
Graded Quiz: CompTIA CYSA+ Mock Exam: Cybersecurity Assessment: CompTIA Security+ & CYSA+ (IBM Cybersecurity Analyst Professional Certificate) Answers 2025

1. How does understanding network architecture help optimize log ingestion?

❌ Best storage solutions
Efficient placement of log collectors and sensors
❌ Ensures logs are encrypted
❌ Reduces need for log analysis

Explanation: Proper placement reduces latency and ensures complete log capture.


2. SIEM feature used to correlate events?

Event correlation
❌ Incident automation
❌ Dashboards
❌ Log aggregation

Explanation: Correlation connects events across sources to detect incidents.


3. Why understand OS file structure?

❌ Install more apps
❌ Store files in cloud
❌ Reduce antivirus need
Identify/manage critical system files


4. Automate response to phishing in SOAR?

❌ Case management
❌ Threat intelligence sharing
Playbook automation
❌ Incident reporting


5. Analyze suspicious file in controlled environment?

❌ Static analysis
Dynamic analysis
❌ Hashing
❌ Network isolation


6. Why understand cloud network architecture?

❌ Store all data locally
❌ Install physical firewalls
❌ Reduce need for encryption
Implement access controls & segmentation


7. Network architecture in Zero Trust?

❌ Devices on same network
❌ Reduce monitoring
❌ Location of security staff
Segment network to limit lateral movement


8. Network architecture’s role in MFA?

❌ Physical server location
Ensure secure communication between factors & servers
❌ Same network for users
❌ Reduce encryption need


9. Computer slow, unknown processes?

❌ Hardware upgrade
❌ Resource-heavy apps
Malware or rootkit
❌ OS update


10. Many failed logins from many IPs?

❌ Normal
Brute-force attack
❌ Users forgetting passwords
❌ Misconfigured authentication


11. Why architecture knowledge helps DLP?

❌ Install more physical devices
❌ Store all data locally
❌ Reduce encryption need
Identify data flow & leakage points


12. Why understand architecture for PII protection?

❌ Store PII in cloud
❌ Reduce encryption
❌ More physical devices
Identify & secure all PII storage/transmission points


13. IAM importance?

❌ Simplify UI
❌ Improve dashboard look
Control access & authenticate users
❌ Speed up alerts


14. Negligent insider example?

❌ Planting surveillance (malicious)
❌ Selling info (malicious)
❌ DoS attack (malicious)
Sharing sensitive info over unencrypted channels


15. Professional Insider?

Recruited for espionage inside the organization
❌ Executive leaking info
❌ Consultant mishandling data
❌ Employee phished


16. Traffic on port 8080 unexpected — indicator?

❌ New app
❌ Legit update
Rogue application bypassing controls
❌ Network scan


17. What is whaling?

❌ Target regular employees
❌ Marine activism
Spear phishing targeting executives
❌ Stealing large datasets


18. Purpose of SEO poisoning?

Pollute search results with harmful links
❌ Clean search engines
❌ Infect search engines
❌ Legit SEO


19. Workstations connecting to malicious IP — indicator?

❌ Routine scan
❌ Legit update
❌ Cloud sync
Rogue process exfiltrating data


20. Large data to external server after hours?

❌ Idle workstations
❌ Updates
❌ Backups
Unauthorized data exfiltration


21. Directory browsing enabled exposes what?

❌ SSL keys
Structure & content of directories
❌ Financial records
❌ Email addresses


22. App making many outbound connections?

❌ Idle
❌ Updates
❌ Legit sync
DDoS attack participation


23. New user accounts created after hours?

❌ Scheduled update
Unauthorized account creation by attacker
❌ IT onboarding
❌ Routine maintenance


24. Why need operational controls?

❌ Prevent insider disclosure
❌ Limit physical access
❌ Auto compliance
Fill gaps not covered by other controls


25. Unusual DNS queries — Wireshark shows?

❌ Legit update
DNS tunneling (data exfiltration)
❌ Legit sync
❌ Scheduled scan


26. Which task ideal for automation?

❌ User support calls
❌ Suspicious graphics sorting
❌ Manual analysis
Email header analysis & blocklist automation


27. Multiple login locations for same user?

❌ Routine tasks
❌ Traveling user
Credential-stuffing / account compromise
❌ Profile update


28. App modifying system files without auth?

❌ Maintenance
❌ Legit update
Malicious program gaining persistence
❌ Legit software


