B.4 CompTIA CySA+ CS0-002 Certification Practice Exam


After having calculated the MD5 hash for a file, you need to compare it to the value provided by the vendor. You could examine each character to ensure it is correct, but PowerShell has a utility for comparing the strings. Which of the following would be an example of that command?
Options:
- md5sum --check MD5SUM.txt
- "2b8efe1bee907243f22c16e14032a5ea" -eq "2b8efe1bee907243f22c16e14032a5ea"
- Get-FileHash -Compare -Algorithm MD5 "2b8efe1bee907243f22c16e14032a5ea"
- Get-Content .\MD5SUM.txt -eq "2b8efe1bee907243f22c16e14032a5ea"
Answer: "2b8efe1bee907243f22c16e14032a5ea" -eq "2b8efe1bee907243f22c16e14032a5ea"

Fred runs a small manufacturing shop. He produces consumer goods on his equipment. Suppose Fred has six stamp presses, each valued at $35,000. At any given time, two of his presses might be out of service due to mechanical breakdowns or required upgrades. What is Fred's single loss expectancy?
Options:
- $35,000
- $70,000
- $0
- $105,000
Answer: $70,000

While reviewing the output of an Nmap scan on a segment of your network, you find the following output. Which host, identified by its IP address, is running something that has no encryption and is vulnerable to attack?
Options:
- 192.168.122.84
- 192.168.122.107
- 192.168.122.172
- 192.168.122.199
Answer: 192.168.122.107
The Telnet service running on 192.168.122.107 is not encrypted, and users might be logging in through it. Anyone capturing packets on that segment would see any Telnet login attempts with usernames and passwords. The other services are secured using various methods.

Your company has decided to use a Pentbox honeypot to learn which types of attacks may be targeting your site. They have asked you to install and configure the honeypot. You have already installed Pentbox. Which menu allows you to configure the honeypot?
Options:
- 1- Cryptography tools
- 2- Network tools
- 3- Web
- 4- Ip grabber
- 5- Geolocation ip
- 6- Mass attack
- 7- License and contact
Answer: 2- Network tools

While looking at your Security Onion appliance, you noticed a significant increase in after-hours traffic on your network when all workstations were powered off and nobody else was in the office. Some of this traffic generated alerts in Kibana. Also, your web server was very slow to respond when you checked the website. With the information in the graph below, what might be the cause? (Select two.)
Options:
- A web session hijacking event
- A BitTorrent client was in use
- A DDoS attack
- An ICMP flood attack
- A user was downloading a large file
Answer: A DDoS attack; An ICMP flood attack

Which of the following BEST describes a honeypot?
Options:
- Virtual honeypots can only simulate one entity on a single device.
- A honeypot's purpose is to look like a legitimate network resource.
- A honeypot is a substitute for an IDS or firewall and protects a system.
- A honeypot is a server- or client-based application that manipulates packets.
Answer: A honeypot's purpose is to look like a legitimate network resource.

The following image is of DHCP logs on a pfSense appliance. What is happening here?
Options:
- There is not enough information here to describe what is happening.
- A host named kali is releasing and renewing its IP address with the appliance.
- A host named hn1 is renewing its IP address with the host on IP address 10.10.10.1.
- A host found on IP address 10.10.10.183 has their own DHCP server to perform an on-path (man-in-the-middle) attack.
Answer: A host named kali is releasing and renewing its IP address with the appliance.

There are two non-governmental sites that provide lists of valuable information for ethical hackers. Which of the following BEST describes the Full Disclosure site?
Options:
- A list of standardized identifiers for known software vulnerabilities and exposures.
- A mailing list that often shows the newest vulnerabilities before other sources.
- A community-developed list of common software security weaknesses.
- A list searchable by mechanisms of attack or domains of attack.
Answer: A mailing list that often shows the newest vulnerabilities before other sources.

