CS0-002 Exam questions part 2
A security analyst has discovered that developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the Internet. Which of the following changes should the security analyst make to BEST protect the environment? A. Create a security rule that blocks Internet access in the development VPC B. Place a jumpbox in between the developers' workstations and the development VPC C. Remove the administrator's profile from the developer user group in identity and access management D. Create an alert that is triggered when a developer installs an application on a server
A. Create a security rule that blocks Internet access in the development VPC
A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns? A. Data masking B. Data loss prevention C. Data minimization D. Data sovereignty
A. Data masking
The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization's security posture? A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
ich of the following secure coding techniques can be used to prevent cross-site request forgery attacks? A. Input validation B. Output encoding C. Parameterized queries D. Tokenization
A. Input validation
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations? A. It enables the team to prioritize the focus areas and tactics within the company's environment B. It provides criticality analyses for key enterprise servers and services C. It allows analysts to receive routine updates on newly discovered software vulnerabilities D. It supports rapid response and recovery during and following an incident
A. It enables the team to prioritize the focus areas and tactics within the company's environment
A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.Which of the following data privacy standards does this violate? A. Purpose limitation B. Sovereignty C. Data minimization D. Retention
A. Purpose limitation
A security analyst is monitoring a company's network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the BEST way for the security analyst to respond? A. Report this activity as a false positive, as the activity is legitimate. B. Isolate the system and begin a forensic investigation to determine what was compromised. C. Recommend network segmentation to management as a way to secure the various environments. D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.
A. Report this activity as a false positive, as the activity is legitimate.
To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies? A. SCAP B. SAST C. DAST D. DACS
A. SCAP
A security analyst is reviewing the following DNS logs as part of security-monitoring activities:Which of the following MOST likely occurred? A. The attack used an algorithm to generate command and control information dynamically Most Voted B. The attack attempted to contact www.google.com to verify Internet connectivity C. The attack used encryption to obfuscate the payload and bypass detection by an IDS D. The attack caused an internal host to connect to a command and control server
A. The attack used an algorithm to generate command and control information dynamically Most Voted
Question #227Topic 1 An organization's Chief Information Security Officer (CISO) has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers. Which of the following is a benefit of having these communication plans? A. They can help to prevent the inadvertent release of damaging information outside the organization. B. They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase. C. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected. D. They can help to keep the organization's senior leadership informed about the status of patching during the recovery phase.
A. They can help to prevent the inadvertent release of damaging information outside the organization.
A company's change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:Which of the following is the MOST likely reason for the change? A. To reject email from servers that are not listed in the SPF record To reject email from email addresses that are not digitally signed. C. To accept email to the company's domain. D. To reject email from users who are not authenticated to the network.
A. To reject email from servers that are not listed in the SPF record
An analyst has been asked to provide feedback regarding the controls required by a revised regulatory framework. At this time, the analyst only needs to focus on the technical controls.Which of the following should the analyst provide an assessment of? A. Tokenization of sensitive data B. Establishment of data classifications C. Reporting on data retention and purging activities D. Formal identification of data ownership E. Execution of NDAs
A. Tokenization of sensitive data
A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called ג€packetCaptureג€. The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will BEST accomplish the analyst's objectives? A. tcpdump ג€"w packetCapture B. tcpdump ג€"a packetCapture C. tcpdump ג€"n packetCapture D. nmap ג€"v > packetCapture E. nmap ג€"oA > packetCapture
A. tcpdump ג€"w packetCapture
A company that uses email for all internal and external communications received a legal notice from a vendor that was disputing a contract award. The company needs to implement a legal hold on the email of users who were involved in the vendor selection process and the awarding of the contract. Which of the following describes the appropriate steps that should be taken to comply with the legal notice? A. Notify the security team of the legal hold and remove user access to the email accounts. B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen. C. Disable the user accounts that are associated with the legal hold and create new user accounts so they can continue doing business. D. Encrypt messages that are associated with the legal hold and initiate a chain of custody to ensure admissibility in future legal proceedings.
