Test : CompTIA CySA+ (CS0-001)

Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for passwords. Simultaneously, there have been more compromised user accounts. What type of attack is most likely the cause of these happenings?

Options are :

  • SQL injection
  • Cross-site scripting (Correct)
  • Cross-site request forgery
  • Rootkit

Answer : Cross-site scripting

Explanation The best answer is cross-site scripting. This scenario is textbook for a cross-site scripting attack. The site doesn’t perform input validation to remove scripts from user postings, so the attacker can post a script that creates a popup window, collects passwords, and uses that information to compromise accounts.

When unable to implement a required control, administrators may choose to make up for the gap by implementing a ____________.

Options are :

  • Compensating control (Correct)
  • Vulnerability
  • Remediation
  • Policy

Answer : Compensating control

Explanation Compensating controls seek to achieve the same objective as a control that the organization is unable to implement for some reason.

Nick has put the following command on a Linux system:

#echo example.com >> /etc/hosts.

What has he done?

Options are :

  • Added the system to the allowed hosts file
  • Routed traffic for the example.com domain to the local host (Correct)
  • Routed local host traffic to example.com
  • Overwritten the host file and deleted all data except this entry

Answer : Routed traffic for the example.com domain to the local host

Explanation The best option is that he routed traffic for the example.com domain to his local host. This is typically done to prevent a system from communicating with a malicious host or domain, as well as to prevent a user who lacks technical abilities from visiting specific sites or domains.

Of all options listed below, which of the following is not typically included in the rules of engagement for a penetration test?

Options are :

  • Timing
  • Authorization
  • Scope
  • Authorized tools (Correct)

Answer : Authorized tools

Explanation The best answer listed here, for which item is NOT typically listed in the rules of engagement, is authorized tools. The rules of engagement typically list the timing, the authorization, and the scope of what can be used as well as what’s not allowed. Some rules of engagement may list authorized tools, but that’s not a common practice.

Jamie has completed the scoping document for a penetration test. The document includes the details of what tools, techniques, and targets are included in the test. What’s the next step?

Options are :

  • Port scan the target.
  • Get sign-off on the document. (Correct)
  • Begin passive fingerprinting.
  • Notify local law enforcement.

Answer : Get sign-off on the document.

Explanation The best answer is to get sign-off on the document. While she may want to start immediately, she needs to go through the proper channels and get sign-off on the scope, timing, and effort that the test requires.

Amy notices that a server’s hostname is resolving to a cloudflare.com host. This came from a vulnerability scan. What does she know about her scan?

Options are :

  • It’s being treated like a DDoS attack
  • It’s scanning a CDN-hosted copy of the site (Correct)
  • It will not return useful information
  • Nothing can be determined about this site with this information

Answer : It’s scanning a CDN-hosted copy of the site

Explanation Cloudflare is a content delivery network (CDN) that serves a site from distributed servers. Because the scan is hitting a copy of the site hosted on the CDN, not all of the information Amy is seeking will be available there, so scanning that copy won’t produce all of the information she’s seeking.

Rhonda is responsible for the design of data centers and networks at her organization. She wants to establish a secure zone and a DMZ. If she wants to ensure that user account and system traffic in the DMZ can be logged while preventing negative impacts from infected workstations, which is the best design solution?

Options are :

  • Administrative virtual machines running on administrative workstations
  • Jump hosts (Correct)
  • Bastion hosts
  • SSH/RDP from administrative workstations

Answer : Jump hosts

Explanation The best option is a jump host, often referred to as a jump box. With a jump box in place, it’s easier to log administrative access, and the jump box also serves as an additional layer of protection. Bastion hosts are fully exposed to attacks; virtual machines can be useful but make auditing and similar tasks more difficult; and direct SSH and RDP require auditing of all workstations and could allow a compromised system to access the network.

When running an nmap scan, what is the default nmap scan type when nmap is not provided with a flag?

Options are :

  • A TCP FIN scan
  • A TCP connect scan
  • A TCP SYN scan (Correct)
  • A UDP scan

Answer : A TCP SYN scan

Explanation By default, nmap uses TCP SYN for a scan. If the user doesn’t have the correct privileges, it’ll use a TCP connect scan.

