CSA+

By Heavenlymixed86, Community Contributor
  • 1. 

    Which of the following is MOST effective for correlation analysis by log for threat management?

    • PCAP

    • SCAP

    • IPS

    • SIEM

About This Quiz

The CSA+ quiz assesses knowledge in cybersecurity, focusing on attack detection, system security, and preventive measures. It tests skills like traffic analysis, duties separation, log management, and secure access, crucial for IT security professionals.

Quiz Preview

  • 2. 

    After analyzing and correlating activity from multiple sensors, the security analyst has determined that a group from a high-risk country is responsible for a sophisticated breach of the company network and continuous administration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This is an example of:

    • Privilege escalation

    • Advanced persistent threat

    • Malicious insider threat

    • Spear phishing

    Correct Answer
    A. Advanced persistent threat
    Explanation
    The given scenario describes a situation where a security analyst has analyzed and correlated activity from multiple sensors and determined that a group from a high-risk country has successfully breached the company network and conducted targeted attacks for a prolonged period without being detected. This aligns with the characteristics of an advanced persistent threat (APT), which refers to a long-term, sophisticated attack by a skilled and persistent adversary. The fact that the attacks went unnoticed for three months further supports the idea of an APT, as they often employ stealthy tactics to evade detection.

  • 3. 

    The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets these criteria?

    • OWASP

    • SANS

    • PHP

    • Ajax

    Correct Answer
    A. OWASP
    Explanation
    OWASP (Open Web Application Security Project) is the correct answer because it is an organization that provides resources, tools, and guidelines for web application security. The director's concern with recent security incidents aligns with OWASP's mission to improve the security of web applications. By working with the security team to implement OWASP's standardized design, build, and testing practices, the director can ensure that web applications and their supporting services are developed with security in mind. SANS is also a reputable organization that focuses on cybersecurity, but it does not specifically specialize in web application security like OWASP does. PHP and Ajax are programming languages and technologies, not comprehensive frameworks or guidelines for web application security.

  • 4. 

    An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation?

    • Zero-day attack

    • Known malware attack

    • Sessions hijack

    • Cookie stealing

    Correct Answer
    A. Zero-day attack
    Explanation
    The correct answer is a zero-day attack. A zero-day attack refers to a cyber attack that exploits a previously unknown vulnerability in a computer application or system. In this scenario, the analyst is observing unusual network traffic from a workstation that is communicating with a known malicious site over an encrypted tunnel. Despite conducting a full antivirus scan with updated antivirus signatures, no signs of infection are found. This suggests that the attack is leveraging a vulnerability that is not yet known to the antivirus software, hence it is a zero-day attack.

  • 5. 

    The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets these criteria?

    • OWASP

    • SANS

    • PHP

    • Ajax

    Correct Answer
    A. OWASP
    Explanation
    OWASP (Open Web Application Security Project) is the correct answer. OWASP provides a set of guidelines, tools, and resources for web application security. By working with the security team to implement OWASP, the director of software development can ensure that web applications and services are designed, built, and tested in a standardized and secure manner. OWASP focuses on identifying and mitigating common web application vulnerabilities, making it an appropriate choice for addressing the concerns raised by recent security incidents. SANS is a well-known organization that offers cybersecurity training and certifications, but it does not specifically focus on web application security. PHP and Ajax are programming languages and technologies, not comprehensive frameworks or guidelines for web application security.

  • 6. 

    Which of the following commands would a security analyst use to make a copy of an image for forensics use?

    • dd

    • wget

    • touch

    • rm

    Correct Answer
    A. dd
    Explanation
    A security analyst would use the "dd" command to make a copy of an image for forensics use. The "dd" command is commonly used in Linux systems to create a bit-by-bit copy of a file or device. It can be used to clone disks, create disk images, or make backups. By using "dd", the security analyst can ensure that all data, including hidden or deleted information, is preserved in the copy, making it suitable for forensic analysis.

  • 7. 

    Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server from anywhere in the company. Which of the following would be an effective solution?

    • Honeypot

    • Jump Box

    • Server hardening

    • Anti-malware

    Correct Answer
    A. Jump Box
    Explanation
    A jump box is a secure computer that serves as an intermediary between external networks and the key server. It acts as a single access point for administrators, allowing them to connect to the jump box first and then access the key server. This setup adds an extra layer of security by reducing direct access to the key server from outside the network. It also allows for better monitoring and control over administrator access, as all connections are funneled through the jump box.

