_______ outline what information the organization will maintain and the length of time different categories of information will be retained prior to destruction.
Data retention policies
What Windows tools provide information on memory, CPU, and disk use?
Perfmon, Resource Monitor, and Task Manager
What is the current secure standard for providing HTTPS encryption?
TLS 1.2 or later
What switch technology provides for logical network segmentation?
VLANs
What service allows you to look up the registered owner of a domain name?
Whois
What service is responsible for resolving domain names to IP addresses?
DNS
What are the three key objectives of information security?
Confidentiality, integrity, and availability (CIA)
What type of device is designed to copy drives for forensic investigation, and then provide validation that the original drive and the content of the new drive match?
Forensic drive duplicator
What concept removes the trust that used to be placed in systems, services, and individuals inside security boundaries?
Zero-trust networking
In what type of attack does the attacker send massive amounts of traffic from many different spoofed sources to a single target address?
Distributed denial of service (DDoS)
A _______ is often used when services or systems need to be exposed to lower trust areas.
DMZ or screened subnet
What are the common attack vectors for security incidents?
Common attack vectors for security incidents include external/removable media, attrition, the web, email, impersonation, improper usage, loss or theft of equipment, and other/unknown sources.
What is the first action that incident responders should take after identifying a potential incident?
Contain the damage
What type of vulnerability scan leverages read-only access to the scan target?
Credentialed scan
What activities should always occur to validate an incident recovery effort?
Verify user accounts, verify permissions, verify logging, and vulnerability scans
What is the focus of the recovery phase of incident response?
Restoring normal operations
What term is used to describe traffic sent to a command and control system by a PC that is part of a botnet?
Beaconing
What are the phases of incident response?
Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity
What regulation requires vulnerability scanning for federal government agencies?
Federal Information Security Modernization Act (FISMA)
Where can forensic analysts turn to find information about logins, service start and stop events, and evidence of applications being run on a Windows system?
Event logs
What type of software can you use to enumerate the services that are accepting network connections on a remote system without probing that system for vulnerabilities?
Port scanner
What are some common inhibitors to vulnerability remediation?
Memorandums of understanding, service-level agreements, organizational governance, business process interruption, degraded functionality, legacy systems, and proprietary systems
__________ is the steady accrual of additional rights over time as account owners change roles, positions, or responsibilities.
Privilege creep
In the _______ software development model, each phase follows sequentially and phases do not overlap.
Waterfall
What are the three types of system environments commonly used in organizations?
Development, Test, and Production
What type of data analysis looks for differences from expected behaviors?
Anomaly analysis
What type of threat consists of highly skilled and talented attackers focused on a specific objective?
Advanced persistent threat (APT)
What criteria should be used in prioritizing the remediation of vulnerabilities?
Criticality, difficulty, severity, and exposure
____________ is a time-consuming investigative task that often distracts incident responders and results in dead ends.
Identifying the attackers
What incident response metric measures the time from detection to assessing the event as an incident and activating the process?
Mean time to respond
Name three common system hardening practices.
Updating and patching the system
Removing unnecessary software and services
Restricting and logging administrative access
Controlling the creation of new accounts
Enabling logging and using appropriate monitoring
Using capabilities like disk encryption
What term is used to describe any observable occurrence in a system or network that relates to a security function?
Security event
____________ uses different techniques to allow developers to assess each others' code before release.
Code review
What type of controls include firewalls, intrusion detection and prevention systems, network segmentation, and authentication and authorization systems?
Technical (or logical) controls
What protocol is used to gather information about and manage network devices?
SNMP
What type of incident analysis uses a principle-based, systems approach for the identification of underlying causes associated with a particular set of risks?
Root cause analysis
What function is performed by Nessus and OpenVAS?
Vulnerability scanning
What is the TCP port for the HTTPS protocol?
443
At the conclusion of a cybersecurity incident response effort, CSIRT members should conduct a formal ____________ session.
Lessons learned
Risk exists at the intersection of _______ and _________.
Threats and vulnerabilities
What are the four phases of penetration testing?
Planning, Discovery, Attack, and Reporting
What term is used to describe an organization's willingness to tolerate risk?
Risk appetite
What are the three major factors used in multifactor authentication?
Something you know, something you have, and something you are
What type of system controls access to a network based on criteria such as time of day, location, device type, and system health?
Network access control (NAC)
What protocol is used to ensure that all security devices on a network have synchronized clocks?
NTP
What is the range of well-known ports?
0-1023
Once responders have contained the damage caused by an incident, they should move on to __________ and ________ steps.
Eradication and recovery
What type of controls include locks, fences, and other controls that control or limit physical access, as well as controls like fire extinguishers that can help to prevent harm to property?
Physical controls
What industry-standard system is used to assess the severity of security vulnerabilities?
CVSS
What incident response metric measures how long it took from the initial event that resulted in an incident to when it was detected?
