CySA+ 2022 Questions and Answers with complete
solution
B. >>>1. The help desk informed a security analyst of a trend that is beginning to
develop regarding a suspicious email that has been reported by multiple users. The
analyst has determined the email includes an attachment named invoice.zip that
contains the following files:
Locky.js
xerty.ini
xerty.lib
Further analysis indicates that when the .zip file is opened, it is installing a new version
of ransomware on the devices. Which of the following should be done FIRST to prevent
data on the company NAS from being encrypted by infected devices?
A. Disable access to the company VPN
B. Email employees instructing them not to open the invoice attachment
C. Set permissions on file shares to read-only
D. Add the URL included in the .js file to the company's web proxy filter
B. >>>2. A security analyst is reviewing the following log after enabling key-based
authentication.
Dec 21 11:00:57 comptia sshd[5657]: Failed password for root from 95.58.255.62 port
38980 ssh2
Dec 21 20:08:26 comptia sshd[5768]: Failed password for root from 91.205.189.15 port
38156 ssh2
Dec 21 20:08:30 comptia sshd[5770]: Failed password for nobody from 91.205.189.15
port 38556 ssh2
Dec 21 20:08:34 comptia sshd[5772]: Failed password for invalid user asterisk from
91.205.189.15 port 38864 ssh2
Dec 21 20:08:38 comptia sshd[5774]: Failed password for invalid user sjobeck from
91.205.18.15 port 39157 ssh2
Dec 21 20:08:42 comptia sshd[5776]: Failed password for root from 91.205.189.15 port
39467 ssh2
Given the above information, which of the following steps should be performed NEXT to
secure the system?
A. Disable anonymous SSH logins
B. Disable password authentication for SSH
C. Disable SSHv1
D. Disable remote root SSH logins
C. >>>3. A security analyst has noticed that a particular server has consumed over 1TB
of bandwidth over the course of the month. It has port 3333 open; however, there have
not been any alerts or notices regarding the server or its activities. Which of the
following did the analyst discover?
A. APT
B. DDoS
C. Zero Day
D. False Positive
C. >>>4. A company has recently launched a new billing invoice website for a few key
vendors. The cybersecurity analyst is receiving calls that the website is performing
slowly and the pages sometimes time out. The analyst notices the website is receiving
millions of requests, causing the service to become unavailable. Which of the following
can be implemented to maintain the availability of the website?
A. VPN
B. Honeypot
C. Whitelisting
D. DMZ
E. MAC filtering
A. >>>5. An executive tasked a security analyst to aggregate past logs, traffic, and
alerts on a particular attack vector. The analyst was then tasked with analyzing the data
and making predictions on future complications regarding this attack vector. Which of
the following types of analysis is the security analyst MOST likely conducting?
A. Trend analysis
B. Behavior analysis
C. Availability analysis
D. Business analysis
C. >>>6. An incident response report indicates a virus was introduced through a remote
host that was connected to corporate resources. A cybersecurity analyst has been
asked for a recommendation to solve this issue. Which of the following should be
applied?
A. MAC
B. TAP
C. NAC
D. ACL
A. >>>7. A reverse engineer was analyzing malware found on a retailer's network and
found code extracting track data in memory. Which of the following threats did the
engineers MOST likely uncover?
A. POS malware
B. Rootkit
C. Key logger
D. Ransomware
D.
E. >>>8. A cybersecurity consultant is reviewing the following output from a vulnerability
scan against a newly installed MS SQL Server 2012 that is slated to go into production
in one week:
Summary
The remote MS SQL server is vulnerable to the Hello overflow
Solution
Install Microsoft Patch Q316333 or disable the Microsoft SQL Server service or
use a firewall to protect the MS SQL port
References
MSB: MS02-043, MS02-056, MS02-061
CVE: CVE-2002-1123
BID: 5411
Other: IAVA 2002-B-0007
Based on the above information, which of the following should the system administrator
do? (Select TWO)
A. Verify the vulnerability using penetration testing tools or proof-of-concept exploits
B. Review the references to determine if the vulnerability can be remotely exploited
C. Mark the result as a false positive so it will show in subsequent scans
D. Configure a network-based ACL at the perimeter firewall to protect the MS SQL port
E. Implement the proposed solution by installing Microsoft patch Q316333
D. >>>9. Datacenter access is controlled with proximity badges that record all entries
and exits from the datacenter. The access records are used to identify which staff
members accessed the data center in the event of equipment theft. Which of the
following MUST be prevented in order for this policy to be effective?