Which of the following BEST describes MAC spoofing?
Options:
- A method of changing the MAC address of a network interface on a device within a network
- A method of attack intended to overflow the memory of a network switch, forcing the switch into open-fail mode. This causes it to function like a hub, broadcasting incoming data to all ports instead of to specific addresses.
- An attack where fake ARP messages are sent to a network, linking the IP address of an attacker's computer to the IP address of a legitimate computer on the network
- A method of monitoring network traffic by creating a duplicate of all traffic on a port and sending it to another device
Answer: A method of changing the MAC address of a network interface on a device within a network

Which of the following BEST describes a phishing attack?
Options:
- This attack is used to intercept communications between an authorized user and the web server.
- A user is tricked into believing that a legitimate website is requesting their login information.
- An attacker alters the XSS to run a Trojan horse with the victim's web browser.
- In this attack, attackers use various weaknesses to hack into seemingly secure passwords.
Answer: A user is tricked into believing that a legitimate website is requesting their login information.

You have been asked to perform a penetration test for a company to see if any sensitive information can be captured by a potential hacker. You have used Wireshark to capture a series of packets. Using the tcp contains Invoice filter, you have found one packet. Using the captured information shown, which of the following is the name of the company requesting payment?
Options:
- Lowes
- Wood Specialist
- ACME, Inc.
- The Home Depot
Answer: ACME, Inc.

During which phase of the Kill Chain framework does an intruder extract or destroy data?
Options:
- Weaponization
- Action on Objectives
- Command and Control
- Exploitation
Answer: Action on Objectives

Why are endpoints a favorite target for malware attacks?
Options:
- Because they are often the personal devices of employees
- Because they have a reputation for having strong security protocols
- Because they contain large financial databases
- Because they are often the end point of an attack
Answer: Because they are often the personal devices of employees

Which of the following connects a vehicle's ECUs together?
Options:
- CAN
- VLAN
- HMI
- PLC
Answer: CAN

Which of the following is a best practice for implementing security patches?
Options:
- Security patches should be tested and implemented in a sandbox before being applied to all active systems.
- Because patches are fixes to existing infrastructure, they do not need to be implemented using your organization's change management system.
- Security patches should be tested and implemented on a quarterly basis.
- Patches that are released by trusted vendors do not need to be tested.
Answer: Security patches should be tested and implemented in a sandbox before being applied to all active systems.

John installs patches against known vulnerabilities and cleans up out-of-date zones, files, users, and groups on his DNS server. Which BEST describes these defensive measures?
Options:
- Server hardening
- Phishing
- Internal vulnerability testing
- Implementation
Answer: Server hardening

Which of the following tasks is being described?
1. Sniff traffic between the target computer and server.
2. Monitor traffic with the goal of predicting the packet sequence numbers.
3. Desynchronize the current session.
4. Predict the session ID and take over the session.
5. Inject commands to target the server.
Options:
- Session hijacking
- Cookie hijacking
- Passive hijacking
- Application hijacking
Answer: Session hijacking

Which of the following tools can be used to create botnets?
Options:
- Shark, PlugBot, and Poison Ivy
- Poison Ivy, Targa, and LOIC
- Trin00, Targa, and Jolt2
- Jolt2, PlugBot, and Shark
Answer: Shark, PlugBot, and Poison Ivy

Which IDS method searches for intrusion or attack attempts by recognizing patterns or identifying entities listed in a database?
Options:
- Anomaly-analysis-based IDS
- Heuristics-based IDS
- Stateful-inspection-based IDS
- Signature-based IDS
Answer: Signature-based IDS

Which of the following configurations can be used with Windows Event Forwarding? (Select two.)
Options:
- Source-destination subscriptions
- Collector-source subscriptions
- Source-collector subscriptions
- Collector-initiated subscriptions
- Collector-destination subscriptions
- Source-initiated subscriptions
Answer: Source-initiated subscriptions; Collector-initiated subscriptions

Which of the following is a SIEM collection tool that's used to search and analyze large collections of data in multiple formats?
Options:
- Burp Suite
- Security Onion
- Snort
- Splunk
Answer: Splunk

Which of the following frame (packet) subtrees would you expand in order to view the POST data that was captured by Wireshark?
Options:
- The Internet Protocol Version 4 subtree would have the POST data.
- The HTML Form URL Encoded: subtree would have the POST data.
- The Transmission Control Protocol (TCP) subtree would have the POST data.
- The Hypertext Transfer Protocol subtree would have the POST data.
Answer: The HTML Form URL Encoded: subtree would have the POST data.

