CSA +

Approved & Edited by ProProfs Editorial Team

The editorial team at ProProfs Quizzes consists of a select group of subject experts, trivia writers, and quiz masters who have authored over 10,000 quizzes taken by more than 100 million users. This team includes our in-house seasoned quiz moderators and subject matter experts. Our editorial experts, spread across the world, are rigorously trained using our comprehensive guidelines to ensure that you receive the highest quality quizzes.

Learn about Our Editorial Process

| By Heavenlymixed86

Heavenlymixed86

Community Contributor

Quizzes Created: 1 | Total Attempts: 668

Questions: 142 | Attempts: 668 | Updated: Mar 22, 2023

Questions

Settings

Feedback

During the Quiz End of Quiz

Play as

Quiz Flashcard

Create your own Quiz

Questions and Answers

1.

A security analyst is conducting traffic analysis and observes an HTTP POST to a web server. The POST header is approximately 1,0000 bytes in length. During transmission, one byte is delivered every 10 seconds. Which of the following attacks is this traffic indicative of?
- A.
  
  Exfiltration
- B.
  
  Dos
- C.
  
  Buffer over flow
- D.
  
  SQL Injection
Correct Answer
A. Exfiltration

Explanation
The given scenario describes a situation where a large amount of data is being slowly transmitted over HTTP POST. This behavior is indicative of exfiltration, which refers to the unauthorized extraction of data from a network. In this case, the attacker is slowly sending the data to avoid detection and to successfully exfiltrate the information from the web server. This method allows the attacker to bypass security measures and transfer sensitive data without raising suspicion.

Rate this question:
2.

A small bank employs an administrator who manages configurations, preforms updates to servers, creates accounts, and reviews audit logs. The bank recently received a write up from a third-party preformed security assessment attributed to this administrator's job details. The insufficiency of which of the following controls was MOST likely to have caused citation.
- A.
  
  Mandatory Vacation
- B.
  
  Personnel screening
- C.
  
  Training and certification
- D.
  
  Separation of duties
Correct Answer
D. Separation of duties

Explanation
The insufficiency of separation of duties was most likely to have caused the citation. Separation of duties is a control measure that ensures that no single individual has complete control over a process or system. In this case, the administrator is responsible for multiple tasks such as managing configurations, performing updates, creating accounts, and reviewing audit logs. Without proper separation of duties, there is a higher risk of fraud, errors, and unauthorized activities going undetected. The third-party security assessment likely identified this lack of control as a potential vulnerability in the bank's security measures.

Rate this question:
3.

A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as "root" and browsing the internet. The administrator determines this by preforming an annual review of the security logs on that server. For which of the following security architecture area should the administrator recommend review and modification? (select two)
- A.
  
  Log aggregation and analysis
- B.
  
  Software assurance
- C.
  
  Encryption
- D.
  
  Acceptable use policies
- E.
  
  Password complexity
- F.
  
  Network isolation and separation
Correct Answer(s)
A. Log aggregation and analysis
D. Acceptable use policies

Explanation
The administrator should recommend a review and modification of the log aggregation and analysis process because it took several months to detect the unauthorized activity. This suggests that the logs were not being properly monitored or analyzed in a timely manner. Additionally, the administrator should recommend a review and modification of the acceptable use policies because the local privileged user was accessing the internet, which may be a violation of the organization's policy.

Rate this question:
4.

A cybersecurity analyst was hired to resolve a security issue within a company after it has been reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that brute force attack was launched against the company. Which of the following remediation actions can the cybersecurity analyst recommend to the senior management to address these security issues?
- A.
  
  Prohibit password reuse writing a GPO
- B.
  
  Deploy multifactor authentication
- C.
  
  Require awareness training
- D.
  
  Implement DLP solution
Correct Answer
B. Deploy multifactor authentication

Explanation
The cybersecurity analyst can recommend deploying multifactor authentication as a remediation action to address the security issues. This is because multifactor authentication adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a unique code sent to their mobile device, before accessing their accounts. This would help prevent unauthorized access even if the passwords are compromised through a brute force attack.

Rate this question:
5.

Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server anywhere in the company. Which of the following would be an effective solution?
- A.
  
  Honeypot
- B.
  
  Jump Box
- C.
  
  Server hardening
- D.
  
  Anti-malware
Correct Answer
B. Jump Box

Explanation
A jump box is a secure computer that serves as an intermediary between external networks and the key server. It acts as a single access point for administrators, allowing them to connect to the jump box first and then access the key server. This setup adds an extra layer of security by reducing direct access to the key server from outside the network. It also allows for better monitoring and control over administrator access, as all connections are funneled through the jump box.

Rate this question:
6.

The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all the required best practices. Which of the following would be the BEST choice.
- A.
  
  OSSIM
- B.
  
  SDLC
- C.
  
  SANS
- D.
  
  ISO
Correct Answer
D. ISO

Explanation
ISO (International Organization for Standardization) would be the best choice for the CISO to base the security program on and achieve a certification showing that it meets all the required best practices. ISO provides internationally recognized standards for various aspects of business operations, including information security. By adopting ISO standards, the security program can ensure that it follows a comprehensive and systematic approach to managing information security risks, thereby demonstrating its commitment to best practices and compliance with industry standards.

Rate this question:
7.

Considering confidentiality and integrity, which of the following makes servers more secure than desktops?
- A.
  
  VLANs
- B.
  
  OS
- C.
  
  Trained operators
- D.
  
  Physical access restrictions
- E.
  
  Processing power
- F.
  
  Hard drive capacity
Correct Answer(s)
B. OS
D. Physical access restrictions

Explanation
The operating system (OS) plays a crucial role in enhancing the security of servers compared to desktops. Servers typically use specialized server operating systems that are designed with robust security features and protocols. These OSs offer better protection against unauthorized access, malware, and other security threats. Additionally, physical access restrictions, such as secure data centers and restricted entry, further enhance server security by preventing unauthorized individuals from physically accessing the server hardware.