29. Too many duplicate alarms — solution?

❌ REST
❌ API
❌ XDR
SOAR


30. Prevent exposure of PII?

❌ PKI
❌ PAM
❌ IDS
DLP


31. Discover & catalog new assets?

❌ Metasploit
Nmap
❌ Wireshark
❌ Burp Suite


32. Identify internal vulnerabilities?

Internal vulnerability scan
❌ Pen test
❌ External scan
❌ Compliance scan


33. Identify vulnerabilities an external attacker sees?

❌ Non-credentialed
External scan
❌ Internal scan
❌ Credentialed


34. Assess internal security posture?

Internal scan
❌ Pen test
❌ External scan
❌ Social engineering


35. Continuous baseline monitoring feature?

❌ Manual audits
❌ Real-time alerts
❌ Scheduled scans
Continuous baseline assessment


36. Ben asks Chris to sign off on actions?

❌ Chain of custody
❌ Separation of duties
Pair forensics
❌ Over-the-shoulder

Correct answer: Pair forensics


37. Mitigation for XSS?

❌ Disable cookies
❌ Cache
❌ Password policy
Use WAF


38. Ensure systems updated — which process?

❌ Threat hunting
❌ Incident response
Patch management
❌ Vulnerability scanning


39. Standardize system settings?

❌ Patch management
❌ Risk assessment
❌ Security auditing
Configuration management


40. Prioritize vulnerabilities by impact?

❌ Mitigation
❌ Avoidance
Risk assessment
❌ Transfer


41. SLO metric measuring vulnerability management speed?

❌ Uptime
❌ Incident frequency
❌ Customer satisfaction
MTTR


42. Identify external-facing assets?

❌ Passive
❌ Reduction
Edge discovery
❌ Pen testing


43. Protect sensitive stored data?

❌ Authentication
Data protection
❌ Input validation
❌ Encoding


44. Prevent unauthorized access?

Using secure APIs
❌ Disable logging
❌ Hardcode creds
❌ Ignore exceptions


45. Cyber Kill Chain phase gathering intelligence?

❌ Exploitation
❌ Weaponization
Reconnaissance
❌ Delivery


46. MITRE ATT&CK element describing methods?

❌ Procedures
❌ Infrastructure
❌ Tactics
Techniques


47. First step for chain of custody?

Label drive with unique identifier
❌ Copy it
❌ Analyze immediately
❌ Store it


48. NIC in promiscuous mode?

❌ Speed up
Capture all network traffic
❌ Only receive addressed traffic
❌ Disconnect


49. Purpose of post-incident phase?

❌ Notify stakeholders
Document lessons learned & improve future response
❌ Contain
❌ Eradicate


50. Best time to schedule vulnerability scans?

Off-peak hours
❌ Busy hours
❌ Random
❌ Before maintenance window


51. Benefit of effective communication in vulnerability mgmt?

Timely mitigation
❌ Remove need for risk score
❌ Keep only IT aware
❌ Reduce scans


52. Benefit of reporting on vulnerabilities?

❌ Faster IR
❌ Identify updates
Ensure compliance
❌ Reduce manual checks


53. Benefit of communicating patch plans?

❌ Manual patching
❌ Reduce vulnerabilities
Ensure awareness of downtime & improvements
❌ Remove need for automation


54. Framework for prioritizing risks?

❌ OWASP
❌ ISO 31000
NIST CSF
❌ CIS Top 20


55. Why include security awareness training?

❌ Automate patching
❌ Ensure software updated
❌ Monitor traffic
Teach users to detect & respond to threats


56. Why update vulnerability mgmt plans?

❌ Comply with outdated policies
Align security with current business needs
❌ Remove training
❌ Reduce scans


57. Why identify stakeholders in IR plan?

Provide relevant information to all affected parties
❌ Avoid documentation
❌ Limit involvement
❌ Only inform IT


58. Benefit of MOU before incident?

❌ Reduce documentation
Ensure rapid, coordinated response
❌ Remove post-incident needs
❌ Bypass SOPs


59. Applying patch reduces what?

❌ Threat
❌ Remove vulnerability
❌ Remove threat
Reduce vulnerability


60. Why include legacy systems in IR plans?

Mitigate vulnerabilities in outdated systems
❌ Reduce audits
❌ Remove legacy systems
❌ Force updates


61. Why include proprietary systems?

❌ Reduce updates
❌ Remove proprietary systems
❌ Enforce open-source
Address their unique vulnerabilities


62. Why identify stakeholders? (Duplicate)

Provide relevant information to all involved


63. Purpose of simple incident declaration?

❌ Resolve without documentation
Quickly identify & communicate an incident
❌ Limit responders
❌ Avoid senior management