  • 8. 

    As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW. Which of the following types of information should be considered, based on what is traditionally found in an SOW? (Select two.)

    • Timing of the scan

    • Contents of the executive summary report

    • Excluded hosts

    • Maintenance windows

    • IPS configuration

    • Incident response policies

    Correct Answer(s)
    A. Timing of the scan
    A. Excluded hosts
    Explanation
    Based on traditionally found SOW (Statement of Work), the timing of the scan and excluded hosts are two types of information that should be considered when configuring a penetration testing application. The timing of the scan is important to ensure that it aligns with the client's schedule and does not disrupt their operations. Excluded hosts are also crucial to specify which systems should not be scanned during the testing process, such as critical infrastructure or sensitive systems that could be negatively impacted.

  • 9. 

    An administrator has been investigating the way in which an actor has been exfiltrating confidential data from a web server to a foreign host. After a thorough review, the administrator determined the server's BIOS had been modified by a rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed?

    • Anti-malware application

    • Host-based IDS

    • TPM data sealing

    • File integrity monitoring

    Correct Answer
    A. TPM data sealing
    Explanation
    TPM (Trusted Platform Module) data sealing would be the best choice to protect against future adversary access to the BIOS. The TPM is a hardware chip that securely stores cryptographic keys and provides secure storage and execution of sensitive information. Data sealing ensures that the data can only be accessed by the authorized system and cannot be tampered with. By sealing the BIOS data using the TPM, even if another rootkit is installed, it would not be able to modify the BIOS without the authorized system's authentication. This provides a strong defense against future attacks on the BIOS.

  • 10. 

    The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all the required best practices. Which of the following would be the BEST choice?

    • OSSIM

    • SDLC

    • SANS

    • ISO

    Correct Answer
    A. ISO
    Explanation
    ISO (International Organization for Standardization) would be the best choice for the CISO to base the security program on and achieve a certification showing that it meets all the required best practices. ISO provides internationally recognized standards for various aspects of business operations, including information security. By adopting ISO standards, the security program can ensure that it follows a comprehensive and systematic approach to managing information security risks, thereby demonstrating its commitment to best practices and compliance with industry standards.

  • 11. 

    A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device cannot be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device?

    • The security analyst should recommend this device to be placed behind a WAF

    • The security analyst should recommend an IDS be placed on the network segment

    • The security analyst should recommend this device regularly export the web logs to a SIEM system

    • The security analyst should recommend this device be included in regular vulnerability scans

    Correct Answer
    A. The security analyst should recommend this device to be placed behind a WAF
    Explanation
    Placing the device behind a Web Application Firewall (WAF) is the best recommendation to enhance security. A WAF can inspect and filter incoming traffic, detecting and blocking common SQL injection attacks before they reach the vulnerable user interface. It acts as a protective shield, preventing unauthorized access and reducing the risk of successful attacks. This solution is particularly useful when the device cannot be replaced or upgraded, as it adds an additional layer of security without requiring any changes to the device itself.

  • 12. 

    An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the server's BIOS had been modified by rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against adversary access to the BIOS, in case another rootkit is installed?

    • Anti-malware application

    • Host-based IDS

    • TPM data sealing

    • File integrity monitoring

    Correct Answer
    A. TPM data sealing
    Explanation
    TPM (Trusted Platform Module) data sealing would best protect against adversary access to the BIOS in case another rootkit is installed. TPM is a hardware-based security feature that stores cryptographic keys and provides secure storage and processing of sensitive information. By sealing the data with TPM, it ensures that the data can only be accessed or decrypted on the same system with the same TPM, preventing unauthorized access even if a rootkit is installed. Anti-malware applications, host-based IDS, and file integrity monitoring are important security measures but may not provide the same level of protection as TPM data sealing in this scenario.

  • 13. 

    A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the service to become unavailable. Which of the following can be implemented to maintain the availability of the website?

    • VPN

    • Honeypot

    • Whitelisting

    • DMZ

    • MAC filtering

    Correct Answer
    A. Whitelisting
    Explanation
    Whitelisting can be implemented to maintain the availability of the website. By using whitelisting, the cybersecurity analyst can create a list of trusted IP addresses or domains that are allowed to access the website. This will block any unauthorized requests from reaching the website, reducing the load on the server and preventing it from becoming unavailable. Whitelisting ensures that only legitimate traffic is allowed, mitigating the impact of the millions of requests and improving the website's performance and availability.