Rate this question:

0
3
8.

A system Administrator has reviewed the following output#nmap server.localNmap scan report for server.localHost is up (0.3452345s latency)Not shown: 997 closed portsPort State Service22/tcp open 'ssh80tcp open http#nc server. local 80220 server. local company SMTP server (postfix/2.3.3) #nc server. local 22SSH-2. 0-OpenSSH_7.1p2 Debian-2#Which of the following can a system administrator infer from the above output
- A.
  
  The company email server is running a non-standard port
- B.
  
  The company email server has been compromised
- C.
  
  The company is running a vulnerable SSH server
- D.
  
  The company web server has been comprised
Correct Answer
A. The company email server is running a non-standard port

Explanation
The output shows that port 22 (SSH) and port 80 (HTTP) are open, but there is no mention of the email server running on any port. Therefore, the system administrator cannot infer anything about the company email server from this output.

Rate this question:
9.

The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after a seizing a compromised workstation?
- A.
  
  Activate the escalation checklist
- B.
  
  Implement the incident response plan
- C.
  
  Analyze the forensic image
- D.
  
  Preform evidence acquisition
Correct Answer
B. Implement the incident response plan

Explanation
After seizing a compromised workstation, the first action should be to implement the incident response plan. This is because the incident response plan provides a systematic approach to handle security incidents and outlines the necessary steps to mitigate the impact of the compromise. By implementing the incident response plan, the security operations team can quickly and effectively respond to the incident, contain the compromise, and start the process of investigating and remediating the issue. Activating the escalation checklist, analyzing the forensic image, and performing evidence acquisition are important steps in the overall investigation process, but they should be done after implementing the incident response plan.

Rate this question:
10.

Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o. "followed by a company name, product name, and version. Which of the following would this string help an administrator identify?
- A.
  
  Operation systems
- B.
  
  Running services
- C.
  
  Installed software
- D.
  
  Installed hardware
Correct Answer
A. Operation systems

Explanation
The string "cpe:/o." followed by a company name, product name, and version indicates the operating systems installed on the scanned IP addresses. This information can help an administrator identify the specific operating systems being used by the devices on the network.

Rate this question:
11.

Which of the following BEST explains the purpose of data ownership policy?
- A.
  
  The policy should describe the roles and responsibilities between users and managers, and the management of specific data types
- B.
  
  The policy should establish the protocol for retaining information types based on regulatory or business needs
- C.
  
  The policy should document practices that users must adhere to in order to access data on the corporate network or internet
- D.
  
  The policy should outline the organizations administration of accounts for authorized to access the appropriate date
Correct Answer
A. The policy should describe the roles and responsibilities between users and managers, and the management of specific data types

Explanation
The purpose of a data ownership policy is to clearly define the roles and responsibilities between users and managers when it comes to data. It also aims to establish how specific data types should be managed. This policy ensures that everyone in the organization understands their obligations and the proper procedures for handling and protecting data.

Rate this question:

1
1
12.

An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations would be BEST to prevent the same attack from occurring in the future?
- A.
  
  Remove and replace the managed switch with a unmanaged one
- B.
  
  Implement a separate logical network segment for management interfaces
- C.
  
  Install and configure NAC servers to allow only authorized devices to connect to the network
- D.
  
  Analyze normal behaviors on the network and configure IDS to alert on deviations from normal
Correct Answer
B. Implement a separate logical network segment for management interfaces

Explanation
Implementing a separate logical network segment for management interfaces would be the best recommendation to prevent the same attack from occurring in the future. This would ensure that the management interfaces are isolated from the rest of the network, making it more difficult for unauthorized access and configuration changes to occur. By separating the management interfaces, any potential insider threat would have limited access and would not be able to easily compromise the switch. This recommendation would enhance the security of the network and prevent similar incidents from happening again.

Rate this question:
13.

A company has been a victim of multiple volumetric DoS attacks. Packet of the offending traffic shows the following09:23:45. 058939 IP 192.168.1.1:2562 > 170.43.30.4:0: Flags[ ], seq 1887775210:1887776670, win 512, length 146009:23:45. 058940 IP 192.168.1.1:2563 > 170.43.30.4:0: Flags[ ], seq 1887775211: 1887776671, win 512 length 146009:23:45. 058941 IP 192.168.1.1:2564 > 170.43.30.4:0: Flags[ ], seq 1887775212: 1887776672, win 512 length 146009:23:45. 058942 IP 192.168.1.1:2565 > 170.43.30.4:0: Flags[ ], seq 1887775213: 1887776673, win 512 length 1460_{Which of the following mitigation techniques is MOST effective against the above attack?}
- A.
  
  The company should contact the upstream ISP and ask that RFC 1918 traffic be dropped
- B.
  
  The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router
- C.
  
  The company should implement the following ACL at their gateway firewall: Deny IP HOST 192.168.1.1 170.43.30.0/24
- D.
  
  The company should enable the Dos resource starvation protection feature of the gateway NIPS
Correct Answer
A. The company should contact the upstream ISP and ask that RFC 1918 traffic be dropped

Explanation
The given packet shows that the source IP address is 192.168.1.1, which is a private IP address according to RFC 1918. Volumetric DoS attacks often involve spoofed IP addresses, including private IP addresses. By contacting the upstream ISP and asking them to drop RFC 1918 traffic, the company can effectively block the attack traffic that is using a private IP address as the source. This is the most effective mitigation technique in this scenario.

Rate this question:
14.

An organization uses common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities. Management wants to modify the priorities based on a difficult factor so that vulnerabilities with lower CVSS scores may get higher priority if they are easier to implement with less risk to the system functionality. Management also wants to qualify the priority. Which of the following would achieve managements objective?
- A.
  
