CompTIA CySA+ Practice Test (CS0-003)

An Incident Response Plan (IRP) is the authoritative document that defines roles, communication paths, and step-by-step procedures for detecting, containing, eradicating, and recovering from security incidents. Having a well-defined IRP minimizes damage, reduces recovery time, and satisfies many regulatory requirements.

• Business Continuity Plan is also a plan, but its primary focus is on maintaining or quickly restoring mission-critical business operations after any disruptive event, not on the technical handling of a security incident.
• A Security Policy states high-level rules and objectives for protecting information assets; it does not provide detailed incident-handling procedures.
• A Playbook offers tactical, scenario-specific steps (for example, ransomware containment) and is typically a subset derived from the broader Incident Response Plan.

Prioritization and escalation are fundamental steps in vulnerability response and management. Using the risk management principles to assess the level of threat posed by each vulnerability is the best way to prioritize them, as it takes into account their potential impact on the organization and regulatory requirements. Patch requirement is an important consideration, but it should be assessed after determining the risk level. Scope of impact is part of the risk assessment rather than the first step. Asset criticality is only one aspect of the risk and does not provide a complete prioritization on its own.

Managerial controls relate to the policies and procedures that establish the organization's security management structure and the guiding principles for security practices. In this scenario, focusing on providing cybersecurity training to employees to reduce human error through improved understanding of security protocols is best aligned with implementing a managerial control. Technical controls are more related to hardware or software mechanisms that enforce security policies (e.g., firewalls, intrusion detection systems). Operational controls involve the day-to-day execution and implementation of security procedures (e.g., incident response processes), whereas preventative controls aim to avoid security incidents from occurring altogether (e.g., use of strong authentication mechanisms).

The correct answer is 'Data exfiltration attempts'. This scenario is indicative of potential unauthorized data transfer to external entities, often a sign of a compromised system where an attacker is extracting sensitive information. A significant increase in outbound traffic, particularly to foreign or unusual IP addresses during off-hours, is a common indicator of compromised systems involved in data exfiltration.

The incorrect options—'Routine backup processes', 'Authorized remote employee access', and 'Network performance testing'—although they may also cause traffic spikes, are less likely in this scenario given the unusual time and the connection to foreign IPs known to be outside normal communications. These activities would typically be planned, documented, and occur within known operational parameters.

Data enrichment is the process of enhancing, refining, or improving raw data. In the context of threat intelligence, this often means adding context or correlating threat data from multiple sources to provide more meaningful insights. By enriching data, a cybersecurity analyst can have a clearer understanding of the threats, leading to more effective decision-making and response actions. The incorrect options are tangential to the direct enhancement of the threat intelligence platform; while they may contribute to the overall security posture, they do not focus on the orchestration of threat intelligence data.

The correct answer is 'An attacker induces the server to make a request to an internal resource, which should not be accessible.' This depicts a classic SSRF attack, where the attacker is able to cause the server to perform an action on their behalf, often accessing internal resources that the attacker normally couldn't reach. SSRF exploits the trust that a server has in itself to erroneously execute internal interactions. The incorrect options do not describe SSRF vulnerabilities; a cross-site scripting (XSS) attack involves executing scripts in a victim's web browser rather than internal server requests. Buffer overflows are related to memory safety vulnerabilities, not SSRF. A SQL injection attack involves inserting malicious SQL queries via input fields, not manipulating server requests.

The Windows Registry is designed to store configuration settings and options on Microsoft Windows operating systems. It contains settings for both the operating system itself and the programs that run on Windows. Each option and setting is stored as a registry key, which can be edited to modify system behavior. Understanding the registry's role is essential for diagnosing system issues, implementing security measures, and managing system configurations.

The /etc/ssh/sshd_config file is the correct answer because it is the default location for the OpenSSH server configuration file on most Linux distributions. This file contains settings that dictate how the SSH server behaves, including security-relevant parameters such as allowed authentication methods and permitted users. Other directories mentioned may contain configuration files for different purposes or services, but not for the SSH server.

The Zed Attack Proxy (ZAP) is designed for web application security testing, with features specifically tailored to automatically discover vulnerabilities in web apps. One such feature is the active scanner, which probes for security weaknesses by sending modified requests to the application and analyzing the responses. It's important for test-takers to distinguish between various tool features and associate them with their correct functionalities.

Reflected cross-site scripting is the correct answer because it occurs when an application receives data in a request and includes that data in the immediate response in an unsafe way. In the scenario described, the web application reflects user input directly in the response, which is a classic example of a reflected cross-site scripting vulnerability. Persistent cross-site scripting requires the injected script to be stored on the server and then displayed in subsequent responses to any user visiting the affected page. Cross-site request forgery (CSRF) involves tricking a user into making a request to perform an action that they are authorized to perform, typically without their knowledge, which is not indicated in this scenario. Lastly, SQL injection occurs when an attacker is able to manipulate a SQL query through user input, which is unrelated to script injection reflected in web responses.

Creating a comprehensive inventory of business-critical assets is essential to effectively prioritize threat hunting efforts. Without a clear understanding of which assets are critical, it is difficult to allocate resources properly and may lead to inadequate protection of crucial systems. Keeping backups of crucial assets certainly helps in recovery, but it is not directly related to the initial step of threat hunting. Regularly updating all systems is a good security practice, but it does not directly influence the prioritization in threat hunting. Reviewing access logs continuously is important for detecting anomalies but again falls short in terms of prioritizing efforts on business-critical assets.

The Open Source Security Testing Methodology Manual (OSS TMM) promotes a standardized approach that enhances consistency and completeness in assessments. This ensures that methodologies are replicable and independently verifiable, enhancing the credibility and reliability of security assessments.

The correct answer is 'Notifications about emerging regulatory requirements for online data handling specific to the European market.' This answer is the most relevant because the e-commerce platform is now operating within the European Union, which means it is subject to EU data handling and privacy laws, such as the GDPR. Non-compliance could lead to significant fines and legal issues, along with reputational damage. As such, threats or changes regarding these laws are integral to the business operation and must be a priority. The other options, while potentially important, are less immediately relevant to the company's European operations: 'Detailed reports about mobile malware trends in Asia-Pacific regions' are geographically irrelevant; 'Algorithms for detecting anomalies in virtual private network (VPN) traffic' offer a security measure that could be globally relevant but doesn't have specific implications for the new EU operations; 'Broad threat landscape summaries for the retail sector in Q1' offer useful contextual information, but lack the immediacy and specificity required for prioritizing actions related to the business's geographic expansion.

A Security Information and Event Management (SIEM) system is the best tool for this scenario. SIEMs are specifically designed to collect, aggregate, and correlate log data from a wide variety of sources across an organization. This allows analysts to identify trends, patterns, and anomalies over extended periods, which is essential for detecting low-and-slow attacks like APTs. While EDRs provide deep endpoint visibility and packet capture tools analyze network traffic, only a SIEM provides the centralized, cross-source log correlation needed for this type of investigation. A vulnerability scanner is used for proactive scanning of security weaknesses, not for analyzing event logs of an active incident.

Indicators of Compromise (IoCs) are artifacts observed on a network or in an operating system that with high confidence indicate a computer intrusion. Understanding IoCs is vital for cybersecurity analysts as they allow for early detection of breaches and initiate a response. False positives, such as Anti-Virus Alerts, are sometimes mistaken for IoCs but they often require further investigation as they could also be indicative of a false alarm or benign activity. Unusual outbound traffic could be an IoC, but it is not a definitive indication on its own; it needs corroboration with other signs of compromise. Heightened data usage may raise suspicions but does not necessarily provide evidence of a breach.