A cyber security analyst has noticed some unusual network traffic occurring from a certain host. This host has been communicating with a known malicious server over an encrypted web tunnel on port 443. The analyst runs a full antivirus scan of the host with an updated antivirus signature file, but the antivirus doesn’t find any sign of an infection. What has MOST likely occurred to the host?

Options are :

  • Zero-day attack (Correct)
  • Known malware attack
  • Session hijack
  • Cookie stealing

Answer : Zero-day attack

Explanation Since the latest antivirus signatures were used and still found no signs of infection, it cannot be a known malware attack. Instead, this appears to be a zero-day attack because there is a clear sign of compromise (the web tunnel being established to a known malicious server) and the antivirus doesn’t yet have a signature for this indicator of compromise.

What version of web encryption should be used currently in order to avoid the security vulnerabilities from earlier versions?

Options are :

  • SSLv1
  • SSLv2
  • SSLv3
  • TLS (Correct)

Answer : TLS

Explanation No version of SSL should be used. Administrators should instead configure TLS.

What is NOT considered part of the Internet of Things?

Options are :

  • SCADA systems
  • ICS
  • Internet-connected television
  • A Windows 2016 server configured as a domain controller (Correct)

Answer : A Windows 2016 server configured as a domain controller

Explanation Supervisory control and data acquisition (SCADA) systems and industrial control systems (ICS) are examples of IoT implementations.

TRUE or FALSE: Analysts prioritizing vulnerabilities for remediation should consider the difficulty of remediation when assigning priorities.

Options are :

  • TRUE (Correct)

Answer : TRUE

Explanation Difficulty of remediation is one of the criteria that analysts should consider. They should also consider the criticality of the system and information, severity of the vulnerability, and exposure of the vulnerability.

What vulnerability involves leveraging access from a single virtual machine to other machines on the network?

Options are :

  • VM escape (Correct)
  • VM migration
  • VM reuse
  • VM vulnerability

Answer : VM escape

Explanation Virtual machine escape vulnerabilities are the most serious issue that may exist in a virtualized environment. In this attack, the attacker has access to a single virtual host and then leverages that access to intrude on the resources assigned to a different virtual machine.

A company wants to remediate vulnerabilities inside its web servers. An initial vulnerability scan was performed and the cyber security analysts are now reviewing the results. The cyber security analysts want to remove false positives before starting any remediation efforts in order to avoid wasting their time on issues that are not actual vulnerabilities. What is an indicator of something that is most likely a false positive?

Options are :

  • Reports show the scanner compliance plug-ins are not up-to-date
  • Any items labeled ‘low’ are considered informational only (Correct)
  • The scan result versions are different from the automated asset inventory
  • ‘HTTPS’ entries indicate the web page is encrypted securely

Answer : Any items labeled ‘low’ are considered informational only

Explanation When conducting a vulnerability assessment using a vulnerability scanner, it is common for the scanner to report that some things are “low” priority or “for informational purposes only”. These are most likely false positives and can be ignored by the analyst when starting their remediation efforts.

Gary is interpreting a vulnerability scan report and finds a vulnerability in a system that has a CVSS access vector rating of A. What statement is correct based upon this information?

Options are :

  • The attacker must have physical or logical access to the affected system.
  • Exploiting the vulnerability requires the existence of specialized conditions.
  • The attacker must have access to the local network that the system is connected to. (Correct)
  • Exploiting the vulnerability does not require any specialized conditions.

Answer : The attacker must have access to the local network that the system is connected to.

Explanation The access vector explains what type of access that the attacker must have to a system or network and does not refer to the types of specialized conditions that must exist. In this case, the A rating refers to Adjacent Network, and the attacker must have access to the local network to exploit the vulnerability.

What requires that government agencies and other organizations operating systems on behalf of government agencies comply with security standards?

Options are :

  • FISMA (Correct)
  • SOX

Answer : FISMA

Explanation The Federal Information Security Management Act (FISMA) requires that government agencies and other organizations operating systems on behalf of government agencies comply with security standards.