A. Password reuse
B. Phishing
C. Social engineering
D. Tailgating
A. >>>10. A security professional is analyzing the results of a network utilization report.
The report includes the following information:
IP Address     Server Name         Server Uptime      Historical  Current
172.20.20.58   web.srvr.03         30D 12H 52M 009S   41.3GB      37.2GB
172.20.1.215   dev.web.srvr.01     30D 12H 52M 009S   1.81GB      2.2GB
172.20.1.22    hr.dbprod.01        30D 12H 17M 009S   2.24GB      29.97GB
172.20.1.26    mrktg.file.srvr.02  30D 12H 41M 009S   1.23GB      0.34GB
172.20.1.28    accnt.file.srvr.01  30D 12H 52M 009S   3.62GB      3.57GB
172.20.1.30    R&D.file.srvr.01    1D 4H 22M 01S      1.24GB      0.764GB
Which of the following servers needs further investigation?
A. hr.dbprod.01
B. R&D.file.srvr.01
C. mrktg.file.srvr.02
D. web.srvr.03
A. >>>11. Several users have reported that when attempting to save documents in team
folders, the following message is received:
The File Cannot Be Copied or Moved - Service Unavailable
Upon further investigation, it is found that the syslog server is not obtaining log events
from the file server to which the users are attempting to copy files. Which of the
following is the MOST likely scenario causing these issues?
A. The network is saturated, causing network congestion
B. The file server is experiencing high CPU and memory utilization
C. Malicious processes are running on the file server
D. All the available space on the file server is consumed
C. >>>12. A security analyst has created an image of a drive from an incident. Which of
the following describes what the analyst should do NEXT?
A. The analyst should create a backup of the drive and then hash the drive.
B. The analyst should begin analyzing the image and begin to report findings
C. The analyst should create a hash of the image and compare it to the original drive's
hash
D. The analyst should create a chain of custody document and notify stakeholders
C. >>>13. After completing a vulnerability scan, the following output was noted:
CVE-2011-3389 QID 42366 - SSLv3.0 / TLSv1.0 Protocol weak CBC mode Server side vulnerability
Check with:
openssl s_client -connect qualys.jive.mobile.com:443 -tls1 -cipher
"AES:CAMELLIA:SEED:3DES:DES"
Which of the following vulnerabilities has been identified?
A. PKI transfer vulnerability
B. Active Directory encryption vulnerability
C. Web application cryptography vulnerability
D. VPN tunnel vulnerability
C. >>>14. A cybersecurity analyst traced the source of an attack to compromised user
credentials. Log analysis revealed that the attacker successfully authenticated from an
unauthorized foreign country. Management asked the security analyst to research and
implement a solution to help mitigate attacks based on compromised passwords. Which
of the following should the analyst implement?
A. Self-service password reset
B. Single sign-on
C. Context-based authentication
D. Password complexity
A. >>>15. The director of software development is concerned with recent web
application security incidents, including the successful breach of a back-end database
server. The director would like to work with the security team to implement a
standardized way to design, build, and test web applications and the services that
support them. Which of the following meets the criteria?
A. OSASP
B. SANS
C. PHP
D. Ajax
C. >>>16. A network technician is concerned that an attacker is attempting to penetrate
the network, and wants to set a rule on the firewall to prevent the attacker from learning
which IP addresses are valid on the network. Which of the following protocols needs to
be denied?
A. TCP
B. SMTP
C. ICMP
D. ARP
A. >>>17. A system administrator has reviewed the following output:
#nmap server.local
Nmap scan report for server.local (10.10.2.5)
Host is up (0.3452354s latency)
Not shown: 997 closed ports
PORT STATE Service
22/tcp open ssh
80/tcp open http
#nc server.local 80
220 server.local Company SMTP server (Postfix/2.3.3)
#nc server.local 22
SSH-2.0-OpenSSH_7.1p2 Debian-2
#
Which of the following can a system administrator infer from the above output?
A. The company email server is running a non-standard port
B. The company email server has been compromised
C. The company is running a vulnerable SSH server
D. The company web server has been compromised
B.
C.
D. >>>18. Considering confidentiality and integrity, which of the following make servers
more secure than desktops? (Select THREE)
A. VLANs
B. OS
C. Trained operators
D. Physical access restriction
E. Processing power
F. Hard Drive capacity
A.
C. >>>19. A software assurance lab is performing a dynamic assessment of an
application by automatically generating and inputting different, random data sets to
attempt to cause an error/failure condition. Which of the following software assessment
capabilities is the lab performing AND during which phase of the SDLC should this
occur?
A. Fuzzing
B. Behavior modeling
C. Static code analysis
D. Prototyping phase
E. Requirements phase
F. Planning phase
A. >>>20. A cybersecurity analyst has been asked to follow a corporate process that will
be used to manage vulnerabilities for an organization. The analyst notices the policy
has not been updated in three years. Which of the following should the analyst check to
ensure the policy is still accurate?
A. Threat intelligence reports
B. Technical constraints
C. Corporate minutes
D. Governing regulations
A. >>>21. A security analyst has been asked to remediate a server vulnerability. Once
the analyst has located a patch for the vulnerability, which of the following should
happen NEXT?
