CYSA Exam Practice Test Questions And Answers
Verified 100% Correct
What are the phases of incident response? - ANSWER Preparation; Detection &
Analysis; Containment, Eradication, & Recovery; and Post-Incident Activity
What type of documents provide the detailed, tactical information that CSIRT members
need when responding to an incident? - ANSWER Procedures
What document serves as the cornerstone of an organization's incident response
program? - ANSWER Incident Response Policy
What type of threat consists of highly skilled and talented attackers focused on a
specific objective? - ANSWER Advanced Persistent Threat (APT)
What are the types of impact used to describe the scope of a security incident? -
ANSWER Functional impact, economic impact, and recoverability effort
What are the common attack vectors for security incidents? - ANSWER Common
attack vectors for security incidents include external/removable media, attrition, the web,
email, impersonation, improper usage, loss or theft of equipment, and other/unknown
sources.
What Linux command displays processes, memory utilization, and other detail about
running programs? - ANSWER Top or ps
What term is used to describe traffic sent to a command and control system by a PC
that is part of a botnet? - ANSWER Beaconing
What Windows tool provides information on memory, CPU, and disk use? - ANSWER
Perfmon
What protocol is used to gather information about and manage network devices? -
ANSWER SNMP
What Linux command allows you to list the files that are open by processes on a
system? - ANSWER lsof
What type of information is found in network flow data? - ANSWER Flow data provides
information about the source and destination IP address, protocol, and total data sent.
, What protocol is used to ensure that all security devices on a network have
synchronized clocks? - ANSWER NTP
What tool can administrators use to determine the maximum bandwidth available on a
network connection? - ANSWER iPerf
What is the purpose of FTK, EnCase, SIFT, and the Sleuth Kit (TSK)? - ANSWER
Forensic toolkits
What type of device is designed to copy drives for forensic investigation, and then
provide validation that the original drive and the content of the new drive match? -
ANSWER Forensic drive duplicator
Where can forensic analysts turn to find point-in-time information from prior actions on a
Windows system? - ANSWER Volume shadow copies
Where can forensic analysts turn to find information about logins, service start/stop
events, and evidence of applications being - ANSWER Event logs
What Linux utility is commonly used to clone drives in RAW format? - ANSWER dd
What type of device can ensure that attaching a drive to a forensic copy device or
workstation does not result in modifications - ANSWER Write blocker
What Linux kernel modules allow forensic access to physical memory? - ANSWER
fmem and LiME
What tool provides a list of USB devices that have been connected to a Windows
system? - ANSWER USB Historian
What is the first action that incident responders should take after identifying a potential
incident? - ANSWER Contain the damage
Network segmentation, isolation, and removal of affected systems are examples of
___________ strategies - ANSWER Containment
Once responders have contained the damage caused by an incident they should move
on to __________ and ________ steps. - ANSWER Eradication and recovery
At the conclusion of a cybersecurity incident response effort, CSIRT members should
conduct a formal ____________ session. - ANSWER Lessons learned
Verified 100% Correct
What are the phases of incident response? - ANSWER Preparation; Detection &
Analysis; Containment, Eradication, & Recovery; and Post-Incident Activity
What type of documents provide the detailed, tactical information that CSIRT members
need when responding to an incident? - ANSWER Procedures
What document serves as the cornerstone of an organization's incident response
program? - ANSWER Incident Response Policy
What type of threat consists of highly skilled and talented attackers focused on a
specific objective? - ANSWER Advanced Persistent Threat (APT)
What are the types of impact used to describe the scope of a security incident? -
ANSWER Functional impact, economic impact, and recoverability effort
What are the common attack vectors for security incidents? - ANSWER Common
attack vectors for security incidents include external/removable media, attrition, the web,
email, impersonation, improper usage, loss or theft of equipment, and other/unknown
sources.
What Linux command displays processes, memory utilization, and other detail about
running programs? - ANSWER Top or ps
What term is used to describe traffic sent to a command and control system by a PC
that is part of a botnet? - ANSWER Beaconing
What Windows tool provides information on memory, CPU, and disk use? - ANSWER
Perfmon
What protocol is used to gather information about and manage network devices? -
ANSWER SNMP
What Linux command allows you to list the files that are open by processes on a
system? - ANSWER lsof
What type of information is found in network flow data? - ANSWER Flow data provides
information about the source and destination IP address, protocol, and total data sent.
, What protocol is used to ensure that all security devices on a network have
synchronized clocks? - ANSWER NTP
What tool can administrators use to determine the maximum bandwidth available on a
network connection? - ANSWER iPerf
What is the purpose of FTK, EnCase, SIFT, and the Sleuth Kit (TSK)? - ANSWER
Forensic toolkits
What type of device is designed to copy drives for forensic investigation, and then
provide validation that the original drive and the content of the new drive match? -
ANSWER Forensic drive duplicator
Where can forensic analysts turn to find point-in-time information from prior actions on a
Windows system? - ANSWER Volume shadow copies
Where can forensic analysts turn to find information about logins, service start/stop
events, and evidence of applications being - ANSWER Event logs
What Linux utility is commonly used to clone drives in RAW format? - ANSWER dd
What type of device can ensure that attaching a drive to a forensic copy device or
workstation does not result in modifications - ANSWER Write blocker
What Linux kernel modules allow forensic access to physical memory? - ANSWER
fmem and LiME
What tool provides a list of USB devices that have been connected to a Windows
system? - ANSWER USB Historian
What is the first action that incident responders should take after identifying a potential
incident? - ANSWER Contain the damage
Network segmentation, isolation, and removal of affected systems are examples of
___________ strategies - ANSWER Containment
Once responders have contained the damage caused by an incident they should move
on to __________ and ________ steps. - ANSWER Eradication and recovery
At the conclusion of a cybersecurity incident response effort, CSIRT members should
conduct a formal ____________ session. - ANSWER Lessons learned