TRUE or FALSE: Discovery scans provide organizations with an automated way to identify hosts on a network and build an asset inventory.

Options are :

  • TRUE (Correct)

Answer : TRUE

Explanation Discovery scans provide organizations with an automated way to identify hosts on a network and build an asset inventory.

Which of the following types of data is subject to regulations in the United States that specify a minimum frequency of vulnerability scanning?

Options are :

  • Driver’s license numbers
  • Insurance records
  • Credit card data (Correct)
  • Medical records

Answer : Credit card data

Explanation Credit card data must follow the PCI DSS rules, which specify all parameters dealing with scanning, data storage, and so on. The other data types are regulated, but not to that level of detail.

There are several unpatched servers that have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures installed. The management team has directed the analysts to update their vulnerability scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome of the scan remains the same. What is the BEST logical control to address the current failure?

Options are :

  • Configure a script to automatically update the scanning tool every 24 hours (Correct)
  • Have the analyst manually validate that the updates are being performed as directed
  • Test the vulnerability remediation in a sandbox before deploying
  • Configure vulnerability scans to run in credentialed mode

Answer : Configure a script to automatically update the scanning tool every 24 hours

Explanation Since the analysts appear to not be installing the latest vulnerability definitions per management’s direction, it is best to automate the process by using a script. The script will ensure that the latest definitions are downloaded and installed every 24 hours without any analyst intervention.

Lonnie is preparing to perform vulnerability scans against a set of workstations in his organization. He’s particularly concerned about system configuration settings. Which of the following scans will provide the best results?

Options are :

  • Unauthenticated scan
  • Credentialed scan (Correct)
  • External scan
  • Internal scan

Answer : Credentialed scan

Explanation Credentialed scans log into a system and retrieve configuration information. These are the most accurate results of all options listed. Unauthenticated scans rely on external resources for configuration settings which can be altered or incorrect. The network location of the scanner doesn’t have a direct impact on the ability to read the configuration information.

Your organization’s primary operating system vendor just released a critical patch for your servers. Your system administrators have recently deployed this patch and verified the installation was successful. The critical patch was designed to remediate a vulnerability that can allow a malicious actor to remotely execute code on the server from over the Internet. However, you just ran a vulnerability assessment scan of the network and found that all of the servers are still being reported as having the vulnerability. Why is the scan report still showing a vulnerability even though the patch was installed by the system administrators?

Options are :

  • Your vulnerability assessment scan is returning false positives
  • The critical patch did not remediate the vulnerability (Correct)
  • You did not wait enough time after applying the patch before running the vulnerability assessment scan
  • You scanned the wrong IP range during your vulnerability assessment

Answer : The critical patch did not remediate the vulnerability

Explanation If the patch was installed properly (which the question states it was), then the only reasonable answer is that the critical patch was coded incorrectly and does not actually remediate the vulnerability. While most operating system vendors do test their patches prior to release, with extremely critical patches, sometimes they are rushed into release to the customers and the patch doesn’t actually remediate the vulnerability and a second patch will be required.

TRUE or FALSE: PCI DSS requires the use of an outside consultant to perform internal vulnerability scans.

Options are :

  • TRUE
  • FALSE (Correct)

Answer : FALSE

Explanation PCI DSS only requires that internal scans be conducted by “qualified personnel”, and internal employees may be used.

Which type of attacker is considered to be sophisticated, highly organized, and typically sponsored by a nation-state?

Options are :

  • Script kiddies
  • Hacktivists
  • Advanced Persistent Threat (Correct)
  • Ethical hacker

Answer : Advanced Persistent Threat

Explanation Advanced Persistent Threat (APT) attackers are sophisticated and have access to financial and technical resources typically provided by a government.

TRUE or FALSE: When evaluating the functional impact of a security incident, an analyst should assign a rating of high in cases where the organization is not able to provide some critical services to any users.

Options are :

  • TRUE (Correct)

Answer : TRUE

Explanation High functional impact is defined as the organization is no longer able to provide some critical services to any users.

