CompTIA CySA+ (D483) Questions and Complete Solutions Graded A+, Exams of Business Management and Analysis


Typology: Exams

2024/2025

Available from 04/20/2025

exam-plug
CompTIA CySA+ (D483) Questions and
Complete Solutions Graded A+
Security Content Automation Protocol (SCAP) - Answer: A suite of interoperable specifications
designed to standardize the formatting and naming conventions used to identify and report on
the presence of software flaws, such as misconfigurations and/or vulnerabilities.
SCAP Languages - Answer: * Open Vulnerability and Assessment Language (OVAL)
* Asset Reporting Format (ARF)
* Extensible Configuration Checklist Description Format (XCCDF)
Nikto - Answer: Command line web server scanner that the security analyst can use to
specifically identify vulnerabilities in web servers. It can quickly scan multiple web servers and
provide comprehensive information on any detected vulnerabilities.
Cybersecurity service-level objectives (SLOs) - Answer: Objectives that help measure and assess
the effectiveness of security operations.
Include:
* Mean Time to Detect (MTTD)
* Mean time to Recover (MTTR)
* Time to Patch.
Threat modeling - Answer: The process of identifying and assessing the possible threat actors
and attack vectors that pose a risk to the security of an app, network, or other system.

It is typically a collaborative process.
Technical Security Controls - Answer: A category of security control that is implemented as a system (hardware, software, or firmware). Examples include firewalls, antivirus software, and OS access control. Also called logical controls.
Managerial Security Controls - Answer: Managerial controls focus on evaluating and managing risks at a broader organizational level. A category of security control that gives oversight of the information system.
Operational Security Controls - Answer: Day-to-day procedures and guidelines implemented and followed by employees and IT staff. A category of security control that is implemented by people. For example, security guards and training programs are operational controls rather than technical controls.
Preventative Security Controls - Answer: A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
Detective Security Controls - Answer: A type of security control that acts during an incident to identify or record that it is happening.
Corrective Security Controls - Answer: A type of security control that acts after an incident to eliminate or minimize its impact.
Responsive Security Controls - Answer: A type of security control that serves to direct corrective actions after an incident has been confirmed.

* CSIRT
* Deep/Dark Web
* Internal Sources
* Government Bulletins
Decoy Methods - Answer:
* Active Defense - Using offensive actions to outmaneuver an adversary to make an attack harder to execute.
* Honeypots - A host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.
Indicators of Attack (IoA) - Answer: Signs or clues indicating a malicious attack on a system or network is currently occurring. These include, but are not limited to, unusual network traffic, strange log file entries, or suspicious user account activity.
Indicators of Compromise (IoC) - Answer: Suggest that a security incident may have occurred, such as traffic from an IP or domain associated with malicious activity. Identified in system and application logs, network monitoring software, endpoint protection tools, and security information and event management (SIEM) platforms. Do not prove a successful attack or breach has occurred.
JavaScript Object Notation (JSON) - Answer: An ideal choice for web applications due to its lightweight nature, ease of parsing in JavaScript environments, and efficient client-server communication over networks. Good for large data sets.
Secure Access Service Edge (SASE) - Answer: A networking and security architecture that provides secure access to cloud applications and services while reducing complexity. It combines security services like firewalls, identity and access management, and secure web gateway with networking services such as SD-WAN.
Benefits of a Zero Trust Architecture - Answer: Provides better:
* Security
* Access controls
* Compliance
* Granularity
Secure Access Service Edge (SASE) Features - Answer:
* Aims to simplify the complexity of managing multiple network and security services by combining networking and security functions into a single cloud-hosted service.
* Eliminates the need for dedicated hardware.
Federation - Answer: A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
OpenID - Answer: An identity federation method that enables users to be authenticated on cooperating websites by a third-party authentication service.
Security Assertion Markup Language (SAML) - Answer: An XML-based data format used to exchange authentication information between a client and a service.
Simple Object Access Protocol (SOAP) - Answer: XML-based web services protocol that is used to exchange messages. Establishes connections for SAML sessions.

* Block - The user is prevented from copying the original file but retains access to it.
* Quarantine - Access to the original file is denied to the user.
* Tombstone - The original file is quarantined and replaced with one describing the policy violation and how the user can release it again.
Logging Levels - Answer:
* DEBUG: used for debugging purposes
* INFO: used for informative messages
* WARNING: used to indicate a potential problem
* ERROR: used to indicate a serious problem
* CRITICAL: used to indicate a critical problem
Syslog Logging Levels - Answer:
* 0 Emergency (emerg): system is unusable.
* 1 Alert (alert): immediate action required.
* 2 Critical (crit): critical conditions.
* 3 Error (error): error conditions.
* 4 Warning (warn): warning conditions.
* 5 Notice (notice): normal but significant conditions.
* 6 Informational (info): informational messages.
* 7 Debug (debug): messages helpful for debugging.
Application Programming Interface (API) - Answer: A set of functions and procedures that allow two or more applications to communicate with each other. Defines the types of calls or requests that can be made, how to make them, the data formats that should be used, and the conventions to follow.

