Faaahhh 🗣️
Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
Submit cmd.exe to VirusTotal.
What does EDR use to capture data for analysis and storage in a central database?
Software agents through endpoint detection and response system(s).
What technology is most commonly used to protect data in transit for modern web applications?
Transport Layer Security (TLS).
NIST defines five major types of threat information in NIST SP 800‐150, “Guide to Cyber Threat Information Sharing.”
Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred
Tactics, techniques, and procedures that describe the behavior of an actor
Security alerts like advisories and bulletins
Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used
Tool configurations that support collection, exchange, analysis, and use of threat information
Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats?
The more effort Frank puts into staying up to date with information by collecting threat information (5), monitoring for indicators (1), and staying up‐to‐date on security alerts (3), the stronger his organization’s security will be. Understanding specific threat actors may become relevant if they specifically target organizations like Frank’s, but as a midsize organization, Frank’s employer is less likely to be specifically targeted directly.
As part of her threat‐hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?
To leverage the similarity of threat profiles.
Abul wants to identify typical behavior on a Windows system using a built‐in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real‐time performance and over a period of time?
Windows Resource Monitor (Resmon.exe).
Sara has been asked to explain to her organization how an endpoint detection and response (EDR) system could help the organization. Which of the following functions is not a typical function for an EDR system?
Cloud and networks data collection and central analysis.
Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances?
80 and 443.
When reviewing network flow logs, John sees that network flow on a particular segment suddenly drops to zero. Why?
A link failure.
During his investigation of a Windows system, Eric discovered that files were deleted and he wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?
A. Windows registry
B. Master File Table
C. INDX files
D. Event logs
Event logs.
What does the Nmap response “filtered” mean in port scan results?
It cannot tell whether the port is open or closed.

During her review of incident logs, Deepa discovers the initial entry via SSH on a front-facing bastion host (A) at 8:02 a.m. If the network that Deepa is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?
Neither host B nor host A is synchronized to NTP properly.
Hank’s boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans that they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?
A. Hank should inform the CEO that this would have a negative impact on system performance and is not recommended.
B. Hank should immediately implement the CEO’s suggestion.
C. Hank should consider the request and work with networking and engineering teams on possible implementation.
D. Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.
…consider the request and work with networking and engineering teams on possible implementation.

Alex notices the traffic shown here during a Wireshark packet capture. What is the host with IP address 10.0.2.11 most likely doing?
Synchronize-based port scanning.
Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first?
block size command.
APT?
Advanced Persistent Threat.
Mike’s Nmap scan of a system using the command nmap 192.168.1.100 does not return any results. What does Mike know about the system if he is sure of its IP address, and why?
There are no TCP services reachable on Nmap’s default 1000 TCP ports.