B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen.
A managed security service provider (MSSP) has alerted a user that an account was added to the local administrator group for the servers named EC2AMAZ-HG87B4 and EC2AMAZ-B643M2. A security analyst logs in to the cloud provider's graphical user interface to determine the IP addresses of the servers and sees the following data:Which of the following changes to the current architecture would work BEST to help the analyst to troubleshoot future alerts? A. Rename all hosts to the value listed in the instance ID field. B. Create a standard naming convention for all hostnames. C. Create an asset tag that identifies each instance by hostname. Most Voted D. Instruct the MSSP to add the platform name from the cloud console to all alerts.
B. Create a standard naming convention for all hostnames.
Which of the following attacks can be prevented by using output encoding? A. Server-side request forgery B. Cross-site scripting C. SQL injection D. Command injection E. Cross-site request forgery F. Directory traversal
B. Cross-site scripting
While reviewing log files, a security analyst uncovers a brute-force attack that is being performed against an external webmail portal. Which of the following would be BEST to prevent this type of attack from being successful? A. Create a new rule in the IDS that triggers an alert on repeated login attempts B. Implement MFA on the email portal using out-of-band code delivery C. Alter the lockout policy to ensure users are permanently locked out after five attempts D. Leverage password filters to prevent weak passwords on employee accounts from being exploited E. Configure a WAF with brute-force protection rules in block mode
B. Implement MFA on the email portal using out-of-band code delivery
Question #203Topic 1 An organization is upgrading its network and all of its workstations. The project will occur in phases, with infrastructure upgrades each month and workstation installs every other week. The schedule should accommodate the enterprise-wide changes, while minimizing the impact to the network. Which of the following schedules BEST addresses these requirements? A. Monthly vulnerability scans, biweekly topology scans, daily host discovery scans B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans C. Monthly host discovery scans, biweekly vulnerability scans, monthly topology scans D. Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans
B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans
A security analyst needs to obtain the footprint of the network. The footprint must identify the following information:✑ TCP and UDP services running on a targeted system✑ Types of operating systems and versions✑ Specific applications and versionsWhich of the following tools should the analyst use to obtain the data? A. Prowler B. Nmap C. Reaver D. ZAP
B. Nmap
A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation? A. Enforce the existing security standards and controls B. Perform a risk analysis and qualify the risk with legal C. Perform research and propose a better technology D. Enforce the standard permits
B. Perform a risk analysis and qualify the risk with legal
Question #226Topic 1 A security analyst is auditing firewall rules with the goal of scanning some known ports to check the firewall's behavior and responses. The analyst executes the following commands:The analyst then compares the following results for port 22:✑ nmap returns ג€Closedג€✑ hping3 returns ג€flags=RAג€Which of the following BEST describes the firewall rule? A. DNAT ג€"-to-destination 1.1.1.1:3000 B. REJECT with ג€"-tcp-reset C. LOG ג€"-log-tcp-sequence D. DROP
B. REJECT with ג€"-tcp-reset
While investigating an incident in a company's SIEM console, a security analyst found hundreds of failed SSH login attempts, which all occurred in rapid succession. The failed attempts were followed by a successful login on the root user. Company policy allows systems administrators to manage their systems only from the company's internal network using their assigned corporate logins. Which of the following are the BEST actions the analyst can take to stop any further compromise? (Choose two.) A. Add a rule on the affected system to block access to port TCP/22. B. Reset the passwords for all accounts on the affected system. C. Add a rule on the perimeter firewall to block the source IP address. D. Configure /etc/sshd_config to deny root logins and restart the SSHD service. E. Configure /etc/passwd to deny root logins and restart the SSHD service. F. Add a rule on the network IPS to block SSH user sessions. Hide Solution Discussion 7
B. Reset the passwords for all accounts on the affected system. D. Configure /etc/sshd_config to deny root logins and restart the SSHD service.
