CompTIA CySA+ Practice Test (CS0-003)

The correct answer is 'An attacker induces the server to make a request to an internal resource, which should not be accessible.' This depicts a classic SSRF attack, where the attacker is able to cause the server to perform an action on their behalf, often accessing internal resources that the attacker normally couldn't reach. SSRF exploits the trust that a server has in itself to erroneously execute internal interactions. The incorrect options do not describe SSRF vulnerabilities; a cross-site scripting (XSS) attack involves executing scripts in a victim's web browser rather than internal server requests. Buffer overflows are related to memory safety vulnerabilities, not SSRF. A SQL injection attack involves inserting malicious SQL queries via input fields, not manipulating server requests.

The Windows Registry is designed to store configuration settings and options on Microsoft Windows operating systems. It contains settings for both the operating system itself and the programs that run on Windows. Each option and setting is stored as a registry key, which can be edited to modify system behavior. Understanding the registry's role is essential for diagnosing system issues, implementing security measures, and managing system configurations.

Indicators of Compromise (IoCs) are artifacts observed on a network or in an operating system that with high confidence indicate a computer intrusion. Understanding IoCs is vital for cybersecurity analysts as they allow for early detection of breaches and initiate a response. False positives, such as Anti-Virus Alerts, are sometimes mistaken for IoCs but they often require further investigation as they could also be indicative of a false alarm or benign activity. Unusual outbound traffic could be an IoC, but it is not a definitive indication on its own; it needs corroboration with other signs of compromise. Heightened data usage may raise suspicions but does not necessarily provide evidence of a breach.

The correct answer is 'Data exfiltration attempts'. This scenario is indicative of potential unauthorized data transfer to external entities, often a sign of a compromised system where an attacker is extracting sensitive information. A significant increase in outbound traffic, particularly to foreign or unusual IP addresses during off-hours, is a common indicator of compromised systems involved in data exfiltration.

The incorrect options—'Routine backup processes', 'Authorized remote employee access', and 'Network performance testing'—although they may also cause traffic spikes, are less likely in this scenario given the unusual time and the connection to foreign IPs known to be outside normal communications. These activities would typically be planned, documented, and occur within known operational parameters.

Creating a comprehensive inventory of business-critical assets is essential to effectively prioritize threat hunting efforts. Without a clear understanding of which assets are critical, it is difficult to allocate resources properly and may lead to inadequate protection of crucial systems. Keeping backups of crucial assets certainly helps in recovery, but it is not directly related to the initial step of threat hunting. Regularly updating all systems is a good security practice, but it does not directly influence the prioritization in threat hunting. Reviewing access logs continuously is important for detecting anomalies but again falls short in terms of prioritizing efforts on business-critical assets.

The correct answer is 'Notifications about emerging regulatory requirements for online data handling specific to the European market.' This answer is the most relevant because the e-commerce platform is now operating within the European Union, which means it is subject to EU data handling and privacy laws, such as the GDPR. Non-compliance could lead to significant fines and legal issues, along with reputational damage. As such, threats or changes regarding these laws are integral to the business operation and must be a priority. The other options, while potentially important, are less immediately relevant to the company's European operations: 'Detailed reports about mobile malware trends in Asia-Pacific regions' are geographically irrelevant; 'Algorithms for detecting anomalies in virtual private network (VPN) traffic' offer a security measure that could be globally relevant but doesn't have specific implications for the new EU operations; 'Broad threat landscape summaries for the retail sector in Q1' offer useful contextual information, but lack the immediacy and specificity required for prioritizing actions related to the business's geographic expansion.

Prioritization and escalation are fundamental steps in vulnerability response and management. Using the risk management principles to assess the level of threat posed by each vulnerability is the best way to prioritize them, as it takes into account their potential impact on the organization and regulatory requirements. Patch requirement is an important consideration, but it should be assessed after determining the risk level. Scope of impact is part of the risk assessment rather than the first step. Asset criticality is only one aspect of the risk and does not provide a complete prioritization on its own.

This statement is correct because SIEM systems are designed to aggregate, correlate, and analyze event logs from a variety of sources. They use complex algorithms and rules to detect patterns and anomalies that are indicative of security incidents, something that is difficult and time-consuming to achieve with manual analysis. SIEM systems provide a holistic view of an organization's information security, making threat detection more efficient and effective.

A tabletop exercise is a discussion-based session where team members meet to discuss their roles during an incident and walk through a realistic scenario in a non-threatening environment. This type of exercise is ideal for validating understanding of the updated incident response plan and the roles of new team members without the stress of an actual security incident.

An Incident Response Plan is crucial as it provides a pre-defined set of guidelines and procedures for managing and mitigating security incidents. It ensures that the response to an incident is conducted systematically and effectively, minimizing damage and reducing recovery time and costs. Other options are elements or tools that could be mentioned in the plan but are not plans themselves.

The /etc/ssh/sshd_config file is the correct answer because it is the default location for the OpenSSH server configuration file on most Linux distributions. This file contains settings that dictate how the SSH server behaves, including security-relevant parameters such as allowed authentication methods and permitted users. Other directories mentioned may contain configuration files for different purposes or services, but not for the SSH server.

Reflected cross-site scripting is the correct answer because it occurs when an application receives data in a request and includes that data in the immediate response in an unsafe way. In the scenario described, the web application reflects user input directly in the response, which is a classic example of a reflected cross-site scripting vulnerability. Persistent cross-site scripting requires the injected script to be stored on the server and then displayed in subsequent responses to any user visiting the affected page. Cross-site request forgery (CSRF) involves tricking a user into making a request to perform an action that they are authorized to perform, typically without their knowledge, which is not indicated in this scenario. Lastly, SQL injection occurs when an attacker is able to manipulate a SQL query through user input, which is unrelated to script injection reflected in web responses.

Managerial controls relate to the policies and procedures that establish the organization's security management structure and the guiding principles for security practices. In this scenario, focusing on providing cybersecurity training to employees to reduce human error through improved understanding of security protocols is best aligned with implementing a managerial control. Technical controls are more related to hardware or software mechanisms that enforce security policies (e.g., firewalls, intrusion detection systems). Operational controls involve the day-to-day execution and implementation of security procedures (e.g., incident response processes), whereas preventative controls aim to avoid security incidents from occurring altogether (e.g., use of strong authentication mechanisms).

Correlating time stamps across multiple systems and devices enables an analyst to construct a timeline of events, which is essential for understanding the sequence in which the incident occurred. This timeline can be compared against the known behavior of security threats to identify patterns and potential points of entry or areas of impact. This question tests knowledge of log analysis techniques. Other options, while potentially useful in other contexts, do not focus on the primary purpose of time stamp correlation in incident investigation.

Data enrichment is the process of enhancing, refining, or improving raw data. In the context of threat intelligence, this often means adding context or correlating threat data from multiple sources to provide more meaningful insights. By enriching data, a cybersecurity analyst can have a clearer understanding of the threats, leading to more effective decision-making and response actions. The incorrect options are tangential to the direct enhancement of the threat intelligence platform; while they may contribute to the overall security posture, they do not focus on the orchestration of threat intelligence data.