  (CVSS Score)* Difficulty =Priority Where difficulty is a range from 0.1 to 1.0 with 1.0 being the easiest and lowest risk to implement
- B.
  
  (CVSS Score)* Difficulty =Priority Where difficulty is a range from 1 to 5 with 1 being the easiest and lowest risk to implement
- C.
  
  (CVSS Score)* Difficulty =Priority Where difficulty is a range from 1 to 10 with 10 being the easiest and lowest risk to implement
- D.
  
  (CVSS Score)*2)/Difficulty =Priority Where difficulty is a range from 1 to 5 with 5 being the easiest and lowest risk to implement
Correct Answer
C. (CVSS Score)* Difficulty =Priority Where difficulty is a range from 1 to 10 with 10 being the easiest and lowest risk to implement

Explanation
The correct answer is (CVSS Score)* Difficulty =Priority, where difficulty is a range from 1 to 10 with 10 being the easiest and lowest risk to implement. This formula allows management to modify the priorities based on a difficulty factor, giving higher priority to vulnerabilities with lower CVSS scores if they are easier to implement with less risk to the system functionality. By using a scale of 1 to 10 for difficulty, the organization can accurately qualify the priority of each vulnerability.

Rate this question:
15.

The director of software development is concerned with recent web application security incidents, including the successful breach of a black-end database server. The director would like to work with the security team to implement a standardized way to design, build and test web applications and services that support them. Which of the following meets that criteria ?
- A.
  
  OWASP
- B.
  
  SANS
- C.
  
  PHP
- D.
  
  Ajax
Correct Answer
A. OWASP

Explanation
OWASP (Open Web Application Security Project) is the correct answer. OWASP provides a set of guidelines, tools, and resources for web application security. By working with the security team to implement OWASP, the director of software development can ensure that web applications and services are designed, built, and tested in a standardized and secure manner. OWASP focuses on identifying and mitigating common web application vulnerabilities, making it an appropriate choice for addressing the concerns raised by recent security incidents. SANS is a well-known organization that offers cybersecurity training and certifications, but it does not specifically focus on web application security. PHP and Ajax are programming languages and technologies, not comprehensive frameworks or guidelines for web application security.

Rate this question:
16.

A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of a month. It has port 3333 open, however, there have not been any alerts or notices regarding the server or its archives. Which of the following did the analyst discover?
- A.
  
  APT
- B.
  
  DDos
- C.
  
  Zero day
- D.
  
  False positive
Correct Answer
C. Zero day

Explanation
The analyst discovered a zero day vulnerability on the server. A zero day vulnerability refers to a security flaw that is unknown to the software vendor and does not have a patch or fix available. This vulnerability allowed the server to consume a large amount of bandwidth without triggering any alerts or notices.

Rate this question:
17.

A company is running Microsoft on a file server. A vulnerability scan returned the following result:Vulnerable software installed: office 2007HKEY_LOCAL_MACHINE\Software\Microsoft\Windows|CurrentVersion|Installer|Userdata S-1-5-18\Products\000021095F01000000100000000F01FEC\InstallProperties -key exists The Office component Microsoft Office Excel Services is running an affected version - 12.0.6612.1000 HKEY_LOCAL_MACHINE\software\Microsoft\windows|CurrentVersion\Installer\UserData\S-1-5-18\ Products\000021095F01000000100000000F01FE\Patches\F6A389258DE016A46B54137BE2278095A - key does not exist patch { 52983A6F-OED8-4A61-B645-31B72E7208A9} is not installed Which of the following would provide the MOST efficient method of remediating this finding?
- A.
  
  Implement input validation on the server
- B.
  
  Install patches on the server
- C.
  
  Disable all unneeded services running on the server
- D.
  
  Run wireshark to determine what is accessing the server
Correct Answer
B. Install patches on the server

Explanation
The vulnerability scan has identified that the file server is running an affected version of Microsoft Office Excel Services. The scan also indicates that a specific patch is not installed on the server. Therefore, the most efficient method of remediation would be to install the missing patches on the server. This would help to address the vulnerability and ensure that the software is up to date with the necessary security fixes.

Rate this question:
18.

A security analyst is reviewing logs and discovers that a company-owned computer is issued to an employee is generation many alerts and warnings. The analyst continues to review the log evens and discovers that a non company-owned device from a different unknown IP address is generation the same events. The analyst informs the manger of these findings, and the manager explains that these activities are already known and part of an on going simulation. Given this scenario, which of the following roles are the analyst, the employee and the manager filing ?
- A.
  
  The analyst is the red team The employee is the blue team The manager is the white team
- B.
  
  The analyst is the white team The employee is the red team The manager is the blue team
- C.
  
  The analyst is the red team The employee is the white team The manager is the blue team
- D.
  
  The analyst is the blue team The employee is the red team The manager is the white team
Correct Answer
D. The analyst is the blue team The employee is the red team The manager is the white team

Explanation
In this scenario, the security analyst is reviewing logs and discovering that a non company-owned device is generating alerts and warnings on a company-owned computer issued to an employee. The analyst informs the manager about these findings and the manager explains that these activities are part of an ongoing simulation. Based on this information, the analyst is playing the role of the blue team, responsible for monitoring and defending the company's systems. The employee is playing the role of the red team, responsible for simulating attacks and identifying vulnerabilities. The manager is playing the role of the white team, responsible for overseeing and coordinating the simulation exercise.

Rate this question:

0
2
19.

The Chief Information Office (CIO) of a company has been receiving an increased amount of spam in the last month. The CIO has not signed up for any newsletter or given contact information to any venders during this time frame. Which of the following techniques would a cybersecurity analyst employ to duplicate an external actor's methods of uncovering the CIO's e-mail address (select two)
- A.
  
