1.part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensur their respective systems can power back up and match their gold image. If they find a, inconsistencies, they must formally document the information. Which of the following BEST describes this test?
A. Walk through
B. Full interruption
C. Simulation
D. Parallel
2.A security manager has asked an analyst to
provide feedback on the results of a penetration lest. After reviewing the
results the manager requests information regarding the possible exploitation of
vulnerabilities Much of the following information data points would b MIDST
useful for the analyst to provide to the security manager who would then
communicate the risk factors to senior management? (Select TWO)
A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of cornprornise
3.An organization suspects it has had a breach,
and it is trying to determine the potential impact. The organization knows the
following: * The source of the breach is linked to an IP located in a foreign
country. * The breach is isolated to the research and development servers. *
The hash values of the data before and after the breach are unchanged. * The
affected servers were regularly patched, and a recent scan showed no
vulnerabilities. Which 0 the following conclusions canb drawn with respect to
the threat and impact?
(Choose two.)
The confidentiality of the data is unaffected.
B. The threat is an APT.
C. The source IP of the threat has been spoofed.
D. The integrity of the data is unaffected.
E. The threat is an insider.
4.A security analyst has discovered suspicious
traffic and determined a host is connecting to a known malicious website. The
MOST appropriate action for the analyst to take would be lo implement a change
request to:
A. update the antivirus software
B. configure the firewall to block traffic to the domain
C. add the domain to the blacklist
D. create an IPS signature for the domain
5.Which of the following are components of the
intelligence cycle? (Select TWO.) A. Collection
B. Normalization
C. Response
D. Analysis
E. Correction
F. Dissension
6.A small electronics company decides to
use a contractor to assist with Me development of a new FPGA-based device.
Several of the development phases will occur off-site at the contractor's labs.
Whoh of the following is the main concern a security analyst should have with
this arrangement?
A. Making multiple trips between development
sites increases the chance of physical damage to the FPGAs.
B. Moving the FPGA& between development sites will
lessen the time that is available for security Mstng.
C. Development phases occurring at multiple
sites may produce change management issues. D. FPGA applimtions are easily
cloned, increasing Me possibility of intellectual property Meft.
7.A security analyst discovers a vulnerability
on an unpatched web server that is used for testing machine learning on Bing
Data sets. Exploitation of the vulnerability could cost the organization $1.5
million in lost productivity. The server is located on an isolated network
segment that has a 5% chance of being compromised. Which of the following is
the value of this risk?
A. $75.000
B. 5.300.000
C. $1.425 million D. SIB million
8.A security analyst conducted a risk assessment
on an organization's wireless network and identified a high-risk element in the
implementation of data confidentially protection. Which of the following is the
BEST technical security control to mitigate this risk?
A. Switch to RADIUS technology
B. Switch to TACACS+ technology.
C. Switch to 802 IX technology
D. Switch to the WPA2 protocol.
9. An analyst is reviewing the following output:
Which of the following was MOST likely used to
discover this?
A. Reverse engineet ng using a debugger
B. A static analysis vulnerability scan
C. A passive vulnerability scan
D. A web application vulnerability scan
10. An organisation is assessing risks so it can
prioritize its mitigation actions. Following are the risks and their
probability and impact:
Which of the following is the order of priority
for risk mitigation from highest to lowest?
A. A,B,C,D
B. A,D,B,C
C. B,C,A,D
D. C,B,D,A
11. A security analyst is build* a malware
analysis lab. The analyst wants to ensure malicious applications are not
capalate of escaping the virtual machines and pivoting to other networks. To
BEST mitigate this risk, the analyst should use.
A. an 802.11ac wireless bridge to create an air
gap.
B. a managed switch to segment the lab into a separate VLAN.
C. a firewall to isolate the lab network from
all other networks.
D. an unmanaged switch to segment the
environments from one another.
12. Approximately 100 employees at your company
have received a phishing email. As a security analyst you have been tasked with
handling this situation.
INSTRUCTIONS
Review the information provided and determine
the following:
1. How many employees clicked on the link in the
phishing email?
2. On how many
workstations was the malware installed?
3. What is the executable file name or the
malware?
A.
Mastered
13. Which of the following sets of
attributes BEST illustrates the characteristics of an insider threat frorn a
security perspective?
A. Unauthorized, unintentional, benign
B. Unauthorized, intentional, malicious
C. Authorized, intentional, rnalicious
D. Authorized, unintentional, benign
14. A threat feed notes malicious actors have
been infiltrating companies and exfiltration data to a specific set of domains
Management at an organization wants to know if it is a Ictim Which of the
following should the security analyst recommend to identity this behavior
without alerting any poterThal malicious actors?
A. Create an IPS rule to block these domains and
trigger an alert within the SIEM tool when these domains are requested
B. Add the domains to a DNS sinkhole and create an
alert m the SIEM toot when the domains are queried
C. Look up the IP addresses for these
domains and search firewall logs for any traffic being sent to those IPs over
port 443
Page 4 of 67
D. Query DNS logs with a SIEM tool for any hosts
requesting the malicious domains and create alerts based on this information
15. A Chief Information Security Officer (CISO)
is concerned the development team, which consists of contractors, has too much
access to customer data. Developers use personal workstations, giving the
company little to no visibility into the development activities. Which of the
following would be BEST to implement to alleviate the CISO, concern,
A. DLP
B. Encryption
C. Test data
D. NDA
16. A security analyst discovers accounts in
sensitive SaaS-based systems are not being removed in a timely manner when an
employee leaves the organization To BEST resolve the issue, the organization
should implement
A. federated authentication
B. role-based a4cess control.
C. manual account reviews
D. multifactor authentication.
17. A company recently experienced a break-in
whereby a number of hardware assets were stolen through unauthorized access at
the back of the building. Which of the following would BEST prevent this type
of theft from occurring in the future,
A. Motion detection
B. Perimeter fencing
C. Monitored security cameras
D. Badged entry
18. Welcome to the Enterprise Help Desk
System. Please work the ticket escalated to you in the desk ticket queue.
INSTRUCTIONS Clickon rneicl<et to see the ticket details Additional content
is available on tabs within the ticket First, select the appropriate issue from
the drop- down menu. Then, select the MOST likely root cause from second drop-down
menu If at any time you would like to bring back the initial state of the
simulation, please click the Reset All button
19. A company's marketing ernails are either
being found in a spam folder or not being delivered at all. The security
analyst investigates the issue and discovers the emails in question are being
sent on Isehalf of the company by a third party inlmarkeDngpartners.com Below
is the exiting SPP word:
A. Option A
B. Option B
C. Option C
D.