An analyst has received a notification about potential malicious activity against a web server. The analyst logs in to a central log collection server and runs the following command: ג€cat access.log.1 | grep ג€unionג€. The output shown below appears:<68.71.54.117> ג€" ג€" [31/Jan/2020:10:02:31 ג€"0400] ג€Get /cgi-bin/backend1.sh?id=%20union%20select%20192.168.60.50 HTTP/1.1ג€Which of the following attacks has occurred on the server? A. Cross-site request forgery B. SQL injection C. Cross-site scripting D. Directory traversal
B. SQL injection
A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port? A. The server is configured to communicate on the secure database listener port. B. Someone has configured an unauthorized SMTP application over SSL C. A connection from the database to the web front end is communicating on the port D. The server is receiving a secure connection using the new TLS 1.3 standard
B. Someone has configured an unauthorized SMTP application over SSL
An organization's network administrator uncovered a rogue device on the network that is emulating the characteristics of a switch. The device is trunking protocols and inserting tagging values to control the flow of traffic at the data link layer. Which of the following BEST describes the attack? A. DNS pharming B. VLAN hopping C. Spoofing D. Injection attack
B. VLAN hopping
A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security patch.Which of the following BEST describes the reason for the analyst's immediate action? A. Nation-state hackers are targeting the region. B. A new vulnerability was discovered by a vendor. C. A known exploit was discovered. D. A new zero-day threat needs to be addressed. E. There is an insider threat.
C. A known exploit was discovered.
A company's Chief Information Security Officer (CISO) published an Internet usage policy that prohibits employees from accessing unauthorized websites. The IT department whitelisted websites used for business needs. The CISO wants the security analyst to recommend a solution that would improve security and support employee morale. Which of the following security recommendations would allow employees to browse non-business-related websites? A. Implement a virtual machine alternative. B. Develop a new secured browser. C. Configure a personal business VLAN. D. Install kiosks throughout the building.
C. Configure a personal business VLAN.
Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices? A. Use a UEFI boot password B. Implement a self-encrypted disk C. Configure filesystem encryption D. Enable Secure Boot using TPM
C. Configure filesystem encryption
A Chief Executive Officer (CEO) is concerned about the company's intellectual property being leaked to competitors. The security team performed an extensive review but did not find any indication of an outside breach. The data sets are currently encrypted using the Triple Data Encryption Algorithm. Which of the following courses of action is appropriate? A. Limit all access to the sensitive data based on geographic access requirements with strict role-based access controls. B. Enable data masking and reencrypt the data sets using AES-256. C. Ensure the data is correctly classified and labeled, and that DLP rules are appropriate to prevent disclosure. D. Use data tokenization on sensitive fields, reencrypt the data sets using AES-256, and then create an MD5 hash.
C. Ensure the data is correctly classified and labeled, and that DLP rules are appropriate to prevent disclosure.
A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of incident in the future? A. Implement a UTM instead of a stateful firewall and enable gateway antivirus. B. Back up the workstations to facilitate recovery and create a gold image. C. Establish a ransomware awareness program and implement secure and verifiable backups. D. Virtualize all the endpoints with daily snapshots of the virtual machines.