  Social media profiling
- B.
  
  Email harvesting
- C.
  
  Packet capture
- D.
  
  Service discovery
- E.
  
  DNS harvesting
Correct Answer(s)
A. Social media profiling
B. Email harvesting

Explanation
The correct answer is social media profiling and email harvesting. Social media profiling involves gathering information about an individual from their social media accounts, which could potentially reveal their email address. Email harvesting is the process of collecting email addresses from various sources, such as websites or online directories. Both techniques can be used by an external actor to uncover the CIO's email address without the CIO directly providing their contact information to any vendors or newsletters.

Rate this question:
20.

During the post-seizure analysis of a workstation, the technician discovers a large archive on an image that forensic tools suite is unable to access. The technician Is prompted for authorization credentials when attempting to open the files manually. Which of the following tools would be MOST appropriate to use on the archive to gain access.
- A.
  
  Hashing utility
- B.
  
  Write blockers
- C.
  
  Fuzzer
- D.
  
  Password cracker
Correct Answer
D. Password cracker

Explanation
A password cracker would be the most appropriate tool to use on the archive in order to gain access. Since the technician is prompted for authorization credentials when attempting to open the files manually, it suggests that the archive is password protected. A password cracker is designed to systematically attempt different combinations of passwords until the correct one is found, allowing the technician to gain access to the files within the archive.

Rate this question:
21.

Following a data compromise, a cybersecurity analyst noticed the following executed query:Select * from Users WHERE name = rick or 1=1Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack
- A.
  
  Code encryption
- B.
  
  XSS attack
- C.
  
  Parameter validation
- D.
  
  Character blacklist
- E.
  
  Malicious code execution
- F.
  
  SQL injection
Correct Answer(s)
C. Parameter validation
F. SQL injection

Explanation
The executed query "Select * from Users WHERE name = rick or 1=1" indicates a SQL injection attack. In this attack, the attacker exploits a vulnerability in the application's input validation, allowing them to inject malicious SQL code into the query. Parameter validation is the best technical security control to reduce the risk of future impact from this attack. By properly validating and sanitizing user input, the application can prevent the injection of malicious SQL code and ensure that only valid parameters are used in the query. This helps to protect the database from unauthorized access and manipulation.

Rate this question:
22.

Which of the following is MOST effective for correlation analysis by log for threat management?
- A.
  
  PACP
- B.
  
  SCAP
- C.
  
  IPS
- D.
  
  SIEM
Correct Answer
D. SIEM

Explanation
SIEM (Security Information and Event Management) is the most effective option for correlation analysis by log for threat management. SIEM systems collect and analyze log data from various sources, such as network devices, servers, and applications, to identify and correlate security events. By analyzing log data, SIEM can detect patterns and anomalies that may indicate potential threats or security incidents. This helps organizations in threat management by providing real-time monitoring, alerting, and incident response capabilities. PACP (Passive Asset Categorization Protocol), SCAP (Security Content Automation Protocol), and IPS (Intrusion Prevention System) are not specifically designed for correlation analysis by log for threat management.

Rate this question:
23.

An analyst was testing the latest version of internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permission on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to preform these unauthorized services?
- A.
  
  Impersonation
- B.
  
  Privilege escalation
- C.
  
  Directory traversal
- D.
  
  Input injection
Correct Answer
B. Privilege escalation

Explanation
The analyst used privilege escalation to perform these unauthorized services. Privilege escalation refers to the act of gaining higher levels of access or permissions than originally granted. In this case, the analyst was able to access configuration files, change permissions, and manipulate system objects, indicating that they were able to elevate their privileges beyond what their basic user account should have allowed.

Rate this question:
24.

A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the First thing the analyst must do to ensure the integrity of a hard drive while preforming the analysis?
- A.
  
  Make a copy of the hard drive
- B.
  
  Use write blockers
- C.
  
  Run rm -r command to create a hash
- D.
  
  Install it on a different machine and explore the content
Correct Answer
A. Make a copy of the hard drive

Explanation
To ensure the integrity of the hard drive while performing the analysis, the security analyst should make a copy of the hard drive. This is important because creating a copy ensures that the original evidence remains untouched and unaltered, allowing the analyst to work with the copy without compromising the integrity of the original data. By making a copy, any changes made during the analysis will only affect the duplicate, preserving the integrity of the original evidence.

Rate this question:

0
2
25.

A security analyst is preforming a static code of a review of a web application that includes a blog. The comment sections contain the following snippet:<script>var d = document.getElement ById ("userComment"). value; document. getElementById ("displayComment") .innerHTML =usercomment
- A.
  
  Cross-site request forgery
- B.
  
  SQL injection
- C.
  
  Cross-site scripting
- D.
  
  Session Hijacking
Correct Answer
C. Cross-site scripting

Explanation
The given snippet of code is vulnerable to cross-site scripting (XSS) attack. This is because the user input from the comment section is directly inserted into the HTML without proper validation or sanitization. An attacker can exploit this vulnerability by injecting malicious code into the comment section, which will then be executed by other users visiting the web application. This can lead to various attacks such as stealing sensitive information, hijacking user sessions, or defacing the website.

Rate this question:
26.

A security analyst is preforming a review of Active directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action?
- A.
  
  Follow the incident response plan for the introduction of new accounts
- B.
  
  Disable the user accounts
- C.
  
  Remove the accounts access privileges to sensitive information
- D.
  
  Monitor the outbound traffic from the application for signs of data exfiltration
- E.
  
  Confirm the accounts are valid and ensure role-bases permission are appropriate
Correct Answer
E. Confirm the accounts are valid and ensure role-bases permission are appropriate

Explanation
The best course of action in this scenario is to confirm the validity of the newly discovered user accounts and ensure that their role-based permissions are appropriate. This is important because the accounts have access to the company's sensitive financial management application by default, even though they do not have elevated permissions. By confirming their validity and reviewing their permissions, the security analyst can ensure that only authorized individuals have access to sensitive information and prevent any potential security breaches or unauthorized access.

