CompTIA CySA+ Guide to Cybersecurity Analyst (CS0 -002) by Mark Ciampa
Chapters 1-12
Chapter 1
Table of Contents
Review Questions (p. 1)
Case Projects (p. 8)
  Case Project 1-1 Rootkits (p. 8)
  Case Project 1-2 Heap Overflow (p. 9)
  Case Project 1-3 Document Object Model XSS (p. 10)
  Case Project 1-4 Real-Time Operating System (RTOS) (p. 10)
  Case Project 1-5 On the Job (p. 11)
Security for Life 1: KrebsOnSecurity (p. 12)
  Grading Rubric for Security for Life (p. 12)
Reflection 1: Social Media Profiling (p. 13)
  Grading Rubric for Reflection (p. 14)
Review Questions
1. Which of the following is FALSE about rootkits?
a. A rootkit is malware that can hide the presence of other malware.
b. Rootkits continue to be used extensively and their usage has not diminished.
c. Rootkits can be used to hide their own presence.
d. Rootkits cannot be detected by either an OS or common antimalware scanning software.
Answer: b. Rootkits continue to be used extensively and their usage has not diminished.
Explanation: The risks of rootkits in OSs are significantly diminished today due to protections built into
modern OS software. These protections include preventing unauthorized kernel drivers from loading,
stopping modifications to certain kernel areas used by rootkits to hide, and preventing rootkits from
modifying the bootloader program.
2. What is the goal of a buffer overflow attack?
a. To change the address in the buffer to the attacker’s malware code
b. To cause the computer to function erratically
c. To steal data stored in RAM
d. To link to an existing rootkit
Answer: a. To change the address in the buffer to the attacker’s malware code
Explanation: A buffer overflow attack occurs when a process attempts to store data in RAM beyond the
boundaries of a fixed-length storage buffer, so that the extra data overflows into the adjacent memory
locations. Because the memory adjacent to the buffer typically contains the "return address," an attacker can overflow
the buffer to overwrite that address with a new one pointing to the attacker's malware code.
3. Which area of computer memory is dynamic memory for the programmer to allocate as necessary?
a. Text
b. Stack
c. Heap
d. Data
Answer: c. Heap
Explanation: The heap is dynamic memory for the programmer to allocate as necessary.
4. Jan is explaining to his colleague the reasons why a web application infrastructure is a tempting
target for attackers. Which of the following is NOT a reason Jan would give?
a. A successful compromise could impact all web users who access the web server.
b. An attack could provide a pathway into the enterprise’s network infrastructure.
c. An attack on a web application infrastructure is considered the easiest attack to create.
d. The multiple elements in a web application infrastructure provide for a range of
vulnerabilities that can be used as different attack vectors.
Answer: c. An attack on a web application infrastructure is considered the easiest attack to create.
Explanation: A web application attack is not the easiest attack to create.
5. Which of the following is FALSE about a cross-site scripting (XSS) attack?
a. The underlying web application that accepts the malicious code becomes the vehicle to
deliver the malicious script to every user's browser when he or she accesses that site.
b. An attacker attempts to execute malicious scripts in the victim’s web browser by directly
injecting it into the user’s web browser.
c. XSS is essentially a client-side code injection attack using a web application.
d. The term cross-site scripting refers to an attack using scripting that originates on one site (the
web server) to impact another site (the user’s computer).
Answer: b. An attacker attempts to execute malicious scripts in the victim’s web browser by directly
injecting it into the user’s web browser.
Explanation: An attacker attempts to execute malicious scripts in the victim's web browser, but not by
directly injecting them into the user's web browser. Rather, the attacker submits the malicious code to a
website that accepts user input. The underlying web application that accepts the malicious code then
becomes the vehicle that delivers the malicious script to every user's browser when they access that site.
6. Ricardo is reviewing the different types of XSS attacks. Which attack only impacts the user who
entered the text on the website?
a. Reflected XSS
b. Persistent XSS
c. Document Object Model XSS
d. Universal XSS
Answer: a. Reflected XSS
Explanation: In a Reflected XSS attack, the user enters input into a web application that is then
immediately displayed back (“reflected”) to that user to initiate the attack.
7. What is the goal of a SQL injection attack?
a. To corrupt data in the database
b. To manipulate a NoSQL database
c. To extract data from a database
d. To inject malware that will infect the web browsers of subsequent users
Answer: c. To extract data from a database
Explanation: The goal of a SQL injection attack is to exfiltrate data from a SQL database.
8. Bette is researching how a session hijacking attack could occur. Which of the following would she NOT
find as a means for the attack to occur?
a. MITM
b. XSS
c. Guessing the session ID
d. MVFL
Answer: d. MVFL
Explanation: This is fictitious and does not exist.
9. Which of the following is FALSE about a password spraying attack?
a. It takes one or a small number of commonly used passwords in attempts to break into an
account.
b. Because it is spread across many different accounts, it is much less likely to raise any alarms.
c. It is considered the optimal means for breaking into accounts.
d. It is a type of targeted guessing.
Answer: c. It is considered the optimal means for breaking into accounts.
Explanation: Although password spraying may occasionally succeed, it is not considered the
optimal means for breaking into accounts.
10. Why is credential stuffing effective?
a. Because users repeat their passwords on multiple accounts
b. Because it can circumvent all known password security protections
c. Because it is the fastest known password cracking attack
d. Because it is the oldest and most reliable attack on passwords
Answer: a. Because users repeat their passwords on multiple accounts
Explanation: Because users repeat their passwords on multiple accounts, attackers reuse passwords stolen
from one site to log in to other sites with a high probability of success. This is known as credential stuffing.
11. What is the goal of a directory traversal attack?