CompTIA CySA+ (CS0-003) - Domain 1

Ref:📕CompTIA CySA+ Study Guide: Exam CS0-003 (Sybex Study Guide) 3rd Edition

CySA+ (CS0-003) – Domain 1 – Security Operations

1 / 260

What is the main purpose of the tool Maltego?

A. To perform web application vulnerability scanning

B. To gather open-source intelligence and connect data points

C. To set up the Metasploitable virtual machines

D. To practice with the Metasploit tool

2 / 260

What is the purpose of Valid MAC Address Checking in identifying rogue devices on a network?

A. To validate the TCP/IP information of the network devices

B. To check the hardware (MAC) address of a device against a list of known devices

C. To identify irregular or unexpected behavior

D. To check the software information provided to the network devices

3 / 260

What is the purpose of nslookup command?

A. It blocks a specific IP address.

B. It converts domain names to IP addresses and vice versa.

C. It blocks a specific website.

D. It clears DNS cache.

4 / 260

What must be done during the data processing and analysis stage of handling threat intelligence data?

A. The data must be discarded if it is not in a format that existing systems can consume

B. The data must be entirely rewritten in a specific standard format

C. The data must be processed and analyzed to be consumed by the intended tools or processes

D. The data must be encrypted for security purposes

5 / 260

What is the core goal of Proactive Threat Hunting in cyberspace?

A. Just to identify a new type of threat

B. To reduce the attack surface area

C. To manage attack vectors and prepare for new threats

D. None of the above

6 / 260

What are some of the controls an organization may use in building a secure network?

A. Network access control (NAC) solutions

B. Developing new software

C. Increasing staff

D. Regular system updates

7 / 260

Why are penetration tests considered one of the best measures of an organization’s cybersecurity posture?

A. They are expensive to conduct

B. They allow cybersecurity analysts to monitor the ongoing effectiveness of security controls

C. They require highly skilled individuals and are time-consuming

D. They are typically performed by external consultants

8 / 260

What functionality does SIEM (Security Information and Event Management) tools provide?

A. They directly neutralize threats on endpoint systems.

B. They provide centralized logging, data gathering, reporting, and analysis capabilities to identify potential security issues.

C. They are deployed to endpoint systems to monitor for potential security issues.

D. They focus on using threat patterns and indicators of compromise for behavioral analysis.

9 / 260

Which factors play a critical role in assessing Threat Intelligence?

A. The font in which information is presented

B. Whether the data is presented in tables or graphs

C. Timeliness, relevance, and accuracy of the intelligence

D. Length and complexity of the threat report

10 / 260

What does the ’Notice’ principle mentioned in The Generally Accepted Privacy Principles (GAPP) state?

A. An organization should document its privacy practices in a policy

B. An organization should provide individuals access to their information in the organization’s records

C. An organization should notify individuals about its privacy practices and inform them of the type of information that it collects and how that information is used

D. An organization should obtain direct consent of individuals for the storage, use, and sharing of PII

11 / 260

According to the Generally Accepted Privacy Principles (GAPP), what does the term ’Disclosure’ denote?

A. The organization will maintain accurate and complete information.

B. The organization should provide individuals with access to any information about that individual.

C. The organization will disclose information to third parties only when consistent with notice and consent.

D. The organization will protect PII against unauthorized access.

12 / 260

What is one of the benefits of using virtualization as described in the text?

A. It allows organizations to save on hardware costs

B. It allows increased physical security measures

C. It decreases server downtime

D. It simplifies network configurations

13 / 260

What is a key feature of a zero trust security environment?

A. Trust is placed in systems, services, and individuals inside security boundaries.

B. The trust level of each action is not verified or validated.

C. The security design includes individual devices and applications, as well as user accounts.

D. Perimeters are defined clearly in a zero trust environment.

14 / 260

According to NIST, what at different categories of threats might an organization face in its threat identification process?

A. Adversarial, Accidental, Structural, and Environmental threats

B. Logical, Physical, Adversarial, and Accidental threats

C. Natural, Man-made, Adversarial, and Accidental threats

D. Viral, Accidental, Adversarial, and Environmental threats

15 / 260

What might be an example of a security incident that could be fully automated as a response action according to the text?

A. A brief interruption in the energy supply

B. A system on the local network starts emitting high volumes of traffic targeted at remote web servers

C. An employee unintentionally downloaded a file with a virus

D. The system backup failed

16 / 260

What does OpenID Connect provide in addition to the authorization token issued by OAuth?

A. A certificate

B. An encrypted password

C. An ID token

D. A digital signature

17 / 260

What is the main advantage of performing an internal footprinting exercise?

A. Total control over all systems.

B. Complete access to the knowledge that the organization has about itself.

C. Ability to change network topology.

D. Bypassing external security layers.

18 / 260

During the NIST attack process, what is an attacker’s goal after gaining initial access to a system?

A. Cool down and assess risks

B. Stop, being satisfied with partial access

C. Escalate their access until they gain complete administrative control

D. Disconnect to avoid detection

19 / 260

Which are some of the methods used in hardening system configurations to protect endpoints?

A. Disabling any unnecessary services or ports on the endpoints

B. Ensuring secure configuration settings exist on devices

C. Centrally controlling device security settings

D. All of the above

20 / 260

How can you check the Windows service status?

A. Using the Internet Explorer

B. Going to the Control Panel

C. Utilizing the Services administrative tool or command-line tools like the Service Controller application or PowerShell

D. Checking the task manager

21 / 260

What are the three facets of the AAA framework in Identity and Access Management?

A. Authentication, Adaptation, Authorization

B. Accounting, Authentication, Authorization

C. Authorization, Authentication, Agility

D. Accounting, Adaptation, Agility

22 / 260

What are the three main steps in using indicators of compromise (IOCs) according to the CySA+ exam outline?

A. Discovery, Verification, and Elimination

B. Detection, Response, and Prevention

C. Collection, Analysis, and Application

D. Acquisition, Interpretation, and Action

23 / 260

What is the main purpose of active reconnaissance in enumeration exercises?

A. To exploit vulnerabilities in the system

B. To gather information about systems, services, and vulnerabilities

C. To provide the targets for passive reconnaissance

D. To provide a defense mechanism against potential threats

24 / 260

What is one noteworthy difference between passive monitoring and active or router-based monitoring in terms of their effect on network traffic?

A. Passive monitoring adds more traffic to the network

B. Passive monitoring only deals with traffic sent between endpoints

C. Passive monitoring does not add additional traffic to the network

D. Passive monitoring immediately analyzes packets as they are sent

25 / 260

What is considered the final stage in the threat intelligence cycle?

A. Processing information

B. Collecting data

C. Creating requirements

D. Gathering feedback

26 / 260

What is the critical consideration when implementing system hardening practices based on standards like the CIS benchmark?

A. It is required to strictly stick to the benchmark without modifications

B. The changes and settings in the benchmark should not interfere with operational activities

C. The benchmark should be adopted without testing in real-world environments

D. The benchmark should be used for patching the system only

27 / 260

How does the MAC Address Vendor Information Checking method identify rogue devices on a network?

A. It checks the hardware address presented by the device against a list of known addresses.

B. It identifies devices based on their manufacturer’s vendor prefix.

C. It physically reviews the devices or checks wireless networks on-site.

D. It uses a tool like nmap to identify new devices.

28 / 260

Which of the following statements best describes the role of SOAR in an organization’s security posture?

A. SOAR is a single device used for network connectivity troubleshooting.

B. SOAR tools are used to facilitate packet capture across network connections.

C. SOAR platforms are used to integrate security tools and systems, automate security tasks, and provide response capabilities.

D. SOAR is focused only on incident management and monitoring.

29 / 260

Why might an organization choose to use proprietary threat intelligence?

A. To keep their threat data private

B. To sell or license their threat data and methods

C. To prevent threat actors from knowing about the data they are gathering

D. All of the above

30 / 260

What are some of the best practices for logging infrastructure as suggested in the CompTIA CySA+ study guide?

A. Unnecessary log information should be encouraged to provide abundant data.

B. Logs should only contain basic information with no context.

C. Logs should be protected to prevent any modification.

D. Logs should be kept decentralized for better accessibility.

31 / 260

What should be considered when analyzing security device logs?

A. Only consider logs from devices of known vendors.

B. Take into account the specific error codes and messages from each vendor.

C. Consider the type of event and matching identifiers in an entry.

D. Overlook other entries related to a identified entry.

32 / 260

What is the key difference between Agent-Based and Agentless NAC solutions?

A. Agent-Based solutions require special software, while Agentless solutions do not

B. Agent-Based solutions can only be used during specific times of day, while Agentless solutions can be used at any time

C. Agent-Based solutions restrict network access based on user role, while Agentless solutions do not

D. Agent-Based solutions require devices to be physically present in datacenter, while Agentless solutions do not

33 / 260

What is the role of Active Directory Federation Services (AD FS) in federated identity management?

