reviewing an automated password reset system. Which element is the most significant security risk? Choose the best response.

Users can verify their identities by answering challenge questions such as their childhood street or mother's maiden name.

Ch.3 Your supervisor wants a systematic way to find missing or misconfigured security controls on your production network. Still, it's unfortunately full of critical services fragile enough to have problems when they receive excessive or non-standard traffic. Ideally, you should use the least intrusive method possible. Which of the following would you recommend? Choose the best response.

A credentialed vulnerability scan

Ch.4 According to firewall logs, exactly every ten minutes a host on your internal network is attempting to contact a foreign network domain that you've seen associated with criminal activity. What kind of attack is the most likely explanation? Choose the best response.

A malware infection on an internal workstation

Ch.5 This morning, your threat intelligence feeds reported a serious API vulnerability in the serverless architecture technologies used by your CSP. Your company utilizes several services from that provider. Which is most likely to be directly affected by the vulnerability or subsequent API changes? Choose the best response.

A microservice-based application developed in-house for inventory management

Ch.8 As part of improving email analysis, you've been asked to verify whether your email system is now DKIM compliant. What requirement is most important for the system to check for? Choose the best response.

A public key in a DNS TXT entry for each trusted server

Ch.8 You're reviewing a firewall log. Which of the following entries might merit closer investigation even if they only happen once? Select all that apply.

A successful attempt to log into the firewall interface by an unfamiliar internet address.

Ch.2 For regulatory compliance, you're required to use unique user IDs for all computer access. There's one isolated critical system that doesn't support user-based access and must be used by multiple people. What might be a valid compensatory control? Choose the best response.

Using security cameras and a logbook to track access to the computer itself

Ch.1 Through your organization, you've seen a pattern of attacks of different types. Login attempts, malware, phishing emails, application exploits, and so on. None of the individual techniques are that exotic or hard to stop, but they're seemingly endless, and most seem to be the work of the same group of attackers. What kind of threat is this? Choose the best response.

APT - Advanced Persistent Threat

Ch.7 One of the router's interfaces just failed. When it reports the event to its Syslog server, what severity level would indicate it needs immediate attention, but that the router is not entirely unusable? Choose the best response.

Alert

Ch.8 An ordinarily quiet host has suddenly started to generate a lot of traffic, but due to the size of the network, it hasn't made much impact on overall network utilization. What kind of analytics would most likely highlight it as a potential problem? Choose the best response.

Anomaly analysis

Ch.6 You want to perform a vulnerability scan on a web application with a SQL backend. Which tool would be most appropriate? Choose the best response.

Arachni

Ch.4 Your organization purchases a variety of industrial systems with embedded computers. One of your vendors recently moved from ASIC-based logic to FPGAs in critical components. What new supply chain threats do you need to worry about? Choose the best response.

Attackers can reprogram FPGA configurations but cannot do so to an ASIC

Ch.2 A third-party team is going to formally examine your organization's overall security practices to make sure they meet regulatory compliance goals. Your organization may be fined if it fails. What would this verification process best be called? Choose the best response.

Audit

Ch.8 The documentation for your company's existing threat hunting program doesn't clearly describe the methodology for hypothesis development, but it speaks a lot about crown jewels analysis. What is its most likely methodology? Choose the best response.

Awareness-driven

Ch.4 You've been tracking unauthorized access to a web application. On examining the source code you find a hidden routine that allows access to any account using the password wrtsglz, regardless of the normal password associated with that account. What kind of vulnerability have you uncovered? Choose the best response.

Backdoor

Ch.3 Once a third-party penetration test begins, it's your job to secure the network and stop attacks before the penetration testers achieve their goal. What team are you on? Choose the best response.

Blue team

Ch.4 An attack on your web application began with a long string of numbers sent to a field that's only supposed to hold a four-digit variable. What kind of attack was it? Choose the best response.

Buffer overflow

Ch.4 You're testing an unknown program on a VM to make sure it isn't malware. Another security analyst suggests disabling the hypervisor's resource sharing features first. What kind of attack is this step meant to discourage? Choose the best response.

VM escape

Ch.1 Which of the following describe machine learning systems? Select all that apply.

By feeding unlabeled baseline data into the system, you can train it in what to expect; You might find them used for anomaly-based intrusion detection.