Rate this question:
27.

Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network
- A.
  
  Incident Response Plan
- B.
  
  Lesson learned report
- C.
  
  Reverse engineering process
- D.
  
  Chain of custody documentation
- E.
  
  None of the above
Correct Answer
E. None of the above

Explanation
The correct answer is "none of the above" because the actions mentioned in the options (Incident Response Plan, Lesson learned report, reverse engineering process, chain of custody documentation) do not directly address open issues while closing an incident involving various departments within the network. These options may be relevant in other stages of incident response or for different purposes, but they are not specifically focused on addressing open issues during the closure of an incident.

Rate this question:

0
2
28.

Following a security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediation based on current events and emerging threat vectors to specific stakeholders. Which of the following is this considered to be?
- A.
  
  Threat intelligence
- B.
  
  Threat information
- C.
  
  Threat data
- D.
  
  Advanced persistent threat
Correct Answer
A. Threat intelligence

Explanation
The given scenario describes a post-mortem analysis conducted after a security breach. The analysis involves discussing potential impacts, mitigations, and remediation based on current events and emerging threat vectors. This process is known as threat intelligence, which refers to the collection, analysis, and dissemination of information about potential threats to an organization's security. It helps organizations understand the nature of the threats they face and make informed decisions to protect their systems and data.

Rate this question:
29.

An organization followed an SDLC process for vulnerability remediation from development (DEV) through staging (STG) to production (PROD). the organization found that this process took to long and provided no additional security value. Which of the following vulnerability management processes is the BEST approach for this organization?
- A.
  
  Remediate both DEV and STG concurrently, test and then remediate PROD
- B.
  
  Remediate DEV and test , remediate STG and test and the remediate PROD
- C.
  
  Remediate PROD first, skipping DEV and STG and test
- D.
  
  Remediate only STG and test, and the remediate PROD
Correct Answer
A. Remediate both DEV and STG concurrently, test and then remediate PROD

Explanation
The best approach for this organization would be to remediate both DEV and STG concurrently, test them, and then remediate PROD. This approach ensures that vulnerabilities are addressed in both the development and staging environments simultaneously, reducing the overall time taken for the remediation process. Additionally, testing after remediation in DEV and STG allows for verification of the effectiveness of the remediation measures before applying them to the production environment. This approach strikes a balance between efficiency and security value by addressing vulnerabilities at multiple stages of the SDLC.

Rate this question:
30.

Which of following represent the reasoning behind careful pf the timelines and time day boundaries for and time of boundaries for an authorized penetration test?
- A.
  
  To schedule personnel resources for test activates
- B.
  
  To determine frequency of team communication and reporting
- C.
  
  To mitigation unintended impacts to operation
- D.
  
  To avoid conflicts with real intrusions that may occur
- E.
  
  To ensure test have measure impact to operations
Correct Answer(s)
C. To mitigation unintended impacts to operation
D. To avoid conflicts with real intrusions that may occur

Explanation
The careful planning of timelines and time boundaries for an authorized penetration test is important to mitigate any unintended impacts to operations. By scheduling the test activities, personnel resources can be allocated efficiently. Additionally, determining the frequency of team communication and reporting ensures effective coordination and monitoring of the test. By avoiding conflicts with real intrusions that may occur, the test can be conducted without causing disruptions or confusion. Lastly, ensuring that the test has measured impact to operations helps in assessing the effectiveness of the test and identifying areas for improvement.

Rate this question:
31.

A new policy requires the security team to preform web applications and OS Vulnerability scan. All of the company's web applications use federated authentications and are accessible via a central portal. Which of the following should be implemented to ensure a more scan of the company's web applications, while at the same time reducing false positives?
- A.
  
  The vulnerability scanner should be configured to preform authenticated scans
- B.
  
  The vulnerability scanner should be installed on a web server
- C.
  
  The vulnerability scanner should implement OS and network service detection
- D.
  
  The vulnerability scanner should scan for know and unknown vulnrbilities
Correct Answer
A. The vulnerability scanner should be configured to preform authenticated scans

Explanation
To ensure a more accurate scan of the company's web applications and reduce false positives, the vulnerability scanner should be configured to perform authenticated scans. Authenticated scans allow the scanner to log in to the web applications using valid credentials, giving it a deeper understanding of the application's vulnerabilities and reducing the chances of false positives. By authenticating with the application, the scanner can access restricted areas and test functionalities that may not be available to anonymous users, providing a more comprehensive assessment of potential vulnerabilities.

Rate this question:
32.

An executive tasked a security analyst to aggregate past lost, traffic and alerts on a particular vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely con conditioning?
- A.
  
  Trend analysis
- B.
  
  Behavior analysis
- C.
  
  Availability analysis
- D.
  
  Business analysis
Correct Answer
A. Trend analysis

Explanation
The security analyst is most likely conducting trend analysis. Trend analysis involves analyzing past data and identifying patterns or trends to make predictions about future outcomes. In this case, the analyst is aggregating past lost, traffic, and alerts on a specific attack vector and using that data to predict future complications related to that vector. This aligns with the concept of trend analysis, which focuses on identifying and analyzing patterns over time to make informed predictions.

Rate this question:
33.

During a review of security controls, an analyst was able to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected toBased on the ACL's above, which of the following explain why the able to connect to the FTP server?
- A.
  
  A FTP was explicitly allowed in seq 8 of the ACL
- B.
  
  FTP was allowed in seq 10 of ACL
- C.
  
  FTO was allowed as being included in seq and 4 of the ACL
- D.
  
