1) Laura needs to check on CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these?
a) Resource Monitor
b) System Monitor
c) Activity Monitor
d) Sysradar

2) Nara is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?
[figure: c01uf022.png]
a) Login failures
b) User IDs from logins
c) Successful logins
d) Times from logins

3) Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created?
a) Dynamic analysis
b) Anomaly analysis
c) Static analysis
d) Behavioral analysis

4) Singh is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image?
[figure: c01uf023.png]
a) Memory resources are available.
b) Memory resources are available but being tasked by memory management processes.
c) Memory resources are in danger, and applications will be terminated to free up memory.
d) Memory resources are depleted, and the disk has begun to swap.

5) Saanvi needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly?
a) Monitor traffic by running Wireshark or tcpdump on the system.
b) Configure a unique event ID and send it.
c) Monitor traffic by running Wireshark or tcpdump on the SIEM device.
d) Generate a known event ID and monitor for it.

6) Maria wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Maria performed?
a) Manual code reversing
b) Interactive behavior analysis
c) Static property analysis
d) Dynamic code analysis

7) Alyssa is analyzing a piece of malicious code that has arrived in her organization and finds that it is an executable file. She uses specialized tools to retrieve the source code from the executable files. What type of action is she taking?
a) Sandboxing
b) Reverse engineering
c) Fingerprinting
d) Darknet analysis

8) A major new botnet infection that uses a peer-to-peer command-and-control process has been released. Latisha wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems?
a) Build an IPS rule to detect all peer-to-peer communications that match the botnet's installer signature.
b) Use beaconing detection scripts focused on the command-and-control systems.
c) Capture network flows for all hosts and use filters to remove normal traffic types.
d) Immediately build a network traffic baseline and analyze it for anomalies.

9) While investigating a compromise, Jack discovers four files that he does not recognize and believes may be malware. What can he do to quickly and effectively check the files to see whether they are malware?
a) Submit them to a site like VirusTotal.
b) Open them using a static analysis tool.
c) Run strings against each file to identify common malware identifiers.
d) Run a local antivirus or antimalware tool against them.

10) Brian's network suddenly stops working at 8:40 a.m., interrupting videoconferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his PRTG console and checks his router's traffic via the primary connection's redundant network link, he sees the following graph. What should Brian presume occurred based on this information?
[figure: c01uf024.png]
a) The network failed and is running in cached mode.
b) There was a link card failure, and the card recovered.
c) His primary link went down, and he should check his secondary link for traffic.
d) PRTG stopped receiving flow information and needs to be restarted.

11) Adam works for a large university and sees the following graph in his PRTG console when looking at a yearlong view. What behavioral analysis could he leverage based on this pattern?
[figure: c01uf025.png]
a) Identify unexpected traffic during breaks like the low point at Christmas.
b) He can determine why major traffic drops happen on weekends.
c) He can identify top talkers.
d) Adam cannot make any behavioral determinations based on this chart.

12) Samantha is preparing a report describing the common attack models used by advanced persistent threat actors. Which of the following is a typical characteristic of APT attacks?
a) They involve sophisticated DDoS attacks.
b) They quietly gather information from compromised systems.
c) They rely on worms to spread.
d) They use encryption to hold data hostage.

13) While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100 percent processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next?
a) Review the sites visited by the web browser when the CPU utilization issues occur.
b) Check the browser binary against a known good version.
c) Reinstall the browser.
d) Disable TLS.

14) Barb wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively?
a) A log analysis tool
b) A behavior-based analysis tool
c) A signature-based detection tool
d) Manual analysis

15) Greg suspects that an attacker is running an SSH server on his network over a nonstandard port. What port is normally used for SSH communications?
a) 21
b) 22
c) 443
d) 444

16) Amanda is reviewing the security of a system that was previously compromised. She is searching for signs that the attacker has achieved persistence on the system. Which one of the following should be her highest priority to review?
a) Scheduled tasks
b) Network traffic
c) Running processes
d) Application logs

17) Brendan is reviewing a series of syslog entries and notices several with different logging levels. Which one of the following messages should he review first?
a) Level 0
b) Level 1
c) Level 5
d) Level 7

18) You are looking for operating system configuration files that are stored on a Linux system. Which one of the following directories is most likely to contain those files?
a) /bin
b) /
c) /etc
d) /dev

19) Which one of the following is not a standard Windows system process?
a) SERVICES.EXE
b) MALWARESCAN.EXE
c) WINLOGIN.EXE
d) LSASS.EXE

20) Which one of the following computer hardware components is responsible for executing instructions found in code?
a) RAM
b) CPU
c) SSD
d) HDD

21) You are deciding where to place a web server in an on-premises network architecture. The server will be accessible by the general public. Which one of the following network zones would be the most appropriate?
a) Intranet subnet
b) Internet subnet
c) Screened subnet
d) Database subnet

22) Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthew's company. What cloud deployment model is being used?
a) Hybrid cloud
b) Public cloud
c) Private cloud
d) Community cloud

23) In a zero-trust network architecture, what criteria is used to make trust decisions?
a) Identity of a user or device
b) IP address
c) Network segment
d) VLAN membership