A document has arrived via email for a manager at your company, asking for payment on a service that was never given. When you spend some time researching this issue, you find that several other people have received the same or similar communications. After reviewing the information from a Wireshark packet sniff (a portion of which is shown here), you come to the conclusion that the email address is spoofed. How did you arrive at this conclusion?
Options:
- The hex value "73 70 66 3d 66 61 69 6c" indicates the country of origin is outside of the company's.
- The "ARC-Authentication-Results" text does not show up for properly authenticated email messages.
- The IP address listed is 93.99.104.212, which is from the Czech Republic.
- The packet contains the text "spf=fail".
Answer: The packet contains the text "spf=fail".

Which of the following is a benefit of microservices?
Options:
- They function independently of each other. If one service fails, the application can keep working.
- They increase security by eliminating the need to maintain multiple identities.
- They increase application access by reducing the need to individually log into each site separately.
- They decrease administrative costs by reducing the need to maintain duplicate sign-on credentials.
Answer: They function independently of each other. If one service fails, the application can keep working.

Which of the following BEST describes the purpose of the wireless attack type known as wardriving?
Options:
- To trick a user into using the hacker's access point.
- To block a company's authorized wireless communications using radio noise or signals.
- To capture users' critical information, such as passwords or bank account numbers.
- To find information that will help breach a victim's wireless network.
Answer: To find information that will help breach a victim's wireless network.

Which of the following tools enables security professionals to audit and validate the behavior of security devices?
Options:
- TCP ACK scan
- MTU offset
- Traffic IQ Professional
- Fragmenting packets
Answer: Traffic IQ Professional

Heather wants to gain remote access to Randy's machine. She developed a program (which she hid inside a legitimate program) that she is sure Randy will install on his machine. Which of the following types of malware is she using?
Options:
- Spyware
- Virus
- Trojan horse
- Worm
Answer: Trojan horse

Converting the word ATTACK to \u0041 \u0054 \u0054 \u0041 \u0043 \u004b is an example of what technique?
Options:
- Encryption
- Unicode evasion
- Insertion attack
- Polymorphic code
Answer: Unicode evasion

You want to properly dispose of papers with sensitive content. You want to ensure that it's nearly impossible for a dumpster diver to put the information back together. What should you do?
Options:
- Use the recycle bin
- Use an incinerator
- Use a crosscut shredder
- Use a strip-cut shredder
Answer: Use a crosscut shredder

You are verifying settings on a new Windows image that will be used for all computers in the office. As part of the Group Policy, a test is run to install software on a Windows machine, and the following pop-up is displayed for a regular user. What is the name of the Windows security feature that configures this pop-up to appear?
Options:
- User Accounts
- Add, Edit, or Remove User Accounts
- Windows Defender Firewall
- User Account Control
Answer: User Account Control

How is probability determined using quantitative analysis?
Options:
- Using the AV calculation
- Using the SLE calculation
- Using the ALE calculation
- Using the ARO calculation
Answer: Using the ARO calculation

Spencer is in charge of his company's websites and is implementing countermeasures. His company uses IIS. What is the BEST countermeasure for his situation?
Options:
- Disable IIS.
- Hide IIS banner broadcast.
- Disable all Windows services.
- Disable Linux services.
Answer: Hide IIS banner broadcast.

Which of the following attack types overflows the server, causing it to not function properly?
Options:
- ARP poisoning
- MAC spoofing
- Session hijacking
- DoS
Answer: DoS

Which of the following malware analysis techniques identifies unique malware programs by generating a hash for that program?
Options:
- Obfuscation identification
- String searches
- Fingerprinting
- Disassembly
Answer: Fingerprinting

Which of the following is the process of determining the configuration of ACLs by sending a firewall TCP and UDP packets?
Options:
- Firewalking
- Port scanning
- Packet filtering
- Banner grabbing
Answer: Firewalking

You are working on firewall evasion countermeasures and are specifically looking for a tool to expose TTL vulnerabilities. Which of the following tools would you use?
Options:
- Tunneling
- KFSensor
- Firewalking
- Traffic IQ Professional
Answer: Firewalking

