
CompTIA Cybersecurity Analyst (CySA+)

CompTIA Cybersecurity Analyst (CySA+) focuses on incident detection, prevention, and response through continuous security monitoring. It validates a professional's expertise in vulnerability management and the use of threat intelligence to strengthen organizational security. Achieving the symbol COMP_CYSA marks an individual as a proficient security analyst capable of mitigating modern cyber threats.




---------- Question 1
A security analyst is reviewing logs in the SIEM and identifies a series of unusual PowerShell executions on a critical application server. The logs show the use of the -EncodedCommand flag followed by a long Base64 string. Upon decoding, the script appears to be performing memory injection into a legitimate system process. Which of the following is the most likely indicator of malicious activity being observed, and what should be the analyst's immediate technical response using scripting or tools?
  1. The activity indicates a fileless malware attack attempting to evade detection; the analyst should use a PowerShell script to suspend the suspicious process and dump the memory for forensic analysis.
  2. The activity represents a standard administrative update task using obfuscation; the analyst should ignore the alert and update the SIEM baseline to prevent future false positives from this server.
  3. The activity is a clear sign of a rogue device on the network backbone; the analyst should use Wireshark to capture all traffic from the rogue MAC address and block it at the core switch.
  4. The activity suggests an authorized IAM configuration change; the analyst should check the change management database and approve the script to run across all other production servers.

---------- Question 2
A security analyst is tasked with providing a weekly update on the organization's vulnerability status to the Compliance Officer. The officer is specifically interested in how the organization is meeting its Service Level Objectives for patching. Which of the following pieces of information is most critical for this report, and how should an exception for a critical vulnerability be handled in the documentation?
  1. The list of every single vulnerability found by the scanner; exceptions should be deleted from the report to avoid confusing the compliance officer.
  2. The percentage of vulnerabilities remediated within the defined SLO timeframe; exceptions should be formally documented with a business justification and a sunset date.
  3. The average amount of time an analyst spends on each vulnerability scan; exceptions should be mentioned verbally during the weekly meeting but not written down.
  4. The total cost of the vulnerability scanning software license; exceptions should be handled by the IT manager without involving the compliance department.

---------- Question 3
During a tabletop exercise, the IT and security teams are practicing their response to a simulated ransomware outbreak. One of the key objectives is to verify the effectiveness of the communication plan and the technical recovery procedures. Which component of the incident management life cycle is being addressed when the team evaluates the time it takes to restore systems from backups and identifies gaps in the existing playbooks?
  1. The Preparation phase, by creating and refining incident response plans and training staff before a real incident occurs.
  2. The Containment phase, by isolating the affected systems to prevent the ransomware from spreading to the rest of the production network.
  3. The Eradication phase, by identifying the root cause of the ransomware and removing all traces of the malware from the infected hosts.
  4. The Post-Incident Activity phase, by conducting a lessons learned session to improve future response efforts and update the security metrics.

---------- Question 4
An incident response team has just concluded a major security incident involving a SQL injection attack that led to a data breach. The Lead Analyst is now preparing the final incident report for the executive leadership team. Which of the following sections is most critical to include in the executive summary to help non-technical stakeholders understand the business impact and prevent future occurrences?
  1. A detailed list of the specific SQL queries used by the attacker
  2. The full hexadecimal dump of the intercepted network traffic
  3. A high-level overview of the root cause and a summary of the lessons learned
  4. The source code of the script used to automate the data exfiltration

---------- Question 5
An incident response team is investigating a complex intrusion. They have identified that the attacker used a zero-day exploit to gain access to a web server, used a custom tool to dump credentials from memory, and then moved laterally to a database server. Which of the following frameworks would be most useful for the team to use when categorizing the attacker's specific TTPs and identifying potential mitigation strategies for each stage of the attack?
  1. The Diamond Model of Intrusion Analysis to map the relationship between the adversary and the infrastructure.
  2. MITRE ATT&CK framework to identify and categorize the specific techniques used for initial access, credential access, and lateral movement.
  3. The OSSTMM methodology to provide a scientific metric for the operational security of the database server.
  4. The OWASP Testing Guide to perform a follow-up assessment of the web application's security vulnerabilities.

---------- Question 6
During the incident response reporting phase, an analyst must explain the lessons learned from a recent phishing campaign that led to several account takeovers. The analyst notes that the lack of multi-factor authentication (MFA) on legacy systems was a primary factor. Which of the following should be included in the communication to stakeholders to ensure proper escalation and support for future security projects?
  1. A technical walkthrough of how the phishing email successfully bypassed the spam filters
  2. A clear action plan that includes the implementation of compensating controls for the legacy systems
  3. A request for additional budget to hire more analysts to manually monitor the email gateway
  4. A detailed list of the employees who clicked on the phishing link to facilitate disciplinary actions

---------- Question 7
A senior security analyst is preparing a final report for a high-profile data breach incident. The report needs to be distributed to various stakeholders, including the legal department, the IT operations team, and the executive leadership. How should the analyst structure the report to ensure that all parties receive the information they need to perform their respective roles?
  1. Create a single, highly technical document that includes all raw log data and forensic images so that everyone has access to the same level of detail.
  2. Develop a multi-part report that includes an executive summary for leadership, a detailed technical root cause analysis for IT, and a compliance impact summary for legal.
  3. Publish the report on the company's public-facing website to ensure maximum transparency and to show the customers that the company is taking the breach seriously.
  4. Send a brief email to all stakeholders stating that the incident has been resolved and that no further action is required from any department at this time.

---------- Question 8
Following a successful containment of a network intrusion, the security team is working on the incident response reporting and communication. They are specifically focused on the lessons learned and relevant metrics. Which of the following actions best demonstrates a commitment to improving the organization's security posture through the incident management life cycle?
  1. Deleting all records of the incident to protect the company's reputation
  2. Creating a summary of the incident for the CEO with no technical details
  3. Conducting a formal meeting to review what went well and what failed
  4. Resetting all user passwords and requiring bi-weekly changes from now on

---------- Question 9
A vulnerability management team is conducting a scan on a critical banking application that handles sensitive financial transactions. Due to the high sensitivity of the system, the team is concerned about potential downtime. They decide to use an agent-based, credentialed scan during a specific maintenance window. Which of the following best explains the advantage of using a credentialed, agent-based scan over an uncredentialed, network-based scan in this specific scenario?
  1. Agent-based scans are entirely passive and do not interact with the host operating system, ensuring no performance impact.
  2. Credentialed scans provide deeper visibility into the host, including installed software versions and registry settings, while agents reduce network bandwidth usage.
  3. Uncredentialed scans are better at finding zero-day vulnerabilities in the web application scanner output.
  4. Network-based scanners are more effective at analyzing cloud assessments and static code vulnerabilities.

---------- Question 10
A cybersecurity analyst is tasked with evaluating the Tactics, Techniques, and Procedures of a specific threat actor known for targeting financial institutions with ransomware. The analyst notices that the actor consistently uses living-off-the-land techniques, specifically utilizing PowerShell for lateral movement. Which of the following tools or techniques would be most effective for detecting this malicious activity within the host environment while minimizing false positives from legitimate administrative scripts?
  1. Implementing strict IAM policies that prevent any user from executing scripts on their local workstations regardless of their role.
  2. Enabling PowerShell Script Block Logging and using a SIEM to search for specific suspicious keywords and obfuscation patterns.
  3. Running a full VirusTotal scan on every PowerShell executable found on the network to check for known malicious file signatures.
  4. Using Wireshark to monitor all encrypted traffic on port 443 to identify if any PowerShell commands are being transmitted to external servers.