  • 14. 

    A recent vulnerability scan found four vulnerabilities on an organization's public Internet-facing IP addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following should be remediated FIRST?

    • A cipher that is known to be cryptographically weak

    • A website using a self-signed SSL certificate

    • A buffer overflow that allows remote code execution

    • An HTTP response that reveals an internal address

    Correct Answer
    A. A buffer overflow that allows remote code execution
    Explanation
    The buffer overflow that allows remote code execution should be remediated first because it poses the highest risk to the organization. A buffer overflow vulnerability can be exploited by an attacker to execute arbitrary code on the system, potentially gaining unauthorized access and control. This type of vulnerability is highly dangerous as it can lead to complete compromise of the system and sensitive data. Therefore, addressing this vulnerability promptly is crucial to minimize the risk of a breach.

  • 15. 

    A blue team hunt identified a previously unknown malicious binary, whose behavior the team would like to analyze. When performing this analysis, the use of which of the following would provide the BEST protection against further downstream infection of assets?

    • Static analysis

    • Virtualization

    • Sandboxing

    • Fuzz testing

    Correct Answer
    A. Sandboxing
    Explanation
    Sandboxing would provide the best protection against further downstream infection of assets. Sandboxing involves running the malicious binary in a controlled environment, isolating it from the rest of the system. This prevents any potential harm or infection from spreading to other assets. By containing the binary within the sandbox, the blue team can analyze its behavior without risking the security of other assets on the network.

  • 16. 

    A cybersecurity analyst is conducting a security test to ensure that information regarding the web server is protected from disclosure. The cybersecurity analyst requested an HTML file from the web server, and the response came back as follows:

        HTTP/1.1 404 Object Not Found
        Server: Microsoft-IIS/5.0
        Date: Tues, 19 Apr 2016 09:32:24 GMT
        Content-Type: text/html
        Content-Length: 111
        <html><head><title>Site Not Found</title></head>
        <body> No web site is configured at this address. </body></html>

    Which of the following actions should be taken to remediate this security issue?

    • Set "AllowLateScanning" to 1 in the URLScan.ini configuration file

    • Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file

    • Set "EnableLogging" to 0 in the URLScan.ini configuration file

    • Set "PerProcessLogging" to 1 in the URLScan.ini configuration file

    Correct Answer
    A. Set "RemoveServerHeader" to 1 in the URLScan.ini configuration file
    Explanation
    The correct action to remediate this security issue is to set "RemoveServerHeader" to 1 in the URLScan.ini configuration file. This removes the Server header (here, "Microsoft-IIS/5.0") from the response, which helps prevent potential attackers from learning the web server product and version and the vulnerabilities associated with them.

  • 17. 

    A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement?

    • Self-service password reset

    • Single sign-on

    • Context-based authentication

    • Password complexity

    Correct Answer
    A. Context-based authentication
    Explanation
    Context-based authentication should be implemented to help mitigate attacks based on compromised passwords. This type of authentication takes into account various contextual factors such as the user's location, device, and behavior patterns to determine if the login attempt is legitimate. By analyzing these factors, the system can detect suspicious activity, such as authentication from an unauthorized foreign country in this case, and prompt for additional verification or deny access altogether. This helps to enhance the security of the authentication process and prevent unauthorized access even if the attacker has compromised valid user credentials.

  • 18. 

    A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised?

    • Web application firewall

    • Network firewall

    • Web proxy

    • Intrusion prevention system

    Correct Answer
    A. Web application firewall
    Explanation
    A web application firewall can be used to reduce the risk of being compromised in this scenario. A web application firewall is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting, and other vulnerabilities. Since the audit has uncovered coding errors and a lack of input validation on the public portal, a web application firewall can help mitigate these risks by monitoring and filtering incoming and outgoing traffic to the application, blocking any malicious requests or attempts to exploit the vulnerabilities. This can help protect the portal and its users from potential attacks.

  • 19. 

    A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to perform?

