TestOut - CompTIA CySA+ Practice Questions 7.3.18


Which of the following malware analysis techniques identifies unique malware programs by generating a hash for that program?
A. Fingerprinting
B. Disassembly
C. String searches
D. Obfuscation identification

A. Fingerprinting

Explanation
Fingerprinting is the process of identifying unique malware programs by generating a hash for that program. Disassembling malware is the process of decompiling malware code to break it down to raw code. This technique is part of the reverse engineering process. String searching is the process of scanning code for plaintext strings. Plaintext strings can indicate the purpose and function of malware. Identifying obfuscation and packing is the process of identifying packers and obfuscation methods.

What is the MOST important consideration for sandboxing activities when performing malware analysis?
A. Physical or logical isolation of the sandbox host from the main network
B. Patch management
C. Convenient sandbox capabilities
D. Virtualization

A. Physical or logical isolation of the sandbox host from the main network

Explanation
The sandbox host used for malware analysis should be physically or logically isolated from the main network. Malware analysis should be the only purpose for the host. Virtualization offers convenient sandbox capabilities, but a threat actor can design exploits to target virtual machines and hypervisors. Convenience is not the key to sandboxing. Instead, an isolated virtual platform is an important consideration for sandboxing activities. Sandbox host patch management is less important than isolating the host in the network to prevent the spread of malware. In this case, isolation is most important.

Which of the following are the general types of persistence IoCs? (Select two.)
A. Use of hypervisor to run unauthorized software
B. Change or anomaly in the registry
C. Use of a host file for a pharming attack
D. An unauthorized scheduled task
E. Installation of a DNS or a web server on a host machine

B. Change or anomaly in the registry
D. An unauthorized scheduled task

Explanation
Persistence is a mechanism that is executed when a host restarts, a user logs off, or another user logs into the system. There are two general types of persistence IoCs:
- Change or anomaly in the registry
- An unauthorized scheduled task
The following are examples of the unauthorized use of software:
- Use of hypervisor to run unauthorized software
- Installation of a DNS or a web server on a host machine
- Use of a host file for a pharming attack

Mary has been receiving text messages that contain links to malicious websites. Which type of attack is Mary a victim of?
A. Simjacker
B. Agent Smith attack
C. SMiShing
D. SS7 vulnerability

C. SMiShing

Explanation
SMiShing is a phishing attack that uses text messages. The goal is to get users to click on a malicious link that directs them to the attacker's malicious website or malware. An Agent Smith attack allows an attacker to steal data or money from a victim by using fake malicious apps. The Signaling System 7 (SS7) communication protocol is used to communicate on a different cellular network, such as when roaming. An attacker may be able to exploit vulnerabilities in this protocol to carry out an on-path attack. A simjacker attack allows an attacker to take control of a device's SIM card. This attack works by sending an SMS message to the victim. This message contains hidden SIM instructions that are supported by the device's S@T browser. This browser is an application that resides on the SIM card and not the phone itself. Because the SMS message is sent to the SIM card, the user doesn't actually see anything, and he or she does not need to take any action for the attack to work.

Which method of malware analysis includes matching signatures, analyzing code without executing it, disassembly, and string searching?
A. Reverse analysis
B. Dynamic analysis
C. Static analysis
D. Host integrity monitoring

C. Static analysis

Explanation
Static analysis is signature-based and includes analyzing code without executing it. It also includes disassembly and string searches. Dynamic analysis is behavior-based and includes executing malware in a controlled environment and monitoring it closely. Reverse engineering incorporates both static and dynamic analysis. Host integrity monitoring is part of dynamic analysis. It involves taking a snapshot of the system before and after malware is executed.

File system and registry changes can indicate or suggest that a security breach or attack has occurred. An attacker may change critical system configuration stored in system files or registry keys to change or disable essential security settings, or to store malware and scripts. Which of the following are signs that might indicate a security breach or attack on a file system? (Select two.)
A. Installation of DNS server or a web server on a host machine.
B. Use of a hypervisor to run unauthorized software.
C. The removal of temp files or deleting log entries.
D. Use of a host file for a pharming attack.
E. The creation of new files or folders in unexpected locations or with unusual names.