A. ADFS provides encryption services to third-party partner sites.

B. ADFS acts as a firewall between the user’s computer and the web application.

C. ADFS provides authentication and identity information as claims to third-party partner sites.

D. ADFS is utilized to block any non-microsoft application requests.

34 / 260

What are the possible features or functionalities of nmap, as discussed in the text?

A. Firewall evasion and network protection bypassing

B. Operating system fingerprinting

C. Service identification

D. All of the above

35 / 260

Which of the following statements best describes Tcpdump?

A. Tcpdump is a graphical packet capture and inspection tool specifically for Windows.

B. Tcpdump is a statistical analysis tool used for identifying network traffic patterns.

C. Tcpdump is a command-line packet capture tool commonly available on Linux systems.

D. Tcpdump is a user interface-focused tool exclusively for macOS systems.

36 / 260

Where are the Windows event logs stored by default?

A. %SystemRoot%System32Logs

B. %SystemRoot%WinevtLogs

C. %SystemRoot%SystemEventViewer

D. %SystemRoot%System32WinevtLogs

37 / 260

What is a risk in the context of cybersecurity risk analysis?

A. An outdated version of a service that could be exploited by an attacker

B. A threat or event that could exploit a vulnerability

C. A system, device, or process that is susceptible to attacks

D. A combination of a threat and a corresponding vulnerability

38 / 260

What information is typically included in the firewall logs?

A. The source and destination IP address, the port, and what action was taken on the traffic.

B. The size of the data transferred, the user who initiated the traffic, and the type of device used.

C. The user’s login credentials, the duration of the connection, and the content of the data transferred

D. The internet service provider’s information, the timestamp of the traffic, and the geographical location of the device

39 / 260

What is the main purpose of sandboxing systems?

A. To access other systems or applications

B. To check if an application has been used before

C. To detect malicious software based on its behavior

D. To watch the system and network for known pieces of code

40 / 260

Where does Linux typically store configuration information?

A. C:ProgramData

B. C: Program Files

C. /etc/ directory

D. ~/Library/Preferences

41 / 260

What is Beaconing activity in the context of CS0-003?

A. It’s a type of DDoS attack.

B. It’s a malicious activity sent to a Command & Control system.

C. It’s an encryption algorithm used in HTTPS traffic.

D. It’s a database activity monitoring system.

42 / 260

What is Secure Access Service Edge (SASE)?

A. A firewall service for centralized organizations.

B. A network architecture design leveraging SD-WAN and security functionality.

C. A datacenter-focused security model.

D. An antimalware tool primarily used in centralized environments.

43 / 260

What is the primary function of Windows resource monitor, resmon in system resource monitoring?

A. Provides energy usage data

B. Provides detailed data about disk and network activity

C. Provides visibility into the CPU, memory, disk, and network utilization for a system

D. Provides information about which accounts are logged in

44 / 260

What is the primary purpose of host enumeration in gathering organizational intelligence?

A. To identify unauthorized devices

B. To analyze network traffic

C. To create a map of an organization’s networks, systems, and other infrastructure

D. To implement penetration testing

45 / 260

Which of the following techniques is used to establish what normal network traffic looks like?

A. Bandwidth allocation

B. DNS filtering

C. Baselines

D. Firewall routing

46 / 260

According to the ’Choice and consent’ principle of the Generally Accepted Privacy Principles (GAPP), what should an organization do when handling Personally Identifiable Information (PII)?

A. The organization should document its privacy practices in a privacy policy.

B. The organization should obtain the direct consent of individuals for the storage, use, and sharing of PII.

C. The organization should provide individuals with access to any information about them in the organization’s records.

D. The organization will put business processes in place to ensure that it remains compliant with its privacy policy.

47 / 260

What steps do strong cybersecurity teams take to improve their efficiency?

A. Ignore standardization and rely on manual work

B. Minimize the use of automation and emphasize on individual work

C. Use standardization and automation to improve efficiency

D. Rely solely on automation and eliminating human interaction

48 / 260

What information can be gained from using the Whois server for a given IP address or domain?

A. Whois can provide information about the website’s popularity ranking.

B. Whois can provide the website’s content information.

C. Whois provides information about malware on the website.

D. Whois can resolve the IP address or domain and provide information about it including registration and contact information.

49 / 260

What can introduce complexity in the context of hybrid network architectures?

A. The combination of on-premises and cloud infrastructure

B. The requirement of securing each distinct environment

C. The inability to migrate services from on-premises datacenters to cloud services

D. The lack of on-site services and systems

50 / 260

Which of the following is NOT a common area of application and service monitoring?

A. Up/down: Is the service running?

B. Transactional logging: Information about the function of the service

C. User authentication: Is the user verified?

D. Performance: Does it respond quickly and as expected?

51 / 260

What tasks typically occur in the discovery phase of a penetration test?

A. Making physical contact with the target systems

B. Conducting reviews of publicly available material and scanning for system vulnerabilities

C. Installing malicious software on the target systems

D. Erasing digital footprints from previous activities

52 / 260

What is the main function of Information Sharing and Analysis Centers (ISACs)?

A. To provide cybersecurity training to individuals

B. To collect open-source intelligence from social media, blogs and forums

C. To share threat information, provide tools and assistance to their members

D. To solely conduct cyber threat investigations

53 / 260

Which of the following best describes a typical impersonation attack via email?

A. A user is tricked into visiting a fraudulent website and providing their credentials.

B. A virus is sent as a downloadable link in an email.

C. An email seemingly from a colleague or superior is received, asking to perform an unusual action for their benefit.

D. A user’s email account gets hijacked and used to send spam emails.

54 / 260

How can the underlying hardware architecture of systems impact security operations?

A. It determines the number of users that the system can handle

B. It influences the types of software that can run on the system, including potentially malicious software

C. It decides the storage capacity of the systems

D. It defines the speed at which data can be processed by the systems

55 / 260

Why is monitoring for data exfiltration considered challenging for organizations?

A. The prevalence of encrypted communications makes it hard to distinguish legitimate traffic from potential data exfiltration.

B. It requires a comprehensive understanding of the network, which is often not the case.

C. It’s difficult to monitor the movement of large amounts of data.

D. All of the above.

56 / 260

In the context of threat hunting, what are the purposes of tarpits and honeypots?

A. Tarpits are used to attract attackers with real data, while honeypots are used to monitor unused IP addresses

B. Tarpits are used to delay and confuse attackers by providing fake targets, while honeypots are vulnerable systems used to lure attackers

C. Tarpits and honeypots are both used to directly exploit and attack attacker’s tools

D. Tarpits are vulnerable systems used to lure attackers, while honeypots are used to delay and confuse attackers with fake targets

57 / 260

What does the process of federation in identity management systems imply?

A. It allows for the creation of multiple identities on a single system

B. It implies linking an identity and related attributes between multiple systems

C. It restricts identity usage to the originating service provider

D. It refers to the process of consistent attribute management across single identity system

58 / 260

What is the process ID of the core system process (NT kernel) in Windows?

A. 2

B. 4

C. 8

D. 10

59 / 260

Which tool can help by validating the access that a specific user or group has to objects like files, Registry keys, and services?

A. Tripwire

B. Sysinternals’s AccessChk

C. Central Management Suite

D. Linux Audit System

60 / 260

What does transactional logging in application and service monitoring entail?

A. It verifies if the service is running or not

B. It determines how quickly and efficiently a service is responding

C. It captures information about the function of a service such as user actions or performed actions

D. It logs information about the function or status of the service

61 / 260

Which is not part of the process of proactive threat hunting?

A. Profiling threat actors and activities

B. Establishing a hypothesis

C. Reduced team collaboration

D. Improving detection capabilities

62 / 260

What is one important prerequisite required in federation models that depend on verifiable identities?

A. Provisioning must occur when user requests access

B. A higher level of assurance about user’s identity claims

C. User must use a Google or LinkedIn account

D. The federation must be operated by the government or a high education institution

63 / 260

What information can be provided by a Whois query?

A. The office layout of a company

B. The social media accounts of a company

C. The history of domain ownership for a domain

D. The personal contact information of every employee

64 / 260

What is not a feature of the theHarvester information gathering tool?

A. Gathering email addresses

B. Searching through large datasets

C. Uncovering vulnerabilities in Internet-connected devices

D. Gathering domain information

65 / 260

What types of information are captured through transactional logging in application or service monitoring?

A. Information about whether the service is running or not

B. Information about the speed of the service

C. Information about the actions users take or actions performed by the service

D. Information about the access of other programs and humans

66 / 260

What is the key purpose of establishing a hypothesis in proactive threat hunting?

A. To profile threat actors and activities.

B. To reduce attack surface area.

C. To test and have actionable results based on the threat.

D. To improve detection capabilities.

67 / 260

Which of the following statements best describe the purpose and characteristics of system log files?

A. System log files always provide information needed for reconnaissance.

B. System log files are typically accessible without administrative system access.

C. System log files can provide information about system configuration, running applications, and existing users, but are typically secured.

D. System log files are irrelevant for troubleshooting.

68 / 260

Which of the following is a method to stop a DoS attack from a single system or network?