Option D
D. v=spf1 a mx include:mail.marketing.com
~all
20. A securi analyst is evaluating two
vulnerability management tools for possible use in an organization. The analyst
set up each of the tools according to the respective vendors inrtrucbons and
generated a report of vulnerabilities that ran against the same target server.
Tool P. reported the following:
Which of ...Sowing BEST describes the
method used by each tool, (Choose two.)
A. Tool A is agent based.
B. Tool A used fuzzing logic to test vulnerabilities.
C. Tool A is unauthenticated.
D. Tool B utilized machine learning technology.
E. Tool B is agent based.
F. Tool B is unauthenticated.
21. An information security analyst is
compiling data from a recent penetration test and reviews the Pages OP 07
following output :
The analyst wants. obtain more information
about the web-based services that are running on the target.
Which of the following commands would MOST
likely provide the needed information?
A. ping 4 10.39.95.173.rtIns.datacenfers.com
B.felnet 1033.93.173 443
C. ftpd 10.79.95.173.rdns.datacenters.corn 443
D. tracert 10.79.95.173
22.A security analyst is reviewi the logs from
an internal chat server. The chat.log file is too large to
review manually, so the ana st wants to create a
shorter log file that only includes lines associated
with a user demonstrating anomalous activity.
Below is a snippet of the log:
Which of the following commands would work
BEST to achieve the desired result?
A. grep -v
chatter14 chat.log
B. grep -ipythonfun chat.log
C. grep -i javashark chat.log
D. grep -v javashark chat.log
E. grep -v pythonfun chat.log
F. grep -i chatter14 chat.log
Which of the following policies would state an
employee should not disable security safeguards, such as host firewalls and
antivirus on company systems?
A.Code of conduct policy
B.Account management policy
C.Password
policy
D.Acceptable use policy
An analyst is working with a network engineer to
resolve a vulnerability that was found in a piece of
legacy hardware, which is critical to the
operation of the organization's production line. The legacy
hardware dods not have third-party support, and
the OEM manufacturer of the controller is no longer
in operation. The analyst documents the
activities and verifies these actions prevent remote exploitation of the
vulnerability.
Which of the following would be the MOST
appropriate to remediate the controller?
A, Segment the network to constrain access to
administrative interfaces.
B. Replace the equipment that has third-party
support.
C. Remove the legacy hardware from the network.
D. Install an 1DS on the network between the
switch and the legacy equipment.
A large software company wants to move as source
control and deployment pipelines into a cloud-computing environment. Due to the
nature of the business management determines the recovery time objective needs
to be within one hour. Which of the following strategies would put the
company in the BEST position to achieve the
desired recovery time?
A. Establish an alternate site with active
replication to other regions
B, Configure a duplicate environment in the same
region and load balance between both instances
C. Set up every cloud component with duplicated
copies and auto scaling turned on
D. Create a duplicate copy on premises that can
be used for failover in a disaster situation
Which of the following BEST describes the
primary role ol a risk assessment as it relates to compliance
with risk-based frameworks?
A. It demonstrates the organization's mitigation of
risks associated with internal threats.
B. It serves as the basis for control
selection.
C. It prescribes technical control requirements.
D. Itis an input to the business impact
assessment.
A security analyst is reviewing the following
web server log
Which of the following BEST describes the
issue?
A. Directory traversal exploit
B. Cross-site scripting
C. SQL injection
D. Cross-site request forgery
Which of the following secure coding techniques
can be used to prevent cross-site request forgery
attacks?
A. Input validation
B. Output encoding
C. Parameterized queries
D. Tokenization
A large amount of confidential data was leaked
during a recent security breach. As part of a forensic investigation, the
security team needs to identify the various types of traffic that were captured
between two compromised devices.
Which of the following should be used to
identify the traffic?
A. Carving I
B. Disk imaging
C. Packet analysis
D. Memory dump
E. Hashing
An information security analyst observes
anomalous behavior on the SCADA devices in a power
plant. This behavior results in the industrial
generators overheating and destabilizing the power supply.
Which of the following would BEST identify
potential indicators of compromise?
A. Use Burp Suite to capture packets to the
SCADA device's IP.
B, Use tcpdump to capture packets from the SCADA
device IP.
C. Use Wireshark to capture packets between SCADA
devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.
A cybersecurity analyst is contributing to a
team hunt on an organization's endpoints. Which of the following should the
analyst do FIRST?
A. Write detection logic.
B, Establish a hypothesis.
C. Profile the threat actors and activities.
D. Perform a process analysis.
During an incident, a cybersecurity
analyst found several entries in the web server logs that are related to an IP
with a bad reputation . Which of the following would cause the analyst to
further
review the incident?
A. Option A
B. Option B
C. Option C
D. Option D
E. Option E
E. BadReputationIp - - [2019-04-12
10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064
A security analyst is reviewing the following
log entries to identify anomalous activity
Which of the following attack types is
occurring?
A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting
Which of the following attacks can be prevented
by using output encoding?
A, Server-side request forgery
B. Cross-site sgripting
C. SQL injection
D. Command injection
E. Cross-site request forgery
F. Directory traversal
Which of the following roles is ultimately
responsible for determining the classification levels assigned to specific data
sets?
A. Data custodian
B. Data owner
C. Data processor
D. Senior management
A company's modem response team is handling a
threat that was identified on the network Security
analysts have as at remote sites. Which of the
following is the MOST appropriate next step in the
incident response plan?
A. Quarantine the web server
B. Deploy virtual firewalls
C. Capture a forensic image of the memory and
disk
D. Enable web server containerization
A network attack that is exploiting a
vulnerability in the SNMP is detected. Which of the following should the
cybersecurity analyst do FIRST].
A. Apply the required patches to remediate the
vulnerability.
B, Escalate the incident to senior management
for guidance.
C. Disable all privileged user accounts on the
network.
D. Temporarily block the attacking IP address.
A cybersecurity analyst needs to rearchitect the
network using a firewall and a VPN server to achieve
the highest level of security To BEST complete
this task, the analyst should place the:
A. firewall behind the VPN server
B. VPN server parallel to the firewall
C. VPN server behind the firewall
D. VPN on the firewall
Which of the following technologies can be
used to store digital certificates and is typically used in
highsecurity implementations where integrity is
paramount?
