298. Which one of the following types of data is subject to regulations in the United States that specify the minimum frequency of vulnerability scanning?
  A. Driver's license numbers
  B. Insurance records
  C. Credit card data
  D. Medical records

299. Chang is responsible for managing his organization's vulnerability scanning program. He is experiencing issues with scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which one of the following solutions is least likely to resolve Chang's issue?
  A. Add a new scanner.
  B. Reduce the scope of the scans.
  C. Reduce the sensitivity of the scans.
  D. Reduce the frequency of the scans.

300. Trevor is working with an application team on the remediation of a critical SQL injection vulnerability in a public-facing service. The team is concerned that deploying the fix will require several hours of downtime and that will block customer transactions from completing. What is the most reasonable course of action for Trevor to suggest?
  A. Wait until the next scheduled maintenance window.
  B. Demand that the vulnerability be remediated immediately.
  C. Schedule an emergency maintenance for an off-peak time later in the day.
  D. Convene a working group to assess the situation.
301. While conducting a vulnerability scan of her organization's datacenter, Annika discovers that the management interface for the organization's virtualization platform is exposed to the scanner. In typical operating circumstances, what is the proper exposure for this interface?
  A. Internet
  B. Internal networks
  C. No exposure
  D. Management network
302. Bhanu is scheduling vulnerability scans for her organization's datacenter. Which one of the following is a best practice that Bhanu should follow when scheduling scans?
  A. Schedule scans so that they are spread evenly throughout the day.
  B. Schedule scans so that they run during periods of low activity.
  C. Schedule scans so that they all begin at the same time.
  D. Schedule scans so that they run during periods of peak activity to simulate performance under load.

303. Kevin is concerned that an employee of his organization might fall victim to a phishing attack and wishes to redesign his social engineering awareness program. What type of threat is he most directly addressing?
  A. Nation-state
  B. Hacktivist
  C. Unintentional insider
  D. Intentional insider

304. Alan recently reviewed a vulnerability report and determined that an insecure direct object reference vulnerability existed on the system. He implemented a remediation to correct the vulnerability. After doing so, he verifies that his actions correctly mitigated the vulnerability. What term best describes the initial vulnerability report?
  A. True positive
  B. True negative
  C. False positive
  D. False negative

305. Gwen is reviewing a vulnerability report and discovers that an internal system contains a serious flaw. After reviewing the issue with her manager, they decide that the system is sufficiently isolated and they will take no further action. What risk management strategy are they adopting?
  A. Risk avoidance
  B. Risk mitigation
  C. Risk transference
  D. Risk acceptance

306. Thomas discovers a vulnerability in a web application that is part of a proprietary system developed by a third-party vendor, and he does not have access to the source code. Which one of the following actions can he take to mitigate the vulnerability without involving the vendor?
  A. Apply a patch
  B. Update the source code
  C. Deploy a web application firewall
  D. Conduct dynamic testing

307. Kira is using the aircrack-ng tool to perform an assessment of her organization's security. She ran a scan and is now reviewing the results. Which one of the following issues is she most likely to detect with this tool?
  A. Insecure WPA key
  B. SQL injection vulnerability
  C. Cross-site scripting vulnerability
  D. Man-in-the-middle attack

308. Walt is designing his organization's vulnerability management program and is working to identify potential inhibitors to vulnerability remediation. He has heard concern from functional leaders that remediating vulnerabilities will impact the ability of a new system to fulfill user requests. Which one of the following inhibitors does not apply to this situation?
  A. Degrading functionality
  B. Organizational governance
  C. Legacy systems
  D. Business process interruption
Chapter 2 Domain 2.0: Software and Systems Security
EXAM OBJECTIVES COVERED IN THIS CHAPTER:
2.1 Given a scenario, apply security solutions for infrastructure management.
  - Cloud vs. on-premises
  - Asset management
  - Segmentation
  - Network architecture
  - Change management
  - Virtualization
  - Containerization
  - Identity and access management
  - Cloud access security broker (CASB)
  - Honeypot
  - Monitoring and logging
  - Encryption
  - Certificate management
  - Active defense

2.2 Explain software assurance best practices.
  - Platforms
  - Software development lifecycle (SDLC) integration
  - DevSecOps
  - Software assessment methods
  - Secure coding best practices
  - Static analysis tools
  - Dynamic analysis tools
  - Formal methods for verification of critical software
  - Service-oriented architecture

2.3 Explain hardware assurance best practices.
  - Hardware root of trust
  - eFuse
  - Unified Extensible Firmware Interface (UEFI)
  - Trusted Foundry
  - Secure processing
  - Anti-tamper
  - Self-encrypting drive
  - Trusted firmware updates
  - Measured boot and attestation
  - Bus encryption
1. What purpose does a honeypot system serve when placed on a network as shown in the following diagram?
  A. It prevents attackers from targeting production servers.
  B. It provides information about the techniques attackers are using.
  C. It slows down attackers like sticky honey.
  D. It provides real-time input to IDSs and IPSs.

2. A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique?
  A. A passive defense
  B. A sticky defense
  C. An active defense
  D. A reaction-based defense

3. As part of a government acquisitions program for the U.S. Department of Defense, Sean is required to ensure that the chips and other hardware-level components used in the switches, routers, and servers that he purchases do not include malware or other potential attack vectors. What type of supplier should Sean seek out?
  A. A TPM
  B. An OEM provider
  C. A trusted foundry
  D. A gray-market provider

4. Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?
  A. Sandboxing
  B. Implementing a honeypot
  C. Decompiling and analyzing the application code
  D. Fagan testing
5. Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message?

    root@demo:~# md5sum -c demo.md5
    demo.txt: FAILED
    md5sum: WARNING: 1 computed checksum did NOT match

  A. The file has been corrupted.
  B. Attackers have modified the file.
  C. The files do not match.
  D. The test failed and provided no answer.
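The result in question 5 is worth seeing from the inside. The following verifier is an added example, not code from the book: it parses checksum files in the coreutils `md5sum`/`sha256sum` format (`<hexdigest>  <name>`, or `<hexdigest> *<name>` for binary mode), recomputes each digest and reports OK or FAILED the way `md5sum -c` does. The `demo.txt` file and its contents are constructed for the demo, and the `demo()` helper that corrupts one byte and re-checks is ours. Note that a mismatch only tells you the bytes differ; whether that is a bad download or a tampered file, the checksum alone cannot say.

```python
"""Re-create and interpret the `md5sum -c` result (added example, not from the book)."""
import hashlib
import os
import tempfile

# Digest length in hex characters -> hashlib name, so one verifier handles
# md5sum, sha1sum and sha256sum files.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_checksum_file(text):
    """Parse '<hex>  <name>' / '<hex> *<name>' lines into (name, hexdigest) tuples.

    Blank lines and '#' comments are skipped; anything else malformed raises.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # md5sum writes ' *' in front of binary-mode names
        if not digest or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries.append((name, digest.lower()))
    return entries


def digest_file(path, algo):
    """Stream the file through hashlib so large downloads do not load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(checksum_text, base_dir):
    """Return ({name: 'OK' | 'FAILED' | 'MISSING'}, number_of_mismatches)."""
    results, mismatches = {}, 0
    for name, expected in parse_checksum_file(checksum_text):
        algo = _ALGO_BY_HEX_LEN.get(len(expected))
        if algo is None:
            raise ValueError(f"unrecognised digest length for {name}")
        path = os.path.join(base_dir, name)
        if not os.path.exists(path):
            results[name], mismatches = "MISSING", mismatches + 1
        elif digest_file(path, algo) == expected:
            results[name] = "OK"
        else:
            results[name], mismatches = "FAILED", mismatches + 1
    return results, mismatches


def warning_line(mismatches):
    """The summary line md5sum prints when something did not match."""
    noun = "checksum" if mismatches == 1 else "checksums"
    return f"WARNING: {mismatches} computed {noun} did NOT match"


def demo():
    """Write demo.txt, record its MD5, then flip one byte and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "demo.txt")
        with open(path, "wb") as f:
            f.write(b"security tool release 1.0\n")  # constructed content
        checksum_text = f"{digest_file(path, 'md5')}  demo.txt\n"  # what demo.md5 holds
        before, _ = verify(checksum_text, d)
        # One changed byte: a corrupted download and a tampered file are
        # indistinguishable here. Only a signature over demo.md5 (e.g. a
        # vendor PGP signature) would let Manesh tell the two apart.
        with open(path, "r+b") as f:
            f.write(b"S")
        after, n_bad = verify(checksum_text, d)
    return before["demo.txt"], after["demo.txt"], n_bad


if __name__ == "__main__":
    ok, failed, n = demo()
    print(f"demo.txt: {ok}  ->  demo.txt: {failed}")
    print("md5sum: " + warning_line(n))
```

The verifier deliberately treats a missing file as a mismatch: `md5sum -c` reports it separately, but for release verification "not checked" should never count as "passed".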
6. Tracy is designing a cloud infrastructure for her company and wants to generate and store encryption keys in a secure way. What type of technology should she look for as part of her infrastructure as a service vendor's portfolio?
  A. TPM
  B. HSM
  C. UEFI
  D. VPC

7. Aziz needs to provide SSH access to systems behind his datacenter firewall. If Aziz's organization uses the system architecture shown here, what is the system at point A called?
  A. A firewall-hopper
  B. An isolated system
  C. A moat-protected host
  D. A jump box

8. Charles wants to provide additional security for his web application, which currently stores passwords in plaintext in a database. Which of the following options will best prevent theft of the database resulting in exposed passwords?
  A. Encrypt the database of plaintext passwords
  B. Use MD5 and a salt
  C. Use SHA-1 and a salt
  D. Use bcrypt
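Question 8 turns on why a salt alone is not enough. The code below is an added example, not from the book. bcrypt lives in a third-party package, so it uses `hashlib.scrypt` from the standard library as a stand-in; like bcrypt it is salted, deliberately slow and tunable through a cost parameter, which is the property that separates option D from options B and C. The work factors, the stored-record layout (`scrypt$n$r$p$salt$hash`) and the sample users are assumptions made for the demo.

```python
"""Salted fast hash vs. adaptive password hash (added example, not from the book)."""
import hashlib
import hmac
import os

# scrypt work factors: assumed demo values (128 * n * r = 16 MiB per hash).
# On a real system raise n over time, just as bcrypt's cost is raised.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def md5_salted(password, salt):
    """Option B, 'MD5 and a salt'.

    The salt defeats precomputed tables, but one MD5 call is so cheap that an
    attacker holding the stolen table can still test billions of guesses per
    second per GPU. SHA-1 (option C) has the same problem.
    """
    return hashlib.md5(salt + password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Return a self-describing record 'scrypt$n$r$p$salt_hex$hash_hex'.

    Storing the parameters next to the hash lets you raise the cost later and
    transparently re-hash each user at their next successful login.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password, record):
    """Recompute with the parameters stored in the record; compare in constant time."""
    scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme: " + scheme)
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(key.hex(), hash_hex)


def needs_rehash(record):
    """True when a stored record uses weaker parameters than the current policy."""
    _, n, r, p, _, _ = record.split("$")
    return (int(n), int(r), int(p)) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def migrate_user_table(plaintext_users):
    """What Charles's table looks like after the migration (constructed sample users)."""
    return {name: hash_password(pw) for name, pw in plaintext_users.items()}


if __name__ == "__main__":
    table = migrate_user_table({"alice": "correct horse battery staple"})
    print(table["alice"])
    print(verify_password("correct horse battery staple", table["alice"]))
```

Two details matter in practice: the comparison in `verify_password` is constant time so a login endpoint does not leak how many leading bytes of the hash matched, and `needs_rehash` is how a deployment keeps pace with hardware without ever asking users for their passwords twice.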
9. What type of protected boot process is illustrated in the following diagram?
  A. Measured boot
  B. TPM
  C. Remote attestation
  D. Signed BIOS

10. An access control system that relies on the operating system to constrain the ability of a subject to perform operations is an example of what type of access control system?
  A. A discretionary access control system
  B. A role-based access control system
  C. A mandatory access control system
  D. A level-based access control system
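For question 9 (and objective 2.3's "measured boot and attestation"), the arithmetic behind the diagram is short enough to show in full. The following is an added example, not from the book: each boot stage hashes the next component and extends a Platform Configuration Register as PCR = SHA-256(PCR || measurement). A PCR cannot be written, only extended, so the final value depends on every component and on their order; the verifier in remote attestation replays the event log and compares the result with the quoted PCR and a known-good value. The component blobs, the single-PCR model and the `attest()` policy are simplifications assumed for the demo.

```python
"""Measured boot and attestation in miniature (added example, not from the book)."""
import hashlib

PCR_INIT = bytes(32)  # a SHA-256 PCR starts as all zeros at power-on

# Constructed stand-ins for the real firmware, bootloader and kernel images.
GOOD_CHAIN = [
    ("firmware", b"UEFI fw v1.2"),
    ("bootloader", b"shim+grub"),
    ("kernel", b"vmlinuz-5.15"),
]


def measure(component):
    """Hash the component before handing control to it."""
    return hashlib.sha256(component).digest()


def extend(pcr, measurement):
    """TPM2_PCR_Extend: the only operation allowed on a PCR after reset."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(components):
    """Extend one PCR with each component in order; return (final PCR, event log)."""
    pcr, log = PCR_INIT, []
    for name, blob in components:
        m = measure(blob)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))  # the TCG event log the OS later exposes
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = PCR_INIT
    for _, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def attest(quoted_pcr, log, golden_pcr):
    """Accept the platform only if the log explains the (TPM-signed) quote
    and the quote equals the expected golden value."""
    return replay_log(log) == quoted_pcr and quoted_pcr == golden_pcr


if __name__ == "__main__":
    golden, good_log = measured_boot(GOOD_CHAIN)
    tampered = [GOOD_CHAIN[0], ("bootloader", b"shim+grub+bootkit"), GOOD_CHAIN[2]]
    quoted, bad_log = measured_boot(tampered)
    print("golden PCR :", golden.hex())
    print("quoted PCR :", quoted.hex())
    print("attested   :", attest(quoted, bad_log, golden))
```

The two failure modes worth noticing: a modified bootloader changes every subsequent PCR value even though the kernel is unchanged, and an attacker who controls the OS can forge the event log but not the PCR, so a log that "explains" the golden value still fails when it does not replay to what the TPM actually quoted. Measured boot on its own records and reports; it only prevents the machine from doing anything (unsealing a disk key, joining the network) when a policy like `attest()` acts on the result.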