A. Unplugging the target system

B. Responding to all incoming requests

C. Blocking the system or network using a firewall

D. Increasing the available bandwidth

69 / 260

What is the importance of Profiling Threat Actors and Activities in proactive threat hunting?

A. It provides a hypothesis for testing based on threat consideration.

B. It helps in understanding who may be a threat, and why, as well as what their typical actions and processes are.

C. It combines multiple intelligence sources to provide a better view of threats.

D. It improves the detection capabilities continuously as threats improve their techniques and technology.

70 / 260

What is the Structured Threat Information Expression (STIX)?

A. It is a U.S. Department of Homeland Security’s regulated method to process threat information.

B. It is a XML language originally sponsored by the U.S Department of Homeland Security used for managing standardized threat information.

C. It is a protocol intended to allow cyber threat information to be communicated at the application layer.

D. It is an XML-based framework developed by Mandiant for managing threat information.

71 / 260

Which of the following describes the security measures needed in a serverless computing environment?

A. Only controls appropriate to cloud computing environments are required.

B. Only software development controls need to be applied.

C. Existing security measures for traditional servers apply.

D. Both controls appropriate to cloud computing environments and software development controls need to be applied.

72 / 260

Which of the following is an example of a compensating control given in the text?

A. Upgrading the operating system on retail POS terminals

B. Placing POS terminals on a segmented, isolated network and using intrusion prevention systems to monitor network traffic

C. Blocking an unpatched vulnerability from reaching the vulnerable host

D. Seeking out alternate financial resources to upgrade the POS software

73 / 260

An analyst needs to view the scheduled tasks and services within a Windows system. Which root key of the Windows Registry would the analyst need to access?

A. HKEY_CLASSES_ROOT (HKCR)

B. HKEY_LOCAL_MACHINE (HKLM)

C. HKEY_USERS (HKU)

D. HKEY_CURRENT_USER (HKCU)

74 / 260

In the data collection phase of the CompTIA CySA+ certification process, what action can occur as the requirements change?

A. The phase is discontinued

B. The phase may repeat

C. The data sources are changed

D. The threat intelligence sources are disregarded

75 / 260

What does the ’Use, retention, and disposal’ principle in GAPP indicate?

A. The organization must inform individuals of the type of information collected

B. The organization must obtain the direct consent of individuals for storage, use, and sharing of PII

C. The organization should only use information for identified purposes and may not use information collected for one stated purpose for any other nondisclosed purpose

D. The organization should provide individuals with access to any information about them in their records

76 / 260

What is the purpose of DomainKeys Identified Mail (DKIM) in email security?

A. It allows organizations to publish a list of their authorized email servers

B. It is used to determine whether an email message is authentic

C. It allows organizations to add content to messages to identify them as being from their domain

D. It is used to block important emails from smaller providers and organizations

77 / 260

What is an important step in proactive threat hunting that entails blocking paths attackers may take advantage?

A. Profiling Threat Actors and Activities

B. Reducing the Attack Surface Area

C. Establishing a Hypothesis

D. Bundling Critical Assets into Groups and Protection Zones

78 / 260

What is the primary philosophy used in reverse engineering?

A. Decomposition

B. Integration

C. Consolidation

D. Configuration

79 / 260

What are technical controls in the context of cybersecurity?

A. Actions like penetration testing and reverse engineering to analyze software

B. Devices, software, and settings that enforce confidentiality, integrity, and availability

C. Risk management strategies like risk acceptance and risk avoidance

D. The sets of technical and operational security controls that mitigate risks

80 / 260

What does the ’Up/down’ area of application and service monitoring in an organization operationally indicate?

A. The performance speed of the service

B. The service’s transaction log information

C. Whether the application or service is running or not

D. The logs about the function or status of the service

81 / 260

Which of the following BEST describe In-Band vs. Out-of-Band NAC solutions?

A. In-band NAC solutions require special software on devices while out-of-band solutions use a web browser for authentication.

B. In-band NAC solutions leverage the existing network infrastructure, out-of-band solutions use dedicated appliances.

C. Out-of-band NAC solutions use dedicated appliances in line with the network, in-band solutions leverage existing network infrastructure.

D. Both In-band and Out-of-band NAC solutions require devices to run special software for authentication.

82 / 260

Where does Linux typically maintain information about system state, events, and many other details?

A. In the /var/log directory

B. In the auth.log file

C. In application-specific directories

D. On the Ubuntu server

83 / 260

Why is it difficult to track down wireless rogues?

A. Because they do not use frequencies detectable by standard network devices

B. Because they use sophisticated encryption methods to mask their identity

C. Because they cannot easily be tracked to specific physical locations

D. Because they rapidly change network addresses to avoid detection

84 / 260

What is an example of a criteria used by Network Access Control (NAC) solutions based on a user’s role?

A. A user may be authorized to access the network only during specific time periods

B. A user may be assigned to particular network segments

C. A user may be granted or denied access to network resources based on their physical location

D. NAC solutions may use agents running on devices to obtain configuration information from the user’s device

85 / 260

Which of the following statements is correct about reverse engineering of software?

A. Compiled languages like Java and C/C++ are easier to reverse engineer.

B. Interpreted languages can’t be reverse engineered.

C. Reverse engineering of compiled code can be made possible with specialized programs called decompilers or with specialized environments monitoring how the software responds to different inputs.

D. Binary code is very easy to read and determine its functionality.

86 / 260

What does passwordless authentication typically rely on?

A. A username or user ID only

B. A password only

C. MFA

D. A single factor that is more secure

87 / 260

Which of the following methods can be used to stop a DoS attack originating from a single system or network?

A. Using an intrusion prevention system to block known attack traffic

B. Ignoring the attack as it will resolve itself

C. Increase the bandwidth of the network to handle the attack

D. Removing the target machine from the network entirely

88 / 260

Which of the following is considered an environmental threat in cybersecurity?

A. Accidental deletion of a critical disk volume by a system administrator

B. Malfunctions due to operational limits exceeded by equipment or software

C. Malware targeting specific types of organizations

D. Widespread telecommunications disruptions due to a natural disaster

89 / 260

Why is system monitoring useful for identifying security issues in servers and workstations?

A. It checks for host-related issues.

B. It only focuses on memory consumption.

C. It only pays attention to CPU utilization.

D. It only monitors network activities.

90 / 260

What is the function of Time of Day in NAC solutions?

A. It assigns users to particular network segments based on their role

B. It grants or denies access to network resources based on users’ physical location

C. It authorizes users to access the network only during specific time periods

D. It checks the health of the system to ensure security standards are met

91 / 260

What are some of the common threat actors as per the CompTIA CySA+ (CS0-003) exam objectives?

A. Nation-states, Hackers, Insider threats, Organized criminals

B. Nation-states, Hacktivists, Script kiddies, Organized criminals

C. Nation-states, Supply chains, Insider threats, Hackers

D. Nation-states, Ransomware groups, Hacktivists, Script kiddies

92 / 260

Which of the following is NOT a type of information included in network device logs?

A. Network device status

B. User’s personal browsing history

C. Traffic patterns

D. Events such as attacks or configuration issues

93 / 260

Which of the following is typically included when communicating the results of a penetration test?

A. Appendices specifying the results of various tests

B. Only the vulnerabilities exploited

C. The success of the attacker in gaining access but not the exploited vulnerabilities

D. Report on proposed security planning tools

94 / 260

What is one of the advantages of network segmentation or compartmentalization?

A. It increases the number of systems that are exposed to attackers

B. It disregards the scope of regulatory compliance efforts

C. It can help increase availability by limiting the impact of an issue or attack

D. It reduces the efficiency of a network

95 / 260

Which of the following is NOT a type of event log provided by Windows?

A. Application logs

B. Security logs

C. Setup logs

D. Backup logs

96 / 260

What are the roles of the Red, Blue and White team in a cybersecurity wargame?

A. White team: attackers. Blue team: defenders. Red team: coordinators

B. Red team: attackers. White team: defenders. Blue team: coordinators

C. Red team: attackers. Blue team: defenders. White team: coordinators

D. Blue team: attackers. Red team: defenders. White team: coordinators

97 / 260

Which of the following is not an example of Personally Identifiable Information (PII)?

A. Social Security numbers

B. Passport numbers

C. Driver’s license numbers

D. An individual’s favorite color

98 / 260

Which of the following methods can help analysts to sort through a great deal of security data?

A. Using a security information and event management (SIEM) tool

B. Ignoring the less significant events

C. Limiting the number of systems or services that generate log files

D. Reviewing fewer log files in order to consume less time

99 / 260

Which of the following is NOT a technique recommended for detecting bandwidth consumption issues?

A. Use of tools that utilize flow data to show network bandwidth trend information.

B. Monitoring tools that check for high usage levels and trigger alarms based on thresholds.

C. Use of real-time graphs to monitor bandwidth usage as it occurs.

D. Forcing high load situations to test network device capacity.

100 / 260

What does Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) logs contain when a rule is triggered?

