A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the
following should the cybersecurity analyst do FIRST?
A. Apply the required patches to remediate the vulnerability.
B. Escalate the incident to senior management for guidance.
C. Disable all privileged user accounts on the network.
D. Temporarily block the attacking IP address. - ANSWER Temporarily block the
attacking IP address.
As part of an exercise set up by the information security officer, the IT staff must move
some of the network systems to an off-site facility and redeploy them for testing. All staff
members must ensure their respective systems can power back up and match their
gold image. If they find any inconsistencies, they must formally document the
information. Which of the following BEST describes this test?
A. Walk through
B. Full interruption
C. Simulation
D. Parallel - ANSWER Parallel
A security analyst is reviewing the following log from an email security service. Which of
the following BEST describes the reason why the email was blocked?
A. The To address is invalid.
B. The email originated from the www.spamfilter.org URL.
C. The IP address and the remote server name are the same.
D. The IP address was blacklisted.
E. The From address is invalid. - ANSWER The IP address was blacklisted.
Which of the following roles is ultimately responsible for determining the classification
levels assigned to specific data sets?
A. Data custodian
B. Data owner
C. Data processor
D. Senior management - ANSWER Data owner
A security analyst is reviewing the logs from an internal chat server. The chat.log file is
too large to review manually, so the analyst wants to create a shorter log file that only
includes lines associated with a user demonstrating anomalous activity. Below is a
snippet of the log:
A. grep -v chatter14 chat.log
B. grep -i pythonfun chat.log
C. grep -i javashark chat.log
D. grep -v javashark chat.log
E. grep -v pythonfun chat.log
F. grep -i chatter14 chat.log - ANSWER grep -v javashark chat.log
A Chief Information Security Officer (CISO) wants to upgrade an organization's security
posture by improving proactive activities associated with attacks from internal and
external threats. Which of the following is the MOST proactive tool or technique that
feeds incident response capabilities?
A. Development of a hypothesis as part of threat hunting
B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans - ANSWER Development
of a hypothesis as part of threat hunting
Which of the following software security best practices would prevent an attacker from
being able to run arbitrary SQL commands within a web application? (Choose two.)
A. Parameterized queries
B. Session management
C. Input validation
D. Output encoding
E. Data protection
F. Authentication - ANSWER Parameterized queries and Input validation
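The two chosen answers work at different layers: a parameterized query keeps untrusted data from ever being parsed as SQL, and allow-list input validation rejects unexpected characters before the data reaches the database. The following Python script is an added example, not part of the original question set; it builds a constructed in-memory SQLite table and runs the same injection payload against a string-concatenated query, a parameterized query, and a validated-then-parameterized query. The table, account names and the username character set are assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed demo database: a users table with two accounts.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, username):
    # BAD: untrusted input is spliced into the SQL text, so a quote character in
    # `username` closes the literal and the rest of the input becomes SQL.
    query = f"SELECT username, secret FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # GOOD: the SQL text is fixed; the driver binds the value separately, so the
    # input is compared as data and can never change the query's structure.
    query = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()

# Assumed allow-list for this application: lowercase alphanumerics and underscore.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")

def validate_username(username):
    # Input validation: reject anything outside the expected character set before
    # it reaches the database. Defence in depth on top of parameterization.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    return username

def lookup_defended(conn, username):
    # Both controls together: validate first, then bind the value as a parameter.
    return lookup_parameterized(conn, validate_username(username))

# Classic tautology payload: closes the literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable   :", lookup_vulnerable(conn, PAYLOAD))      # both rows leak
    print("parameterized:", lookup_parameterized(conn, PAYLOAD))   # no rows
    try:
        lookup_defended(conn, PAYLOAD)
    except ValueError as err:
        print("validation   :", err)                              # rejected early
```

Running the script shows the concatenated query returning every row for the payload, while the parameterized version returns nothing because it looks for a user literally named `' OR '1'='1`. The validation step fails closed on the quote character, so the malformed input never reaches the query at all.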
A security analyst received a SIEM alert regarding high levels of memory consumption
for a critical system. After several attempts to remediate the issue, the system went
down. A root cause analysis revealed a bad actor forced the application to not reclaim
memory. This caused the system to be depleted of resources. Which of the following
BEST describes this attack?
A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack - ANSWER Denial of service
An information security analyst observes anomalous behavior on the SCADA devices in
a power plant. This behavior results in the industrial generators overheating and
destabilizing the power supply. Which of the following would BEST identify potential
indicators of compromise?
A. Use Burp Suite to capture packets to the SCADA device's IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management
system.
D. Use Nmap to capture packets from the management system to the SCADA devices.
- ANSWER Use tcpdump to capture packets from the SCADA device IP.
A large software company wants to move its source control and deployment pipelines
into a cloud-computing environment. Due to the nature of the business, management
determines the recovery time objective needs to be within one hour. Which of the
following strategies would put the company in the BEST position to achieve the desired
recovery time?
A. Establish an alternate site with active replication to other regions.
B. Configure a duplicate environment in the same region and load balance between
both instances.
C. Set up every cloud component with duplicated copies and auto-scaling turned on.
D. Set up every cloud component with duplicated copies and auto-scaling turned off.
E. Create a duplicate copy on premises that can be used for failover in a disaster
situation. - ANSWER Establish an alternate site with active replication to other
regions.
Which of the following is the MOST important objective of a post-incident review?
A. Capture lessons learned and improve incident response processes.
B. Develop a process for containment and continue improvement efforts.
C. Identify new technologies and strategies to remediate.
D. Identify a new management strategy. - ANSWER Capture lessons learned and
improve incident response processes.
After receiving reports of high latency, a security analyst performs an Nmap scan and
observes the following output:

Port      State     Service   Version
80/tcp    open      http      Apache httpd 2.2.14
111/udp   open      rpcbind
443/tcp   filtered  https     Apache httpd 2.2.14
2222/tcp  open      ssh       OpenSSH 5.3p1 Debian
3306/tcp  open      mysql     5.5.40-0ubuntu0.14.1

Which of the following suggests the system that produced this output was compromised?
A. Secure shell is operating on a non-standard port.
B. There are no indicators of compromise on this system.
C. MySQL service is identified on a standard PostgreSQL port.
D. Standard HTTP is open on the system and should be closed. - ANSWER Secure
shell is operating on a non-standard port.
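The reasoning behind the answer is a baseline comparison: each fingerprinted service is checked against the port it is normally served on, and the one mismatch (SSH on 2222/tcp) is the lead worth investigating. A non-standard port alone is not proof of compromise, since administrators move SSH deliberately, so the hit should be confirmed against the asset inventory. The following Python script is an added example, not part of the original question set; it parses the `nmap -sV` style lines above and flags any known service on an unexpected port. The scan text is constructed from the ports listed on the page, and the expected-port table is an assumed baseline that in practice would come from an inventory or `/etc/services`.

```python
import re

# Constructed sample: the page's scan output, reformatted into nmap -sV columns.
SAMPLE_SCAN = """\
PORT     STATE    SERVICE VERSION
80/tcp   open     http    Apache httpd 2.2.14
111/udp  open     rpcbind
443/tcp  filtered https   Apache httpd 2.2.14
2222/tcp open     ssh     OpenSSH 5.3p1 Debian
3306/tcp open     mysql   5.5.40-0ubuntu0.14.1
"""

# Assumed baseline of where each service is normally served. Replace with the
# organisation's own inventory; a hard-coded table is only for the demonstration.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "https": {443},
    "ssh": {22},
    "mysql": {3306},
    "postgresql": {5432},
    "rpcbind": {111},
}

# One nmap port line: "<port>/<proto> <state> <service> [<version...>]".
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

def parse_scan(text):
    """Parse nmap -sV style output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header row or noise
        row = m.groupdict()
        row["port"] = int(row["port"])
        row["version"] = (row["version"] or "").strip()
        rows.append(row)
    return rows

def find_nonstandard_ports(rows, expected=EXPECTED_PORTS):
    """Return (service, port) pairs where a known service sits on an unexpected port.

    Services absent from the baseline are ignored rather than flagged, so the
    output stays limited to mismatches the baseline can actually vouch for.
    """
    findings = []
    for row in rows:
        allowed = expected.get(row["service"])
        if allowed is not None and row["port"] not in allowed:
            findings.append((row["service"], row["port"]))
    return findings

if __name__ == "__main__":
    rows = parse_scan(SAMPLE_SCAN)
    for service, port in find_nonstandard_ports(rows):
        print(f"review: {service} detected on port {port}, not in baseline")
```

Against the sample the only finding is `ssh` on 2222, which matches the answer; a row such as `5432/tcp open mysql` would be flagged the same way, which is the situation option C describes but the scan does not show. Because the check is driven by the version detection column rather than the port number, it also catches a backdoor that an attacker has bound to a well-known port under a different service name.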