A. HSM
B, eFuse
C. UEFI
D. Self-encrypting drive
A security analyst is reviewing packet captures
from a system that was compromised. The system was
already isolated from the network, but it did
have network access for a few hours after being compromised. When viewing the
capture in a packet analyzer, the analyst sees the following:
Which of the following can the analyst conclude?
A. Malware is attempting to beacon to
128,50.100.3.
B. The system is running a DoS attack
against ajgidwle.com.
C. The system is scanning ajgidwle.com for PI
D. Data is being exfiltrated over DNS. Pf
A security administrator needs to create an IDS rule to alert on FTP login attempts by root.
Which of the following rules is the BEST solution?
A. Option A
B. Option B
C. Option C
D. Option D
A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features. Which of the following should be done to prevent this issue from reoccurring?
A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.
B. Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.
C. Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.
D. Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely powering off.
A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk- based policy decision to review and enforce the vendor upgrade
before the end of life is reached. Which of the following risk actions has the security committee taken?
A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance
The display sequence is controlled in a Service Catalog Item using which of the following?A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution?
A. The use of infrastructure-as-code capabilities leads to an increased attack surface.
B. Patching the underlying application server becomes the
responsibility of the client.
C. The application is unable to use encryption at the database level.
D. Insecure application programming interfaces can lead to data compromise.
A penetration tester used a professional directory to identify a network administrator and ID administrator for a client's company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise. Which of the following techniques were used in this scenario?
A. Enumeration and OS fingerprinting
B. Email harvesting and host scanning
C. Social media profiling and phishing
D. Network and host scanning
A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment Which of the following is the BEST solution?
A. Virtualize the system and decommission the physical machine.
B. Remove it from the network and require air gapping.
C. Only allow access to the system via ajumpbox
D. Implement MFA on the specific system.
A security analyst is supporting an embedded software team. Which of the following is the BEST recommendation to ensure proper error handling at runtime?
A. Perform static code analysis.
B. Require application fuzzing.
C. Enforce input validation
D. Perform a code review
After a breach involving the exfiltration of a large amount
of sensitive data a security analyst is reviewing the following firewall logs
to determine how the breach occurred:
Which of the following IP addresses does the analyst need to investigate further?
A. 192.168.1.1
B. 192.168.1.10
C. 192.168.1.12
D. 192.168.1.193
A Chief Security Officer (CSO) is working on the communication requirements or an organization's incident response plan. In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?
A. Public relations must receive information promptly in order to notify the community.
B. Improper communications can create unnecessary complexity and delay response actions.
C. Organizational personnel
must only interact with trusted members of the law enforcement community.
D. Senior leadership should act as the only voice for the incident response team when working with forensics teams.
Clients are unable to access a company's API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs?
A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall
Which of the following software assessment methods would be BEST for gathering data related to an application's availability during peak times?
A. Security regression testing
B. Stress testing
C. Static analysis testing
D. Dynamic analysis testing
E. User acceptance testing
A cybersecurity analyst is currently checking a newly deployed server that has an access control list
applied.
When conducting the scan, the analyst received the following
code snippet of results:
Which of the following describes the output of this scan?
A. The analyst has discovered a False Positive, and the status code is incorrect providing an OK message.
B. The analyst has discovered a True Positive, and the status code is
correct providing a file not found error message.
C. The analyst has discovered a True Positive, and the status code is incorrect providing a forbidden message.
D. The analyst has discovered a False Positive, and the status code is incorrect providing a server error message.
Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident?
A. SSO
B. DLP
C. WAF
D. VDI
A contained section of a building is unable to connect to the Internet A security analyst. A security analyst investigates me issue but does not see any connections to the corporate web proxy However the analyst does notice a small spike in traffic to the Internet. The help desk technician verifies all users are connected to the connect SSID. but there are two of the same SSIDs listed in the network connections. Which of the following BEST describes what is occurring?
A. Bandwidth consumption
B. Denial of service
C. Beaconing
D. Rogue device on the network
A security analyst has been alerted to several emails that snow evidence an employee is planning malicious activities that involve employee Pll on the network before leaving the organization. The security analysis BEST response would be to coordinate with the legal department and:
A. the public relations department
B. senior leadership
C. law enforcement
D. the human resources department
A web-based front end for a business intelligence application uses pass-through authentication to authenticate users The application then uses a service account, to perform queries and look up data on a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue?
A. Change the security model to force the users to access the database
as themselves
B. Parameterize queries to prevent unauthorized SQL queries against the database
C. Configure database security logging using syslog or a SIEM
D. Enforce unique session IDs so users do not get a reused session ID
An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?
A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix
A company was recently awarded several large government contracts and wants todetermine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?
A. Attack vectors
B. Adversary capability
C. Diamond Model of Intrusion Analysis
D. Kill chain
E. Total attack surface
A security architect is reviewing the options for performing input validation on incoming web form submissions. Which of the following should the architect as the MOST secure and manageable option?
A. Client-side whitelisting
B. Server-side whitelisting
C. Server-side blacklisting
D. Client-side blacklisting
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal?
A. To create a system baseline
B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection
A security analyst for a large pharmaceutical company was given credentials from a threat intelligence resources organisation for Internal users, which contain usernames and valid passwords for company accounts. Which of the following is the FIRST action the analyst should take as part of security operations monitoring?
A. Run scheduled antivirus scans on all employees' machines to look for malicious processes.
B. Reimage the machines of all users within the group in case of a malware infection.
C. Change all the user passwords to ensure the malicious actors cannot
use them.
D. Search the event logs for event identifiers that indicate Mimikatz was used.
Which of the following technologies can be used to house the entropy keys for task encryption on desktops and laptops?
A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM
A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following:
Which of the following should the analyst review to find out how the data was exfilltrated?
A. Monday's logs
B. Tuesday's logs
C. Wednesday's logs
D. Thursday's logs
The help desk noticed a security analyst that emails from a
new email server are not being sent out. The new email server was recently
added to the existing ones. The analyst runs the following command on the new
server.
Given the output, which of the following should the security analyst check NEXT?
A. The DNS name of the new email server
B. The version of SPF that is being used
C. The IP address of the new email server
D. The DMARC policy
A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch. Which of the following is the MOST appropriate threat classification for these incidents?
