Appendix A
Practice Exam

This appendix contains a full-length practice exam designed to be similar to the CompTIA Cybersecurity Analyst (CySA+) exam. The questions are balanced among the CySA+ domains, and the question content is similar to what you will find on the exam.

Our recommendation is that you save this exam until you have completed your first round of studying and then attempt the exam in a single sitting to simulate the real exam experience.

After grading your exam, you may use it to highlight areas of study that you should revisit before taking the real exam. You will find the answers and explanations to this exam listed in Appendix B.

Good luck with the practice test and best wishes for success on the CySA+ exam!

Exam Questions

Tom is preparing to build a credit card processing system. As he creates his design, he realizes that the operating environment will not allow him to include one of the PCI DSS required elements. What type of control should Tom discuss implementing?
1. Technical control
2. Operational control
3. Administrative control
4. Compensating control
Shane administers a Linux server running Apache. During the middle of his workday, tweets start to appear in his Twitter feed about compromises of Apache servers due to a flaw that had not been previously reported. What type of threat is this?
1. A local exploit
2. Advanced persistent threat
3. A zero-day exploit
4. A zero-knowledge threat
Juan is analyzing systems on his network for known indicators of compromise. What term best describes the work he is performing?
1. Threat hunting
2. Vulnerability scanning
3. Intrusion prevention
4. Data mining
Which one of the following controls may be used to attract the attention of intruders who gain access to a network segment so that they are distracted from high-value targets and may be monitored?
1. MAC
2. Honeypot
3. Intrusion prevention system
4. Rogue AP
While engaging in an attack, the attacker sends an email message to the targeted victim that contains malicious software as an attachment. What phase of the Cyber Kill Chain is occurring?
1. Weaponization
2. Delivery
3. Action on Objectives
4. Reconnaissance
Betsy receives many requests from IT staff members for remote access to internal systems through the DMZ. What type of system might Betsy place in the DMZ to accommodate these requests?
1. Jump box
2. Virtual machine
3. Honeypot
4. Firewall
Karen is configuring the host firewall on a web server that allows both encrypted and unencrypted web connections. It also must allow SSH access for users to securely drop off files. Which one of the following ports should not be open on the host firewall?
1. 22
2. 80
3. 443
4. 1433
Jacob has been tasked with using NetFlow to monitor network traffic flows in his organization, but the systems he is using are unable to keep up with the volume of data. What is his best option to deal with the traffic without adding new hardware while retaining visibility into the entire network?
1. Switch to RMON monitoring
2. Use flow sampling
3. Decrease the number of flows allowed for each user
4. Use packet shaping to reduce traffic rates to one that the flow collector can keep up with
Brooke is helping her organization implement a new cloud service. She is configuring the operating system on a server built in the cloud provider's environment. What cloud service model is in use?
1. PaaS
2. FaaS
3. SaaS
4. IaaS
Barry joins a hotel wireless network and opens a web browser. No matter which page he visits, he is redirected to a web page requesting him to provide his name and room number. What type of network access control is the hotel using?
1. In-band
2. Out-of-band
3. 802.1x
4. Agent-based
Charles has been asked to secure the wired network that is normally a suite of offices that will be temporarily used by a visiting team from another company. If he wants to continue to allow members of his team to use the jacks, what technical means can he use to do this while also verifying the security posture of the systems that connect?
1. NAC
2. MAC filtering
3. Port security
4. HIPS
Which one of the following components is built into most modern computer systems and is used to store disk encryption keys?
1. HSM
2. Trusted foundry
3. Root of trust
4. TPM
Which media disposition is typically the most expensive option from NIST's options in NIST SP 800-88?
1. Clearing
2. Purging
3. Destruction
4. Obliteration
What type of firewall is able to incorporate contextual information about the user and application when making permit/deny decisions?
1. NGFW
2. Perimeter firewall
3. Stateful inspection
4. Packet filter
During a network attack simulation exercise, which team is responsible for securing the targeted environment?
1. Red
2. White
3. Blue
4. Black
Laura is investigating a potential security breach within her organization. She believes that an attacker stole a file containing employee information. Which information security tenet would this attack violate?
1. Confidentiality
2. Integrity
3. Availability
4. Nonrepudiation
Which of the following incident response activities should not happen during the eradication phase of incident response?
1. Sanitization
2. Reconstruction/re-imaging
3. Secure disposal
4. Segmentation
Karen is conducting a risk analysis for her organization and identifies that one potential threat is a widespread power outage that disrupts service to her organization's datacenters. How should Karen classify this threat?
1. Accidental
2. Adversarial
3. Structural
4. Environmental