Caleb is designing a playbook for zero-day threats as part of his incident response program. Which of the following items should not be in his plan?

Options are :

  • Segmentation
  • Patching (Correct)
  • Using threat intelligence
  • Whitelisting

Answer : Patching

Explanation The best answer is patching. Patching is a great step against many threats, but it doesn’t stop zero-day threats, since by definition no patch exists yet. If Caleb wants to specifically stop or thwart zero-day threats, he will need to use segmentation, whitelisting, and threat intelligence. This is best accomplished by building a plan in advance and working through it.

During what stage of an incident is preservation of evidence typically handled?

Options are :

  • Preparation
  • Detection and analysis
  • Containment, eradication, and recovery (Correct)
  • Post-incident activity

Answer : Containment, eradication, and recovery

Explanation While incident responders are working on the incident, they also need to preserve forensic and incident information for future needs. Restoration is often favored over analysis, but taking the time to create an image first is important for later in the investigation.

During the preparation phase of an organization's incident response process, Aaron gathered a laptop loaded with useful software, including a sniffer and forensics tools, along with thumb drives and external hard drives, networking equipment, and a variety of cables. What type of equipment is this typically called?

Options are :

  • A grab bag
  • A jump kit (Correct)
  • A crash cart
  • A first responder kit

Answer : A jump kit

Explanation This type of kit is typically called a jump kit. This kit contains the tools to be used for an incident response. Crash carts are systems typically set up in data centers or server rooms, with a keyboard, mouse, and monitor, to easily and quickly connect to a server to work on it. First-responder kits are usually first-aid kits for medical emergencies. Grab bags typically contain multiple unrelated items.

Paula is working on a report that describes the common attack models used by APT actors. Which of the following is a typical characteristic of an APT attack?

Options are :

  • They involve sophisticated DDoS attacks
  • They quietly gather information from compromised systems (Correct)
  • They rely on worms to spread
  • They use encryption to hold data hostage

Answer : They quietly gather information from compromised systems

Explanation APTs typically use email to gain access to a system and install malware. These threats then attempt to gain further access to the system with higher levels of privilege. They retrieve information and use it while hiding their activities. DDoS, worms, and extortion are not typical APT behavior.

Degaussing is an example of what type of media sanitization?

Options are :

  • Clearing
  • Purging (Correct)
  • Destruction
  • It isn’t a form of media sanitization

Answer : Purging

Explanation Degaussing is a form of purging. Degaussing uses magnets to remove data.

A cyber security technician has been running an intensive vulnerability scan to detect which ports might be open to exploitation. But, during the scan, one of the network services became disabled and this impacted the production server. What information source could be used to evaluate which network service was interrupted?

Options are :

  • Syslog (Correct)
  • Network mapping
  • Firewall logs
  • NIDS

Answer : Syslog

Explanation The syslog server is a centralized log management solution. By looking through the logs on the syslog server, the technician could determine which service failed on which server, since all the logs are retained on the syslog server from all of the network devices and servers.

What is NOT part of the security incident validation effort?

Options are :

  • Scanning
  • Sanitization (Correct)
  • Patching
  • Permissions

Answer : Sanitization

Explanation Patching, permissions, scanning, and verifying logging are the components of the security incident validation effort. Sanitization is a component of the security incident eradication effort.

Richard noticed that the forensic image he attempted to create has failed. What would be the most likely reason for the failure?

Options are :

  • Data was modified
  • The source disk is encrypted
  • The destination disk has bad sectors (Correct)
  • The data cannot be copied in RAW format

Answer : The destination disk has bad sectors

Explanation If he has verified that the source and the target media are the same size, then the failure has probably happened because of bad media on the source drive or bad sectors on the target drive.

TRUE or FALSE: CSIRTs should sometimes include human resource team members.

Options are :

  • TRUE (Correct)

Answer : TRUE

Explanation CSIRTs include human resources team members when investigating incidents that may include employee malfeasance.

NIST describes four major phases in the incident response cycle. Which is not one of the four?

