CySA+ Domain 1
CompTIA CySA+ Domain 1: Security Operations Study Guide Q&As
| Question | Answer |
|---|---|
| What is the importance of time synchronization in log ingestion? | Ensures accurate correlation of events across multiple systems and accurate timestamps for forensic analysis and incident response |
| What are the different logging levels? | Debug, Info, Warning, Error, Critical - each capturing events of a different severity |
| What is the Windows Registry? | A hierarchical database that stores configuration settings and options for the Windows operating system |
| What is system hardening? | The process of securing a system by reducing its attack surface through removing unnecessary services, applying security baselines, and configuring secure settings |
| What are configuration file locations? | Specific directories where system and application configuration files are stored, critical for security analysis and hardening |
| What is serverless computing? | A cloud computing execution model where the cloud provider manages the infrastructure, allowing developers to focus on code without managing servers |
| What security concerns exist with virtualization? | VM escape vulnerabilities, hypervisor security, resource isolation, and shared infrastructure risks |
| What is containerization? | A lightweight virtualization technology that packages applications and dependencies together, isolated from the host system |
| What is the difference between on-premises and cloud network architecture? | On-premises is locally managed infrastructure while cloud is remotely hosted and managed by a service provider |
| What is a hybrid network? | A network environment that combines both on-premises infrastructure and cloud-based services |
| What is network segmentation? | Dividing a network into smaller, isolated segments to improve security and limit lateral movement |
| What is Zero Trust? | A security model that requires strict identity verification for every person and device trying to access resources, regardless of location |
| What is SASE (Secure Access Service Edge)? | A cloud architecture model that combines network security functions with WAN capabilities to support secure access from any location |
| What is Software-Defined Networking (SDN)? | An approach to networking that uses software-based controllers to direct traffic and manage network resources |
| What is Multifactor Authentication (MFA)? | An authentication method requiring users to provide two or more verification factors to gain access |
| What is Single Sign-On (SSO)? | An authentication scheme that allows users to log in with a single set of credentials to access multiple applications |
| What is federation in identity management? | A system that allows users to access multiple systems or services using a single set of credentials managed by their home organization |
| What is Privileged Access Management (PAM)? | A security practice that safeguards accounts with elevated permissions through just-in-time access, session monitoring, and credential vaulting |
| What is passwordless authentication? | Authentication methods that don't require passwords, such as FIDO2, WebAuthn, security keys, or biometrics |
| What is a Cloud Access Security Broker (CASB)? | A security policy enforcement point placed between cloud service users and cloud applications to monitor activity and enforce security policies |
| What is Public Key Infrastructure (PKI)? | A framework for managing digital certificates, public keys, and the trust relationships needed for secure communications |
| What is SSL inspection? | The process of intercepting, decrypting, inspecting, and re-encrypting SSL/TLS encrypted traffic to detect threats |
| What is Data Loss Prevention (DLP)? | Technologies and processes that identify, monitor, and protect sensitive data through content inspection and policy enforcement |
| What is beaconing in network traffic? | Regular communication between a compromised system and a command and control server at consistent intervals |
| What are irregular peer-to-peer communications? | Unexpected direct connections between systems that don't normally communicate with each other |
| What are rogue devices on a network? | Unauthorized devices connected to a network that may pose security risks |
| What are network scans/sweeps? | Systematic probing of network addresses to discover hosts, services, or vulnerabilities |
| What are unusual traffic spikes? | Sudden increases in network traffic volume that deviate from established baselines |
| What is activity on unexpected ports? | Network communications using ports that aren't typically associated with the application or service in use |
| What is high processor consumption as an indicator? | Unusually high CPU usage that may indicate malware (like crypto-mining) or other malicious activity |
| What is abnormal memory consumption? | Unexpected increases in RAM usage that may indicate memory leaks or malicious activity like fileless malware |
| What is drive capacity consumption as an indicator? | Sudden decreases in available disk space that may indicate ransomware encryption or data staging for exfiltration |
| What are malicious processes? | Unauthorized or suspicious programs running on a system that may indicate compromise |
| What are unauthorized changes? | Modifications to system files, configurations, or settings without proper approval or change management |
| What is data exfiltration? | The unauthorized transfer of data from a system to an external location |
| What is abnormal OS process behavior? | System processes acting in ways that deviate from their normal patterns or relationships |
| What are file system changes or anomalies? | Unexpected creation, modification, or deletion of files that may indicate malicious activity |
| What are registry changes or anomalies? | Unexpected modifications to the Windows Registry that may indicate persistence mechanisms or other malicious activity |
| What are unauthorized scheduled tasks? | Tasks configured to run automatically without proper approval, often used for persistence |
| What is anomalous application activity? | Application behavior that deviates from normal patterns or expected functionality |
| What is the introduction of new accounts? | Creation of user accounts outside normal processes, potentially for maintaining unauthorized access |
| What is unexpected output from applications? | Applications producing results or responses that differ from normal operation |
| What is unexpected outbound communication? | Applications initiating network connections that aren't part of their normal behavior |
| What is a service interruption as an indicator? | Unexpected stoppage or disruption of services that may indicate denial of service or other attacks |
| What are social engineering attacks? | Psychological manipulation techniques that trick users into making security mistakes or giving away sensitive information |
| What are obfuscated links? | URLs that are deliberately disguised or encoded to hide their true destination |