Each virtual machine created by a hypervisor is called a:
Options:
- VDI
- Guest
- Thin client
- Zombie
Answer: Guest

What is the name of a computer on which a hypervisor runs to provide one or more virtual machines?
Options:
- VDI
- VM
- Host
- Guest
Answer: Host

Which items are included in an acceptable use policy? (Select two.)
Options:
- How information and network resources should be used
- How systems should be monitored
- Password length requirements
- Expectations for user privacy when using company resources
- Who is responsible for closing accounts upon termination
Answer: How information and network resources should be used; Expectations for user privacy when using company resources

The following information about an incident should be provided to stakeholders:
- What caused the incident and which security measures have been taken.
- What was the incident's financial, systemic, and reputational impact.
- How have policies and procedures been updated because of the incident.
Which report should be used to share this information?
Options:
- Incident summary
- Lessons learned
- Change control
- Post-incident
Answer: Incident summary

Which of the following elements of penetration testing includes the use of web surfing, social engineering, dumpster diving, and social networking?
Options:
- Maintaining access
- Information gathering techniques
- Permission and documentation
- Information types
Answer: Information gathering techniques

Dan wants to implement reconnaissance countermeasures to help protect his DNS service. Which of the following actions should he take?
Options:
- Limit the sharing of critical information in press releases, annual reports, product catalogs, or marketing materials.
- Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.
- Review company websites to see which type of sensitive information is being shared.
- Implement policies that restrict the sharing of sensitive company information on employees' personal social media pages.
Answer: Install patches against known vulnerabilities and clean up out-of-date zones, files, users, and groups.

Which of the following has five layers of structure that include the Edge Technology, Access Gateway, Internet, Middleware, and Application layers?
Options:
- IoT structure
- IoT systems
- IoT architecture
- IoT application areas and devices
Answer: IoT architecture

Which network-based Indicator of Compromise (IOC) could be present if you detect ongoing communication between two workstations on your network?
Options:
- Beaconing
- Common protocol over nonstandard port
- Rogue device
- Irregular peer-to-peer communication
Answer: Irregular peer-to-peer communication

How can a legal hold be helpful in digital forensics?
Options:
- It keeps a suspect from leaving the country.
- It restricts companies from doing business while under investigation.
- It protects data from being altered.
- It allows only investigators to manipulate evidence to test theories.
Answer: It protects data from being altered.

You entered your password on a website and are sent a code to your cell phone. Which of the following is this an example of?
Options:
- SP
- MFA
- IDP
- SSO
Answer: MFA

As you gather evidence for an investigation, you need to make a copy of a hard disk drive that includes all visible files as well as any unallocated space. It needs to include any deleted files, metadata, or timestamps. Which of the following options would be BEST for this task?
Options:
- Use string searches to find all needed information before copying the drive.
- Hash the drive.
- Make a forensic copy of the drive.
- Make a logical copy of the drive.
Answer: Make a forensic copy of the drive.

Which layer in the IoT architecture covers the processes that happen in the cloud?
Options:
- Edge Technology
- Internet
- Access Gateway
- Middleware
Answer: Middleware

What are the policies organizations use to maintain security on mobile devices called?
Options:
- Mobile application management
- Mobile device management
- Security management
- Bring Your Own Device
Answer: Mobile device management

While adding a new admin to the pfSense security appliance, you double-check that you have completed all of the changes necessary for them to work with the appliance. What else should you do before you continue?
Options:
- Check the This user cannot login box.
- Put in an expiration date for the account.
- Customize the UI because the default view doesn't give access to all tools.
- Move the admins group entry to the Member Of box.
Answer: Move the admins group entry to the Member Of box.

Which of the following sends you an alert when an automated port scan is detected?
Options:
- Network intrusion system
- Antivirus software
- Network device logs
- System logs
Answer: Network intrusion system

URL and DNS monitoring, flow and packet analysis, and DGA monitoring are all methods to secure data in which of the following areas?
Options:
- Heuristics
- Trend analysis
- Endpoint monitoring
- Network monitoring
Answer: Network monitoring

Which of the following BEST describes a high-value asset?
Options:
- An offline asset that halts production.
- A missing asset that goes unnoticed.
- An asset that costs over $10,000.
- An asset used only by the CEO.
Answer: An offline asset that halts production.