A. Known threat
B. Zero day
C. Unknown threat
D. Advanced persistent threat
A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings. Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?
A. Create an SLA stating that remediation actions must occur within 30 days of discovery for all levels of vulnerabilities.
B. Incorporate prioritization levels into the
remediation process and address critical findings first.
C. Create classification criteria for data residing on different servers and provide remediation only for servers housing sensitive data.
D. Implement a change control policy that allows the security team to quickly deploy patches in the production environment to reduce the risk of any vulnerabilities found.
The inability to do remote updates of certificates, keys software and firmware is a security issue commonly associated with:
A. web servers on private networks.
B. HVAC control systems
C. smartphones
D. firewalls and UTM devices
A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client. Which of the following is MOST likely inhibiting the remediation efforts?
A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows
very little downtime
A security analyst is investigating malicious traffic from an internal system that attempted todownload proxy avoidance software as identified from the firewall logs but the destination IP is blocked and not captured. Which of the following should the analyst do?
A. Shut down the computer
B. Capture live data using Wireshark
C. Take a snapshot
D. Determine if DNS logging is enabled.
E. Review the network logs.
A security analyst received an email with the following key: Xj3XJ3LLc
A second security analyst received an email with following
key: 3XJ3xjcLLC
The security manager has informed the two analysts that the email they received
is a key that allows access to the company's financial segment for maintenance.
This is an example of:
A. dual control
B. private key encryption
C. separation of duties
D. public key encryption.
An analyst is searching a log for potential credit card leaks. The log stores all data encoded in hexadecimal.
Which of the following commands will allow the security analyst to confirm the incident?
A. cat log xxd -r -p | egrep ' [0-9] {16}
B. egrep '(3(0-9)) (16) ' log
C. cat log | xxd -r -p egrep '(0-9) (16)'
D. egrep ' (0-9) (16) ' log | xxdc
A team of security analysts has been
alerted to potential malware activity. The initial examination indicates one of
the affected workstations is beaconing on TCP port 80 to five IP addresses and
attempting to spread across the network over port 445. Which of the following
should be the team's NEXT step during the detection phase of this response
process?
A. Escalate the incident to
management, who will then engage the network infrastructure team to keep them
informed.
B. Depending on system criticality, remove
each affected device from the network by disabling
wired and wireless connections.
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses.
D. Identify potentially affected systems by creating a correlation
search in the SIEM based on the network traffic.
Risk management wants IT to implement a solution thatwill permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.
Which of the following would BEST provide this solution?
A. File fingerprinting
B. Decomposition of malware
C. Risk evaluation
D. Sandboxing
During an investigation, an analyst discovers the following rule in an executive's email client: IF * TO <executive@anycompany.com> THEN mailto: <someaddress@domain.com> SELECT FROM 'sent' THEN DELETE FROM <executive@anycompany.qom> The executive is not aware of this rule.
Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?
A. Check the server logs to evaluate which emails were sent to
<someaddress@domain.com>
B. Use the SIEM to correlate logging events from the email server and the domain server
C. Remove the rule from the email client and change the password
D. Recommend that management implement SPF and DKIM
An analyst performs a routine scan of a host using Nmap and receives the following output:
Which of the following should the analyst investigate FIRST?
A. Port 21
B. Port 22
C. Port 23
D. Port 80
As part of a review of modern response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period?
A. Organizational policies I
B. Vendor requirements and contracts
C. Service-level agreements
D. Legal requirements
A forensic analyst took an image of a workstation that was involved in an incident To BEST ensure the image is not tampered with me analyst should use:
A. hashing
B. backup tapes
C. a legal hold
D. chain of custody.
A finance department employee has received a message that appears to have been sent from the Chief Financial Officer (CFO) asking the employee to perform a wife transfer Analysis of the email shows the message came from an external source and is fraudulent. Which of the following would work BEST to improve the likelihood of employees quickly recognizing fraudulent emails?
A. Implementing a sandboxing solution for viewing emails and attachments
B. Limiting email from the finance department to recipients on a pre-approved whitelist
C. Configuring email client settings to display all messages in plaintext when read
D. Adding a banner to incoming messages that identifies the messages as
external
A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities The type of vulnerability that should be disseminated FIRST is one that:
A. enables remote code execution that is being exploited in the wild.
B. enables data leakage but is not known to be in the environment
C. enables lateral movement and was reported as a proof of concept
D. affected the organization in the past but was probably contained and eradicated
An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?
A. A simulated breach scenario evolving the
incident response team
B. Completion of annual information security awareness training by ail employees
C. Tabtetop activities involving business continuity team members
D. Completion of lessons-learned documentation by the computer security incident response team
E. External and internal penetration testing by a third party
A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system.
After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.
Which of the following BEST describes this attack?
A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack
A cybersecurity analyst is responding to an incident. The company's leadership team wants to attribute the incident to an attack group. Which of the following models would BEST apply to the situation?
A. Intelligence cycle
B. Diamond Model of Intrusion Analysis
C. Kill chain
D. MITRE ATT&CK A
A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:
Which of the following would explain the difference in results?
A. ICMP is being blocked by a firewall.
B. The routing tables for ping and hping3 were different.
C. The original ping command needed root permission to execute.
D. hping3 is returning a false positive.
Which of the following types of policies is used to regulate data storage on the network?
A. Password
B. Acceptable use
C. Account management
D. Retention
Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?
A. Human resources
B. Public relations
C. Marketing
D. Internal network operations center
While analyzing logs from a WAF, a cybersecurity analyst finds the following:
Which of the following BEST describes what the analyst has found?
A. This is an encrypted GET HTTP request
B. A packet is being used to bypass the WAF
C. This is an encrypted packet
D. This is an encoded WAF bypass
In system hardening, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies?
A. SCAP
B. Burp Suite
C. OWASP ZAP
D. Unauthenticated
A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised Which of the following would provide the BEST results?
A. Baseline configuration assessment
B. Uncredentialed scan
C. Network ping sweep
D. External penetration test
As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy. Based on the CISO's concerns, the assessor will MOST likely focus on:
A. qualitative probabilities.
B. quantitative probabilities.
C. qualitative magnitude.
D. quantitative magnitude.
A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution.
Which of the following actions should the technician take to accomplish this task?