A. Information about the rule that was activated and the traffic that was captured and analyzed

B. Information about the user who triggered the rule

C. Information about the individual packets but not the entire conversation

D. Information limited to the network layer only

101 / 260

Why is it critical to have multiple good-quality, reliable threat feeds?

A. Because they can help in manual creation of detection rules

B. Because one feed may be faster or release information sooner than others

C. Because they can help in detecting the vulnerabilities announced by Microsoft

D. Because they can help in working with IDS and IPS vendors

102 / 260

Which of the following can be gained from analyzing network devices’ configuration files?

A. The network’s topography

B. Information about syslog and SNMP servers

C. Details about Terminal Access Controller Access Control System (TACACS)

D. All of the above

103 / 260

Which of the following tools can be used for detecting DoS and DDoS attacks?

A. Performance monitoring tools

B. Word processing software

C. Graphic design tools

D. Cooking recipe apps

104 / 260

Who is responsible for managing the global IP address space?

A. Domain name registrars

B. Regional Internet registries (RIRs)

C. Internet Assigned Numbers Authority (IANA)

D. Country code top-level domain (ccTLD) registries

105 / 260

Why are encryption and hashing critical to a layered security design?

A. They are only critical to network security.

B. Encryption keys and passphrases need to be stored securely.

C. They play role in data security alone.

D. They provide real time threat analysis.

106 / 260

What two specific commonly used packet capture tools are focused on in the CySA+ exam outline?

A. Wireshark and Tcpdump

B. Tcpdump and Netcat

C. Wireshark and Nmap

D. Tcpdump and Wireshark

107 / 260

What functionality do tools like Wazuh, Tripwire and AIDE provide for cybersecurity monitoring?

A. They provide real-time monitoring for website traffic.

B. They monitor filesystem changes in real-time, observing files, permissions, ownership, and file attributes.

C. They allow to encrypt data storage systems.

D. They provide a firewall service for the server.

108 / 260

What methods can be utilized to identify malware activity in network traffic when examining it using tools like Wireshark and tcpdump?

A. Only by examining packet contents

B. By examining packet lengths, destination IP addresses, and protocols

C. By behavior-based analysis, looking at traffic patterns that indicate unusual behavior

D. Only by examining abnormal traffic

109 / 260

What is the primary focus of ’Collection’ in the context of Indicators of Compromise (IOCs)?

A. Analyzing obtained data for signs of compromise

B. Applying the identified IOCs in the incident response process

C. Acquiring data that may indicate compromise using logs, tools, and other sources

D. Memorizing all potential IOCs

110 / 260

What do network device logs often contain?

A. Only messages accessible through console ports

B. Only data about traffic patterns and usage

C. Device activities, status, events, and sometimes log levels

D. Only information about system and user configuration

111 / 260

Which of the following security appliances and tools leverage centralized logging and data gathering along with reporting and analysis capabilities to identify potential security issues?

A. SIEM

B. EDR

C. Firewall

D. IPS

112 / 260

What factors should a cybersecurity analyst consider when evaluating an adversarial threat?

A. The capability of the threat actor, the intent of the threat actor, and the likelihood that the threat will target the organization

B. The range of effects that the threat might have on the organization

C. The possible exhaustion of resources or failure due to exceeding operational capability or age

D. Common natural environmental threats to their geographic region and how to appropriately prevent or counter human-made environmental threats

113 / 260

Which of the following is NOT a category of threats identified by NIST?

A. Adversarial threats

B. Reputational threats

C. Accidental threats

D. Environmental threats

114 / 260

Which of the following stages is not typically involved in the process of proactive threat hunting?

A. Establishing a Hypothesis

B. Improving Detection Capabilities

C. Reducing the Attack Surface Area

D. Implementing a Firewall

115 / 260

What is the primary purpose of a honeypot in cybersecurity?

A. To legitimately host sensitive data and services

B. To lure attackers into a controlled environment and learn about their intentions

C. To feed network blacklists by blocking all outbound activity

D. To detect and remediate botnet-infected systems

116 / 260

Which of the following file analysis techniques is not specifically listed in the CySA+ exam outline but is a common practice used by security practitioners?

A. Using SHA256 hashing

B. Using MD5 tools

C. Using the strings command in Linux

D. Using PowerShell in Windows

117 / 260

What is the final stage in the threat intelligence cycle?

A. Creation of better requirements

B. Continuous improvement

C. Intelligence Dissemination

D. Gathering feedback

118 / 260

Which General Accepted Privacy Principle (GAPP) signifies that an organization should collect Personally Identifiable Information (PII) only for the purposes identified in the notice and consented to by the individual?

A. Management

B. Notice

C. Collection

D. Security

119 / 260

What are the benefits of creating standardized processes for recurring activities?

A. Increases the amount of effort required to react to a task

B. Ensures different members of the team respond inconsistently in similar situations

C. Requires you to figure out what to do next every time the task comes up

D. Reduces the amount of effort required to react to a task and ensures team members respond consistently

120 / 260

Which of the following tools or methods can aid in identifying and responding to DoS and DDoS attacks?

A. Utilization of IDS or IPS with activated DoS or DDoS detection rules

B. Ignoring logs from firewalls, routers, and switches

C. Avoiding using a SIEM device to review and alarm about problem traffic

D. Disabling host level tools such as endpoint detection and response (EDR)

121 / 260

Which of the following is strongly associated with pattern recognition techniques in context of cybersecurity?

A. Relying on raw data to detect new viruses

B. Using advanced AI to identify potentially unwanted or malicious activity

C. Analyzing historical cybersecurity incidents

D. Identifying command-and-control (C&C) traffic

122 / 260

Which type of threat actor is often associated with advanced persistent threat (APT) organizations and usually have the resources of a country behind them?

A. Organized crime

B. Hacktivist

C. Nation-state actors

D. Script kiddies

123 / 260

What does the CompTIA CySA+ outline broadly describe as ’email analysis’?

A. General email analysis and review skills, email protection, antispam and antiphishing techniques

B. Techniques on how to effectively write emails

C. The history and development of email

D. Procedures on how to create an email account

124 / 260

What are the common methods for automating cybersecurity workflows?

A. Scripting and Integration

B. Gaming and Scripting

C. Integration and Gaming

D. None of the above

125 / 260

What utility do most managed networks utilize to send logs to a central server?

A. Simple Network Management Protocol (SNMP)

B. Network Device Configuration Utility

C. Simple Mail Transfer Protocol (SMTP)

D. syslog

126 / 260

Which area presents the greatest promise for future cybersecurity analytics tools according to the text?

A. The adoption of biometrics

B. The adoption of blockchain technology

C. The adoption of quantum computing

D. The continued adoption of machine learning techniques

127 / 260

What is the purpose of SSL Inspection in network security?

A. To monitor and analyze encrypted network traffic

B. To create additional encrypted traffic

C. To limit the use of SSL/TLS protocols

D. To control device bandwidth

128 / 260

What purpose does careful configuration management serve in the context of endpoint devices like computers and smartphones?

A. It enhances the processing speed of the devices

B. It ensures the devices remain secure and do not serve as the entry point for a security vulnerability on an enterprise network

C. It improves the user interface of the devices

D. It enhances the storage capacity of the devices

129 / 260

What is the main focus in the ’Collection’ of Indicators of Compromise (IOCs) in the context of CSyA+ exam?

A. Studying commonly found IOCs

B. Determining whether the gathered data implies any compromise

C. Gathering data using tools, logs and other sources that may suggest compromise

D. Applying IOCs to activate security procedures

130 / 260

What type of security solution can detect and stop attacks within an on-premises network architecture?

A. Firewalls

B. Intrusion prevention systems (IPSs)

C. Content filtering and caching devices

D. Network access control (NAC) technology

131 / 260

Why is product diversity sometimes used in network or system designs?

A. To save on costs associated with training and maintenance

B. To create a single point of failure in the system

C. To ensure that a vulnerability in one product does not make the entire system vulnerable to exploit

D. To promote vendor competition

132 / 260

What two factors should analysts consider when determining the likelihood of a risk occurring?

A. The likelihood that the threat source will initiate the risk and the state of the organization’s security controls

B. The potential impact of the risk on the organization and the effectiveness of the organization’s security controls

C. The type of threat source (adversarial, accidental, structural, or environmental) and the potential impact of the risk on the organization

D. The potential impact of the risk on the organization and the organization’s financial status

133 / 260

Which threat actor category is most likely to conduct sophisticated cyber attacks sponsored by a country for national interests?

A. Hacktivists

B. Organized Crime

C. Script Kiddies

D. Nation-state Actors

134 / 260

What are some of the uses of a port scanner as mentioned in the text?

A. For network inventory tasks

B. To listen to music

C. For food delivery

D. To play video games

135 / 260

What is the role of a network firewall in network security?

A. To manage the systems that connect directly to an organization’s network

B. To control the electronic perimeter of a network, much like a security guard controls the physical perimeter of a building

C. To grant access to confidential information to authorized personnel

D. To protect against intruders seeking to gain physical access to a facility

136 / 260

What does a file encoded in XML use to open and close statements, and how is it similar to other languages?