64. Purpose of executive summary?

❌ Deep technical analysis
❌ List vulnerabilities
❌ Raw logs
High-level overview for decision makers


65. Benefit of communicating impact?

❌ Remove reviews
❌ Ignore incident
Ensure stakeholders understand severity & actions
❌ Remove IR teams


66. Why involve legal teams?

❌ Reduce documentation
❌ Fix tech quickly
Ensure compliance & manage liabilities
❌ Avoid external communication


67. Industry best practices for web app security?

❌ Kill Chain
❌ MITRE
OWASP Testing Guide
❌ Diamond Model


68. Benefit of communicating with law enforcement?

Timely accurate info → enhances public safety


69. Why is MTTD critical?

❌ Time to repair
Measures how fast an incident is detected
❌ Evaluate reviews
❌ Measure downtime


70. Immediate action for ransomware on server?

❌ Backup
❌ Remove ransomware
❌ Pay ransom
Disconnect server from network


71. Essential post-incident activity?

❌ Increase budget
❌ Reward team
❌ Run simulation
Review & update IR plan (lessons learned)


72. Next step after applying patch?

❌ Validation
❌ Rollback
❌ Implementation
Testing


73. Common vulnerability scanning tool?

Nessus
❌ Metasploit
❌ Wireshark
❌ Burp


74. IR phase limiting damage?

Containment, Eradication, Recovery


75. Not usual criterion for containment strategy?

❌ Effectiveness
❌ Cost
❌ Evidence preservation
Log records generated


76. Purpose of compliance audit?

❌ Monitor traffic
❌ Identify vulnerabilities
Ensure adherence to policies & regulations
❌ Train employees


77. Removing Internet access but systems running?

❌ Eradication
❌ Removal
❌ Segmentation
Isolation


78. Purpose of DMZ?

❌ Manage creds
❌ Encrypt traffic
❌ Store backups
Isolate public-facing services


79. Common EDR feature?

❌ Segmentation
Real-time monitoring
❌ User training
❌ Data masking


80. IR team overwhelmed — next step?

Escalate to higher authority


81. Primary purpose of incident report?

❌ Archive
Document incident & response
❌ Notify media
❌ Assign blame


82. Primary purpose of firewall?

❌ Manage creds
❌ Monitor traffic
❌ Encrypt
Block unauthorized access


83. Common cloud security concern?

❌ Physical theft
Data breaches
❌ Hardware failure
❌ Updates


84. Common risk assessment method?

❌ Encryption
Vulnerability scanning
❌ User training
❌ Incident response


85. Not an issue with live imaging?

❌ Memory may change
❌ Malware evasion
❌ Unallocated space captured
Imaging tool leaves remnant data (NOT a concern)


🧾 Summary Table (Q1–Q85)