A. Add TXT @ "v=spf1 mx
include:_spf.comptiA.org all" to the DNS record.
B. Add TXT @ "v=spf1 mx include:_spf.comptiA.org all" to the email server.
C. Add TXT @ "v=spf1 mx include:_spf.comptiA.org +all" to the domain controller.
D. Add TXT @ "v=spf1 mx include:_spf.comptiA.org +all" to the web server.
https://blog.finjan.com/email-spoofing/
A security analyst was alerted to altile integrity monitoring event based on a change to thevhost-paymonts.conf file The output of the diff command against the known-good backupreads as follows
Which of the following MOST likely occurred?
A. The file was altered to accept payments without
charging the cards
B. The file was altered to avoid logging credit card information
C. The file was altered to verify the card numbers are valid.
D. The file was altered to harvest credit card numbers
An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.
Which of the following should be considered FIRST prior to disposing of the electronic data?
A. Sanitization policy
B. Data sovereignty
C. Encryption policy
D. Retention standards
The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:
*Reduce the number of potential findings by the auditors.
*Limit the scone of tbe audit te only devices used bhy the pavment-processing team for
The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:
* Reduce the number of potential findings by the auditors.
* Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.
* Prevent the external-facing web infrastructure used by other teams from coming into scope.* Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.
Which of the following would be the MOST effective way for the security team to meet these objectives?
A. Limit the permissions to prevent other employees from accessing data owned by the business unit.
B. Segment the servers systems used by the
business unit from the rest of the network.
C. Deploy patches to all servers and workstations across the entire organization. Implement full-disk encryption on the laptops used by employees of the
D. payment-processing team.
A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output:
The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation?
A. This is a false positive and the scanning plugin needs to be updated by the vendor
B. This is a true negative and the new computers have the correct version of the software
C. This is a true positive and the new computers were imaged with an old version of the software
D. This is a false negative and the new computers
need to be updated by the desktop team
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?
A. Requirements analysis and collection planning
B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment research pivoting
An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment One of the primary concerns is exfiltration of data by malicious insiders Which of the following controls is the MOST appropriate to mitigate risks?
A. Data deduplication
B. OS fingerprinting
C. Digital watermarking
D. Data loss prevention
A user receives
a potentially malicious email that contains
spelling errors and a PDF document. A
security analyst reviews
the email and decides to download the attachment to a Linux
sandbox for
review.
Which of the following commands
would MOST likely indicate if the email is malicious?
A.
sha256sum ~/Desktop/file.pdf
B.
file ~/Desktop/file.pdf
C.
strings ~/Desktop/file.pdf | grep "<script"
D.
cat < ~/Desktop/file.pdf | grep -i .exe
A security analyst is investigating an incident that appears to have started with SQL injection against a
publicly available web application. Which of the followinglis the FIRST step theanalyst shoild take to
prevent future attacks?
A. Modify
the IDS rules
to have a signature for SQL injection.
B. Take the server offline to prevent continued SQL injection attacks.
C. Create a WAF rule In block mode for SQL injection
D. Ask the developers to implement parameterized SQL queries.
An analyst has been asked to provide feedback regarding the control required by a revised regulatory
framework At this time, the analyst only needs to focus on the technical controls. Which of the following should the analyst provide an assessment of?
A. Tokenization of sensitive data
B. Establishment o' data classifications
C. Reporting on data retention and purging activities
D. Formal identification of data ownership
E. Execution of NDAs
During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user.
Which of the following commands should the analyst investigate FIRST?
A. Line 1
B. Line
2
c. Line 3
D. Line 4
E. Line S
F. Line 6
An incident response team is responding to a breach of multiple systems that contain Pll and PHI.
Disclosing the incident to external entities should be based on:
A.
the responder's discretion
B. the public relations policy
C. the communication plan
D. senior management's guidance
A company
wants to establish a threat-hunting team.
Which of the following BEST
describes the
rationale for integration intelligence into hunt operations?
A.
It enables the team to prioritize the focus area and tactics
within the company's environment.
B. It provide critically analyses for key enterprise servers and services.
C. It allow analysis to receive updates on newly discovered software vulnerabilities.
D. It supports rapid response and recovery during and followed an incident.
An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce
staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.
Which of the following methods would BEST secure the company's infrastructure and be the simplest
to manage and maintain?
A. Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment.
B. Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules.
C.
Create one cloud account and three separate
VPCs for each environment. Create security rules
to allow access
to and from each environment.
D. Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account.
A security analyst received an alert from the SIEM indicating numerous login attempts from users
outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.
Which of the following is the MOST likely cause of this issue?
A. A password-spraying attack
was performed against the organization.
B. A DDoS attack was performed against the organization.
C. This was normal shift work activity; the SIEM's Al is learning.
D. Acredentialed external vulnerability scan was performed.
A company just chose a global software company based in Europe to implement a new supply chain
management solution. Which of the following would be the MAIN concern of the company?
A.
Violating national security
policy
B. Packet injection
C. Loss of intellectual property
D. International labor laws
A security analyst suspects a malware infection was caused by a user who downloaded malware after
clicking
http://<malwaresource>/A.php in a phishing email.
To prevent other computers frpm being infected by the same malware variation, the analyst should create a rule on the
A. email server that automatically deletes attached executables.
B. IDS to match the malware
sample.
C. proxy to block all connections to <malwaresource>.
D. firewall to block connection attempts to dynamic DNS hosts.
A security analyst discovered a specific series of IP addresses that are targeting an organization.
None of the attacks have been successful. Which of the following should the security analyst perform NEXT?
A. Begin blocking all IP addresses within that subnet.
B. Determine the attack vector and total attack surface.
C. Begin a kill chain analysis to determine the impact.
D. Conduct threat research on the IP addresses
An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.
Which of the following should the analyst do NEXT?
A. Decompile each binary to derive the source code.
B. Perform a factory reset on the affected mobile device.
C. Compute SHA-256 hashes for each binary.
D. Encrypt the binaries using an authenticated AES-256 mode of operation.
E. Inspect the permissions manifests within each application.
An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any,
passwords are being used. Which of the following commands should the analyst use?
A. tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21
A security analyst has received reports of very slow, intermittent access to a public-facing corporate
server.
Suspecting the system may be compromised, the analyst runs the following
commands:
A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B.