Webhooks - Answer: Allow real-time data transfer between two systems by sending a notification to the receiving system when specific events occur in the sending system. Useful to trigger automated actions such as an update.
Plugins - Answer: Add-ins that help tailor the software product to more closely match the infrastructure being managed, which differs from one organization to another.
Capability Maturity Model Integration (CMMI) - Answer: Describes five levels of maturity within the operational or software capabilities of an organization.
Active Scanning - Answer: Directly interacting with a device or software to identify vulnerabilities.
Passive Scanning - Answer: Identifies vulnerabilities without direct interaction with a device or software; usually done through network packet capture.
Fingerprinting - Answer: Focuses attention on an individual device to better understand its purpose, vendor, software versions, configuration details, and the existence of vulnerabilities.
Static Analysis vs. Dynamic Analysis - Answer:
* Static: The process of reviewing uncompiled source code.
* Dynamic: Examines code behavior during runtime.
Configuration Baseline - Answer: List of requirements regarding how a device, operating system, or software is configured to operate. Outlines the minimum set of requirements.

Common Vulnerabilities and Exposures (CVE) - Answer: A list of records where each item contains a unique identifier used to describe publicly known vulnerabilities.
Common Configuration Enumeration (CCE) - Answer: Similar to CVE, except focused on configuration issues which may result in a vulnerability.
CVSS Ranges - Answer:
* None: 0
* Low: 0.1 - 3.
* Medium: 4.0 - 6.
* High: 7.0 - 8.
* Critical: 9.0 - 10
Vulnerability Results - Answer:
* False Positive - Incorrectly indicates that a vulnerability or misconfiguration is present when it is not.
* True Positive - When a vulnerability scan correctly identifies a vulnerability.
* False Negative - When a vulnerability scan incorrectly indicates that a vulnerability does not exist.
* True Negative - Correctly indicates that a system or device does not have a vulnerability.
Action Plans - Answer: Provide direction and focus, enabling organizations to achieve strategic goals and objectives.
Action Plan Outcomes - Answer:
* Establishing Security Policies
* Training Staff
* Software Patching
* Compensating Controls
* Configuration Management

Stages of the Incident Response Life Cycle - Answer:
1. Preparation - Make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies the creation of incident response resources and procedures.
2. Detection and Analysis - Determine whether an incident has taken place and assess how severe it might be (triage), followed by notification of the incident to stakeholders.
3. Containment - Limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.
4. Eradication and Recovery - Once the incident is contained, the cause can be removed and the system brought back to a secure state. The response process may have to iterate through multiple phases of detection, containment, and eradication to effect a complete resolution.
5. Post-incident Activity - Analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. This phase is very commonly referred to as lessons learned. The outputs from this phase feed back into a new preparation phase in the cycle.
Incident Response Tests - Answer:
* Tabletop Exercises - Bring together the personnel who would respond to an incident, often in a simulated setting, to test the effectiveness of their communication and response plans.
* Mock Incidents - Scenario-based simulations that organizations create to test how the incident response plan actually works in practice.
* Full Incident Simulations - Mock incidents that include the full set of people and organizations involved in responding to an incident.
Playbooks - Answer: Steps that staff need to take to respond to a security incident, such as the specific roles, processes, and procedures that security staff must follow. Guide communication with stakeholders and the public, as well as guide how to gather evidence and determine the incident's root cause.

Breach Types - Answer:
* Data Exfiltration
* Insider Data Exfiltration
* Device Theft/Loss
* Accidental Data Breach
* Integrity/Availability
Incident Report Sections - Answer:
* Executive Summary - Should provide a brief overview of the document, including the purpose, key points, and conclusion. It should include relevant background information to provide context for the rest of the document.
* Impact - Describes how a security incident affects an organization's operations, data, personnel, or reputation and is typically measured in terms of costs, downtime, loss of customer trust, or other factors.
* Scope - Identifies the magnitude of the incident and the resources needed to restore services. It operates as a measure to guide the prioritization and management of the resources necessary to ensure an efficient response.
* Evidence - Any information collected during the investigation that can provide clues to help identify the attack and explain the circumstances surrounding it.
* Recommendations - Include details regarding what to do in response to the incident. Some of the suggestions will be in direct response to containing the immediate damage, but others may focus on longer-term objectives.
Packet Capture Tools - Answer:
* Wireshark - An open-source graphical packet capture utility, with installer packages for most operating systems. The output is displayed in a three-pane view, with the top pane
* Tcpdump - Command line packet capture utility for Linux, though a version of the program is available for Windows. The utility can display captured packets to the console and write capture data to pcap format files using the -w switch.