    • Continue monitoring critical systems

    • Shut down all server interfaces

    • Inform management of the incident

    • Inform users regarding the affected systems

    Correct Answer
    A. Inform management of the incident
    Explanation
    The best action for the cybersecurity analyst to perform in this scenario is to inform management of the incident. By doing so, management can be made aware of the ongoing DDoS attack and can take appropriate actions to mitigate the attack and minimize its impact on the systems. This allows for a coordinated response and ensures that the necessary resources and measures are put in place to address the issue effectively.

  • 20. 

    During a routine review of firewall logs, an analyst identified that an address from the organization's server subnet had been connecting during nighttime hours to a foreign IP address and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident's impact assessment?

    • PII of company employees and customers was exfiltrated

    • Raw financial information about the company was accessed

    • Forensic review of the server required fall-back on a less efficient service

    • IP addresses and other network-related configurations were exfiltrated

    • The local root password for the affected server was compromised

    Correct Answer
    A. PII of company employees and customers was exfiltrated
    Explanation
    The exfiltration of PII (Personally Identifiable Information) of company employees and customers is likely to drive up the incident's impact assessment. PII includes sensitive data such as names, addresses, social security numbers, and financial information. The unauthorized access and exfiltration of this data can lead to severe consequences, including identity theft, financial loss, and reputational damage for both the organization and the individuals affected. It would require extensive mitigation efforts, legal obligations, and potential financial liabilities to address the breach and protect the affected individuals.

  • 21. 

    A system administrator has reviewed the following output:

        # nmap server.local
        Nmap scan report for server.local
        Host is up (0.3452345s latency)
        Not shown: 997 closed ports
        Port      State    Service
        22/tcp    open     ssh
        80/tcp    open     http
        # nc server.local 80
        220 server.local company SMTP server (postfix/2.3.3)
        # nc server.local 22
        SSH-2.0-OpenSSH_7.1p2 Debian-2
        #

    Which of the following can a system administrator infer from the above output?

    • The company email server is running a non-standard port

    • The company email server has been compromised

    • The company is running a vulnerable SSH server

    • The company web server has been compromised

    Correct Answer
    A. The company email server is running a non-standard port
    Explanation
    The output shows that port 22 (SSH) and port 80 (HTTP) are open, but there is no mention of the email server running on any port. Therefore, the system administrator cannot infer anything about the company email server from this output.

  • 22. 

    During the post-seizure analysis of a workstation, the technician discovers a large archive on an image that the forensic tool suite is unable to access. The technician is prompted for authorization credentials when attempting to open the files manually. Which of the following tools would be MOST appropriate to use on the archive to gain access?

    • Hashing utility

    • Write blockers

    • Fuzzer

    • Password cracker

    Correct Answer
    A. Password cracker
    Explanation
    A password cracker would be the most appropriate tool to use on the archive in order to gain access. Since the technician is prompted for authorization credentials when attempting to open the files manually, it suggests that the archive is password protected. A password cracker is designed to systematically attempt different combinations of passwords until the correct one is found, allowing the technician to gain access to the files within the archive.

  • 23. 

    A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to the CIA triad. Which of the following should provide the CIA classification for the information?

    • The cloud provider

    • The data owner

    • The cybersecurity analyst

    • The system administrator

    Correct Answer
    A. The data owner
    Explanation
    The data owner should provide the CIA classification for the information because they are responsible for determining the sensitivity and importance of the data. They have the knowledge and authority to classify the information based on its confidentiality, integrity, and availability requirements. The data owner can assess the potential risks and impact of unauthorized access, modification, or loss of the data and make informed decisions regarding its classification.

  • 24. 

    A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT?

    • Start the change control process

    • Rescan to ensure the vulnerability still exists

    • Implement continuous monitoring

    • Begin the incident response process

    Correct Answer
    A. Start the change control process
    Explanation
    After locating a patch for the vulnerability, the next step should be to start the change control process. This process ensures that any changes made to the server, in this case, the implementation of the patch, are properly documented, reviewed, and approved. It helps maintain the integrity and stability of the system by ensuring that changes are made in a controlled and organized manner, minimizing the risk of introducing new vulnerabilities or causing disruptions.

  • 25. 

    While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert on the same indicator. The threat analyst states that the related sites were not visited but were only searched for in a search engine. Which of the following MOST likely happened in this situation?