Examine
the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server
A security analyst is investigating a malware infection that occurred on a Windows system.The
system was not connected to a network and had no wireless capability Company policy prohibits
using portable media or mobile storage The security analyst is trying to determine which user caused
the malware to get onto the system Which of the following registry keys would MOST likely have this information?
A. HKEY_USERS\<user SID>\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C. HKEY_USERS\<user SID>\Software\Microsoft\Windows\explorer\MountPoints2
D. HKEY_USERS\<user SID>\Software\Microsoft\Internet Explorer\Typed URLs
E. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub
Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns?
A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty
user reports to the security team that her browser began redirecting her to random sites while using her Windows laptop. Further, she reports that the OS shows the C: drive is out of space despite having plenty of space recently. She claims not to have downloaded anything. The security team obtains the laptop and begins to investigate, noting the following:
* File access auditing is turned off.
* When clearing up disk space to make the laptop functional, files that appear to be cached web page:
are immediately created in a temporary directory, filling up the available drive space.
* All processes running appear to be legitimate processes for this user and machine.
* Network traffic spikes when the space is cleared on the laptop.
* No browser is open.
Which of the following initial actions and tools would provide the BEST approach to determining
what is happening?
A. Delete the temporary files, run an Nmap scan, and utilize Burp Suite.
B.
Disable the network
connection, check Sysinternals Process Explorer, and review netstat
output.
C. Perform a hard power down of the laptop, take a dd image, and analyze with FTK.
D. Review logins to the laptop, search Windows Event Viewer, and review Wireshark captures.
A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using?
A. Social media accounts attributed to the threat actor
B. Custom malware attributed to the threat actor from prior attacks
C. Email addresses and phone numbers tied to the threat actor
D. Network assets used in previous attacks attributed to
the threat actor
E. IP addresses used by the threat actor for command and control
A security analyst has a sample of malicious software and needs to know what the sample does? The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior. Which of the following malware analysis approaches is this?
A. White box testing
B. Fuzzing
C. Sandboxing
D. Static code analysis
An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?
A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same
cloud provider in a different region
D. Configure the systems with a cold site at another cloud provider that can be used for failover.
A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named Webserverlist.xml. The host list is provided in a file named werbserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?
A. Option A
B. Option B
C. Option C
D. Option D
An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds. Which of the following can be inferred from this activity?
A. 10.200.2.0/24 is infected with ransomware.
B. 10.200.2.0/24 is not routable address space.
C. 10.200.2.5 is a rogue endpoint.
D. 10.200.2.5 is exfiltrating data.
Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?
A. Use a UEFI boot password.
B. Implement a self-encrypted disk.
C. Configure filesystem encryption
D. Enable Secure Boot using TPM
Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset?
Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset?
A. It automatically performs remedial configuration changes to enterprise security services
B. It enables standard checklist and vulnerability
analysis expressions for automation
C. It establishes a continuous integration environment for software development operations
D. It provides validation of suspected system vulnerabilities through workflow orchestration
A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process. Which of t e following remediation actions should the analyst take to implement a vulnerability management process?
A. Personnel training
B. Vulnerability scan
C. Change management
D. Sandboxing
The help desk provided a security analyst with a screenshot of a user's desktop:
For which of the following is aircrack-ng being used?
A. Wireless access point discovery
B. Rainbow attack
C. Brute-force attack
D. PCAP data collection
Which of the following is the BEST way to share incident-related artifacts to provide non- repudiation?
A. Secure email
B. Encrypted USB drives
C. Cloud containers
D. Network folders
Which of the following will allow different cloud instances to share various types of data with aminimal amount of complexity?
A. Reverse engineering
B. Application log collectors
C. Workflow orchestration
D. API integration
E. Scripting
An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.
Which of the following is MOST likely to be a false positive?
A. OpenSSH/OpenSSL Package Random Number Generator Weakness
B. Apache HTTP Server Byte Range DoS
C. GDI+ Remote Code Execution Vulnerability (MS08-052) D. HTTP TRACE / TRACK Methods Allowed (002-1208)
E. SSL Certificate Expiry
A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?
A. Nikto
B. Aircrak-ng
C. Nessus
D. tcpdump
During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries for IP 192.168.50.2 for a 24-hour period:
To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.
A. DST 138.10.2.5.
B. DST 138.10.25.5.
C. DST 172.10.3.5.
D. DST 172.10.45.5.
E. DST 175.35.20.5.
🙂ذا كله سؤال واحد
Because some clients
have reported unauthorized activity on their accounts, security analyst is
reviewing network packet captures from the company's API server. A portion of a
capture file is shown below:
POST /services/v1_0/Public/Members.svc/soap
<s:Envelope+xmlns:s="http://schemas.s/soap/envelope/
"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">
<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchem a- instance
"></s:Body></s:Envelope> 192.168.1.22 -- api.somesite.com 200 0 1006 1001 0 192.168.1.22 POS T/services/v1_0/Public/Members.svc/soap
<<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/>
<a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>somebody@compan yname.com
192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89
POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="
http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.o rg/ ">
<a:IPAddress>516.7.446.605</a:lPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s :Body><
192.168.1.22 - - api.somesite.com 200 0 1003 1011 307 192.168.1.22
POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s=" http://schemas.xmlsoap.org/soap/envelope/ http://tempuri.org/">
<request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i=" http://www.w3.org/2001/XMLSchema-instance
<a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUs erl d>0<
<a:Networkld>4</a:Networkld><a:Providerld>"1=1</a:Providerld><a:Userld>13026046</a:Userld><la'Authe
192.168.5.66 -- api.somesite.com 200 0 1378 1209 48 192.168.4.89
Which of the following
MOST likely explains how the clients' accounts were compromised?
A. The clients' authentication tokens were
impersonated and replayed.
B. The clients'
usernames and passwords were transmitted in cleartext.
C. An XSS scripting
attack was carried out on the server.
D. A SQL injection
attack was carried out on the server.
An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal?
A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting
A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?
A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network
B. Change the SSID, strengthen the passcode, and
implement MAC filtering on the wireless router.
C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network
D. Conduct a wireless survey to determine if the wireless strength needs to be reduced.
Employees of a large financial company are continuously being Infected by strands of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?
A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation
During a cyber incident, which of the following is the BEST course of action?