Ch.4 You're evaluating vulnerabilities in a new line of construction vehicles. What technology is most likely to be relevant? Choose the best response.

CAN bus

Ch.1 Your SCAP-compliant vulnerability feed includes a long list of uniquely defined vulnerabilities. Which SCAP component is used to identify each vulnerability? Choose the best response.

CVE

Ch.3 You're likely to expand the scope of a web application in the future. What element of your risk management strategy will prevent new vulnerabilities from being introduced? Choose the best response.

Change management

Ch.8 Raw data collection left you with a vast mass of unstructured network data. What analysis technique can help you initially identify suspicious patterns for more in-depth analysis? Choose the best response.

Cluster analysis

Ch.7 You're configuring a router, and want it to check the properties of incoming traffic before passing it on. What will this require? Choose the best response.

Configuring ACLs

Ch.4 Your organization maintains a SCADA network. Your previous position was limited to parts of it that used DNP3 connections, but you're about to take over vulnerability management for Modbus systems as well. Which of the following are essential differences between the two? Select all that apply.

DNP3 is non-IP, but Modbus can use TCP/IP over Ethernet; Secure Modbus must be applied through the entire network to be effective.

Ch.5 You just found an unexpected configuration change in a router's DHCP server. It now directs all connecting clients to use a non-standard, unauthorized DNS server. What kind of attack do you suspect? Choose the best response.

DNS poisoning

Ch.9 You're reviewing classification and user permissions for a newly deployed customer database. How would you best describe the role of the database administrator who configures user permissions within the database itself? Choose the best response.

Data custodian

Ch.1 Your intrusion detection system has rules to evaluate privileged operations from user accounts. You want to refine them by applying stricter standards when the user is logged on from a physical region with a lot of threat activity. What strategy are you using? Choose the best response.

Data enrichment

Ch.2 While clearing space on an old server, you've found some files associated with a long inactive account. What policy would you most importantly check to find out whether it's appropriate for them to be deleted? Choose the best response.

Data retention policy

Ch.8 Order the steps of a threat hunt.

1. Define a strategic purpose
2. Collect raw data
3. Form a hypothesis
4. Build a testing plan
5. Execute the plan
6. Take remedial action
7. Analyze results and generate feedback

Ch.6 A web server with access to customer PII has a severe vulnerability, which is going to be very time-consuming and expensive to fix. Fortunately, your company compliance officer verified that you could configure a WAF as a compensating control until you replace the server. In the meantime, how can you deal with the severe vulnerability appearing every time someone runs a scan? Choose the best response.

Document it as a security exception.

Ch.2 Your company just created the root certificate for its CA. Its private key won't be needed very often, so it will be stored in a safe the rest of the time. What security procedure could you use to make sure that no single employee can open the safe and get the key? Choose the best response.

Dual control

Ch.4 In a recent physical penetration test, the red team was able to access the server room by gaining access to the utility room then cutting the main power. What kind of vulnerability did they most likely exploit? Choose the best response.

Fail-open locks

Ch.9 You're helping to secure a web application that allows low-level help desk personnel to access customer transactions and activities. For classification and privacy reasons, the screen must not display fields such as order details and contact information unless the individual user has clearance to view them. What kind of solution would be most appropriate? Choose the best response.

Dynamic masking

Ch.1 You've been tracking a new form of malware on your network. It seems to primarily work by attacking web browsers when they visit certain external websites. What parts of the network should your analysis focus on? Choose the best response.

Endpoints

Ch.5 You've taken the company Wi-Fi down for maintenance, but your phone still shows a network with the same SSID as available. What kind of attack do you suspect? Choose the best response.

Evil twin

Ch.3 Your organization has a legacy application that uses an outdated encryption standard to communicate with a variety of remote systems; however, newly enacted regulatory requirements specify a minimum of 128-bit AES for such links. Replacing it will be a big project, but you feel it's necessary; however, the CFO is reluctant to add new security expenditures this fiscal year. Which of the following arguments should you consider including in your report to the CFO? Select all that apply.

Financial penalties for failing a regulatory audit; Potential costs of an attacker cracking the existing encryption; A list of data breaches in your field of business caused by broken encryption

Ch.3 You've been charged with conducting a vulnerability scan. Which of the following actions are you likely to perform? Select all that apply.

