QUESTIONS AND VERIFIED CORRECT ANSWERS
The IT team reports the EDR software that is installed on laptops is using a large
amount of resources. Which of the following changes should a security analyst make to
the EDR to BEST improve performance without compromising security?
A. Quarantine the infected systems.
B. Disable on-access scanning.
C. Whitelist known-good applications.
D. Sandbox unsigned applications. - ANSWER Whitelist known-good applications
A security analyst is reviewing the following requirements for new time clocks that will
be installed in a shipping warehouse: The clocks must be configured so they do not
respond to ARP broadcasts. The server must be configured with static ARP entries for
each clock. Which of the following types of attacks will this configuration mitigate?
A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing - ANSWER Spoofing
Which of the following sources would a security analyst rely on to provide relevant and
timely threat information concerning the financial services industry?
A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis memberships
D. Common vulnerability and exposure bulletins - ANSWER Information sharing and
analysis
An information security analyst discovered a virtual machine server was compromised
by an attacker. Which of the following should be the FIRST step to confirm and respond
to the incident?
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine. - ANSWER Take a snapshot of the virtual
machine.
As part of an organization's information security governance process, a Chief
Information Security Officer (CISO) is working with the compliance officer to update
policies to include statements related to new regulatory and legal requirements. Which
of the following should be done to BEST ensure all employees are appropriately aware
of changes to the policies?
A. Conduct a risk assessment based on the controls defined in the newly revised
policies.
B. Require all employees to attend updated security awareness training and sign an
acknowledgement.
C. Post the policies on the organization's intranet and provide copies of any revised
policies to all active vendors.
D. Distribute revised copies of policies to employees and obtain a signed
acknowledgement from them - ANSWER Require all employees to attend updated
security awareness training and sign an acknowledgement.
An analyst wants to identify hosts that are connecting to the external FTP servers and
what, if any, passwords are being used. Which of the following commands should the
analyst use?
A. Tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21 - ANSWER Tcpdump -X dst port 21
Employees of a large financial company are continuously being infected by strains of
malware that are not detected by EDR tools. Which of the following is the BEST security
control to implement to reduce corporate risk while allowing employees to exchange
files at client sites?
A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation - ANSWER VDI environment
While reviewing a packet capture, a security analyst discovers a recent attack used
specific ports communicating across non-standard ports and exchanged a particular set
of files. In addition, forensics determines the files contain malware and have a specific
callback domain within the files. The MOST appropriate action to take in this situation
would be to implement a change request for an IPS:
A. to block the callback domain and another signature hash to block the files
B. behavioral signature and update the blacklisting on the domain
C. rule to block the non-standard ports and update the blacklisting of the callback
domain
D. signature for the callback domain and update the firewall settings to block the
non-standard ports - ANSWER rule to block the non-standard ports and update the
blacklisting of the callback domain
During a review of the vulnerability scan results on a server, an information security
analyst notices the following: The MOST appropriate action for the analyst to
recommend to developers is to change the web server so:
A. It only accepts TLSv1.2
B. It only accepts ciphers suites using AES and SHA
C. It no longer accepts the vulnerable cipher suites
D. SSL/TLS is offloaded to a WAF and load balancer - ANSWER It no longer accepts
the vulnerable cipher suites
As part of a merger with another organization, a Chief Information Security Manager
(CISO) is working with an assessor to perform a risk assessment focused on data
privacy compliance. The CISO is primarily concerned with the potential legal liability and
fines associated with data privacy. Based on the CISO's concerns, the assessor will
MOST likely focus on:
A. qualitative probabilities
B. quantitative probabilities
C. qualitative magnitude
D. quantitative magnitude - ANSWER quantitative magnitude
concerned developers have too much visibility into customer data. Which of the
following controls should be implemented to BEST address these concerns?
A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty - ANSWER Data masking
Which of the following will allow different cloud instances to share various types of data
with a minimal amount of complexity?
A. Reverse engineering
B. Application log collections
C. Workflow or orchestration
D. API integration
E. Scripting - ANSWER API integration
A security analyst is investigating an incident that appears to have started
with SQL injection against a publicly available web application. Which of the following is
the FIRST step the analyst should take to prevent future attacks?
A. Modify the IDS rules to have a signature for SQL injection.
B. Take the server offline to prevent continued SQL injection.
C. Create a WAF rule in block mode for SQL injection.
D. Ask the developers to implement parameterized SQL queries. - ANSWER Ask the
developers to implement parameterized SQL queries.