A. Switch to using a pre-approved, secure, third-party communication system.
B. Keep the entire company informed to ensure transparency and integrity during the incident.
C. Restrict customer communication until the severity of the breach is confirmed.
D. Limit communications to pre-authorized parties to
ensure response efforts remain confidential.
Which of me following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset?
A. It automatically performs remedial configuration changes lo enterprise security services
B. It enables standard checklist and vulnerability
analysis expressions for automaton
C. It establishes a continuous integration environment for software development operations
D. It provides validation of suspected system vulnerabilities through workflow orchestration
During a cyber incident, which of the following is the BEST course of action?
A. Switch to using a pre-approved, secure, third-party communication system.
B. Keep the entire company informed to ensure transparency and integrity during the incident. C. Restrict customer communication until the severity of the breach is confirmed.
D. Limit communications to pre-authorized parties to
ensure response efforts remain confidential.
Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset?
A. It automatically performs remedial configuration changes lo enterprise security services
B. It enables standard checklist and vulnerability
analysis expressions for automaton
C. It establishes a continuous integration environment for software development operations
D. It provides validation of suspected system vulnerabilities through workflow orchestration
An organization has not had an incident for several month. The Chief information Security Officer (CISO) wants to move to proactive stance for security investigations. Which of the following would BEST meet that goal?
A. Root-cause analysis
B. Active response
C. Advanced antivirus D. Information-sharing community
E. Threat hunting
For machine learning to be applied effectively toward security analysis automation, it requires.
A. relevant training data.
B. a threat feed API.
C. a multicore, multiprocessor system.
D. anomalous traffic signatures.
A developer wrote a seript to make names and other Pll data unidentifiable before loading a database export into the testing system Which of the following describes the type of control that is being used?
A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification
A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.
Which of the following is the NEXT step the analyst should take to address the issue?
A. Audit access permissions for all employees to ensure least privilege.
B. Force a password reset for the impacted employees and
revoke any tokens.
C. Configure SSO to prevent passwords from going outside the local network.
D. Set up privileged access management to ensure auditing is enabled.
Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?
A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM
A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet. Which of the following solutions would meet this requirement?
A. Establish a hosted SSO.
B. Implement a CASB.
C. Virtualize the server.
D. Air gap the server.
An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization the employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message in addition to retraining the employee, which of the following would prevent this from happening in the future?
A. Implement outgoing filter rules to quarantine messages that contain card data
B.
Configure the outgoing mail filter to allow attachments only to addresses on
the whitelist
C. Remove all external recipients from the employee's address book
D. Set the outgoing mail filter to strip spreadsheet attachments from all messages.
A security analyst is reviewing a suspected phishing campaign that has targeted an organization. The organization has enabled a few email security technologies in the last year: however, the analyst believes the security features are working. The analyst runs the following command:
> dig domain._domainkey.comptia.orq TXT
Which of the following email protection technologies is the analyst MOST likely validating?
A. SPF
B. DNSSEC
C. DMARC
D. DKIM
A security analyst, who is working for a company that utilizes Linux servers, receives the following results from vulnerability scan:
Which of the following is MOST likely false positive?
A. ICMP timestamp request remote date disclosure
B. Windows SMB service enumeration via \srvsvc
C. Anonymous FTP enabled
D. Unsupported web server detection
A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats. Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?
A. Development of a hypothesis as part of threat hunting
B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans
Which of the following MOST accurately describes an HSM?
A.
An HSM is a low-cost solution for encryption.
B. An HSM can be networked based or a removable USB
C. An HSM is slower at encrypting than software
D. An HSM is explicitly used for MFA
A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal?
A. Continuous integration and deployment
B. Automation and orchestration
C.
Static and dynamic analysis
D. Information sharing and analysis
A
cyber-incident response analyst is investigating a suspected cryptocurrency
miner on a company's server.
Which of the following is the FIRST step the
analyst should take?
A. Create a full disk image of the server's
hard drive to look for the file containing the malware.
B. Run a manual antivirus scan on the machine
to look for known malicious software.
C. Take memory
snapshot of the machine to capture volatile information stored in memory.
D. Start packet capturing to look for traffic that could
be indicative of command and control from the miner.
A security analyst
needs to reduce the overall attack surface. Which of the following
infrastructure changes should the analyst recommend?
A. Implement a
honeypot.
B. Air gap
sensitive systems.
C. Increase the network segmentation.
D. Implement a
cloud-based architecture.
A cybersecurity analyst is dissecting an
intrusion down to the specific techniques and wants to organize them in a
logical manner. Which of the following frameworks would BEST apply in this
situation?
A. Pyramid of Pain
B.
MITRE ATT&CK
C. Diamond Model of Intrusion
Analysts
D. CVSS v3.0
A security analyst scanned an
internal company subnet and discovered a host with the following Nmap output.
A. Port 22
B.
Port 135
C. Port 445
D. Port 3389
Answer
port 135
A security analyst working in the
SOC recently discovered which hosts visited a specific set of domains and IPs
and became infected with malware. Which of the following is the MOST
appropriate action to take in the situation?
A. implement an IPS signature for
the malware and update the blacklisting for the associated domains and IPs
B. Implement an IPS signature for
the malware and another signature request to Nock all the associated domains
and IPs
C.
Implement a change request to the firewall setting to not allow traffic to and
from the IPs and domains
D. Implement an IPS signature for
the malware and a change request to the firewall setting to not allow traffic
to and from the IPs and domains
Which of the following is the MOST
important objective of a post-incident review?
A.
Capture lessons learned and improve incident response processes
B. Develop a process for containment
and continue improvement efforts
C. Identify new technologies and
strategies to remediate
D. Identify a new management
strategy
Bootloader
malware was recently discovered on several company workstations. All the
workstations run Windows and are current models with UEFI capability. Which of
the following UEFI settings is the MOST likely cause of the infections?
A. Compatibility mode
B. Secure boot
mode
C. Native mode
D. Fast boot
mode
An
organization that handles sensitive financial information wants to perform
tokenization of data to enable the execution of recurring transactions. The
organization is most interested in a secure, built-in device to support its
solution. Which of the following would MOST likely be required to perform the
desired function?
A.
TPM
B.
eFuse
C.
FPGA
D.
HSM
E.
UEFI
A security analyst has discovered
trial developers have installed browsers on all development servers in the
company's cloud infrastructure and are using them to browse the Internet. Which
of the following changes should the security analyst make to BEST protect the
environment?
A.