A. Start the change control process
B. Rescan to ensure the vulnerability still exists
C. Implement continuous monitoring
D. Begin the incident response process
A. >>>22. Law enforcement has contacted a corporation's legal counsel because
correlated data from a breach shows the organization as the common denominator from
all indicators of compromise. An employee overhears the conversation between legal
counsel and law enforcement, and then posts a comment about it on social media. The
media then starts contacting other employees about the breach. Which of the following
steps should be taken to prevent further disclosure of information about the breach?
A. Security awareness about incident communication channels
B. Request all employees verbally commit to an NDA about the breach
C. Temporarily disable employee access to social media
D. Law enforcement meeting with employees
B. >>>23. An organization has recently recovered from an incident where a managed
switch had been accessed and reconfigured without authorization by an insider. The
incident response team is working on developing a lessons learned report with
recommendations. Which of the following recommendations will BEST prevent the
same attack from occurring in the future?
A. Remove and replace the managed switch with an unmanaged one.
B. Implement a separate logical network segment for management interfaces.
C. Install and configure NAC services to allow only authorized devices to connect to the
network
D. Analyze normal behavior on the network and configure the IDS to alert on deviation
from normal.
B. >>>24. A cybersecurity analyst has several log files to review. Instead of using grep
and cat commands, the analyst decides to find a better approach to analyze the logs.
Given a list of tools, which of the following would provide a more efficient way for the
analyst to conduct a timeline analysis, do keyword searches, and output a report?
A. Kali
B. Splunk
C. Syslog
D. OSSIM
A.
B. >>>25. Which of the following are essential components within the rules of
engagement for a penetration test? (Select TWO)
A. Schedule
B. Authorization
C. List of system administrators
D. Payment terms
E. Business justification
B.
C. >>>26. An ATM in a building lobby has been compromised. A security technician has
been advised that the ATM must be forensically analyzed by multiple technicians.
Which of the following items in a forensic tool kit would likely be used FIRST? (Select
TWO)
A. Drive adapters
B. Chain of custody form
C. Write blockers
D. Crime tape
E. Hashing utilities
F. Drive imager
B. >>>27. A threat intelligence analyst who works for a technology firm received this
report from a vendor.
"There has been an intellectual property theft campaign executed against organizations
in the technology industry. Indicators for this activity are unique to each intrusion. The
information that appears to be targeted is R&D data. The data exfiltration appears to
occur over months via uniform TTPs. Please execute a defensive operation regarding
this attack vector."
Which of the following combinations suggests how the threat should MOST likely be
classified and the type of analysis that would be MOST helpful in protecting against this
activity?
A. Polymorphic malware and secure code analysis
B. Insider threat and indicator analysis
C. APT and behavioral analysis
D. Ransomware and encryption
A. >>>28. A security analyst is attempting to configure a vulnerability scan for a new
segment on the network. Given the requirement to prevent credentials from traversing
the network while still conducting a credentialed scan, which of the following is the
BEST choice?
A. Install agents on the endpoints to perform the scan
B. Provide each endpoint with vulnerability scanner credentials
C. Encrypt all of the traffic between the scanner and the endpoint
D. Deploy scanners with administrator privileges on each endpoint
B. >>>29. An HR employee began having issues with a device becoming unresponsive
after attempting to open an email attachment. When informed, the security analyst
became suspicious of the situation, even though there was not any unusual behavior on
the IDS or any alerts from the antivirus software. Which of the following BEST describes
the type of threat in this situation?
A. Packet of death
B. Zero-day malware
C. PII exfiltration
D. Known virus
A. >>>30. An application development company released a new version of its software
to the public. A few days after the release, the company is notified by end users that the
application is notably slower, and older security bugs have reappeared in the new
release. The development team has decided to include the security analyst during their
next development cycle to help address the reported issues. Which of the following
should the security analyst focus on to remedy the existing reported problems?
A. The security analyst should perform security regression testing during each
application development cycle
B. The security analyst should perform end user acceptance security testing during
each application development cycle
C. The security analyst should perform secure coding practices during each application
life cycle
D. The security analyst should perform application fuzzing to locate application
vulnerabilities during each application development cycle
A. >>>31. A technician is running an intensive vulnerability scan to detect which ports
are open to exploit. During the scan, several network services are disabled and
production is affected. Which of the following sources would be used to evaluate which
network service was interrupted?
A. Syslog
B. Network mapping
C. Firewall logs
D. NIDS
E. >>>32. Given the following output from a Linux machine:
file2cable -i eth0 -f file.pcap
Which of the following BEST describes what a security analyst is trying to accomplish?
A. The analyst is attempting to measure bandwidth utilization on interface eth0
B. The analyst is attempting to capture traffic on interface eth0
C. The analyst is attempting to replay captured data from a PCAP file
D. The analyst is attempting to capture traffic for a PCAP file
E. The analyst is attempting to use a protocol analyzer to monitor network traffic