  FTP was allowed as being outbound from seq 9 of the ACL
Correct Answer
A. A FTP was explicitly allowed in seq 8 of the ACL

Explanation
The analyst was able to connect to the FTP server because FTP was explicitly allowed in sequence 8 of the ACL.

Rate this question:
34.

A security analyst is to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials for traversing the network while still conducting a credential scan, which of the following is the BEST choice?
- A.
  
  Install agents on the endpoints to preform the scan
- B.
  
  Provide each endpoint with the vulnerability scanner credentials
- C.
  
  Encrypt all traffic between the scanner and the endpoint
- D.
  
  Deploy scanners with the administrator privileges on each end point
Correct Answer
A. Install agents on the endpoints to preform the scan

Explanation
Installing agents on the endpoints to perform the scan is the best choice because it allows the vulnerability scan to be conducted without the credentials traversing the network. By installing agents on the endpoints, the scan can be performed locally on each endpoint without the need for credentials to be transmitted across the network. This ensures that the credentials remain secure and reduces the risk of them being intercepted or compromised during the scan.

Rate this question:
35.

A company invested 10 percent of its entire annual budget in security technologies. The Chief information officer (CIO) is convinced that, without his investment, the company will risk being the next victim of the same cyber attacks its competitors experiences 3 months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get jobs done. Which of the following will eliminate the risk introduced by this practice
- A.
  
  Invest in and implement a solution to ensure non-repudiation
- B.
  
  Force a daily password change
- C.
  
  Send an email asking users not to share their credentials
- D.
  
  Run a report on all users sharing their credentials and alert their management of further actions
Correct Answer
A. Invest in and implement a solution to ensure non-repudiation

Explanation
Investing in and implementing a solution to ensure non-repudiation will eliminate the risk introduced by users sharing their usernames and passwords. Non-repudiation ensures that the actions of a user cannot be denied or falsely attributed to someone else. By implementing this solution, the company can track and authenticate user actions, making it impossible for users to share their credentials without being identified. This will discourage the practice of sharing usernames and passwords, thereby reducing the risk of unauthorized access and potential cyber attacks.

Rate this question:

0
1
36.

Creating a lessons learned report following an incident will help an analyst to communicate which of the following information.
- A.
  
  Root cause analysis of the incident and the impact it had on the organization
- B.
  
  Outline of the detailed reverse engineering step for management to review
- C.
  
  Performance data from the impacted sever and endpoints to report management
- D.
  
  Enhancements to the policies and practice that will improve business responses
- E.
  
  Lists of IP addresses, applications and assets
Correct Answer(s)
A. Root cause analysis of the incident and the impact it had on the organization
D. Enhancements to the policies and practice that will improve business responses

Explanation
Creating a lessons learned report following an incident will help an analyst communicate the root cause analysis of the incident and the impact it had on the organization. This report will provide valuable insights into the factors that led to the incident and the consequences it had on the organization's operations. Additionally, the report will also highlight enhancements to the policies and practices that can be implemented to improve the organization's response to similar incidents in the future.

Rate this question:

1
0
37.

Which of the following has occurred
- A.
  
  This is normal network traffic
- B.
  
  123.120.110.212 is infected with a Trojan
- C.
  
  172.29.0.109 is infected with a work
- D.
  
  172.29.0.109 is infected with a Trojan
Correct Answer
B. 123.120.110.212 is infected with a Trojan
38.

A company has recently launched a new billing invoice for a few key vendors. The cybersecurity analyst is receiving calls that the website is preforming slowly and the pages sometimes time out. The analyst notices the website is receiving millions of a request, causing the services to become unavailable. Which of the following can be implemented to maintain the availability of the website?
- A.
  
  VPN
- B.
  
  Honeypot
- C.
  
  Whitelisting
- D.
  
  DMZ
- E.
  
  MAC filtering
Correct Answer
C. Whitelisting

Explanation
Whitelisting can be implemented to maintain the availability of the website. By using whitelisting, the cybersecurity analyst can create a list of trusted IP addresses or domains that are allowed to access the website. This will block any unauthorized requests from reaching the website, reducing the load on the server and preventing it from becoming unavailable. Whitelisting ensures that only legitimate traffic is allowed, mitigating the impact of the millions of requests and improving the website's performance and availability.

Rate this question:
39.

As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being preformed?
- A.
  
  Fuzzing
- B.
  
  Regression testing
- C.
  
  Stress testing
- D.
  
  Input validation
Correct Answer
A. Fuzzing

Explanation
The correct answer is fuzzing. Fuzzing is a type of testing where software developers input large amounts of random data into a system to test its security. This is done to identify vulnerabilities and potential issues in the application. Fuzzing helps to uncover unexpected behavior and can be an effective technique for finding security flaws in software.

Rate this question:

1
0
40.

A reverse engineer was analyzing malware found on a retailers network and found code extracting data in memory. Which of the following threats did the engineer MOST likely uncover?
- A.
  
  POS malware
- B.
  
  Rootkit
- C.
  
  Key logger
- D.
  
  Ransomware
Correct Answer
A. POS malware

Explanation
The reverse engineer most likely uncovered POS malware. POS malware refers to malicious software that is specifically designed to target point-of-sale systems, such as those used by retailers. This type of malware is used to steal sensitive data, such as credit card information, from the retailer's network. The fact that the engineer found code extracting data in memory suggests that the malware was specifically designed to target and extract information from the point-of-sale system.

Rate this question:
41.

A cybersecurity analyst has received an alert that well-known "call home" messaged are continuously observed by network sensors at network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely causes?
- A.
  
  Attackers are running reconnaissance on company resources
- B.
  
  Commands are attempting to reach a system infected with a botnet trojan
- C.
  
  An insider is trying to exfiltrate information to a remote network
- D.
  