Create a security rule that blocks Internet access in the development VPC
B. Place a jumpbox m between the
developers' workstations and the development VPC
C. Remove the administrator profile
from the developer user group in identity and access management
D. Create an alert that is triggered when a
developer installs an application on a server
A team of security analysis has been alerted
to potential malware activity. The initial examination indicates one of the affected
workstations of beaconing on TCP port 80 to five IP addresses and attempting to
spiead across the network over port 445. Which of the following should be the
team's NEXT step during the detection phase of this response process?
A.
Escalate
the incident to management ,who will then engage the network infrastructure
team to keep them informed
B.
Depending
on system critically remove each affected device from the network by disabling
wired and wireless connections
C.
Engage the engineering team to block SMB traffic
internally and outbound HTTP traffic to the five IP addresses Identify
potentially affected systems by creating a correlation
D.
Identify potentially
affected system by creating a correlation search in the SIEM based on the
network traffic.
A pharmaceutical company's marketing
team wants to send out notifications about new products to alert users of
recalls and newly discovered adverse drug reactions. The team plans to use the
names and mailing addresses that users have provided. Which of the following
data privacy standards does this violate?
A.
Purpose limitation
B. Sovereignty
C. Data minimization
D. Retention
The Chief Executive Officer (CEO) of
a large insurance company has reported phishing emails that contain malicious
links are targeting the entire organza lion Which of the following actions
would work BEST to prevent against this type of attack?
A. Turn on full behavioral analysis
to avert an infection
B. Implement an EOR mail module that
will rewrite and analyze email links.
C. Reconfigure the EDR solution to
perform real-time scanning of all files
D.
Ensure EDR signatures are updated every day to avert infection.
E. Modify the EDR solution to use
heuristic analysis techniques for malware.
As part of a review of incident
response plans, which of the following is MOST important for an organization to
understand when establishing the breach notification period?
A. Organizational policies
B. Vendor requirements and contracts
C. Service-level agreements
D.
Legal requirements
An information security analyst on a
threat-hunting team Is working with administrators to create a hypothesis
related to an internally developed web application The working hypothesis is as
follows:
-
Due to the
nature of the industry, the application hosts sensitive data associated with
many clients and Is a significant target
-
The platform Is most likely vulnerable to poor
patching and Inadequate server hardening, which expose vulnerable services.
-
The application is likely to be targeted with
SQL injection attacks due to the large number of reporting capabilities within
the application.
As a result, the systems
administrator upgrades outdated service applications and validates the endpoint
configuration against an industry benchmark. The analyst suggests developers
receive additional training on implementing identity and access management, and
also implements a WAF to protect against SQL injection attacks .Which of the
following BEST represents the technique in use?
A. Improving detection capabilities
B. Bundling critical assets
C. Profiling threat actors and
activities
D.
Reducing the attack surface area
A security analyst is reviewing a
web application. If an unauthenticated user tries to access a page in the
application, the user is redirected to the login page. After successful
authentication, the user is then redirected back to the original page. Some
users have reported receiving phishing emails with a link that takes them to
the application login page but then redirects to a fake login page after
successful authentication. Which of the following will remediate this software
vulnerability?
A.
Enforce unique session IDs for the application.
B. Deploy a WAF In front of the web
application.
C. Check for and enforce the proper
domain for the redirect.
D. Use a parameterized query to
check the credentials.
E. Implement email filtering with
anti-phishing protection.
A critical server was compromised by
malware, and all functionality was lost. Backups of this server were taken;
however, management believes a logic bomb may have been injected by a rootkit.
Which of the following should a security analyst perform to restore
functionality quickly?
A. Work backward, restoring each
backup until the server is clean
B. Restore the previous backup and
scan with a live boot anti-malware scanner
C.
Stand up a new server and restore critical data from backups
D. Offload the critical data to a
new server and continue operations
Ransomware is identified on a
company's network that affects both Windows and MAC hosts. The command and
control channel for encryption for this variant uses TCP ports from 11000 to
65000. The channel goes to good1. Iholdbadkeys.com, which resolves to IP
address 72.172.16.2. Which of the following is the MOST effective way to
prevent any newly infected systems from actually encrypting the data on
connected network drives while causing the least disruption to normal Internet
traffic?
A
Block all outbound traffic to web host good1 iholdbadkeys.com at the border
gateway.
B. Block all outbound TCP
connections to IP host address 172.172.16.2 at the border gateway. C. Block all
outbound traffic on TCP ports 11000 to 65000 at the border gateway.
D. Block all outbound traffic on TCP
ports 11000 to 65000 to IP host address 172.172.16.2 at the border gateway.
A hybrid control is one that :
A. is implemented differently on individual systems.
B. is implemented at the enterprise and system levels.
C. has operational and technical components.
D. authenticates using passwords and hardware tokens.
A system's authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now. The
cybersecurity group just performed a vulnerability scan with the partial set of results shown below:
Based on the scenario and the output from the vulnerability scan, which of the following should the
security team do with this finding?
A.Remediate
by going to the web config file, searching for the enforce HTTP validation
setting,
and manually updating to the correct setting.
B.Accept this risk for now because this is a "high" severity, but testing will require more than the four days available, and the system ATO needs to be competed.
C. lgnore it. This is false positive, and the organization needs to focus its efforts on other findings.
D. Ensure HTTP validation is enabled by rebooting the server.
A security analyst is reviewing vulnerability scan results and notices new workstations are being
flagged as having outdated antivirus signatures. The analyst observes the following plugin output:
Antivirus installed on the remote host:
Installation path: C/\Program Files\AVProduct\Win32\
Product Engine: 14.12.101
Engine Version: 3.5.71
Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be
supported.
The engine version is out of date. The oldest supported version from the vendor is 4.2.11.
The analyst uses the vendor's website to confirm the oldest supported version is correct.
Which of the following BEST describes the situation?
A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
B. This is a true negative, and the new computers have the correct version of the software.
C. This is a true positive, and the new computers were imaged with an old version of the software.
D.
This is a false negative, and the new computers need to be updated by the
desktop team.
A bad actor bypasses authentication and reveals all records in a database through an SQL
injection.
Implementation of which of the following would work BEST to prevent similar attacks in the future?
A. Strict input validation
B. Blacklisting
C. SQL patching
D. Content filtering
E. Output encoding
ليست هناك تعليقات:
إرسال تعليق