Options are :

  • Containment, eradication, and recovery
  • Notification and communication (Correct)
  • Detection and analysis
  • Preparation

Answer : Notification and communication

Explanation NIST identifies the following phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.

Jenny is trying to detect unexpected output from the application she manages/monitors. What type of tool can be used to detect the output effectively?

Options are :

  • A log analysis tool
  • A behavior based analysis tool (Correct)
  • A signature based detection tool
  • Manual analysis

Answer : A behavior based analysis tool

Explanation The best answer is behavior-based analysis tools. These can be used to capture and analyze normal behavior and then alert when an anomaly occurs. This requires more effort during setup, but in the long term it requires less work and less manual monitoring.

Several years ago, the Stuxnet attack relied on engineers that took malware with them, crossing the air gap between networks. What type of threat uses this method?

Options are :

  • Email
  • Web
  • Removable media (Correct)
  • Attrition

Answer : Removable media

Explanation The best answer is removable media. Air gaps are design models that remove connections from one network to another network or other systems. The only way to cross an air gap is to have a physical device between these systems.

What is not a major category of security event indicator?

Options are :

  • Alerts
  • Logs
  • People
  • Databases (Correct)

Answer : Databases

Explanation The four major categories of security event indicator are alerts, logs, publicly available information, and people.

Who should coordinate incident-related communications with the media during an incident response?

Options are :

  • Cyber security analysts
  • Chief Technology Officer
  • Public Relations Officer (Correct)
  • Human Resources Officer

Answer : Public Relations Officer

Explanation Public relations staff should be included in incident response teams to coordinate communications with the general public and the media.

What provides the detailed, tactical information that CSIRT members need when responding to an incident?

Options are :

  • Procedures (Correct)
  • Guidelines
  • Policies
  • Instructions

Answer : Procedures

Explanation Procedures provide detailed, tactical information to the CSIRT. They represent the collective wisdom of team members and subject-matter experts.

During what phase of the incident response process does an organization assemble an incident response toolkit?

Options are :

  • Preparation (Correct)
  • Detection and analysis
  • Containment, eradication, and recovery
  • Post-incident activity

Answer : Preparation

Explanation Developing an incident response toolkit is a step completed during the preparation phase of incident response.

What tool is NOT useful for capturing or analyzing memory data for forensic analysis on a Windows machine?

Options are :

  • Fmem (Correct)
  • Volatility Framework
  • DumpIt
  • EnCase

Answer : Fmem

Explanation The Volatility framework, DumpIt, and EnCase all provide Windows memory capture for forensic use. Fmem and LiME are both Linux-only kernel modules that provide access to physical memory.

Richard’s company processes credit cards and they are required to be compliant with PCI-DSS. If his company has a breach of card data, what type of disclosure will they have to provide?

Options are :

  • Notification to local law enforcement
  • Notification to their acquiring bank (Correct)
  • Notification to federal law enforcement
  • Notification to Visa and Mastercard

Answer : Notification to their acquiring bank

Explanation Any organization that processes credit cards works with the acquiring bank that handles its card processing rather than directly with the card brands. Notification to that bank is part of the response effort. Typically, law enforcement doesn’t have to be notified, and the question lists only two major card brands, which aren’t directly related to the nature of the question, so the best option is notification to the acquiring bank.

Rhonda would like to build some scripts that detect malware beaconing behavior. Which one of the following isn’t a typical means of identifying malware behavior on a network?

Options are :

  • Persistence of the beaconing
  • Beacon protocol (Correct)
  • Beaconing interval
  • Removal of known traffic

Answer : Beacon protocol

Explanation The best option is beacon protocol. Unless she already knows the protocol, filtering beacons by protocol may cause Rhonda to miss the behavior. Attackers typically avoid common analytical tools and use protocols that are less likely to attract attention, so that they aren’t unmasked. Filtering network traffic and removing known traffic are also means of identifying beacons.

What security control provides Windows administrators with an efficient way to manage system configuration settings across a large number of devices?

