Cybersecurity Analyst (CSA+) Exam Study Guide

The Cybersecurity Analyst (CSA+) Exam Study Guide (exam code CS0-001) provides complete coverage of the exam objectives for the new CSA+ certification.

The CSA+ certification validates a candidate's ability to configure and use threat detection tools, perform data analysis, and identify vulnerabilities, with the objective of securing and protecting an organization's systems.

Focus your review with the CSA+ CS0-001 study guide and benefit from real-world examples used by experts, hands-on labs, insight into how to build your own cybersecurity toolkit, and review questions that let you gauge your understanding at each stage.

In addition, you get access to an interactive learning environment that includes electronic quizzes, a searchable glossary, and numerous bonus practice questions drawn from case studies and real-world examples.

Fundamental Knowledge Areas

  • Computer Networks and Systems: Understanding the fundamentals of how computers and networks operate, including TCP/IP, DNS, HTTP/HTTPS, and more, is crucial. This includes both hardware and software aspects.

  • Operating Systems: Proficiency in various operating systems, such as Windows, Linux, and MacOS, since each has its own security features and vulnerabilities.

  • Cybersecurity Principles: Knowledge of cybersecurity principles, practices, and methods. This includes understanding threats, vulnerabilities, risk management, encryption, and access control models.

  • Threat Landscape: Familiarity with the types of threats (e.g., viruses, worms, Trojans, ransomware) and threat actors (e.g., hackers, state-sponsored attackers, insiders), and how they operate.

  • Security Technologies: Understanding of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), antivirus software, and other security technologies.

  • Incident Response and Forensic Analysis: Knowing how to respond to security incidents, including evidence preservation, impact analysis, and mitigation strategies.

  • Legal and Ethical Considerations: Awareness of legal, regulatory, and ethical considerations in cybersecurity, including data protection laws and standards such as GDPR, HIPAA, and PCI DSS.

Free Learning Resources

  • Cybrary: Offers a wide range of free courses on cybersecurity topics, from beginner to advanced levels.

  • edX: Provides free and low-cost courses from universities and institutions around the world on cybersecurity and related fields.

  • Coursera: Offers cybersecurity courses from universities and companies that can be audited for free. You only pay if you want a certificate.

  • Open Security Training: Hosts free classes on various cybersecurity topics, including beginner and advanced levels.

  • Khan Academy: Provides free tutorials on cryptography, a fundamental concept in cybersecurity.

  • MIT OpenCourseWare: Offers free lecture notes, exams, and videos from MIT on information and computer security.

  • SANS Cyber Aces Online: Provides free courses on the basics of cybersecurity.

Getting Hands-On Experience

  • Capture The Flag (CTF) Competitions: Participate in online CTFs to gain hands-on experience in cybersecurity challenges. Websites like CTFtime can help you find competitions.

  • Virtual Labs: Use platforms like Hack The Box or TryHackMe to practice hacking skills in a legal and safe environment.

Staying Updated

Cybersecurity is a rapidly changing field, so staying updated with the latest threats, vulnerabilities, and technologies is crucial. Follow cybersecurity news sources, blogs, and forums to keep informed.

By combining theoretical knowledge with practical skills and staying current on industry trends, you’ll build a strong foundation for a career as a cybersecurity analyst.




Threat Management 27% – Cybersecurity Analyst (CSA+) Exam Study Guide

Given a scenario, apply environmental reconnaissance techniques using appropriate tools and processes.

1. Procedures/common tasks
  1. Topology discovery
  2. OS fingerprinting
  3. Service discovery
  4. Packet capture
  5. Log review
  6. Router/firewall ACLs review
  7. Email harvesting
  8. Social media profiling
  9. Social engineering
  10. DNS harvesting
  11. Phishing
2. Variables
  1. Wireless vs. wired
  2. Virtual vs. physical
  3. Internal vs. external
  4. On-premises vs. cloud
3. Tools
  1. NMAP
  2. Host scanning
  3. Network mapping
  4. Packet analyzer
  5. IDS/IPS
  6. Firewall rule-based and logs
  7. Syslog
  8. Vulnerability scanner

Given a scenario, analyze the results of a network reconnaissance.

1. Point-in-time data analysis
  1. Packet analysis
  2. Protocol analysis
  3. Traffic analysis
  4. Netflow analysis
  5. Wireless analysis
2. Data correlation and analytics
  1. Anomaly analysis
  2. Trend analysis
  3. Availability analysis
  4. Heuristic analysis
  5. Behavioral analysis
3. Data output
  1. Firewall logs
  2. Packet captures
  3. NMAP scan results
  4. Event logs
  5. Syslogs
  6. IDS report
4. Tools
  1. SIEM
  2. Packet analyzer
  3. IDS
  4. Resource monitoring tool
  5. Netflow analyzer

Given a network-based threat, implement or recommend the appropriate response and countermeasure.

1. Network segmentation
  1. System isolation
  2. Jump box
2. Honeypot
3. Endpoint security
4. Group policies
5. ACLs
  1. Sinkhole
6. Hardening
  1. Mandatory Access Control (MAC)
  2. Compensating controls
  3. Blocking unused ports/services
  4. Patching
7. Network Access Control (NAC)
  1. Time-based
  2. Rule-based
  3. Role-based
  4. Location-based

Explain the purpose of practices used to secure a corporate environment.

1. Penetration testing
  1. Rules of engagement
  2. Timing
  3. Scope
  4. Authorization
  5. Exploitation
  6. Communication
  7. Reporting
2. Reverse engineering
  1. Isolation/sandboxing
  2. Hardware
  3. Source authenticity of hardware
  4. Trusted foundry
  5. OEM documentation
  6. Software/malware
  7. Fingerprinting/hashing
  8. Decomposition
3. Training and exercises
  1. Red team
  2. Blue team
  3. White team
4. Risk evaluation
  1. Technical control review
  2. Operational control review
  3. Technical impact and likelihood
  4. High
  5. Medium
  6. Low

Vulnerability Management 26% – Cybersecurity Analyst (CSA+) Exam Study Guide

Given a scenario, implement an information security vulnerability management process.

1. Identification of requirements
  1. Regulatory environments
  2. Corporate policy
  3. Data classification
  4. Asset inventory
  5. Critical
  6. Non-critical
2. Establish scanning frequency
  1. Risk appetite
  2. Regulatory requirements
  3. Technical constraints
  4. Workflow
3. Configure tools to perform scans according to specification
  1. Determine scanning criteria
  2. Sensitivity levels
  3. Vulnerability feed
  4. Scope
  5. Credentialed vs. non-credentialed
  6. Types of data
  7. Server-based vs. agent-based
  8. Tool updates/plug-ins
  9. SCAP
  10. Permissions and access
4. Execute scanning
5. Generate reports
  1. Automated vs. manual distribution
6. Remediation
  1. Prioritizing
  2. Criticality
  3. Difficulty of implementation
  4. Communication/change control
  5. Sandboxing/testing
  6. Inhibitors to remediation
  7. MOUs
  8. SLAs
  9. Organizational governance
  10. Business process interruption
  11. Degrading functionality
7. Ongoing scanning and continuous monitoring

Given a scenario, analyze the output resulting from a vulnerability scan.

1. Analyze reports from a vulnerability scan
  1. Review and interpret scan results
  2. Identify false positives
  3. Identify exceptions
  4. Prioritize response actions
2. Validate results and correlate other data points
  1. Compare to best practices or compliance
  2. Reconcile results
  3. Review related logs and/ or other data sources
  4. Determine trends

Compare and contrast common vulnerabilities found in the following targets within an organization.

1. Servers
2. Endpoints
3. Network infrastructure
4. Network appliances
5. Virtual infrastructure
  1. Virtual hosts
  2. Virtual networks
  3. Management interface
6. Mobile devices
7. Interconnected networks
8. Virtual Private Networks (VPNs)
9. Industrial Control Systems (ICSs)
10. SCADA devices

Cyber Incident Response 23% – Cybersecurity Analyst (CSA+) Exam Study Guide

Given a scenario, distinguish threat data or behavior to determine the impact of an incident.

1. Threat classification
  1. Known threats vs. unknown threats
  2. Zero day
  3. Advanced persistent threat
2. Factors contributing to incident severity and prioritization
  1. Scope of impact
  2. Downtime
  3. Recovery time
  4. Data integrity
  5. Economic
  6. System process criticality
  7. Types of data
  8. Personally Identifiable Information (PII)
  9. Personal Health Information (PHI)
  10. Payment card information
  11. Intellectual property
  12. Corporate confidential
  13. Accounting data
  14. Mergers and acquisitions

Given a scenario, prepare a toolkit and use appropriate forensics tools during an investigation.

1. Forensics kit
  1. Digital forensics workstation
  2. Write blockers
  3. Cables
  4. Drive adapters
  5. Wiped removable media
  6. Cameras
  7. Crime tape
  8. Tamper-proof seals
  9. Documentation/forms
  10. Chain of custody form
  11. Incident response plan
  12. Incident form
  13. Call list/escalation list
2. Forensic investigation suite
  1. Imaging utilities
  2. Analysis utilities
  3. Chain of custody
  4. Hashing utilities
  5. OS and process analysis
  6. Mobile device forensics
  7. Password crackers
  8. Cryptography tools
  9. Log viewers

Explain the importance of communication during the incident response process.

1. Stakeholders
  1. HR
  2. Legal
  3. Marketing
  4. Management
2. Purpose of communication processes
  1. Limit communication to trusted parties
  2. Disclosure based on regulatory/ legislative requirements
  3. Prevent inadvertent release of information
  4. Secure method of communication
3. Role-based responsibilities
  1. Technical
  2. Management
  3. Law enforcement
  4. Retain incident response provider

Given a scenario, analyze common symptoms to select the best course of action to support incident response.

1. Common network-related symptoms
  1. Bandwidth consumption
  2. Beaconing
  3. Irregular peer-to-peer communication
  4. Rogue devices on the network
  5. Scan sweeps
  6. Unusual traffic spikes
2. Common host-related symptoms
  1. Processor consumption
  2. Memory consumption
  3. Drive capacity consumption
  4. Unauthorized software
  5. Malicious processes
  6. Unauthorized changes
  7. Unauthorized privileges
  8. Data exfiltration
3. Common application-related symptoms
  1. Anomalous activity
  2. Introduction of new accounts
  3. Unexpected output
  4. Unexpected outbound communication
  5. Service interruption
  6. Memory overflows

Summarize the incident recovery and post-incident response process.

1. Containment techniques
  1. Segmentation
  2. Isolation
  3. Removal
  4. Reverse engineering
2. Eradication techniques
  1. Sanitization
  2. Reconstruction/reimage
  3. Secure disposal
3. Validation
  1. Patching
  2. Permissions
  3. Scanning
  4. Verify logging/communication to security monitoring
4. Corrective actions
  1. Lessons learned report
  2. Change control process
  3. Update incident response plan
5. Incident summary report

Security Architecture and Tool Sets 24% – Cybersecurity Analyst (CSA+) Exam Study Guide

Explain the relationship between frameworks, common policies, controls, and procedures.

1. Regulatory compliance
2. Frameworks
  1. NIST
  2. ISO
  3. COBIT
  4. SABSA
  5. TOGAF
  6. ITIL
3. Policies
  1. Password policy
  2. Acceptable use policy
  3. Data ownership policy
  4. Data retention policy
  5. Account management policy
  6. Data classification policy
4. Controls
  1. Control selection based on criteria
  2. Organizationally defined parameters
  3. Physical controls
  4. Logical controls
  5. Administrative controls
5. Procedures
  1. Continuous monitoring
  2. Evidence production
  3. Patching
  4. Compensating control development
  5. Control testing procedures
  6. Manage exceptions
  7. Remediation plans
6. Verifications and quality control
  1. Audits
  2. Evaluations
  3. Assessments
  4. Maturity model
  5. Certification

Given a scenario, use data to recommend remediation of security issues related to identity and access management.

1. Security issues associated with context-based authentication
  1. Time
  2. Location
  3. Frequency
  4. Behavioral
2. Security issues associated with identities
  1. Personnel
  2. Endpoints
  3. Servers
  4. Services
  5. Roles
  6. Applications
3. Security issues associated with identity repositories
  1. Directory services
  2. TACACS+
4. Security issues associated with federation and single sign-on
  1. Manual vs. automatic provisioning/deprovisioning
  2. Self-service password reset
5. Exploits
  1. Impersonation
  2. Man-in-the-middle
  3. Session hijack
  4. Cross-site scripting
  5. Privilege escalation
  6. Rootkit

Given a scenario, review security architecture and make recommendations to implement compensating controls.

1. Security data analytics
  1. Data aggregation and correlation
  2. Trend analysis
  3. Historical analysis
2. Manual review
  1. Firewall log
  2. Syslogs
  3. Authentication logs
  4. Event logs
3. Defense in depth
  1. Personnel
  2. Training
  3. Dual control
  4. Separation of duties
  5. Third party/consultants
  6. Cross training
  7. Mandatory vacation
  8. Succession planning
  9. Processes
  10. Continual improvement
  11. Scheduled reviews
  12. Retirement of processes
  13. Technologies
  14. Automated reporting
  15. Security appliances
  16. Security suites
  17. Outsourcing
  18. Security as a Service
  19. Cryptography
  20. Other security concepts
  21. Network design
  22. Network segmentation

Given a scenario, use application security best practices while participating in the Software Development Life Cycle (SDLC).

1. Best practices during software development
  1. Security requirements definition
  2. Security testing phases
  3. Static code analysis
  4. Web app vulnerability scanning
  5. Fuzzing
  6. Use interception proxy to crawl application
  7. Manual peer reviews
  8. User acceptance testing
  9. Stress test application
  10. Security regression testing
  11. Input validation
2. Secure coding best practices
  1. OWASP
  2. SANS
  3. Center for Internet Security
  4. System design recommendations
  5. Benchmarks

Compare and contrast the general purpose and reasons for using various cybersecurity tools and technologies.

1. Preventative
  1. IPS
  2. Sourcefire
  3. Snort
  4. Bro
  5. HIPS
  6. Firewall
  7. Cisco
  8. Palo Alto
  9. Check Point
  10. Antivirus
  11. Anti-malware
  12. EMET
  13. Web proxy
  14. Web Application Firewall (WAF)
  15. ModSecurity
  16. NAXSI
  17. Imperva
2. Collective
  1. SIEM
  2. ArcSight
  3. QRadar
  4. Splunk
  5. AlienVault
  6. OSSIM
  7. Kiwi Syslog
  8. Network scanning
  9. NMAP
  10. Vulnerability scanning
  11. Qualys
  12. Nessus
  13. OpenVAS
  14. Nexpose
  15. Nikto
  16. Microsoft Baseline Security Analyzer
  17. Packet capture
  18. Wireshark
  19. tcpdump
  20. Network General
  21. Aircrack-ng
  22. Command line/IP utilities
  23. netstat
  24. ping
  25. tracert/traceroute
  26. ipconfig/ifconfig
  27. nslookup/dig
  28. Sysinternals
  29. OpenSSL
  30. IDS/HIDS
  31. Bro
3. Analytical
  1. Vulnerability scanning
  2. Qualys
  3. Nessus
  4. OpenVAS
  5. Nexpose
  6. Nikto
  7. Microsoft Baseline Security Analyzer
  8. Monitoring tools
  9. MRTG
  10. Nagios
  11. SolarWinds
  12. Cacti
  13. NetFlow Analyzer
  14. Interception proxy
  15. Burp Suite
  16. Zap
  17. Vega
4. Exploit
  1. Interception proxy
  2. Burp Suite
  3. Zap
  4. Vega
  5. Exploit framework
  6. Metasploit
  7. Nexpose
  8. Fuzzers
  9. Untidy
  10. Peach Fuzzer
  11. Microsoft SDL File/Regex Fuzzer
5. Forensics
  1. Forensic suites
  2. EnCase
  3. FTK
  4. Helix
  5. Sysinternals
  6. Cellebrite
  7. Hashing
  8. MD5sum
  9. SHAsum
  10. Password cracking
  11. John the Ripper
  12. Cain & Abel
  13. Imaging
  14. DD

Assessment Test - Cybersecurity Analyst (CSA+) Exam Study Guide

The following assessment test helps to make sure that you have the knowledge you should have before you tackle the Cybersecurity Analyst+ certification, and it will help you determine where you may want to spend more time. Each question is followed by its answer and an explanation in the answer key below.

If you are new to cybersecurity, read the answer key below: its explanations link the ideas and terminology to appropriate resources that explain each term further. Have fun and good luck!

Assessment Test Answer Key – Cybersecurity Analyst (CSA+) Exam Study Guide

Here are the answers to the test above.

The links provided for some of the terminology offer more valuable insight into the topic / word definition.

Spot any errors, or have a better link suggestion? Tell us about it. We are not interested in links that attempt to sell overpriced products; after all, that's what this course is all about. :-)

1. After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:

22 / TCP
443 / TCP
1521 / TCP

What services commonly run on these ports?

B. SSH, Microsoft DS, WINS
C. SSH, HTTPS, Oracle

The answer is C. These three TCP ports are associated with SSH ( port 22), HTTPS (port 443), and Oracle databases ( port 1521).

Other ports mentioned in the potential answers are SMTP (port 25), NetBIOS (ports 137–139), MySQL (port 3306), WINS (port 1512), FTP (ports 20 and 21), and MS-SQL (ports 1433/1434).

2. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?

A. nmap
B. traceroute
C. regmon
D. whois

The answer is D. Regional Internet registries like ARIN are best queried either via their websites or using tools like whois.

Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.

3. What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?

A. A honeypot
B. A sinkhole
C. A crackpot
D. A darknet

The answer is A. Honeypots are systems that are designed to look like attractive targets. When they are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to malicious software, redirecting queries about command and control systems to allow remediation. Darknets are segments of unused network space that are monitored to detect traffic—since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic. Crackpots are eccentric people—not a system you’ll run into on a network.

4. What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate data centers?

A. Confidentiality
B. Integrity
C. Immutability
D. Availability

The answer is D. Redundant systems, particularly when run in multiple locations and with other protections to ensure uptime, help provide availability.

5. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?

A. Black box
B. Authenticated
C. Internal view
D. External view

The answer is B. An authenticated, or credentialed, scan provides the most detailed view of the system. Black box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the level of detail that credentials allow.

6. In early 2017, a flaw was discovered in the Chakra JavaScript engine in Microsoft's Edge browser that could allow remote code execution or denial of service via a specially crafted website. The CVSS 3.0 vector for this flaw reads CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What is the attack vector and the impact to integrity based on this rating?

A. System, 9, 8
B. Browser, High
C. Network, High
D. None, High

The answer is C. When reading the CVSS 3.0 vector, AV is the attack vector; here, N means Network. Confidentiality (C), Integrity (I), and Availability (A) are listed at the end of the vector, and all three are rated High (H) in this case.

7. Ian is a security engineer tasked with performing vulnerability scans for his organization. Ian encounters a false positive error in one of his scans. What should he do about this?

A. Verify that it is a false positive, and then document the exception
B. Implement a workaround
C. Update the vulnerability scanner
D. Use an authenticated scan, and then document the vulnerability

The answer is A. When Ian encounters a false positive error in his scans, his first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once he is done, he should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all of the possibilities for validation he may need to use.

8. Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?

A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-Incident Activity and Reporting

The answer is C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase.

9. Which of the following descriptions explains an integrity loss?

A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or

The answer is B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.

10. Which of the following techniques is an example of active monitoring?

A. Ping
B. RMON
C. Netflows
D. A network tap

The answer is A. Active monitoring sends traffic, such as pings, to remote devices as part of the monitoring process. RMON and netflows are both examples of router-based monitoring, whereas network taps allow passive monitoring.

11. Ian's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?

A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing

The answer is D. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior; zombie chatter is a made-up term; and probing is part of scanning behavior in some cases.
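Beaconing is a detection problem as much as an exam term: the tell is not the destination but the timing. The following is an added example, not code from this study guide or from any product named on it. It scores NetFlow-style records by regularity: for each source/destination pair it computes the coefficient of variation (standard deviation divided by mean) of the inter-arrival times and flags pairs with many small, evenly spaced connections. The flow records, IP addresses and thresholds are constructed for illustration; in practice you would feed it exported flows and tune the thresholds to your environment.

```python
"""Beaconing detection over flow records (added example, not from the page).

Beaconing is the regular, low-volume check-in a compromised host makes to its
command-and-control server.  Each (src, dst) pair is scored by how regular its
connection intervals are: the coefficient of variation (stddev / mean) of the
inter-arrival times.  Near-zero CV means machine-like timing.  Thresholds and
the sample flows below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed NetFlow-style records: (timestamp, src, dst, dst_port, bytes).
# 10.0.0.23 contacts 203.0.113.7 every 60 s (plus a little jitter) with tiny
# payloads; 10.0.0.42 browses 198.51.100.9 at irregular intervals.
_T0 = datetime(2017, 3, 1, 9, 0, 0)
SAMPLE_FLOWS = []
for i, jitter in enumerate([0, 1, -1, 0, 2, 0, -1, 1, 0, 0, 1, -2]):
    SAMPLE_FLOWS.append((_T0 + timedelta(seconds=60 * i + jitter),
                         "10.0.0.23", "203.0.113.7", 443, 412))
for offset, size in [(5, 48000), (9, 120000), (40, 2300), (44, 77000),
                     (190, 9000), (600, 310000), (610, 5000), (1800, 450000)]:
    SAMPLE_FLOWS.append((_T0 + timedelta(seconds=offset),
                         "10.0.0.42", "198.51.100.9", 443, size))


def interval_stats(timestamps):
    """Return (mean, coefficient of variation) of inter-arrival seconds, or None."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu


def find_beacons(flows, min_connections=8, max_cv=0.15, max_avg_bytes=2000):
    """Return [(src, dst, mean_interval, cv, avg_bytes)] for pairs that look like beacons.

    A pair is flagged when it has enough connections to judge, its timing is
    regular (CV at or below max_cv) and its flows are small (typical check-ins).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    hits = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_connections:
            continue
        stats = interval_stats([ts for ts, _ in recs])
        if stats is None:
            continue
        mu, cv = stats
        avg_bytes = mean([b for _, b in recs])
        if cv <= max_cv and avg_bytes <= max_avg_bytes:
            hits.append((src, dst, round(mu, 1), round(cv, 3), round(avg_bytes)))
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon: %s -> %s every %.0fs (cv=%.3f, avg %d bytes)" % hit)
```

The jittered 60-second pair scores a CV near 0.03 and is flagged; the browsing pair has the same number of connections but a CV well above the threshold and large transfers, so it is not. Real C2 implants add deliberate jitter and sleep skew, so the CV threshold is a tuning knob, not a constant, and the byte-size filter exists mainly to keep chatty but legitimate pollers (NTP, monitoring agents) from drowning the list.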

12. Which of the following tools is NOT useful for monitoring memory usage in Linux?

A. df
B. top
C. ps
D. free

The answer is A. The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.

13. Which of the following tools cannot be used to make a forensic disk

A. xcopy
B. FTK
C. dd
D. EnCase

The answer is A. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.

14. During a forensic investigation, Ian is told to look for information in slack space on the drive. Where should he look, and what is he likely to

A. He should look at unallocated space, and he is likely to find file fragments from deleted files.

B. He should look at unused space where files were deleted, and he is likely to find complete files hidden there by the individual being investigated.

C. He should look in the space reserved on the drive for spare blocks, and he is likely to find complete files duplicated there.

D. He should look at unused space left when a file is written, and he is likely to find file fragments from deleted files.

The answer is D. Slack space is the space left between the end of a file and the end of its last allocated cluster when the file is written. Since that space may previously have been occupied by another file, file fragments are likely to exist and be recoverable. Unallocated space is space the file system has not assigned to any current file; it can contain data from deleted files, but looking there isn't part of Ian's task. The reserved space maintained by drives for wear leveling (on SSDs) or to replace bad blocks (on spinning disks) may contain data, but again, this was not part of his task.
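Questions 13 and 14 turn on the same fact: a bitwise image carries every byte of the medium, slack included, while a logical copy takes only the bytes that belong to the file. The following is an added example, not code from this study guide or from dd, FTK or EnCase. It builds a small constructed volume in memory with 512-byte clusters, writes a file and then "deletes" it without wiping, writes a shorter live file over the start of it, and compares what a file-level copy and a bitwise image each recover, along with the SHA-256 hashes you would record on the chain-of-custody form. The cluster size, file contents and the SECRET marker are assumptions chosen for illustration.

```python
"""Slack space and forensic imaging, as an added example (not from the page).

Builds a tiny constructed "volume" in memory with 512-byte clusters, leaves the
remnants of a deleted file in place, writes a live file on top of it, and shows
that a bitwise image (what dd/FTK/EnCase produce) preserves the slack while a
file-level copy (what xcopy does) drops it.  Sizes and contents are made up.
"""
import hashlib

CLUSTER = 512  # assumed allocation unit, like a small FAT cluster


def make_volume(clusters=8):
    """Constructed volume: an old file written, then 'deleted' (no wipe), then a new one.

    Returns (volume_bytes, size_of_live_file).
    """
    vol = bytearray(CLUSTER * clusters)
    old = b"SECRET: old payroll export, account 12345\n" * 40  # 1680 bytes, 4 clusters
    vol[0:len(old)] = old
    # Deleting the old file only frees its clusters in the allocation table; the
    # bytes stay.  The new file is 700 bytes: it fills cluster 0 and the first
    # 188 bytes of cluster 1.  The remaining 324 bytes of cluster 1 still hold
    # the deleted file's data.  That remainder is the file slack.
    new = (b"quarterly-report: nothing to see here\n" * 20)[:700]
    vol[0:len(new)] = new
    return bytes(vol), len(new)


def slack_range(file_size, cluster=CLUSTER):
    """(start, end) offsets of file slack: end of file to end of its last cluster."""
    used_clusters = -(-file_size // cluster)  # ceiling division
    return file_size, used_clusters * cluster


def file_level_copy(volume, file_size):
    """What a logical copy (xcopy, cp) takes: exactly the file's bytes."""
    return volume[:file_size]


def bitwise_image(volume):
    """What dd/EnCase/FTK take: every byte of the medium, slack included."""
    return bytes(volume)


def sha256(data):
    """Hex digest used to prove the image matches the original medium."""
    return hashlib.sha256(data).hexdigest()


def investigate(volume, file_size, needle=b"SECRET"):
    """Report what each copy method recovers and whether its hash matches the medium."""
    start, end = slack_range(file_size)
    logical = file_level_copy(volume, file_size)
    image = bitwise_image(volume)
    return {
        "slack_bytes": end - start,
        "needle_in_logical_copy": needle in logical,
        "needle_in_image_slack": needle in image[start:end],
        "image_hash_matches_original": sha256(image) == sha256(volume),
        "logical_copy_hash_matches_original": sha256(logical) == sha256(volume),
    }


if __name__ == "__main__":
    vol, size = make_volume()
    for key, val in investigate(vol, size).items():
        print("%-36s %s" % (key, val))
```

The logical copy never contains the SECRET marker and its hash cannot match the medium, which is exactly why xcopy is the wrong answer in question 13; the image reproduces the slack bytes and hashes identically to the source, which is what a write-blocked dd or FTK Imager acquisition, verified by SHA-256 or MD5 on both sides, is for.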

15. What type of system is used to contain an attacker to allow them to be

A. A white box
B. A sandbox
C. A network jail

The answer is B. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise.

16. Ian's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Ian's best course of action?

A. Use an antivirus tool to remove any associated malware
B. Use an antimalware tool to completely scan and clean the system
C. Wipe and rebuild the system
D. Restore a recent backup

The answer is C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software.

17. What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job

A. Clear
B. Purge
C. Destroy
D. Reinstall

The answer is B. NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case purging, which uses technical means to make data infeasible to recover, is appropriate for a high-security device. Destruction might be preferable, but the reuse element of the question rules it out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.

18. Which of the following actions is not a common activity during the recovery phase of an incident response process?

A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems

The answer is A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.

19. A statement like "Windows workstations must have the current security configuration template applied to them before being deployed" is most likely to be part of which document?

A. Policies
B. Standards
C. Procedures
D. Guidelines

The answer is B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.

20. Ian is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?


The answer is D. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records. HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearing houses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies.

21. A fire suppression system is an example of what type of control?

A. Logical
B. Physical
C. Administrative
D. Operational

The answer is B. Fire suppression systems are physical controls. Logical controls are technical controls that enforce confidentiality, integrity, and availability; administrative controls are procedural controls. "Operational" is not one of the three control types (physical, logical, administrative) used in this classification.

22. Ian is concerned that Bernie and Chris are conspiring to use their access to defraud their organization. What personnel control will allow Ian to review their actions to find any issues?

A. Dual control
B. Separation of duties
C. Background checks
D. Cross training

The answer is B. Ian should implement separation of duties in a way that ensures that Bernie and Chris cannot abuse their rights without a third party being involved. This will allow review of their actions and should result in any issues being discovered.

23. Ian wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state?

A. Kerberos

The answer is A. Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default (and LDAP has limitations as an authentication mechanism). It is recommended that TACACS+ be run only on isolated administrative networks.

24. Which software development life cycle model uses linear development concepts in an iterative, four-phase process?

A. Waterfall
B. Agile
D. Spiral

The answer is D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.

1) Defending Against Cybersecurity Threats - Quiz

1) Defending Against Cybersecurity Threats - Quiz Essentials

  • The three objectives of cybersecurity are confidentiality, integrity, and availability. Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them.
  • Cybersecurity risks result from the combination of a threat and a vulnerability.
  • A vulnerability is a weakness in a device, system, application, or process that might allow an attack to take place. A threat in the world of cybersecurity is an outside force that may exploit a vulnerability.
  • Cybersecurity threats may be categorized as adversarial, accidental, structural, or environmental.
  • Adversarial threats are individuals, groups, and organizations that are attempting to deliberately undermine the security of an organization. Accidental threats occur when individuals doing their routine work mistakenly perform an action that undermines security.
  • Structural threats occur when equipment, software, or environmental controls fail because their resources are exhausted, their operational limits are exceeded, or they simply fail with age.
  • Environmental threats occur when natural or man-made disasters occur that are outside the control of the organization.
  • Networks are made more secure through the use of network access control, firewalls, and segmentation.
  • Network access control (NAC) solutions help security professionals achieve two cybersecurity objectives: limiting network access to authorized individuals and ensuring that systems accessing the organization’s network meet basic security requirements.
  • Network firewalls sit at the boundaries between networks and provide perimeter security.
  • Network segmentation uses isolation to separate networks of differing security levels from each other.
  • Endpoints are made more secure through the use of hardened configurations, patch management, Group Policy, and endpoint security software.
  • Hardening configurations includes disabling any unnecessary services on endpoints to reduce their susceptibility to attack, ensuring that secure configuration settings exist on devices, and centrally controlling device security settings.
  • Patch management ensures that operating systems and applications are not susceptible to known vulnerabilities.
  • Group Policy allows the application of security settings to many devices simultaneously, and endpoint security software protects against malicious software and other threats.
  • Penetration tests provide organizations with an attacker’s perspective on their security.
  • The NIST process for penetration testing divides tests into four phases: planning, discovery, attack, and reporting.
  • The results of penetration tests are valuable security planning tools, since they describe the actual vulnerabilities that an attacker might exploit to gain access to a network.
  • Reverse engineering is an attempt to determine how hardware and software functions internally.
  • Sandboxing is an approach used to detect malicious software based on its behavior rather than its signatures.
  • Other reverse engineering techniques are difficult to perform, are often unsuccessful, and are quite time-consuming.

Good luck on the quiz below...

Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?


The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.

Carol is preparing to conduct a cybersecurity risk assessment for her organization. If Carol chooses to follow the standard process proposed by NIST, which one of the following steps would come first?


The NIST risk assessment process says that organizations should identify threats before identifying vulnerabilities or determining the likelihood and impact of risks.

Which one of the following threat categories requires that cybersecurity analysts consider the capability, intent, and targeting of the threat source?


Adversarial threat analysis requires examining the capability of the threat source, the intent of the threat source, and the likelihood that the threat will target the organization.

Jimbose is assessing the security of several database servers at his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Jimbose detected?


In this scenario, Jimbose identified a deficiency in the security of his database server that leaves it open to attack: a security vulnerability. He has not yet identified a risk, because a risk requires a threat (such as an attacker) that might exploit this vulnerability, and he has not identified one.

Which one of the following is an example of an operational security control?


Penetration tests are an example of an operational security control. Encryption software, network firewalls, and antivirus software are all examples of technical security controls.

Lindsey is conducting a cybersecurity risk assessment and is considering the impact that a failure of her city’s power grid might have on the organization. What type of threat is she considering?


Widespread infrastructure failures, such as those affecting the power grid or telecommunications circuits, are considered man-made disasters and fall under the category of environmental threats.

Jean would like to deploy consistent security settings to all of his Windows systems simultaneously. What technology can he use to achieve this goal?


Jean can use Group Policy Objects (GPOs) to control a wide variety of Windows settings from a central point and to create different policies that apply to different classes of system.

What type of firewall provides the greatest degree of contextual information and can include information about users and applications in its decision-making process?


Next-generation firewalls (NGFWs) incorporate contextual information about users, applications, and business processes in their decision-making process.

When performing 802.1X authentication, what protocol does the authenticator use to communicate with the authentication server?


Remote Authentication Dial-In User Service (RADIUS) is the protocol used between the authenticator (the switch or access point) and the authentication server during 802.1X authentication; the supplicant's EAP messages are relayed to the server inside RADIUS packets.
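The answer above, and the earlier note that RADIUS is not encrypted by default, are easier to appreciate by looking at what a RADIUS Access-Request actually carries. The following is an added example, not from the study guide: it implements the User-Password hiding of RFC 2865 section 5.2 (the only confidentiality classic RADIUS applies), builds a minimal Access-Request with a User-Name and User-Password, and parses it back the way a sniffer between authenticator and authentication server would. The shared secret, Request Authenticator, user name and password are constructed values.

```python
"""What classic RADIUS protects by default: only the User-Password attribute.

Added example, not from the study guide. Implements RFC 2865 section 5.2
password hiding and a minimal Access-Request; secret, authenticator, user
name and password are constructed values.
"""
import hashlib

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        out += block
        prev = block  # chaining: the next key block depends on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; the trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, stream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte attribute header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([atype, len(value) + 2]) + value


def build_access_request(identifier, authenticator, username, password, secret):
    """Access-Request with a cleartext User-Name and a hidden User-Password."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    length = HEADER_LEN + len(attrs)
    return (bytes([CODE_ACCESS_REQUEST, identifier]) + length.to_bytes(2, "big")
            + authenticator + attrs)


def parse_packet(packet: bytes):
    """Eavesdropper's view: code, identifier, authenticator and raw attributes by type."""
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or length < HEADER_LEN:
        raise ValueError("bad length field")
    authenticator = packet[4:HEADER_LEN]
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, authenticator, attrs


if __name__ == "__main__":
    import os
    secret, auth = b"s3cr3t-shared", os.urandom(16)  # constructed values
    pkt = build_access_request(7, auth, b"alice", b"correct horse battery", secret)
    _, _, _, attrs = parse_packet(pkt)
    print("User-Name on the wire:    ", attrs[ATTR_USER_NAME])        # readable by anyone
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())  # hidden by MD5 + shared secret only
```

Everything except the password, including the user name, is readable to anyone on the path, and the password hiding itself rests on a shared secret and MD5, which is why RADIUS between authenticator and server is normally confined to a management network or carried over TLS (RadSec) rather than trusted across untrusted networks.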

Bernie is responding to a security incident that compromised his organization's web servers. He does not believe that the attackers modified or stole any information, but they did disrupt access to the organization's website. What cybersecurity objective did this attack violate?


In availability attacks, the attacker disrupts access to information or a service by legitimate users. In this attack, the attacker disrupted access to the organization’s website, violating the principle of availability.

Benjamin is participating in a cybersecurity wargame exercise. His role is to attempt to break into adversary systems. What team is Benjamin on?


Benjamin would be on the red team. The red team plays the role of the attacker and uses reconnaissance and exploitation tools to attempt to gain access to the protected network.

Jessica’s organization has a Bring Your Own Device (BYOD) policy, and she would like to ensure that devices connected to the network under this policy have current antivirus software. What technology can best assist her with this goal?


Network access control (NAC) solutions are able to verify the security status of devices before granting them access to the organization’s network.

Devices not meeting minimum security standards may be placed on a quarantine network until they are remediated.

During what phase of a penetration test should the testers obtain signed written authorization to conduct the test?


During the planning phase of a penetration test, the testers confirm the timing and scope of the test and obtain signed, written authorization to conduct it.

Moses is configuring a jump box server that system administrators will connect to from their laptops. Which one of the following ports should definitely NOT be open on the jump box?


Port 23 is used by Telnet, which sends everything, including credentials, in cleartext, so it should definitely not be open on a jump box. A jump box should accept connections only on encrypted services; the services on ports 22 (SSH), 443 (HTTPS), and 3389 (RDP) all use encryption.
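Checking a real jump box against that rule means inventorying what is actually listening rather than what the build document says. The following is an added example, not from the study guide: it parses `ss -tlnp`-style output and reports cleartext services to close and unexpected ports to review. The policy and the sample `ss` output are constructed, not captured from a real host.

```python
"""Audit a jump box's listening TCP sockets against an allow-list of encrypted services.

Added example, not from the study guide. Parses `ss -tlnp`-style output and
reports what must be closed. The policy and the sample output below are
constructed, not captured from a real host.
"""
import re

# Policy (constructed): ports an admin jump box may expose, all encrypted
ALLOWED = {22: "ssh", 443: "https", 3389: "rdp"}
# Cleartext services that must never listen on a jump box
CLEARTEXT = {21: "ftp", 23: "telnet", 80: "http"}
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample of `ss -tlnp` output
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=900,fd=4))
LISTEN 0      511    *:443              *:*               users:(("nginx",pid=1201,fd=6))
LISTEN 0      128    [::]:3389          [::]:*            users:(("xrdp",pid=1010,fd=11))
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*         users:(("python3",pid=1333,fd=5))
"""

# One ss line: state, queue counters, local addr:port, peer addr:port, optional process info
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(text):
    """Return one dict per LISTEN line: local address, port and owning process."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            sockets.append({"addr": m["addr"], "port": int(m["port"]), "proc": m["proc"] or "?"})
    return sockets


def audit(sockets, allowed=ALLOWED, cleartext=CLEARTEXT):
    """CLOSE: cleartext service. REVIEW: unexpected and reachable. INFO: unexpected, loopback only."""
    findings = []
    for s in sockets:
        port, proc = s["port"], s["proc"]
        if port in cleartext:
            findings.append(("CLOSE", port, proc, f"cleartext {cleartext[port]}"))
        elif port not in allowed:
            local = s["addr"] in LOOPBACK
            scope = "loopback only" if local else "network reachable"
            findings.append(("INFO" if local else "REVIEW", port, proc, f"not on allow-list, {scope}"))
    return findings


if __name__ == "__main__":
    for severity, port, proc, why in audit(parse_ss(SAMPLE_SS)):
        print(f"{severity:6} tcp/{port:<5} {proc:10} {why}")
```

On the constructed sample the Telnet listener owned by inetd is reported for closure and the loopback-only port 8080 is reported for information; SSH, HTTPS and RDP pass. Feeding the real output of `ss -tlnp` into `parse_ss` in place of the sample is the intended use.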

James is configuring a new device that will join his organization's wireless network. The wireless network uses 802.1X authentication. What type of agent must be running on the device for it to join this network?


Any device that wishes to join an 802.1X network must run an 802.1X supplicant, which carries out the EAP exchange with the authenticator (the access point) before the device is allowed onto the network.

Which step occurs first during the attack phase of a penetration test?


After the discovery phase is complete, penetration testers first attempt to gain access to a system on the target network; any reachable host, including IoT devices, is a candidate foothold. They then use that system as the launching point for further attacks against other systems.

Angel would like to implement a specialized firewall that can protect against SQL injection, cross-site scripting, and similar attacks. What technology should she choose?


Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.

Which one of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures?


Sandboxing detects malicious software based on its behavior rather than its signature. A sandboxing system watches hosts and the network for code it has not seen before and, when it finds some, runs that code in an isolated environment (the sandbox) that has no access to other systems or applications, observing what the code does before deciding whether to block it.
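The essentials list above and this answer both describe sandboxing as behavior-based rather than signature-based detection. The following added example (not from the study guide; the sample bytes, known-bad hash, sandbox event traces and scoring rules are all constructed) shows the difference in code: a trivially rebuilt dropper evades a hash signature but is still caught by scoring what it does in the sandbox. It models only the scoring stage, not the isolation itself.

```python
"""Signature versus behavior-based detection of an unknown sample.

Added example, not from the study guide. The sample bytes, the known-bad
hash list, the sandbox event traces and the rules are all constructed.
"""
import hashlib

# Signature database (constructed): SHA-256 of one known dropper build
KNOWN_BAD_SHA256 = {hashlib.sha256(b"dropper-v1").hexdigest()}

# Constructed sandbox traces: (event_type, detail) as a sandbox would record them
TRACE_DROPPER_V2 = [
    ("file_write", r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    ("registry_set", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"),
    ("process_create", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("network_connect", "203.0.113.7:4444"),
]
TRACE_BENIGN = [
    ("file_write", r"C:\Users\victim\Documents\report.docx"),
    ("network_connect", "93.184.216.34:443"),
]


def signature_match(sample: bytes) -> bool:
    """Classic AV check: does the file hash match a known-bad signature?"""
    return hashlib.sha256(sample).hexdigest() in KNOWN_BAD_SHA256


def _port_of(endpoint: str) -> int:
    return int(endpoint.rsplit(":", 1)[1])


# Behavior rules (constructed): name, predicate over one event, weight
RULES = [
    ("persistence_run_key",
     lambda t, d: t == "registry_set" and "\\CurrentVersion\\Run" in d, 40),
    ("masquerade_system_binary",
     lambda t, d: t == "file_write" and d.lower().endswith("svchost.exe")
     and "\\windows\\system32\\" not in d.lower(), 30),
    ("shadow_copy_deletion",
     lambda t, d: t == "process_create" and "vssadmin" in d.lower()
     and "delete shadows" in d.lower(), 50),
    ("unusual_port_connect",
     lambda t, d: t == "network_connect" and _port_of(d) not in (80, 443), 20),
]
THRESHOLD = 60  # constructed: sum of rule weights at which the sample is blocked


def behavior_score(trace):
    """Score a sandbox trace; returns (total, [(rule, weight), ...]) for the rules that fired."""
    hits = [(name, weight) for name, pred, weight in RULES
            if any(pred(t, d) for t, d in trace)]
    return sum(w for _, w in hits), hits


def verdict(sample: bytes, trace) -> str:
    """Signature first (cheap), then behavior for anything the signature misses."""
    if signature_match(sample):
        return "malicious (signature)"
    score, _ = behavior_score(trace)
    return "malicious (behavior)" if score >= THRESHOLD else "benign"


if __name__ == "__main__":
    # v1 is in the signature database; v2 is the same dropper rebuilt, so its hash differs
    print("dropper-v1:", verdict(b"dropper-v1", TRACE_DROPPER_V2))
    print("dropper-v2:", verdict(b"dropper-v2", TRACE_DROPPER_V2), behavior_score(TRACE_DROPPER_V2)[1])
    print("report:    ", verdict(b"report-file", TRACE_BENIGN))
```

The rebuilt dropper has no signature match, yet every rule fires on its trace (persistence, masquerading, shadow-copy deletion, an odd outbound port), which is exactly the case the signature-only approach in the question would miss.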


About the Author: Bernard Aybout

In the land of bytes and bits, a father of three sits, With a heart for tech and coding kits, in IT he never quits. At Magna's door, he took his stance, in Canada's wide expanse, At Karmax Heavy Stamping - Cosma's dance, he gave his career a chance. With a passion deep for teaching code, to the young minds he showed, The path where digital seeds are sowed, in critical thinking mode. But alas, not all was bright and fair, at Magna's lair, oh despair, Harassment, intimidation, a chilling air, made the workplace hard to bear. Management's maze and morale's dip, made our hero's spirit flip, In a demoralizing grip, his well-being began to slip. So he bid adieu to Magna's scene, from the division not so serene, Yet in tech, his interest keen, continues to inspire and convene.