C. Establish a ransomware awareness program and implement secure and verifiable backups.
Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry? A. Real-time and automated firewall rules subscriptions B. Open-source intelligence, such as social media and blogs C. Information sharing and analysis membership D. Common vulnerability and exposure bulletins
C. Information sharing and analysis membership
Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application? A. Input validation B. SQL injection C. Parameterized queries D. Web-application firewall E. Multifactor authentication
C. Parameterized queries
A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance? A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network. B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed. C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it. D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
A security analyst is concerned that a third-party application may have access to user passwords during authentication. Which of the following protocols should the application use to alleviate the analyst's concern? A. LDAPS B. MFA C. SAML D. SHA-1
C. SAML
Which of the following is the BEST way to gather patch information on a specific server? A. Event Viewer B. Custom script C. SCAP software D. CI/CD
C. SCAP software
A proposed network architecture requires systems to be separated from each other logically based on defined risk levels. Which of the following explains the reason why an architect would set up the network this way? A. To complicate the network and frustrate a potential malicious attacker B. To create a design that simplifies the supporting network C. To reduce the attack surface of those systems by segmenting the network based on risk D. To reduce the number of IP addresses that are used on the network
C. To reduce the attack surface of those systems by segmenting the network based on risk
A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the MOST appropriate product category for this purpose? A. SCAP B. SOAR C. UEBA D. WAF
C. UEBA
Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites? A. MFA on the workstations B. Additional host firewall rules C. VDI environment D. Hard drive encryption E. Network access control F. Network segmentation
C. VDI environment
An analyst is searching a log for potential credit card leaks. The log stores all data encoded in hexadecimal. Which of the following commands will allow the security analyst to confirm the incident? A. cat log |xxd ג€"r ג€"p | egrep ג€"v '[0-9]{16}' B. egrep '(3[0-9]){16}' log C. cat log |xxd ג€"r ג€"p | egrep '[0-9]{16}' D. egrep '[0-9]{16}' log |xxd
C. cat log |xxd ג€"r ג€"p | egrep '[0-9]{16}'
An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team wants to find out if any of these files were downloaded by public users accessing the server. The results should be written to a text file and should include the date, time, and IP address associated with any spreadsheet downloads. The web server's log file is named webserver.log, and the report file name should be accessreport.txt. Following is a sample of the web server's log file:Which of the following commands should be run if an analyst only wants to include entries in which a spreadsheet was successfully downloaded? A. more webserver.log | grep *.xls > accessreport.txt B. more webserver.log > grep ג€*xlsג€ | egrep ג€"E 'success' > accessreport.txt C. more webserver.log | grep ג€"E ג€return=200 | xlsג€ > accessreport.txt D. more webserver.log | grep ג€"A *.xls < accessreport.txt
C. more webserver.log | grep ג€"E ג€return=200 | xlsג€ > accessreport.txt
Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity? A. Reverse engineering B. Application log collectors C. Workflow orchestration D. API integration E. Scripting
D. API integration
Question #163Topic 1 A security analyst is probing a company's public-facing servers for vulnerabilities and obtains the following output:Which of the following changes should the analyst recommend FIRST? A. Implement File Transfer Protocol Secure on the upload server B. Disable anonymous login on the web server C. Configure firewall changes to close port 445 on 124.45.23.112 D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108
D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108
An organization recently discovered a malware sample on an internal server. IoCs showed the malware sample was running on port 27573. The incident response team successfully removed the malware from the server, but the organization is now concerned about other instances of the malware being installed on another server. The following network traffic was captured after the known malware was assumed to be eradicated:Which of the following can the organization conclude? A. The malware was installed on servers 192.168.1.102, 192.168.1.103, and 192.168.1.104. B. Only the server at 192.168.1.103 has an indication of a possible compromise. C. Only the server at 192.168.1.104 has an indication of a possible compromise. D. Both servers 192.168.1.101 and 192.168.1.134 indicate a possible compromise. E. The server at 192.168.1.134 is exfiltrating data in 25KB files to servers throughout the organization. Hide Solution Discussion 1
D. Both servers 192.168.1.101 and 192.168.1.134 indicate a possible compromise.
A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT? A. Begin blocking all IP addresses within that subnet B. Determine the attack vector and total attack surface C. Begin a kill chain analysis to determine the impact D. Conduct threat research on the IP addresses
D. Conduct threat research on the IP addresses
A small marketing firm uses many SaaS applications that hold sensitive information. The firm has discovered terminated employees are retaining access to systems for many weeks after their end date. Which of the following would BEST resolve the issue of lingering access? A. Perform weekly manual reviews on system access to uncover any issues. B. Set up a privileged access management tool that can fully manage privileged account access. C. Implement MFA on cloud-based systems. D. Configure federated authentication with SSO on cloud provider systems.