Which of the following is not a law?
1. HIPAA
2. PCI DSS
3. FERPA
4. SOX
Which of the following is not typically involved in the initial phases of a CSIRT activation?
1. Technical staff
2. CSIRT leader
3. Law enforcement
4. First responder
Which one of the following activities would not normally occur during the attack phase of a penetration test?
1. System browsing
2. Network reconnaissance
3. Escalating privileges
4. Gaining access
Bob is evaluating the risk to his organization from advanced persistent threat (APT) attackers. He assesses the likelihood of this risk occurring to be medium and the impact high. How would this risk be categorized under most organizations' risk evaluation matrices?
1. Low risk
2. Moderate risk
3. Semi-moderate risk
4. High risk
Which of the following is not a common network issue?
1. Bandwidth consumption
2. Beaconing
3. Link aggregation
4. Unexpected traffic
Richard wants to build DDoS detection capability into his network. Which of the following tools is not appropriate for that task?
1. Network bandwidth monitoring tools
2. IPS
3. Active performance monitoring tools
4. Network fuzzers
Which one of the following technologies is commonly used to integrate software as a service (SaaS) productivity platforms?
1. API
2. SOAR
3. SCAP
4. CI/CD
What concern may make active monitoring less attractive in some heavily used networks?
1. Active monitoring can't monitor busy networks.
2. Active monitoring bypasses IPSs.
3. Active monitoring consumes additional bandwidth.
4. Active monitoring requires SNMP to be enabled.
What security tool generated the output shown here?
1. Nessus
2. Traceroute
3. Nmap
4. Syslog
Which one of the following analysis techniques requires samples of known malicious activity to identify future instances of the same activity?
1. Signature analysis
2. Trend analysis
3. Behavioral analysis
4. Anomaly analysis
Fiona is investigating the misuse of her company's network and needs to capture network traffic for analysis. She wants to use a dedicated open source tool that is designed for packet capture and analysis. Which one of the following tools best meets her needs?
1. Nessus
2. Nmap
3. Wireshark
4. Nikto
Bill is analyzing a system that is experiencing strange symptoms. He would like a list of the open network connections on that system. Which one of the following tools would be helpful in this scenario?
1. Traceroute
2. Netstat
3. Tcpdump
4. Wireshark
Which of the following is not a reason to avoid imaging live systems?
1. The drive may be modified by the forensic tool.
2. The drive contents may change during the imaging process.
3. Unallocated space will not be included.
4. Capturing memory contents is more difficult.
Which incident response phase includes filing catch-up change requests in the organization's change control process?
1. Eradication
2. Containment
3. Recovery
4. Postincident activities
Brian is a new hire to his company as a threat hunter and he is beginning by developing scenarios of potential attacks. What threat hunting activity is Brian performing?
1. Reducing the attack surface area
2. Establishing the hypothesis
3. Profiling threat actors
4. Gathering evidence
Rodney's company wants to prevent phishing attacks from resulting in account compromise. Which of the following solutions will provide the most effective solution?
1. Implement context-aware authentication.
2. Use enhanced password requirements.
3. Add token-based authentication.
4. Set a shorter password lifespan.
The group of developers that Cynthia is part of tests each software component or function before integrating it into larger software modules. What is this process called?
1. Code segmentation
2. Unit testing
3. UAT
4. Fagan inspection
At what stage in the incident response process does a CSIRT move from primarily passive to primarily active work?
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Postincident Activity
Howard is analyzing the logs from his firewall and sees that the same IP address attempted blocked connections to the same server many different times. What is the most likely explanation for this activity?
1. Denial-of-service attack
2. Port scan
3. SQL injection
4. Cross-site scripting
Ron is reviewing Cisco router logs from his organization and would like an easy way to filter the logs down to those that are most critical. What Cisco log level represents an emergency situation?
1. 0
2. 1
3. 6
4. 7
Angela wants to search for rogue devices on her network. Which of the following techniques will best help her identify systems if she has a complete hardware and systems inventory?
1. MAC address vendor checking
2. Site surveys
3. Traffic analysis for unexpected behavior
4. MAC address verification
What type of control can be put in place and documented if an existing security measure is too difficult to implement or does not fully meet security requirements?
1. Cost limiting
2. Administrative
3. Compensating
4. Break-fix
What security tool generated the output shown here?
1. Wireshark
2. Nessus
3. Nmap
4. Nexpose
Tom would like to use nmap to perform service fingerprinting and wants to request banner information from scanned services. What flag should he use?
1. -oG
2. -sS
3. -b
4. -sV
Use the following scenario for questions 43–45.
Insecure, Inc. has experienced multiple data breaches over the past 6 months and has recently hired Cynthia, a new information security officer. Cynthia's first task is to review Insecure, Inc.'s defenses with the goal of identifying appropriate defenses to put in place.

