Domain 4.0 Security Operations
An organization is enhancing its security measures to combat email-based threats after being targeted in a whaling attack. Which email authentication method is specifically designed to detect and prevent the forgery of sender addresses in corporate email exchanges?
(not) DKIM
A system administrator has seen repeated positive vulnerability messages only to discover that no vulnerability exists. The vulnerability messages repeat daily for several days, causing the system administrators to ignore them. What can the system administrator do to combat false positives? (Select the two best options.)
Adjust scanner config based on log review Use different scanners
An organization wants to enhance its cybersecurity by implementing web filtering. The company needs a solution that provides granular control over web traffic, ensures policy enforcement even when employees are off the corporate network, and can log and analyze Internet usage patterns. Which of the following strategies BEST meets these requirements?
Agent-based filtering
A large multinational company uses a cloud-based document storage system. The system provides access to documents by considering a combination of factors: the user's department, geographic location, the document's sensitivity level, and the current date and time. For example, only the finance department of a specific region can access its financial reports, and they can do so only during business hours. Which access control model does the company MOST likely use to manage this complex access control?
Attribute-based access control
The IT department of a medium-sized company is exploring various mobile solutions to improve productivity and enable employees to work efficiently on their mobile devices. They aim to choose a solution ensuring data security and seamless integration with the existing infrastructure. The team has narrowed the options to three potential mobile solutions: MDM, MAM, and COPE. Each solution offers different features and functionalities, and the IT team is assessing which one BEST meets the company's needs. Which mobile solution focuses on securing and managing the applications installed on employees' mobile devices rather than the devices themselves?
MAM
A cybersecurity responder surreptitiously monitors the activities of a hacker attempting infiltration. During this time, the cybersecurity responder prepared a containment and eradication plan. This is an example of what type of threat hunting technique?
Maneuvering
A proprietary software remains mission-critical ten years after its in-house creation. The software requires an exception to the rules as it cannot use the latest in-use operating system (OS) version. How can the IT department protect this mission-critical software and reduce its exposure factor? (Select the two best options.)
Network segmentation Compensating controls
The chief information officer (CIO) wants to expand the company's ability to accurately identify vulnerabilities across the company. The CIO wants to be able to scan client PCs, mobile devices, servers, routers, and switches. What type of scanner are they looking to institute?
Network vulnerability scanner
A Security Operations Center (SOC) manager notices a significant increase in unclassified events on the incident handler's Security Information and Event Management (SIEM) dashboard. At the same time, someone or something raises the number of incidents. The manager investigates these incidents further to ensure efficient and timely incident response. Which combination of data sources would provide the MOST comprehensive view to support the manager's investigation?
OS-specific security logs, log files generated by applications and services running on hosts, and automated reports from the SIEM tool
A healthcare organization is preparing to decommission several servers containing sensitive patient information. The organization wants to ensure that it securely disposes of the data on these servers and properly documents this process. What should the organization primarily focus on to ensure secure data disposal and regulation compliance?
Obtain a certificate of destruction or sanitization from a third-party provider.
A cyber technician pulls logs on the new Apple iMacs to ensure the company's employees adhere to the policy. What log can provide the technician with the computer's attempted logins or denial when an employee attempts to access a file?
Operating system-specific security logs
The IT team of a large multinational corporation is working to improve the security of their remote access services. They plan to implement Remote Authentication Dial-In User Service (RADIUS) to enhance the authentication process for remote users. RADIUS provides a centralized authentication and authorization mechanism for users connecting from various locations. The IT team evaluated different authentication protocols alongside RADIUS to ensure a strong and secure remote access solution. Which choice of authentication protocols would be MOST appropriate to complement RADIUS for the company's remote access solution?
PEAP
During routine monitoring, an incident response analyst at a prominent corporation notices suspicious network activity on a server. The analyst can access various network data sources. Which data sources would provide the MOST relevant information for the analyst to investigate and identify the potential threat actor and tools used in this activity?
Packet captures
The IT department at a medium-sized company is exploring ways to enhance its authentication methods to improve security. They want to choose an authentication approach that balances security and user convenience. Which authentication method eliminates the need for passwords and provides a secure way of verifying a user's identity based on the device's hardware or software characteristics?
Passwordless authentication
A cyber team is responding to regulatory requirements after the organization falls victim to a breach. What remediation practice involves the application of updates to systems to fix known vulnerabilities?
Patching
A technician wants to implement automation within the team's workspace. How does complexity impact automation and orchestration?
Poorly planned strategies can make systems difficult to maintain.
A company has added several new assets and software to its system and is meeting to review its risk matrix. It wants to ensure risk management efforts focus on vulnerabilities most likely impacting its operations significantly. What is this commonly referred to as?
