Comp


Which of the following is a primary vector for attacking applications?

Faulty input validation

A quantitative assessment of risk attempts to assign concrete values to the elements of risk. Which formula is representative of calculating a Single Loss Expectancy (SLE)?

AV (Asset Value) x EF (Exposure Factor) = SLE (Single Loss Expectancy)

Considering the software development lifecycle, which feature concurrently runs in phases?

Agile

A systems engineer suspects a new type of malware has impacted the company network. Which threat hunting approach does the engineer utilize in an attempt to find the origin of the malware? Select all that apply.

Analyze network traffic; identify the method of execution

A security engineer works for a global manufacturing company and is responsible for the security of thousands of host systems. The engineer documents a risk analysis plan and implements asset criticality. Analyze the solutions and identify which one the engineer implements.

Prioritize systems for scanning and remediation

A small business has experienced a security breach. A forensics investigation team follows documented procedures during a review of the breach. Currently, the team is in the first phase. Which process is characteristic of this phase?

Secure the scene to prevent contamination of evidence.

Capability refers to a threat actor's ability to craft novel exploit techniques and tools. Which capability can exploit supply chains to introduce vulnerabilities in proprietary and open-source products?

Advanced

A security consultant works for a manufacturing company and practices privilege management. In doing so, the consultant reviews control types and focuses on using clearance levels. Which control type does the security consultant focus on?

Mandatory access control

NetFlow

IPFIX IETF standard

An IT administrator identifies a service interruption on a server through system and application log files and alerts. Which issues may be causing the problem? Select all that apply.

An attack may have disabled a service. An adversary is preventing services from running. Malware may have compromised an authorized service.

A security engineer deploys a Security Information and Event Management (SIEM) solution in an organization. A variety of approaches are available to the engineer. Evaluate the methods and determine which the engineer uses to push updates via the syslog protocol.

Listener/collector

dropper/downloader

The first step for malware is to run lightweight shellcode on the victim system. This requires local administrative privileges unless the system is very poorly configured.

Which of the following solutions relates to segmentation-based containment?

VLANs, ACLs

Which of the given XSS attacks exploits a vulnerability on the client-side?

Document Object Model (DOM)

A security director for a financial institution incorporates strict vendor policies for the acquiring of hardware and software. Which established method does the director utilize as a secure supply chain?

Trusted foundry

In software development, which process is a compliance-testing process to ensure that the security system meets the requirements of a framework?

Verification

You use deidentification on sensitive data so that one group within a company can receive the data for analysis without unnecessary risks to privacy. The approach you use substitutes character strings for random characters. Which approach do you use?

Data masking

When considering a threat's motivation, questioning what an attacker stands to gain is helpful in determining which factor?

Likelihood

Engineers at a company feel that a rogue server system exists on a corporate network. Through investigating, the engineers determine that one of two types of a malicious server exist. Compare the device types and conclude which two types might be the problem. Select all that apply.

Honeypot; virtual machine

Regarding risk identification and assessment, which of the following identifies changes that could affect risk management processes?

Monitor

Management hires a consultant to work on systems security issues in the organization. Prior to allowing the consultant in the facility, management puts in place an agreement for protection of data assets. Which agreement does the IT manager utilize?

Non-disclosure agreement (NDA)

A developer needs to review some code before compiling it. Which approach does the developer use?

Static code analysis

SOC

Security Operations Center: monitors and protects critical information assets

Which system type utilizes a Real-time operating system (RTOS)?

Embedded

A systems engineer utilizes the hping3 command to perform penetration testing. The engineer tries different tests to gather information. Evaluate the options and identify which hping3 command tools are useful. Select all that apply.

Traceroute; fragmentation

Actions on objectives

Once the attacker has enough permissions to assets of interest, he or she will use tools to covertly copy or modify the data or target system, depending on his or her motive.

Management at a financial firm assigns a cybersecurity task force to investigate a compromised server. The task force focuses on searching for account-based Indicators of Compromise (IoC). Which areas do members of the task force focus on? Select all that apply.