Finding open ports; Passively testing security controls; identifying vulnerabilities

Ch.2 Your company is developing an application a private US-based hospital will use to give patients online access to their medical records. Regardless of what other data the application handles, what kind of compliance do you already know you need to research? Choose the best response.

HIPAA - The Health Insurance Portability and Accountability Act

Ch.7 You want a system that can recognize and block an unauthorized network scan. What option should you use? Choose the best response.

IPS

Ch.5 As part of a cloud transition, your team is examining IaC approaches for cloud orchestration. You've been asked to tell a less technical stakeholder the relative advantages of immutable infrastructure over mutable. Which of the following might you say? Select all that apply.

Immutable infrastructure scales more easily; Immutable infrastructure is less prone to configuration drift.

Ch.7 ACLs are based on which assumption? Choose the best response.

Implicit Deny

Ch.9 You've been asked to assist in the secure deployment of a new software-defined data center. Which of the following plan elements might be a problem? Select all that apply.

In-band controls using SNMPv1; The developers are inexperienced with IaC and NetDevOps.

Ch.4 An IDS sends you an alert with a form input to a web application. When you view the packet, the form input itself reads 1' OR '1'='1. What kind of attack does this most likely indicate? Choose the best response.

Injection

Ch.9 You're helping to evaluate a NAC system for remote access to a high-security network. Client systems should have their security postures monitored at all times, even when not connected to the network. When they are connected, each request to the network will be evaluated to make sure it conforms with network policies. What kind of solution would meet these needs? Choose the best response.

Inline NAC with a persistent agent

Ch.3 Your manager wants you to plan a vulnerability scanning program using agent-based credentialed scanning. What does that likely mean, compared to the alternatives? Choose the best response.

It will be hard to set up and maintain, generate little network traffic, and find many vulnerabilities.

Ch.6 You researched an authentication system vulnerability last month, and while it had a severe impact in theory, no demonstrated code could exploit it. Last week a security researcher demonstrated exploit code. How will this affect the vulnerability's CVSS score? Choose the best response.

It will change the Temporal metrics.

Ch.6 When scanning the local subnet with Zenmap you're about to try an Intense scan, but a coworker suggests you run Intense scan, no ping instead. If you take that advice, what will the likely result be? Choose the best response.

It will take longer but probably find more hosts and services.

Ch.9 Your secure ICS network is isolated enough to prevent any direct logins from the main corporate network, but you want to manage a device on the ICS network from your personal workstation. What technology can you configure to do so? Choose the best response.

Jump box

Ch.9 You're evaluating a new system that uses Security-Enhanced Linux to handle classified government information. What kind of access control model should you expect it to use? Choose the best response.

MAC

Ch.2 What policy document generally describes mutual goals between organizations? Choose the best response.

MOU - Memorandum of Agreement

Ch.3 After running a vulnerability scan, you learn that a few of the identified vulnerabilities don't actually exist on the system. What should you do? Choose the best response.

Mark them as false positives

Ch.6 You think attackers are using packet sniffers on your Wi-Fi network. The network is using strong WPA2 encryption, but what can the attackers still learn without the key? Choose all valid responses.

Most active hosts; SSIDs; MAC addresses

Ch.2 Your company is contracting with a US Federal agency, and you have to make sure your solutions are compatible with their policy framework. Which framework are you most likely to need to learn? Choose the best response.

NIST 800 series (National Institute of Standards and Technology)

Ch.7 You want to gather statistics about the network traffic between a particular web server and its back-end database server. What protocol would be most useful for that purpose? Choose the best response.

NetFlow

Ch.7 You're checking a host for active network connections and listening ports. Which of the following tools would suit your purposes? Choose the best response.

Netstat

Ch.6 You're mapping a network and looking for rogue devices and services. Which tool are you most likely to use? Choose the best response.

Nmap

Ch.3 Your latest vulnerability scan uncovered a serious and time-critical vulnerability. Still, you can't fix it immediately because the company change management process mandates a review period before making the necessary changes. What kind of remediation problem are you having? Choose the best response.

Organizational governance

Ch.1 For your new security consulting position, you're helping a hospital secure its HR database. It includes employee records such as contact information, employment history, and bank account numbers. What would this information be classified as? Choose the best response.

PII - Personally Identifiable Information

Ch.9 Which of the following statements about data retention policies are true? Select all that apply.