  Malware is running on a company system
Correct Answer
B. Commands are attempting to reach a system infected with a botnet trojan

Explanation
The correct answer is "Commands are attempting to reach a system infected with a botnet trojan." This is the most likely cause because the alert indicates that "call home" messages are continuously observed by network sensors, which suggests that a system infected with a botnet trojan is receiving commands from a remote network. The proxy firewall successfully drops these messages, indicating that it is effectively blocking the communication between the infected system and the remote network.

Rate this question:
42.

During a penetration test, a red team was able to collect the following dat via phone:OS: WindowsIP: 172.16.12.9Password: ApplesAV: NortonWhich of the following threat vectors enables this collection ?
- A.
  
  Phishing
- B.
  
  OS fingerprinting
- C.
  
  Keylogging
- D.
  
  Social engineering
Correct Answer
A. Phishing

Explanation
The red team was able to collect the data via phone, which suggests that they were able to trick or deceive someone into providing the information. Phishing is a common method used to trick individuals into revealing sensitive information such as passwords or personal details. It involves sending fraudulent emails or messages that appear to be from a legitimate source, in order to trick the recipient into providing the requested information. In this case, the red team was likely able to collect the data by using phishing techniques to deceive the target into revealing their OS, IP, password, and AV information.

Rate this question:
43.

Which of the following principles describes how a security analyst should communicate during an incident?
- A.
  
  The communication should be limited to trusted parties only
- B.
  
  The communication should be limited to security staff only
- C.
  
  The communication should come from law enforcement
- D.
  
  The communication should be limited to management only
Correct Answer
B. The communication should be limited to security staff only

Explanation
The principle that describes how a security analyst should communicate during an incident is that the communication should be limited to security staff only. This means that the analyst should only share information and updates about the incident with other members of the security team who are directly involved in managing and resolving the incident. By limiting communication to trusted and knowledgeable individuals within the security staff, sensitive information is kept confidential and the incident response process can be effectively coordinated without unnecessary distractions or potential leaks of information.

Rate this question:

1
0
44.

A web application has a newly discovered vulnerability in the authentication method used to validate known company users. the user ID of Admin with a password "password" grand elevated access to the application over the internet. Which of the following is the BEST method to discover the vulnerability before a production deployment?
- A.
  
  Manual peer review
- B.
  
  User acceptance testing
- C.
  
  Input validation
- D.
  
  Stress test the application
Correct Answer
A. Manual peer review

Explanation
A manual peer review involves having experienced individuals review the code and logic of the web application. This can help identify vulnerabilities and potential weaknesses in the authentication method. Since the vulnerability has already been discovered, a manual peer review can help identify and fix the issue before the application is deployed in a production environment. User acceptance testing, input validation, and stress testing may also be helpful in identifying vulnerabilities, but a manual peer review is considered the best method in this scenario.

Rate this question:

0
1
45.

A security analyst of a small regional back has received an alert that nation states are attempting financial institutions via phishing campaigns. Which of the following techniques would the analyst recommend as a proactive measure to defend against this type of threat?
- A.
  
  Honeypot
- B.
  
  Location-based NAC
- C.
  
  System isolation
- D.
  
  Mandatory access control
- E.
  
  Bastion host
Correct Answer
B. Location-based NAC

Explanation
Location-based Network Access Control (NAC) would be recommended as a proactive measure to defend against phishing campaigns by nation states. This technique allows the security analyst to restrict access to the network based on the location of the user or device. By implementing location-based NAC, the analyst can ensure that only authorized users within the region or area are allowed access to the network, reducing the risk of unauthorized access from nation state actors attempting phishing attacks. This helps to strengthen the overall security posture of the small regional bank and mitigate the potential impact of such threats.

Rate this question:
46.

A security analyst wants to scan the network for active hosts. Which of the following characteristics can help to differentiate between a virtual and physical host?
- A.
  
  Reserved MACs
- B.
  
  Host IPs
- C.
  
  DNS routing tables
- D.
  
  Gateway settings
Correct Answer
A. Reserved MACs

Explanation
Reserved MACs can help differentiate between a virtual and physical host. In virtual environments, MAC addresses are often generated dynamically, whereas physical hosts typically have fixed, reserved MAC addresses assigned to their network interface cards (NICs). By examining the MAC addresses of the hosts on the network, the security analyst can identify those with reserved MACs as physical hosts, while hosts with dynamically generated MACs are likely to be virtual machines.

Rate this question:
47.

A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised?
- A.
  
  Web application firewall
- B.
  
  Network firewall
- C.
  
  Web proxy
- D.
  
  Intrusion prevention system
Correct Answer
A. Web application firewall

Explanation
A web application firewall can be used to reduce the risk of being compromised in this scenario. A web application firewall is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting, and other vulnerabilities. Since the audit has uncovered coding errors and a lack of input validation on the public portal, a web application firewall can help mitigate these risks by monitoring and filtering incoming and outgoing traffic to the application, blocking any malicious requests or attempts to exploit the vulnerabilities. This can help protect the portal and its users from potential attacks.

Rate this question:
48.

A cybersecurity analyst is reviewing the following outputs:root@kali!# hping3 -s -p 80 192.168.1.19HPING 192.168.1.19 (eth0 192.168.1.19) : s set, 40 headers + 0 data bytesLen=46 ip=192.168.1.19 ttl_64 DF id+28319 sport=80 flags=RA seq=0 win=0 rtt=0. 6 msroot@kali!# hping3 -s -p 80 192.168.1.19HPING 192.168.1.19 (eth0 192.168.1.19) : s set, 40 headers + 0 data bytesLen=46 ip=192.168.1.19 ttl_64 DF id+28319 sport=8080 flags=RA seq=0 win=29200 rtt-11.9Which of the following can the analyst infer from the above output?
- A.
  
