Mike Chapple - CompTIA CySA+ Practice Tests

63 What advantage does a virtual desktop infrastructure have when addressing data theft?No data is stored locally on the endpoint deviceBuilt-in DLPAll data is encrypted at restAll data is stored locally on the endpoint device

64 Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, Application group B has health information with different legal requirements for handling, and Application group C has business sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has?Run a single, highly secured container host with encryption for data at rest.Run a container host for each application group and secure them based on the data they contain.Run a container host for groups A and B, and a lower-security container host for group C.Run a container host for groups A and C, and a health information–specific container host for group B due to the health information it contains.

65 Local and domain administrator accounts, root accounts, and service accounts are all examples of what type of account?Monitored accountsPrivileged accountsRoot accountsUnprivileged accounts

66 Ned has discovered a key logger plugged into one of his workstations, and he believes that an attacker may have acquired usernames and passwords for all of the users of a shared workstation. Since he does not know how long the keylogger was in use or if it was used on multiple workstations, what is his best security option to prevent this and similar attacks from causing issues in the future?Multifactor authenticationPassword complexity rulesPassword lifespan rulesPrevent the use of USB devices

67 Facebook Connect, CAS, Shibboleth, and ADFS are all examples of what type of technology?Kerberos implementationsSingle sign-on implementationsFederation technologiesOAuth providers

68 Which of the following is not a common identity protocol for federation?SAMLOpenIDOAuthKerberos

69 Mei is designing her organization's datacenter network and wants to establish a secure zone and a DMZ. If Mei wants to ensure that user accounts and traffic that manage systems in the DMZ are easily auditable, and that all access can be logged while helping prevent negative impacts from compromised or infected workstations, which of the following solutions is Mei's best design option?Administrative virtual machines run on administrator workstationsA jump hostA bastion hostSSH or RDP from administrative workstations

70 The identity management system used by Greg's new employer provides rights based on his job as a system administrator. What type of access control system is this?RBACMACDACABAC

71 During a periodic audit of account privileges, Rhonda reviews the account rights in an Active Directory domain for every administrative user and removes any rights to directories or systems that should no longer be available to the administrative users. What type of review is this?Manual reviewIAM assessmentMandatory audit reviewDiscretional audit review

72 Naomi wants to enforce her organization's security policies on cloud service users. What technology is best suited to this?OAuthCASBOpenIDDMARC

73 Lucca wants to ensure that his Windows logs capture events for one month. What setting should he change in the settings to ensure this?Increase the size of the log file to 40480.Leave the log file as is.Change the setting to archive the log when full.Clear the log to start clean.

74 Elliott wants to encrypt data sent between his servers. What protocol is most commonly used for secure web communications over a network?TLSSSLIPSecPPTP

75 What occurs when a website's certificate expires?Web browsers will report an expired certificate to users.The website will no longer be accessible.The certificate will be revoked.All of the above.

76 What term is used to describe defenses that obfuscate the attack surface of an organization by deploying decoys and attractive targets to slow down or distract an attacker?An active defenseA honeyjarA bear trapAn interactive defense

77 The OWASP mobile application security checklist's cryptography requirements include a requirement that the application uses “proven implementations of cryptographic primitives.” What does this requirement mean, and why is it in the checklist?Only use basic cryptographic techniques to ensure that developers can understand themOnly use proven versions of cryptographic algorithms so that they will be secureOnly use in-house developed and tested cryptographic algorithms to avoid known vulnerabilitiesOnly use open source cryptographic techniques to ensure that their source code can be reviewed

78 Claire knows that a web application that her organization needs to have in production has vulnerabilities due to a recent scan using a web application security scanner. What is her best protection option if she knows that the vulnerability is a known SQL injection flaw?A firewallAn IDSA WAFDLPUse the following scenario to answer questions 79–81.Donna has been assigned as the security lead for a DevSecOps team building a new web application. As part of the effort, she has to oversee the security practices that the team will use to protect the application. Use your knowledge of secure coding practices to help Donna guide her team through this process.

79 A member of Donna's team recommends building a blacklist to avoid dangerous characters like ‘and tags. How could attackers bypass a blacklist that individually identified those characters?They can use a binary attack.They can use alternate encodings.They can use different characters with the same meaning.The characters could be used together to avoid the blacklist.

80 The design of the application calls for client-side validation of input. What type of tool could an attacker use to bypass this?An XSS injectorA web proxyA JSON interpreterA SQL injector

81 A member of Donna's security team suggests that output encoding should also be considered. What type of attack is the team member most likely attempting to prevent?Cross-site scriptingSQL injectionCross-site request forgeryAll of the above

82 What type of access control system uses information like age, title, organization ID, or security clearance to grant privileges?RBACMACDACABAC

83 Alex has deployed a new model of network connected Internet of Things (IoT) devices throughout his organization's facilities to track environmental data. The devices use a system on a chip (SOC) and Alex is concerned about potential attacks. What is the most likely exploit channel for SOCs in this environment?Physical attacksAttacks via an untrusted foundryAttacks against the operating system and softwareSide channel attacks

84 Nathan downloads a BIOS update from Dell's website, and when he attempts to install it on the PC, he receives an error that the hash of the BIOS does not match the hash stored on Dell's servers. What type of protection is this?Full-disk encryptionFirmware protectionOperating system protectionNone of the above

85 What practice is typical in a DevSecOps organization as part of a CI/CD pipeline?Automating some security gatesProgrammatic implementation of zero-day vulnerabilitiesUsing security practitioners to control the flow of the CI/CD pipelineRemoving security features from the IDE

86 Naomi wants to validate files that are uploaded as part of her web application. Which of the following is not a common technique to help prevent malicious file uploads or denial of service attacks?Using input validation to ensure only allowed file extensionsUploading all files to a third-party virus scanning platform like VirusTotalChecking the size of uploaded files against a maximum allowed file sizeChecking zip files for their structure and path before unzipping them

87 Valerie wants to prevent potential cross-site scripting attacks from being executed when previously entered information is displayed in user's browsers. What technique should she use to prevent this?A firewallA HIDSOutput encodingString randomization