Prioritization
At a large company, the IT department manages user accounts and permissions for the organization's various systems. The IT team employs a well-structured provisioning and de-provisioning process to create, modify, and remove user accounts and assign permissions to minimize potential security risks. Which statements related to user account provisioning and permission assignments are correct? (Select the two best options.)
Provisioning and de-provisioning of user accounts involve creating, modifying, and removing user accounts to maintain appropriate access levels. The principle of least privilege guides the assignment of permissions, ensuring users have only the necessary access for their job roles.
The network security manager of a large corporation is planning to improve the efficiency of the company's Security Information and Event Management (SIEM) system. The SIEM system receives data from various sources, including Windows and Linux hosts, switches, routers, and firewalls. To make the data from different sources more consistent and searchable, which functionality should the manager focus on enhancing in the SIEM system?
Refine the log aggregation process in the SIEM system
A hacker successfully bypasses several protections and exfiltrates sensitive data. The company immediately begins recovery and takes steps to discover the initial problem that allowed the infiltration. This type of investigation is commonly referred to as what?
Root cause analysis
In a multinational corporation, employees across various departments regularly access many cloud-based applications to fulfill their tasks efficiently. The company's security team is grappling with managing user credentials securely and efficiently across these diverse platforms. They are actively looking to improve user authentication and streamline access to these applications while ensuring robust security measures are in place. In this scenario, what technology should the company implement to enable Single Sign-On (SSO) capabilities and ensure secure authentication across its diverse cloud-based applications?
SAML
After experiencing a catastrophic server failure in the headquarters building, what can the company use to monitor notable events such as port failure, chassis overheating, power failure, or excessive CPU utilization?
SNMP trap
In a medium-sized organization, the IT department manages a wide range of applications employees use. Recently, the IT security team identified a growing number of security incidents related to malware infections and unauthorized access to sensitive data. They suspect that certain applications may be the entry point for these attacks. To mitigate the risks, the team wants to implement a security measure that isolates applications from the rest of the system to prevent potential threats from spreading. They aim to achieve this without affecting the overall performance and usability of the applications. Which security measure should the IT security team consider implementing to isolate applications from the rest of the system, reduce the impact of potential security threats, and maintain optimal performance and usability?
Sandboxing
A tech company is in the process of decommissioning a fleet of old servers. It wants to ensure that sensitive data stored on these servers is fully eliminated and is not accessible in the event of unauthorized attempts. What primary process should the company implement before disposing or repurposing these servers?
Sanitizing the servers
A healthcare organization is retiring an old database server that housed sensitive patient information. It aims to ensure that this information is completely irretrievable. What key process should the organization prioritize before disposing of this server?
Secure destruction of all data stored on the server
A multinational company worries that its IT department is getting complacent regarding cybersecurity. The company begins working with an outside company to create an incident in a sandbox environment to gauge the IT department's response to a strong attack. This situation represents what type of testing scenario?
Simulation
The cybersecurity expert at a technology firm recommends adding another layer of protection to employee accounts. The expert suggests a physical device that users can insert into compatible systems to verify their identity alongside a password. Which authentication method is the cybersecurity expert recommending for the employees?
Smart Card
After a breach, an organization implements new multifactor authentication (MFA) protocols. What MFA philosophy incorporates using a smart card or key fob to support authentication?
Something you have
A technology firm's network security specialist notices a sudden increase in unidentified activities on the firm's Security Information and Event and Management (SIEM) incident tracking system. An unknown entity or process also increases the number of reported incidents. The specialist decides to investigate these incidents. Which combination of data sources would provide a balanced perspective to support the investigation?
System-specific security logs, which track system-level operations; logs generated by applications running on hosts; and real-time reports from the SIEM solution, summarizing incidents.
In a medium-sized tech company, employees have different roles and responsibilities requiring access to specific resources and data. The IT team is implementing security measures to control access effectively and reduce the risk of unauthorized activities. What security measure could the IT team implement in the tech company to control access effectively and minimize the risk of unauthorized activities?
The principle of least privilege to grant employees the minimum needed access based on job roles
A company plans to upgrade its wireless network infrastructure to improve connectivity and security. The IT team wants to ensure that the new network design provides adequate coverage, minimizes interference, and meets security standards. To achieve this, they conduct a site survey and create a heat map of the area. What is the primary purpose of conducting a site survey and creating a heat map for the company's wireless network upgrade?
To assess wireless signal coverage, identify dead zones, and optimize access point placement for the upgrade
In a small software development company, the development team has created a critical application that handles sensitive user data. The company's security policy mandates conducting a thorough application security assessment before deployment. To achieve this, the team employed a static code analysis tool, taking advantage of its primary feature. How can the development team utilize static code analysis in the critical application's software development process?