Cynthia knows that her new employers had two major breaches. Breach A occurred when an employee took home a USB external drive with sensitive customer information as well as corporate planning data for the following year. The employee left the drive in their car, and the car was broken into overnight. In the morning, the drive was gone. Insecure, Inc. is uncertain about the fate of the drive and is concerned that customer data as well as their top-secret plans to best their competitors may have been exposed.

Breach B was caused when Insecure, Inc.'s new web application was attacked by unknown attackers who used a SQL injection attack to insert new data into their e-commerce application. Insecure, Inc.'s website was quickly deluged with deal seekers, who put in hundreds of orders for Insecure's newly inexpensive products—the attackers had managed to change the price for almost every product they sold. Insecure, Inc. managed to cancel most of the orders before they shipped, but they have had to deal with angry customers since the event.

Using this information, your task is to help Cynthia recommend the best defensive strategy for each of the following questions.
Cynthia wants to ensure that data cannot be lost in the same way as the loss that occurred during Breach A. Which of the following would make a lost drive not a major concern?
1. Encrypt the drive with SHA1.
2. Encrypt the drive with AES256.
3. Encrypt the drive with DES.
4. Encrypt the drive with MD5.
If Cynthia wants to address the human side of the issues she has discovered, what solution would best help prevent future issues?
1. Policy and awareness training
2. Dual control and cross training
3. Cross training and an awareness program
4. Implementing a continuous improvement program
What technical solution can Cynthia use to detect and possibly stop both SQL injection attacks and denial-of-service attacks against her web applications?
1. An IDS
2. A PRNG
3. DLP
4. An IPS
Kevin ran a port scan on a system and determined that it is listening on port 1433. What type of server is Kevin most likely scanning?
1. Web server
2. Database server
3. AAA server
4. Email server
Phil ran a port scan on a server and discovered the following results:

Which one of the services running on this server can Phil be confident is using encryption?
1. SSH
2. HTTP
3. MySQL
4. SMTP
What requirement of shared authentication is a key differentiator from SSO?
1. It requires authentication for each site.
2. It uses the same authentication key for each site.
3. Shared authentication provides end-to-end encryption.
4. The shared authentication standard is an open standard.
NIST's data impact rating scale describes what category of data impact as “Sensitive personally identifiable information (PII) of taxpayers, employees, beneficiaries, etc., was accessed or exfiltrated”?
1. Confidentiality breach
2. Privacy breach
3. Proprietary breach
4. Integrity loss
Tara ran an nmap scan against a server and received the following results:

Of the services listed, which port is most unusual to find on a web server?
1. 53
2. 80
3. 443
4. 8080
What Windows tool provides detailed data, including counters, that can measure information about a system like energy consumption, disk usage, and network activity?
1. Winmon
2. Perfmon
3. Sysctl
4. Resmon
Kyle used nslookup to determine the IP address for nytimes.com and received the following results:
What is the IP address of the server that answered Kyle's request?
1. 172.30.0.2
2. 151.101.1.164
3. 151.101.65.164
4. 151.101.193.164
A part of his forensic investigation, Alex signs and notes in his log when the drive copy he prepared is transferred to legal counsel. What is this process known as?
1. Handoff documentation
2. Chain-of-custody tracking
3. Asset tracking
4. Forensic certification
Ryan uses the following command as part of his forensic image preparation:
```
 root@demo:~# md5sum image1.raw
 441fb68910e08fd0ed2db3bdb4e49233 image1.raw
```
What task has he performed?
1. Encryption
2. Image creation
3. Hashing
4. Secure wipe
Ryan uses the following command later in his forensic investigation and receives the response shown. What has occurred?
```
 root@demo:~# md5sum -c image1.md5 image1v2.md5
 image1.raw: FAILED
 md5sum: WARNING: 1 computed checksum did NOT match
 image1.raw: OK
```
1. The hash was miscalculated.
2. No hash was created.
3. The files are the same.
4. The files are different.
Ed is preparing an incident response report, and he discovers that some systems were not properly configured to use NTP. What critical element of incident reports may suffer based on this?
1. The root cause analysis
2. The chronology of events
3. The postrecovery validation report
4. The documentation of specific actions taken to remediate issues
Which one of the following criteria would normally be considered least important when making decisions about the scope of vulnerability scanning programs?
1. Regulatory requirements
2. Data classification
3. Operating system type
4. Corporate policy
Bernie is designing a PCI DSS–compliant vulnerability management program for his business. Who may conduct the internal scans required by the standard?
1. Scans must be conducted by an approved scanning vendor (ASV).
2. Scans must be conducted by an internal audit group or an ASV.
3. Scans must be conducted by a PCI DSS–certified individual.
4. Scans may be conducted by any qualified individual.
Which one of the following elements of the Security Content Automation Protocol (SCAP) provides a standard nomenclature for describing security-related software flaws?
1. CVSS
2. CPE
3. CVE
4. OVAL
Which of the following is not a Linux memory forensic tool?
1. fmem
2. LiME
3. The Volatility Framework
4. DumpIt
What step is missing from the vulnerability management life cycle shown here?
1. Assessment
2. Detection
3. Patching
4. Scanning
The NIST Cybersecurity framework includes three major measures. Which three major measures are included in the measures that allow an organization to evaluate which tier they are at?
1. Risk management process, integrated risk management program, external participation
2. Risk management program, risk tolerance, controls structure
3. Risk management process, incident response program, external data sources
4. Risk management program, vulnerability management program, external data sources
Bryan is preparing to conduct a vulnerability scan and wishes to use credentialed scanning for maximum effectiveness. What type of account should Bryan use to perform this scanning in a secure manner?
1. Domain administrator
2. Root user
3. Local administrator
4. Read-only user
Gary is the cybersecurity manager for a federal government agency subject to FISMA. He is evaluating the potential confidentiality impact of a system and decides that the unauthorized disclosure of information stored on the system could have a serious adverse impact on citizens served by his agency. How should Gary rate the confidentiality impact?
1. Low
2. Moderate
3. High
4. Critical
What major Kerberos-centric concern faces administrators of an Active Directory forest or domain if the AD server itself is compromised?
1. All Kerberos tickets will be invalidated.
2. Attackers can create a “golden ticket.”
3. There is no way to notify users of the issue.
4. Previously issued user tickets will be exposed.
Which of the following is not a common attack against LDAP servers?
1. Exploiting of insecure binding
2. Directory harvesting
3. LDAP injection
4. Silver ticket attacks
Oliver is developing a prioritization scheme for vulnerability remediation. Which one of the following is not generally accepted as an important criterion for prioritizing remediation?
1. Vulnerability severity
2. Age of vulnerability
3. Criticality of system
4. Difficulty of remediation
What regulatory schemes specifically require the use of vulnerability scanning?
1. FISMA and PCI DSS
2. PCI DSS and HIPAA
3. HIPAA and GLBA
4. GLBA and FISMA
What type of term describes review of code by running it?
1. The Run/Test method
2. Runtime inspection
3. Static code analysis
4. Dynamic code analysis
After completing a vulnerability scan, Bob received a report of a blind SQL injection vulnerability. Bob worked with the application developer to inspect the vulnerability and determined that the attack was not possible. What type of error occurred?
1. True positive
2. True negative
3. False positive
4. False negative
Which of the following types of staff are not frequently part of a CSIRT?
1. Technical subject matter experts
2. IT support staff
3. Legal counsel
4. Comptrollers
Which of the following is not well suited to identifying network scans and probes?
1. IPS
2. SNMP traps
3. Firewall
4. SIEM
Olivia has requested that her development team run their web application security testing tools against their web applications, despite the fact that they just installed the most recent patches. What is this type of testing called?
1. Regression testing
2. Patch state validation
3. WAV testing
4. HTTP checking
What type of testing directly targets error handing paths, particularly those that are rarely used or might otherwise be missed during normal testing?
1. Fuzzing
2. Mutation testing
3. Fault injection
4. Fagan inspection
Which of the following pieces of information does Windows not capture by default about USB devices when they are plugged in?
1. The capacity of the device
2. The device name
3. The device serial number
4. The unit's vendor ID
What type of process is shown here?
1. A Waterfall SDLC
2. Mutation testing
3. Dynamic code analysis
4. Fagan inspection
When searching a Windows system for forensic data, where can point-in-time details of prior actions taken on the machine sometimes be found?
1. The Windows Registry
2. Autorun keys
3. Hibernation files
4. Volume shadow copies
Harry identified the following vulnerability in one of his systems:
He would like to search network traffic to identify connection attempts that might have attempted to exploit this vulnerability. What port would traffic exploiting this vulnerability most likely use?
1. 22
2. 80
3. 443
4. 1521
Erik identified the following vulnerability in one of his systems:

What technique would be the most effective way to combat this vulnerability?
1. Firewall rule
2. Input validation
3. Honeypot
4. Patching
Bonnie ran a vulnerability scan against one of her servers and received a report that the server contains buffer overflow vulnerabilities in the operating system. Which one of the following would be the most effective defense?
1. Input validation
2. Firewall
3. Operating system patching
4. Intrusion prevention system
Which one of the following protocols would not generate a network vulnerability report if run on a production system?
1. SSLv2
2. SSLv3
3. TLS 1.1
4. All three would generate a vulnerability.
Ben identified the following vulnerability in one of his systems:

What technique would be the most effective way to combat this vulnerability?
1. Firewall rule
2. Input validation
3. Honeypot
4. Patching the operating system
Chelsea's
company runs an industrial control system (ICS) from a vendor that no longer provides support. The system has a newly discovered vulnerability to buffer overflow attacks. What would be the best way to defend this system?
1. Apply a patch
2. Rewrite the code
3. Place it on a segmented network
4. Use encryption
What component of a virtualized infrastructure is responsible for ensuring that software running on one virtualized system does not receive access to areas of memory that are reserved for use by another virtualized system?
1. Hypervisor
2. Virtual guest
3. Virtual host
4. Physical hardware
Frank received a phone call from a user who is traveling and accessing the Wi-Fi network at a hotel. The user tried to access a corporate website and received an error message that the certificate was invalid. No other users are receiving this error. What is the most likely explanation for this error message?
1. The company's website is using an expired certificate.
2. The company's website has an incorrect certificate installed.
3. The hotel uses a captive portal.
4. Another user on the hotel network is attempting to eavesdrop on the connection.