PII may have to be deleted on the request of its subject no matter how old it is.
Financial data should be stored for at least three years, and longer depending on its type.
Written data retention policies can reduce legal liabilities.

Ch.5 You're helping a software development team choose a secure cloud-based solution. The team wants to develop custom web applications but prefer the development environment itself to be provided by the hosting service. What kind of service model should you evaluate? Choose the best response.

PaaS

Ch.1 A coworker detects a potential social engineering attack because the return email address is a domain associated with scammers. What kind of threat indicator is this? Choose the best response.

Reputational

Ch.5 Which of the following user practices make password stuffing attacks more effective? Choose the best response.

Reusing the same password on multiple systems

Ch.3 Your company has long maintained an email server, but it's insecure and unreliable. You're considering just outsourcing email to an external company that provides secure cloud-based email services. What risk management strategy are you employing? Choose the best response.

Risk transference

Ch.9 You're evaluating NAC solutions. One feature you need is to make sure that when sales users join the network remotely, they'll automatically be joined to the Sales network and given access to its resources. What kind of solution should you look for? Choose the best response.

Role-based

Ch.3 While conducting a penetration test, you've exploited an application flaw to get temporary access on a proxy server. Part of your goal is to use that server as a pivot. Which of the following steps directly achieve that goal? Select all that apply.

Running a network scan from that server; Creating a tunnel through the proxy server to the internal network

Ch.7 In Event Viewer, you're told to look for events matching the following criteria. "Event ID: 4672; Task Category: Special Logon; Keywords: Audit Success". Which log should you look in first? Choose the best response.

Security

Ch.5 An attacker remotely stole data from a server using an employee's account. According to the employee, he couldn't have done it: While he did log in that day, he was almost immediately disconnected with a message about unplanned server downtime. Assuming the employee is telling the truth, what kind of attack took place? Choose the best response.

Session hijacking

Ch.9 You require your users to log on using a user name, password, and rolling 6-digit code sent to a keyfob device. They are then allowed computer, network, and email access. What type of authentication have you implemented? Select all that apply.

Single sign-on; Multi-factor authentication

Ch.7 You want to take some proactive actions against a new family of malware that's been spreading around. It has spyware and botnet functions, and infected computers connect to external servers. You have a list of the domain names the malware contacts. What security tool would help you to recognize that malware on your network? Choose the best response.

Sinkhole

Ch.6 For business reasons, your company isn't at all secretive about its WHOIS information. What reconnaissance type does this make easier for attackers? Choose the best response.

Social engineering

Ch.7 The management interface for your firewall has some known vulnerabilities, so you're worried that someone already on the network could log onto the firewall and change its settings. Which of the following methods could reduce that threat? Choose the best response.

Switch to out-of-band management

Ch.9 Your company is considering joining an identity federation with several others providing related services. Which of the following are most likely correct? Select all that apply.

The federation will make it easier to implement single sign-on between your services.
A security compromise by one member can compromise the entire federation.
You should consider a trusted third party that certifies all federation members, depending on the number of members in the federation.

Ch.7 A Linux server is behaving sluggishly, and you want to know what process is using all the CPU and memory usage. Which of the following tools would suit your purposes? Choose the best response.

Top

Ch.8 Which of the following are examples of point-in-time data analysis? Select all that apply.

Traffic analysis; Packet analysis

Ch.7 You have a critical server configured as an SNMP agent, in part so you can tell remotely when one particularly fragile service on it crashes again. What kind of PDU should the server immediately send to the SNMP manager when the service fails? Choose the best response.

Trap

Ch.3 You're asked to generate a vulnerability report that shows the number and types of vulnerabilities and fixes you've encountered every month in the last year. What kind of report would that be? Choose the best response.

Trend report

Ch.2 You're writing a policy document using a rather minimalist template. What kinds of information would you put in the "Scope" section? Select all that apply.

Who is affected by the policy; What systems and data the policy protects

Ch.4 What application attacks directly target the database programs sitting behind web servers? Choose all that apply.

XML injection and SQL injection

Ch.9 Which of the following are examples of context-based authentication? Select all that apply.

You must complete a two-factor authentication process the first time you sign in from a new physical location.

Ch.6 You're targeting a DNS server during a penetration test, as part of network mapping. What kind of attack could you attempt to get all the server's data with a single request? Choose the best response.

Zone transfer
