CompTIA CySA


A systems administrator installs a syslog server to capture and report events for wireless infrastructure. Following a requirement from the Chief Information Officer (CIO), recorded logging levels should include a status if an access point is unusable and if any immediate action is required. Which logging levels does the administrator evaluate and configure? (Select the two best options.) 2-Critical 4-Warning 0-Emergency 1-Alert

0-Emergency 1-Alert Logging levels are categories of severity used to categorize log events. With a syslog server in place, a log level defined as 0-Emergency indicates that a system is unusable. Each logging level has a numerical value that can sort and filter log events. A log level of 1-Alert informs that a system needs immediate attention. Logging levels refer to the severity or importance of a log message. A log level of 2-Critical defines a system that is experiencing critical conditions. Syslog uses eight logging levels, from the most severe (level 0) to the least severe (level 7). A log level of 4-Warning indicates system warning conditions.

A video production company has a server farm with graphics cards that allows the company to generate computer-generated imagery. Although the servers do not currently store any data and are not expensive, the company wants to ensure the security of its equipment. What is a compelling reason why the company should be proactive in preventing server vulnerabilities? A. Exploitability B. Low asset value C. High asset value D. Save power consumption

A. Exploitability Exploitability assesses the likelihood of an attacker weaponizing a vulnerability to achieve its objectives. A malicious actor can illicitly use unused resources to mine crypto. In contrast to a high-value asset, a low-value asset will have fewer implications when it goes down or gets attacked. One example is a system that monitors the power consumption of overhead lights in an office. An asset's value may influence its vulnerability score. Highly valuable assets, like those with far-reaching impacts if breached, may have little tolerance for vulnerabilities, skewing all scores into the high/critical range. If an attacker exploits the server farms, there may be excess power consumption, but excess power consumption is less of an issue than data loss or exfiltration.

A large multinational bank completed an upgrade of its device management, security practices, and user training. The next step in their project is to hire a third-party penetration testing company to attempt to breach their systems. The bank wants the vendor to approach it from the outside. What kind of penetration testing should the vendor conduct? A. External scan B. Internal scan C. Map scan D. Baseline scan

A. External scan The vendor should conduct an external scan. External scans focus on the view of devices and services from the "outside" of the network, broadly referring to the Internet, whereas internal scans focus on the view from the "inside." Internal scans protect systems from abuse from internal threats and provide layered security. This scenario is specific to outside attacks. A map, or discovery, scan identifies the devices connected to a network or network segment and would be irrelevant in an external attack. Discovery scans allow security teams to identify connected devices and uncover potential problems. Best practice configurations are available to use as a reference when hardening endpoints for baseline scans. An outside scan would not set up baseline configurations.

A systems administrator is researching active defense approaches. The administrator decides to install a honeypot to lure attackers away from assets of actual value. What is true of a honeypot? (Select the three best options.) A. Honeypots seek to redirect malicious traffic away from live production systems. B. Honeypots can provide an early warning regarding ongoing attacks. C. Honeypots help collect intelligence on the attackers and their techniques. D. Honeypots assist defensive teams in identifying and responding after an attack has taken place on critical systems.

A. Honeypots seek to redirect malicious traffic away from live production systems. B. Honeypots can provide an early warning regarding ongoing attacks. C. Honeypots help collect intelligence on the attackers and their techniques.

A system administrator is performing patchwork on their organization's system. The administrator realizes the maintenance window will close before they complete the patchwork. What action must the administrator take to abide by the change management policy? A. Rollback to the system's previous state B. Rollout earlier patches C. Rollback to a system's initial state D. Rollout system patches

A. Rollback to the system's previous state Change management policy dictates that patching must finish quickly enough to accommodate rollback plans if trouble occurs—without overrunning the maintenance window. Change management rollback is the process of undoing a system's changes to restore the system to an earlier, pre-change state. The appropriate terminology for a rollout of earlier patches is rollback. The organization performs rollouts during a maintenance window when they implement new patches. Rolling back to a system's initial state is possible but unadvisable because of security concerns. Simply rolling back to the previous state is the best course of action. Rolling out system patches is a task performed during open maintenance windows. Patch management teams rely on maintenance windows to complete patch rollouts.

A company has set up various virtual local area networks (VLANs) to protect access to sensitive data. The Security Operations (SecOps) team finished a recent vulnerability scan and found no issues. The Chief Information Security Officer (CISO) followed up with the SecOps team to see if they considered all VLANs during the scan. The CISO is thinking about what special consideration? A. Segmentation B. Sensitivity levels C. Scheduling D. Host performance

A. Segmentation Segmentation has performance and security benefits. Segmentation allows traffic to flow between networks divided into separate zones, represented by virtual LANs (VLANs) and Internet Protocol (IP) subnets. The data inventory describes the data in terms of what it contains, such as its classification and sensitivity. Identifying sensitive information may be helpful, but segmenting protects the data. Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. Scanners often cause negative performance impacts on networks and hosts. This scenario did not involve compliance or performance.

A network administrator has received reports of intermittent connectivity issues. To diagnose the problem, the network administrator has decided to use tcpdump. Which of the following are the primary functionalities of using tcpdump in this scenario? (Select the two best options.) A. To monitor network performance and bandwidth usage B. To capture and analyze network packets for troubleshooting purposes C. To detect and prevent malicious activity on the network D. To implement network-based firewall rules

A. To monitor network performance and bandwidth usage B. To capture and analyze network packets for troubleshooting purposes In this scenario, the network administrator is using tcpdump to monitor network performance and bandwidth usage, and the information it provides can help diagnose the intermittent connectivity issues. The administrator is also using tcpdump to capture and analyze network packets for troubleshooting purposes, such as diagnosing network issues or analyzing network behavior. In this scenario, the administrator is not using tcpdump to detect and prevent malicious activity on the network, although the administrator can use it for this purpose if necessary. The administrator is not using tcpdump to implement network-based firewall rules, although tcpdump provides information that can inform such rules.

A system technician reviews system logs from various devices and notices discrepancies between recorded events. The events between the systems are not synchronizing in the correct order. Which configuration should the technician analyze and adjust to ensure proper and accurate logging? (Select the two best options.) A. NTP B. GPS C. PKI D. SSL

A. NTP B. GPS Time drift or time discrepancies can cause the system to create logs with incorrect time stamps. A time source can provide accuracy by using the Network Time Protocol (NTP) on the systems. Global Positioning System (GPS) is a location-providing technology. GPS does have the ability to provide time synchronization to a system while providing location coordinates. Public key infrastructure (PKI) is a technology that provides a suite of tools designed to support public/private key management, integrity checks via digital signatures, and authentication. It does not provide time synchronization services. Secure Sockets Layer (SSL) is an encryption technology. SSL inspection is useful in inspecting encrypted HTTPS traffic; however, it will not provide a solution for time synchronization.

A security analyst is monitoring the network traffic of a large organization. The analyst has noticed an unusual spike in network traffic and needs to determine the cause. What is the most likely explanation for the unusual spike in network traffic? A. Background traffic B. Distributed denial-of-service (DDoS) attack C. Network configuration issue D. Heightened user activity

B. Distributed denial-of-service (DDoS) attack A distributed denial-of-service (DDoS) attack is a type of cyber attack that uses multiple compromised devices to flood a target network with traffic, causing a denial of service. An unusual spike in network traffic could indicate a DDoS attack. While background traffic can contribute to network traffic spikes, it is unlikely to be the sole cause of an unusual spike in network traffic. While a network configuration issue could cause a spike in network traffic, it is unlikely to be the sole cause of an unusual spike in network traffic. While heightened user activity could contribute to a network traffic spike, it is unlikely to be the sole cause of an unusual spike in network traffic.

A security analyst at a large organization is investigating a recent cyber attack. The analyst needs to determine the most appropriate framework for analyzing the attacker's tactics, techniques, and procedures (TTPs). Which of the following frameworks would be the most appropriate for the security analyst to use? A. Cyber kill chain B. MITRE ATT&CK C. SANS D. National Institute of Standards and Technology (NIST)

B. MITRE ATT&CK MITRE ATT&CK is a comprehensive framework for analyzing and understanding the tactics, techniques, and procedures (TTPs) used by attackers in cyber attacks. While the cyber kill chain provides a detailed view of the different stages of an attack, it does not provide as much detail about the tactics, techniques, and procedures used by the attacker as MITRE ATT&CK. The SANS Institute Top 20 Critical Security Controls list the 20 most important security controls organizations should implement to protect against cyber attacks. It does not specialize in tactics, techniques, and procedures (TTPs). While the National Institute of Standards and Technology (NIST) provides a comprehensive view of information security, it does not provide a framework for analyzing tactics, techniques, and procedures (TTPs).

A security consultant identified a vulnerability in a web application that allows an attacker to execute arbitrary commands on the target system, potentially gaining full control over it. Which of the following web vulnerabilities best describes this scenario? A. Directory traversal B. Remote Code Execution (RCE) C. Structured Query Language (SQL) injection D. Server-Side Request Forgery (SSRF)

B. Remote Code Execution (RCE)

A support team is preparing for an upcoming maintenance window. What tasks should the support team accomplish during the proactive maintenance windows? (Select the three best options.) A. Implement untested patches B. Restart devices C. Analyze events D. Restore critical services after a backup test

B. Restart devices C. Analyze events D. Restore critical services after a backup test Devices are often restarted during maintenance windows to apply updates, reset connections, and refresh systems. This is a standard maintenance procedure aimed at ensuring that services run optimally post-maintenance. Analyzing events during maintenance is important for identifying irregularities that could indicate problems with the maintenance activities or potential security issues. This analysis is proactive and helps in ensuring the health and security of the IT environment. Restoring critical services after a backup test can be part of a proactive maintenance strategy. This helps in confirming that backup systems are functioning correctly and that critical services can be restored in case of a failure, ensuring business continuity. While patch implementation is a crucial task, it is not typically done during the maintenance window without prior testing. Patches should be tested thoroughly before the maintenance window to ensure they do not cause issues when applied.

A security consultant is using the dark web as a source of defensive open-source intelligence (OSINT). Which of the following should the consultant be aware of when using the dark web? (Select the three best options.) A. The dark web is protected by a single layer of encryption. B. The dark web serves as an operating platform for cybercrimes. C. Threat actors leverage the dark web for criminal activities. D. The dark web can pro

B. The dark web serves as an operating platform for cybercrimes. C. Threat actors leverage the dark web for criminal activities. D. The dark web can pro

A company hired a forensics team to determine how their systems got infected with a crypto locker virus. The team concluded that an employee opened a malicious attachment that installed a trojan virus, leading to the crypto locker virus taking over the network. Which Common Vulnerability Scoring System (CVSS) base metric would this affect? A. Scope B. User interaction C. Attack vector D. Integrity

B. User interaction User interaction revolves around whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment. Scope indicates whether the exploit affects only the local security context or not. For example, a hypervisor vulnerability might allow an exploit from one Virtual Machine (VM) to another VM. The attack vectors include Physical (P), Local (L), Adjacent network (A), or Network (N). The scenario did not involve an attack vector. Integrity involves the extent to which the system's functionality gets changed or impaired. The scenario focused on how something happened.

A security analyst discovers that a new scheduled task is executing an unknown script regularly. Upon further investigation, it shows that the script includes cmdlets that are specific to a certain scripting language. What is the most efficient way for the analyst to identify potentially malicious activity related to this incident on the affected system? A. Review the output of JavaScript scripts B. Examine Python script execution history C. Analyze PowerShell logs D. Investigate Ruby script dependencies

C. Analyze PowerShell logs Analyzing PowerShell logs would be the most effective way to identify potentially malicious activity since the discovered script includes cmdlets unique to a certain language, which the analyst can infer as PowerShell. Reviewing the output of JavaScript scripts would not help identify the malicious activity related to the scripting language in question, as JavaScript does not use cmdlets specific to the discovered script. Examining Python script execution history would not provide insights into the malicious activity associated with the specific scripting language discovered in the investigation because Python does not utilize cmdlets like those found in the script. Ruby is a scripting language, but it does not use cmdlets like PowerShell. Thus, investigating Ruby script dependencies would not be directly useful in this context.

Legacy system constraints prevent the modification of a financial organization's critical application. However, the application does not meet a specific security requirement outlined in the organization's security policy. Which of the following should the organization implement to address the security requirement without modifying the application? A. Preventative B. Detective C. Compensating D. Corrective

C. Compensating Compensating controls are alternative security measures put in place to provide a similar level of protection when a primary control is ineffective. A compensating control can help address the security requirement without changing the application. Preventative controls prevent security incidents from occurring. They typically involve modifying the system or application to prevent threats, which is not feasible in this situation. Detective controls identify and detect security incidents as they occur. They do not provide an alternative means of protection when they cannot implement primary control. Corrective controls mitigate the impact of security incidents and restore systems to their normal state.

An employee is leaving a company. Due to their position within the business, the company needs to retain emails for seven years to maintain regulatory compliance. What should the company enable on the email? A. Data validation B. Data preservation C. Legal hold D. Data analysis

C. Legal hold A legal hold, or litigation hold, describes the notification received by an organization's legal team instructing them to preserve electronically stored information (ESI). Data validation techniques like mass storage devices are essential for digital evidence. Hashing validates data integrity. The company does not need to validate the data yet. Data preservation techniques focus on properly collecting, transferring, and storing digital evidence. As the data is digital or cloud-based, data preservation techniques are not yet needed. Security information and event management (SIEM) helps security analysts perform data and log analysis to detect and investigate security incidents. The scenario did not request an analysis of the data.

An IT director reviews a cyber security audit and learns that an old accounting server is significantly out of compliance. Rather than attempting repairs, the director concludes that decommissioning the server is the safest course of action. What is the risk management principle the IT director is following? A. Risk acceptance B. Risk mitigation C. Risk avoidance D. Risk transference

C. Risk avoidance The IT director is electing to follow risk avoidance because of the risk and cost of bringing the server into compliance. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover that a software application has numerous high-severity security vulnerabilities. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

To improve security posture, an organization gathers information from varying sources to gain a larger picture of the threat landscape. What general approach is the organization implementing to achieve this level of reporting? A. Effective collaboration B. Automated trigger actions C. Threat feed combination D. Human engagement

C. Threat feed combination The combination of threat feeds from diverse sources gives a broader picture of the security landscape. The organization uses this approach for a greater level of reporting. Effective collaboration is important. Team members have varying skills that can be highly beneficial. However, this does not apply to the organization for acquiring data from feeds. A trigger action is a process where an event or other mechanism prompts the action of another process. This applies to automation configuration and not the general approach. The organization may utilize many techniques that reduce human engagement to improve security operations efficiency. However, this is not the general approach.

Blocking USBs would affect which metric on the Common Vulnerability Scoring System (CVSS)? A. User interaction B. Availability C. Scope D. Attack vectors

D. Attack vectors The policy references attack vectors. A local attack vector consists of the ability to manipulate the system with local access, such as by using a Universal Serial Bus (USB)-connected device. User interaction revolves around whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment. Availability relates to the extent to which a system is unavailable. It does not relate to using a USB-connected device on a company computer. Scope indicates whether the exploit affects only the local security context or not. For example, a hypervisor vulnerability might allow an exploit from one Virtual Machine (VM) to another VM.

A security analyst has received a suspicious email that appears to be from a recognized address. The analyst needs to determine if the email is legitimate or not. Which of the following email analysis techniques would be the most appropriate for the security analyst to use in this scenario? A. Email Header Analysis B. Link and Attachment Analysis C. Sender Reputation Verification D. Domain-based Message Authentication (DMARC)

D. Domain-based Message Authentication (DMARC) DMARC combines two other email authentication protocols, SPF and DKIM. It allows the receiver to check that an email claimed to have come from a specific domain was indeed authorized by the owner of that domain. This can help verify the authenticity of the email. While email header analysis can provide valuable information about the origin and path of an email, it may not definitively prove the legitimacy of the email. While this technique can help identify malicious links or attachments in an email, it doesn't confirm the legitimacy of the sender. Verifying the reputation of the sender can be helpful but does not provide a foolproof method of determining the legitimacy of the email.

A mission-critical system is offline at an organization due to a zero-day attack. The associated software vendor plans to release a patch to remediate the vulnerability. Which of the following are important patch management considerations for this scenario? (Select the three best options.) A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins D. A routine schedule for the rollout of noncritical patches

A. A patch test environment B. Immediate push delivery of critical security patches C. A specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins A patch test environment where technicians can install, test, and analyze urgent and important patches before deployment into production would be a vital consideration for this scenario. The organization should immediately push delivery of critical security patches at the earliest availability when mission-critical services are in question. A specific team or person responsible for reviewing vendor-supplied newsletters and security patch bulletins is necessary for this type of event. While creating a routine schedule for the rollout of noncritical patches has merit, it does not illustrate important patch management considerations in this example. A security analyst would address noncritical patches at a later time.

A software development company has concerns about the potential risks associated with insecure design in one of its new applications. Which of the following controls should a security expert recommend to mitigate these risks? A. Adopting a Secure Software Development Lifecycle (SSDLC) approach B. Implementing regular security audits C. Applying Content Security Policy (CSP) D. Employing Address Space Layout Randomization (ASLR)

A. Adopting a Secure Software Development Lifecycle (SSDLC) approach An SSDLC approach ensures that the expert considers and integrates security throughout the entire software development process. It helps identify and mitigate potential risks associated with insecure design early in development. Security audits are essential to maintaining a secure environment but do not directly address insecure design issues in the development process. CSP is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks but does not specifically address insecure design in software development. ASLR is a security technique that helps protect against memory-based attacks but does not directly address insecure design issues in the development process.

A network administrator is performing a quick network scan to identify all devices and services on the organization's network. The administrator does not require extra features but is required to use an open-source solution. Which of the following tools would be the most appropriate for the network administrator to use in this scenario? A. Angry IP B. Wireshark C. Nessus D. Traceroute

A. Angry IP Angry IP Scanner is a popular open-source network scanning and mapping tool. It can scan an entire network or a range of IP addresses to identify all connected devices and services. Wireshark is a popular tool for network protocol analysis and packet capture. The administrator would use Wireshark for capturing and analyzing network traffic, not for network scanning and mapping. Nessus is a commercial tool used for vulnerability scanning and assessment. The administrator would use Nessus for identifying vulnerabilities in connected devices and services, not for network scanning and mapping. Traceroute is a tool used for network troubleshooting. The administrator would use traceroute to trace the route of network packets from the source to the destination, not for network scanning and mapping.

A security analyst monitors a company's network for potential security threats. They notice some abnormal behavior in a business-critical application. Which type of activity is the analyst most likely observing? A. Anomalous activity B. Authorized activity C. Routine maintenance D. False positive

A. Anomalous activity Anomalous activity refers to any activity that deviates from the normal behavior of an application or system. In this scenario, the analyst is most likely observing anomalous activity in the business-critical application. Authorized activity is any activity that the organization permits and follows the established security policies. In this scenario, the unexpected activity in the application is not considered authorized. Routine maintenance is typically planned and expected, whereas the activity the analyst is observing is unexpected and deviates from the application's normal behavior. A false positive occurs when a system generates an alert for an event that is not actually a threat. In this scenario, the analyst is observing unexpected activity in the application, not a false alert.

An attacker is browsing social media accounts associated with a targeted organization. Why is the attacker using social media in this manner? (Select the three best options.) A. Attackers can use social media sites to find an organization's information. B. Attackers can leverage social media as a vector to launch attacks against targets. C. Attackers can use information from social media as a source of defensive OSINT. D. An attacker may find posts or user profiles that give away sensitive information.

A. Attackers can use social media sites to find an organization's information. B. Attackers can leverage social media as a vector to launch attacks against targets. D. An attacker may find posts or user profiles that give away sensitive information. Attackers can use social media sites, like Facebook and LinkedIn, to find an organization's information. Attackers can leverage social media as a vector to launch attacks against targets. An example of such a scenario would be impersonation. Attackers can impersonate trusted people to get a target to divulge information about an organization. Depending on how much an organization or an organization's employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of. Attackers do not use information from social media as a source of defensive open-source intelligence (OSINT) because social media is an offensive source of OSINT.

A security analyst is conducting a penetration test using Nmap to assess the security posture of an organization's network. The analyst must automate this task on a non-Windows server for discovering open ports on multiple hosts and collecting more information about the discovered services before saving the results to a file. They would also like to avoid the need for installing additional software. Which scripting technique should the analyst use to accomplish this task efficiently? A. Bash B. JavaScript C. Python D. PowerShell

A. Bash Bash is most Linux-based systems' default command-line shell and scripting language. Given the Linux-based nature of the network described, Bash scripting would be the most suitable technique for automating tasks such as discovering open ports, collecting service information, and saving results to a file. JavaScript cannot execute system-level commands or automate tasks like port scanning and information gathering in the same way shell scripts can. While Python can automate tasks like port scanning and information gathering, using a shell script in this scenario is more efficient and better for integrating command-line tools. PowerShell can automate tasks, but it is less suitable for this scenario than a shell script, especially when working with command-line tools like Nmap in a non-Windows environment.

An engineer is considering appropriate risk responses using threat modeling. They are trying to understand which threat actors are in scope for their organization. How does threat modeling identify the principal risks and tactics, techniques, and procedures (TTPs) for which their system may be susceptible? (Select the three best options.) A. By evaluating the system from an attacker's point of view B. By evaluating a system from a neutral perspective C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective

A. By evaluating the system from an attacker's point of view C. Through using tools such as diagrams D. By analyzing the system from the defender's perspective Threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) for which a system may be susceptible through evaluating systems from an attacker's point of view. Diagrams can show how a security analyst can deconstruct a system into its functional parts to analyze each area for potential weaknesses. Analyzing systems from a defender's perspective is another way that threat modeling identifies the principal risks and tactics, techniques, and procedures (TTPs) to which a system may be susceptible. Evaluating systems from a neutral perspective is not a method used in threat modeling.

A computer emergency response team (CERT) is quickly reacting to an attack on the network infrastructure of a semiconductor manufacturer. What is true about a CERT? (Select the three best options.) A. CERTs mitigate cybercrime. B. CERTs work with local law enforcement. C. CERTs provide knowledge of trending attacks. D. CERTs publish a wide variety of information concerning threats.

A. CERTs mitigate cybercrime. B. CERTs work with local law enforcement. C. CERTs provide knowledge of trending attacks. A CERT aims to mitigate cybercrime and minimize damage by responding to incidents quickly. CERTs work with local law enforcement, federal agencies, and other organizations to help prevent cyberattacks. CERTs coordinate responses to major events like natural disasters or terrorist attacks. This allows CERTs to provide knowledge and information regarding trending and observed attacks. The government is responsible for protecting the country's constituents and the national infrastructure and for publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance.

An employee believes someone breached their computer and leaked their sensitive financial information. What should a responding security team do to verify the claim's veracity? A. Collect evidence B. Determine the scope C. Set up a timeline D. Respond to recommendation

A. Collect evidence The security team should use an incident response playbook to guide communication with stakeholders and the public. The playbooks also explain how to gather evidence and determine the incident's root cause. Organizations use a risk analysis and impact assessment to determine and measure the scope of identified incidents in the organization. Determining a scope would occur after collecting evidence. The organization should develop a timeline for reporting and responding to incidents. The organization should also include a timeline for determining the cause of the incident, the recovery process, and the steps to prevent similar incidents in the future. Many sources can give a company recommendations when working to remediate an incident. Remediation would occur well after the scope has been determined.

A security analyst at a large organization is investigating a recent cyber attack. The analyst needs to determine the most comprehensive framework for analyzing the attack and understanding the different stages of the attack. Which of the following frameworks would be the most comprehensive for the security analyst to use in this scenario? A. Cyber kill chain B. Diamond model C. National Institute of Standards and Technology (NIST) D. SANS

A. Cyber kill chain The cyber kill chain is a comprehensive framework for analyzing and understanding the different stages of a cyber attack. The diamond model of intrusion analysis is a framework used to analyze and understand the different stages of a cyber attack. However, it is less comprehensive and detailed than the cyber kill chain. The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a set of cybersecurity standards and guidelines, but it does not provide a framework for analyzing the different stages of a cyber attack. The SANS Institute Top 20 Critical Security Controls is a list of the 20 most important security controls; however, it does not provide a framework for analyzing the different stages of a cyber attack.

A security engineer is trying to manage all the security logs the company collects from its various tools and services. The security engineer implements a security information and event management (SIEM) tool to accomplish this. What feature of the SIEM tool is the engineer trying to take advantage of? A. Data analysis B. Data validation C. Legal hold D. Data preservation

A. Data analysis One feature of security information and event management (SIEM) tools is the ability to perform data and log analysis to detect and investigate security incidents. Data validation techniques like mass storage devices are essential for digital evidence. The company needs to analyze the data to determine what risks may exist. A legal hold, or litigation hold, describes the notification received by an organization's legal team instructing them to preserve electronically stored information (ESI). The scenario needs more information to determine if a legal hold needs to occur. Data preservation techniques focus on properly collecting, transferring, and storing digital evidence.

For a criminal case, a company places the hard drives in an antistatic bag to ensure the safety of the data during transfer to the authorities. What is the purpose of the antistatic bag? A. Data preservation B. Data validation C. Chain of custody D. Data analysis

A. Data preservation Data preservation techniques include bags with antistatic shielding to reduce the possibility of damaged or corrupted data on the electronic media by electrostatic discharge (ESD). Data validation techniques like mass storage devices are essential for digital evidence. The scenario does not call for data validation. The chain of custody records evidence handling from collection through the presentation in court. The evidence can include hardware components, electronic data, or telephone systems. Chain of custody would most likely occur during data preservation, but the company did not transfer the data yet. Security information and event management (SIEM) helps security analysts perform data and log analysis to detect and investigate security incidents.

A security engineer reviews current vulnerabilities and notices that the entire company is open to exploitation. However, the exploit must use administrator credentials. Why would the engineer not worry about this exposure? A. Employee user accounts have limited access to change things on their devices. B. Employee user accounts have full access to change things on their devices. C. Non-IT employees know not to use the IT administrator credentials. D. The computers are not valuable.

A. Employee user accounts have limited access to change things on their devices. If a vulnerability requires administrator credentials and the affected users have limited or no permissions to make changes on their computers, the vulnerability cannot infect a device without a privilege escalation. Employee accounts should not have full rights to make changes to their computers. Some employees may need administrative credentials but should have separate credentials for that purpose. Regular employees should not have access to IT administrator credentials, as this would be a breach of access. Even if a computer is not valuable, the computer is still vulnerable to further exploits.

A web development company is working on an e-commerce website and wants to ensure that user-generated content, such as product reviews, does not introduce security vulnerabilities. Therefore, they follow secure coding best practices and implement output encoding to mitigate potential risks. What outcome can the company expect from correctly implementing output encoding? A. Encoding special characters in user-generated content B. Automatically validating user input before storing it in the database C. Protecting the application against SQL injection attacks D. Ensuring that user input is stored in a parameterized query

A. Encoding special characters in user-generated content The correct approach is to prevent cross-site scripting (XSS) attacks by encoding special characters in user-generated content. Output encoding ensures that special characters in user-generated content are safely encoded, preventing the browser from executing malicious scripts. While input validation is important, output encoding specifically addresses the secure handling of user-generated content when displayed, not when stored. Output encoding focuses on preventing cross-site scripting (XSS) attacks, not structured query language (SQL) injection attacks. Parameterized queries protect against SQL injection attacks. Ensuring that the system stores user input in a parameterized query is a technique for preventing SQL injection attacks, not an outcome of output encoding.

A defense contractor has taken all their machines offline due to an 'unpatchable' vulnerability in the embedded Unified Extensible Firmware Interface (UEFI) boot subsystem. Due to the extremely sensitive data on their systems, the contractor cannot risk having their machines breached. What describes this kind of vulnerability? A. High asset value B. Low asset value C. False positive D. True negative

A. High asset value An asset's value may influence its vulnerability score. Highly valuable assets, like those with far-reaching impacts if breached, may have little tolerance for vulnerabilities, skewing all scores into the high/critical range. In contrast to a high-value asset, a low-value asset will have fewer implications when it goes down or gets attacked. One example is a system that monitors the power consumption of overhead lights in an office. A false positive occurs when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not. A true negative occurs when a vulnerability scan correctly indicates that a system or device does not have a vulnerability.

A systems administrator is searching for potential vulnerabilities in the network. Which threat-hunting focus area should the administrator examine, as attackers often exploit it through connected systems or physical access? A. Isolated networks B. Misconfigured systems C. Business-critical assets D. Lateral movements

A. Isolated networks Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in connected systems or through physical access. Misconfigurations in IT systems can create vulnerabilities that attackers can exploit, but not through physical access. Business-critical asset hunting involves searching for vulnerabilities and threats that could impact these assets by searching for unauthorized access attempts, unusual traffic patterns, or suspicious activity that could indicate an attack. The process by which an attacker can move from one part of a computing environment to another is lateral movement. It is not a threat-hunting focus area.

A financial firm recently introduced a new email service for its employees. One of the main reasons for the new service was that the cloud provider has integrated tools to better control security that are tailored specifically for their industry. Why would this feature reduce the overall risk for the financial firm? A. It allows the firm to meet regulatory requirements. B. It allows the firm to cut costs. C. It allows the firm to get building insurance. D. It allows the firm to increase costs to cut taxable income.

A. It allows the firm to meet regulatory requirements. Being able to tailor the security practices for the industry can help companies meet regulatory requirements. Financial firms have specific laws and industry practices that firms must follow to prevent criminal prosecution. Implementing better, more secure systems is typically a costly solution. However, it may be possible to prevent lawsuits with more secure systems, which may be beneficial. Building insurance does not matter for the firm's email service security. Typically, insurance for buildings focuses more on safety and theft prevention features than on tenants' email. Cutting taxable income would be beneficial, but not in relation to security.

After a large retailer resolved an incident regarding its credit card processing service being down, management wanted a report describing what happened and identifying what changes will help mitigate future incidents. What kind of report can a company prepare that fulfills this need? A. Lessons learned B. Regulatory reporting C. Forensic analysis D. Law enforcement report

A. Lessons learned Lessons learned and after-action reports are valuable sources of information to identify recommended changes. It could be that the teams responsible for incident response were slow to act, made mistakes, or needed to be more coordinated. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies. Including law enforcement when a breach or theft occurs may help in the return of stolen property or the arrest of malicious actors. Qualified forensic investigators who understand the legal circumstances and requirements surrounding digital forensics in this setting should perform investigations involving legal matters.

A security analyst is investigating a server issue where the memory utilization is consistently high. What is most likely the cause of the high memory consumption? A. Memory leaks B. Insufficient hard disk space C. Disk defragmentation D. Insufficient cache

A. Memory leaks Memory leaks occur when an application allocates memory but does not release it when it is no longer needed, causing high memory consumption over time. It is the most likely cause of high memory consumption. Insufficient hard disk space can cause slow performance, but it is not typically the cause of high memory consumption. Disk defragmentation is a process that optimizes the storage of files on a hard drive, not memory utilization. An insufficient cache can cause the operating system to use more memory to store data, but it is not typically the cause of high memory consumption.

A network security analyst is performing a penetration testing engagement for a client. The analyst needs to identify and exploit vulnerabilities in the client's network. Which of the following tools is most commonly used by security professionals for this purpose? A. Metasploit B. Nessus C. OpenVAS D. Angry IP scanner

A. Metasploit Metasploit is a widely used framework for penetration testing and exploiting vulnerabilities. It allows security professionals to test the security of a network by finding and exploiting vulnerabilities. Nessus is a vulnerability scanning tool that an analyst could use to identify potential vulnerabilities in a network. It is not for exploiting vulnerabilities. OpenVAS is a vulnerability scanning tool that an analyst could use to identify potential vulnerabilities in a network. It is not for exploiting vulnerabilities. Angry IP Scanner is a simple IP address and port scanner. It is not for exploiting vulnerabilities in a network.

An organization is experiencing issues related to high bandwidth consumption, which has led to network congestion and slower application performance. The organization needs to implement a combination of tools and techniques to help identify the causes of high bandwidth usage, monitor network traffic, and optimize bandwidth utilization. Which of the following options would be effective for addressing these issues? (Select the three best options.) A. Network traffic analyzer B. Network access control (NAC) C. Quality of service D. Compression

A. Network traffic analyzer C. Quality of service D. Compression A network traffic analyzer can help identify the causes of high bandwidth usage by monitoring network traffic, capturing packets, and providing insights into which devices, applications, or users consume the most bandwidth. By implementing quality of service (QoS), an organization can ensure that critical applications and services receive adequate bandwidth, while less important traffic is assigned a lower priority. This approach helps to optimize bandwidth utilization and prevent network congestion. Data compression techniques can reduce the size of data transmitted over the network; thus, these techniques decrease bandwidth consumption. Network access control (NAC) is a security solution that helps organizations enforce policies for controlling access. The organization would not specifically use a NAC to address bandwidth consumption issues.

A security analyst has to perform a thorough security assessment of a client's web infrastructure. The client has a large number of web servers, and the analyst needs to identify any vulnerabilities that may exist within them. To accomplish this task, the analyst needs a tool that can quickly scan multiple web servers and provide comprehensive information on any detected vulnerabilities. Given the following options, which tool best suits the security analyst's needs in this scenario? A. Nikto B. Metasploit C. Arachni D. Burp Suite

A. Nikto Nikto is a web server scanner that the security analyst can use to specifically identify vulnerabilities in web servers. It can quickly scan multiple web servers and provide comprehensive information on any detected vulnerabilities. Metasploit is a powerful tool for penetration testing. However, it may not be able to perform comprehensive web server security assessments. Arachni is another web application security scanner, but it may offer a different level of support for the web server security assessments that the security analyst needs in this scenario. Burp Suite is a powerful tool for web application security assessments. However, there may be better choices for the security analyst in this scenario, as it may not be able to scan multiple web servers efficiently.

A security engineer is improving their company's security posture. During that process, they are looking to implement an industry-grade framework. The engineer is looking for one known for its practical information about application security. Which organization best fits this need and description? A. OWASP B. CIS C. PCI DSS D. ISO

A. OWASP The Open Web Application Security Project (OWASP) is a nonprofit foundation. OWASP is an international organization that provides unbiased, practical information about application security. The Center for Internet Security (CIS) benchmarks are a set of security configuration best practices. They provide a secure baseline configuration for various operating systems, applications, and hardware devices. Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data. The International Organization for Standardization (ISO) manages and publishes a cybersecurity framework called ISO 27k. Obtaining the ISO 27001 standard is not free of charge.

A web developer at a startup company is building a new web application. The developer wants to ensure that the application is secure from various types of attacks. Which of the following frameworks would be the most appropriate for the web developer to use? A. OWASP Web Security Testing Guide B. International Organization for Standardization (ISO) 27001/27002 C. Open Source Security Testing Methodology Manual (OSSTMM) D. Control Objectives for Information and related Technology (COBIT)

A. OWASP Web Security Testing Guide OWASP Web Security Testing Guide is a comprehensive guide for web application security testing. It provides guidelines, best practices, and resources for web developers to ensure that their applications are secure from various types of attacks. While International Organization for Standardization (ISO) 27001/27002 provides a comprehensive view of information security management, it may not be necessary or appropriate for a web application. While Open Source Security Testing Methodology Manual (OSSTMM) provides a systematic approach for security assessments, it may not be necessary or appropriate for a web application. While Control Objectives for Information and related Technology (COBIT) is a framework for IT governance and management, it does not provide specific guidance for web application security.

A support manager is giving essential security training to the help desk. Which control class is the support manager implementing? A. Operational B. Technical C. Detective D. Managerial

A. Operational Operational controls are primarily implemented and executed by people (as opposed to systems). For instance, security guards and training programs are examples of operational controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. These are primarily executed by systems (hardware, software, or firmware). Detective controls are measures taken to detect and respond to incidents or vulnerabilities. These controls provide insight into anomalies or abnormal patterns in the environment. A managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

A geographically diverse group of hackers commits fraud against a small company for commercial gain. What type of threat actor committed this fraud? A. Organized crime B. Hacktivist C. Nation-state D. Insider threat

A. Organized crime An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage. An insider threat arises from an actor whom an organization has identified and granted access.

A company's security team needs to assess the security posture of its Amazon Web Services (AWS) environment, focusing on both the reconnaissance and exploitation phases of a penetration testing engagement. The team requires a tool that can automate various attack scenarios and validate the effectiveness of its cloud security controls. Which of the following tools is best suited for this task? A. Pacu B. Zed Attack Proxy (ZAP) C. Tenable.io D. Suricata

A. Pacu Pacu is an open-source Amazon Web Services (AWS) exploitation framework for penetration testing engagements in AWS environments. It automates various attack scenarios and helps validate the effectiveness of cloud security controls. Zed Attack Proxy (ZAP) is an open-source web application security scanner that helps identify vulnerabilities in web applications. It is not specifically for Amazon Web Services (AWS) environment reconnaissance and exploitation. Tenable.io is a cloud-based vulnerability management platform that helps organizations identify and manage vulnerabilities in their infrastructure. It is not for Amazon Web Services (AWS) environment reconnaissance and exploitation. Suricata is an open-source network threat detection engine that provides intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring (NSM) functionalities.

A project manager oversees a new device management system deployment with the added benefit of keeping devices current. What type of action would this system allow the company to accomplish? A. Patching B. Compensating controls C. Awareness training D. Changing business requirements

A. Patching Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. Device management systems can help automate and streamline the patching process. Compensating controls would be beneficial if the company found a device unable to receive patches. It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. The scenario does not require awareness training. The scenario did not involve changing business requirements. However, the company may have changed requirements before the project.

A security analyst is conducting an assessment of the network security of a large organization. The analyst must determine if any unauthorized devices and services are on the network. What type of scan/sweep would indicate to the security analyst that unauthorized devices and services are running on the network? A. Port scan B. Ping sweep C. TCP sweep D. UDP

A. Port scan By determining which ports are open using a port scan, the security analyst can determine what services or applications are running on the target device and identify any unauthorized devices or services that may be present on the network. Ping sweeps can provide valuable information about the devices present on a network, but they do not provide information about the services or applications running on the target devices. A transmission control protocol (TCP) sweep is a network scan used to determine which TCP ports are open on a target device. A user datagram protocol (UDP) sweep is a network scan used to determine which UDP ports are open on a target device.

A small retailer had its customers' credit card information breached. The retailer contracted a third party to help determine the scope of the breach. The contractor came back with a list of changes to make. What describes what the contractor gave them? A. Recommendations B. Incident declaration C. Timeline D. Scope

A. Recommendations When working to remediate an incident, many sources (such as vendors or manufacturer websites) can give a company recommendations. Incident declaration and escalation are critical components of incident response that recognize and officially declare an event as an incident. The company would have completed the step already. The organization should also develop a timeline for responding to incidents, including reporting and responding to them. Developing a timeline would occur much sooner in the process. Organizations use a risk analysis and impact assessment to measure the scope of identified incidents in the organization. A scope would happen before recommendations.

Which of the following are characteristics of an advanced persistent threat? (Select the three best options.) A. Remove evidence of the attack B. Target large organizations C. Spend little time gathering intelligence D. Develop highly specific exploits

A. Remove evidence of the attack B. Target large organizations D. Develop highly specific exploits One of the defining characteristics of an APT is anti-forensics, where the adversary removes evidence of the attack. APTs typically target large organizations, such as financial institutions, companies in healthcare, and other organizations that store large volumes of personally identifiable information (PII), especially when the PII describes important government and political figures. APTs spend considerable time gathering intelligence on their targets to develop highly specific exploits. APT groups often combine many different attack elements into a carefully planned and orchestrated attack that may unfold over several months or longer. APT threat groups can access considerable financial and personnel resources, including teams specializing in custom exploit development and execution. APTs spend considerable time gathering intelligence.

A defense contractor discovered that a competitor duplicated some of their products. While the contractor is afraid of losing revenue, the more significant concern is how the competitor was able to duplicate the product. What term describes how this situation occurred? A. Reverse engineering B. Internal scan C. Fuzzing D. External scan

A. Reverse engineering Using reverse engineering, a competitor can deconstruct software and/or hardware to determine how it functions. Reverse engineering aims to determine how much information is extractable from delivered software. Internal scans are also important to protect systems from abuse from internal threats and to provide layered security. A scan would not necessarily allow a competitor to steal intellectual property. Fuzzing is an unknown environment testing method of purposely inputting or injecting malformed data. In this scenario, the company has not lost data from malformed data inputted into a database. External scans focus on viewing devices and services from the "outside" of the network. Not enough information is in this scenario to determine if this was the root cause.

An organization has recently been experiencing a series of security incidents, and a security analyst is investigating these incidents. The analyst needs to efficiently identify indicators of potentially malicious activity within the affected applications. What should the analyst focus on to effectively analyze and identify malicious activity within the application environment? A. Review application logs for unusual patterns or anomalies B. Conduct a full network vulnerability scan C. Perform a comprehensive penetration test D. Implement strict network access control policies

A. Review application logs for unusual patterns or anomalies Reviewing application logs for unusual patterns or anomalies is the most effective method for identifying indicators of potentially malicious activity within the affected applications. A vulnerability scan focuses on finding network device and configuration weaknesses rather than identifying suspicious patterns or anomalies in application logs. Penetration testing focuses on simulating attacks and testing defenses rather than examining application logs for evidence of suspicious activity. Focusing on network access control policies would not provide the analyst with the necessary insight into application logs to identify indicators of potentially malicious activity.

A CEO of a small corporation has decided to continue using a legacy system despite security concerns. This is an example of which risk management principle? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

A. Risk acceptance Risk acceptance means the company continues to operate without change after they evaluate an identified risk item, such as using a legacy system despite security concerns. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

A systems administrator runs a scan on an application server and finds several vulnerabilities. The issues are not severe, and patches are available in each instance. The administrator decided to install the available patches. What risk management principle did they demonstrate? A. Risk mitigation B. Risk acceptance C. Risk avoidance D. Risk transference

A. Risk mitigation The system administrator is practicing risk mitigation by installing the patches and reducing the vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

A security engineer is looking to improve the security of their email system. The system has a built-in reporting mechanism that shows what things they can do to improve overall security and suggested fixes with different percentages to show importance. What component of vulnerability reporting does this relate to? A. Risk score B. Prioritization C. Vulnerabilities D. Mitigation

A. Risk score The scenario describes a system that highlights potential improvements for security and assigns different percentages to show the importance of each suggested fix. These percentages, indicating importance, represent risk scores, which help measure the risk posed by a particular system, application, or individual vulnerability in terms of being successfully hacked or breached. The primary focus here involves assigning risk scores to vulnerabilities, quantifiably evaluating the risk. On the other hand, prioritization is a subsequent step that uses these risk scores, along with other factors, to determine the order for addressing vulnerabilities. Vulnerabilities refer to the weaknesses or gaps in a security program that can be exploited to gain unauthorized access to an asset. The scenario doesn't focus on identifying vulnerabilities but rather on the importance and recommendations for each. Mitigation pertains to the actions taken to lessen the risk, including applying patches, changing configurations, or implementing workarounds. While the scenario does touch on "suggested fixes", it doesn't delve deeply into mitigation methods.

A small business had inaccessible internet for several hours. Upon resolution of the situation, the owner requested an investigation into how the situation was possible and what the underlying cause of the problem was. Which kind of report is the owner requesting from the investigators? A. Root cause analysis B. Regulatory reporting C. Law enforcement D. Lessons learned

A. Root cause analysis Root cause analysis is an investigative technique used to identify the underlying cause of a problem. It is a systematic process used to determine the most fundamental cause of a problem and its consequences. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies. Including law enforcement when a breach or theft occurs may help in the return of stolen property or the arrest of malicious actors. Lessons learned and after-action reports are valuable sources of information to identify recommended changes. It could be that the teams responsible for incident response were slow to act, made mistakes, or needed to be more coordinated.

A small construction company had an inaccessible server for several days. Upon resolution of the access issue, the owner requested an investigation into how it was possible and the problem's underlying cause. Which kind of report is the owner requesting? A. Root cause analysis B. Law enforcement report C. Lessons learned D. Regulatory reporting

A. Root cause analysis Root cause analysis is an investigative technique used to identify the underlying cause of a problem. This systematic process can tell the organization the most fundamental cause of the inaccessible servers and the consequences of the issue. Including law enforcement when a breach or theft occurs may help in the return of stolen property or the arrest of malicious actors. Lessons learned and after-action reports are valuable sources of information to identify recommended changes. It could be that the teams responsible for incident response were slow to act, made mistakes, or needed to be more coordinated. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies.

An attacker is planning to target a business-critical database for a large enterprise. What are some business-critical asset-hunting methods that security analysts use to protect systems? (Select the two best options.) A. Search for unauthorized access attempts B. Search for misconfigured systems C. Search for unusual traffic patterns D. Search for routine activity

A. Search for unauthorized access attempts B. Search for misconfigured systems D. Search for routine activity Attackers can use social media sites, like Facebook and LinkedIn, to find an organization's information. Attackers can leverage social media as a vector to launch attacks against targets. An example of such a scenario would be impersonation. Attackers can impersonate trusted people to get a target to divulge information about an organization. Depending on how much an organization or an organization's employees choose to share publicly, an attacker may find posts or user profiles that give away sensitive information or simply act as another vector or target for the attacker to take advantage of. Attackers do not use information from social media as a source of defensive open-source intelligence (OSINT) because social media is an offensive source of OSINT.

A security researcher has discovered a vulnerability in a web application that allows an attacker to make requests to internal or external resources on behalf of the web server. Which of the following web vulnerabilities best describes this scenario? A. Server-Side Request Forgery (SSRF) B. Cross-Site Request Forgery (CSRF) C. Cross-Site Scripting (XSS) D. Structured Query Language (SQL) injection

A. Server-Side Request Forgery (SSRF) Server-Side Request Forgery (SSRF) is a type of web vulnerability that allows an attacker to request internal or external resources on behalf of the web server. Cross-Site Request Forgery (CSRF) is a web vulnerability that allows attackers to trick authenticated users into performing unintended actions on a web application without their knowledge. It focuses on exploiting a user's existing authentication session rather than making requests on behalf of the web server. Cross-Site Scripting (XSS) is a type of web vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. Structured Query Language (SQL) injection is a web vulnerability allowing attackers to inject malicious SQL queries into an application's database by exploiting input validation flaws.

A password management software company had a data breach. The company released a statement detailing how and when the attack happened chronologically. What describes the process they completed prior to releasing the statement? A. Set up a timeline B. Incident declaration C. Respond to recommendations D. Determine the scope

A. Set up a timeline The organization should develop a timeline for reporting and responding to incidents. The organization should also include a timeline for determining the cause of the incident, the recovery process, and the steps to prevent similar incidents in the future. Incident declaration and escalation are critical components of incident response. A timeline would occur after an incident declaration. Many sources can give a company recommendations when working to remediate an incident. Remediation would occur toward the end of a timeline. Organizations use risk analysis and impact assessments to measure the scope of identified incidents in the organization. Scope would be part of the identification after the company prepares a timeline.

A security analyst is responsible for detecting and responding to security incidents in the organization. The security analyst has decided to implement a security orchestration, automation, and response (SOAR) platform. What is the primary purpose of using a SOAR platform in this scenario? A. To automate incident responses B. To provide real-time threat intelligence to security teams C. To store and manage security-related data D. To monitor and control access to sensitive information

A. To automate incident responses Automating incident responses is one of the key benefits of using a security orchestration, automation, and response (SOAR) platform. The security analyst can respond to incidents more quickly and effectively by automating routine and repetitive tasks. While providing real-time threat intelligence is a valuable feature of a security orchestration, automation, and response (SOAR) platform, it is not the primary purpose in this scenario. Storing and managing security-related data is an important aspect of using a security orchestration, automation, and response (SOAR) platform, but there are other purposes in this scenario. Monitoring and controlling access to sensitive information is critical to security operations, but there are other purposes for using a security orchestration, automation, and response (SOAR) platform in this scenario.

A security analyst is analyzing systems for potential misconfiguration. Misconfiguration hunting is an important focus area. What are some key items the analyst should search for while misconfiguration hunting? (Select the three best options.) A. Weak passwords B. Open ports C. Unpatched software D. Isolated networks

A. Weak passwords B. Open ports C. Unpatched software One key item to search for during misconfiguration hunting is weak passwords. An attacker can exploit weak passwords and gain control of a system. Another key item to look for while misconfiguration hunting is open ports. Open ports offer attackers potential exploits leading to system compromise. During misconfiguration hunting, it is crucial to search for unpatched software. Unpatched software is a common exploit used by cybercriminals. Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. Searching for isolated networks is not a component of misconfiguration hunting.

A team of software developers at a large corporation needs to exchange data between multiple systems. The data interchange format must support very complex, deeply nested data structures, provide extensive support for namespaces to avoid name conflicts, and must include a feature for defining custom markup languages. Which of the following data interchange formats would be the most appropriate for the software developers to use in this scenario? A. eXtensible Markup Language (XML) B. JavaScript Object Notation (JSON) C. Comma-Separated Values (CSV) D. Yet Another Markup Language (YAML)

A. eXtensible Markup Language (XML) eXtensible Markup Language (XML) excels in managing very complex, deeply nested data structures and uniquely supports extensive namespaces, crucial for integrating multiple data schemas. Additionally, its capability to define custom markup languages makes it the ideal choice for software developers in this specific scenario. JavaScript Object Notation (JSON) provides a simple and efficient representation of data. However, JSON may struggle to handle complex data structures as well as eXtensible Markup Language (XML) does. Comma-Separated Values (CSV) are easy to read and write. However, they have limited ability to store complex data structures and may not be an appropriate choice for software developers. Yet Another Markup Language (YAML) is a more human-readable alternative to JavaScript Object Notation (JSON).

An engineer is studying the hardware architecture of a company's various systems. The engineer can find the x86 architecture in which of the following items? (Select the three best options.) A. Desktops B. ARM-based Tablets C. Laptops D. Servers

A. Desktops C. Laptops D. Servers Advanced RISC Machines (ARM) and x86 are common architectures. The x86 architecture dominates desktops, laptops, and server computers, while the ARM architecture dominates smartphones, tablets, and single-board computers. Laptops fall under the scope of x86 architecture. Different architectures emphasize different characteristics, such as scalability, raw processing power, power management, and other features. The engineer would also find that servers use the x86 hardware architecture. While some tablets use x86 architecture (like certain models of Microsoft Surface), many other tablets, especially those running Android or iOS, use ARM-based architectures. Therefore, ARM-based Tablets is not the best option in the context of this question.

The success of a data security program at an organization relies on which factors from personnel within a security operations center (SOC)? (Select the two best options.) A. Effective collaboration B. Diverse threat feeds C. Automation accuracy D. Information sharing

A. Effective collaboration D. Information sharing Effective collaboration is important. Team members have varying skills that can benefit all involved in the program's success. Team members must be willing and able to share relevant information as needed. This will help to ensure the success of the program. The combination of threat feeds from diverse sources gives a broader picture of the security landscape. This is important to the SOC but is not personnel related. Automation is useful in improving accuracy in system interactions. By automating tasks within a process, there is the potential for efficiency. This is important but not personnel related.

A security engineer wants to implement Zero Trust architecture at their workplace. What key benefits would the engineer mention to their company for using a Zero Trust architecture? (Select the three best options.) A. Greater security B. Better access controls C. Improved governance and compliance D. Decreased granularity

A. Greater security B. Better access controls C. Improved governance and compliance Zero Trust architecture authenticates all users, devices, and applications and verifies before granting network access, thus providing greater security. A Zero Trust architecture offers better access controls. For example, there are more stringent limits regarding who or what can access resources and from what locations users can access resources. A Zero Trust architecture provides improved governance and compliance. It requires limits on data access and greater operational visibility of user and device activity. Decreased granularity is not a key benefit of using a Zero Trust architecture. Zero Trust architecture offers increased granularity, granting users access to what they need when needed.

An organization looks to strengthen team coordination in a security operations center (SOC) without needing to rely on self-operating support. In doing so, which policies should management implement for team members to achieve this goal? (Select the three best options.) A. Information sharing B. Streamlined automation C. Communication protocols D. Effective collaboration

A. Information sharing C. Communication protocols D. Effective collaboration The security operations center (SOC) team must have strong communication skills to ensure successful coordination. This means that information should be prompt and articulate. This is a beneficial policy for the team. Team members must be willing and able to share relevant information. Documenting is important and beneficial to all on the team. Effective collaboration is important. Team members have varying skills that can be highly beneficial for all involved. Streamlined automation is a highly important function, but in this instance, the team is trying to work without relying on self-operating (automated) support.

A network engineer wants to simplify network and security services. How could Secure Access Service Edge (SASE) help to simplify these services for the engineer? A. It combines network and security functions into a single cloud-hosted service. B. It requires dedicated hardware. C. It offers elementary features. D. It blocks the remote management of networks and systems.

A. It combines network and security functions into a single cloud-hosted service. Secure Access Service Edge (SASE) aims to simplify the complexity of managing multiple network and security services by combining networking and security functions into a single cloud-hosted service. SASE eliminates the need for dedicated hardware, which allows security teams to quickly adapt to changes while maintaining secure access to any user from any device. SASE also offers advanced features such as identity and access management, secure web gateways, and supports Zero Trust network access, all designed to protect an organization's data and applications while providing uninterrupted user access. SASE also facilitates remote management of networks and systems.

A group of security engineers looks to achieve high data enrichment while compiling threat information for review. Which solution will the engineers apply to achieve this goal? A. Using different data sources B. Using automation C. Identifying threat areas D. Improving accuracy

A. Using different data sources Data enrichment is the process of analyzing data from different sources to better understand the threat landscape. Using different sources for high data enrichment is essential to providing a well-rounded view of threat information. Automation can improve accuracy and reduce human involvement in a process. However, automation on its own will not ensure data enrichment. Identifying threat areas is an end result of gathering and analyzing information. Data enrichment will help provide relevant data sets. Automation is useful in improving accuracy in system interactions. By automating tasks within a process, there is the potential for efficiency and the benefit of no human error.

A security analyst at an organization receives an alert from their security information and event management (SIEM) system. Upon reviewing the log data, the analyst notices an increase in high-privilege actions within the network. What should the analyst prioritize when investigating this issue to identify the potential underlying cause? A. Investigate unusual network traffic patterns B. Analyze new user accounts C. Review application logs for unexpected behavior D. Examine recent file changes and modifications

B. Analyze new user accounts The analyst should prioritize analyzing newly created user accounts, as the increase in high-privilege actions may be in relation to the unauthorized introduction of new accounts with elevated permissions. While unusual network traffic patterns could indicate malicious activity, they are not directly related to the increase in high-privilege actions observed in this scenario. Reviewing application logs for unexpected behavior might be useful in detecting other types of incidents but does not directly address the increase in high-privilege actions. Examining recent file changes and modifications may help identify unauthorized access or modifications but does not directly focus on the observed increase in high-privilege actions.

A security operations center is responding to an alert that a team member found a USB thumb drive connected to a computer. The company has a policy that prohibits the use of USB thumb drives on the company's computers. What is this policy referencing in regard to the Common Vulnerability Scoring System (CVSS)? A. User interaction B. Attack vectors C. Scope D. Availability

B. Attack vectors The policy references attack vectors. A local attack vector consists of the ability to manipulate the system with local access, such as by using a Universal Serial Bus (USB)-connected device. User interaction revolves around whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment. Scope indicates whether the exploit affects only the local security context or not. For example, a hypervisor vulnerability might allow an exploit from one Virtual Machine (VM) to another VM. Availability relates to the extent to which a system is unavailable. It does not relate to the use of a USB-connected device on a company computer.

A software development company is building a custom web application for a client that will process sensitive financial information. The client has specified that a software developer must thoroughly test the application for security vulnerabilities before it goes into production. The company has several security testing options but wants to use the tool that will provide the most comprehensive results. What tool should the company use in this instance? A. Nessus B. Burp Suite C. Metasploit D. Nmap

B. Burp Suite Burp Suite is a web application security testing tool that provides comprehensive features for identifying and mitigating security vulnerabilities. It would be the most appropriate tool for the software development company to use in this scenario. While Nessus is a well-known vulnerability scanner, it may not provide as comprehensive results as other options. Metasploit is a framework for penetration testing and can be useful in finding vulnerabilities, but it may not provide a complete picture of the application's security. Nmap is a network exploration tool and security scanner, but it may not have all the features needed for a thorough web application security assessment.

Given the recent adoption of new National Institute of Standards and Technology (NIST) guidelines, a company plans to adjust its policies to provide protection when circumstances prevent the use of primary security measures. Which provides this type of protection to the company? A. Patching B. Compensating controls C. Configuration management D. Awareness training

B. Compensating controls Many organizations use complicated and highly integrated systems that are extremely difficult to change, upgrade, and maintain. Compensating controls provide protection when circumstances prevent the use of primary security measures. Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. A compensating control may be beneficial if a device cannot get a security patch. Configuration management helps security teams ensure that systems remain consistent, compliant, and secure. The scenario did not involve the need for configuration management. Awareness training would be more helpful for the company to prevent user interaction risks.

A software development company has already included planning, implementation, testing, and maintenance stages in its software development lifecycle (SDLC). Which of the following stages did the company NOT include? (Select the two best options.) A. Testing B. Design C. Deployment D. Post-implementation review

B. Design C. Deployment During the design stage, the development team should incorporate security controls and best practices into the software architecture, taking into account the security requirements identified during the requirements analysis stage. Ensuring secure deployment is essential for the overall security of the software. The development team should consider secure configuration, vulnerability scanning, and implementing necessary security patches before deploying the application in a production environment. The company has already integrated security-focused activities into the implementation stage, which typically includes testing. While a post-implementation review can help identify areas for improvement in the software development lifecycle (SDLC), it does not directly contribute to integrating security-focused activities into the missing stages of the SDLC.

A network administrator at a small business is concerned about the increasing number of phishing attacks that are targeting the organization's employees. The administrator wants to implement a comprehensive solution to help protect the organization from these types of attacks. Which of the following solutions would be the most appropriate for the network administrator to use in this scenario? A. Sender Policy Framework (SPF) B. Domain-based Message Authentication, Reporting, and Conformance (DMARC) C. DomainKeys Identified Mail (DKIM) D. Transport Layer Security (TLS)

B. Domain-based Message Authentication, Reporting, and Conformance (DMARC) Domain-based Message Authentication, Reporting & Conformance (DMARC) is a comprehensive solution for protecting against phishing attacks. It builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to provide a complete solution for preventing email spoofing. While Sender Policy Framework (SPF) provides a basic level of protection against email spoofing, it does not provide comprehensive protection against phishing attacks. While DomainKeys Identified Mail (DKIM) provides a basic level of protection against email spoofing, it does not provide comprehensive protection against phishing attacks. While Transport Layer Security (TLS) provides a basic level of protection for data in transit, it does not protect against phishing attacks.

A financial services company has discovered that its web application suffers from broken access control issues. Which of the following controls should a security expert recommend to mitigate the risks associated with these issues? A. Implementing a Web Application Firewall (WAF) B. Employing Role-Based Access Control (RBAC) C. Enforcing password complexity requirements D. Adopting a Security Development Lifecycle (SDLC) approach

B. Employing Role-Based Access Control (RBAC) RBAC is a security model that restricts access to resources based on the roles assigned to users. Implementing RBAC can help fix broken access control issues by ensuring that users only have the appropriate level of access to the needed resources. While a WAF can help protect against various web application attacks, it does not address broken access control issues directly. Password complexity requirements help secure user accounts but do not address broken access control issues directly. Although an SDLC approach can help improve the overall security of a software product, it does not directly address broken access control issues in an existing application.

A systems administrator in charge of the company's antivirus software is going through alerts. The administrator sees two alerts: one for a suspicious login from the same Internet Protocol (IP) address as the corporate office and one for a suspicious login from a foreign country from an employee located at the corporate office. What type of scan result would the first alert be classified as? A. False negative B. False positive C. True positive D. True negative

B. False positive Regarding the first alert, since it is coming from the corporate office, it is most likely the administrator checking the report, resulting in a false positive. A false negative is when a vulnerability scan incorrectly identifies that a vulnerability does not exist. False negatives are the most concerning issue as they represent a failure of the scanning tool to report on a legitimate issue. A true positive is when a vulnerability scan correctly identifies a vulnerability. For example, a true positive would be when a scan correctly identifies the presence of default credentials on network equipment. A true negative can be when a vulnerability scan correctly indicates that a system or device does not have a vulnerability.

A small construction company investigated its server outage and found that an employee purposely disabled it. The company wants to investigate the server further to determine if the outage caused any losses. What kind of analysis can the company conduct? A. Root cause analysis B. Forensic C. Lessons learned D. Regulatory

B. Forensic Qualified forensic investigators who understand the legal circumstances and requirements surrounding digital forensics in the construction setting should perform the investigation in case of potential legal implications. Root cause analysis is an investigative technique used to identify the underlying cause of a problem. It is a systematic process used to determine the most fundamental cause of a problem and its consequences. Lessons learned and after-action reports are valuable sources of information to identify recommended changes. It could be that the teams responsible for incident response were slow to act, made mistakes, or needed to be more coordinated. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies.

A software developer is working on a Linux-based application and encounters an unexpected issue in the code execution. The software developer needs a tool that can help them examine and debug the application, allowing them to inspect the runtime state and modify the program's execution flow. Which of the following tools is best suited for this task? A. Tcpdump B. GNU Debugger C. Wireshark D. Cuckoo

B. GNU Debugger The GNU Debugger is a widely used debugging tool for Linux-based applications. It allows developers to examine and debug applications, inspect the runtime state, and modify the program's execution flow. Tcpdump is a command-line network traffic analyzer that captures and displays network packets. It is not for debugging Linux-based applications like the GNU Debugger. Wireshark is a network protocol analyzer that allows users to capture and analyze network traffic in real time. However, it is not for debugging Linux-based applications like the GNU Debugger. Cuckoo Sandbox is an open-source automated malware analysis system that helps analyze suspicious files and URLs in a safe, isolated environment. It is not for debugging Linux-based applications like the GNU Debugger.

A healthcare organization is developing a web-based patient records system. During the testing phase, security analysts identified several injection flaws that could potentially compromise sensitive patient data. Which controls should the organization implement to mitigate the risks associated with injection flaws? A. Employ least privilege principles for database access B. Implement parameterized queries and input validation C. Use cookies to store user session data D. Disable security headers in the application

B. Implement parameterized queries and input validation Parameterized queries help prevent structured query language (SQL) injection attacks by separating user input from the query. Input validation ensures that user input is properly checked and sanitized before processing, reducing the risk of injection attacks. While least privilege principles are crucial for overall security, they do not directly address the risks associated with injection flaws and do not prevent injection attacks from occurring in the first place. Session management does not directly address injection flaws. Storing session data in cookies can introduce other security risks, such as session hijacking if cookies are not secured correctly. Disabling security headers can weaken the application's security posture by removing protections against attacks like clickjacking or cross-site scripting (XSS).

A security analyst is conducting a review of a server in a large organization. The analyst has noticed that the server's disk capacity is almost full. What is the most likely cause of high disk capacity consumption in this scenario? A. Insufficient cache B. Large data sets C. Disk fragmentation D. Disk corruption

B. Large data sets Storing large data sets can consume a significant amount of disk capacity, particularly if the data is in multiple locations or if a user improperly manages and archives the data. An insufficient cache can cause the operating system to use more disk space to store data. Disk fragmentation occurs when files are in multiple locations on a disk, causing the disk to slow down or become less efficient. However, it is not the most likely cause of high disk capacity consumption. Disk corruption occurs when data on the disk becomes corrupted, causing the disk to slow down or fail. However, it is not the most likely cause of high disk capacity consumption.

An executive from a large multinational bank had their work laptop stolen from their luggage while flying back from a business trip. Due to the sensitive nature of their work, who should they work with to try to get the stolen laptop back? A. Regulators B. Law enforcement C. Customers D. Legal

B. Law enforcement Law enforcement can help the executive with the return of the stolen laptop or the arrest of the people responsible. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies. Companies need to report data incidents to their customers. Reporting should be timely to allow customers to respond. Failing to report timely can harm a company's reputation. When an incident occurs, employees should report the issue to the company's legal department if it has one. The legal department can handle questions about who else the employee must notify in case of data loss or a breach.

A company suspects a former employee of damaging company information. The company hires a forensics company to investigate. Which of the following steps should be the forensics vendor's first priority to ensure the integrity of the information during the investigation? A. Data validation B. Legal hold C. Data analysis D. Data preservation

B. Legal hold The first priority should be to enact a legal hold, which involves the preservation of all relevant data and information related to the case. A legal hold is a communication issued as a result of current or anticipated litigation, audit, government investigation, or other such matter that suspends the normal disposal or processing of records. Data validation is a critical part of any investigation process and is used to ensure the integrity and authenticity of the data or evidence. However, it would typically come after a legal hold has been enacted, and the data has been preserved. Data analysis is an important step in the investigation but comes after the data has been legally held and validated. Data preservation is an essential component of the process to prevent any changes to the data during the investigation. But before this step, it is crucial to ensure a legal hold is in place to comply with legal requirements.

After a company resolved an incident, the management wanted a report describing what happened to identify what changes would help mitigate future incidents. What kind of report can a company prepare that fulfills this need? A. Regulatory reporting B. Lessons learned C. Law enforcement report D. Forensic analysis

B. Lessons learned Lessons learned and after-action reports are valuable sources of information for identifying recommended changes. It could be that the teams responsible for incident response were slow to act, made mistakes, or needed to be better coordinated. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies. Including law enforcement when a breach or theft occurs may help in the return of stolen property or the arrest of malicious actors. Qualified forensic investigators who understand the legal circumstances and requirements surrounding digital forensics in this setting should perform investigations involving legal matters.

A threat intelligence analyst is conducting a network reconnaissance and needs to gather information about the relationships between various entities on the target network. Which tool could the analyst use to accomplish this task? A. Wireshark B. Maltego C. OpenVAS D. Tcpdump

B. Maltego Maltego is a tool specifically designed for information gathering and visualizing the relationships between various entities. It can gather information about domains, IP addresses, and other network entities to help identify potential targets for a cyber attack. Wireshark is a packet analysis tool that analyzes network traffic. It is not specifically for information gathering and relationship mapping. OpenVAS is a vulnerability scanning tool that can identify vulnerabilities in networked systems. It is not specifically for information gathering or relationship mapping. Tcpdump is a packet capture tool that can capture and analyze network traffic. It is not specifically for information gathering or relationship mapping.

A company is trying to determine how to handle the fallout of an executive that was arrested for embezzlement. Even though their customer's money is secure, they want to ensure there is not a run on the bank for withdrawals. Who should they work with to release details to the public? A. Law enforcement B. Media C. Regulators D. Legal

B. Media The media can make or break a company's reputation during an incident response. Staying ahead of salacious rumors can help mitigate the risk of damaging a reputation. Including law enforcement when a breach or theft occurs may help in the return of stolen property or the arrest of malicious actors. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies. When an incident occurs, employees should report the issue to the company's legal department if it has one. The legal department can handle questions about who else the employee must notify in case of data loss or a breach.

A cybersecurity analyst wants to collect indicators of compromise (IoCs) to identify, investigate, and mitigate threats. What are some examples of IoCs that the analyst will be collecting? (Select the three best options.) A. Expected configuration changes B. Odd network patterns C. Unusual account behaviors D. Unfamiliar new files

B. Odd network patterns C. Unusual account behaviors D. Unfamiliar new files Odd network patterns are one of the many indicators of compromise (IoCs) that the cybersecurity analyst might collect. Other common forms of IoC include unusual outbound network traffic, logins occurring from unexpected geographic locations, and suspicious privileged user account behavior. Unusual account behavior is another example of an indicator of compromise (IoC) that the analyst might collect. If the analyst finds an unfamiliar new file on a system, it would also be an indicator of compromise (IoC). Expected configuration changes to a system are not an indicator of compromise (IoC). Unexpected configuration changes to a system would be an IoC.

A ticket came in about the badging system crashing after a recent vulnerability scan. The ticket response team found that a specific service on the system was incompatible with the software that ran the scan. What special considerations should the team take into account when choosing the specific software to avoid this situation? A. Segmentation B. Operations C. Scheduling D. Sensitivity level

B. Operations Vulnerability scanning can, unfortunately, cause operational problems, such as negatively impacting a system's performance or causing services to crash. Segmentation has performance and security benefits. Segmentation would be useful as a remediation technique. Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. Scheduling scans will need to take into account negative impacts on operations. Having a clear view of data is the first step in protecting it. The data inventory describes the data in terms of what it contains, such as its classification and sensitivity. The scenario does not specify sensitivity issues.

A small vendor is working to sell their point-of-sale register product to a large pharmacy chain. Before the vendor can complete the sale, they must attest to their controls designed to prevent fraud and protect consumer financial data. Which industry framework should the vendor adopt in product planning and implementation? A. ISO B. PCI DSS C. CIS D. OWASP

B. PCI DSS Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data. The International Organization for Standardization (ISO) manages and publishes a cybersecurity framework called ISO 27k. Obtaining the ISO 27001 standard is not free of charge. The Center for Internet Security (CIS) benchmarks are a set of security configuration best practices. They provide a secure baseline configuration for various operating systems, applications, and hardware devices. The Open Web Application Security Project (OWASP) is a nonprofit foundation. OWASP is an international organization that provides unbiased, practical information about application security.

A system administrator is hardening a newly provisioned server with software patches and security updates. What functional security control is the system administrator performing? A. Detective B. Preventative C. Corrective D. Compensating

B. Preventative Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Implementing software patches and security updates are examples of preventative controls. The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. A good example of a corrective control is a backup system that can restore data damaged during an intrusion. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A security analyst in a large organization observes a recent spike in security incidents. To enhance the endpoint security strategy, an endpoint detection and response (EDR) solution is implemented. Which of the following best describes the key feature of EDR and how it helps the security analyst detect and respond to malicious activity in the organization's network? A. Automates security-related tasks B. Provides real-time visibility into endpoint activity C. Integrates with other security solutions D. Performs forensic analysis on endpoints

B. Provides real-time visibility into endpoint activity Providing real-time visibility into endpoint activity is the primary function of endpoint detection and response (EDR), allowing the analyst to detect and respond to malicious activity promptly and improve the overall security of the organization's network. Automating tasks may improve efficiency, but there are other functions of endpoint detection and response (EDR) when detecting and responding to malicious activity in real time. Integrating with other security solutions can provide a more comprehensive view of security-related activities. Performing a forensic analysis on endpoints focuses on a specific aspect of an endpoint detection and response (EDR) solution rather than describing the key feature that helps the security analyst detect and respond to malicious activity.

A software development company is building a custom application for a client that will collect and analyze moderate amounts of data to identify patterns and make predictions. The client has specified that the application must use a scripting language with many libraries and tools for machine learning. Which scripting language should the software developer use? A. C++ B. Python C. Java D. JavaScript

B. Python Python has a vast and well-established ecosystem for machine learning, with numerous libraries and tools available for tasks such as data analysis, visualization, and modeling. While C++ has some libraries and tools for machine learning, its ecosystem is less versatile than Python's, and it is a compiled language rather than the scripting language the client specified. While Java does have some libraries and tools for machine learning, it is not as well-suited for data-intensive applications as other programming languages, such as Python or R. JavaScript is a widely used programming language commonly used for building web applications, but it is not a common choice for machine learning development.

A company has hired a security analyst to perform a comprehensive information gathering and reconnaissance phase of a penetration testing engagement. The analyst needs to use a tool that can automate gathering information about a target and performing reconnaissance on the target network. Which of the following tools is best suited for this task? A. Aircrack-ng B. Recon-ng C. Snort D. Metasploit

B. Recon-ng Recon-ng automates the reconnaissance and information-gathering process, making it an ideal choice for the given scenario. The Aircrack-ng tool is primarily for assessing the security of wireless networks. While it is a valuable tool for its intended purpose, it does not cover the comprehensive information gathering and reconnaissance needed in the given scenario. Snort is an open-source intrusion detection system (IDS) and intrusion prevention system (IPS) tool. While it is a valuable tool for network security, it does not specialize in information gathering and reconnaissance like Recon-ng. Although Metasploit can be used in the later stages of a penetration testing engagement, it is not specifically for the initial information gathering and reconnaissance phase.

A cybersecurity analyst is investigating a security incident and needs to search for specific patterns within large amounts of log data. Which programming tool or technique is most commonly used to identify patterns in text data and would be helpful for the analyst in this scenario? A. Python B. Regular expressions C. Shell script D. JavaScript

B. Regular expressions Regular expressions are a powerful tool for defining and searching for specific patterns in text data, making them the most appropriate choice for this scenario. Python can search and manipulate text data, but it is not the most common tool specifically for identifying patterns in text. Shell scripts can search and manipulate text data, but they are not the most common tool specifically for identifying patterns in text. JavaScript may be able to search and manipulate text data, but it is not the most common tool specifically for identifying patterns in text.
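The pattern-searching described above, as an added example that is not from the original page: a regular expression with named groups is run over a handful of constructed sshd-style log lines to pull out failed logins and count them per source address. The log lines, the host names, the IP addresses and the brute-force threshold are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines in a common sshd auth.log style (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:01:15 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 08:01:19 host1 sshd[2203]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Mar 10 08:02:02 host1 sshd[2210]: Failed password for root from 203.0.113.7 port 51302 ssh2
Mar 10 08:02:44 host1 sshd[2215]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Mar 10 08:03:01 host1 CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Named groups make the extracted fields self-describing. The pattern is anchored on the
# literal message text so unrelated lines (CRON, successful logins) do not match.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)

def parse_failed_logins(text):
    """Return one dict of captured fields per line that matches the failed-login pattern."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append(m.groupdict())
    return events

def failures_by_ip(text):
    """Count failed logins per source IP."""
    return Counter(e["ip"] for e in parse_failed_logins(text))

def brute_force_sources(text, threshold=3):
    """Source IPs at or above the failure threshold (threshold is an assumed tuning value)."""
    return sorted(ip for ip, n in failures_by_ip(text).items() if n >= threshold)

if __name__ == "__main__":
    for event in parse_failed_logins(SAMPLE_LOG):
        print(event["ts"], event["user"], event["ip"])
    print(brute_force_sources(SAMPLE_LOG))
```

Anchoring the pattern at the start of the line and matching the literal "Failed password for" text keeps the expression from picking up the successful publickey login or the cron entry, which is the usual source of noise when a looser pattern such as a bare IP-address regex is used.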

A security analyst monitors the performance of a large organization's server infrastructure. The analyst has noticed that one of the servers has an unusual amount of CPU consumption. How can the analyst determine the cause of the high CPU consumption? (Select the three best options.) A. Review firewall configuration B. Scan for malicious applications C. Monitor network traffic volume D. Monitor running processes

B. Scan for malicious applications C. Monitor network traffic volume D. Monitor running processes Scanning for malicious applications can help the analyst determine if a malicious application is causing high central processing unit (CPU) consumption. Monitoring network traffic volume can help the analyst determine if high network traffic is causing high CPU consumption. High network traffic can cause high CPU consumption if the server infrastructure is not able to handle the volume of traffic. Monitoring running processes can help the analyst determine if a specific process is causing high CPU consumption. A firewall configuration might cause high CPU consumption if it is misconfigured. However, other factors such as malware, high network traffic, or resource-intensive applications are more likely causes of high CPU consumption.

During a morning standup meeting, the network operations manager reported a large spike in traffic that spawned dozens of end-user tickets. These tickets stated that the company shared drives were inaccessible. The security operations manager confirmed that the security team was running a vulnerability scan during that time. What should the security team consider when running a vulnerability scan? A. Sensitivity levels B. Scheduling C. Segmentation D. Host performance

B. Scheduling When running a vulnerability scan to identify system weaknesses, the team should consider scheduling the scan. Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. The data inventory describes the data in terms of what it contains, such as its classification and sensitivity. Having a clear view of data is the first step in protecting it. Segmentation has performance and security benefits. Segmentation would be a solution for protecting sensitive data. Scanners often cause negative performance impacts on networks and hosts. Not enough information is in the scenario to determine if a host had performance issues.

Someone with a casual interest in hacking techniques launches a random attack against a widely known enterprise using tools readily available online. What type of threat actor is likely behind this attack? A. Insider threat B. Script kiddie C. Organized crime D. Hacktivist

B. Script kiddie A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An insider threat arises from an actor who has been identified by the organization and granted access, such as an employee or contractor. An organized crime gang can operate across the Internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

A security engineer suggests using a single pane of glass approach while monitoring a server farm and delegates the orchestration to several server administrators. To utilize this approach, the server administrators apply which solution? A. A series of automated messages configured as webhooks B. A customized and unified graphical user interface C. A set of functions within an API procedure D. Application add-ons that help to tailor a software package

B. A customized and unified graphical user interface A customized and unified graphical user interface is known as a single pane of glass. It will allow the administrators to view and manage an entire security posture from a single visual dashboard. An engineer can configure a series of automated messages as webhooks. These messages are sent from applications to other applications and do not provide a single pane of glass visual. A set of functions within an application programming interface (API) procedure would allow for applications to communicate and integrate with each other but not perform the desired view. Application add-ons can help to tailor and customize software products. While add-ons are useful, they alone do not enable a single pane of glass.

Data loss prevention (DLP) systems detect and prevent users from storing information on unauthorized systems or transmitting information over unauthorized networks. Which of the following are examples of DLP systems an organization can set for users? (Select the three best options.) A. Enforce the use of external media B. Implement clipboard privacy controls C. Use print blocking D. Restrict virtual desktop infrastructure (VDI) implementation

B. Implement clipboard privacy controls C. Use print blocking D. Restrict virtual desktop infrastructure (VDI) implementation DLP systems limit access to the clipboard and prevent users from placing sensitive data on the clipboard for use elsewhere. DLP systems can block printing. They can prevent the printing of sensitive information or controlled documents. This is particularly important in the healthcare industry. DLP systems can restrict virtual desktop infrastructure (VDI) implementations. Incorporating DLP features within the underlying VDI infrastructure is useful for organizations to protect all virtual desktops and govern how users can use and share data in the environment. Data loss prevention (DLP) systems usually block the use of external media. They do not enforce the use of removable devices.

A systems administrator is developing a plan for deploying Zero Trust architecture throughout the enterprise. What components of Zero Trust architecture should the administrator consider essential? (Select the three best options.) A. Increased granularity B. Network and endpoint security C. Identity and access management (IAM) D. Network segmentation

B. Network and endpoint security C. Identity and access management (IAM) D. Network segmentation

An engineer wants to automate threat response mechanisms by leveraging a solution that can act on threat-related events. Which solution does the engineer implement? A. API B. SOAR C. SOC D. SIEM

B. SOAR Security orchestration, automation, and response (SOAR) uses technology to automate acting upon security threats. The engineer uses a SOAR approach to meet the specified goal. An application programming interface (API) is a set of functions and procedures that allow two or more applications to integrate. The engineer looks for a much broader overall solution. Security operations centers (SOC) are integral to the success of an organization's information security program. Utilizing a SOC will not help the engineer achieve the specified goal. Security information and event management (SIEM) automates the collection and analysis of security-related data and raises alerts; on its own it does not orchestrate the automated response actions the engineer wants, which is the role of SOAR.

An organization looks to utilize an approach with minimal human engagement in security scanning and reporting. What actions does the organization put in place to achieve this goal? (Select the three best options.) A. Effective communication B. Trigger actions C. Application integration D. Data enrichment

B. Trigger actions C. Application integration D. Data enrichment The organization can use trigger actions for methods such as webhooks. Webhooks are automatic messages that applications send to other applications when certain events occur. An application programming interface (API) is a set of functions and procedures that allow two or more applications to integrate and communicate. Application integration through APIs lets the scanner, the ticketing system, and the reporting platform exchange results without an analyst copying data between them. Combining automatic threat feeds from diverse sources gives a broader picture of the security landscape through data enrichment. This is important to the organization's goal. To ensure successful coordination between team members, the organization will require strong communication skills. This is important but not applicable to the organization's goal of minimal human engagement.
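The SOAR-style automation in the two answers above (acting on threat-related events, and trigger actions with application integration and data enrichment), as an added example that is not from the original page: a receiver for a webhook message that first authenticates the message with an HMAC over the raw body, then enriches the alert's source address from a local feed, then picks an action with no analyst involved. The shared secret, the feed contents, the alert fields and the action names are all assumptions made for this example; the signature check is the caveat a practitioner would add, since an unauthenticated webhook lets anyone who can reach the endpoint trigger the automated action.

```python
import hashlib
import hmac
import json

# Assumed shared secret configured on both the sending and receiving application (hypothetical).
WEBHOOK_SECRET = b"change-me-shared-secret"

# Constructed local threat feed standing in for enrichment data pulled from external sources.
THREAT_FEED = {
    "203.0.113.7": {"reputation": "malicious", "tags": ["bruteforce", "scanner"]},
    "198.51.100.5": {"reputation": "benign", "tags": []},
}

def sign(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Sender side: HMAC-SHA256 over the raw request body, hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify(body: bytes, signature: str, secret: bytes = WEBHOOK_SECRET) -> bool:
    """Receiver side: recompute and compare in constant time so the check leaks no timing."""
    return hmac.compare_digest(sign(body, secret), signature)

def enrich(event: dict, feed: dict = THREAT_FEED) -> dict:
    """Data enrichment: attach feed context for the alert's source IP; unknown IPs are labelled."""
    info = feed.get(event.get("src_ip"), {"reputation": "unknown", "tags": []})
    return {**event, "enrichment": info}

def decide_action(event: dict) -> str:
    """Trigger action chosen from severity plus enrichment (action names are hypothetical)."""
    rep = event["enrichment"]["reputation"]
    if rep == "malicious" and event.get("severity", "low") in ("high", "critical"):
        return "block_ip"
    if rep in ("malicious", "unknown"):
        return "open_ticket"
    return "log_only"

def handle_webhook(body: bytes, signature: str) -> dict:
    """Full pipeline: authenticate the message, enrich it, pick the action."""
    if not verify(body, signature):
        return {"status": "rejected", "reason": "bad signature"}
    event = enrich(json.loads(body))
    return {"status": "accepted", "action": decide_action(event), "event": event}

if __name__ == "__main__":
    # Constructed alert as the scanner or SIEM would post it.
    body = b'{"src_ip": "203.0.113.7", "severity": "high", "rule": "ssh-bruteforce"}'
    print(handle_webhook(body, sign(body)))
    print(handle_webhook(body, "00" * 32))
```

The HMAC is computed over the raw bytes rather than a re-serialized JSON object because any difference in key order or whitespace between sender and receiver would otherwise break verification; the receiver also answers a bad signature with a rejection rather than an exception, so a flood of forged messages does not become a crash.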

An employee received an email impersonating the owner of the company. The employee followed the email's request and bought gift cards without verifying the legitimacy of the email. Due to this issue, the company decides to implement a new policy to mitigate this risk. What policy should the company implement? A. Compensating controls B. Patching C. Awareness training D. Configuration management

C. Awareness training It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. Training will help secure company resources by minimizing the risk of employees clicking things they should not. Compensating controls provide additional layers of security to protect against malicious or accidental breaches. The scenario looks to protect from user interaction risks. Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. Patching would not resolve a user interaction risk. Configuration management helps security teams ensure that systems remain consistent, compliant, and secure. Organizations can ensure their systems are up-to-date, reliable, and secure by implementing proper configuration management processes and tools.

A Chief Investment Officer (CIO) wants to compare their policies and practices to industry best practices. Which kind of scan can help the CIO understand what gaps they have? A. Map scan B. Fuzzing C. Baseline scan D. Internal scan

C. Baseline scan By running a baseline scan, the Chief Investment Officer (CIO) can identify gaps between the organization's current security posture and industry-standard security practices. A map, or discovery, scan identifies the devices connected to a network or network segment. Discovery scans allow security teams to identify connected devices but do not measure policy or configuration gaps. Fuzzing is an unknown environment testing method using specialty software tools designed to identify problems and issues with an application by injecting malformed data into it; it tests how an application handles input, not how policies compare with best practice. Internal scans look for vulnerabilities from inside the network perimeter and support layered security against internal threats; they identify technical weaknesses rather than gaps against a best-practice baseline.

An implementation consultant is completing a project for a client implementing Microsoft Intune. Part of that mobile device management platform project is the requirement to implement baseline benchmarks for device policy. Which organization defines the best practice approaches to patching and hardening? A. OWASP B. ISO C. CIS D. PCI DSS

C. CIS The Center for Internet Security (CIS) benchmarks are a set of security configuration best practices. They provide a secure baseline configuration for various operating systems, applications, and hardware devices. The Open Web Application Security Project (OWASP) is a nonprofit foundation. OWASP is an international organization that provides unbiased, practical information about application security. The International Organization for Standardization (ISO) manages and publishes a cybersecurity framework called ISO 27k. Obtaining the ISO 27001 standard is not free of charge. Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data.

A large corporation has established a team specifically tasked with responding to routine, non-emergency security incidents. Which of the following terms best describes this team? A. CERT B. Internal sources C. CSIRT D. Government bulletins

C. CSIRT A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems. A computer emergency response team (CERT) aims to mitigate cybercrime and minimize damage by responding to incidents quickly. It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists internally or within the protected environment. Internal sources do not describe the team the corporation created. The government is responsible for protecting the country's constituents and the national infrastructure and publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance.

An organization recently had an attack that resulted in system data loss. The system administrator must now restore the system with a data backup. What functional security control was the system administrator able to implement? A. Preventative B. Responsive C. Corrective D. Compensating

C. Corrective The system administrator used a corrective control after the attack. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Responsive controls serve to direct corrective actions enacted after the organization confirms the incident. They often document these actions in a playbook. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A financial organization is dealing with a sudden rise in security incidents. The security analyst has discovered a malware strain behind the incidents. To study its behavior and find a solution, the analyst decides to use a specific tool to isolate and analyze malware behavior. What tool is the analyst using? A. ScoutSuite B. Prowler C. Cuckoo D. Pacu

C. Cuckoo The analyst uses Cuckoo, a malware analysis tool, to isolate and execute the malware in a controlled environment, which allows the analyst to study its behavior and determine the best way to mitigate the threat. ScoutSuite is an open-source multi-cloud security-auditing tool, rather than a tool specifically designed to isolate and analyze malware behavior. Prowler is a tool for performing Amazon Web Services (AWS) security assessments. It checks for security best practices, vulnerabilities, and network configurations. Pacu is an Amazon Web Services (AWS) cloud environment exploitation framework. It provides a platform for security researchers to test and exploit vulnerabilities in AWS environments.

A security analyst reviews a firewall log's source IP addresses to investigate an attack. These logs are a representation of what type of functional security control? A. Corrective B. Preventative C. Detective D. Compensating

C. Detective The detective control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls. A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A security engineer is demoing new antivirus software. The engineer installed a standardized imitation virus to see if the new software would catch it. The engineer found that the old antivirus software did not detect it, but the new one did. What is happening with the old antivirus software? A. False positive B. True positive C. False negative D. True negative

C. False negative The old software did not detect the test virus, resulting in a false negative. A false negative occurs when a detection tool (antivirus, an intrusion detection system, or a vulnerability scanner) fails to flag a threat or vulnerability that really is present. A false positive occurs when a tool incorrectly indicates that a threat, vulnerability, or misconfiguration is present when it is not. A true positive occurs when a tool correctly identifies a real threat or vulnerability; the new antivirus detecting the test file is a true positive, as is a vulnerability scan correctly identifying default credentials on network equipment. A true negative occurs when a tool correctly indicates that a system or file is clean.

A boutique crafts company would like to set up a new eCommerce website. They are checking out vendors who have put a high level of detail in the security practices and implementation. They want to test a specific vendor's system to verify that it is not vulnerable to malicious actors injecting malformed data into the checkout process. Which kind of scan or test can the company run with permission? A. Baseline scan B. Map scan C. Fuzzing D. Internal scan

C. Fuzzing Fuzzing is an unknown environment testing method using specialty software tools designed to identify problems and issues with an application by injecting malformed data into it. Baseline scans compare a system's configuration against best-practice references used when hardening endpoints; they check configuration rather than how the checkout process handles malformed input. A map, or discovery, scan identifies the devices connected to a network or network segment. Discovery scans allow security teams to identify connected devices and uncover potential problems, but they do not test how the platform handles malformed data. Internal scans look for vulnerabilities from inside the network perimeter and support layered security against internal threats, but they do not exercise the application's input handling.
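The malformed-data testing described above, as an added example that is not from the original page or any vendor's product: a small mutation fuzzer is run against a constructed parser for checkout form data. The parser is a stand-in written for this example and carries two deliberate defects (an unchecked required field and a table lookup without a bounds check) so that the fuzzer has something to find; the field names, the discount table, the seed input and the iteration count are all assumptions.

```python
import random
from collections import Counter

# Constructed target: a tiny parser for "item=NAME;qty=N;tier=T" checkout data.
# The two defects below stand in for unknown bugs in a real checkout process.
DISCOUNTS = [0, 5, 10, 20]  # percent off, indexed by customer tier 0..3 (assumed)

def parse_checkout(data: str) -> dict:
    fields = {}
    for part in data.split(";"):
        key, _, value = part.partition("=")
        fields[key] = value
    qty = int(fields.get("qty", "1"))   # non-numeric qty raises ValueError: intended validation
    if qty <= 0:
        raise ValueError("qty must be positive")
    item = fields["item"]               # defect: KeyError when the field is missing or mangled
    tier = int(fields.get("tier", "0"))
    discount = DISCOUNTS[tier]          # defect: IndexError when tier is outside 0..3
    return {"item": item, "qty": qty, "discount": discount}

def mutate(seed: str, rng: random.Random) -> str:
    """Apply one random mutation: overwrite, insert, delete, or repeat a character."""
    s = list(seed)
    op = rng.choice(["flip", "insert", "delete", "repeat"])
    i = rng.randrange(len(s)) if s else 0
    if op == "flip" and s:
        s[i] = chr(rng.randrange(32, 127))
    elif op == "insert":
        s.insert(i, chr(rng.randrange(32, 127)))
    elif op == "delete" and s:
        del s[i]
    elif op == "repeat" and s:
        s[i:i] = [s[i]] * rng.randrange(1, 16)
    return "".join(s)

def fuzz(target, seed: str, iterations: int = 5000, rng_seed: int = 1) -> list:
    """Mutation fuzzer. Returns (input, exception name) for every input that makes the
    target raise anything other than its intended ValueError. A fixed RNG seed makes
    a run reproducible, which matters when a finding has to be handed to a developer."""
    rng = random.Random(rng_seed)
    findings = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue            # rejected by validation: that is the parser working as designed
        except Exception as exc:
            findings.append((case, type(exc).__name__))
    return findings

def crash_types(findings) -> Counter:
    """Summarize findings by exception type."""
    return Counter(name for _, name in findings)

SEED_INPUT = "item=book;qty=2;tier=1"   # a valid request used as the mutation starting point

def run_fuzz() -> Counter:
    return crash_types(fuzz(parse_checkout, SEED_INPUT))

if __name__ == "__main__":
    findings = fuzz(parse_checkout, SEED_INPUT)
    print(crash_types(findings))
    for case, name in findings[:5]:
        print(name, repr(case))
```

Separating the parser's deliberate ValueError from everything else is the important design choice: a fuzzer that counts every exception drowns real findings in expected validation failures, while one that only records unexpected exception types surfaces exactly the inputs the checkout process was never written to handle.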

A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure Security Agency. Which source of defensive open-source intelligence (OSINT) does the agency represent? A. CERT B. Internal sources C. Government bulletins D. CSIRT

C. Government bulletins The government is responsible for protecting the country's constituents and the national infrastructure and for publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency publish several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement. A computer emergency response team (CERT) aims to mitigate cybercrime and minimize damage by responding to incidents quickly. It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the protected environment. A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems.

When associating CVSS with the Risk Rating Framework, which scenario is considered a true statement? A. If an attack is unlikely to occur but would cause critical impact, the overall risk rating would be considered moderate. B. If an attack is imminent but will have a somewhat effective impact on the organization's operation, the overall risk rating would be considered low. C. If an attack is likely to occur and would cause a critical impact to the company, the overall risk rating would be considered high or critical/severe. D. If an attack is likely and could cause mediocre impacts to the

C. If an attack is likely to occur and would cause a critical impact to the company, the overall risk rating would be considered high or critical/severe. When both the likelihood and impact are high (likely to occur and critical impact), this typically results in a high or critical/severe risk rating. This reflects the gravity and potential consequences of the risk in question. In the Risk Rating Framework, when the likelihood of an attack is low (unlikely to occur) and the impact is critical, the overall risk rating would be considered low, not moderate. The low likelihood reduces the overall risk even though the impact is critical. If the likelihood of an attack is high (imminent) and the impact is only somewhat effective, the overall risk rating would not be considered low. The high likelihood increases the overall risk, categorizing it as moderate or high. If the likelihood of an attack is high (likely to occur) and the impact is mediocre (not critical), the overall risk rating would not be considered low. The high likelihood increases the overall risk, which would be categorized as moderate, not low.

An e-commerce website has been identified as being susceptible to reflected cross-site scripting (XSS) attacks within its search functionality. The security team is tasked with recommending controls to mitigate this specific vulnerability. Which of the following recommendations is MOST appropriate to address the vulnerability? A. Encrypt sensitive data stored in the database B. Increase the session timeout duration C. Implement input validation and output encoding D. Restrict access to application source code

C. Implement input validation and output encoding Reflected XSS vulnerabilities occur when user input is incorporated directly into a web page without proper validation or encoding. Implementing input validation helps ensure that user input meets expected criteria, while output encoding prevents special characters in user input from being interpreted as code by a user's web browser. Encrypting sensitive data stored in the database is an important security measure for protecting data at rest. However, it does not address reflected XSS vulnerabilities, which exploit weaknesses in the way user input is handled and processed by a web application. While session management is important for security, it does not directly address reflected XSS vulnerabilities, which involve the injection of malicious scripts via URL parameters. Restricting access to application source code is important for preventing unauthorized access, code modifications, and intellectual property theft. However, it does not specifically address reflected XSS vulnerabilities, which focus on exploiting weaknesses in the handling of user input by a web application.

An employee was transporting an encrypted data backup to an offsite storage facility when a thief broke into the employee's car and stole the data. To whom should the employee report the incident first? A. Customers B. Regulators C. Law enforcement D. Legal

C. Law enforcement In the event of a physical theft, the primary and immediate action an employee should take is to report the incident to law enforcement. This facilitates the potential retrieval of the stolen items and ensures the incident is officially documented. Companies need to report data incidents to their customers. Reporting should be timely to allow customers to respond. Failing to report in a timely manner can harm a company's reputation. The requirements for different types of breaches are found in the specific legal and regulatory requirements and often include relevant regulatory bodies. After alerting the authorities, the employee should then communicate with the company's legal department, if available. The legal team will provide guidance regarding further necessary notifications, potentially including customers or regulatory bodies.

A security analyst is examining an incident where an attacker exploited a web application to gain unauthorized access to files and resources on the server. The attacker manipulated user input to include external files or traverse the server's directory structure. Which of the following web vulnerabilities are most likely to be responsible for this scenario? (Select the two best options.) A. Server-Side Request Forgery (SSRF) B. Cross-Site Request Forgery (CSRF) C. Local File Inclusion (LFI) D. Remote File Inclusion (RFI)

C. Local File Inclusion (LFI) D. Remote File Inclusion (RFI)

A system administrator at a financial institution is investigating a report of unauthorized changes to one of the organization's systems conducted by accessing the company's intranet. The system administrator has reviewed the system logs and needs to determine the most likely cause of the changes. Which of the following is the most probable cause? A. Physical security breaches B. Misconfigured systems C. Malicious insiders D. Unsecured remote access

C. Malicious insiders Malicious insiders, such as employees or contractors with access to the network, may intentionally make unauthorized changes to the systems. Physical security breaches can lead to unauthorized access to systems, but the scenario mentions unauthorized changes, not unauthorized access. Misconfigured systems can lead to security vulnerabilities that attackers can exploit to make unauthorized changes. However, it is not the most likely cause in this scenario where the changes have already been made. Unsecured remote access can lead to unauthorized access to systems, but the scenario mentions unauthorized changes, not unauthorized access.

A security analyst monitors the network traffic of an enterprise environment. The analyst has noticed activity on an unexpected port and needs to determine the cause. What is the most likely explanation for the activity on the unexpected port? A. Distributed denial-of-service (DDoS) attack B. Phishing campaign C. Malware infection D. Unpatched software

C. Malware infection A malware infection can cause activity on unexpected ports as the malware communicates with its command-and-control server, exfiltrates data, or carries out other malicious activities. A distributed denial of service (DDoS) attack is a type of cyber attack that floods a target with traffic, rendering it unavailable. This type of attack does not typically cause unexpected port activity. A phishing campaign is a type of cyber attack that uses social engineering to trick victims into divulging sensitive information. This type of attack does not typically cause unexpected port activity. Unpatched software does not typically cause unexpected port traffic.

A large information technology department is preparing for an audit by their cyber security insurance company. While reviewing some vulnerability reports in their security information and event management (SIEM) tool, the department found critical vulnerabilities and steps to resolve them. In this type of report, what does this finding represent? A. Risk score B. Prioritization C. Mitigation D. Vulnerabilities

C. Mitigation Detailed vulnerability reports include recommended mitigations, such as identifying a patch or describing a workaround. These mitigations from the security information and event management tool can help better secure a company's equipment. While related, risk scores combine the vulnerabilities found and their recommended mitigations to aid administrators' remediation efforts. The company looked to mitigate issues. They may prioritize which vulnerabilities to deal with first. However, the scenario did not focus on that aspect. Vulnerabilities identified in an old report can reoccur in a future report despite being previously addressed. The company knows they have vulnerabilities. They are looking to resolve them.

A company's IT security team must perform a comprehensive vulnerability assessment on its network infrastructure to identify potential security weaknesses and misconfigurations. The team requires a tool to scan various systems, devices, and applications and provide detailed reports with actionable recommendations. What tool can accomplish this task? A. Burp Suite B. Splunk C. Nessus D. Snort

C. Nessus Nessus is a vulnerability scanning tool that supports scanning various types of systems, devices, and applications. The team can use Nessus to provide detailed reports with actionable recommendations. Burp Suite is a web application security testing tool that focuses on identifying vulnerabilities and security issues in web applications. It is not specifically used for comprehensive vulnerability assessments across the network infrastructure. Splunk is a powerful data analytics and log management platform that helps organizations gain insights from their data and monitor their infrastructure. It is not specifically used for comprehensive vulnerability assessments. Snort is an open-source intrusion detection and prevention system (IDPS) that monitors network traffic for malicious activities and potential security threats. It is not for comprehensive vulnerability assessments.

A network administrator at a large business is performing a security assessment of the company's network infrastructure. The administrator must determine the most appropriate framework for conducting a comprehensive security assessment. Which of the following frameworks would be the most appropriate for the network administrator? A. National Institute of Standards and Technology (NIST) Cybersecurity Framework B. Federal Information Security Management Act (FISMA) C. Open Source Security Testing Methodology Manual (OSSTMM) D. International

C. Open Source Security Testing Methodology Manual (OSSTMM) The Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive methodology for conducting a security assessment of a network infrastructure. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidelines for improving cybersecurity risk management processes and overall cybersecurity posture. It does not provide specific guidance on performing a comprehensive security assessment. The Federal Information Security Management Act (FISMA) is a set of security standards for federal government agencies. It does not provide a comprehensive methodology for conducting a security assessment. International Organization for Standardization (ISO) 27001/27002 is a set of international standards for information security management. While it provides a comprehensive view of information security management, it may be optional or appropriate for a small business environment.

A security analyst is conducting a vulnerability assessment for a client. The client's network has multiple operating systems and devices, and the analyst needs to determine if there are any security weaknesses that an attacker could exploit. What can the analyst use to identify vulnerabilities in the client's network and devices? A. Angry IP scanner B. Wireshark C. OpenVAS D. Nmap

C. OpenVAS The OpenVAS tool is an open-source vulnerability scanner that can identify vulnerabilities in multiple operating systems and devices, making it a suitable option for the security analyst. The Angry IP Scanner tool is for network scanning and is not specific to identifying vulnerabilities in a network. The Wireshark tool is for network analysis and is not specific to identifying vulnerabilities in a network. The Nmap tool is for network exploration and security auditing, but it is not as comprehensive as OpenVAS for identifying vulnerabilities in a network in multiple operating systems and devices.

The Security Operations (SecOps) team completed a rollout of a next-generation antivirus solution that will better protect the company from known viruses and provide heuristic scanning for unknown viruses. After the implementation, the team received a flood of tickets complaining about computer sluggishness. What did the SecOps team fail to consider with the new antivirus and its effects on potential settings? A. Segmentation B. Sensitivity levels C. Performance D. Scheduling

C. Performance Scanners often cause negative performance impacts on networks and hosts. Scheduled scans performed against well-defined computer groups at different times of the day can mitigate these problems. Segmentation has performance and security benefits. This scenario concerns performance issues, not protecting data. The data inventory describes the data in terms of what it contains, such as its classification and sensitivity. Sensitivity information is important but does not affect performance. Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. Vulnerability scans help identify system weaknesses that malicious actors may exploit.

A penetration tester is attempting to gain unauthorized access to a company's internal systems. They have identified a vulnerability in a low-privileged user account that the tester can exploit. Which of the following actions should the penetration tester focus on to achieve their objective of compromising sensitive systems within the network? A. Brute force attack B. Data exfiltration C. Privilege escalation D. Network scanning

C. Privilege escalation Privilege escalation refers to the act of an attacker gaining higher access privileges on a system or network than what they initially had, typically by exploiting a vulnerability or misconfiguration. While brute force attacks can help gain initial access, they do not help the penetration tester compromise sensitive systems after exploiting the vulnerability of the low-privileged user account. While data exfiltration might be a goal after compromising sensitive systems, it does not help the penetration tester achieve their objective of compromising those systems in the first place. While network scanning can be useful for identifying potential targets and vulnerabilities, it does not help the penetration tester compromise sensitive systems after exploiting the low-privileged user account vulnerability.

A large corporation's security operations center (SOC) team is processing a recent incident. The team refers to a playbook for guidance about the incident. What type of functional security control does the playbook represent? A. Corrective B. Preventative C. Responsive D. Compensating

C. Responsive Responsive controls serve to direct corrective actions enacted after the SOC team confirms the incident. The team often documents these actions in a playbook. An example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion. Preventative controls act to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. The compensating control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

A security analyst receives an alert from the organization's intrusion detection system (IDS) regarding unexpected output from a critical application. The analyst suspects that the application may be compromised. What should the analyst prioritize when investigating this issue to determine the cause of the unexpected output? A. Analyze network traffic for unusual patterns B. Check for unauthorized user account creation C. Review application logs for anomalies D. Investigate recent firewall rule changes

C. Review application logs for anomalies Reviewing application logs for anomalies can help the analyst identify the cause of the unexpected output. These logs often contain detailed information about the application's behavior and may reveal evidence of compromise or misconfiguration. Network traffic analysis may not provide the level of detail necessary to pinpoint the issue within the application itself. Checking for unauthorized user account creation is important for overall security, but it is not the most relevant factor in addressing the unexpected output from the application. Firewall rule changes may impact network communications but are less likely to be directly responsible for issues within the application's internal processing and output generation.

A cloud security team is looking for a multi-cloud security auditing tool that can assess the security posture of their Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP) environments. The cloud security team needs a tool that can provide a clear and concise view of potential security risks and misconfigurations. Which of the following tools is best suited for this task? A. Wazuh B. Aircrack-ng C. ScoutSuite D. Nikto

C. ScoutSuite ScoutSuite is an open-source multi-cloud security auditing tool that supports AWS, Azure, and GCP environments. It assesses the security posture of cloud environments and provides a concise view of potential security risks and misconfigurations. Wazuh is an open-source security monitoring and compliance management tool that helps organizations detect security threats, manage vulnerabilities, and maintain compliance with various standards. However, it is not for multi-cloud security auditing. Aircrack-ng focuses on key cracking, packet capture, and export data analysis. While it is a valuable tool for its intended purpose, it does not cover the multi-cloud security auditing needed in the given scenario. While Nikto is a valuable tool for web server security, it is not for multi-cloud security auditing like ScoutSuite.

An e-commerce company has recently experienced a series of phishing attacks targeting its employees. The company tasks the security team with implementing a solution to prevent email spoofing and protect against future phishing attempts. Which of the following technologies would be the most effective at achieving this goal? A. Two-factor authentication B. DNS-based Authentication of Named Entities (DANE) C. Sender Policy Framework (SPF) D. Public key infrastructure (PKI)

C. Sender Policy Framework (SPF) Sender Policy Framework (SPF) verifies the authenticity of an email message's sender. It helps to prevent email spoofing by verifying the sending domain and confirming that the sending host is authorized to send messages for that domain. Two-factor authentication adds an extra layer of security to a login process by requiring the user to provide two forms of authentication. It does not directly prevent spoofed emails. DNS-based Authentication of Named Entities (DANE) provides a mechanism for verifying the authenticity of a server's Transport Layer Security (TLS) certificate, although it does not protect against phishing attacks. While a public key infrastructure (PKI) provides a basic level of security for data in transit, it does not protect against phishing attacks.

Recent industry reports are pushing a data analytics company to implement better vulnerability scanning to prevent improper access and distribution of intellectual property. What should the company take into account when running the next scan to ensure proper classification of the data? A. Scheduling B. Host performance C. Sensitivity levels D. Segmentation

C. Sensitivity levels The data inventory describes the data in terms of what it contains, such as its classification and sensitivity. Having a clear view of data is the first step in protecting it. Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. This would not be a way to identify sensitive information. Scanners often cause negative performance impacts on networks and hosts. The scenario did not mention issues with performance. Segmentation has performance and security benefits. Segmentation would be beneficial to protect sensitive data but not identify it.

An e-commerce company recently suffered a data breach, and a security audit revealed several vulnerabilities in their web application. The company wants to improve its web application security by following secure coding best practices and enhancing session management. Which of the following actions should the company take to achieve this? A. Employ HTTPS for all data transmissions B. Utilize hard-coded credentials C. Use short session timeouts D. Disable input validation

C. Use short session timeouts Using short session timeouts is a secure coding best practice for session management. Short timeouts help prevent unauthorized access to a user's session by reducing the window of opportunity for an attacker to hijack the session. While employing HTTPS for all data transmissions is a good security practice, it does not directly relate to secure coding best practices or session management. Attackers can easily discover and exploit hard-coded credentials. Instead, the company should implement secure methods of storing and accessing credentials. Input validation is essential to prevent attacks, such as structured query language (SQL) injection and cross-site scripting. Therefore, disabling input validation would expose the application to security vulnerabilities.

A security analyst is performing a web application security assessment for a client to determine if any vulnerabilities exist in the web application and provide recommendations for remediation. Which tool is best suited for this task, considering its ability to identify security vulnerabilities and create and share custom scripts and plugins? A. Burp Suite Community Edition B. Aircrack-ng C. Zed Attack Proxy (ZAP) D. Metasploit

C. Zed Attack Proxy (ZAP) Zed Attack Proxy (ZAP) is a free, open-source web application security testing tool. It identifies security vulnerabilities in web applications and supports creating and sharing custom scripts and plugins. ZAP is a popular choice for web application security assessments. Burp Suite Community Edition is a popular web application security tool that offers limited functionality in comparison to Zed Attack Proxy (ZAP) when considering creating custom scripts and plugins. Aircrack-ng is a suite of tools for auditing wireless network security, but it is irrelevant for web application security testing. Metasploit is an open-source framework for developing, testing, and executing exploits, but it is not a unique tool for web application security testing.

A cloud architect advises an associate to consider a serverless platform for their new endeavor. What benefits would the architect highlight about a serverless platform? (Select the two best options.) A. Serverless platforms require the management of physical or virtual server instances. B. There are considerable management demands for file system security monitoring. C. There is no requirement to provision multiple servers for redundancy or load balancing. D. The service provider manages the underlying architecture.

C. There is no requirement to provision multiple servers for redundancy or load balancing. D. The service provider manages the underlying architecture. There is no requirement to provision multiple servers for redundancy or load balancing. As all of the processing is taking place within the cloud, there is little emphasis on the provision of a corporate network. The service provider manages the underlying architecture. Serverless platforms offer a software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances. Rather than requiring the management of physical or virtual server instances, serverless platforms eliminate the need to manage physical or virtual instances. With serverless computing, there is little to no management effort for software and patches, administration privileges, or file system security monitoring.

An engineer enables a lightweight data sharing technology for trigger-based message sharing between security software applications. What automation feature does the engineer implement? A. Add-ons B. APIs C. Webhooks D. Plugins

C. Webhooks The engineer will utilize webhooks in an automated messaging solution. They will implement webhooks to send automated messages from applications to other applications when certain events occur. The engineer can extend the functionality of many security tools with add-ons. In this case, the engineer uses an out-of-the-box solution for the required need. An application programming interface (API) is a set of functions and procedures that allow two or more applications to integrate. The engineer will use built-in functionality in this case. Plugins are additions that help to tailor a software product to match requirements more closely. In this case, the engineer will use built-in functionality.

A security analyst examines suspicious activity on a Linux-based server within the organization's network. The analyst uncovers a file containing an obfuscated script that utilizes system-level commands. Which technique should the analyst use to efficiently investigate potential malicious activities related to this incident on the affected system? A. Inspect the execution history of PowerShell scripts B. Examine Python script execution history C. Review JavaScript scripts output D. Analyze shell script logs

D. Analyze shell script logs Analyzing shell script logs would be the most effective way to investigate potential malicious activities related to this incident on the affected Linux-based system. The obfuscated script seems to be utilizing system-level commands, which is typical for shell scripts. PowerShell is primarily used on Windows-based systems, while the affected server is Linux-based. Python would not help identify the malicious activities related to the discovered script, as the script appears to be using system-level commands, which are not typically associated with Python scripts. JavaScript is primarily used in web development and does not commonly utilize system-level commands like those in the script.

A software development company has launched a new e-commerce website for their client. The client has expressed concerns about the website's security and has asked the development team to ensure that the website is secure from any potential threats. The development team has decided to conduct a web application security assessment to address these concerns. Which of the following tools best suits this task, considering its ability to identify security vulnerabilities and support automated testing? A. Zed Attack Proxy (ZAP) B. Maltego C. Aircrack-ng D. Arachni

D. Arachni Arachni is an open-source, feature-rich, modular web application security testing framework. The team can use it to identify security vulnerabilities in web applications and provide support for automated testing. Zed Attack Proxy (ZAP) is a web application security scanner, but it may not have the same capabilities as Arachni for web application security testing. Maltego is a tool for open-source intelligence and forensics. While the team can use it for various security assessments, it is not specifically for web application security testing. Aircrack-ng is an open-source suite of tools for wireless network security testing. It is not specifically for web application security testing.

A security analyst is investigating a network intrusion incident. The analyst has noticed that the attacker is sending small, periodic signals to a remote server. What technique is the attacker using to communicate with the remote server? A. Man-in-the-middle Attack (MitM) B. SQL injection C. Cross-Site Request Forgery (CSRF) D. Beaconing

D. Beaconing Beaconing is a technique where an attacker sends small, periodic signals to a remote server to communicate with it. A man-in-the-middle (MitM) attack occurs when the attacker intercepts communication; it is not necessarily used to send small, periodic signals. Structured query language (SQL) injection occurs when an attacker injects malicious code into a vulnerable SQL query to manipulate a database. It is not typically used to send signals to a remote server. Cross-Site Request Forgery (CSRF) attacks manipulate a user's actions on a web application, but they do not involve sending small, periodic signals to a remote server.

A company recently hired a new Chief Information Security Officer (CISO) to help improve the company's security posture. This decision occurred after the company ran into the issue of siloed teams not working together to protect the security of their systems. What is the CISO's most important responsibility in this situation? A. Awareness training B. Configuration management C. Patching D. Changing business requirements

D. Changing business requirements Organizations are constantly growing, changing, and adapting, so leaders must be mindful of how this evolution impacts the cybersecurity program. As the organization changes, so must its security approaches and capabilities. It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. User training may be a result of changing business requirements. Configuration management helps security teams ensure that systems remain consistent, compliant, and secure. Configuration management may also be a result of a changing business requirement. Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities.

To maintain a consistent, compliant, and secure state across systems in line with a new policy, which control should a systems administrator primarily focus on? A. Patching B. Compensating controls C. Awareness training D. Configuration management

D. Configuration management Configuration management is the primary control that ensures systems are consistently set up according to security and operational standards. By maintaining a known, compliant state across systems, administrators can prevent potential vulnerabilities due to misconfiguration or outdated setups. Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. A policy may be part of configuration management but not necessarily the sole concern in the scenario. Compensating controls provide additional layers of security to protect against malicious or accidental breaches. The scenario tries to avoid needing compensating controls. It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. Configuration management does not necessarily involve awareness training.

A security auditor discovered a vulnerability in a web application that allows an attacker to trick an authenticated user into performing unintended actions on the application without their knowledge. Which of the following web vulnerabilities best describes this scenario? A. Cross-Site Scripting (XSS) B. Server-Side Request Forgery (SSRF) C. Directory Traversal D. Cross-Site Request Forgery (CSRF)

D. Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF) is a web vulnerability that allows an attacker to trick authenticated users into performing unintended actions on a web application without their knowledge. Cross-Site Scripting (XSS) is a type of web vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. Server-Side Request Forgery (SSRF) is a type of web vulnerability that allows an attacker to request internal or external resources on behalf of the web server. It does not directly involve tricking authenticated users into performing unintended actions without their knowledge. Directory Traversal is a type of web vulnerability that allows an attacker to access restricted directories and files on a web server by manipulating user input.

A security analyst at a financial institution has discovered that sensitive customer data was transferred outside of the organization's network. Which of the following is the most likely explanation for the data transfer? A. Data backup B. Data archiving C. Data replication D. Data exfiltration

D. Data exfiltration Data exfiltration refers to the unauthorized transfer of sensitive data from a secure network to an external location. Data backups refer to making a copy for safekeeping if the original data is lost or damaged. Data backups are within the organization's network, not outside. Data archiving refers to moving data not actively used to a separate storage location, typically for long-term retention. Data archiving is within the organization's network, not outside of it. Data replication refers to creating multiple copies of data for redundancy purposes, allowing for continued access to the data even if one copy is lost or damaged. Replication is within the organization's network, not outside.

A security incident response contractor is investigating a data breach for a client. After analyzing the breach, the contractor reports that only basic information such as usernames and emails were leaked. What does this investigation help the client do? A. Set up a timeline B. Incident declaration C. Respond to recommendations D. Determine the scope

D. Determine the scope Organizations use risk analysis and impact assessments to measure the scope of identified incidents in the organization. The organization should develop a timeline for reporting and responding to incidents. The organization should also include a timeline for determining the cause of the incident, the recovery process, and the steps to prevent similar incidents in the future. Incident declaration and escalation are critical components of incident response. It is the process of recognizing and officially declaring an event as an incident. The declaration would happen first. When working to remediate an incident, many sources (such as vendors or manufacturer websites) can give a company recommendations. Remediation would occur after the scope.

An e-commerce platform has identified a stack overflow vulnerability in one of its critical applications. The organization has tasked a security analyst with suggesting effective controls to mitigate the risk associated with this vulnerability. Considering the nature of the vulnerability, which control should the analyst recommend? A. Implementing input validation and sanitization B. Enabling secure cookie flags C. Applying Content Security Policy (CSP) D. Employing Address Space Layout Randomization (ASLR)

D. Employing Address Space Layout Randomization (ASLR) ASLR is a security technique that randomizes the memory address locations where the system loads application code and data. This randomization makes it more challenging for attackers to exploit stack overflow vulnerabilities. Although input validation and sanitization are essential for preventing various attacks, such as injection attacks, they are not the most effective controls for mitigating stack overflow vulnerabilities. Secure cookie flags enhance the security of cookies transmitted between the client and server but do not directly address stack overflow vulnerabilities. CSP is a security feature that helps prevent cross-site scripting (XSS) and other code injection attacks but does not specifically target stack overflow vulnerabilities.

A security analyst observes a service interruption affecting a critical application within the organization. The analyst suspects that this could be due to malicious activity. What should the analyst prioritize when investigating this issue to determine the cause of the service interruption? A. Perform a penetration test on the application B. Review recent firewall rule changes C. Analyze user account creation logs D. Examine server logs for unusual activity

D. Examine server logs for unusual activity Examining server logs for unusual activity is the most appropriate action in this scenario, as these logs can provide valuable information on the events leading up to the service interruption. Penetration testing focuses on identifying weaknesses in the application's security posture rather than investigating an ongoing issue. Firewall rule changes may impact network communications but are less likely to be directly responsible for the application's service interruption. Analyzing user account creation logs can help identify unauthorized accounts, which could indicate compromise. However, it is not the most effective method for determining the specific cause of the service interruption.

A threat actor obtains and releases confidential information about a political candidate to the public domain. The information damages the person's candidacy and helps the opposing party. These actions were likely performed by which type of threat actor? A. Insider threat B. Script kiddie C. Organized crime D. Hacktivist

D. Hacktivist Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites. An insider threat arises from an actor whom the organization has identified and granted access to. A script kiddie is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (both against individuals and companies) and blackmail.

A rapidly growing tech startup faces potential cybersecurity threats due to its expanding user base. The CTO, alarmed by this, recognizes the importance of an incident response plan to safeguard the company's reputation and assets. Considering the heightened risks, which action should the tech startup prioritize to address potential security incidents? A. Focus only on post-incident analysis. B. Document potential breaches without containment. C. Directly proceed with detection without prior preparation. D. Harden systems and set up confidential communication lines.

D. Harden systems and set up confidential communication lines. Starting with system hardening and confidential communication channels ensures a foundation for the startup's security, allowing them to be more resilient to potential attacks. Solely focusing on post-incident activities neglects the proactive measures that can prevent incidents from happening or reduce their severity. Documentation is crucial, but merely documenting without efforts to contain or address incidents can lead to prolonged vulnerabilities and escalated damages. Ignoring the preparation phase means the startup isn't primed to tackle incidents. Proper preparation can prevent some incidents and make responding to others more effective.

A local city council tasked its Information Technology (IT) department to implement an international-scale cybersecurity framework. The requirement is coming from their cybersecurity insurance vendor. The vendor warned that this set of frameworks is not freely available. Which industry framework should the IT department investigate? A. CIS B. PCI DSS C. OWASP D. ISO

D. ISO The International Organization for Standardization (ISO) manages and publishes a cybersecurity framework called ISO 27k. Obtaining the ISO 27001 standard is not free of charge. The Center for Internet Security (CIS) benchmarks are a set of security configuration best practices. They provide a secure baseline configuration for various operating systems, applications, and hardware devices. Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data. The Open Web Application Security Project (OWASP) is a nonprofit foundation. OWASP is an international organization that provides unbiased, practical information about application security.

A software developer at a technology company needs a format to serialize and transmit data between a web application and a server. The format must be lightweight, easily parsed by web browsers, and efficient for frequent network requests. Which data interchange format should the developer use? A. eXtensible Markup Language (XML) B. Yet Another Markup Language (YAML) C. Comma-Separated Values (CSV) D. JavaScript Object Notation (JSON)

D. JavaScript Object Notation (JSON) JavaScript Object Notation (JSON) is an ideal choice for web applications due to its lightweight nature, ease of parsing in JavaScript environments, and efficient client-server communication over networks. It is especially well-suited for AJAX (Asynchronous JavaScript and XML) web applications, which often require quick and asynchronous data exchanges between clients and servers. XML, while flexible and widely used in web services, tends to be more verbose than JSON, which can lead to increased bandwidth usage and slower processing in web browsers. YAML is known for its human readability. It is often used in configuration files but is not typically used for data interchange between web applications and servers due to its verbosity compared to JSON. CSV is straightforward and useful for representing tabular data but lacks the ability to represent more complex, hierarchical data structures that are often needed in web applications. It also isn't natively parsed by JavaScript like JSON.

After handling a near loss of data, a medical facility decides to work with regulators to mitigate future risks. Who should the facility be communicating with? A. Law enforcement B. Regulators C. Customers D. Legal

D. Legal First and foremost, the facility should consult with its legal department or legal counsel. They will provide guidance on any potential liabilities or responsibilities and advise on the best steps to take moving forward. If there were any indications of malicious intent or activity, even if no data was lost, the facility might consider alerting law enforcement. This would be especially relevant if the near miss was due to an attempted cyber attack. As the medical facility has already decided to work with regulators to mitigate future risks, this remains a priority. Collaborating with regulators will ensure the facility meets all necessary guidelines and avoids potential future issues. Since no data was lost, immediate notification of customers may not be necessary. However, transparency and open communication are crucial for maintaining trust, so the facility might consider informing customers of the near miss and the steps taken to prevent actual data loss in the future.

A security engineer is looking to improve the security posture of their organization. One of the issues the security engineer finds is that they need to know what devices are on the network. What kind of scan can help the engineer get visibility into what is on the network? A. Baseline scan B. External scan C. Fuzzing D. Map scan

D. Map scan A map, or discovery, scan identifies the devices connected to a network or network segment. Discovery scans allow the security engineer to identify connected devices and uncover potential problems. Best practice configurations are available to use as a reference when hardening endpoints for baseline scans. A baseline would not be useful for identifying devices on a network. External scans focus on the view of devices and services from the "outside" of the network, broadly referring to the internet, whereas internal scans focus on the view from the "inside." Fuzzing is an unknown environment testing method using specialty software tools designed to identify problems and issues with an application by injecting malformed data.

Agents from a sovereign region in North Africa perform a cyber attack against the energy infrastructure of a neighboring republic. What type of threat actor does this scenario illustrate? A. Insider threat B. Organized crime C. Hacktivist D. Nation-state

D. Nation-state Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage. An insider threat arises from an actor whom an organization has identified and granted access to. An organized crime gang can operate across the internet from different jurisdictions than its victims, increasing the complexity of prosecution. Organized crime will seek any opportunity for criminal profit, but typical activities are financial fraud (against individuals and companies) and blackmail. Hacktivist groups, such as Anonymous, WikiLeaks, or LulzSec, use cyber weapons to promote a political agenda. Hacktivists might attempt to obtain and release confidential information to the public domain, perform denial of service (DoS) attacks, or deface websites.

A network security analyst conducts a network security assessment for a large organization. The analyst needs to choose the most effective tool for identifying open ports and services on the network and determining the operating systems and applications running on the network devices. Which of the following tools is the best choice for the analyst? A. Nessus B. Angry IP scanner C. OpenVAS D. Nmap

D. Nmap Nmap is a popular open-source tool for network discovery, mapping, and security auditing. Its features include the ability to scan a large number of hosts, detect operating systems and applications, and perform vulnerability assessments. Nessus can identify vulnerabilities in operating systems, applications, and network devices. However, it may not be as efficient or effective as Nmap for identifying open ports and services on the network. Angry IP Scanner provides basic information about open ports and services but may not provide the same level of detail or accuracy as Nmap. OpenVAS is a powerful tool for vulnerability assessment, but it may not be as efficient or effective as Nmap for identifying open ports and services on the network.

An organization plans to conduct a security assessment and wants to utilize a comprehensive and open approach to guide the assessment process. Which of the following covers various security aspects, such as physical, information, and wireless security, making it the most appropriate choice for the organization's security assessment? A. Open Web Application Security Project (OWASP) Top Ten B. MITRE ATT&CK C. National Institute of Standards and Technology (NIST) Cybersecurity Framework D. Open Source Security Testing Methodology Manual (OSSTMM)

D. Open Source Security Testing Methodology Manual (OSSTMM) The Open Source Security Testing Methodology Manual (OSSTMM) covers various security aspects, such as physical, information, and wireless security, making it the most appropriate choice for the organization's security assessment. The Open Web Application Security Project (OWASP) Top Ten lists the most critical web application security risks but does not specifically focus on guiding the assessment process. MITRE ATT&CK is a knowledge base of tactics and techniques used by cyber adversaries. It is useful for understanding and detecting threats but does not specifically focus on guiding security testing and assessment. The NIST Cybersecurity Framework is a valuable resource for risk management. However, it is less comprehensive for security testing and assessment than OSSTMM.

A cybersecurity analyst is investigating a security incident and suspects that an attacker is using a specific programming language to execute commands on the target system. The target system is running on a Windows environment. Which programming language is most commonly associated with scripting and automating tasks in this context? A. Python B. Bash C. JavaScript D. PowerShell

D. PowerShell PowerShell is a task-based command-line shell and scripting language designed specifically for Windows environments. It is built for scripting and automating tasks within Windows, making it the best choice for this scenario. Python is a versatile programming language used for various purposes, including scripting and automating tasks. However, it is not the most common language for Windows-based tasks and environments. Bash, or the Bourne Again SHell, is a Unix shell used primarily for scripting and automating tasks in Unix and Linux environments, not Windows. JavaScript is not the most common language for automating tasks in a Windows environment.

A company wants to evaluate the security posture of its Amazon Web Services (AWS) infrastructure to ensure it adheres to industry best practices and compliance standards. What tool can the company use to automate the auditing process and generate reports for their cloud environment? A. Burp Suite B. Nessus C. Nmap D. Prowler

D. Prowler Prowler is an open-source security tool that helps organizations evaluate their Amazon Web Services (AWS) infrastructure and ensure it adheres to industry best practices and compliance standards. Burp Suite is a popular security testing tool that helps identify vulnerabilities in web applications; it is not for auditing Amazon Web Services (AWS) infrastructure and ensuring compliance with best practices. Although Nessus is a valuable tool for vulnerability management, it is not specifically for auditing Amazon Web Services (AWS) infrastructure and ensuring compliance with best practices. While Nmap is a valuable tool for scanning networks and identifying open ports, it is not specifically for auditing Amazon Web Services (AWS) infrastructure and ensuring compliance with best practices.

A medical facility is responding to a recent breach of patient data. An employee was transporting an encrypted data backup to an offsite storage facility when someone broke into their car. Even though the thief did not steal the data, the company feared compliance repercussions. Who should the company contact to avoid these repercussions? A. Customers B. Public Relations Department C. Law enforcement D. Regulators

D. Regulators The requirements for different types of breaches are found in the regulatory requirements and often include relevant regulatory bodies. In this scenario, the relevant regulation is the Health Insurance Portability and Accountability Act (HIPAA). Companies need to report data incidents to their customers. Reporting should be timely to allow customers to respond. Failing to report in a timely manner can harm a company's reputation. The Public Relations Department plays a vital role in managing communications and protecting the company's image. However, in a scenario involving a potential breach of patient data and compliance with regulations like HIPAA, the PR Department is not the primary entity to contact to avoid compliance repercussions. Including law enforcement when a breach or theft occurs may help in the return of stolen property or the arrest of malicious actors.

A security engineer is looking to improve the security of their email system. The system has a built-in reporting mechanism showing what can improve overall security and rates the current setup. What component of vulnerability reporting does this feature relate to? A. Prioritization B. Mitigation C. Vulnerabilities D. Risk score

D. Risk score Risk scores help measure the risk posed by a particular system, application, or individual vulnerability in terms of being successfully hacked or breached. Reports can analyze trends over time to understand where vulnerabilities are most prevalent and where to prioritize remediation efforts. Prioritization is typically integrated into a Risk Score to help admins determine which risk to remediate first. Mitigations are how the company resolves any risks. A risk score involves assessing the current landscape and determining what vulnerabilities may affect a company. While the company checked for vulnerabilities, the scenario did not focus directly on them.

The legal affairs team of an international conglomerate elects to assign certain risks to a third party. Which risk management principle are they implementing? A. Risk acceptance B. Risk avoidance C. Risk mitigation D. Risk transference

D. Risk transference Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party. Risk acceptance means the company continues to operate without change after they evaluate an identified risk item. The risk item could be in relation to software, hardware, or existing processes. Risk avoidance often means that the company stops risk-bearing activity. For instance, risk managers may discover a software application has numerous high-severity security vulnerabilities. Risk mitigation is when a company reduces exposure to risk items by implementing mitigating controls to ensure that technical business operations are safe.

A small information technology department is trying to reorganize and prioritize future projects. Senior management in the company now requires metrics to determine whether a project is worth implementing. What can the department use to benchmark its operations? A. Risk scores B. Configuration management C. Mitigation D. Service-level objectives

D. Service-level objectives Service level objectives (SLOs) are essential in any customer-oriented operation. SLOs provide a benchmark by which security operations can measure their performance and help ensure they meet leadership expectations. Risk scores help measure the risk posed by a particular system, application, or individual vulnerability in terms of being successfully hacked or breached. Configuration management tracks and controls changes in a system's configuration. It is a critical component of security governance and often works as the cornerstone of systems management. Detailed vulnerability reports include recommended mitigations, such as identifying a patch or describing a workaround. Some vulnerabilities require workarounds that are either permanent or temporary.

A security engineer installs a next-generation firewall on the perimeter of a network. This installation is an example of what type of security control class? A. Managerial B. Operational C. Detective D. Technical

D. Technical Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls. The engineer would implement a technical control as a system (hardware, software, or firmware). Managerial controls give oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls. Operational controls are implemented primarily by people rather than by systems. For example, security guards and training programs are operational controls rather than technical controls. A detective control is a functional control type, not a security control class.

A software development team at a financial institution is working on a new online banking platform. They want to follow secure coding best practices and implement parameterized queries to prevent structured query language (SQL) injection attacks. Which of the following scenarios best demonstrates the correct use of parameterized queries for the company? A. Concatenating user input directly into the SQL query B. Validating user input using client-side JavaScript C. Replacing single quotes in user input with double quotes D. Using an SQL query with placeholders and binding user input to the placeholders

D. Using an SQL query with placeholders and binding user input to the placeholders Using an SQL query with placeholders and binding user input to them is the correct approach for implementing parameterized queries. Parameterized queries separate user input from the query, preventing SQL injection attacks. Concatenating user input directly into the SQL query is insecure, as it can expose the application to SQL injection attacks, allowing the attacker to execute malicious input as part of the SQL query. While input validation is essential, a malicious user can bypass client-side validation. Therefore, relying solely on client-side validation is insufficient to prevent SQL injection attacks. Replacing single quotes in user input with double quotes is not a comprehensive solution for preventing SQL injection attacks. Instead, parameterized queries offer a more robust defense against such attacks.

Despite recovering from a crypto locker virus a year ago, a small investment firm finds itself the target of a new attack. In this instance, the attacker gains access using a computer desktop scoped for removal over a year ago. What type of exposure does the firm see in this instance? A. Risk score B. Mitigation C. Prioritization D. Vulnerabilities

D. Vulnerabilities Vulnerabilities identified in an old report can recur in a future report despite being previously addressed. An incomplete or inaccurate asset inventory can often cause recurrence, especially if the firm manually completes vulnerability reports. Risk scores help measure the risk posed by a particular system, application, or individual vulnerability in terms of being successfully hacked or breached. The scenario did not discuss risks. Detailed vulnerability reports include recommended mitigations, such as identifying a patch or describing a workaround. Some vulnerabilities require workarounds that are either permanent or temporary. In the scenario, the company did not (apparently) prioritize finding all devices that were vulnerable, leading to the recurrence. However, the scenario focuses on the issue at hand, not past mistakes.

A company is forced to disable the pre-boot management engine on all of its computers due to a flaw with no available patch, making the vulnerability exploitable. Which type of vulnerability does this describe? A. False positive B. False negative C. Low value D. Zero-day

D. Zero-day A zero-day vulnerability represents an exploitable vulnerability with no available patch. This vulnerability often goes undetected. Infecting the pre-boot management engine can cause a potentially unpatchable attack vector for a malicious actor. A false positive occurs when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not. A false negative occurs when a vulnerability scan incorrectly identifies that a vulnerability does not exist. In contrast to a high-value asset, a low-value asset will have fewer implications when it goes down or gets attacked. This scenario does not focus on the value of the assets.

A new software development organization looks to provide a security solution for an existing security product. In doing so, developers at the organization utilize which technology from the existing product's toolkit to provide an integrated solution? A. SOAR B. SOC C. SIEM D. API

D. API An application programming interface (API) is a set of functions and procedures that allow two or more applications to integrate. Developers can use the existing product's toolkit for integration. Security orchestration, automation, and response (SOAR) is a process of using technology to automate identifying, analyzing, and responding to security threats. Using SOAR does not apply to developers. Security operations centers (SOC) are integral to the success of an organization's information security program. Utilizing a SOC will not help the developers achieve their goals. Security information and event management (SIEM) automates the collection, analysis, and response to security-related data. The use of a SIEM will not be of help to the developers.

An automation engineer utilizes an application programming interface (API) to enable communications between software applications. The engineer configures systems this way to minimize which management approach? A. Extended functionality B. Information relevancy C. Trigger actions D. Human engagement

D. Human engagement An engineer may utilize many techniques to reduce human engagement to improve security operations efficiency. Such solutions include application programming interfaces (APIs) and automation. Many security tools can have their functionality extended. An engineer may accomplish this by using third-party add-ons and plugins. Information relevancy pertains to the collection of data for analysis. Using a single pane of glass and other approaches, such as data enrichment, can elevate information relevancy. A trigger action is a process where an event or other mechanism prompts the action of another process. Alerts and logs are elements that respond to triggers.

What computing environment can an administrator use to install multiple independent operating systems on a single hardware platform and run them simultaneously? A. Container B. Serverless computing C. Microservices D. Virtualization

D. Virtualization A computing environment where an administrator can install multiple independent operating systems on a single hardware platform and run them simultaneously is virtualization. The administrator would not use a container in this situation. A container is an operating system virtualization deployment containing everything the system requires to run a service, application, or microservice. Serverless computing is a software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances. Microservices is a software architecture where components of the solution are highly decoupled services that are not dependent on a single platform type or technology.

A cloud consultant is investigating cloud deployment types for a client. The client requires both onsite and offsite infrastructure. Which of the following deployment types should the consultant recommend to their client? Public Hybrid Microservices Private

Hybrid The consultant should recommend a hybrid cloud deployment model. A hybrid cloud would allow the client to combine resources in a public and private cloud. It is a type of cloud computing that combines a private cloud with a public cloud. Public cloud is for public access and geared toward those without the budget, resources, or desire to build and manage a private cloud or data center. Microservices is a software architecture where components of the solution are highly decoupled services not dependent on a single platform type or technology. It is not a type of cloud deployment. An organization would design, build, and manage a private cloud in-house using its own hardware and software.

A cyber security consultant is examining security control classes for an Infrastructure as a Service (IaaS) provider. The classes measure how effectively assets are protected. Which security control class would the consultant examine to gain oversight of the information system? A. Technical B. Managerial C. Operational D. Detective

B. Managerial A managerial control gives oversight of the information system. Examples include risk identification and a tool that allows the evaluation and selection of other security controls. Firewalls, antivirus software, and operating system (OS) access control models are examples of technical controls, which the consultant would implement as a system (hardware, software, or firmware). Operational controls are implemented primarily by people rather than by systems: security guards and training programs are operational controls, not technical ones. Detective is a functional control type (alongside preventive and corrective), not a security control class.

A security analyst needs a data loss prevention (DLP) solution to prevent users from transferring data without authorization. What components typically make up DLP solutions? (Select the three best options.) Policy servers USB devices Endpoint agents Network agents

Policy servers Endpoint agents Network agents Data loss prevention (DLP) solutions commonly use a policy server to configure classification, confidentiality, and privacy rules and policies; the policy server also logs incidents and compiles reports. Endpoint agents enforce policy on client computers, even when those computers are not connected to the network. Network agents scan communications at network borders and interface with web and messaging servers to enforce the policy. USB devices are not components of a DLP solution; they are one of the channels through which users improperly transfer data, and one that an endpoint agent is typically configured to control. Email, instant messaging, and social media are other channels users can use to transfer data improperly.

A support technician examines the Windows registry for a host on a local area network (LAN). The technician uses which subkey to find username information for accounts used on a computer? SAM SECURITY DEFAULT SYSTEM

SAM The Windows registry is a database that stores operating system, device, and software application configuration information. The Security Accounts Manager (SAM) subkey stores username information for the local accounts on the current computer, so that is the subkey the support technician uses. SECURITY does not store username information for accounts; it is the subkey that links to the security database of the domain the current user logged on to. DEFAULT is the subkey that contains settings for the LocalSystem account profile, not username information for accounts on the current computer. SYSTEM does not store username information for accounts; it is the subkey that contains settings for device drivers, services, and file systems. A practical caveat: by default HKLM\SAM and HKLM\SECURITY are readable only by the SYSTEM account, so a technician who opens them in regedit as an ordinary administrator sees empty keys.
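The following is an added example and is not part of the original study set. It enumerates local account names from the SAM subkey the question refers to, and handles the access caveat above: the hive is only readable under the SYSTEM token, so the function checks readability and otherwise falls back to the supported Get-LocalUser cmdlet. The registry path is the standard one on a default Windows installation; the assumption that a non-SYSTEM caller cannot read it reflects the default ACL.

```powershell
# Added example (not from the original study set): list local account names
# from HKLM\SAM, the subkey that holds local account information.
function Get-SamAccountNames {
    [CmdletBinding()]
    param()

    # Each subkey under ...\Users\Names is the name of one local account.
    # Assumption: default Windows ACL, under which only the SYSTEM account
    # can read HKLM\SAM; an administrator token gets "access denied".
    $namesKey = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Test-Path returns $false (with a non-terminating error) when the key
    # exists but the caller is not allowed to read it.
    $readable = Test-Path -Path $namesKey -ErrorAction SilentlyContinue

    if ($readable) {
        Write-Verbose "Reading $namesKey as $($identity.Name) (IsSystem=$($identity.IsSystem))"
        return (Get-ChildItem -Path $namesKey | Select-Object -ExpandProperty PSChildName)
    }

    Write-Warning ("Running as {0}; {1} is not readable. Falling back to Get-LocalUser." -f $identity.Name, $namesKey)
    return (Get-LocalUser | Select-Object -ExpandProperty Name)
}

# Usage: as an administrator this takes the fallback path; run under SYSTEM
# (for example via PsExec with -s) to read the SAM subkey directly.
Get-SamAccountNames -Verbose
```

Reading HKLM\SAM (together with HKLM\SYSTEM, which holds the boot key needed to decrypt it) is exactly what credential-dumping tools do, so a command such as `reg save HKLM\SAM` in process or command-line logs is worth alerting on even when it comes from an administrator session.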

A systems administrator is setting up single sign-on (SSO) for a company. What are some of the primary benefits of SSO to an organization? (Select the two best options.) SSO allows users to access multiple systems using only a single set of credentials. SSO allows users to access multiple websites using only a single set of credentials. SSO dramatically reduces usability. SSO eliminates the risk of breached credentials.

SSO allows users to access multiple systems using only a single set of credentials. SSO allows users to access multiple websites using only a single set of credentials. With single sign-on (SSO), a user authenticates once with designated credentials and can then access different resources, whether internal systems or websites, seamlessly with that single set of credentials. SSO dramatically improves usability rather than reducing it. It does not eliminate the risk of breached credentials; on the contrary, because one set of credentials now grants seamless access to a wide range of sensitive systems and data, an attacker who obtains breached credentials can reach a wide array of resources. For that reason the administrator should deploy multifactor authentication together with SSO, so that stolen credentials alone cannot be abused.

After provisioning a server, a support technician conducts system hardening. Why is system hardening such a vital practice? (Select the three best options.) System hardening eliminates monitoring software. System hardening reduces the attack surface of a system. System hardening includes disabling unnecessary services. System hardening involves patching the operating system.

System hardening reduces the attack surface of a system. System hardening includes disabling unnecessary services. System hardening involves patching the operating system. The purpose of system hardening is to reduce the attack surface of a system. Hardening involves enabling or disabling specific features and restricting access to sensitive areas of the system, such as protected operating system files, the Windows registry, configuration files, and logs. It includes many changes to a system, such as disabling unnecessary services, and best-practice hardening configurations can be very complex. Patching the operating system is one of the many procedures that take place while hardening a system. System hardening does not eliminate monitoring software; installing monitoring software to protect against malware and intrusions is itself a component of hardening.
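As an added example that is not part of the original study set, the script below audits a freshly provisioned Windows server against the three hardening practices in the answer: a legacy protocol that enlarges the attack surface, running services outside an allowlist, and patch age. The service allowlist and the 30-day patch threshold are illustrative assumptions; a real baseline would be generated from a known-good golden image for the server's role. It reports rather than remediates, so it is safe to run first.

```powershell
# Added example (not from the original study set): report-only hardening audit.
# Must run elevated; Get-SmbServerConfiguration needs the SmbShare module
# (Windows Server 2012 / Windows 8 and later).
function Invoke-HardeningAudit {
    param(
        # Assumption: services expected on this server role. Anything else
        # running is flagged for review, not stopped.
        [string[]]$AllowedServices = @(
            'Dhcp', 'Dnscache', 'EventLog', 'LanmanWorkstation', 'MpsSvc',
            'Schedule', 'W32Time', 'WinDefend', 'Winmgmt'
        ),
        # Assumption: a server with no update installed in this many days is unpatched.
        [int]$MaxPatchAgeDays = 30
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function New-Finding([string]$Check, [string]$Status, [string]$Detail) {
        [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
    }

    # 1. Attack surface: SMBv1 has no place on a hardened system.
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        $findings.Add((New-Finding 'SMBv1' 'FAIL' 'SMB1 server protocol enabled; disable with Set-SmbServerConfiguration -EnableSMB1Protocol $false'))
    } else {
        $findings.Add((New-Finding 'SMBv1' 'PASS' 'SMB1 server protocol disabled'))
    }

    # 2. Unnecessary services: anything running that the role does not need.
    $unexpected = Get-Service | Where-Object {
        $_.Status -eq 'Running' -and ($AllowedServices -notcontains $_.Name)
    }
    foreach ($svc in $unexpected) {
        $findings.Add((New-Finding 'Service' 'REVIEW' "$($svc.Name) ($($svc.DisplayName)) is running but not in the allowlist; if unneeded: Set-Service -Name $($svc.Name) -StartupType Disabled"))
    }
    if (-not $unexpected) {
        $findings.Add((New-Finding 'Service' 'PASS' 'Only allowlisted services are running'))
    }

    # 3. Patching: when was the most recent update installed?
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) {
        $findings.Add((New-Finding 'Patching' 'FAIL' 'No installed updates found'))
    } else {
        $age = (Get-Date) - $latest.InstalledOn
        $status = if ($age.TotalDays -gt $MaxPatchAgeDays) { 'FAIL' } else { 'PASS' }
        $findings.Add((New-Finding 'Patching' $status ("Latest update {0} installed {1:N0} days ago" -f $latest.HotFixID, $age.TotalDays)))
    }

    return $findings
}

# Usage: review the table, then act on FAIL/REVIEW rows.
Invoke-HardeningAudit | Format-Table -AutoSize
```

On a default installation the service check will list many svchost-hosted services, which is the point: each one that the role does not need is attack surface, and the allowlist should be tightened until the REVIEW rows are only those you have consciously accepted.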

A support manager is deploying multifactor authentication (MFA) in a corporate office. What is true of MFA? (Select the three best options.) Using at least two of the three factors of authentication is called multifactor authentication (MFA). MFA can use multiple authentication factors combined with authentication attributes. When using MFA, abusing authentication becomes far more simplified. With MFA in place, a username and password can be breached but are unusable without the additional factor.

Using at least two of the three factors of authentication is called multifactor authentication (MFA). MFA can use multiple authentication factors combined with authentication attributes. With MFA in place, a username and password can be breached but are unusable without the additional factor. Multifactor authentication (MFA) uses at least two of the three authentication factors: something you know, something you have, and something you are. MFA can combine those factors with authentication attributes such as gait analysis and geolocation to further improve its rigor. With MFA in place, an attacker can breach a username and password, but those items are unusable without the additional factor. Abusing authentication therefore becomes far more complex, not simpler: when MFA requires a password plus a token-generated PIN or a fingerprint scan, the attacker must compromise both factors.
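The following added example (not part of the original study set) implements the two-factor check the answer describes: a knowledge factor (a salted, iterated password hash) and a possession factor (a time-based one-time password as generated by an authenticator app, per RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits). The user record, its salt, the timestamp and the TOTP secret (the RFC 6238 reference secret) are constructed for the demonstration. It shows concretely that a breached password with no code does not authenticate.

```powershell
# Added example (not from the original study set): password + TOTP verification.

# Knowledge factor: PBKDF2 hash of the password with a per-user salt.
function Get-PasswordHash {
    param([string]$Password, [byte[]]$Salt, [int]$Iterations = 100000)
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($Password, $Salt, $Iterations)
    return [Convert]::ToBase64String($kdf.GetBytes(32))
}

# Possession factor: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits).
function Get-Totp {
    param([byte[]]$Secret, [long]$UnixTime, [int]$Step = 30)
    $counter = [long][math]::Floor($UnixTime / $Step)
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }   # counter is big-endian
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    $offset = $hash[$hash.Length - 1] -band 0x0F                     # dynamic truncation (RFC 4226)
    $bin = (($hash[$offset] -band 0x7F) -shl 24) -bor
           ($hash[$offset + 1] -shl 16) -bor
           ($hash[$offset + 2] -shl 8) -bor
           $hash[$offset + 3]
    return ($bin % 1000000).ToString('D6')
}

# Both factors are always evaluated, so the response does not reveal which one
# failed. One step of clock skew either side is tolerated for the TOTP.
function Test-MfaLogin {
    param($User, [string]$Password, [string]$Code, [long]$Now)
    $pwOk = (Get-PasswordHash -Password $Password -Salt $User.Salt) -eq $User.PasswordHash
    $totpOk = $false
    if ($Code) {
        foreach ($skew in -1, 0, 1) {
            if ((Get-Totp -Secret $User.TotpSecret -UnixTime ($Now + 30 * $skew)) -eq $Code) { $totpOk = $true }
        }
    }
    [pscustomobject]@{ PasswordOk = $pwOk; TotpOk = $totpOk; Authenticated = ($pwOk -and $totpOk) }
}

# Constructed enrollment record: fixed salt for reproducibility, and the
# RFC 6238 reference secret (ASCII "12345678901234567890") as the TOTP seed.
$salt   = [byte[]](1..16)
$secret = [System.Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$user = [pscustomobject]@{
    Name         = 'alice'
    Salt         = $salt
    PasswordHash = Get-PasswordHash -Password 'correct horse' -Salt $salt
    TotpSecret   = $secret
}
$now = 59   # constructed timestamp (seconds since the Unix epoch)

# Legitimate user: knows the password and holds the authenticator.
Test-MfaLogin -User $user -Password 'correct horse' -Code (Get-Totp -Secret $secret -UnixTime $now) -Now $now
# Attacker with the breached password only: no second factor, not authenticated.
Test-MfaLogin -User $user -Password 'correct horse' -Code $null -Now $now
# Attacker guessing a code without the secret: still not authenticated.
Test-MfaLogin -User $user -Password 'correct horse' -Code '000000' -Now $now
```

In production the TOTP secret would be stored encrypted and the verifier would also reject a code that has already been accepted in the current step, which prevents an attacker who shoulder-surfs or phishes one code from replaying it.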