Options are :

  • Patch management
  • GPO (Correct)
  • HIPS
  • Anti-malware

Answer : GPO

Explanation Patch management, host intrusion prevention systems (HIPS), and antimalware software are all good host security controls, but only Group Policy Objects (GPOs) provide the ability to configure settings across multiple Windows devices.

Tyler needs to implement a security control designed to detect fraudulent cases that happen, regardless of the presence of other security controls. Which of the following is best suited to meet his needs?

Options are :

  • Separation of duties
  • Least privilege
  • Dual control
  • Mandatory vacations (Correct)

Answer : Mandatory vacations

Explanation The best option is mandatory vacations. These are designed to make the individual take time away from the office to allow any fraudulent activity to be surfaced during their absence. The other options listed are designed to prevent fraud, not detect fraud.

The service desk has been receiving a large number of complaints from external users that a web application is responding slowly to requests and frequently returns a “connection timed out” error when they attempt to submit information into the application. What software development best practice should have been implemented in order to have prevented this issue from occurring?

Options are :

  • stress testing (Correct)
  • regression testing
  • input validation
  • fuzzing

Answer : stress testing

Explanation Stress testing is a software testing activity that determines the robustness of software by testing beyond the limits of normal operation. Stress testing is particularly important for "mission critical" software, but is used for all types of software. This stress testing is an important component in the capacity management process of IT service management and is used to ensure adequate resources are available to support the needs of the end user once the service or application goes into the production environment.

What SDLC model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation?

Options are :

  • Waterfall
  • Spiral
  • Agile (Correct)
  • RAD

Answer : Agile

Explanation The Agile Manifesto, the underlying document behind the Agile SDLC model, emphasizes individuals and interactions over the processes and tools that Spiral and Waterfall rely on. It also calls out working software, customer collaboration, and responding to change as key elements of the Agile process.

Of all the items listed, which element is least likely to be found in a data retention policy?

Options are :

  • Minimum retention period
  • Maximum retention period
  • Description of information needing to be retained
  • Classification of information (Correct)

Answer : Classification of information

Explanation Data retention policies highlight what information companies will maintain, the length of time they’ll maintain it, and the categories of information. Data classification would not be covered in the retention policy but in a classification policy.

Which party in a federation provides services to members of the federation?

Options are :

  • IdP
  • AP
  • RP (Correct)
  • IP

Answer : RP

Explanation Relying parties (RPs) provide services to members of a federation. An IdP, or identity provider, provides identities, makes assertions about those identities, and releases information about the identity holders. AP and IP are both not types of parties in a federation.

What secure coding practice helps to ensure characters like <, >, /, and ‘ are not accepted from the data provided by users?

Options are :

  • Risk assessment
  • User output validation
  • Error message management
  • User input validation (Correct)

Answer : User input validation

Explanation User input validation is a critical control in secure coding efforts. It seeks to remove dangerous inputs and makes sure that applications only receive the inputs that they expect and can handle.

You have been called into the Chief Technology Officer’s (CTO) office and been asked for a recommendation concerning network monitoring services for the company’s intranet. The CTO requests that your solution have the capability to monitor all traffic to and from the network’s gateway and have the ability to block certain types of content. What solution should you recommend?

Options are :

  • Setup of IP filtering on the internal and external interfaces of the gateway router
  • Installation of an IDS on the internal interface and a firewall on the external interface of the gateway router
  • Installation of a firewall on the internal interface and a NIDS on the external interface gateway router (Correct)
  • Installation of an IPS on both the internal and external interfaces of the gateway router

Answer : Installation of a firewall on the internal interface and a NIDS on the external interface gateway router

Explanation In order to meet the requirement to monitor all traffic to and from the network’s gateway, it is best to utilize a network intrusion detection system (NIDS) that monitors the external interface of the gateway router. In order to be able to block certain types of content, it is best to install a firewall on the internal interface, where ACLs can be established for those traffic types.

Which authentication protocol was designed by Cisco to provide authentication, authorization, and accounting services?

Options are :

  • CHAP
  • TACACS+ (Correct)
  • Kerberos

Answer : TACACS+

Explanation Cisco’s TACACS+ is an extension to TACACS, the Terminal Access Controller Access Control System. RADIUS and Kerberos are both authentication protocols but were not designed by Cisco. CHAP is the Challenge-Handshake Authentication Protocol.