Mean time to detect
What are the types of impact used to describe the scope of a security incident?
Functional impact, economic impact, and recoverability efforts
What type of vulnerability allows an attacker to place more data into an area of memory than is allocated for a specific purpose?
Buffer overflow
What is the range of registered ports?
1024-49151
What type of controls involve processes and procedures like those found in incident response plans, account creation and management, as well as awareness and training efforts?
Managerial controls
What is the core system process on a Windows system called?
The NT Kernel
_____________ are intended to stop an incident from occurring by taking proactive measures to stop the threat.
Preventive controls
What are the stages of the software development life cycle?
Planning, Requirements, Design, Development, Testing, Training, Transition, Ongoing Operations and Maintenance, End-of-Life Decommissioning
What are the common elements of an incident response report?
Executive summary, narrative, recommendations, timeline, image assessment, scope, and evidence
__________ are detailed, step-by-step processes that individuals and organizations must follow in specific circumstances.
Procedures
What is the most commonly used port scanner?
Nmap
What testing technique involves sending invalid or random data to an application to test its ability to handle unexpected data?
Fuzz testing or fuzzing
What is the term used to describe when a scanner reports a vulnerability that does not really exist?
False positive
What are the four types of firewalls?
Packet filters, stateful inspection firewalls, next-generation firewalls and web application firewalls
What is the purpose of Nikto and Arachni?
Web application scanning
What type of data analysis predicts threats based on existing data?
Trend analysis
What Windows Registry key contains system information including scheduled tasks and services?
HKEY_LOCAL_MACHINE (HKLM)
________ provide mandatory requirements describing how an organization will carry out its information security policies.
Standards
The _______ software development model is an iterative and incremental process.
Agile
Network segmentation, isolation, and removal of affected systems are examples of ___________ strategies.
Containment
What Windows Registry key contains information about the currently logged-in user?
HKEY_CURRENT_USER (HKCU)
What is the overall risk rating for a risk that has medium likelihood and high impact?
High
What are the three options available for the secure disposition of media containing sensitive information?
Clear, purge, and destroy
What incident response metric identifies the time required to resolve a problem?
Mean time to remediate
What are the three main roles in a federated identity management system?
Identity Provider (IDP), Relying Party (RP) or Service Provider (SP), Consumer
What are the CVSS score ranges?
Under CVSS version 3.1, 0.1-3.9 is low, 4.0-6.9 is medium, 7.0-8.9 is high, and 9.0-10.0 is critical.
What type of device can ensure that attaching a drive to a forensic copy device or workstation does not result in modifications being made to the drive, which would destroy the forensic integrity of the process?
Write blocker
Many exception processes require the use of ___________________ to mitigate the risk associated with exceptions to security standards.
Compensating controls
What is the purpose of FTK, EnCase, SIFT, and the Sleuth Kit (TSK)?
Forensic toolkits
_________ provide best practices and recommendations related to a given concept, technology, or task.
Guidelines
______ may be used to apply settings to many different Windows systems at the same time.
Group Policy Objects (GPOs)
What type of account should be used to perform credentialed vulnerability scans?
Read-only account
What are the three networks typically connected to a triple-homed firewall?
The Internet, an internal network, and a screened subnet (DMZ)
What elements are commonly found in a vulnerability management report?
Vulnerabilities, affected hosts, risk score, mitigation options, recurrence, and prioritization information
What type of attack allows an attacker to run software of their choice on the targeted system?
Arbitrary code execution
The _______ phase of the SDLC includes actual coding of the application.
Development
________ are high-level statements of management intent.
Policies
What term describes specific metrics, such as time to remediate or patch, that are set by an organization or defined as part of a service level agreement with a vendor or service?
Service level objectives (SLOs)
What Linux utility is commonly used to clone drives in RAW format?
dd
What type of attack seeks to increase the level of access that an attacker has to a targeted system?
Privilege escalation
What regulation requires vulnerability scans for organizations involved in credit card processing?
PCI DSS
What type of information is found in network flow data?
Flow data provides information about the source and destination address, protocol, and total data sent.
What term is used to describe a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices?
Security incident
What technology provides an alternative to virtualizing an entire system, and instead permits applications to be run in their own environment with their own required components?
Containerization
What authorization technology allows users to share elements of their identity or account information while authenticating via the original identity provider?
OAuth
What NIST reference describes an incident handling process?
NIST SP 800-61
What document serves as the cornerstone of an organization's incident response program?
Incident response policy
What type of documents provide the detailed, tactical information that CSIRT members need when responding to an incident?
Procedures
What are the categories of stakeholders who should receive a vulnerability report?
1. Technical stakeholders
2. Security, audit, and compliance stakeholders
3. Security management and oversight systems
4. Executive or leadership staff
What is the TCP port for the HTTP protocol?
80
During the _______ phase of software development, security practitioners may be asked to participate in initial assessments or cost evaluations.
Feasibility