You are concerned about protecting your network from network-based attacks on the internet. Specifically, you are concerned about attacks that have not yet been identified or that do not have prescribed protections. Which type of device should you use?
Options:
- Antivirus scanner
- Signature-based IDS
- Anomaly-based IDS
- Host-based firewall
- Network-based firewall
Answer: Anomaly-based IDS

Which layer in the iOS stack is responsible for defining an app's appearance, its use of multitasking, and touch-based input?
Options:
- Media
- Cocoa Touch
- Core Services
- Application
Answer: Cocoa Touch

Which of the following BEST describes the process of using prediction to gain session tokens in an application-level hijacking attack?
Options:
- Obtain a user's HTTP cookies to collect session IDs embedded within the file to gain access to a session.
- Collect several session IDs that have been used before and then analyze them to determine a pattern.
- Convince the victim system that you are the server so you can hijack a session and collect sensitive information.
- Review a user's browsing history to enter a previously used URL to gain access to an open session.
Answer: Collect several session IDs that have been used before and then analyze them to determine a pattern.

Most SIEM implementations start by installing which tool on network devices?
Options:
- Intrusion detection system
- Log file
- Collection agent
- Dashboard
Answer: Collection agent

Restoring data from backup is an example of which type of security control?
Options:
- Compensating
- Physical
- Deterrent
- Corrective
Answer: Compensating

Which of the following cloud security controls includes backups, space availability, and continuity of services?
Options:
- Computation and storage
- Protecting information
- Trusted computing
- Administrative tasks
Answer: Computation and storage

Which of the following is a mathematical algorithm that takes a data string or message and creates a fixed-sized bit array?
Options:
- Phlashing
- Parameterization
- Rainbow tables
- Cryptographic hash function
Answer: Cryptographic hash function

Which of the following is an email authentication tool that relies on an email's encrypted digital signature to verify its authenticity?
Options:
- UEFI
- DKIM
- SPF
- SIEM
Answer: DKIM

Which of the following tools allows domain owners to notify receivers that emails have been authenticated, provides feedback about the legitimacy of emails sent on their domain, and applies instructions for emails that failed authentication?
Options:
- DMARC
- SPF
- DKIM
- Maltego
Answer: DMARC

Which type of breach happens when an attacker removes or transfers data from your system to another?
Options:
- Insider data breach
- Data integrity and availability
- Data exfiltration
- Accidental data breach
Answer: Data exfiltration

Which of the following is the process of obfuscating data by changing it into random characters?
Options:
- Data privacy
- Data masking
- Encryption
- Tokenization
Answer: Data masking

When decommissioning assets, which of the following MUST be recycled?
Options:
- Notebook batteries
- RFID tags
- Routers
- CRT monitors
- Hard disks
Answer: Notebook batteries; CRT monitors

You are the security technician for your organization. You need to perform diagnostics on a vehicle's subsystems for security purposes. Which of the following would you use to access the vehicle's subsystems?
Options:
- Wi-Fi
- OBD-II
- Network port
- Bluetooth
Answer: OBD-II

Where should VM administration occur?
Options:
- On the virtual machine
- On the hypervisor
- On the hypervisor and virtual machine
- On the host machine
Answer: On the hypervisor and virtual machine

Which of the following HTTP request/response types is used to request that the web server send data using HTML forms?
Options:
- HEAD
- POST
- GET
- TRACE
Answer: POST

During which phase of the incident response life cycle do you reinforce your systems, policies, and procedures to ensure that your resources are well secured?
Options:
- Containment
- Post-incident feedback
- Preparation
- Post-incident activity
Answer: Preparation

Using a fictitious scenario to persuade someone to perform an action or give information they aren't authorized to share is called which of the following?
Options:
- Pretexting
- Preloading
- Impersonation
- Footprinting
Answer: Pretexting

An employee not authorized to release news to the press speaks to a reporter about upcoming management changes. Which sharing policy BEST explains why this shouldn't happen?
Options:
- Internet
- Printed materials
- Company social media
- Employee social media
Answer: Printed materials