D. Configure federated authentication with SSO on cloud provider systems.
An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment. One of the primary concerns is exfiltration of data by malicious insiders. Which of the following controls is the MOST appropriate to mitigate risks? A. Data deduplication B. OS fingerprinting C. Digital watermarking D. Data loss prevention
D. Data loss prevention
A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do? A. Shut down the computer B. Capture live data using Wireshark C. Take a snapshot D. Determine if DNS logging is enabled E. Review the network logs
D. Determine if DNS logging is enabled
A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process? A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed. B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections. C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses. D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization? A. Establish a recovery time objective and a recovery point objective for the systems being moved B. Calculate the resource requirements for moving the systems to the cloud C. Determine recovery priorities for the assets being moved to the cloud-based systems D. Identify the business processes that will be migrated and the criticality of each one E. Perform an inventory of the servers that will be moving and assign priority to each one
D. Identify the business processes that will be migrated and the criticality of each one
A security analyst has discovered malware is spreading across multiple critical systems and is originating from a single workstations, which belongs to a member of the cyber-infrastructure team who has legitimate administrator credentials. An analysis of the traffic indicates the workstation swept the networking looking for vulnerable hosts to infect. Which of the following would have worked BEST to prevent the spread of this infection? A. Vulnerability scans of the network and proper patching. B. A properly configured and updated EDR solution. C. A honeypot used to catalog the anomalous behavior and update the IPS. D. Logical network segmentation and the use of jump boxes
D. Logical network segmentation and the use of jump boxes
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan? A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations. B. Make sure the scan is uncredentialed, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. C. Make sure the scan is credentialed, has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors? A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested. B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443 D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
An organization that uses SPF has been notified emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the DNS entry and sees the following: v=spf1 ip4:180.10.6.5 ip4:180.10.6.10 include:robustmail.com ג€"allThe organization's primary mail server IP is 180.10.6.6, and the secondary mail server IP is 180.10.6.5. The organization's third-party mail provider is ג€RobustMailג€ with the domain name robustmail.com. Which of the following is the MOST likely reason for the rejected emails? A. SPF version 1 does not support third-party providers. B. The primary and secondary email server IP addresses are out of sequence. Most Voted C. An incorrect IP version is being used. D. The wrong domain name is in the SPF record.
D. The wrong domain name is in the SPF record.
While analyzing logs from a WAF, a cybersecurity analyst finds the following:ג€GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574%2box3133333731,1223,1224&name=&state=ILג€Which of the following BEST describes what the analyst has found? A. This is an encrypted GET HTTP request B. A packet is being used to bypass the WAF C. This is an encrypted packet D. This is an encoded WAF bypass
D. This is an encoded WAF bypass
A company wants to outsource a key human-resources application service to remote employees as a SaaS-based cloud solution. The company's GREATEST concern should be the SaaS provider's: A. SLA for system uptime. B. DLP procedures. C. logging and monitoring capabilities. D. data protection capabilities.
D. data protection capabilities.
A threat intelligence analyst has received multiple reports that are suspected to be about the same advanced persistent threat. To which of the following steps in the intelligence cycle would this map? A. Dissemination B. Analysis C. Feedback D. Requirements E. Collection
E. Collection
A security analyst reviews SIEM logs and discovers the following error event:Which of the following environments does the analyst need to examine to continue troubleshooting the event? A. Proxy server B. SQL server C. Windows domain controller D. WAF appliance E. DNS server
E. DNS server
Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset? A. It automatically performs remedial configuration changes to enterprise security services B. It enables standard checklist and vulnerability analysis expressions for automation C. It establishes a continuous integration environment for software development operations D. It provides validation of suspected system vulnerabilities through workflow orchestration
It enables standard checklist and vulnerability analysis expressions for automation