  The remote host is redirection port 80 to port 8080
- B.
  
  The remote host is running a service on port 8080
- C.
  
  The remote host's firewall is dropping packets for port 80
- D.
  
  The remote host is running a webserver on port 80
Correct Answer
B. The remote host is running a service on port 8080

Explanation
The analyst can infer from the output that the remote host is running a service on port 8080. This is indicated by the presence of the "sport=8080" in the output, which suggests that the remote host is actively listening on port 8080 and responding to the hping3 packets sent to that port.

Rate this question:
49.

A security analysis is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot purchase a data loss prevention (DLP) system. which of the following recommendations should the security analyst make to provide defense-in depth against data loss? (select three)
- A.
  
  Prevent users from accessing email and file-sharing via web proxy
- B.
  
  Prevent flash drives from connection to USB ports using Group Policy
- C.
  
  Prevent users from copying data from workstation to workstation
- D.
  
  Prevent internet access on laptops unless connected to the network in the office or via VPN
- E.
  
  Prevent users from bein able to use the copy and paste functions
Correct Answer(s)
A. Prevent users from accessing email and file-sharing via web proxy
B. Prevent flash drives from connection to USB ports using Group Policy
D. Prevent internet access on laptops unless connected to the network in the office or via VPN

Explanation
The security analyst should recommend preventing users from accessing email and file-sharing via web proxy, as this would restrict their ability to send sensitive data outside the network. They should also suggest preventing flash drives from connecting to USB ports using Group Policy, as this would prevent employees from easily copying data onto portable storage devices. Additionally, the analyst should recommend preventing internet access on laptops unless connected to the network in the office or via VPN, as this would limit the potential for data exfiltration through unauthorized internet connections.

Rate this question:
50.

An organization wants to harden its web servers. As part of this goal, leadership has directed that vulnerability scan be preformed and the security team should remediate the servers according to the industry best practices. The team has already chosen a vulnerability scanner and preformed the necessary scan, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with the industries best practices?
- A.
  
  CVSS
- B.
  
  SLA
- C.
  
  ITIL
- D.
  
  OpenVAS
- E.
  
  Qualys
Correct Answer
A. CVSS

Explanation
CVSS (Common Vulnerability Scoring System) is a widely recognized industry standard for assessing and prioritizing vulnerabilities. It provides a numerical score to each vulnerability based on its severity, impact, and exploitability. By using CVSS, the security team can prioritize the fixes based on the highest-scoring vulnerabilities, ensuring that the most critical issues are addressed first. This approach aligns with industry best practices and helps the organization effectively remediate the vulnerabilities on its web servers.

Rate this question:

Quiz Review Timeline +

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

Current Version
Mar 22, 2023

Quiz Edited by
ProProfs Editorial Team
Oct 11, 2017

Quiz Created by
Heavenlymixed86

CSA +

​A security analyst is conducting traffic analysis and observes an HTTP POST to a web server. The POST header is approximately 1,0000 bytes in length. During transmission, one byte is delivered every 10 seconds. Which of the following attacks is this traffic indicative of?

Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server anywhere in the company. Which of the following would be an effective solution?

Considering confidentiality and integrity, which of the following makes servers more secure than desktops?

The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after a seizing a compromised workstation?

Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o. "followed by a company name, product name, and version. Which of the following would this string help an administrator identify?

Which of the following BEST explains the purpose of data ownership policy?

A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of a month. It has port 3333 open, however, there have not been any alerts or notices regarding the server or its archives. Which of the following did the analyst discover?

Following a data compromise, a cybersecurity analyst noticed the following executed query:​Select * from Users WHERE name = rick or 1=1​Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack

Which of the following is MOST effective for correlation analysis by log for threat management?

A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the First thing the analyst must do to ensure the integrity of a hard drive while preforming the analysis?

A security analyst is preforming a static code of a review of a web application that includes a blog. The comment sections contain the following snippet:<script>​var d = document.getElement ById ("userComment"). value; document. getElementById ("displayComment") .innerHTML =usercomment

Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network

Which of following represent the reasoning behind careful pf the timelines and time day boundaries for and time of boundaries for an authorized penetration test?

A security analyst is to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials for traversing the network while still conducting a credential scan, which of the following is the BEST choice?

Creating a lessons learned report following an incident will help an analyst to communicate which of the following information.

Which of the following has occurred

As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being preformed?

A reverse engineer was analyzing malware found on a retailers network and found code extracting data in memory. Which of the following threats did the engineer MOST likely uncover?

During a penetration test, a red team was able to collect the following dat via phone:​OS: WindowsIP: 172.16.12.9​Password: ApplesAV: Norton​Which of the following threat vectors enables this collection ?

Which of the following principles describes how a security analyst should communicate during an incident?

A security analyst of a small regional back has received an alert that nation states are attempting financial institutions via phishing campaigns. Which of the following techniques would the analyst recommend as a proactive measure to defend against this type of threat?

A security analyst wants to scan the network for active hosts. Which of the following characteristics can help to differentiate between a virtual and physical host?

A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised?

A security analyst is conducting traffic analysis and observes an HTTP POST to a web server. The POST header is approximately 1,0000 bytes in length. During transmission, one byte is delivered every 10 seconds. Which of the following attacks is this traffic indicative of?

Following a data compromise, a cybersecurity analyst noticed the following executed query:Select * from Users WHERE name = rick or 1=1Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack

A security analyst is preforming a static code of a review of a web application that includes a blog. The comment sections contain the following snippet:<script>var d = document.getElement ById ("userComment"). value; document. getElementById ("displayComment") .innerHTML =usercomment

During a penetration test, a red team was able to collect the following dat via phone:OS: WindowsIP: 172.16.12.9Password: ApplesAV: NortonWhich of the following threat vectors enables this collection ?