146. What can Brandon do to create a hardware-based basis for trusted computing?
A. Only use in-house computing rather than cloud computing.
B. Use a hardware root of trust like a TPM module and Secure Boot methods.
C. Manually inspect hardware periodically to ensure that no keyloggers or other unexpected hardware is in place.
D. Only use signed drivers.
147. Brandon needs to deploy containers with different purposes, data sensitivity levels, and threat postures to his container environment. How should he group them?
A. Segment containers by purpose
B. Segment containers by data sensitivity
C. Segment containers by threat model
D. All of the above
148. What issues should Brandon consider before choosing to use the vulnerability management tools he has in his non-container-based security environment?
A. Vulnerability management tools may make assumptions about host durability.
B. Vulnerability management tools may make assumptions about update mechanisms and frequencies.
C. Both A and B
D. Neither A nor B
149. Timing information, power consumption monitoring, electromagnetic emanation monitoring, and acoustic monitoring are all examples of what type of attack against SoCs, embedded systems, and other platforms?
A. Trusted foundry attacks
B. Side-channel attacks
C. Primary channel attacks
D. Untrusted foundry attacks
150. What key functionality do enterprise privileged account management tools provide?
A. Password creation
B. Access control to individual systems
C. Entitlement management across multiple systems
D. Account expiration tools
151. Amira wants to deploy an open standard–based single sign-on (SSO) tool that supports both authentication and authorization. What open standard should she look for if she wants to federate with a broad variety of identity providers and service providers?
A. LDAP
B. SAML
C. OAuth
D. OpenID Connect
152. Nathaniel wants to use an access control system that takes into account information about resources like the resource owner, filename, and data sensitivity. What type of access control system should he use?
A. ABAC
B. DAC
C. MAC
D. RBAC
153. What secure processing technique requires an operation to be complete before the memory locations it is accessing or writing to can be used by another process?
A. Trusted execution
B. Atomic execution
C. Anti-tamper
D. Bus encryption
154. Betty wants to review the security logs on her Windows workstation. What tool should she use to do this?
A. Secpol.msc
B. Event Viewer
C. Log Viewer
D. Logview.msc
155. What type of attack is the use of query parameterization intended to prevent?
A. Buffer overflows
B. Cross-site scripting
C. SQL injection
D. Denial-of-service attacks
156. Isaac is configuring syslog on a Linux system and wants to send the logs in a way that will ensure that they are received. What protocol should he specify to do so?
A. UDP
B. HTTP
C. HTTPS
D. TCP
157. Bob wants to deploy a VPN technology with granular access controls for applications that are enforced at the gateway. Which VPN technology is best suited to this requirement?
A. IKE VPNs
B. TLS VPNs
C. X.509 VPNs
D. IPsec VPNs
158. What type of attack is output encoding typically used against?
A. DoS
B. XSS
C. XML
D. DDoS
159. Alaina wants to identify only severe kernel issues on a Linux system, and she knows that log levels for the kernel range from level 0 to level 7. Which of the following levels is the most severe?
A. Level 1, KERN_ALERT
B. Level 2, KERN_CRIT
C. Level 4, KERN_WARNING
D. Level 7, KERN_DEBUG

Use the following scenario for questions 160–162.

Scott has been asked to select a software development model for his organization and knows that there are a number of models that may make sense for what he has been asked to accomplish. Use your knowledge of SDLC models to identify an appropriate model for each of the following requirements.
160. Scott's organization needs basic functionality of the effort to become available as soon as possible and wants to involve the teams that will use it heavily to ensure that their needs are met. What model should Scott recommend?
A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development
161. A parallel coding effort needs to occur; however, this effort involves a very complex system, and errors could endanger human lives. The system involves medical records and drug dosages, and the organization values stability and accuracy over speed. Scott knows the organization often adds design constraints throughout the process and that the model he selects must also deal with that need. What model should he choose?
A. Waterfall
B. Spiral
C. Agile
D. Rapid Application Development
162. At the end of his development cycle, what SDLC phase will Scott enter as the new application is installed and replaces the old code?
A. User acceptance testing
B. Testing and integration
C. Disposition
D. Redesign
163. Sofía wants to ensure that the ICs in the new device that her commercial consumer products company is releasing cannot be easily reverse engineered. Which technique is not an appropriate means of meeting her requirement?
A. Use a trusted foundry.
B. Encase the IC in epoxy.
C. Design the chip to zeroize sensitive data if its security encapsulation fails.
D. Design the chip to handle out-of-spec voltages and clock signals.
164. Charles is reviewing the certificate properties for the certificate for www.comptia.org and notices that the DNS name reads

DNS name = *.comptia.org
DNS name = comptia.org

What type of certificate is in use?
A. A multidomain certificate
B. A wildcard certificate
C. A mismatched certificate
D. An invalid certificate
165. Alaina wants to implement a modern service-oriented architecture (SOA) that relies on HTTP-based commands, works well in limited-bandwidth environments, and can handle multiple data formats beyond XML. What should she build her SOA in?
A. SOAP
B. Waterfall
C. REST
D. CAVE
166. The OWASP Session Management Cheatsheet advises that session IDs are meaningless and recommends that they should be used only as an identifier on the client side. Why should a session ID not have additional information encoded in it, like the IP address of the client, their username, or other information?
A. Processing complex session IDs will slow down the service.
B. Session IDs cannot contain this information for legal reasons.
C. Session IDs are sent to multiple different users, which would result in a data breach.
D. Session IDs could be decoded, resulting in data leakage.
167. Nia's honeynet shown here is configured to use a segment of unused network space that has no legitimate servers in it. What type of threat is this design particularly useful for detecting?
A. Zero-day attacks
B. SQL injection
C. Network scans
D. DDoS attacks
168. Bounds checking, removing special characters, and forcing strings to match a limited set of options are all examples of what web application security technique?
A. SQL injection prevention
B. Input validation
C. XSS prevention
D. Fuzzing
169. Abigail is performing input validation against an input field and uses the following regular expression:

^(AA|AE|AP|AL|AK|AS|AZ|AR|CA|CO|CT|DE|DC|FM|FL|GA|GU|HI|ID|IL|IN|IA|KS|KY|LA|ME|MH|MD|MA|MI|MN|MS|MO|MT|NE|NV|NH|NJ|NM|NY|NC|ND|MP|OH|OK|OR|PW|PA|PR|RI|SC|SD|TN|TX|UT|VT|VI|VA|WA|WV|WI|WY)$

What is she checking with the regular expression?
A. She is removing all typical special characters found in SQL injection.
B. She is checking for all U.S. state names.
C. She is removing all typical special characters for cross-site scripting attacks.
D. She is checking for all U.S. state name abbreviations.
170. Adam is testing code written for a client-server application that handles financial information and notes that traffic is sent between the client and server via TCP port 80. What should he check next?
A. If the server stores data in unencrypted form
B. If the traffic is unencrypted
C. If the systems are on the same network
D. If usernames and passwords are sent as part of the traffic
171. Nick wants to prevent unauthorized firmware from being installed on devices that his organization manufactures. What technique should he use to provide an effective security layer?
A. Encrypted firmware
B. Signed firmware
C. Binary firmware
D. None of the above
172. A web server and a web browser are examples of what type of platform?
A. Embedded
B. Firmware
C. Client-server
D. SOC