    • The analyst is not using the standard approved browser

    • The analyst accidentally clicked a link related to the indicator

    • The analyst has prefetch enabled on the browser in use

    • The alert is unrelated to the analyst's search

    Correct Answer
    A. The analyst has prefetch enabled on the browser in use
    Explanation
    The correct answer is "The analyst has prefetch enabled on the browser in use." This means that the browser is preloading web pages in the background based on the analyst's search queries, even if the analyst did not actually visit those sites. This prefetching feature could have triggered the alert from the web proxy.

  • 26. 

    File integrity monitoring states the following files have been changed. The following change has been made:

        chmod 777 -Rv /usr

    Which of the following may be occurring?

    • The ownership of /usr has been changed to the current user

    • Administrative functions have been locked from users

    • Administrative commands have been made world readable/writable

    • The ownership of /usr has been changed to the root user

    Correct Answer
    A. Administrative commands have been made world readable/writable
    Explanation
    The correct answer is that administrative commands have been made world readable/writable. This is indicated by the command "chmod 777 -Rv /usr", which recursively changes the permissions of the /usr directory tree (where system binaries such as those in /usr/bin and /usr/sbin live) to allow read, write, and execute access for all users. By making the administrative commands world readable/writable, any user can potentially modify or replace these commands, which poses a security risk.

  • 27. 

    Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by a company name, product name, and version. Which of the following would this string help an administrator identify?

    • Operating systems

    • Running services

    • Installed software

    • Installed hardware

    Correct Answer
    A. Operating systems
    Explanation
    The string "cpe:/o:" followed by a company name, product name, and version is a Common Platform Enumeration (CPE) name whose part value "o" denotes an operating system, so it indicates the operating systems detected on the scanned IP addresses. This information can help an administrator identify the specific operating systems being used by the devices on the network.

  • 28. 

    An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting?

    • Trend analysis

    • Behavior analysis

    • Availability analysis

    • Business analysis

    Correct Answer
    A. Trend analysis
    Explanation
    The security analyst is most likely conducting trend analysis. Trend analysis involves analyzing past data and identifying patterns or trends to make predictions about future outcomes. In this case, the analyst is aggregating past logs, traffic, and alerts on a specific attack vector and using that data to predict future complications related to that vector. This aligns with the concept of trend analysis, which focuses on identifying and analyzing patterns over time to make informed predictions.

  • 29. 

    An organization wants to harden its web servers. As part of this goal, leadership has directed that vulnerability scans be performed and that the security team remediate the servers according to industry best practices. The team has already chosen a vulnerability scanner and performed the necessary scan, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with industry best practices?

    • CVSS

    • SLA

    • ITIL

    • OpenVAS

    • Qualys

    Correct Answer
    A. CVSS
    Explanation
    CVSS (Common Vulnerability Scoring System) is a widely recognized industry standard for assessing and prioritizing vulnerabilities. It provides a numerical score to each vulnerability based on its severity, impact, and exploitability. By using CVSS, the security team can prioritize the fixes based on the highest-scoring vulnerabilities, ensuring that the most critical issues are addressed first. This approach aligns with industry best practices and helps the organization effectively remediate the vulnerabilities on its web servers.

  • 30. 

    A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network resources are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?

    • Syslog

    • Network mapping

    • Firewall logs

    • NIDS

    Correct Answer
    A. Syslog
    Explanation
    Syslog is a standard protocol for sending and receiving log messages across a network. It is commonly used to collect and store log data from network devices and servers in one place. In this scenario, when network resources are disabled during the vulnerability scan, the syslog records from the affected devices show which services logged errors or stopped responding while the scan was running. By analyzing the syslog data, the technician can identify the specific network service that was affected and take appropriate action to restore it.

  • 31. 

    A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company's asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?

    • A manual log review from data sent to syslog

    • An OS fingerprinting scan across all hosts

    • A packet capture of data traversing the server network

    • A service discovery scan on the network

    Correct Answer
    A. An OS fingerprinting scan across all hosts
    Explanation
    An OS fingerprinting scan across all hosts would be performed by a cybersecurity analyst to find all affected servers within an organization. OS fingerprinting is a technique used to identify the operating system running on a particular device by analyzing its network behavior and characteristics. By conducting an OS fingerprinting scan across all hosts, the analyst can identify the operating systems of the servers and determine if they are vulnerable to the critical vulnerability in the kernel mentioned in the threat intelligence feed. This scan helps in identifying the affected servers and taking appropriate actions to mitigate the vulnerability.