Which of the following information sharing policies addresses the sharing of critical information in press releases, annual reports, product catalogs, and marketing materials?
Options:
- Employee social media
- Printed materials
- Company social media
- Internet
Answer: Printed materials

As you review your network's storage shares to ensure permissions have been securely defined, you come across the following list of users and permissions set on a share at one of your key storage locations. Two of the regular users should have Read and Write permissions (Bob Barker and Jennifer Banks). The two other individuals (Joseph Lange and Bob Marley) should not; both were given access during a specific project but should've had their Write permissions removed afterward. What is it called when permissions are given for a task but then never removed when they are no longer required?
Options:
- Privilege creep
- Account elevation
- Privilege elevation
- SAM database creep
Answer: Privilege creep
The answer is privilege creep, which is the gradual accumulation of permissions beyond what a person requires to do their job.

What does the hashing of log files provide?
Options:
- Confidentiality, preventing unauthorized file access.
- Protection from altered or overwritten log files.
- Proof that the files have not been altered.
- Sequencing of files and log entries to recreate a timeline of events.
Answer: Proof that the files have not been altered.

Jack, a security analyst, needs a web-based scanner for his enterprise-level employer. It's imperative that the data be encrypted while in motion and at rest and that only the scanner workers reside on-premises. Which application BEST suits his needs?
Options:
- OpenVAS
- Nessus Professional
- Nikto
- Qualys
Answer: Qualys
Qualys Vulnerability Management is a cloud-based service that keeps an organization's data in a private virtual database.

Which of the following occurs during the deployment phase of the IT asset life cycle?
Options:
- Applying updates and patches
- Determining asset replacement needs
- Determining asset cost
- Recording of asset tag information
Answer: Recording of asset tag information

Which of the following is a data protection approach that seeks to protect data at the file level?
Options:
- Central policy
- Privilege escalation
- Data loss prevention
- Rights management
Answer: Rights management

Some Remote Access Trojans (RATs) install a web server to allow access to the infected machine. Others use a custom application that is run on the remote machine, such as ProRAT. Once infected with this custom application, which other types of infections are possible with this tool installed? (Select two.)
Options:
- Rootkit
- Network enumeration
- DDoS attack
- Ransomware
- SYN attack
Answer: Rootkit; Ransomware

Which of the following needs to be configured so a firewall knows which traffic to allow or block?
Options:
- VPN
- Rules
- Bastion host
- NAT
Answer: Rules

Tom, a security analyst, is notified by Karen, an employee, that her work iPad has some setting changes and a new app that she didn't download. What is the first step Tom should take?
Options:
- Look through the event log for suspicious events.
- Ask Karen to turn off the device.
- Search online for any new known malware threats that match the indicators of compromise (IOCs).
- Run an antivirus software scan on Karen's device and scan the entire network.
Answer: Run an antivirus software scan on Karen's device and scan the entire network.

Which of the following tools allows a domain owner to specify which email servers can send email for the domain, and which servers are not allowed to send email?
Options:
- DKIM
- Phishing
- Maltego
- SPF
Answer: SPF

During which phase of the Kill Chain framework is malware code encapsulated into commonly used file formats, such as PDF files, image files, or Word documents?
Options:
- Delivery
- Command and Control
- Weaponization
- Exploitation
Answer: Weaponization

You have configured your pfSense firewall to block URLs using DNS. You have selected the block lists that work best for your company's needs. You have tested from your machine, and traffic to the sites on the list is blocked as expected. As you walk through your office several months later, you notice that a user is on a site that is supposed to be blocked. What might explain this?
Options:
- The DNS cache on the user's local machine contains the information for that site.
- The service has stopped and is no longer functioning.
- Your firewall allows DNS requests to outside DNS servers.
- The user has hacked your firewall to allow their traffic through.
Answer: Your firewall allows DNS requests to outside DNS servers.

A compromised computer that is used by an attacker to conduct malicious activities, like DDoS attacks, is known as a _________?
Options:
- Zombie device
- Keylogger
- Trojan
- IoT device
Answer: Zombie device

When scanning a Linux machine for running applications, you see the following output. Which kill signal should you use to clean up the offending process?
Options:
- kill SIGTERM
- kill -1
- kill -9
- kill -15
Answer: kill -9