To identify potential security vulnerabilities in the application's source code
In a medium-sized company, the IT department manages access to various systems and resources for employees. The team wants to enhance the security posture by implementing better access controls. They use rule-based access controls and time-of-day restrictions to achieve this goal. What are the IT department's objectives in implementing rule-based access controls and time-of-day restrictions? (Select the two best options.)
To restrict access to critical systems during non-working hours to enhance security To define specific access rules based on employees' roles and responsibilities
An incident response analyst investigates a suspected network breach in the organization. With access to a Security Information and Event Management (SIEM) tool that aggregates and correlates data from multiple sources, which combination of data sources should the analyst primarily consider to trace the origin and pathway of the breach?
Trace the origin through logs of network-based vulnerability scanners, firewall logs, and OS-specific security logs
In a large corporate office, employees use various devices such as laptops, smartphones, and tablets that support both Bluetooth and Wi-Fi connectivity. The office implements strict security measures to protect sensitive data and ensure compliance with industry regulations. However, the IT team noticed some security concerns. What security risks is the IT team primarily concerned about regarding the use of Bluetooth and Wi-Fi in the corporate office?
Unauthorized access and data interception
A new system administrator has been working all morning typing in new vulnerability signatures to ensure the vulnerability scanner is current. The admin is utilizing common vulnerabilities and exposures (CVE) to obtain the information and the common vulnerability scoring system (CVSS) to find the fix. What should the new system admin have done? (Select the three best options.) A new system administrator has been working all morning typing in new vulnerability signatures to ensure the vulnerability scanner is current. The admin is utilizing common vulnerabilities and exposures (CVE) to obtain the information and the common vulnerability scoring system (CVSS) to find the fix. What should the new system admin have done? (Select the three best options.)
Updated via vulnerability feed Updated via the security content automation protocol Updated via the threat feed
An organization implemented a BYOD policy for employees to use their mobile devices for work-related tasks. The organization's IT department identified concerns about the security risks associated with BYOD. They determined that employees' mobile devices must meet the security requirements to protect sensitive company data. Considering the scenario, which of the following measures is the MOST effective way to enhance the security of employees' mobile devices under the BYOD policy?
Using MDM solutions to centrally control employees' mobile devices
A financial services company is decommissioning many servers that contain highly sensitive financial information. The company's data protection policy stipulates the need to use the most secure data destruction methods and comply with strict regulatory requirements. The company also has a significant environmental sustainability commitment and seeks to minimize waste wherever possible. What should the company's primary course of action be during this process?
Degaussing the servers, rendering the data irretrievable, followed by reselling or recycling the servers after certification
An organization needs to implement web filtering to bolster its security. The goal is to ensure consistent policy enforcement for both in-office and remote workers. Which of the following web filtering methods BEST meets this requirement?
Deploying agent-based web filtering
The network administrator of a small business needs to enhance the security of the business's wireless network. The primary goal is to implement Wi-Fi Protected Access 3 (WPA3) as the main security measure but recognize the need to adjust other wireless security settings to effectively complement WPA3 and create a robust network for all employees to access critical company resources securely. What considerations should the network administrator consider when implementing WPA3 and adjusting wireless security settings? (Select the two best options.)
Enabling media access control address filtering to restrict access to authorized devices Implementing 802.1X authentication for user devices
A security operations analyst at a financial institution analyzes an incident involving unauthorized transactions. The analyst suspects that a malware infection on one of the endpoints might have led to the unauthorized access. To identify the root cause and trace the activities of the suspected malware, which combination of data sources should the analyst primarily consider?
Endpoint logs, log files generated by the OS components of the affected host computer, and logs from the host-based intrusion detection system.
A senior security analyst is refining the incident response processes for a large organization that recently implemented a Security Information and Event Management (SIEM) system. During a simulation of a cybersecurity incident, the analyst observed that the SIEM system generated several alerts that were false positives, leading to unnecessary consumption of resources. On which step should the analyst focus to improve the efficiency of the alert response and remediation process?
Enhancing the validation and quarantine processes in the alert response
An IT auditor is responsible for ensuring compliance with best practice frameworks. The auditor conducts a compliance scan, using the security content automation protocol (SCAP), to measure system and configuration settings against a best practice framework. Which XML schema should the IT auditor use to develop and audit best practice configuration checklists and rules?
Extensible configuration checklist description format
A system admin is reviewing the company's environmental variables as there have been several new additions to workstations and servers. One of the primary environmental factors is the organization's IT infrastructure. What are two other environmental factors? (Select the two best options.)