Charlotte is troubleshooting a network connectivity issue. She would like to determine the path that packets take from her system to a remote host. What tool is best to assist with this task?

Options are :

  • ping
  • netstat
  • tracert (Correct)
  • ipconfig

Answer : tracert

Explanation Tracert traces a route that a packet of data takes and helps with troubleshooting points of concern.

Your organization wants to update its Acceptable Use Policy (AUP) to incorporate its newly implemented password standard, which requires the sponsored authentication of guest wireless devices. What should be added to the AUP to support this new requirement?

Options are :

  • Sponsored guest passwords must be at least 14 characters in length, contain uppercase and lowercase letters, and contain at least 2 symbols
  • Wireless infrastructure should use open authentication standards
  • Guests using the wireless network should provide valid identification when registering their wireless devices (Correct)
  • Network authentication of all guest users should occur using 802.1x backed by a RADIUS server

Answer : Guests using the wireless network should provide valid identification when registering their wireless devices

Explanation Sponsored authentication of guest wireless devices requires a guest user to provide valid identification when registering their wireless devices and an employee to validate their need for access (thereby “sponsoring” the guest).

An organization uses Acunetix for software testing. Which of the following issues is Acunetix most likely to detect?

Options are :

  • Cross-site scripting (Correct)
  • Lexical scoping errors
  • Buffer overflows
  • Insecure data storage

Answer : Cross-site scripting

Explanation Acunetix is a web application vulnerability scanner, and of all the flaws listed, cross-site scripting is the one such a scanner would detect.

Marie would like to deploy EMET (Microsoft Enhanced Mitigation Experience Toolkit) to secure her organization’s systems. She wants to use this tool to prevent buffer overflow attacks from specific applications. Which feature would best assist with this?

Options are :

  • DLP
  • ASLR (Correct)
  • EMEA
  • DEP

Answer : ASLR

Explanation ASLR (address space layout randomization) places memory regions at random locations to defeat attacks that rely on specific, predictable memory addresses. DEP prevents the execution of code that has been loaded into the data space of memory.

A cybersecurity analyst needs a tool that identifies the open ports and services on a host, along with the version of the application associated with each port and service. They have decided to use a command line tool. What tool should they choose?

Options are :

  • ping
  • nmap (Correct)
  • netstat
  • Wireshark

Answer : nmap

Explanation Nmap sends specially crafted packets to the target host(s) and then analyzes the responses to determine the open ports and services running on those hosts. In addition, nmap can determine the versions of the applications being used on those ports and services. Nmap is a command line tool for use on Linux, Windows, and OS X systems.

What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase?

Options are :

  • Development
  • Training and Transition (Correct)
  • Operations and Maintenance
  • Disposition

Answer : Training and Transition

Explanation The Training and Transition phase ensures that end users are trained on the software and that the software has entered general use. Because of these activities, this phase is sometimes called the acceptance, installation, and deployment phase.

Jason is designing an authentication system upgrade for his organization. The organization currently only uses password-based authentication and has been suffering a series of phishing attacks. Jason would like to achieve multi-factor authentication in the new system design. Which one of the following authentication techniques would be most appropriate to add to the current password-based system?

Options are :

  • PIN
  • Security questions
  • Smartcard (Correct)
  • Password complexity

Answer : Smartcard

Explanation The best option would be a smartcard. Passwords are something you know, as is a PIN. The goal is multifactor authentication, so combining something you have with something you know creates a multifactor environment: you know a password and you have a smartcard.

What should a vulnerability report include if a cybersecurity analyst wants it to reflect the assets scanned accurately?

Options are :

  • Processor utilization
  • Virtual hosts (Correct)
  • Organizational governance
  • Log disposition

Answer : Virtual hosts

Explanation Vulnerability reports should include not just physical hosts but also virtual hosts. A common mistake of new cybersecurity analysts is to include only physical hosts, thereby missing a large number of assets on the network.