Unauthorized sessions; off-hours usage; failed logons

The IT department at a medium-sized manufacturer deals with cyber threats daily. In response to the growing level of malicious activity, the IT manager establishes guidelines based on the security intelligence lifecycle. Which phase of the lifecycle does the IT manager use to distribute information to executives?

Dissemination

Common Configuration Enumeration

Identifies configuration best-practice statements

CISO

Chief Information Security Officer

CSIRT

Computer Security Incident Response Team

port security

A switch feature that limits the number of allowed MAC addresses on a port, with optional limits based on the actual values of the MAC addresses.

An IT analyst utilizes software to visualize the incidence of types of events and show how the number or frequency of those events changes over time. For reporting purposes, the analyst focuses on statistical deviation. Review the possibilities and conclude which approach the analyst employs.

Acquire the sum of all values, divided by the number of samples

An engineer learns a new security threat mitigation technique. The technique maps an IP address to a non-existent host, and is useful in stopping denial of service attacks. Traffic heading to these IPs can be captured for analysis or discarded. Considering the given strategies, which does this technique relate to? Select all that apply.

Black hole; sinkhole

A network administrator routinely reviews firewall logs for pertinent information. From the logs, the firewall provides a great deal of insight into potential threats. Evaluate the given choices, and determine which area of security intelligence the firewall provides.

Connections permitted or denied

Which systems implementation enforces resource separation at the operating system level?

Containerization

A systems engineer configures a data loss prevention (DLP) service in the organization to prevent data copying. Which remediation method blocks access to the original file?

Quarantine

Which solution describes and outlines certain rules an individual must follow to use a particular service or resource?

Acceptable use policy

A technology specialist attempts the recovery of a maliciously deleted folder of important data. The specialist uses file carving to try to retrieve the missing data. How does carving handle the data retrieval process?

By analyzing the disk at sector/page level

A security specialist configures an internal email system with enhanced spoofing protection. The approach specifies an alignment mechanism that verifies that the domain identified in the header From field matches the domain in the envelope From field. Which solution does the specialist implement?

Domain-based Message Authentication, Reporting, and Conformance

An organization collects data by consent at a website. Which of the following approaches dictates the specific use of this data?

Purpose limitation

Strengthen access

The RAT is used to identify and infect other systems, possibly of higher value. The next step might be to obtain domain administrator privileges and then compromise the permissions on a file server for a different user group.

The Lockheed Martin kill chain identifies phases of an attack on systems. Evaluate the given descriptions and determine which one relates to Exploitation.

Weaponized code executed on a target system.

The security intelligence lifecycle includes the process of identifying anomalies that may point to a potential problem. In which phase does this activity take place?

Analysis

Management at a large legal firm establishes a policy that warns of legal penalties for the unauthorized access to any internal computer system. Considering security controls and their functions, which does management put in place?

Deterrent

A chief information security officer wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats. Which of the following is the most proactive tool or technique that feeds incident response capabilities?

Development of a hypothesis as part of threat hunting

An attacker compromises an Active Directory domain by using an attack that grants administrative access to domain controllers for all members of the domain. Which attack type does the attacker utilize to accomplish this specific action?

Golden ticket

Dissemination

Risk management and security engineering; incident response; vulnerability management; detection and monitoring

A large technology company hosts hundreds of servers in a datacenter. The company invests a great deal of money into a risk prevention plan to protect the systems. One such solution is insurance that protects the hardware and the data. Which specific risk response strategy does the company utilize in this instance?

Risk transference (assigning risk to a third party)

Snort output formats

syslog; CSV; tcpdump

A security engineer analyzes network traffic flow collected from a database. The engineer uses the IP Flow Information Export (IPFIX) IETF standard as a resource for data collection, and notices a pattern in the data traffic for specific IP addresses at night. Evaluate the terminology and conclude what the IT engineer records.

