SOLUTIONS
A security analyst has been asked to remediate a server vulnerability. Once the analyst
has located a patch for the vulnerability, which of the following should happen
NEXT?
A. Start the change control process.
B. Rescan to ensure the vulnerability still exists.
C. Implement continuous monitoring.
D. Begin the incident response process. - ANSWER A
A software assurance lab is performing a dynamic assessment on an application by
automatically generating and inputting different, random data sets to attempt to
cause an error/failure condition. Which of the following software assessment capabilities
is the lab performing AND during which phase of the SDLC should this occur? (Select two.)
A. Fuzzing
B. Behavior modeling
C. Static code analysis
D. Prototyping phase
E. Requirements phase
F. Planning phase - ANSWER AD
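The assessment described in that question, random or mutated inputs fed to a component to provoke an error or failure condition, is what a fuzzer does. The following is an added example, not code from the page: a toy TLV record parser written for this illustration (deliberately fragile, as a real prototype-phase component might be), a constructed seed corpus, and a small mutation-based fuzzer that treats the parser's documented rejection (ValueError) as normal and records every other exception as a finding.

```python
import random
import struct
from typing import Callable, Dict, List

# Target under test: a toy TLV (tag, length, value) record parser written for
# this example. It is deliberately fragile so the fuzzer has something to find:
# it trusts the length byte and assumes numeric fields are exactly 4 bytes.
TAG_TEXT, TAG_NUM = 0x01, 0x02

def parse_tlv(buf: bytes) -> List[tuple]:
    records = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        length = buf[pos + 1]                  # IndexError on a truncated header
        value = buf[pos + 2:pos + 2 + length]  # silently short if buf is truncated
        pos += 2 + length
        if tag == TAG_TEXT:
            records.append(("text", value.decode("ascii", errors="replace")))
        elif tag == TAG_NUM:
            # struct.error whenever value is not exactly 4 bytes
            records.append(("num", struct.unpack(">I", value)[0]))
        else:
            raise ValueError(f"unknown tag {tag:#x}")  # the one error the spec allows
    return records

# Constructed seed corpus: two well-formed records.
SEEDS = [
    bytes([TAG_TEXT, 5]) + b"hello" + bytes([TAG_NUM, 4]) + (42).to_bytes(4, "big"),
    bytes([TAG_NUM, 4]) + (7).to_bytes(4, "big"),
]

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation: bit flip, truncation, byte insert, or prefix duplication."""
    b = bytearray(data)
    op = rng.choice(["flip", "truncate", "insert", "dup"])
    if op == "flip" and b:
        i = rng.randrange(len(b))
        b[i] ^= 1 << rng.randrange(8)
    elif op == "truncate" and len(b) > 1:
        del b[rng.randrange(1, len(b)):]
    elif op == "insert":
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    else:
        b.extend(b[:rng.randrange(len(b) + 1)])
    return bytes(b)

def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 500, seed: int = 1,
         expected: tuple = (ValueError,)) -> Dict[str, bytes]:
    """Mutation-based fuzzer. Exceptions in `expected` are the parser's documented
    rejections; anything else is a failure condition worth a bug report.
    Returns {exception class name: first input that triggered it}."""
    rng = random.Random(seed)
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        data = mutate(rng.choice(seeds), rng)
        try:
            target(data)
        except expected:
            continue
        except Exception as exc:  # a fuzzer must catch everything the target can raise
            crashes.setdefault(type(exc).__name__, data)
    return crashes

if __name__ == "__main__":
    for name, sample in fuzz(parse_tlv, SEEDS).items():
        print(f"{name}: triggered by {sample.hex()}")
```

The fuzzer reports the crashing input alongside the exception class, which is what a developer needs to reproduce the fault; a fixed RNG seed keeps a given run reproducible. Truncating a seed by even one byte is enough to reach the unchecked length handling, which is why the prototyping phase, when the parser's input handling is still cheap to change, is the right time to run this.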
Law enforcement has contacted a corporation's legal counsel because correlated data
from a breach shows the organization as the common denominator across all indicators
of compromise. An employee overhears the conversation between legal counsel and
law enforcement, and then posts a comment about it on social media. The media then
starts contacting other employees about the breach. Which of the following steps
should be taken to prevent further disclosure of information about the breach?
A. Perform security awareness training about incident communication.
B. Request all employees verbally commit to an NDA about the breach.
C. Temporarily disable employee access to social media
D. Have law enforcement meet with employees. - ANSWER A
A recent vulnerability scan found four vulnerabilities on an organization's public
Internet-facing IP addresses. Prioritizing in order to reduce the risk of a breach to the
organization, which of the following should be remediated FIRST?
A. A cipher that is known to be cryptographically weak.
B. A website using a self-signed SSL certificate.
C. A buffer overflow that allows remote code execution.
D. An HTTP response that reveals an internal IP address. - ANSWER C
A cybersecurity analyst has several SIEM event logs to review for possible APT activity.
The analyst was given several items that include lists of indicators for both IP addresses
and domains. Which of the following actions is the BEST approach for the analyst to
perform?
A. Use the IP addresses to search through the event logs.
B. Analyze the trends of the events while manually reviewing to see if any of the
indicators match.
C. Create an advanced query that includes all of the indicators, and review any of the
matches.
D. Scan for vulnerabilities with exploits known to have been used by an APT. - ANSWER B
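Whichever review approach is chosen, the analyst ends up checking the supplied IP and domain indicators against fields in the SIEM events. The following is an added example, not part of the page: it parses constructed key=value events (the field names src, dst, host and query are assumptions), matches both indicator lists in a single pass, and shows why domain indicators need suffix matching rather than substring matching, which is one of the false-positive sources a manual review has to weed out.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed indicator lists standing in for the ones handed to the analyst.
IOC_IPS: Set[str] = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS: Set[str] = {"update-check.example", "cdn-static.example"}

# Constructed SIEM events in key=value form (field names are assumptions).
EVENTS = [
    "ts=2024-03-01T10:00:01Z src=10.1.4.22 dst=93.184.216.34 dport=443 host=www.example.com",
    "ts=2024-03-01T10:00:07Z src=10.1.4.22 dst=203.0.113.45 dport=443 host=api.update-check.example",
    "ts=2024-03-01T10:00:09Z src=10.1.4.31 dst=192.0.2.10 dport=53 query=mail.example.net",
    "ts=2024-03-01T10:01:12Z src=198.51.100.7 dst=10.1.4.31 dport=22",
    "ts=2024-03-01T10:02:45Z src=10.1.4.9 dst=192.0.2.10 dport=53 query=cdn-static.example.evil-lookalike.net",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value event line into a field dictionary."""
    return dict(KV_RE.findall(line))

def domain_matches(name: str, indicator: str) -> bool:
    """True if `name` is the indicator or a subdomain of it. A name that merely
    contains the indicator (cdn-static.example.evil-lookalike.net) does not match."""
    name, indicator = name.lower().rstrip("."), indicator.lower().rstrip(".")
    return name == indicator or name.endswith("." + indicator)

def match_indicators(events: Iterable[str], ips: Set[str],
                     domains: Set[str]) -> List[Tuple[int, str, str]]:
    """Check every indicator against every event in one pass.
    Returns (1-based event number, field name, matched indicator)."""
    ioc_ips = {ipaddress.ip_address(i) for i in ips}
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(events, 1):
        ev = parse_event(line)
        for field in ("src", "dst"):
            if field in ev:
                try:
                    addr = ipaddress.ip_address(ev[field])
                except ValueError:
                    continue  # field present but not an address; skip it
                if addr in ioc_ips:
                    hits.append((n, field, str(addr)))
        for field in ("host", "query"):
            if field in ev:
                for ind in domains:
                    if domain_matches(ev[field], ind):
                        hits.append((n, field, ind))
    return hits

if __name__ == "__main__":
    for n, field, ind in match_indicators(EVENTS, IOC_IPS, IOC_DOMAINS):
        print(f"event {n}: {field} matched indicator {ind}")
```

Event 2 produces two hits (a listed IP and a subdomain of a listed domain), event 4 one hit on the source address, and event 5 none, because the lookalike domain only contains the indicator as a substring. Comparing parsed ipaddress objects rather than raw strings also avoids missing indicators written with different formatting.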
A system administrator has reviewed the following output:
Which of the following can a system administrator infer from the above output?
A. The company email server is running a non-standard port.
B. The company email server has been compromised.
C. The company is running a vulnerable SSH server.
D. The company web server has been compromised. - ANSWER A
An analyst finds that unpatched servers have undetected vulnerabilities because the
vulnerability scanner does not have the latest set of signatures. Management directed
the security team to have personnel update the scanners with the latest signatures at
least 24 hours before conducting any scans, but the outcome is unchanged. Which of
the following is the BEST logical control to address the failure?
A. Configure a script to automatically update the scanning tool.
B. Manually validate that the existing update is being performed.
C. Test vulnerability remediation in a sandbox before deploying.
D. Configure vulnerability scans to run in credentialed mode. - ANSWER A
A cybersecurity analyst has received an alert that well-known "call home" messages are
continuously observed by network sensors at the network boundary. The proxy firewall
successfully drops the messages. After determining the alert was a true positive, which
of the following represents the MOST likely cause?
A. Attackers are running reconnaissance on company resources.
B. An outside command and control system is attempting to reach an infected system.
C. An insider is trying to exfiltrate information to a remote network.
D. Malware is running on a company system. - ANSWER B
After scanning the main company's website with the OWASP ZAP tool, a cybersecurity
analyst is reviewing the following warning:
The analyst reviews a snippet of the offending code:
Which of the following is the BEST course of action based on the above warning and
code snippet?
A. The analyst should implement a scanner exception for the false positive.
B. The system administrator should disable SSL and implement TLS.
C. The developer should review the code and implement a code fix.
D. The organization should update the browser GPO to resolve the issue. - ANSWER D
An alert has been distributed throughout the information security community regarding a
critical Apache vulnerability. Which of the following courses of action would ONLY
identify the known vulnerability?
A. Perform an unauthenticated vulnerability scan on all servers in the environment.
B. Perform a scan for the specific vulnerability on all web servers.
C. Perform a web vulnerability scan on all servers in the environment.
D. Perform an authenticated scan on all web servers in the environment. - ANSWER B
As part of an upcoming engagement for a client, an analyst is configuring a penetration
testing application to ensure the scan complies with information defined in the
SOW. Which of the following types of information should be considered based on
information traditionally found in the SOW? (Select two.)
A. Timing of the scan
B. Contents of the executive summary report
C. Excluded hosts
D. Maintenance windows
E. IPS configuration
F. Incident response policies - ANSWER AC
An organization wants to remediate vulnerabilities associated with its web servers. An
initial vulnerability scan has been performed, and analysts are reviewing the results.
Before starting any remediation, the analysts want to remove false positives to avoid
spending time on issues that are not actual vulnerabilities. Which of the following
would be an indicator of a likely false positive?
A. Reports show the scanner compliance plug-in is out-of-date.
B. Any items labeled 'low' are considered informational only.
C. The scan result version is different from the automated asset inventory.
D. 'HTTPS' entries indicate the web page is encrypted securely. - ANSWER B
Company A permits visiting business partners from Company B to utilize Ethernet ports
available in Company A's conference rooms. This access is provided to allow partners
the ability to establish VPNs back to Company B's network. The security architect for
Company A wants to ensure partners from Company B are able to gain direct Internet
access from available ports only, while Company A employees can gain access to the
Company A internal network from those same ports. Which of the following can be
employed to allow this?
A. ACL
B. SIEM
C. MAC
D. NAC
E. SAML - ANSWER D
After reviewing the following packet, a cybersecurity analyst has discovered an
unauthorized service is running on a company's computer.
Which of the following ACLs, if implemented, will prevent further access ONLY to the
unauthorized service and will not impact other services?
A. DENY TCP ANY HOST 10.38.219.20 EQ 3389
B. DENY IP HOST 10.38.219.20 ANY EQ 25
C. DENY IP HOST 192.168.1.10 HOST 10.38.219.20 EQ 3389
D. DENY TCP ANY HOST 192.168.1.10 EQ 25 - ANSWER A
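The packet itself is not reproduced here, so the following added example (not code from the page) assumes what the answer key implies: the unauthorized service is RDP on TCP/3389 at 10.38.219.20. It parses the four candidate ACL entries in the exam's syntax (EQ applies to the destination port), evaluates each against constructed traffic, and returns which flows each entry blocks, showing that only option A stops the unauthorized service for every source while leaving the host's other services and other hosts untouched.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Packet:
    proto: str   # "TCP", "UDP", ...
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str            # "IP" matches any protocol
    src: Optional[str]    # None means ANY
    dst: Optional[str]
    dport: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "IP" or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))

def parse_rule(text: str) -> Rule:
    """Parse the exam-style syntax ACTION PROTO SRC DST [EQ PORT], where
    SRC/DST is ANY or HOST a.b.c.d and a trailing EQ is the destination port."""
    tok = text.upper().split()
    action, proto, pos = tok[0], tok[1], 2

    def address() -> Optional[str]:
        nonlocal pos
        if tok[pos] == "ANY":
            pos += 1
            return None
        if tok[pos] == "HOST":
            pos += 2
            return tok[pos - 1]
        raise ValueError(f"bad address spec at {tok[pos]!r}")

    src = address()
    dst = address()
    dport = None
    if pos < len(tok):
        if tok[pos] != "EQ" or pos + 1 >= len(tok):
            raise ValueError("expected EQ <port>")
        dport = int(tok[pos + 1])
    return Rule(action, proto, src, dst, dport)

def evaluate(rules: List[Rule], p: Packet, default: str = "PERMIT") -> str:
    """First-match evaluation. A real extended ACL ends in an implicit deny; the
    default here is PERMIT so one candidate entry's effect on the other services
    can be seen in isolation."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# The four candidate entries from the question.
CANDIDATES: Dict[str, str] = {
    "A": "DENY TCP ANY HOST 10.38.219.20 EQ 3389",
    "B": "DENY IP HOST 10.38.219.20 ANY EQ 25",
    "C": "DENY IP HOST 192.168.1.10 HOST 10.38.219.20 EQ 3389",
    "D": "DENY TCP ANY HOST 192.168.1.10 EQ 25",
}

# Constructed traffic. Assumption: the unauthorized service is RDP (TCP/3389)
# on 10.38.219.20; the other flows are legitimate services that must keep working.
TRAFFIC: Dict[str, Packet] = {
    "rdp_from_anywhere": Packet("TCP", "172.16.0.5", "10.38.219.20", 3389),
    "rdp_from_lan": Packet("TCP", "192.168.1.10", "10.38.219.20", 3389),
    "https_same_host": Packet("TCP", "172.16.0.5", "10.38.219.20", 443),
    "smtp_other_host": Packet("TCP", "172.16.0.5", "192.168.1.10", 25),
}

def blocked_by(option: str) -> Set[str]:
    """Names of the constructed flows that the given candidate entry denies."""
    rule = parse_rule(CANDIDATES[option])
    return {name for name, p in TRAFFIC.items() if evaluate([rule], p) == "DENY"}

if __name__ == "__main__":
    for opt in CANDIDATES:
        print(opt, sorted(blocked_by(opt)) or "blocks nothing in this traffic")
```

Option B denies traffic sourced from 10.38.219.20 to port 25 elsewhere, so it never touches inbound connections to the unauthorized service; option C blocks it only from 192.168.1.10; option D affects a different host's SMTP. Only A denies every source reaching TCP/3389 on the host while HTTPS on the same host still passes.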
The new Chief Technology Officer (CTO) is seeking recommendations for network
monitoring services for the local intranet. The CTO would like the capability to monitor
all traffic to and from the gateway, as well as the capability to block certain content.
Which of the following recommendations would meet the needs of the organization?
A. Recommend setup of IP filtering on both the internal and external interfaces of
the gateway router.
B. Recommend installation of an IDS on the internal interface and a firewall on the
external interface of the gateway router.
C. Recommend installation of a firewall on the internal interface and a NIDS on the
external interface of the gateway router.
D. Recommend installation of an IPS on both the internal and external interfaces of
the gateway router. - ANSWER C
While a threat intelligence analyst was researching an indicator of compromise on a
search engine, the web proxy generated an alert regarding the same indicator. The
threat intelligence analyst states that related sites were not visited but were searched
for in a search engine. Which of the following MOST likely happened in this
situation?
A. The analyst is not using the standard approved browser.
B. The analyst accidently clicked a link related to the indicator.
C. The analyst has prefetch enabled on the browser in use.
D. The alert is unrelated to the analyst's search. - ANSWER C
Which of the following remediation strategies are MOST effective in reducing the risk of
a network-based compromise of embedded ICS? (Select two.)
A. Patching
B. NIDS
C. Segmentation