| Q# | Correct Answer | Key Concept |
|----|----------------|-------------|
| 1 | Efficient placement of log collectors and sensors | Network-aware log ingestion |
| 2 | Event correlation | SIEM event linking |
| 3 | Identify and manage critical system files | OS file-structure knowledge |
| 4 | Playbook automation | SOAR automated response |
| 5 | Dynamic analysis | Sandboxing behavior observation |
| 6 | Implement adequate access controls & segmentation | Cloud network security |
| 7 | Segment network to limit lateral movement | Zero Trust effectiveness |
| 8 | Ensure secure communication between factors & servers | MFA deployment considerations |
| 9 | Presence of malware or a rootkit | Resource-hogging processes indicator |
| 10 | A brute-force attack | Multiple failed logins from many IPs |
| 11 | Identify critical data flow paths & leakage points | DLP architecture role |
| 12 | Identify & secure all PII storage/transmission points | PII protection |
| 13 | Control access & ensure proper authentication | IAM importance |
| 14 | Sharing sensitive info over unencrypted channels | Negligent insider example |
| 15 | Recruited for espionage inside the organization | Professional insider |
| 16 | Rogue application attempting to bypass security controls | Unexpected port traffic indicator |
| 17 | Specialized spear phishing aimed at executives (whaling) | Targeted executive attacks |
| 18 | Pollute search results with harmful links | SEO poisoning intent |
| 19 | Rogue application attempting to exfiltrate data | Connections to malicious IP |
| 20 | Exfiltrating data to unauthorized external server | Large off-peak data transfers |
| 21 | Structure & content of web directories | Directory browsing exposure |
| 22 | Application part of a DDoS attack | High outbound connections |
| 23 | Unauthorized account creation by attacker | New accounts outside business hours |
| 24 | Supplement areas other controls cannot address | Need for operational controls |
| 25 | DNS tunneling used for data exfiltration | Unusual DNS queries |
| 26 | Email header analysis & blocklist automation | Tasks ideal for automation |
| 27 | Credential-stuffing / account compromise | Multiple geo login attempts |
| 28 | Malicious program attempting to gain persistence | Unauthorized system modifications |
| 29 | SOAR | Reduce duplicate alarms (automation) |
| 30 | DLP | Prevent PII exposure |
| 31 | Nmap | Asset discovery/cataloging |
| 32 | Internal vulnerability scan | Identify internal weaknesses |
| 33 | External scan | Scan for attacker-visible vulnerabilities |
| 34 | Internal scan | Assess internal posture |
| 35 | Continuous baseline assessment | Real-time compliance monitoring |
| 36 | Pair forensics | Joint validation/sign-off during forensics |
| 37 | Web Application Firewall (WAF) | Mitigate XSS |
| 38 | Patch management | Keep systems updated |
| 39 | Configuration management | Standardize system settings |
| 40 | Risk assessment | Prioritize vulnerabilities by impact |
| 41 | Mean Time to Repair (MTTR) | SLO metric for remediation speed |
| 42 | Edge discovery | Find external-facing assets |
| 43 | Data protection | Secure sensitive stored data |
| 44 | Using secure APIs | Prevent unauthorized access |
| 45 | Reconnaissance | Information-gathering phase |
| 46 | Techniques | MITRE ATT&CK methods |
| 47 | Label the hard drive with a unique identifier | Chain of custody first step |
| 48 | Capture all network traffic | Promiscuous NIC mode |
| 49 | Document lessons learned & improve response | Post-incident activity goal |
| 50 | During off-peak hours | Schedule scans to minimize disruption |
| 51 | Timely mitigation of identified vulnerabilities | Communication benefit |
| 52 | Ensure compliance with policies and standards | Reporting benefit |
| 53 | Ensure stakeholders aware of downtime & improvements | Patch plan communication |
| 54 | NIST Cybersecurity Framework (NIST CSF) | Prioritize risks by impact |
| 55 | Educate employees to recognize/respond to threats | Security awareness training |
| 56 | Align security measures with current business operations | Update action plans |
| 57 | Provide relevant info to all affected parties | Identify stakeholders |
| 58 | Ensure rapid and coordinated response | Benefit of MOU |
| 59 | Reduced the vulnerability | Applying a patch effect |
| 60 | Identify & mitigate vulnerabilities in outdated systems | Include legacy systems in IR |
| 61 | Address unique vulnerabilities of proprietary systems | Include proprietary systems in IR |
| 62 | Provide relevant information to all parties affected (Duplicate) | Stakeholder identification |
| 63 | Quickly identify & communicate an incident | Simple incident declaration purpose |
| 64 | High-level overview for stakeholders and decision-makers | Executive summary purpose |
| 65 | Ensure stakeholders understand severity & necessary actions | Communicate incident impact |
| 66 | Comply with legal requirements & manage liabilities | Involve legal teams |
| 67 | OWASP Testing Guide | Web app security best practices |
| 68 | Timely/accurate info sharing enhances public safety | Communicate with law enforcement |
| 69 | Measures how quickly an organization can identify incidents | Importance of MTTD |
| 70 | Disconnect the infected server from the network | Immediate ransomware action |
| 71 | Review & update IR plan based on lessons learned | Post-incident resilience |
| 72 | Testing | Next step after applying a patch |
| 73 | Nessus | Common vulnerability scanner |
| 74 | Containment, Eradication, and Recovery | Active damage-limiting phase |
| 75 | Log records generated by the strategy (not customary) | Containment evaluation criterion |
| 76 | Ensure adherence to policies and regulations | Compliance audit purpose |
| 77 | Isolation | Quarantine VLAN strategy |
| 78 | Isolate public-facing services | Purpose of DMZ |
| 79 | Real-time monitoring | Common EDR feature |
| 80 | Escalate to a higher authority | When initial team is overwhelmed |
| 81 | Document the incident and response | Purpose of incident report |
| 82 | Block unauthorized access | Primary purpose of firewall |
| 83 | Data breaches | Common cloud concern |
| 84 | Vulnerability scanning | Common risk assessment method |
| 85 | Imaging tool leaves remnant data (NOT usually an issue) | Live imaging potential issues |