173. Lara has been assigned to assess likely issues with an embedded system used for building automation and control. Which of the following software assurance issues is least likely to be of concern for her organization?
A. Lack of updates and difficulty deploying them
B. Long life cycle for the embedded devices
C. Assumptions of network security where deployed
D. Use of proprietary protocols

174. Lucca wants to prevent brute-force attacks from succeeding against a web application. Which of the following is not a commonly implemented solution to help reduce the effectiveness of brute-force attacks?
A. Multifactor authentication
B. Account lockouts
C. Password reuse
D. CAPTCHAs

175. Noam wants to ensure that he would know if the operating system, boot loader, and boot drivers of his PC were infected with malware. What type of boot process should he use to have it checked using a cryptographic hash?
A. Manual boot hash comparison
B. Secure Boot
C. TPM
D. bootsec

176. Jennifer uses an application to send randomized data to her application to determine how it responds to unexpected input. What type of tool is she using?
A. A UAT tool
B. A stress testing tool
C. A fuzzer
D. A regression testing tool
177. Isaac wants to securely handle passwords for his web application. Which of the following is not a common best practice for password storage?
A. Use a dedicated password hash like bcrypt.
B. Use a salt.
C. Store passwords in an encrypted form.
D. Set a reasonable work factor for your system.

178. Kristen wants to securely store passwords and knows that a modern password hashing algorithm is her best option. Which of the following should she choose?
A. SHA-256
B. bcrypt
C. MD5
D. SHA-512
179. Liam wants to protect data at rest in a SaaS service. He knows that he needs to consider his requirements differently in his cloud environment than in an on-premises environment. What option can he use to ensure that the data is encrypted when it is stored?
A. Install a full-disk encryption tool.
B. Install column-level encryption.
C. Select a SaaS service that supports encryption at rest.
D. Hire an independent auditor to validate the encryption.

180. Faraj wants to use statistics gained from live analysis of his network to programmatically change its performance, routing, and optimization. Which of the following technologies is best suited to his needs?
A. Serverless
B. Software-defined networking
C. Physical networking
D. Virtual private networks (VPNs)

181. Elaine's team has deployed an application to a cloud-hosted serverless environment. Which of the following security tools can she use in that environment?
A. Endpoint antivirus
B. Endpoint DLP
C. IDS for the serverless environment
D. None of the above

182. Valerie is leading an effort that will use a formal Fagan inspection of code. Which phase in the Fagan inspection process includes finding actual defects?
A. Overview
B. Preparation
C. Inspection
D. Rework
183. Greg wants to prevent SQL injection in a web application he is responsible for. Which of the following is not a common defense against SQL injection?
A. Prepared statements with parameterized queries
B. Output validation
C. Stored procedures
D. Escaping all user-supplied input

184. While reviewing code that generates a SQL query, Aarav notices that the "address" field is appended to the query without input validation or other techniques applied. What type of attack is most likely to be successful against code like this?
A. DoS
B. XSS
C. SQL injection
D. Teardrop
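Questions 183 and 184 describe the same code pattern from two sides: a query built by string concatenation, and the parameterized query that fixes it. The block below is an added example, not code from the question bank, that puts the two side by side against a constructed in-memory SQLite table (the `customers` table, its rows and the function names are this example's own). The vulnerable function reproduces the "address appended to the query" flaw from question 184; the safe function is the prepared-statement defense from question 183.

```python
import sqlite3

# Added example, not code from the original question bank. The table and rows
# are constructed test data standing in for an application's customer database.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, address, ssn) VALUES (?, ?, ?)",
        [("Ada", "1 Main St", "111-11-1111"), ("Bob", "2 Oak Ave", "222-22-2222")],
    )
    return conn


def find_by_address_vulnerable(conn: sqlite3.Connection, address: str) -> list:
    """The pattern in question 184: user input appended straight into the SQL text.

    A quote character in `address` ends the string literal, and whatever follows
    is executed as SQL.
    """
    query = "SELECT name, address FROM customers WHERE address = '" + address + "'"
    return conn.execute(query).fetchall()


def find_by_address_safe(conn: sqlite3.Connection, address: str) -> list:
    """Prepared statement with a bound parameter (question 183, option A).

    The SQL text is fixed; the driver sends the value separately, so a quote in
    the input is just data and can only ever be compared against the column.
    """
    return conn.execute(
        "SELECT name, address FROM customers WHERE address = ?", (address,)
    ).fetchall()


# Two classic payloads an attacker would type into the "address" field.
TAUTOLOGY = "' OR '1'='1"                               # returns every row
EXFIL = "' UNION SELECT name, ssn FROM customers --"    # pulls the ssn column out


if __name__ == "__main__":
    db = make_db()
    print(find_by_address_vulnerable(db, TAUTOLOGY))    # both customers
    print(find_by_address_vulnerable(db, EXFIL))        # names paired with SSNs
    print(find_by_address_safe(db, TAUTOLOGY))          # [] : no address equals that string
    print(find_by_address_safe(db, EXFIL))              # []
    print(find_by_address_safe(db, "1 Main St"))        # [('Ada', '1 Main St')]
```

The second payload is the one that matters for question 184: the attacker does not need the query to return "true", only to splice a `UNION` onto it, and columns the original query never exposed (here `ssn`) come back through the same result set. Escaping (option D in question 183) can block these two strings but has to be done correctly for every quoting context; binding the value as a parameter removes the problem rather than filtering it.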
185. What type of assertion is made to an SP in a SAML authentication process?
A. The user's password
B. Who the user is
C. Who the SP is
D. What rights the user has

186. Megan wants to downgrade the firmware for a device she is working with, but when she attempts to do so, the device will not accept the older firmware. What type of hardware technology has she most likely encountered?
A. A TPM
B. An HSM
C. eFuse
D. A trusted foundry

187. Security screws are an example of what type of control?
A. Anti-tamper
B. Detective
C. Anti-theft
D. Corrective

188. What U.S. government program focuses on ensuring that integrated circuits have an assured chain of custody, a supply chain that can avoid disruption, and processes in place to protect chips from being modified or tampered with?
A. Secure Forge
B. DMEA
C. Trusted foundry
D. IC Protect

189. Michelle wants to acquire data from a self-encrypting drive. When is the data on the drive unencrypted and accessible?
A. Data is unencrypted before the system boots.
B. Data is unencrypted after the OS boots.
C. Data is unencrypted only when it is read from the drive.
D. Data is never unencrypted.

190. What term describes hardware security features built into a CPU?
A. Atomic execution
B. Processor security extensions
C. Processor control architecture
D. Trusted execution

191. Angela wants to provide her users with a VPN service and does not want them to need to use client software. What type of VPN should she set up?
A. IPsec
B. Air gap
C. VPC
D. SSL/TLS

192. Lucca needs to explain the benefits of network segmentation to the leadership of his organization. Which of the following is not a common benefit of segmentation?
A. Decreasing the attack surface
B. Increasing the number of systems in a network segment
C. Limiting the scope of regulatory compliance efforts
D. Increasing availability in the case of an issue or attack

193. Kubernetes and Docker are examples of what type of technology?
A. Encryption
B. Software-defined networking
C. Containerization
D. Serverless

194. Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system's logs. What should he do to protect the logs?
A. Limit log access to administrators.
B. Encrypt the logs.
C. Rename the log files from their common name.
D. Send the logs to a remote server.
195. After generating a new SSH keypair, Allan inadvertently uploads it to GitHub as part of the check-in process for software he is writing. What options does he have to fix this issue?
A. He can modify the private key to fix the issue and then needs to re-upload it to GitHub.
B. He needs to generate a new keypair and replace it wherever it is in use.
C. He needs to change the password for the keypair.
D. He needs to modify the public key to fix the issue and then needs to re-upload it to GitHub.
196. What type of software testing most frequently happens during the development phase?
A. Unit testing
B. User acceptance testing
C. Fuzzing
D. Stress testing

197. What are the four phases found in the spiral SDLC model?
A. Design, User Story Identification, Build, and Analysis
B. Identification, Design, Build, and Evaluation
C. Requirement Gathering, Analysis, Design, and Build
D. User Story Identification, User Story Design, User Co-Creation, and User Acceptance Testing

198. What is the primary concept behind DevSecOps versus DevOps?
A. Development should occur before security operations.
B. Device security is part of operations.
C. Security should be part of the integrated application life cycle.
D. Operations security requires developers to play the primary security role.

Use the following diagram and scenario for questions 199–201.

Amanda has been assigned to lead the development of a new web application for her organization. She is following a standard SDLC model as shown here. Use the model and your knowledge of the software development life cycle to answer the following questions.

199. Amanda's first task is to determine if there are alternative solutions that are more cost effective than in-house development. What phase is she in?
A. Design
B. Operations and maintenance
C. Feasibility
D. Analysis and requirements definition

200. What phase of the SDLC typically includes the first code analysis and unit testing in the process?
A. Analysis and requirements definition
B. Design
C. Coding
D. Testing and integration

201. After making it through most of the SDLC process, Amanda has reached point E on the diagram. What occurs at point E?
A. Disposition
B. Training and transition
C. Unit testing
D. Testing and integration

202. Ansel knows he wants to use federated identities in a project he is working on. Which of the following should not be among his choices for a federated identity protocol?
A. OpenID
B. SAML
C. OAuth
D. Authman