Flow record

Kill chain

Reconnaissance; weaponization; delivery; exploitation; installation; command and control; actions on objectives

Which application type uses a generic client and standard network protocol?

Web

An IT administrator documents defensive capabilities mapped to each stage of an adversary's kill chain in a courses of action (CoA) matrix. The matrix uses defensive capabilities adapted from US military doctrine. The administrator focuses on degrading options. Consider the approaches and determine which is in line with the administrator's work.

Reduce an adversary's capabilities

The CIO of a financial datacenter creates a threat assessment matrix. Which factor helps to identify threats as they relate to specific industries?

Relevancy

Management institutes a policy to keep archived data on-hand for a period of time. Which policy type does management create?

Retention

A cybersecurity specialist needs to acquire the contents of memory from a compromised Windows server. Live acquisition of the contents is the goal; however, the specialist discovers this approach is not possible. Evaluate the given reasons and conclude why live acquisition is not possible.

This approach requires a kernel mode driver to function.

DGA

To avoid using hard-coded IP ranges, malware has switched to domains that are dynamically generated using an algorithm, usually referred to as a domain generation algorithm (DGA).

Maintain access

The malware will install some type of remote access Trojan (RAT) to give the adversary a C&C mechanism over the victim machine.

Common Weakness Enumeration

Identifies flaws in the design and development of software that could potentially lead to vulnerabilities.

Responder

A man-in-the-middle type of tool that exploits name resolution on Windows networks. Responder intercepts requests and returns the attacker's host IP as the name record.

STIX domain objects

Observed data; indicator; incident; TTP; campaign; threat actors; course of action

Modern malware with APT-like capabilities will complete a typical attack in several stages. Evaluate the possibilities and determine which stage an attacker uses to modify target data.

Action on objectives

Concealment

An attacker may choose to maintain access but put the tools into a dormant mode to avoid detection, or may choose to try to eradicate any sign that the system was ever infected.

A security expert is responsible for maintaining systems security at an organization. As part of this directive, the expert reviews password policies for up-to-date best practices. Upon reviewing the policies, the expert decides to stop the enforcement of certain rules. Evaluate the options and determine which rules NOT to enforce. Select all that apply.

Complexity; hints; aging

An attacker tests usernames and passwords at online sites. What is the attacker practicing?

Credential stuffing

A network admin implements a cloud-based data repository that spans the globe. Which issue is a legal concern in the implementation across these locations?

Data sovereignty

When considering secure software development, which phase features "white box" source code analysis?

Implementation

A security analyst puts measures in place to harden systems. Before doing so, the analyst utilizes third-party configuration baselines. The analyst focuses efforts on the top five Center for Internet Security (CIS) controls. Control number one is of particular interest. Of the basic CIS controls, which one should be the priority?

Inventory of hardware assets

A cybersecurity specialist determines that there is a breach in a system at a large financial firm. Using an order of volatility approach, the specialist carefully performs data acquisition procedures to capture evidence. Evaluate the components and determine what component the specialist should be the most careful of when capturing evidence.

GPU cache

A client asks a security analyst to construct a security plan for a small business. The resulting plan outlines several suggested controls. One such control is the placement of a security guard outside of a high-profile datacenter. Evaluate the control classes and determine which one the analyst specifies.

Operational

Fast-flux DNS

A method used by malware to hide the presence of C&C networks by continually changing the host IP addresses in domain records.

Threat actor types

Nation state; organized crime; hacktivist

A security firm establishes an office in a new building. In the office, security analysts monitor and manage client systems for security concerns. The office functions as which type of facility?

Security operations center

An engineer implements the Johari window to classify threats into quadrants. Which quadrant represents risks identified, but discarded?

Unknown knowns

Which of the following formats are typically produced by cyber threat intelligence? Select all that apply.

Narrative reports; data feeds

An attacker compromises a user's online website account for a large retailer. What method details the process of harvesting an account's cached credentials when the user logs in to a single sign-on (SSO) system?