24) Lynn's organization is moving toward a secure access service edge (SASE) approach to security. Which one of the following technologies is least likely to be included in a SASE architecture?
a) NGFW
b) CASB
c) Hypervisor
d) WAN

25) Which one of the following technologies would not commonly be used as part of a passwordless authentication approach?
a) Shadow file
b) Windows Hello
c) Smartphone app
d) Biometrics

26) During their organization's incident response preparation, Manish and Linda are identifying critical information assets that the company uses. Included in their organizational data sets is a list of customer names, addresses, phone numbers, and demographic information. How should Manish and Linda classify this information?
a) PII
b) Intellectual property
c) PHI
d) PCI DSS

27) Randy received a complaint from an end user that links from a legitimate site are being removed from email messages. After examining several of those links, he notes that they all have a common domain: http://bit.ly/3.H9CaOv, http://bit.ly/3.VswDqG, http://bit.ly/3.XLwMXT. What is the reason these links were blocked?
a) This is a malicious domain.
b) This is a URL redirection domain.
c) This is obscene content.
d) This is a false positive.

28) Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?
a) Sandboxing
b) Reverse engineering
c) Malware disassembly
d) Darknet analysis

29) Which one of the following attackers generally only uses code written by others with minor modifications?
a) Nation-state actor
b) Hacktivist
c) Script kiddie
d) Insider

30) Tanya is creating an open-source intelligence operation for her organization. Which one of the following sources would she be least likely to use in this work?
a) Web server logs
b) Dark websites
c) Government bulletins
d) Social media

31) What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
a) DHS
b) SANS
c) CERTS
d) ISACs

32) Which one of the following teams is least likely to be the recipient of threat intelligence data?
a) Incident response
b) Vulnerability management
c) Risk management
d) Human resources

33) The ATT&CK framework defines which of the following as "the specifics behind how the adversary would attack the target"?
a) The threat actor
b) The targeting method
c) The attack vector
d) The organizational weakness

34) Kevin is trying to identify security processes that may be suitable for automation. Which one of the following characteristics best identifies those processes?
a) Human interaction required
b) Repeatable
c) High criticality
d) Low sensitivity

35) Brian is selecting a CASB for his organization, and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs?
a) Inline CASB
b) Outsider CASB
c) Comprehensive CASB
d) API-based CASB

36) Sherry is deploying a zero-trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?
a) User identity
b) IP address
c) Geolocation
d) Nature of requested access

37) Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?
a) OpenID Connect
b) SAML
c) RADIUS
d) Kerberos

38) Which lookup tool provides information about a domain's registrar and physical location?
a) nslookup
b) host
c) WHOIS
d) traceroute

39) Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?
a) Vulnerability feed
b) IoC
c) TTP
d) RFC

40) A PIN is an example of what type of authentication factor?
a) Something you know
b) Something you are
c) Something you have
d) Something you set

41) Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datacenter but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?
a) Public cloud
b) Dedicated cloud
c) Private cloud
d) Hybrid cloud

42) What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention?
a) Trojan horse
b) Virus
c) Logic bomb
d) Worm

43) Which of the following threat actors typically has the greatest access to resources?
a) Nation-state actors
b) Organized crime
c) Hacktivists
d) Insider threats

44) Which one of the following information sources would not be considered an OSINT source?
a) DNS lookup
b) Search engine research
c) Port scans
d) WHOIS queries

45) Gabby's organization captures sensitive customer information, and salespeople and others often work with that data on local workstations and laptops. After a recent inadvertent breach where a salesperson accidentally sent a spreadsheet of customer information to another customer, her organization is seeking a technology solution that can help prevent similar problems. What should Gabby recommend?
a) IDS
b) FSB
c) DLP
d) FDE

46) Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?
a) Service access
b) Unauthorized access
c) User access
d) Privileged access

47) When Lucca wants to test a potentially malicious file, he uploads it to a third-party website. That website places the software in a secured testing environment, documents what it does, and then uses antimalware tools to try to identify it. What is that type of secure testing environment called?
a) A software jail
b) A sandbox
c) A litterbox
d) A root dungeon

48) Valerie's organization recently fell victim to a scam where an attacker emailed various staff members from an account that appeared to belong to a senior vice president in the organization. The email stated that the vice president was out of the office and needed iTunes gift cards to purchase an application that she needed to accomplish her work. The email asked that the individual immediately purchase an iTunes gift card and send it back via email so that the vice president could continue her work. Valerie wants to prevent this type of attack from succeeding in the future. What should she recommend as an appropriate preventative measure?
a) Require the organization to use digital signatures for all email.
b) Require the use of DKIM.
c) Require the use of SPF and DMARC.
d) Implement awareness training including simulated phishing attacks.

49) Which of the following measures is not commonly used to assess threat intelligence?
a) Timeliness
b) Detail
c) Accuracy
d) Relevance

50) Sara has been asked to explain to her organization how an endpoint detection and response (EDR) system could help the organization. Which of the following functions is not a typical function for an EDR system?
a) Endpoint data collection and central analysis
b) Automated responses to threats
c) Forensic analysis to help with threat response and detection
d) Cloud and network data collection and central analysis
CySA+ Chapter 1c
by Elakithelion