  • 32. 

    Which of the following BEST describes the offensive participants in a tabletop exercise?

    • Red team

    • Blue team

    • Systems administrators

    • Security analysts

    • Operations team

    Correct Answer
    A. Red team
    Explanation
    A tabletop exercise is a simulation of a real-life scenario where participants play different roles to test and improve their response to a potential incident. The offensive participants in a tabletop exercise are commonly referred to as the "Red team." Their role is to act as the attackers, attempting to exploit vulnerabilities and breach the system's security. The Red team's objective is to identify weaknesses in the system and provide valuable insights into potential threats and vulnerabilities. They help organizations assess their security measures and develop effective strategies to enhance their overall defense capabilities.

  • 33. 

    A security analyst is creating baseline system images to remediate vulnerabilities found in different operating systems. Each image needs to be scanned before it is deployed. The security analyst must ensure the configurations match industry-standard benchmarks and that the process can be repeated frequently. Which of the following vulnerability scanning options would BEST meet the process requirements?

    • Utilizing an operating system SCAP plugin

    • Utilizing an authorized credential scan

    • Utilizing a non-credentialed scan

    • Utilizing a known malware plugin

    Correct Answer
    A. Utilizing an operating system SCAP plugin
    Explanation
    Utilizing an operating system SCAP plugin would be the best option to create the process requirements. SCAP (Security Content Automation Protocol) is a standardized method for assessing and managing the security configuration of computer systems. By using an operating system SCAP plugin, the security analyst can ensure that the system configurations match industry standard benchmarks. Additionally, the process can be repeated frequently to continuously monitor and remediate vulnerabilities in the system images. This option provides a comprehensive and efficient approach to scanning and remediating vulnerabilities in different operating systems.

  • 34. 

    An HR employee began having issues with a device becoming unresponsive after attempting to open an e-mail attachment. When informed, the security analyst became suspicious of the situation, even though there was no unusual behavior on the IDS and no alert from the antivirus software. Which of the following BEST describes the type of threat in this situation?

    • Packet of death

    • Zero-day malware

    • PII exfiltration

    • Known virus

    Correct Answer
    A. Zero-day malware
    Explanation
    In this situation, the HR employee experienced issues with a device becoming unresponsive after attempting to open an e-mail attachment. The security analyst became suspicious because there was no unusual behavior on the IDS and no alert from the antivirus software. This suggests that the threat is zero-day malware: malicious software that exploits a vulnerability unknown to the software vendor or the security community, for which no signature or detection yet exists. Since neither the IDS nor the antivirus had any prior detection for this malware, it falls under the category of a zero-day threat.

  • 35. 

    A small bank employs an administrator who manages configurations, performs updates to servers, creates accounts, and reviews audit logs. The bank recently received a write-up from a third-party security assessment attributed to this administrator's job duties. The insufficiency of which of the following controls was MOST likely to have caused the citation?

    • Mandatory Vacation

    • Personnel screening

    • Training and certification

    • Separation of duties

    Correct Answer
    A. Separation of duties
    Explanation
    The insufficiency of separation of duties was most likely to have caused the citation. Separation of duties is a control measure that ensures that no single individual has complete control over a process or system. In this case, the administrator is responsible for multiple tasks such as managing configurations, performing updates, creating accounts, and reviewing audit logs. Without proper separation of duties, there is a higher risk of fraud, errors, and unauthorized activities going undetected. The third-party security assessment likely identified this lack of control as a potential vulnerability in the bank's security measures.

  • 36. 

    An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations would be BEST to prevent the same attack from occurring in the future?

    • Remove and replace the managed switch with an unmanaged one

    • Implement a separate logical network segment for management interfaces

    • Install and configure NAC servers to allow only authorized devices to connect to the network

    • Analyze normal behaviors on the network and configure IDS to alert on deviations from normal

    Correct Answer
    A. Implement a separate logical network segment for management interfaces
    Explanation
    Implementing a separate logical network segment for management interfaces would be the best recommendation to prevent the same attack from occurring in the future. This would ensure that the management interfaces are isolated from the rest of the network, making it more difficult for unauthorized access and configuration changes to occur. By separating the management interfaces, any potential insider threat would have limited access and would not be able to easily compromise the switch. This recommendation would enhance the security of the network and prevent similar incidents from happening again.