A. It uses angle brackets and it is similar to JSON

B. It uses curly brackets and it is similar to JavaScript

C. It uses angle brackets and it is similar to HTML

D. It uses square brackets and it is similar to HTML

137 / 260

What security software is considered a minimum requirement to enforce an organization’s security objectives on endpoint systems?

A. Host intrusion prevention systems

B. Antivirus software

C. Host-based firewall software

D. Centralized management system

138 / 260

What is an important piece of information router and firewall configuration files and logs provide, that can assist in topological mapping?

A. They indicate the firewall’s power usage

B. They identify the geographical location of physical routers

C. They identify where systems are based on traffic allowed through or blocked

D. They provide the email addresses of network administrators

139 / 260

What is one of the rapidly emerging areas of automation in cyber security?

A. SOAR automation

B. Incident response

C. Incident investigation

D. Application of tribal knowledge

140 / 260

Which of the following best describes the main difference between privacy and security according to the passage?

A. Privacy is about protecting data from unauthorized disclosure, modification, and denial of access, while security is about how an organization uses and shares information.

B. Security is about protecting the organization’s data, while privacy is about how an organization uses and shares information collected about individuals.

C. Privacy solely depends on regulatory standards, while security solely depends on ethical considerations.

D. Security extends to include ways an organization uses and shares information, while privacy only covers protection against unauthorized access.

141 / 260

In the context of Patch Management, why is it important for system administrators to maintain current security patch levels on all operating systems and applications?

A. It helps to discover new vulnerabilities.

B. It offers the possibility to develop new patches

C. It elevates the likelihood that the organization will be targeted by attackers.

D. It reduces the time window in which attackers could exploit a known vulnerability.

142 / 260

What is the primary role of a Cloud Access Security Broker (CASB) tool?

A. To facilitate data migration between clouds

B. To terminate active cloud sessions

C. To enforce security policies when cloud resources and services are used

D. To configure and maintain other cloud security tools

143 / 260

What is the function of the -sV flag in nmap scanning?

A. It runs a vulnerability assessment scan

B. It grabs banners and performs other service version validation steps

C. It scans for services running on nonstandard ports

D. It changes the protocol version for the scan

144 / 260

Why is it necessary to obtain permission from appropriate authorities before conducting active reconnaissance?

A. To ensure that the scans do not trigger security alarms or fill logs of the devices being scanned.

B. To avoid legal repercussions and ensure compliance with terms of use with your Internet service provider.

C. To prevent any unintended impact on system and network administration.

D. All of the above.

145 / 260

What does the ’Monitoring and enforcement’ principle under the Generally Accepted Privacy Principles (GAPP) advocate for?

A. PII should be protected against unauthorized access

B. The organization should obtain the direct consent of individuals for the storage, use, and sharing of PII

C. The organization should provide individuals with access to any information about that individual in the organization’s records

D. The organization will have business processes in place to ensure that it remains compliant with its privacy policy

146 / 260

What is typically involved in planning for intelligence requirements in the first phase of the intelligence cycle?

A. Assess what cyber security tools are commercially available

B. Assess what security breaches or compromises have been faced

C. Assess what marketing strategies could enhance your organization’s public image after a breach

D. Assess what competitors’ threat intelligence strategies are

147 / 260

What is the potential risk of setting an overly detailed log level, like log level 7, in network device log files?

A. It can reduce the size of the log files

B. It can produce an overwhelming flood of detail that isn’t usually useful

C. It can increase the speed of the data capture process

D. It can restrict the availability of important information

148 / 260

What is Proactive Threat Hunting in the context of Integrated Intelligence?

A. It is a process where only known threats are dealt with.

B. A routine checking of network for lingering threats.

C. Searching for threats proactively by establishing hypothesis about a new threat and investigating the threat.

D. It is a process that involves waiting for a threat to occur and then responding to it.

149 / 260

What is Netflow’s primary purpose?

A. To monitor network traffic by collecting IP traffic information

B. To enhance network speed

C. To create firewall rules and security policies

D. To enable network sharing between devices

150 / 260

What does a probable (70-89) confidence level indicate in ThreatConnect’s rating system for threat feed?

A. The threat is confirmed by independent sources or through direct analysis.

B. The assessment relies on logical inference, but does not directly confirm the threat.

C. The assessment is possible but not the most likely option.

D. The assessment has been confirmed to be inaccurate or incorrect.

151 / 260

Why is monitoring for bulk account creation or atypical account creation important in maintaining cybersecurity?

A. It helps detect and identify potentially malicious account creations

B. It alleviates the need for logging and monitoring accounts

C. It is specifically mentioned in the CySA+ exam outline

D. It ensures that all accounts are cloud-hosted

152 / 260

What is meant by ’impossible travel’ in the context of User Behavior Analysis?

A. A user traveling to a location that is physically inaccessible

B. Logging into an account from locations that can’t reasonably be explained by travel between those locations

C. A user’s refusal to use standard modes of transportation

D. A user who travels more frequently than their job role requires

153 / 260

What are the three important aspects to be finalized during the planning phase of a penetration test?

A. Scope, Timing, and Tools

B. Timing, Scope, and Authorization

C. Tools, Resources, and Scope

D. Authorization, Personnel, and Resources

154 / 260

Which of the following can be used to protect a Windows registry on servers with infrequent changes?

A. Use of application allow lists

B. Use of agent-based tools

C. Use of malware scanning tools

D. Use of VPN

155 / 260

What protocol does Ping communications use?

A. Hypertext Transfer Protocol (HTTP)

B. Transmission Control Protocol (TCP)

C. Internet Control Message Protocol (ICMP)

D. User Datagram Protocol (UDP)

156 / 260

What are the five key areas where threat intelligence sharing is used in security operations?

A. Risk Management, Vulnerability Management, Security Engineering, Incident Response, Detection and Monitoring

B. Risk Management, Penetration Testing, Vulnerability Management, Incident Response, Key Management

C. Risk Management, Security Engineering, Incident Response, Patch Management, Detection and Monitoring

D. Risk Management, Network Hardening, Vulnerability Management, Incident Response, Database Security

157 / 260

What can help to protect the application logs from modification or deletion by an attacker, according to the text?

A. Sending them to a non-centralized location

B. Keeping them in the /var/log directory

C. Keeping them in an application-specific directory or file

D. Sending critical application logs to a central log collection and/or analysis service

158 / 260

What is one of the challenges when it comes to making use of open source threat intelligence?

A. Finding publically available sources

B. Deciding which sources to use and ensuring they are reliable and current

C. Locating the dark web

D. Finding community-driven collections

159 / 260

Which of the following statements best describes Passive Discovery?

A. Passive discovery always provides all the information needed to fully identify targets

B. Passive discovery relies on performing your own probes on the organization, systems, or network

C. Passive discovery relies on logs and other existing data, which may not provide all the information needed to fully identify targets

D. Passive discovery always keeps up-to-date information

160 / 260

What is a DNS zone transfer primarily used for?

A. It is used primarily for gathering detailed information on an organization’s network setup.

B. It is used to filter out suspicious domains.

C. It is used to replicate DNS databases between DNS servers.

D. It is used to transfer a domain from one registrar to another

161 / 260

What does the ’Access’ principle suggest in the Generally Accepted Privacy Principles (GAPP)?

A. It ensures the protection of PII against unauthorized access

B. It implies the organization should provide individuals with access to their information in the organization’s records at their request.

C. It stands for the prevention of unauthorized disclosure of information

D. It is about maintaining accurate and complete information about individuals.

162 / 260

What is a commonly used tool in social engineering attacks such as phishing?

A. Encrypted Links

B. Obfuscated Links

C. Illuminate Links

D. Directed Links

163 / 260

In the context of network events, how is an incident typically classified?

A. As a discovery of suspicious or unexpected network traffic

B. As a violation of a security policy, unauthorized use or access, denial of service, or other malicious actions

C. As observable events like an email or a file download

D. As a notification that occurs due to an event

164 / 260

What is a common method for identifying rogue devices on a network?

A. Valid MAC Address Checking

B. Creating a password-based firewall

C. Purchase of new network hardware

D. Frequent system updates

165 / 260

What may be the possible reason for a device to be completely denied network access or placed on a special quarantine network in a NAC solution?

A. The device has been used beyond business hours

B. The device is physically present in the datacenter

C. The device has an incorrectly configured host firewall, outdated virus definitions, or missing security patches

D. The device cannot communicate with the authentication servers

166 / 260

What are the elements a complete data loss prevention (DLP) system targets?

A. Data in motion, data at rest and data in use

B. Data within databases only

C. Data within incoming network traffic

D. Data within client emails only

167 / 260

Which of the following best represents an example of automated enrichment of incident response data?

A. A human analyst manually researching the source address of the attack

B. An automated workflow performing reconnaissance on the source address of the attack

C. A team leader planning a strategic response to an incident

D. A cybersecurity analyst manually appending report in the tracking system

168 / 260

What is one security risk associated with SDN-WANs?