| What is Wireshark used for? | A network protocol analyzer that captures and interactively browses network traffic with advanced filtering capabilities |
| What is tcpdump? | A command-line packet analyzer used to capture and display network traffic |
| What is a SIEM system? | Security Information and Event Management - collects, analyzes, and correlates security event data from multiple sources |
| What is SOAR? | Security Orchestration, Automation, and Response - platforms that automate security operations tasks and workflows |
| What is EDR? | Endpoint Detection and Response - security solutions that monitor endpoint activities and facilitate incident response |
| What is WHOIS? | A query and response protocol used to look up information about domain registration and ownership |
| What is AbuseIPDB? | A database of reported IP addresses used for malicious activities |
| What is the "strings" tool used for? | A utility that extracts readable text characters from binary files to help identify file contents |
| What is VirusTotal? | An online service that analyzes files and URLs for malware using multiple antivirus engines and detection techniques |
| What is Joe Sandbox? | An automated malware analysis system that executes suspicious files in isolated environments |
| What is Cuckoo Sandbox? | An open-source automated malware analysis system that observes malware behavior in isolated environments |
| What is pattern recognition in security? | Identifying recurring patterns in data that may indicate specific types of attacks or threat actor behaviors |
| What is command and control (C2) traffic? | Communications between compromised systems and attacker-controlled servers used to issue commands and exfiltrate data |
| How do you interpret suspicious commands? | By analyzing command syntax, parameters, obfuscation techniques, and intended actions in the context of normal operations |
| What information is found in email headers? | Routing information, authentication results, timestamps, and metadata about the email's journey |
| What is email impersonation? | Attempts to make an email appear to come from a trusted source by mimicking display names, domains, or content styles |
| What is DKIM? | DomainKeys Identified Mail - an email authentication method that adds a digital signature to verify the sender's domain |
| What is DMARC? | Domain-based Message Authentication, Reporting, and Conformance - an email authentication policy framework that builds on SPF and DKIM |
| What is SPF? | Sender Policy Framework - an email authentication method that specifies which mail servers are authorized to send email for a domain |
| What is file hashing in security analysis? | Creating a unique digital fingerprint of a file to identify it or compare it against known good or bad files |
| What is abnormal account activity? | User account behavior that deviates from established patterns or baselines |
| What is impossible travel in user behavior analysis? | Login events from geographically distant locations in a timeframe that would make physical travel impossible |
| What is an Advanced Persistent Threat (APT)? | Sophisticated, targeted cyber attacks carried out by well-resourced groups that maintain long-term access to networks |
| Who are hacktivists? | Individuals or groups who hack systems to promote a political agenda or social cause |
| What is organized crime in cybersecurity? | Criminal groups that conduct cyber attacks primarily for financial gain |
| What are nation-state threat actors? | Government-sponsored groups that conduct cyber operations for espionage, sabotage, or other strategic objectives |
| What is a script kiddie? | An unskilled individual who uses existing tools and scripts to attack systems without understanding the underlying techniques |
| What is an intentional insider threat? | An employee or contractor who deliberately misuses their access to harm the organization |
| What is an unintentional insider threat? | An employee or contractor who accidentally causes security incidents through mistakes or negligence |
| What is a supply chain threat? | Attacks that target less-secure elements in the supply chain to compromise the ultimate target |
| What are Tactics, Techniques, and Procedures (TTPs)? | The patterns of activities and methods associated with specific threat actors or groups |
| What factors affect threat intelligence confidence levels? | Timeliness (recency), relevancy (applicability to your environment), and accuracy (reliability of the source) |
| What are open source threat intelligence sources? | Publicly available information sources like social media, blogs, forums, government bulletins, and CERT advisories |
| What are closed source threat intelligence sources? | Proprietary or restricted information sources like paid feeds, information sharing organizations, and internal sources |
| How is threat intelligence used in incident response? | To identify attack patterns, understand attacker capabilities, and inform response strategies |
| How is threat intelligence used in vulnerability management? | To prioritize patching based on actively exploited vulnerabilities and attacker preferences |
| What are Indicators of Compromise (IoCs)? | Observable artifacts that suggest a system has been compromised, such as file hashes, IP addresses, or domain names |
| What is active defense? | Proactive security measures that detect, analyze, and mitigate threats before they cause significant damage |
| What is a honeypot? | A decoy system designed to attract attackers to study their techniques and divert them from legitimate targets |
| What types of tasks are suitable for automation? | Repeatable tasks that don't require human judgment or interaction, such as log collection, routine scanning, and alert triage |
| What is the role of team coordination in security automation? | Ensuring proper handoffs between automated and manual processes, defining escalation paths, and maintaining oversight |
| How does SOAR improve security operations? | By automating routine tasks, orchestrating responses across multiple tools, and standardizing incident handling |
| What is data enrichment in threat intelligence? | Adding context and additional information to raw threat data to make it more actionable |
| What is threat feed combination? | Integrating multiple sources of threat intelligence while deduplicating and resolving conflicts |
| How can security operations minimize human engagement? | Through alert prioritization, automated triage, and focusing human analysts on complex decisions requiring judgment |
| What is an API in security tool integration? | Application Programming Interface - a set of rules that allows different applications to communicate with each other |
| What are webhooks? | User-defined HTTP callbacks that are triggered by specific events in a web application |
| What are plugins in security tools? | Software components that add specific features to existing security applications |
| What is a "single pane of glass" in security operations? | A unified dashboard or interface that consolidates information from multiple security tools into one view |