Pass the hash

An enterprise security architecture (ESA) framework is a list of activities and objectives undertaken to mitigate risks. Which approach do most ESA frameworks utilize?

Perspective

A security specialist creates incident response procedures for a company. The company has the plan divided into phases, as defined by NIST. The specialist creates an acceptable use policy. Which phase does the specialist contribute to?

Preparation

An online retailer experiences a malware attack that impacts a product ordering system. When a customer places an order, that order maintains a pending status for two hours during payment processing on a separate system. Internal staff reveal that due to the lack of a backup, only the pending orders are recoverable. Using a business impact analysis approach, determine what metric the two hours represents.

Recovery point objective (RPO)

There are different levels of data confidentiality following military usage. Which level defines data that is too valuable to allow any risk of its capture?

Secret

A systems administrator is configuring security in an Active Directory domain. Which Microsoft Windows feature does the admin plan to utilize when deploying a group policy to a variety of Windows versions in order to whitelist a system location?

Software Restriction Policies (SRP)

Which analysis tool can a security engineer use to inspect the way a process executes under an extreme processing load?

Stress test

Which major privacy-related standard helps protect the privacy of an individual's financial information?

The Gramm-Leach-Bliley Act (GLBA)

An attack has compromised a virtualized server. Security experts perform forensic activity as part of a recovery effort. The experts conclude that the attack deleted a virtual machine image as part of the malicious activity. Experts now face a difficult recovery. Evaluate the given challenges and determine which one is likely.

The attack widely fragmented the image across the host file system.

Metrics that express system availability govern business impact analysis. Considering the different metrics available, which of the following describes a recovery time objective (RTO)?

The period following a disaster that an individual IT system may remain offline.

An IT engineer looks to deploy a Security Information and Event Management (SIEM) program. The effective deployment of a SIEM program involves which of the following considerations when it comes to tracking flagged events?

Ticketing process

Nontransparent Proxy

The client must be configured with the server address to use it.

An executive at an organization receives an email stating that financial data for the organization requires updating. Acting on suspicion, the executive asks IT to investigate. IT staff use which approach in their investigation?

Analyze the message Internet header

A network manager has many devices to configure and maintain. Considering an abstracted model about how the network functions, which plane handles routing?

Data

Which of the given choices defines encrypted data in persistent storage media?

Data at rest

An admin implements the use of trusted firmware for workstations in an organization. As part of the process, the admin wishes to evaluate all system boot logs. Which capability does this feature require?

Measured boot

A security firm hires a new cybersecurity analyst. The CIO mentions that he hired the candidate due to having exceptional soft skills. Which relevant skills to the position does the CIO refer to? Select all that apply.

Creative thinking; problem solving

The IT security engineer at a large auto dealership implements tools to monitor and detect attempted attacks that are specific and relevant to the organization. Evaluate the varying approaches and determine which one the engineer utilizes when implementing such tools.

Acquiring information about attacks suffered by organizations working in similar industries.

An IT firm provides security services for many business clients. As part of an overall security monitoring package, the firm provides trend analysis as it relates to systems behavior. Which area does staff use to create a baseline and regular measurements?

Host metrics

Which of the following best describes a race condition?

It is typically found where multiple threads are attempting to write a variable or object at the same memory location.

ISACs

Information Sharing and Analysis Centers: mandated by governments in critical industries; share highly specific threat information for critical infrastructure, e.g., healthcare, financial, aviation.

A technology firm configures a backup system that protects several Windows servers. The backup runs a full job once over the weekend and differential jobs daily during the week. Which security function does the backup system perform?

Corrective

When considering cybersecurity, system process criticality relates to which statement?

The documentation of all systems within an organization

A specialized system has elevated security requirements compared to other systems on the network. To accomplish this, the admin uses a VLAN for the system. Considering the generalized goal of the technique, what does the isolation achieve?

Virtual segmentation