A. They do not provide API control.

B. They introduce availability and integrity risks as traffic flows through multiple paths.

C. They prevent blended infrastructures.

D. They do not support OpenFlow.

169 / 260

What are the two cybersecurity objectives achieved through Network Access Control (NAC)?

A. Limiting network access to authorized individuals and ensuring that systems accessing the organization’s network meet basic security requirements.

B. Assuring that all systems are updated regularly and verifying that all users have appropriate access credentials.

C. Protecting the network from external threats and maintaining an updated database of all network users.

D. Guaranteeing network uptime and preventing unauthorized access to sensitive data.

170 / 260

Which of the following is NOT a method for identifying rogue devices?

A. Valid MAC Address Checking

B. MAC Address Vendor Information Checking

C. Network Scanning

D. Traffic Light Analysis

171 / 260

Which of the following is NOT a valid advantage of Single Sign-On (SSO) systems?

A. Reduces the occurrence of password reuse

B. Lowers the likelihood of credential exposure on third-party sites

C. Diminishes the potential cost savings from fewer password resets and support calls

D. It offers a single point of access to multiple systems or services

172 / 260

Which of the following is NOT a principle outlined by the Generally Accepted Privacy Principles (GAPP)?

A. Organizations should document privacy practices in a privacy policy

B. Organizations should provide individuals with access to their own information

C. Organizations should sell collected PII to third-party vendors

D. Organizations should protect PII against unauthorized access

173 / 260

What protocol and port number does DNS typically use?

A. TCP/UDP port 22

B. TCP/UDP port 53

C. TCP port 80

D. UDP port 67

174 / 260

Why should organizations perform penetration tests periodically, despite the barriers?

A. It bolsters an organization’s security controls

B. It is a method for the cybersecurity analysts to monitor the effectiveness of security controls

C. It is not expensive to conduct

D. It does not require highly skilled individuals and is not time-consuming

175 / 260

Why might you need to use a tool that targets wireless networks or account for virtual systems that are not visible outside of a virtual host’s firewall during mapping and scanning?

A. Because the network is wireless or the systems and network devices are virtual

B. Because the network service agreement restricts the use of certain tools

C. Because the system runs on proprietary software

D. Because the network is wired

176 / 260

What does the grep command do while performing a security analysis?

A. It is used to launch a cyber attack

B. It helps in preventing potential cyber threats

C. It performs string searches on text

D. It is used to code a complex program

177 / 260

What is a potential method to prevent DNS brute-force attacks?

A. Ignoring DNS queries

B. Using an IDS or IPS with a rule that will prevent DNS brute-force attacks

C. Increasing the speed at which queries are sent

D. Sending queries from one centralized system

178 / 260

What does the command ’nc -l -p 37337 -e cmd .exe’ in netcat or nc .exe do?

A. It deletes all files on port 37337

B. It opens a remote shell on port 37337 which connects to cmd.exe

C. This command installs a new software on port 37337

D. It blocks all incoming connections on port 37337

179 / 260

What are the unique features of Cuckoo Sandbox as mentioned in the text?

A. Only analyzes malicious files

B. Cannot be self-hosted

C. Analyzes more than malware, including Microsoft Office files, PDFs, and malicious websites

D. Doesn’t analyze network traffic

180 / 260

Which of the following methods is used to identify new devices on a network?

A. Traffic Analysis

B. Network Scanning

C. Site Surveys

D. Valid MAC Address Checking

181 / 260

Where do most Windows applications usually store their error logs?

A. In the Windows Application log

B. In the /var/log directory

C. In an application-specific location on Linux

D. In the Windows Event Viewer

182 / 260

Which of the following is true about Angry IP Scanner?

A. It provides service names and service identification information.

B. It does not require Java to function.

C. It automatically configures the ports to be scanned.

D. It does not provide detailed identification for services and operating systems.

183 / 260

Why is time synchronization between systems and services important for cyber security?

A. It allows for better bandwidth utilization

B. It ensures that events and incidents appear in the correct order and at the right times in logs

C. It increases the overall performance of the network

D. It helps in faster data transmission between servers

184 / 260

What does a Linux dhcpd.conf file provide information about?

A. List of blocked IP addresses

B. Information about hosts and the network they are accessing

C. Logs of all the failed login attempts

D. Passwords of all the users

185 / 260

Which of the following is NOT a common feature of port scanning tools based on the text given?

A. Host discovery

B. Service version identification

C. Port redirection

D. Operating system identification

186 / 260

What kind of data does active monitoring typically gather?

A. availability, routes, packet delay or loss, and bandwidth

B. IP addresses, hostnames, and user data

C. TCP pings and only basic up/down information

D. Data about network mnemonic memory

187 / 260

What are wired rogue devices and how can they be prevented on a network?

A. Devices connected without permission which can be prevented by removing them

B. Devices connected by an attacker which can be prevented by MAC address limiting technology or via NAC

C. Devices connected by an employee without following the process, prevention can be accomplished by regularly checking physical devices

D. Devices connected to unauthenticated networks, can be prevented by total network shutdown

188 / 260

Which of the following is NOT a common type of authentication factor or method associated with Multifactor Authentication (MFA)?

A. Knowledge factors

B. Possession factors

C. Biometric factors

D. Habitual factors

189 / 260

Which of the following is NOT a publicly available resource for standards and guidelines on penetration testing?

A. OSSTMM

B. Penetration Testing Execution Standard

C. National Institute of Standards and Technology (NIST) Special Publication 800-115

D. Cybersecurity Framework 101

190 / 260

What does ’router-based monitoring’ provide information about?

A. Only information about the router itself

B. Only the flow of traffic on the network

C. Both the flow of traffic on the network and the status of the network device

D. Neither the flow of traffic on the network nor the status of the network device

191 / 260

Which of the following tools and techniques is not discussed in the text provided to determine malicious activity?

A. DNS and IP reputation

B. Packet capture

C. Social engineering

D. Log analysis and correlation

192 / 260

Which of the following is NOT a step in proactive threat hunting?

A. Establishing a Hypothesis

B. Profiling Threat Actors and Activities

C. Negotiating with Threat Actors

D. Improving Detection Capabilities

193 / 260

What type of threats are defined as failures of equipment, software, or environmental controls due to factors such as aging, exhaustion of resources, or exceeding operational capabilities?

A. Adversarial threats

B. Accidental threats

C. Structural threats

D. Environmental threats

194 / 260

When investigating a potentially compromised service, what are the common areas that need to be monitored?

A. Efficiency, transactional logs, and user actions

B. Up/down status, performance, transactional logging, and service logging

C. Error reports, user actions, and service status

D. Performance, file changes, and error logs

195 / 260

Why is it critical for organizations to centralize logs and use tools for processing and analyzing logs?

A. To deal with the sheer volume of logs and find meaningful data

B. To reduce the cost of storage

C. To limit the number of logs generated

D. To avoid configuring logging sources

196 / 260

What does the ’Performance’ category in application and service monitoring refer to?

A. Whether the service is operational

B. How quickly and predictably the service responds

C. Logs about the function or status of the service

D. Information about the function of the service, such as user actions

197 / 260

Which of the following is not part of the three complementary cybersecurity objectives?

A. Confidentiality

B. Recovery

C. Integrity

D. Availability

198 / 260

What is the main function of a web application firewall (WAF)?

A. It operates at the application layer to filter out attacks against desktop applications

B. It operates at the network layer to filter out attacks against web applications

C. It operates at the application layer to filter out attacks against web applications

D. It operates at the presentation layer to filter out attacks against web applications

199 / 260

What is a possible criteria for a NAC solution to make a network admission decision, as it relates to a user’s physical position?

A. Adding location-based advertisements

B. Allowing access to the datacenter network only for systems physically present in the datacenter

C. Prohibiting access to the datacenter network for systems physically present in the datacenter

D. Automatically geo-tagging every user’s location for demographic research

200 / 260

Which of the following is often the first indicator of an attack or compromise according to this passage?

A. Unexpected outbound communication

B. Introduction of new accounts

C. Anomalous activity

D. Service interruption

201 / 260

What is an ’accidental threat’ in the context of cybersecurity risk assessment?

A. Threats from natural or human-made disasters that are outside the control of the organization.

B. Threats from individuals, groups, and organizations that deliberately undermine the security of an organization.

C. Threats that occur when individuals inadvertently perform an action in their routine work that undermines security.

D. Threats due to equipment, software, or environmental controls failing due to the exhaustion of resources, exceeding their operational capability or simply failing due to age.

202 / 260

What are the two key characteristics of processes that are suitable for automation according to the CompTIA CySA+ material?

A. They are both repeatable and require human interaction

B. They are unpredictable and require human interaction

C. They are unpredictable and do not require human interaction

D. They are both repeatable and do not require human interaction

203 / 260

What can you discern about a remote host’s operating system through packet capturing?

A. Its installed applications

B. Its uptime

C. Its operating system

D. Its MAC address

204 / 260

What is an important aspect of the proactive threat hunting process?