C. The removal of temp files or deleting log entries.
E. The creation of new files or folders in unexpected locations or with unusual names.

Explanation
The creation of new files or folders in unexpected locations or with unusual names can be a sign of an attack. Removing temp files, clearing temp folders, or deleting log entries can be a sign that an attacker is trying to cover their tracks and remove evidence of their actions. The following are examples of unauthorized use of software:
- Use of hypervisor to run unauthorized software.
- Installation of a DNS or a web server on a host machine.
- Use of a host file for a pharming attack.

Mobile device attacks can be devastating to the device and the data stored on it. Which of the following common attacks allows the attacker to steal data or money from the victim?
A. Simjacker
B. SS7
C. Smishing
D. Agent Smith

D. Agent Smith

Explanation
The Agent Smith attack allows the attacker to steal data or money from the victim. Smishing is a phishing attack that uses text messages. The goal is to get users to click on a malicious link that may direct them to the attacker's malicious website or download malware. The Signaling System 7 (SS7) communication protocol is used to communicate on a different cellular network, such as when roaming. An SS7 attack exploits vulnerabilities in the SS7 protocol, allowing an on-path attack in which the attacker can steal login credentials, steal sensitive data on the device, or bypass two-factor authentication. A simjacker attack allows the attacker to take control of a device's SIM card. This attack works by sending an SMS message to the victim.

Which of the following mobile security concerns is characterized by malicious code that specifically targets mobile devices?
A. Phishing attacks
B. Lost and stolen devices
C. Unsecure applications
D. Malicious websites

D. Malicious websites

Explanation
Malicious or compromised websites are often used to launch web or network attacks. An attacker can design a website to easily determine which type of device is being used and then use malicious code that specifically targets mobile devices. Phishing and other social engineering attacks are often more productive on mobile device users, but these attacks are not characterized by malicious code that specifically targets mobile devices. Data loss can occur when a mobile device is lost or stolen, but this is not characterized by malicious code that specifically targets mobile devices. Unsecure applications are a security concern since mobile apps may not have the same security protections as a browser, but they are not characterized by malicious code that specifically targets mobile devices.

File fingerprinting, scanning, string searches, and disassembly are all used to identify malware. When these techniques are used, what is the identifying information called?
A. Malware registry keys
B. Malware IP address
C. Malware event logs
D. Malware signature

D. Malware signature

Explanation
A malware's signature is found by identifying markers in its code. These are often found through file fingerprinting, scanning, string searching, and disassembly. Event logs can be analyzed to find malware, but they are not the name of the identifying markers in malicious software code. Registry keys can be one of the markers of malicious software code, but they are not the name of the identifying markers in general. Malware IP addresses can be one of the markers of malicious software code, but they are not the name of the identifying markers in general.

As a sales representative for your company, you are in an airline lounge waiting for your next flight. To make the best use of your time, you decide to connect to the internet from your tablet to do some additional research about the company you will be contacting. You search for and connect to a Wi-Fi access point with the same name as the access point provided by the airline. However, it does not require the passcode that the airline has instructed you to use to make the connection. You suspect that it might be a rogue access point. Which of the following vulnerability vectors does this type of attack fall under?
A. Unsecured apps
B. Device
C. Database
D. Network

D. Network

Explanation
In this scenario, the type of vulnerability attack you suspect falls under the network vector. Network vulnerabilities that exist in the mobile network include Wi-Fi with weak encryption, rogue access points, packet sniffing, and on-path attacks. The device vulnerability vector includes browser-based attacks (phishing and clickjacking), phone-based attacks (SMiShing and application-based vulnerabilities), and system/OS attacks (weak passwords and rooting/jailbreaking). Database vulnerabilities include SQL injection, privilege escalation, data dumping, and OS command execution. Unsecured apps are a mobile device vulnerability concern (not an attack vector). These apps may not have the same security protections as a browser, and the mobile device platform's app store can be a vulnerability.