External threat landscape Regulatory/compliance environment
A forensic analyst at an international law enforcement agency investigates a sophisticated cyber-espionage case. The analyst must uncover the timeline of document interactions, detect concealed or system-protected files, interpret categories of digital events, and trace digital breadcrumbs left behind during media uploads on social platforms. What combination of data sources would provide the MOST comprehensive information for this multifaceted investigation?
File metadata with extended attributes and network transaction logs
A global corporation has faced numerous cyber threats and is now prioritizing the security of its servers. The corporation's IT security expert recommends a strategy to improve server security. Which of the following options is likely to be the MOST effective?
Implement a secure baseline, consistently apply updates and patches, and adhere to hardening guidelines.
A chief security officer (CSO) is overseeing the deployment of a Security Information and Event Management (SIEM) system in a large organization with a mix of computer systems and network appliances. The CSO has concerns about the system resources that the data collection process on the individual computer systems utilizes. Which method should the CSO consider to minimize the resource usage on these systems while ensuring effective data collection for the SIEM system?
Implementing an agentless collection method on the computer systems
A company merged with another company and is reviewing and combining both companies' procedures for incident response. What should the joined companies have at the end of this preparation phase?
Incident response plan
A cyber architect explores various methods to assign needed access for newly-hired employees or employees who have transitioned to a new role. What are the benefits associated with user provisioning? (Select the two best options.)
It can create, modify, or delete individual user accounts. It can create, modify, or delete individual users' access rights across IT systems.
A security specialist is drafting a memorandum on secure data destruction for the organization after a recent breach. What benefit does the certification concept offer when evaluating appropriate disposal/decommissioning?
It refers to the documentation and verification of the data sanitization or destruction process.
In a medium-sized company, the IT security team implements Privileged Access Management (PAM) tools to enhance security measures. The team is considering using just-in-time (JIT) permissions to reduce the risk of unauthorized access to critical systems and sensitive data. JIT permissions allow users to obtain temporary access only when necessary, minimizing the exposure of privileged accounts. The team is aware that this approach can significantly improve security by limiting the window of opportunity for potential attackers. Which statement regarding JIT permissions and PAM tools are correct?
JIT permissions reduce unauthorized access risk by granting temporary access only when necessary.
A technician is modifying controls to increase security on messaging services. Which of the following options check to define rules for handling messages, such as moving messages to quarantine or spam, rejecting them outright, or tagging the message?
DMARC
Which of the following options is NOT a challenge typically encountered while implementing web filtering solutions in an enterprise?
Decrease in network latency
The IT security team at a large company is implementing more robust authentication measures to safeguard sensitive data and systems. The team is exploring multifactor authentication (MFA) options to bolster security. The company deals with highly confidential information and requires a robust solution. The team has narrowed the choices and is evaluating which aligns BEST with their security needs. Which multi-factor authentication method utilizes unique physical characteristics of individuals to verify their identity?
Biometrics
A technician is deploying centralized web filtering techniques across the enterprise. What technique employs factors such as the website's URL, domain, IP address, content category, or even specific keywords within the web content?
Block rules
An IT admin has been testing a newly released software patch and discovered an exploitable vulnerability. The manager directs the IT admin to immediately report to Common Vulnerability Enumeration (CVE), utilizing the common vulnerability scoring system (CVSS) to base the score for the vulnerability. What could happen if there are delays in completing the report? (Select the two best options.)
Can lead to delays in remediation Increase window of opportunity for attackers
An organization needs a solution for controlling and monitoring all inbound and outbound web content, analyzing web requests, blocking access based on various criteria, and offering detailed logging and reporting of web activity. Which of the following solutions is the MOST suitable in this situation?
Centralized web filtering
A company recently faced a security breach through its network switch. They learned that the attacker was able to access the switch using the default credentials. Which of the following steps should the company take to improve the security of the switch and avoid such breaches in the future?
Change the default credentials of the switch
An information security manager is fine-tuning a Security Information and Event Management (SIEM) system in a company that has recently reported a series of unauthorized account access attempts. The manager wants to ensure prompt detection of similar incidents for immediate investigation. Which approach should the manager consider to optimize the system's alerting capability?
Configuring the SIEM system to alert when multiple login failures for the same account occur within a specified time period
What action of the incident response process removes affected components from the larger environment?
Containment
A cyber group is reviewing its web filtering capabilities after a recent breach. Which centralized web-filtering technique groups websites into categories such as social networking, gambling, and webmail?
Content categorization
After a recent breach, an organization mandates increased monitoring of corporate email accounts. What can the organization use that mediates the copying of tagged data to restrict it to authorized media and services and monitors statistics for policy violations?
DLP
A cyber technician is enhancing application security capabilities for corporate email accounts following a breach. Which of the following options leverages encryption features to enable email verification by allowing the sender to sign emails using a digital signature?
DKIM