A. Disregarding new data or tools

B. Watching cyber attacks unfold without action

C. Ignoring the latest techniques and technologies of threats

D. Continuously improving detection capabilities

205 / 260

What method did the hacker in the case study use to continue his exploits throughout other member sites in the federation?

A. He exploited SQL injection vulnerabilities

B. He replaced the SSH Daemon running on the systems and captured other members’ credentials

C. He used a DDoS attack to overwhelm the network

D. He manipulated the DNS settings of the federation’s network

206 / 260

What is the main goal of organized crime threat actors in cyberspace?

A. To disrupt supply chains

B. To achieve political or philosophical ends

C. To gain financially

D. To test their hacking skills

207 / 260

What does the ’Quality’ principle of the Generally Accepted Privacy Principles (GAPP) represent?

A. Ensures the organization maintains accurate and complete information.

B. Ensures that PII will be protected against unauthorized access.

C. It requires the organization to obtain the direct consent of individuals for the storage, use, and sharing of PII.

D. It mandates the organization will disclose information to third parties only when consistent with notice and consent.

208 / 260

Which of the following are the three major areas of focus for threat hunting called out in the CySA+ exam outline?

A. Configurations and misconfigurations, Isolated networks, and Business-critical assets and processes

B. Configurations and misconfigurations, Employee behaviors, and Business-critical assets and processes

C. Business-critical assets and processes, Employee behaviors, and Networks

D. Configurations and misconfigurations, Isolated networks, and Employee behaviors

209 / 260

What is a common technique used by malware to hide abnormal behavior in operating system processes?

A. Name rogue processes with similar names to legitimate operating system components

B. Change the startup logo of the operating system

C. Delete unused files in the operating system

D. Run multiple instances of the operating system

210 / 260

What is the function of bundling critical assets into groups and protection zones as a part of proactive threat hunting?

A. It helps in organizing different threats based on their severity

B. It aids in managing attack surface area, threat hunting, and response activities because each asset doesn’t need to be individually assessed or managed as a unique item.

C. It assists in distinguishing between non-critical and critical assets

D. It acts as a step to improve detection capabilities

211 / 260

What is the main difference between the focus of privacy controls and the focus of security goals?

A. Privacy focuses on ways an organization can protect its own information while security focuses on ways an organization can use and share collected information about individuals.

B. Privacy focuses on ways an organization can classify its data while security focuses on the ways an organization can protect its data.

C. Privacy focuses on the ways an organization can use and share collected information about individuals, while security focuses on ways an organization can protect its own information.

D. There is no difference, privacy and security share the same focus.

212 / 260

What can the Group Policy Object (GPO) mechanism be used for in a system?

A. To define groups of administrative settings and apply them to selected systems

B. Can only be used to enforce Windows Firewall settings

C. Only applies settings to all systems in the enterprise

D. Can be used to allow all inbound connections.

213 / 260

What purpose does SAML serve in web applications and services?

A. It is used to manage application dependencies.

B. It enables single sign-on and facilitates authentication and authorization data exchange.

C. It serves to manage web service API endpoints.

D. It used for securing data transmission via encryption.

214 / 260

How are script kiddies described in the context of cyber threat actors?

A. They are nation-state actors with advanced tools and capabilities.

B. They are hackers who use hacking as a means to a political or philosophical end.

C. They are malicious actors who use preexisting tools, often in relatively unsophisticated ways.

D. They are insiders posing threats from within the organization.

215 / 260

What is the correct order of the steps in the threat intelligence life cycle?

A. Threat Intelligence Dissemination – Gathering Feedback – Threat Data Analysis – Threat Data Collection – Requirements Gathering

B. Threat Data Collection – Requirements Gathering – Threat Data Analysis – Threat Intelligence Dissemination – Gathering Feedback

C. Requirements Gathering – Threat Data Collection – Threat Data Analysis – Threat Intelligence Dissemination – Gathering Feedback

D. Gathering Feedback – Threat Intelligence Dissemination – Threat Data Analysis – Threat Data Collection – Requirements Gathering

216 / 260

What is the primary function of Endpoint Detection and Response (EDR) tools?

A. They help in centralizing data logging and reporting.

B. They are used to detect potential security issues, attacks, and compromises on endpoint systems.

C. They perform data encryption on all endpoints.

D. They assist in the implementation of network firewalls.

217 / 260

What are the four major technologies that serve as the core of federated identity for current federations?

A. SAML, AD FS, OAuth, and OpenID Connect

B. SSL, DNS, HTTP, and OpenID Connect

C. SAML, RSA, OAuth, and AD FS

D. SAML, OAuth, Firewalls, and OpenID Connect

218 / 260

Which of the following best describes hacktivists as a threat actor in cybersecurity?

A. Hacktivists are malicious actors who use preexisting tools and tend to operate in a relatively unsophisticated manner.

B. Hacktivists are activists who use hacking as a means to a political or philosophical end, and their capabilities can vary greatly.

C. Hacktivists are typically sponsored by a nation-state and are associated with advanced persistent threat organizations.

D. Hacktivists are threat actors that may intentionally or unintentionally pose a threat due to their trusted position within an organization.

219 / 260

What is a key security consideration for containerization platforms?

A. They must enforce isolation between containers

B. They must require unique operating systems for each container

C. They must be resource-hungry, similar to a virtual machine

D. They must prevent containers from being portable across operating systems and hardware platforms

220 / 260

What command can be used to list scheduled tasks from the Windows command line?

A. schtasks | more

B. dir | more

C. echo %PATH%

D. type /etc/crontab

221 / 260

Which of the following best describes operating system fingerprinting?

A. The process of identifying a device by comparing responses to TCP and UDP packets sent to remote hosts.

B. A method to identify printers and other networked devices.

C. Identification of a device by monitoring its network traffic and checking device logs.

D. A technique to identify a device’s software, services, and operating system uniquely.

222 / 260

What is the principle that Privileged Access Management (PAM) relies on?

A. Maximum privilege

B. Optimum privilege

C. Least privilege

D. Most privilege

223 / 260

Which of the following methods can help detect malicious files and behavior and allow responses that can immediately stop attacks?

A. Microsoft Endpoint Manager

B. Antivirus and antimalware tools

C. Endpoint detection and response (EDR)

D. Software and file block listing

224 / 260

What is the purpose of hashing in determining the identity or modification of compiled code?

A. To provide encryption for the source code

B. To compute a unique fingerprint for each file and compare the output values

C. To track changes to the source code version

D. To provide a proof of concept for a vulnerability

225 / 260

How is the security of federated identities primarily handled from an identity provider (IDP) perspective?

A. They must provide services to members of the federation and handle all related data securely.

B. They are required to make decisions about attribute release and provide validation information about their identity claims to the IDP.

C. They must provide identities, make assertions about them to relying parties, and release information to these parties about identity holders.

D. They solely depend on a third-party security service to manage all aspects of identity protection.

226 / 260

Which of the following options describes one of the information that can be gathered using netstat?

A. Prediction of the future network behaviour

B. Active malware programs running on the system

C. Names of all the users currently logged in

D. Active TCP and UDP connections, filtered by each of the major protocols

227 / 260

What is a potential security concern when using automatic email forwarding in an organization?

A. It consumes too much server bandwidth.

B. Attackers who have compromised an account can use it to send all received emails elsewhere.

C. It leads to slower transmission of emails.

D. It can cause errors when organizing emails.

228 / 260

What functionality does Recon-ng provide in terms of information gathering?

A. It can only gather quantitative data about a target.

B. It uses open-source intelligence (OSINT) gathering with help from tools like hacker target.

C. It is limited to passive information gathering.

D. It solely relies on the functionality it shares with Metasploit.

229 / 260

What type of information can proxy logs provide?

A. Source and destination IP address, source and destination port, the amount of traffic that was sent

B. Shop logs and transaction data

C. Social media activity

D. Web browsing history

230 / 260

What are the four parties that OAuth flows recognize in the authorization framework?

A. Service providers, consumers, users, applications

B. Servers, clients, users, providers

C. Clients, resource owners, resource servers, authorization servers

D. Third-party services, authorization providers, users, servers

231 / 260

Why does the use of cloud services require a different security approach compared to on-premises systems?

A. Cloud services are more complex systems

B. Cloud service providers don’t provide any security

C. The underlying environment provided by cloud service providers is not typically accessible

D. Cloud services are only used by large organizations with sensitive data

232 / 260

What methods might malicious actors use to conceal data exfiltration activities?

A. Using encryption

B. Sending through DNS requests

C. Sending it via commonly used channels like HTTPS

D. All of the above

233 / 260

What piece of information can a scanning tool use to guess about the network topology?

A. TTL of the packets it receives

B. Memory capacity of the system

C. Number of users on the network

D. Type of operating system used on the network

234 / 260

Why is it vital to understand how your network is designed and what devices exist on it?

A. To troubleshoot technical issues

B. To manage software installations

C. To secure the network

D. To perform regular maintenance

235 / 260

What is the purpose of drive capacity monitoring?

