The Cybersecurity Analyst (CSA+) Exam Study Guide (exam code CS0-001) provides 100% coverage of the exam objectives for the CSA+ certification.
The CSA+ certification validates a candidate's ability to configure and use threat detection tools, perform data analysis, and identify vulnerabilities, with the objective of securing and protecting an organization's systems.
Focus your review with the CSA+ CS0-001 study guide and benefit from real-world examples drawn from expert experience, hands-on labs, insight into building your own cybersecurity toolkit, and review questions that let you gauge your understanding of each topic.
In addition, you gain access to an interactive learning environment that includes electronic quizzes, a searchable glossary, and numerous bonus practice questions drawn from case studies and real-world examples.
Assessment Test Answer Key – Cybersecurity Analyst (CSA+) Exam Study Guide
Here are the answers to the test above.
The links provided for some of the terminology offer more valuable insight into the topic / word definition.
Spot any errors, have a better link suggestion? Tell us about it. Not interested in links that attempt to sell your overpriced products. After all that’s what this course is all about. :-)
1. After running an nmap scan of a system, you receive scan data that indicates the following three ports are open:
What services commonly run on these ports?
A. SMTP, NetBIOS, MySQL
B. SSH, Microsoft DS, WINS
C. SSH, HTTPS, Oracle
D. FTP, HTTPS, MS-SQL
The answer is C. These three TCP ports are associated with SSH (port 22), HTTPS (port 443), and Oracle databases (port 1521).
Other ports mentioned in the potential answers are SMTP (port 25), NetBIOS (ports 137–139), MySQL (port 3306), WINS (port 1512), FTP (ports 20 and 21), and MS-SQL (ports 1433/1434).
2. Which of the following tools is best suited to querying data provided by organizations like the American Registry for Internet Numbers (ARIN) as part of a footprinting or reconnaissance exercise?
A. nmap
B. traceroute
C. regmon
D. whois
The answer is D. Regional Internet registries like ARIN are best queried either via their websites or using tools like whois.
Nmap is a useful port scanning utility, traceroute is used for testing the path packets take to a remote system, and regmon is an outdated Windows Registry tool that has been supplanted by Process Monitor.
3. What type of system allows attackers to believe they have succeeded with their attack, thus providing defenders with information about their attack methods and tools?
A. A honeypot
B. A sinkhole
C. A crackpot
D. A darknet
The answer is A. Honeypots are systems that are designed to look like attractive targets. When they are attacked, they simulate a compromise, providing defenders with a chance to see how attackers operate and what tools they use. DNS sinkholes provide false information to malicious software, redirecting queries about command and control systems to allow remediation. Darknets are segments of unused network space that are monitored to detect traffic—since legitimate traffic should never be aimed at the darknet, this can be used to detect attacks and other unwanted traffic. Crackpots are eccentric people—not a system you’ll run into on a network.
4. What cybersecurity objective could be achieved by running your organization's web servers in redundant, geographically separate data centers?
A. Confidentiality
B. Integrity
C. Immutability
D. Availability
The answer is D. Redundant systems, particularly when run in multiple locations and combined with other protections to ensure uptime, help provide availability.
5. Which of the following vulnerability scanning methods will provide the most accurate detail during a scan?
A. Black box
B. Authenticated
C. Internal view
D. External view
The answer is B. An authenticated, or credentialed, scan provides the most detailed view of the system. Black box assessments presume no knowledge of a system and would not have credentials or an agent to work with on the system. Internal views typically provide more detail than external views, but neither provides the same level of detail that credentials allow.
6. In early 2017, a flaw was discovered in the Chakra JavaScript scripting engine in Microsoft's Edge browser that could allow remote code execution or denial of service via a specially crafted website. The CVSS 3.0 score for this reads CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
What is the attack vector and the impact to integrity based on this rating?
A. System, 9, 8
B. Browser, High
C. Network, High
D. None, High
The answer is C. In a CVSS 3.0 vector, AV is the attack vector; here N means Network. Confidentiality (C), Integrity (I), and Availability (A) appear at the end of the vector, and all three are rated High (H) in this rating, so the impact to integrity is High.
7. Ian is a security engineer tasked with performing vulnerability scans for his organization. Ian encounters a false positive error in one of his scans. What should he do about this?
A. Verify that it is a false positive, and then document the exception
B. Implement a workaround
C. Update the vulnerability scanner
D. Use an authenticated scan, and then document the vulnerability
The answer is A. When Ian encounters a false positive error in his scans, his first action should be to verify it. This may involve running a more in-depth scan like an authenticated scan, but could also involve getting assistance from system administrators, checking documentation, or other validation actions. Once he is done, he should document the exception so that it is properly tracked. Implementing a workaround is not necessary for false positive vulnerabilities, and updating the scanner should be done before every vulnerability scan. Using an authenticated scan might help but does not cover all of the possibilities for validation he may need to use.
8. Which phase of the incident response process is most likely to include gathering additional evidence such as information that would support legal action?
A. Preparation
B. Detection and Analysis
C. Containment, Eradication, and Recovery
D. Post-Incident Activity and Reporting
The answer is C. The Containment, Eradication, and Recovery phase of an incident includes steps to limit damage and document what occurred, including potentially identifying the attacker and tools used for the attack. This means that information useful to legal actions is most likely to be gathered during this phase.
9. Which of the following descriptions explains an integrity loss?
A. Systems were taken offline, resulting in a loss of business income.
B. Sensitive or proprietary information was changed or deleted.
C. Protected information was accessed or exfiltrated.
D. Sensitive personally identifiable information was accessed or exfiltrated.
The answer is B. Integrity breaches involve data being modified or deleted. Systems being taken offline is an availability issue, protected information being accessed might be classified as a breach of proprietary information, and sensitive personally identifiable information breaches would typically be classified as privacy breaches.
10. Which of the following techniques is an example of active monitoring?
A. Ping
B. RMON
C. Netflows
D. A network tap
The answer is A. Active monitoring sends traffic, such as pings, to remote devices as part of the monitoring process. RMON and NetFlow are both examples of router-based monitoring, whereas network taps allow passive monitoring.
11. Ian's monitoring detects regular traffic sent from a system that is suspected to be compromised and participating in a botnet to a set of remote IP addresses. What is this called?
A. Anomalous pings
B. Probing
C. Zombie chatter
D. Beaconing
The answer is D. Regular traffic from compromised systems to command and control nodes is known as beaconing. Anomalous pings could describe unexpected pings, but they are not typically part of botnet behavior; zombie chatter is a made-up term; and probing is part of scanning behavior in some cases.
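Added example (not from the study guide): a small beaconing detector in Python, run over constructed flow records. It groups outbound connections by source and destination, measures the gaps between successive connections, and flags pairs whose gaps are nearly constant. The sample records, the field layout, and the two thresholds are this example's assumptions, not data or settings from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed flow records (timestamp, src, dst, bytes); not real traffic.

    10.0.0.7 contacts 203.0.113.9 every 60 s with about 1 s of jitter, the way a
    bot checks in with its controller. 10.0.0.8 talks to 198.51.100.20 at
    irregular, human-looking intervals and should not be flagged.
    """
    start = datetime(2020, 1, 1, 9, 0, 0)
    flows = []
    for i in range(8):
        jitter = 1 if i % 2 else 0
        flows.append((start + timedelta(seconds=60 * i + jitter),
                      "10.0.0.7", "203.0.113.9", 412))
    for offset in (0, 7, 95, 101, 230, 600, 612, 2000):
        flows.append((start + timedelta(seconds=offset),
                      "10.0.0.8", "198.51.100.20", 15000))
    return flows


SAMPLE_FLOWS = build_sample_flows()


def find_beacons(flows, min_events=6, max_cv=0.2):
    """Return [(src, dst, mean_gap_seconds, cv)] for pairs whose timing is periodic.

    min_events: minimum connections before a pair is judged (assumed threshold).
    max_cv: maximum coefficient of variation (stdev / mean) of the gaps between
    connections; near-constant gaps give a cv close to 0 (assumed threshold).
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _size in flows:
        by_pair[(src, dst)].append(ts)

    beacons = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # only duplicate timestamps; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append((src, dst, round(avg, 1), round(cv, 3)))
    return beacons


if __name__ == "__main__":
    for src, dst, avg, cv in find_beacons(SAMPLE_FLOWS):
        print("possible beacon: %s -> %s every ~%ss (cv=%s)" % (src, dst, avg, cv))
```

On real data, feed it NetFlow or Zeek connection records for outbound traffic only and raise min_events. Malware often adds deliberate jitter to its check-in interval, so max_cv is a tuning knob rather than a constant, and legitimate software (NTP, update checks, monitoring agents) beacons too and needs an allow-list before anything is escalated.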
12. Which of the following tools is NOT useful for monitoring memory usage in Linux?
A. df
B. top
C. ps
D. free
The answer is A. The df command is used to show the amount of free and used disk space. Each of the other commands can show information about memory usage in Linux.
13. Which of the following tools cannot be used to make a forensic disk image?
A. xcopy
B. FTK
C. dd
D. EnCase
The answer is A. FTK, EnCase, and dd all provide options that support their use for forensic disk image creation. Since xcopy cannot create a bitwise image of a drive, it should not be used to create forensic images.
14. During a forensic investigation, Ian is told to look for information in slack space on the drive. Where should he look, and what is he likely to find?
A. He should look at unallocated space, and he is likely to find file fragments from deleted files.
B. He should look at unused space where files were deleted, and he is likely to find complete files hidden there by the individual being investigated.
C. He should look in the space reserved on the drive for spare blocks, and he is likely to find complete files duplicated there.
D. He should look at unused space left when a file is written, and he is likely to find file fragments from deleted files.
The answer is D. Slack space is the unused space between the end of a file's data and the end of the last cluster allocated to it. Since that space may previously have been occupied by another file, fragments of deleted files are likely to exist there and be recoverable. Unallocated space is space on the volume that is not currently assigned to any file; it often holds remnants of deleted files too, but searching it is not part of Ian's task. The reserved space maintained by drives for wear leveling (on SSDs) or to replace bad blocks (on spinning disks) may contain data, but again, this was not part of his task.
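Added example (not from the study guide) that illustrates questions 13 and 14 together: Python that builds a constructed "disk" in which a short new file overwrote the start of a cluster that previously held a longer, now deleted, memo; images the disk bit for bit in sector-sized chunks while hashing both source and destination, the way a dd-plus-hash workflow does; verifies the image; and then carves the slack space at the end of the allocated file. A file-level copy of the same file (what xcopy would give you) contains none of the slack. The cluster size, the file layout, and the memo text are all constructed for this example.

```python
import hashlib
import io

SECTOR = 512
CLUSTER = 4 * SECTOR  # 2048-byte allocation unit in this constructed layout

# Constructed content: a memo that filled cluster 1 before it was deleted, and
# a short file later allocated the same cluster. Nothing here is from a real drive.
OLD_MEMO = b"CONFIDENTIAL: transfer 50,000 to account 7781 before the audit on Friday. "
OLD_MEMO = (OLD_MEMO * (CLUSTER // len(OLD_MEMO) + 1))[:CLUSTER]
NEW_FILE = b"hello world\n"
FILE_OFFSET = 1 * CLUSTER  # the new file lives in cluster 1


def build_disk():
    """Four clusters of zeros, with the deleted memo under the new file in cluster 1."""
    disk = bytearray(4 * CLUSTER)
    disk[FILE_OFFSET:FILE_OFFSET + CLUSTER] = OLD_MEMO          # written, then "deleted"
    disk[FILE_OFFSET:FILE_OFFSET + len(NEW_FILE)] = NEW_FILE    # new file overwrites the head
    return bytes(disk)


def image_device(src, dst, chunk_size=SECTOR):
    """Copy src to dst in fixed-size chunks like dd, hashing both sides as it goes.

    Returns (source_sha256, image_sha256, bytes_copied). Hashing during the copy
    means the image can be verified without a second pass over the evidence media.
    """
    src_hash, dst_hash = hashlib.sha256(), hashlib.sha256()
    copied = 0
    while True:
        block = src.read(chunk_size)
        if not block:
            break
        src_hash.update(block)
        dst.write(block)
        dst_hash.update(block)
        copied += len(block)
    return src_hash.hexdigest(), dst_hash.hexdigest(), copied


def carve_slack(image, file_offset, file_size):
    """Bytes between the end of a file's data and the end of its last cluster."""
    last_cluster_end = ((file_offset + file_size + CLUSTER - 1) // CLUSTER) * CLUSTER
    return image[file_offset + file_size:last_cluster_end]


def logical_copy(image, file_offset, file_size):
    """What a file-level copy (xcopy, cp) yields: only the file's own bytes."""
    return image[file_offset:file_offset + file_size]


def demo():
    """Image the constructed disk, verify it, and compare slack against a logical copy."""
    disk = build_disk()
    image = io.BytesIO()
    src_sha, img_sha, copied = image_device(io.BytesIO(disk), image)
    image_bytes = image.getvalue()
    slack = carve_slack(image_bytes, FILE_OFFSET, len(NEW_FILE))
    logical = logical_copy(image_bytes, FILE_OFFSET, len(NEW_FILE))
    return {
        "verified": src_sha == img_sha == hashlib.sha256(image_bytes).hexdigest(),
        "bytes_copied": copied,
        "slack_bytes": len(slack),
        "slack_has_memo": b"account 7781" in slack,
        "logical_copy_has_memo": b"account 7781" in logical,
    }


if __name__ == "__main__":
    print(demo())
```

The hash comparison is the part to keep from this example: record the source hash before imaging, hash the image after, and store both with the chain-of-custody notes so the image can be shown to be a faithful copy later. Against a real device, use a write blocker and read from the block device node rather than from mounted files.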
15. What type of system is used to contain an attacker to allow them to be monitored?
A. A white box
B. A sandbox
C. A network jail
D. A VLAN
The answer is B. Sandboxes are used to isolate attackers, malicious code, and other untrusted applications. They allow defenders to monitor and study behavior in the sandbox without exposing systems or networks to potential attacks or compromise.
16. Ian's manager has asked him to ensure that a compromised system has been completely purged of the compromise. What is Ian's best course of action?
A. Use an antivirus tool to remove any associated malware
B. Use an antimalware tool to completely scan and clean the system
C. Wipe and rebuild the system
D. Restore a recent backup
The answer is C. The most foolproof means of ensuring that a system does not remain compromised is to wipe and rebuild it. Without full knowledge of when the compromise occurred, restoring a backup may not help, and both antimalware and antivirus software packages cannot always ensure that no remnant of the compromise remains, particularly if the attacker created accounts or otherwise made changes that wouldn’t be detected as malicious software.
17. What level of secure media disposition as defined by NIST SP 800-88 is best suited to a hard drive from a high-security system that will be reused in the same company by an employee of a different level or job type?
A. Clear
B. Purge
C. Destroy
D. Reinstall
The answer is B. NIST SP 800-88 defines three levels of action of increasing severity: clear, purge, and destroy. In this case, purging, which uses technical means to make data infeasible to recover, is appropriate for a high security device. Destruction might be preferable, but the reuse element of the question rules this out. Reinstallation is not an option in the NIST guidelines, and clearing is less secure.
18. Which of the following actions is not a common activity during the recovery phase of an incident response process?
A. Reviewing accounts and adding new privileges
B. Validating that only authorized user accounts are on the systems
C. Verifying that all systems are logging properly
D. Performing vulnerability scans of all systems
The answer is A. The recovery phase does not typically seek to add new privileges. Validating that only legitimate accounts exist, that the systems are all logging properly, and that systems have been vulnerability scanned are all common parts of an incident response recovery phase.
19. A statement like "Windows workstations must have the current security configuration template applied to them before being deployed" is most likely to be part of which document?
A. Policies
B. Standards
C. Procedures
D. Guidelines
The answer is B. This statement is most likely to be part of a standard. Policies contain high-level statements of management intent; standards provide mandatory requirements for how policies are carried out, including statements like that provided in the question. A procedure would include the step-by-step process, and a guideline describes a best practice or recommendation.
20. Ian is concerned with complying with the U.S. federal law covering student educational records. Which of the following laws is he attempting to comply with?
A. HIPAA
B. GLBA
C. SOX
D. FERPA
The answer is D. The Family Educational Rights and Privacy Act (FERPA) requires educational institutions to implement security and privacy controls for student educational records. HIPAA covers security and privacy for healthcare providers, health insurers, and health information clearing houses; GLBA covers financial institutions; and SOX applies to financial records of publicly traded companies.
21. A fire suppression system is an example of what type of control?
A. Logical
B. Physical
C. Administrative
D. Operational
The answer is B. Fire suppression systems are physical controls. Logical controls are technical controls that enforce confidentiality, integrity, and availability. Administrative controls are procedural controls. "Operational" is not one of the control types in the physical/logical/administrative classification this question uses; note that other frameworks, such as NIST SP 800-53, do group controls as management, operational, and technical, which is the sense in which penetration testing is described later on this page as an operational control.
22. Ian is concerned that Bernie and Chris are conspiring to use their access to defraud their organization. What personnel control will allow Ian to review their actions to find any issues?
A. Dual control
B. Separation of duties
C. Background checks
D. Cross training
The answer is B. Ian should implement separation of duties in a way that ensures that Bernie and Chris cannot abuse their rights without a third party being involved. This will allow review of their actions and should result in any issues being discovered.
23. Ian wants to implement an authentication protocol that is well suited to untrusted networks. Which of the following options is best suited to his needs in its default state?
A. Kerberos
B. RADIUS
C. LDAP
D. TACACS+
The answer is A. Kerberos is designed to run on untrusted networks and encrypts authentication traffic by default. LDAP and RADIUS can be encrypted but are not necessarily encrypted by default (and LDAP has limitations as an authentication mechanism). It is recommended that TACACS+ be run only on isolated administrative networks.
24. Which software development life cycle model uses linear development concepts in an iterative, four-phase process?
A. Waterfall
B. Agile
C. RAD
D. Spiral
The answer is D. The Spiral model uses linear development concepts like those used in Waterfall but repeats four phases through its life cycle: requirements gathering, design, build, and evaluation.
Which one of the following objectives is not one of the three main objectives that information security professionals must achieve to protect their organizations against cybersecurity threats?
Answer:
The three primary objectives of cybersecurity professionals are confidentiality, integrity, and availability.
Carol is preparing to conduct a cybersecurity risk assessment for her organization. If Carol chooses to follow the standard process proposed by NIST, which one of the following steps would come first?
Answer:
The NIST risk assessment process says that organizations should identify threats before identifying vulnerabilities or determining the likelihood and impact of risks.
Which one of the following threat categories require that cybersecurity analysts consider the following: capability, intent, and targeting of the threat source?
Answer:
Adversarial threat analysis requires examining the capability of the threat source, the intent of the threat source, and the likelihood that the threat will target the organization.
Jimbose is assessing the security of several database servers at his datacenter and realizes that one of them is missing a critical Oracle security patch. What type of situation has Jimbose detected?
Answer:
In this scenario, Jimbose identified a deficiency in the security of his database server that renders it vulnerable to attack.
This is a security vulnerability.
Jimbose has not yet identified a specific risk because he has not identified a threat (such as a hacker) that might exploit this vulnerability.
Which one of the following is an example of an operational security control?
Answer:
Penetration tests are an example of an operational security control. Encryption software, network firewalls, and antivirus software are all examples of technical security controls.
Lindsey is conducting a cybersecurity risk assessment and is considering the impact that a failure of her city’s power grid might have on the organization. What type of threat is she considering?
Answer:
Widespread infrastructure failures, such as those affecting the power grid or telecommunications circuits, are considered man-made disasters and fall under the category of environmental threats.
Jean would like to deploy consistent security settings to all of his Windows systems simultaneously. What technology can he use to achieve this goal?
Answer:
Jean, like any Windows administrator, can use Group Policy Objects (GPOs) to control a wide variety of Windows settings and to create different policies that apply to different classes of system.
What type of firewall provides the greatest degree of contextual information and can include information about users and applications in its decision-making process?
Answer:
Next-generation firewalls (NGFWs) incorporate contextual information about users, applications, and business processes in their decision-making process.
When performing 802.1x authentication, what protocol does the authenticator use to communicate with the authentication server?
Answer:
The Remote Authentication Dial-In User Service (RADIUS) is the authentication protocol used for communication between the authenticator and the authentication server during the 802.1x authentication process.
Bernie is responding to a security incident that compromised his organization’s web servers. He does not believe that the attackers modified or stole any information, but they did disrupt access to the organization’s website . What cybersecurity objective did this attack violate?
Answer:
In availability attacks, the attacker disrupts access to information or a service by legitimate users. In this attack, the attacker disrupted access to the organization’s website, violating the principle of availability.
Benjamin is participating in a cybersecurity wargame exercise. His role is to attempt to break into adversary systems. What team is Benjamin on?
Answer:
Benjamin would be on the red team. The red team plays the role of the attacker and uses reconnaissance and exploitation tools to attempt to gain access to the protected network.
Jessica’s organization has a Bring Your Own Device (BYOD) policy, and she would like to ensure that devices connected to the network under this policy have current antivirus software. What technology can best assist her with this goal?
Answer:
Network access control (NAC) solutions are able to verify the security status of devices before granting them access to the organization’s network.
Devices not meeting minimum security standards may be placed on a quarantine network until they are remediated.
During what phase of a penetration test should the testers obtain signed written authorization to conduct the test?
Answer:
During the planning phase of a penetration test, the testers should have the timing, scope, and authorization for the test confirmed in writing and signed.
Moses is configuring a jump box server that system administrators will connect to from their laptops. Which one of the following ports should definitely NOT be open on the jump box?
Answer:
Port 23, used by the Telnet protocol, is unencrypted and insecure.
Connections should not be permitted to the jump box on unencrypted ports.
The services running on ports 22 (SSH), 443 (HTTPS), and 3389 (RDP) all use encryption.
James is configuring a new device that will join his organization’s wireless network. The wireless network uses 802.1x authentication. What type of agent must be running on the device for it to join this network?
Answer:
Any device that wishes to join an 802.1x network must be running an 802.1x supplicant that can communicate with the authenticator before joining the network.
Which step occurs first during the attack phase of a penetration test?
Answer:
After the completion of the discovery phase, penetration testers first seek to gain access to a system on the targeted network and then may use that system as the launching point for additional attacks. (IoT devices count as systems here: in theory, a vulnerable smart bulb on your home network can be the foothold from which an attacker reaches the computer you do your banking on.)
Angel would like to implement a specialized firewall that can protect against SQL injection, cross-site scripting, and similar attacks. What technology should she choose?
Answer:
Web application firewalls (WAFs) are specialized firewalls designed to protect against web application attacks, such as SQL injection and cross-site scripting.
Which one of the following techniques might be used to automatically detect and block malicious software that does not match known malware signatures?
Answer:
Sandboxing is an approach used to detect malicious software based on its behavior rather than its signatures. Sandboxing systems watch systems and the network for unknown pieces of code and, when they detect an application that has not been seen before, immediately isolate that code in a special environment known as a sandbox where it does not have access to any other systems or applications.
This is a vast topic, and covering it in its entirety, with correct answers, tested content, and off-site links suitable for beginner study, takes a lot of time.
We at MiltonMarketing.com believe education should always be FREE. Our content will always be FREE.
Having said that, we are human, we do have lives outside the digital world and your voluntary support would be appreciated. Buy us a cup of coffee.
What is Nmap?
Nmap (Network Mapper) is a network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection, and other features. Nmap can adapt to network conditions including latency and congestion during a scan.
Nmap started as a Linux utility and was ported to other systems including Windows, macOS, and BSD. It is most popular on Linux, followed by Windows.
Nmap features include:
- Fast scan (nmap -F [target]) – Scans the 100 most common ports instead of the default 1,000, for a quicker result.
- Host discovery – Identifying hosts on a network. For example, listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
- Port scanning – Enumerating the open ports on target hosts.
- Version detection – Interrogating network services on remote devices to determine application name and version number.
- Ping scan (nmap -sn [target]) – Checks which hosts are up by sending probes without port scanning them.
- TCP/IP stack fingerprinting – Determining the operating system and hardware characteristics of network devices based on observations of network activity of said devices.
- Scriptable interaction with the target – Using the Nmap Scripting Engine (NSE) and the Lua programming language.
Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
Typical uses of Nmap:
- Auditing the security of a device or firewall by identifying the network connections which can be made to, or through it.
- Identifying open ports on a target host in preparation for auditing.
- Network inventory, network mapping, maintenance and asset management.
- Auditing the security of a network by identifying new servers.
- Generating traffic to hosts on a network, response analysis and response time measurement.
- Finding and exploiting vulnerabilities in a network.
- DNS queries and subdomain search
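Added example, written for this page and not taken from the study guide or the Nmap project: Python that parses Nmap's XML output (what `nmap -oX` writes) with the standard library, lists each host's open TCP ports, labels them with the well-known services quoted in the answer to question 1, and flags open cleartext protocols of the kind the jump box question says should never be reachable. The XML is constructed to mirror the element structure of a real `-oX` file; the addresses, hostname, banners, and scan arguments are made up.

```python
import xml.etree.ElementTree as ET

# Constructed to mirror the structure nmap writes with -oX; hosts and banners are invented.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.5 10.0.0.9" version="7.80" start="1577869200">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="db01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/><service name="https" method="table" conf="3"/></port>
      <port protocol="tcp" portid="1521"><state state="open" reason="syn-ack"/><service name="oracle-tns" product="Oracle TNS listener" method="probed" conf="10"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/><service name="telnet" method="table" conf="3"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/><service name="ms-wbt-server" method="table" conf="3"/></port>
      <port protocol="udp" portid="137"><state state="open|filtered" reason="no-response"/><service name="netbios-ns" method="table" conf="3"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Conventional TCP port assignments cited in the answer key above.
WELL_KNOWN_TCP = {
    20: "FTP data", 21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS", 443: "HTTPS",
    445: "Microsoft-DS", 1433: "MS-SQL", 1434: "MS-SQL", 1512: "WINS",
    1521: "Oracle", 3306: "MySQL", 3389: "RDP",
}
CLEARTEXT_TCP = {21: "FTP", 23: "Telnet"}  # unencrypted admin/transfer protocols


def parse_nmap_xml(xml_text):
    """Return one dict per <host>: {'addr', 'hostname', 'ports': [(port, proto, state, service)]}."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML document (root element is %r)" % root.tag)
    hosts = []
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # IPv6-only target: fall back to whatever address nmap recorded
            addr = host.find("address")
        hostname = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            service = port.find("service")
            ports.append((
                int(port.get("portid")),
                port.get("protocol"),
                state.get("state") if state is not None else "unknown",
                service.get("name") if service is not None else None,
            ))
        hosts.append({
            "addr": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
            "ports": ports,
        })
    return hosts


def open_tcp_ports(host):
    """Sorted TCP ports nmap reported as open (open|filtered is not counted)."""
    return sorted(p for p, proto, state, _ in host["ports"]
                  if proto == "tcp" and state == "open")


def label_ports(ports):
    """Pair each port with its conventional service, as the exam question does."""
    return [(p, WELL_KNOWN_TCP.get(p, "unassigned/unknown")) for p in ports]


def cleartext_exposure(host):
    """Open TCP ports carrying unencrypted protocols; these should not be reachable on a jump box."""
    return [p for p in open_tcp_ports(host) if p in CLEARTEXT_TCP]


if __name__ == "__main__":
    for host in parse_nmap_xml(SAMPLE_XML):
        print(host["addr"], host["hostname"], label_ports(open_tcp_ports(host)),
              "cleartext:", cleartext_exposure(host))
```

Two caveats that matter in practice: the service name nmap prints with `method="table"` is a guess from the port number, not an observation, so only `method="probed"` results (from `-sV`) tell you what actually answered; and the mapping from port to service is a convention, so an authenticated scan or a banner grab is needed before an open 1521 is reported as an Oracle listener rather than merely "something on 1521".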