Maltego - Answer: Scanning/intelligence tool specifically designed for gathering public information and visualizing the relationships between various entities.
Whois - Answer: A look-up service that provides information about a domain name or IP address. It queries domain registry databases for the name, address, email address, phone number, and other information about the person or entity associated with a domain name or IP address.
AbuseIPDB - Answer:
* Very popular website used by analysts to investigate suspicious traffic.
* Used to identify malicious network traffic or suspicious emails by submitting an IP address to the platform's database search tool.
VirusTotal - Answer: Provides a free service designed to inspect files and URLs using over 70 antimalware scanners and domain blocklisting services. The website provides a comprehensive report describing any malicious content, including the type of malware, malware names provided by various antimalware vendors, indicators, file hashes, different file names observed in the wild, relationships to domains, IP addresses and files, behavioral characteristics, and community discussion.
Joe Sandbox - Answer: Malware analysis platform that inspects executable files, suspicious URLs, and many other features. It offers easy access to behavior analysis, signature detection, and sandboxing technology to identify and analyze malicious files in a safe and controlled environment.
Cuckoo - Answer: Free, open-source malware analysis tool that allows security researchers to analyze and detect advanced malware threats.
Cloud-based Sandbox Environments - Answer:
* Joe Sandbox
* CrowdStrike's Hybrid Analysis
* Cuckoo

* Victim - This element represents the organization or individual the adversary has targeted, such as government agencies, businesses, or individuals. Victims vary in size, industry type, and defensive capabilities.
Email Process - Answer:
* When an email is created, the mail user agent (MUA) creates an initial header and forwards the message to a mail delivery agent (MDA).
* The MDA should check that the sender is authorized to issue messages from the domain. Assuming the email is not being delivered locally at the same domain, the MDA adds or amends its own header and then transmits the message to a message transfer agent (MTA).
* The MTA routes the message to the recipient, using DNS to locate the recipient's MTA, with the message passing via one or more additional MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA adds information to the header.
Mail User Agent (MUA) > Mail Delivery Agent (MDA) > Message Transfer Agent (MTA)
Email Sender Fields - Answer:
* Display from - The sender's email address. This is the field displayed by an email client as the "From" field. It is submitted using a From: header in the message body.
* Envelope from - A return address for use if the email is rejected by the recipient MTA. The value of this field is submitted using the MAIL FROM SMTP command and is officially designated as RFC5321.MailFrom. The mail client normally hides this field. It can take various labels, including return-path.
* Received from/by - A list of the MTAs that processed the email. Each MTA identifies itself and the server that sent the message. If an adversary is spoofing a domain, the true origin of the message is likely to be revealed by examining this list of servers. When starting a session with another SMTP server, a server identifies itself using the HELO/EHLO string.
Sender Policy Framework (SPF) - Answer: Verifies the sender's domain and authorizes the user to send messages from that domain. Detects forged sender addresses in emails.
DomainKeys Identified Mail (DKIM) - Answer: Verifies message content. Provides a cryptographic authentication mechanism for DNS records and supplements SPF.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) - Answer: Combines two other email authentication protocols, SPF and DKIM. Verifies the authenticity of embedded links by checking the sender's domain against the DMARC record.
Abnormal Account Activity Examples - Answer:
* A user account for an employee with well-defined working hours being used during the night
* A user account provisioned to only work on desktop computers being used on a server computer
* A user account created on a local computer or created by a user without authorization to create accounts
* An account being added to a group unexpectedly or added by an unauthorized individual
Abnormal Behavior Patterns - Answer:
* Evidence of communication with known malicious IP addresses or domain names

* Social Media
* Media and Document Files
Rogue Machine Detection - Answer:
* Visual inspection of ports/switches
* Network mapping/host discovery
* Wireless monitoring
* Packet sniffing and traffic flow
* NAC and intrusion detection
Shell - Answer: Where the attacker opens a listening port that exposes the command prompt on the local host and connects to that port from a remote host.
Reverse Shell - Answer: Where the attacker opens a listening port on the remote host and causes the infected host to connect to it. Typically used to exploit organizations that have not configured outbound traffic filtering at the firewall.
Free command - Answer: Linux command that outputs a summary of memory utilization. It retrieves this information from /proc/meminfo and displays information about physical and swap memory.
Top command - Answer: Linux command that creates a scrollable, real-time table of every running process. The table includes process ID, user, CPU percentage used, memory percentage used, execution time, and information about each process.
Detecting Excessive Processor and Memory Consumption - Answer:
* Use Task Manager in Windows
* Use the free/top command in Linux

Windows Process Analysis Tools - Answer:
* Process Monitor
* tasklist
* PE Explorer
Common IoCs Associated with Account Usage - Answer:
* Unauthorized sessions
* Failed logons
* New accounts
* Guest account usage
* Off-hours usage
Vulnerability Scanners (Actual Tools) - Answer:
* Nessus
* OpenVAS
* Qualys
* Nmap
Nessus - Answer: One of the best-known commercial vulnerability scanners. The product is free to use for home users but paid for on a subscription basis for enterprises.
OpenVAS - Answer: Open-source software, originally developed from the Nessus codebase prior to when Nessus became commercial software.
Qualys - Answer: Cloud-based, proprietary vulnerability scanner. Users install sensors at various points in their network, which can include cloud locations, and the sensors upload data to the cloud platform for analysis.
Nmap - Answer: Popular open-source tool for network discovery, mapping, and security auditing. Its features include the ability to scan a large number of hosts, detect operating systems and applications, and perform vulnerability assessments.