  • 37. 

    A security analyst wants to scan the network for active hosts. Which of the following characteristics can help to differentiate between a virtual and physical host?

    • Reserved MACs

    • Host IPs

    • DNS routing tables

    • Gateway settings

    Correct Answer
    A. Reserved MACs
    Explanation
    Reserved MACs can help differentiate between a virtual and physical host. In virtual environments, MAC addresses are often generated dynamically, whereas physical hosts typically have fixed, reserved MAC addresses assigned to their network interface cards (NICs). By examining the MAC addresses of the hosts on the network, the security analyst can identify those with reserved MACs as physical hosts, while hosts with dynamically generated MACs are likely to be virtual machines.

  • 38. 

    Which of the following are essential components within the rules of engagement for a penetration test? (Select two.)

    • Schedule

    • Authorization

    • List of system administrators

    • Payment terms

    • Business justification

    Correct Answer(s)
    A. Schedule
    A. Authorization
    Explanation
    The schedule is an essential component within the rules of engagement for a penetration test because it outlines the timeframe in which the test will be conducted, ensuring that it is conducted within a specified time period. Authorization is also essential as it ensures that the penetration test is conducted with proper permission from the organization, ensuring legal and ethical compliance. The other options, such as the list of system administrators, payment terms, and business justification, are not directly related to the rules of engagement for a penetration test.

  • 39. 

    A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyzing the logs. Given the list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, perform keyword searches, and generate output?

    • Kali

    • Splunk

    • Syslog

    • OSSM

    Correct Answer
    A. Splunk
    Explanation
    Splunk would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output. Splunk is a powerful log management and analysis tool that allows the analyst to easily search, analyze, and visualize log data from various sources. It provides advanced search capabilities, real-time monitoring, and customizable dashboards, making it an ideal choice for efficiently analyzing log files.

  • 40. 

    A security analyst is reviewing IDS logs and notices the following entry:

    (where [email protected] and passwords=' or 20==20')

    Which of the following attacks is occurring?

    • Cross-site scripting

    • Header manipulation

    • SQL injection

    • XML injection

    Correct Answer
    A. SQL injection
    Explanation
    The given entry in the IDS logs indicates a SQL injection attack. In this attack, the attacker is attempting to exploit a vulnerability in the system by manipulating the SQL query. The use of the "or 20==20" statement in the passwords field suggests that the attacker is trying to bypass the authentication mechanism by injecting a condition that always evaluates to true. This type of attack can allow the attacker to gain unauthorized access to the database and potentially extract or modify sensitive information.

  • 41. 

    A system administrator who was using an account with elevated privileges deleted a large number of log files generated by a hypervisor in order to free up disk space. These logs are needed by the security team to analyze the health of the virtual machines. Which of the following compensating controls would help prevent this from reoccurring? (Select two.)

    • Succession planning

    • Separation of duties

    • Mandatory vacation

    • Personnel training

    • Job rotation

    Correct Answer(s)
    A. Separation of duties
    A. Personnel training
    Explanation
    Separation of duties would help prevent this from reoccurring by ensuring that the system administrator with elevated privileges does not have the ability to delete log files. Personnel training would also help by educating the system administrator on the importance of the log files and the potential consequences of deleting them.

  • 42. 

    Which of the following is a feature of virtualization that can potentially create a single point of failure?

    • Server consolidation

    • Load balancing hypervisors

    • Fast server provisioning

    • Running multiple OS instances

    Correct Answer
    A. Server consolidation
    Explanation
    Server consolidation is a feature of virtualization that can potentially create a single point of failure. When multiple servers are consolidated onto a single physical host, a failure of that host takes down every virtual machine running on it at once. Because all the consolidated workloads depend on the same physical hardware, a hardware fault can lead to a complete outage of those services. Therefore, server consolidation can introduce a single point of failure in virtualized environments unless the hosts themselves are made redundant.

  • 43. 

    A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details?

    • Acceptable use policy

    • Service level agreement

    • Rules of engagement

    • Memorandum of understanding

    • Master service agreement

    Correct Answer
    A. Rules of engagement
    Explanation
    The "Rules of engagement" document should include the details of excluding social engineering from the list of authorized activities. This document outlines the scope, objectives, and limitations of the penetration testing engagement. It specifies what actions are allowed and what are not allowed during the testing process. By including the exclusion of social engineering in the "Rules of engagement," the company clearly communicates its expectations to the penetration tester and ensures that they adhere to the desired testing boundaries.

