100% Correct
As part of a government acquisitions program for the U.S. Department of Defense, Sean
is required to ensure that the chips and other hardware-level components used in the
switches, routers, and servers that he purchases do not include malware or other
potential attack vectors. What type of supplier should Sean seek out?
A TPM
An OEM provider
A trusted foundry
A gray-market provider - ANSWERC. Trusted foundries are part of the Department of
Defense's Trusted Foundry program, which ensures that hardware components come from
vetted suppliers and have not been compromised by malicious actors. A TPM is a Trusted
Platform Module, a security chip built into a device, not a type of supplier. OEMs are
original equipment manufacturers that may not have sourced their components through
trusted channels, and gray-market providers sell hardware outside of their normal or
contractually allowed channels, so the provenance of their stock cannot be verified.
One of the servers that Adam is responsible for recently ran out of disk space. Despite
system-level alarms, the problem was not detected, resulting in an outage when the
server crashed. How would this issue be categorized if the NIST threat categorization
method was used as part of an after-action review?
Environmental
Adversarial
Accidental
Structural - ANSWERD. Resource exhaustion is a type of structural failure as defined
by the NIST threat categories. It might be tempting to categorize this as accidental
because Adam did not notice the alarms; however, accidental threats are specifically
caused by individuals doing routine work who undermine security through their actions.
In this case, the structural nature of the problem is the more important category.
Ben would like guidance on grouping information into varying levels of sensitivity. He
plans to use these groupings to assist with decisions around the security controls that
the organization will apply to storage devices containing that information. Which one of
the following policies is most likely to contain relevant information for Ben's
decisionmaking process?
Data retention policy
Data classification policy
Data encryption policy
Data disposal policy - ANSWERB. While all of these policies may contain information
about data security, Ben is specifically interested in grouping information into categories
of similar sensitivity. This is the process of data classification. A data retention policy
would contain information on the data life cycle. An encryption policy would describe
what data must be encrypted and appropriate encryption techniques. A data disposal
policy would contain information on properly destroying data at the end of its life cycle.
Erin is attempting to collect network configuration information from a Windows system
on her network. She is familiar with the Linux operating system and would use the
ifconfig command to obtain the desired information on a Linux system. What equivalent
command should she use in Windows?
ipconfig
netstat
ifconfig
netcfg - ANSWERA. The Windows equivalent to the Linux ifconfig command is
ipconfig. netstat displays open network connections and listening ports rather than
interface configuration. ifconfig does not exist on Windows, and netcfg.exe, which does,
installs and lists network components rather than showing interface addressing. Note
that current Linux distributions have replaced ifconfig with ip addr from the iproute2
package, although the question assumes the older tool.
Lonnie ran a vulnerability scan of a server that he recently detected in his organization
that is not listed in the organization's configuration management database. One of the
vulnerabilities detected is shown here. What type of service is most likely running on
this server?
Screenshot shows a vulnerability scan result titled phpinfo information disclosure
vulnerability, with threat and impact sections and fields for first detected, last
detected, vendor reference, user modified, and so on.
Database
Web
Time
Network management - ANSWERB. The PHP language is used for the development of
dynamic web applications, and phpinfo() is a PHP page that reports the interpreter
version, loaded configuration, and server environment, which is why its exposure is
flagged as information disclosure. The presence of PHP on this server indicates that it
is a web server. It may also be running database, time, or network management services,
but the scan results provide no evidence of this.
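Confirming and triaging a phpinfo finding like the one above usually means reading the page the scanner saw and listing what it leaks. The following Python script is an added example, not part of the original question or of any scanner's code: it splits a constructed HTTP response (the sample body, hostnames, paths and addresses are invented for the example), checks for phpinfo() markers, and extracts the PHP version and the rows that matter most to an attacker.

```python
import re

# Markers that together identify phpinfo() output rather than an ordinary PHP page.
PHPINFO_MARKERS = ("phpinfo()", "PHP Version ", 'class="e"')

# Rows whose values turn an information-disclosure finding into useful reconnaissance.
SENSITIVE_ROWS = ("System", "Loaded Configuration File", "DOCUMENT_ROOT",
                  "SERVER_ADDR", "display_errors")

# Constructed response for the example; it is not output from a real server.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=utf-8

<html><head><title>PHP 7.4.3 - phpinfo()</title></head><body>
<h1 class="p">PHP Version 7.4.3</h1>
<table>
<tr><td class="e">System </td><td class="v">Linux web01 5.4.0-91-generic #102-Ubuntu x86_64 </td></tr>
<tr><td class="e">Loaded Configuration File </td><td class="v">/etc/php/7.4/apache2/php.ini </td></tr>
<tr><td class="e">$_SERVER['DOCUMENT_ROOT']</td><td class="v">/var/www/html</td></tr>
<tr><td class="e">$_SERVER['SERVER_ADDR']</td><td class="v">10.20.30.40</td></tr>
<tr><td class="e">display_errors</td><td class="v">On</td><td class="v">On</td></tr>
</table></body></html>"""


def split_http_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def analyze_phpinfo(raw):
    """Confirm whether a response is phpinfo() output and list what it leaks."""
    _, headers, body = split_http_response(raw)
    hits = sum(marker in body for marker in PHPINFO_MARKERS)
    result = {"phpinfo_exposed": hits >= 2, "server": headers.get("server"),
              "php_version": None, "leaks": {}}
    if not result["phpinfo_exposed"]:
        return result
    match = re.search(r"PHP Version (\d+\.\d+\.\d+)", body)
    if match:
        result["php_version"] = match.group(1)
    # phpinfo() renders each setting as a name cell (class "e") followed by a value cell (class "v").
    row = re.compile(r'<td class="e">\s*([^<]*?)\s*</td>\s*<td class="v">\s*([^<]*?)\s*</td>')
    for name, value in row.findall(body):
        for key in SENSITIVE_ROWS:
            if key in name:
                result["leaks"][key] = value
    return result


if __name__ == "__main__":
    print(analyze_phpinfo(SAMPLE_RESPONSE))
```

The Server header and the PHP rows together answer the question of what service is running, and the leaked document root, internal address, and display_errors setting are what make the finding worth fixing quickly. The fix is to remove the phpinfo page from the web root; the expose_php setting in php.ini only hides the version header and does nothing about a published phpinfo() page.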
Which CompTIA-defined phase of an incident response process includes scanning,
validating and updating permissions, and patching impacted machines?
Eradication
Validation
Recovery
Reporting - ANSWERB. CompTIA includes patching, permissions, scanning, verifying
logging, and communicating to security monitoring systems in the validation stage. This
differs from the NIST standard, which groups activities into eradication and recovery
phases.
Which NIST attack vector classification best describes a distributed denial-of-service
attack?
Impersonation
Improper usage
Web
Attrition - ANSWERD. NIST SP 800-61 describes attrition attacks as attacks that employ
brute-force methods to compromise, degrade, or destroy systems, networks, or services.
A DDoS attack floods a target to degrade or prevent access to systems, services, or
networks, so it falls under attrition rather than impersonation, improper usage, or web.
Taylor is preparing to run vulnerability scans of a web application server that his
organization recently deployed for public access. He would like to understand what
information is available to a potential external attacker about the system as well as what
damage an attacker might be able to cause on the system. Which one of the following
scan types would be least likely to provide this type of information?
Internal network vulnerability scan
Port scan
Web application vulnerability scan
External network vulnerability scan - ANSWERA. An internal network vulnerability scan
will provide an insider's perspective on the server's vulnerabilities. It may provide useful
information, but it will not meet Taylor's goal of determining what an external attacker
would see.
While analyzing a packet capture in Wireshark, Chris finds the packet shown here.
Which of the following is he unable to determine from this packet?
Screenshot shows a Wireshark packet dissection with sections for Internet Protocol
Version 4, Differentiated Services Field, Transmission Control Protocol, and so on.
That the username used was gnome
That the protocol used was FTP
That the password was gnome123
That the remote system was 137.30.120.40 - ANSWERA. FTP sends the USER command and
the PASS command as separate commands in separate packets, so a packet carrying the
password does not contain the username. From this packet Chris can determine that this
was an FTP connection, that the password was gnome123, and that the FTP server was
137.30.120.40 (the remote address in the IPv4 header).
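The point that USER and PASS travel in different packets is easy to see when the control stream is reassembled rather than read one packet at a time. The Python script below is an added example, not part of the original question or of Wireshark: it builds a constructed five-packet FTP login (the client and server addresses, ports, sequence numbers and banner text are invented for the example, with the server address chosen to match the question), parses the IPv4 and TCP headers by hand, reorders the client's segments by sequence number, and reports which packet held the username and which held the password.

```python
import struct
from collections import defaultdict


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def build_packet(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a minimal IPv4 + TCP packet for the constructed sample (checksums left at zero)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         _ip_bytes(src_ip), _ip_bytes(dst_ip))
    # data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent pointer 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_packet(raw):
    """Return addressing, sequence number and payload of an IPv4/TCP packet, or None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:                       # protocol field: 6 is TCP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_offset = (tcp[12] >> 4) * 4
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "seq": seq, "payload": tcp[data_offset:]}


def extract_ftp_credentials(packets, ftp_port=21):
    """Reassemble client-to-server FTP control streams and pull USER/PASS out of them."""
    streams = defaultdict(list)
    for index, raw in enumerate(packets):
        pkt = parse_packet(raw)
        if pkt is None or pkt["dport"] != ftp_port or not pkt["payload"]:
            continue
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        streams[key].append((pkt["seq"], index, pkt["payload"]))

    findings = []
    for (client, _, server, _), segments in streams.items():
        segments.sort()                   # order by TCP sequence number, not capture order
        data = b""
        ends = []                         # (stream offset where a packet's data ends, packet index)
        for _, index, payload in segments:
            data += payload
            ends.append((len(data), index))
        finding = {"client": client, "server": server, "username": None,
                   "username_packet": None, "password": None, "password_packet": None}
        offset = 0
        for line in data.split(b"\r\n"):
            if line:
                holder = next(i for end, i in ends if offset < end)   # packet holding the line's first byte
                verb, _, arg = line.decode("ascii", "replace").partition(" ")
                if verb.upper() == "USER":
                    finding["username"], finding["username_packet"] = arg.strip(), holder
                elif verb.upper() == "PASS":
                    finding["password"], finding["password_packet"] = arg.strip(), holder
            offset += len(line) + 2
        if finding["username"] or finding["password"]:
            findings.append(finding)
    return findings


CLIENT, SERVER = "192.168.1.10", "137.30.120.40"

# Constructed capture: USER and PASS travel in different packets, and the list is
# deliberately out of sequence order to exercise the reassembly step.
SAMPLE_PACKETS = [
    build_packet(SERVER, CLIENT, 21, 52341, 5000, b"220 (vsFTPd 3.0.3)\r\n"),
    build_packet(CLIENT, SERVER, 52341, 21, 1012, b"PASS gnome123\r\n"),
    build_packet(SERVER, CLIENT, 21, 52341, 5020, b"331 Please specify the password.\r\n"),
    build_packet(CLIENT, SERVER, 52341, 21, 1000, b"USER gnome\r\n"),
    build_packet(SERVER, CLIENT, 21, 52341, 5054, b"230 Login successful.\r\n"),
]

if __name__ == "__main__":
    for finding in extract_ftp_credentials(SAMPLE_PACKETS):
        print(finding)
```

Run stand-alone, the script reports the username in packet 3 and the password in packet 1, which is exactly why a single packet from the capture answers three of the four questions but not the username. Tracking the packet index per line also matters in real captures, where a command can straddle two segments.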
Cynthia's review of her network traffic focuses on the graph shown here. What occurred
in late June?
Graph shows network throughput in megabits per second (0 to 3,000) over time, ending
in July 2016.
Beaconing
High network bandwidth consumption
A denial-of-service attack
A link failure - ANSWERB. The spike shown just before July is out of the norm for this
network, since it is almost four times higher than the baseline, so the best description
is high bandwidth consumption. The graph alone does not prove a denial-of-service attack,
a link failure would show a drop rather than a spike, and beaconing appears as small,
regular bursts rather than one large peak. Cynthia should check what occurred during
that time frame to verify whether it was legitimate traffic for her organization.
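Telling a one-off volume spike apart from beaconing is a baseline question, and the two patterns need different tests. The Python script below is an added example, not part of the original question or of any monitoring product: it flags daily throughput samples that exceed a multiple of the preceding week's median (a constructed June 2016 series with a jump at the end of the month) and separately checks a list of constructed connection timestamps for the near-constant intervals that characterize beaconing. All sample values are invented for the example.

```python
from statistics import mean, median, pstdev

# Constructed daily throughput samples in Mbit/s for June 2016; not real measurements.
SAMPLE_TRAFFIC = [
    ("2016-06-01", 720), ("2016-06-02", 760), ("2016-06-03", 690), ("2016-06-04", 540),
    ("2016-06-05", 510), ("2016-06-06", 740), ("2016-06-07", 780), ("2016-06-08", 750),
    ("2016-06-09", 730), ("2016-06-10", 770), ("2016-06-11", 520), ("2016-06-12", 500),
    ("2016-06-13", 760), ("2016-06-14", 790), ("2016-06-15", 740), ("2016-06-16", 760),
    ("2016-06-17", 730), ("2016-06-18", 530), ("2016-06-19", 520), ("2016-06-20", 770),
    ("2016-06-21", 780), ("2016-06-22", 750), ("2016-06-23", 760), ("2016-06-24", 740),
    ("2016-06-25", 540), ("2016-06-26", 520), ("2016-06-27", 760), ("2016-06-28", 2950),
    ("2016-06-29", 2800), ("2016-06-30", 770),
]

# Constructed connection timestamps in seconds for one internal host; also invented.
BEACON_TIMES = [0, 301, 598, 902, 1199, 1501, 1797, 2103]      # regular ~5 minute interval
INTERACTIVE_TIMES = [0, 40, 900, 935, 2200, 2210, 4000, 5100]  # irregular human activity


def find_bandwidth_spikes(samples, window=7, factor=3.0):
    """Flag samples at or above factor times the median of the preceding window."""
    spikes = []
    for i in range(window, len(samples)):
        # The median ignores weekend lows and, once a spike is inside the window,
        # the spike itself, so the baseline is not dragged up by the anomaly.
        baseline = median([value for _, value in samples[i - window:i]])
        timestamp, value = samples[i]
        if baseline > 0 and value >= factor * baseline:
            spikes.append((timestamp, value, round(value / baseline, 1)))
    return spikes


def is_beaconing(event_times, max_cv=0.1, min_events=6):
    """Near-constant gaps between connections (low coefficient of variation) suggest beaconing."""
    if len(event_times) < min_events:
        return False
    gaps = [later - earlier for earlier, later in zip(event_times, event_times[1:])]
    average = mean(gaps)
    return average > 0 and pstdev(gaps) / average <= max_cv


if __name__ == "__main__":
    for when, mbps, ratio in find_bandwidth_spikes(SAMPLE_TRAFFIC):
        print(f"{when}: {mbps} Mbit/s, {ratio}x the 7-day median")
    print("beaconing:", is_beaconing(BEACON_TIMES), is_beaconing(INTERACTIVE_TIMES))
```

The spike detector reports the last two days of June at roughly 3.9 and 3.7 times the baseline, matching the "almost four times higher" reading of the graph, while the regular timestamps trip the beaconing test and the irregular ones do not. Real beacons add jitter on purpose, so max_cv is a tuning knob rather than a constant, and a volume-based graph like Cynthia's would not show low-volume beacons at all.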
Ron arrived at the office this morning to find a subpoena on his desk requesting
electronic records in his control. What type of procedure should he consult to determine
appropriate next steps, including the people he should consult and the technical
process he should follow?
Evidence production procedure
Monitoring procedure
Data classification procedure
Patching procedure - ANSWERA. Evidence production procedures describe how the
organization will respond to subpoenas, court orders, and other legitimate requests to
produce digital evidence.
Monitoring procedures describe how the organization will perform security monitoring
activities, including the possible use of continuous monitoring technology.
Data classification procedures describe the processes to follow when implementing the
organization's data classification policy.
Patching procedures describe the frequency and process of applying patches to
applications and systems under the organization's care.
Ben is attempting to determine what services a Windows system is running and decides
to use the netstat -at command to list TCP ports. He receives the output shown here.
The system is most likely running which services?
Table shows active connections with columns for proto, local address, foreign address,
state, and offload state. (On Windows, -a lists all connections and listening ports and
-t adds the TCP offload state column seen here; unlike the Linux -t switch, it does not
restrict the listing to TCP, which would require -p tcp.)
A plain-text web server, Microsoft file sharing, and a secure web server
SSH, email, and a plain-text web server