36. Olivia's security team has identified potential malicious code that has been uploaded to a webserver. If she wants to review the code without running it, what technique should she use?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis

37. Olivia's next task is to test the code for a new mobile application. She needs to test it by executing the code and intends to provide the application with input based on testing scenarios created by the development team as part of their design work. What type of testing will Olivia conduct?
A. Dynamic analysis
B. Fagan analysis
C. Regression analysis
D. Static analysis

38. After completing the first round of tests for her organization's mobile application, Olivia has discovered indications that the application may not handle unexpected data well. What type of testing should she conduct if she wants to test it using an automated tool that will check for this issue?
A. Fault injection
B. Fagan testing
C. Fuzzing
D. Failure injection

39. Which one of the following characters would not signal a potential security issue during the validation of user input to a web application?
A. <
B. `
C. >
D. $

40. The Open Web Application Security Project (OWASP) maintains a listing of the most important web application security controls. Which one of these items is least likely to appear on that list?
A. Implement identity and authentication controls
B. Implement appropriate access controls
C. Obscure web interface locations
D. Leverage security frameworks and libraries

41. Kyle is developing a web application that uses a database backend. He is concerned about the possibility of an SQL injection attack against his application and is consulting the OWASP proactive security controls list to identify appropriate controls. Which one of the following OWASP controls is least likely to prevent a SQL injection attack?
A. Parameterize queries
B. Validate all input
C. Encode data
D. Implement logging and intrusion detection

42. Jill's organization has adopted an asset management tool. If she wants to identify systems on the network based on a unique identifier per machine that will not normally change over time, which of the following options can she use for network-based discovery?
A. IP address
B. Hostname
C. MAC address
D. None of the above

43. Barcodes and RFID tags are both frequently used for what asset management practice?
A. Asset disposition
B. Asset tagging
C. Asset acquisition
D. Asset lifespan estimation

44. What type of secure boot process is shown in the following image?
A. Remote attestation
B. Measured boot
C. Logged loader
D. UEFI

45. Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization's buildings. What type of segmentation should he implement to do so without adding additional costs and complexity?
A. SSID segmentation
B. Logical segmentation
C. Physical segmentation
D. WPA segmentation

46. Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design?
A. VLAN hopping
B. 802.1q trunking vulnerabilities
C. Compromise of the underlying VMware host
D. BGP route spoofing

47. What major issue would Charles face if he relied on hashing malware packages to identify malware packages?
A. Hashing can be spoofed.
B. Collisions can result in false positives.
C. Hashing cannot identify unknown malware.
D. Hashing relies on unencrypted malware samples.

48. Noriko wants to ensure that attackers cannot access his organization's building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen?
A. Air gap
B. VLANs
C. Network firewalls
D. Host firewalls
49. What type of network device is most commonly used to connect two or more networks to forward traffic between them?
A. A switch
B. A firewall
C. A router
D. An IPS

Use the following scenario for questions 50–53.

Angela is a security practitioner at a mid-sized company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing their security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.
50. Angela's company has relied on passwords as their authentication factor for years. The current organizational standard is to require an eight-character, complex password, and to require a password change every 12 months. What recommendation should Angela make to significantly decrease the likelihood of a similar phishing attack and breach in the future?
A. Increase the password length.
B. Shorten the password lifespan.
C. Deploy multifactor authentication.
D. Add a PIN to all logins.

51. Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?
A. Location and knowledge
B. Knowledge and possession
C. Knowledge and biometric
D. Knowledge and location

52. As part of the investigation after the breach, Angela's team noticed that some staff were using organizational resources after hours when they weren't supposed to be logged in. What type of authentication model could she deploy to use information about an employee's role and work hours to manage when they can be logged in?
A. Location factors
B. Biometric factors
C. Context-based authentication
D. Multifactor authentication

53. Angela's multifactor deployment includes the ability to use text (SMS) messages to send the second factor for authentication. What issues should she point to?
A. VoIP hacks and SIM swapping
B. SMS messages are logged on the recipient's phones
C. PIN hacks and SIM swapping
D. VoIP hacks and PIN hacks

54. Keith needs to manage digital keys, and he wants to implement a hardware security module in his organization. What U.S. government standard are hardware security modules often certified against?
A. PCI-DSS
B. HSM-2015
C. FIPS 140-2
D. CA-Check

55. What purpose does the OpenFlow protocol serve in software-defined networks?
A. It captures flow logs from devices.
B. It allows software-defined network controllers to push changes to devices to manage the network.
C. It sends flow logs to flow controllers.
D. It allows devices to push changes to SDN controllers to manage the network.

56. What type of access control system relies on the operating system to control the ability of subjects to perform actions on objects through a set of policies controlled by a policy administrator?
A. RBAC
B. MAC
C. DAC
D. ABAC

57. What term is used to describe an isolated pool of cloud resources for a specific organization or user allocated inside of a public cloud environment?
A. VPN
B. VPC
C. CDA
D. CCA

58. Rick's security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?
A. A tarpit
B. A honeypot
C. A honeynet
D. A blackhole

59. Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?
A. Horizontal scaling
B. API keys
C. Setting a cap on API invocations for a given timeframe
D. Using timeouts

60. What is the purpose of change management in an organization?
A. Ensuring changes are scheduled
B. Ensuring changes are documented
C. Ensuring that only approved changes are made
D. All of the above

61. What is the key difference between virtualization and containerization?
A. Virtualization gives operating systems direct access to the hardware, whereas containerization does not allow applications to directly access the hardware.
B. Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.
C. Virtualization is necessary for containerization, but containerization is not necessary for virtualization.
D. There is not a key difference; they are elements of the same technology.

62. Which software development methodology is illustrated in the diagram?
A. Spiral
B. RAD
C. Agile
D. Waterfall