  • 44. 

    A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch to port 636 wherever technically possible. Which of the following is the BEST response?

    • Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical

    • Change all devices and servers that support it to 636; as encrypted services run by default on 636

    • Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks

    • Correct the audit. This finding is accurate, but the correct remediation is to update keys on each of the servers to match port 636

    Correct Answer
    A. Change all devices and servers that support it to 636; as encrypted services run by default on 636
    Explanation
    The correct answer is to change all devices and servers that support it to port 636, because LDAP over SSL/TLS (LDAPS) runs by default on this port, whereas port 389 carries plain LDAP in which credentials can cross the network unencrypted. Moving authentication to 636 protects user credentials in transit and reduces the risk of unauthorized access or data breaches. Using port 636 also aligns with the remediation recommended by the security audit, which aims to improve the overall security posture of the system.

  • 45. 

    A reverse engineer was analyzing malware found on a retailer's network and found code extracting data from memory. Which of the following threats did the engineer MOST likely uncover?

    • POS malware

    • Rootkit

    • Key logger

    • Ransomware

    Correct Answer
    A. POS malware
    Explanation
    The reverse engineer most likely uncovered POS malware. POS malware is malicious software specifically designed to target point-of-sale systems, such as those used by retailers, in order to steal sensitive data such as payment card information. Card data is typically encrypted on disk and in transit but is briefly held in cleartext in process memory while a transaction is processed, so code that scrapes data from memory on a retailer's network is the signature behavior of this class of malware.

  • 46. 

    A software patch has been released to remove vulnerabilities from company software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly. Which of the following tests should be performed NEXT?

    • Fuzzing

    • User acceptance testing

    • Regression testing

    • Penetration testing

    Correct Answer
    A. Regression testing
    Explanation
    Regression testing should be performed next. Regression testing is a type of software testing that is conducted to ensure that changes or fixes made to the software have not introduced new defects or caused any existing functionality to break. In this case, since a software patch has been released to remove vulnerabilities, regression testing would help verify that the vulnerabilities have indeed been remediated and that the application is still functioning properly after the patch has been applied.

  • 47. 

    A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action?

    • Follow the incident response plan for the introduction of new accounts

    • Disable the user accounts

    • Remove the accounts' access privileges to sensitive information

    • Monitor the outbound traffic from the application for signs of data exfiltration

    • Confirm the accounts are valid and ensure role-based permissions are appropriate

    Correct Answer
    A. Confirm the accounts are valid and ensure role-based permissions are appropriate
    Explanation
    The best course of action in this scenario is to confirm the validity of the newly discovered user accounts and ensure that their role-based permissions are appropriate. This is important because the accounts have access to the company's sensitive financial management application by default, even though they do not have elevated permissions. By confirming their validity and reviewing their permissions, the security analyst can ensure that only authorized individuals have access to sensitive information and prevent any potential security breaches or unauthorized access.

  • 48. 

    As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being performed?

    • Fuzzing

    • Regression testing

    • Stress testing

    • Input validation

    Correct Answer
    A. Fuzzing
    Explanation
    The correct answer is fuzzing. Fuzzing is a type of testing where software developers input large amounts of random data into a system to test its security. This is done to identify vulnerabilities and potential issues in the application. Fuzzing helps to uncover unexpected behavior and can be an effective technique for finding security flaws in software.

  • 49. 

    A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?

    • Syslog

    • Network mapping

    • Firewall logs

    • NIDS

    Correct Answer
    A. Syslog
    Explanation
    Syslog is a protocol used for collecting and sending system log messages. It can provide valuable information about events and activities happening on a network. In this scenario, when network services are disabled and production is affected during the vulnerability scan, syslog can be used to evaluate which network service was interrupted. Syslog messages can help identify any errors or disruptions that occurred during the scan, allowing the technician to pinpoint the specific network service that was affected.

Quiz Review Timeline (Updated): Mar 22, 2023

  • Current Version
  • Mar 22, 2023
    Quiz Edited by
    ProProfs Editorial Team
  • Oct 11, 2017
    Quiz Created by
    Heavenlymixed86