CompTIA CySA+ Practice Test (CS0-003)

The MITRE ATT&CK framework categorizes threats based on tactics, techniques, and procedures (TTPs) used by adversaries, not solely based on the attacker's objectives. Tactics describe why an adversary performs an action, techniques describe how they accomplish those goals, and procedures are specific implementations.

Using a search engine to gather information about the company's web presence is an essential step in edge discovery but does not provide a comprehensive view of the exposed services and network entry points. The correct answer, Using a domain name enumeration tool, is the correct choice because such tools gather DNS records, subdomains, and host information that reveal the structure of the organization's internet-facing assets, which is crucial for properly assessing the attack surface. Reviewing internal network configurations would not provide visibility into external-facing assets. Conducting an employee survey would not directly identify technical assets and exposed services and is, therefore, not the correct method for edge discovery in this context.

Edge discovery in vulnerability management refers to the process of identifying and mapping the boundaries of a network, including all entry and exit points, to ensure that all assets and potential vulnerabilities are accounted for. This helps in establishing a secure perimeter and understanding the full attack surface.

A buffer overflow vulnerability can impact the integrity of a system’s data by allowing unauthorized modifications. When a buffer overflow occurs, excess data can overwrite adjacent memory, potentially leading to corrupted data and unanticipated changes. This can compromise the accuracy and trustworthiness of the data stored in the system.

Changes to the Windows Registry that redirect any default document or file paths to unknown or unexpected executables are suspicious and could indicate the presence of malware or unauthorized tampering. Attackers may use such tactics to execute malicious code when a user attempts to open a file. True configurations of this nature are seldom benign and should be thoroughly investigated.

The correct choice is comprehensive patch management. Maintaining an up-to-date patching regime ensures that all known vulnerabilities are mitigated promptly, helping the organization stay compliant with PCI DSS Requirement 6.1. Configuring web application firewalls (WAFs) and conducting regular security training are important, but they do not directly satisfy the requirement to protect systems and applications from newly discovered vulnerabilities.

A disaster recovery plan is primarily designed to restore critical systems and data after a disruption. This process involves specific steps to recover and bring systems back to their normal operating state, ensuring minimal impact on the organization's functions.

To comply with the standard governing the security of payment transaction environments, organizations are required to run both internal and external vulnerability scans on a quarterly basis and additionally after any significant change in the network. This practice helps in the timely identification and remediation of vulnerabilities to protect sensitive customer payment information. Scanning every two years is not frequent enough, and limiting activity to external scans neglects potential internal security threats. While annual penetration tests are also required, they are distinct from vulnerability scanning and do not substitute the need for more frequent scans. Relying solely on preventative measures like firewalls does not fulfill the mandated scanning requirements.

A compensating control is a security measure that acts as an alternative to the primary control to mitigate risks. It is designed to address a specific vulnerability or risk when primary controls are not feasible or sufficient. This may include additional monitoring, policy changes, or technical solutions.

Implementing session timeouts helps ensure that sessions do not remain active indefinitely. This reduces the risk of session hijacking where an attacker can take control of an unattended session that remains active for an extended period of time. Limiting session duration is a fundamental security best practice in session management. While encrypting session IDs and using HTTP cookies with secure flags are also important, they do not directly address the issue of indefinite session duration.

The 'scope' of a cybersecurity incident refers to the boundaries and extent of an incident's impact. Understanding what systems, data, and operations were affected helps in formulating an effective response.

Input validation is the correct answer because it directly mitigates remote code execution vulnerabilities by ensuring that only properly formatted data is accepted by the web application. By validating all input, the application can prevent malicious data that could be used in an exploit from entering the system and being executed. While input validation by itself might not fully mitigate all remote code execution risks, it is the most effective single control among the given options. Patch management is important, but it does not prevent exploitation of zero-days or unpatched vulnerabilities. Firewalls and IDS/IPS are boundary defense mechanisms that do not directly address the specific coding issues that allow for remote code execution. Session management is important for user session security but does not prevent remote code execution.

Prowler is an open-source security tool designed to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness. It is well-known for its comprehensive checks against industry standards like the CIS benchmarks for AWS. Option B incorrectly mentions web application vulnerabilities, which is not the specific focus of Prowler, and Options A and D are not actual functionalities of Prowler.

The best explanation for this anomaly is that the terminated employee's credentials have likely been compromised. Since the login attempts are occurring from a foreign country shortly after the employee's departure, it's improbable that they would be traveling there and trying to access the company's systems. The other options do not align as closely with the scenario provided, as social engineering and hardware failure would not explain login attempts from a foreign location, and a distributed denial-of-service attack does not relate directly to unauthorized access to a user account.

Ensuring availability involves maintaining system uptime while addressing vulnerabilities. Implementing a WAF rule can block exploit attempts related to the vulnerability, allowing the application to continue operating safely until the vulnerability is fully addressed. Taking the application offline would significantly impact availability. Patching is important but should be done only after appropriate testing to avoid unplanned downtime. Monitoring traffic alone doesn't prevent exploitation.