A. To prevent the drive or volume from filling up and causing an outage

B. To constantly keep the drive or volume clean

C. Only for resource management

D. Only for optimizing drive performance

236 / 260

Which of the following statements about Mandatory Access Control (MAC) is NOT true?

A. In MAC, administrators set all the security permissions.

B. In MAC, end users have the authority to modify security permissions.

C. MAC systems are generally used in highly sensitive government and military applications.

D. Security-Enhanced Linux (SELinux) is a system that enforces MAC.

237 / 260

What are some of the common network problems that can be tracked once visibility into the network’s bandwidth and device status is obtained?

A. Beaconing and device incompatibility

B. Unexpected traffic and VPN failures

C. Bandwidth consumption and link failure

D. Connection failures and cloud misconfigurations

238 / 260

Which of the following best describes the term ’Insider threats’ as highlighted in the provided passage?

A. Threats posed by malicious actors outside an organization who attack its supply chain.

B. Threats that involve attackers using preexisting tools, often in relatively unsophisticated ways.

C. Threats that come from employees or other trusted individuals inside an organization.

D. Threats posed by activists who use hacking as a means to a political or philosophical end.

239 / 260

Which of the following behaviors are often included in network scans, making them easily detectable?

A. Random testing of service ports

B. Connecting to a single IP address in a network

C. Repeated requests to services that are not active

D. Isolated requests to services that are active

240 / 260

What is an important element in performing email analysis to prevent phishing attacks?

A. Reviewing the subject line

B. Checking the email’s sender

C. Looking at the embedded links

D. Identifying the layout of the email

241 / 260

Why is the knowledge of APT’s Tactics, Techniques, and Procedures (TTP) valuable?

A. It is needed for academics and cyber crime research.

B. It defines the function and authority scope of cybersecurity professionals.

C. It is essential for successfully countering APT activity.

D. It is useful for ethical hacking teaching courses.

242 / 260

What does reverse engineering hardware often involve?

A. Removing and replacing physical components

B. Attempting to duplicate the hardware

C. Operating the hardware in a controlled environment and observing its response to inputs

D. Disassembling the hardware to its base components

243 / 260

According to the CompTIA CySA+ exam objectives, what are some of the attributes often associated with nation-state threat actors?

A. Limited access to resources and lower level technical capabilities

B. Focused primarily on financial gain and ransomware attacks

C. Utilizing preexisting tools and displaying a lack of sophistication

D. Access to extensive resources, sponsored by countries, and often associated with advanced persistent threat organizations

244 / 260

Which of the following describes the application of Indicators of Compromise (IOCs)?

A. Gathering data that may indicate an imminent breach or compromise

B. Determining if a user is performing their tasks normally based on usual activities

C. Using analysis insights to activate security responses or integration with threat intelligence services

D. Memorizing all types of IOCs so you can instantly recognize possible compromises.

245 / 260

Why are Distributed Denial-of-Service (DDoS) attacks challenging to detect and stop?

A. Because they come from many systems or networks at once

B. Because they only come from one system or network

C. Because they are not usually part of a botnet

D. Because they are uncommon and rare

246 / 260

Which of the following methods is NOT used for identifying rogue devices?

A. Valid MAC Address Checking

B. MAC Address Vendor Information Checking

C. Traffic Analysis

D. Encryption Analysis

247 / 260

What method did the U.S. government use to compromise Cisco routers, according to NSA documents revealed by Edward Snowden?

A. They tampered with the routers during initial manufacturing

B. They intercepted packages in transit and inserted covert firmware

C. They hacked into the routers after they reached the customer

D. They installed surveillance software at the Cisco factory

248 / 260

Why do penetration testers use packet capture tools during their testing?

A. To capture additional data

B. To reduce the data generated during port and vulnerability scanning.

C. To slow down the scan process

D. To correct problems during the scan

249 / 260

What type of information can be included in threat feeds?

A. IP addresses, hostnames, and domains

B. Only proprietary information from commercial services

C. Only open-source intelligence information

D. Only information from government and public sources

250 / 260

What does a system named “AD4” suggest in the context of DNS entries?

A. It is a Linux-based system

B. It is a target for Active Directory-based exploits and Windows Server-specific scans

C. It is an indication of an email server

D. It is a sign of a web host

251 / 260

What is a specific use of network flow data in cybersecurity?

A. To determine the physical location of the server

B. To identify unexpected communications to remote command-and-control systems

C. To encrypt data being sent over the network

D. To authenticate users accessing network resources

252 / 260

What are some of the risks associated when an organization fails to renew its domain name?

A. It can cause internal system failures

B. It can lead to reputational damage

C. It can result in someone else registering the domain and potentially gaining access to sensitive information

D. It can cause a drop in website traffic

253 / 260

Which of the following steps can be used to troubleshoot service and application failures?

A. Trying to start or restart the service

B. Ignoring the service’s log message or error messages

C. Checking a service’s network traffic

D. Running a system-wide antivirus scan

254 / 260

What is one of the command-line flags used in nmap and what is its function?

A. The -sV flag, used for service version detection

B. The -r flag, used for rotating IP addresses

C. The -a flag, used for activating firewall bypass

D. The -x flag, used for extracting system information

255 / 260

How can you check the status of Linux services on a system?

A. Using the command: check [servicename] status

B. Using the command: service [servicename] status

C. Restarting the service

D. Using the command: /etc/init.d/check status

256 / 260

Which component of Public Key Infrastructure (PKI) is responsible for verifying that entities requesting certificates are who they claim to be?

A. Certificate Authority (CA)

B. Registration Authority (RA)

C. Certificate Management System

D. Certificate Revocation List (CRL)

257 / 260

In a network with different levels of trust zone, what’s the function of a jump box?

A. It allows anyone to access the internal network without authentication.

B. It acts as a secure transition point between the corporate network and the sensitive data center network.

C. It directly connects untrusted devices to the company systems.

D. It replaces the need for firewalls.

258 / 260

What tool can be used to convert IP addresses to domain names, or vice versa, on Windows, Linux, and macOS systems?

A. Whois

B. DNS

C. Nslookup

D. Traceroute

259 / 260

What does Cardholder Data (CHD) consist of?

A. Primary account number, cardholder’s name, and bank account number

B. CVV, primary account number, and the cardholder’s name

C. Primary account number, the cardholder’s name, and the expiration date

D. Bank account number, the cardholder’s name, and the expiration date

260 / 260

Which command can you use to change the default PowerShell execution policy that blocks the running of PowerShell scripts?

A. set-pol ./allsigned

B. set-pol IntenetSigned

C. Set-ExecutionPolicy RemoteSigned

D. Change-Policysigned hello.ps1

Your score is

Dowload the FREE OFFLINE Version of this Test Bank

Boost your cybersecurity skills! Click to download the CompTIA CySA+ Anki deck.

Enhance Your Cyber Security Skills with Our Free CompTIA CySA+ (CS0-003) Domain 1: Security Operations Practice Test!

Are you preparing for a career transition into IT or aiming to enhance your IT skills? Our free CompTIA CySA+ (CS0-003) Domain 1: Security Operations practice test is here to help you succeed. This test mirrors the actual exam format, boosting your confidence and readiness.

Key Features

Realistic Exam Simulation:

Experience the actual CompTIA CySA+ exam format, helping you get accustomed to the test environment.

Comprehensive Explanations:

Each question comes with detailed explanations, allowing you to learn from your mistakes and deepen your understanding.

Identify Weak Areas:

Pinpoint your weaknesses and focus your study efforts where they are needed most.

Completely Free:

Access our high-quality practice test at no cost and start preparing for your CompTIA CySA+ certification today.

Why Choose Our Practice Test?

Expertly Crafted:

Created by industry professionals with extensive experience in cybersecurity.

Career Advancement:

Passing the CompTIA CySA+ certification can open doors to new job opportunities in the IT field.

Convenient and Accessible:

No registration required. Take the test online anytime, anywhere.

Free Anki Deck Download

Download our free Anki Deck, reviewed by industry expert Josh Madakor, who has extensive experience in IT and cybersecurity, including work with Microsoft and government sectors. Learn more about Anki on the official site.

Prepare yourself for the CompTIA CySA+ (CS0-003) certification exam by mastering Security Operations. Ideal for those looking to enhance their cybersecurity skills, achieve certification, and advance their careers in IT. For more information, visit the CompTIA CySA+ official site.

Don’t wait—start mastering Domain 1: Security Operations for the CompTIA CySA+ (CS0-003) exam today with our free practice test!

CompTIA CySA+ (CS0-003) – Domain 1 – Security Operations

Dowload the FREE OFFLINE Version of this Test Bank

Enhance Your Cyber Security Skills with Our Free CompTIA CySA+ (CS0-003) Domain 1: Security Operations Practice Test!

Key Features

Why Choose Our Practice Test?

Free Anki Deck Download

Explore our other free practice tests:

Related Posts

The Affordable, Hands-On Josh Madakor IT Course that gets Results!

The Affordable, Hands-On Cyber Security that gets Results!

JOIN OUR

NEWSLETTER