FINAL
wo different organizations are merging and throughout the acquisition process, all data on the virtualized file server must be shared by the respective departments of both the organizations. These organizations consider data ownership to determine which of the following?
Which user will have access to which data
Ed, Barb, and Sophia are cybersecurity analysts in an XYZ company. The company is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. For conducting the cybersecurity exercise, participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb's team is responsible for securing the systems in the exercise environment and defending the systems against attacks. Sofia's team is conducting offensive operations and attempting to break into the systems protected by Barb's team. Which of the following terms best describes the role that Ed's team is playing in the exercise?
White team
Alex works as an application developer in an organization. He wants to prohibit software that is not expressly allowed by his organization's desktop management team from being installed on workstations. Which type of tool should Alex use to accomplish his task in the given scenario?
Whitelisting
Bob's manager has asked him to ensure that a compromised system has purged of the compromise. What is Bob's best course of action to ensure this?
Wipe and rebuild the compromised system.
Alice works as a security analyst in an organization. During her data acquisition process, she wants to copy a drive without modifying it even accidentally by the copying process. Which type of device should she use to ensure that this modification does not happen?
Write blocker
A vulnerability is discovered in an application. Before a patch is available, this vulnerability is used to gain access to sensitive data. What type of vulneraWhich of the following is not a purging activity? ability is being described in the given scenario?
Zero-day
Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds out that the imaging process is very slow. Which of the following flags should he adjust first to resolve the issue in the given scenario?
bs
Greg works as a cybersecurity analyst in an organization. He recently conducted an assessment of his organization's security controls and discovered a potential control gap that the organization does not use full-disk encryption on laptops. Which type of control gap exists in this scenario?
Preventive
Shelly works as a risk analyst in an organization. She is writing a document that describes the steps that incident response teams will follow on the basis of the first notice of a potential incident. Which type of document is she creating in the given scenario?
Procedure
Karen works as a security analyst in an organization. She is responding to a security incident that resulted from an intruder stealing files from a government agency. These files contained unencrypted information about protected critical infrastructure. In which of the following category, can Karen rate the information impact of this loss from intruder stealing?
Proprietary breach
Which of the following Open Web Application Security Project (OWASP) best practices is satisfied using TLS to protect application traffic?
Protect data
Which of the following activities applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques?
Purge
Asa works as a customer executive in an organization. She believes that her organization is using data, which was collected from customers for technical support, for commercial and marketing purposes without the customer's permission. Which principle is most likely being violated in the given scenario?
Purpose limitation
Harry is a security analyst for the ABC project. He is working with his project team to prioritize identified risks within the ABC project. He and his team are prioritizing risks for further analysis or action by assessing and combining the probability of the occurrence and impact of the risk by substituting subjective judgment for objective data. Which of the following is Harry performing in the given scenario?
Qualitative risk assessment
Taylor is reviewing the results of a security assessment and evaluating potential risk treatment strategies. To prioritize response actions, she uses cost-based metrics to identify the exposure factor of the weakness identified. Which of the following is she performing to review the results in the given scenario?
Quantitative risk assessment
In which format does the dd utility is used to clone drives?
RAW
Which of the following flaw types is an application that needs to take action on an object that may be sensitive to what is occurring or has occurred to that object?
Race condition
Rena works as an employee in a company. She is facing an issue that her system's screen becomes blank with a message requesting payment or else her hard drive will be formatted. Which of the following types of malware is on Rena's system?
Ransomware
Ed, Barb, and Sophia are cybersecurity analysts in the Golden Dome enterprise. The enterprise is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. For conducting the cybersecurity exercise, participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb's team is responsible for securing systems in the exercise environment and defending systems against attacks. Sofia's team is conducting offensive operations and attempting to break into systems protected by Barb's team. Which of the following terms best describes the role that Sofia's team playing in the exercise?
Red team
Curt is conducting a forensic analysis of a Windows system and needs to determine whether a program was set to run automatically. Which of the following locations should he check to determine the program setting given in the scenario?
Registry
A user is responding to a security incident and determines that an attacker is using the Internet on systems on the user's network to attack a third party. Which of the following containment approaches will prevent the user's system from being used by the attacker in the given scenario?
Removal
After observing an attacker on the wireless connection of a system, a user decides to detach the Internet connection entirely, leaving the system running but inaccessible from outside the quarantine VLAN. Which strategy is the user pursuing to accomplish his goals in the given scenario?
Removal
Jamie works as a security worker in an organization. After a major compromise in an organization, he needs to conduct a forensic examination of the compromised systems. Which containment method should Jamie use to ensure that he can fully investigate systems that were involved while minimizing the risk to his organization's other production systems?
Removal
Jen works as a Windows server administrator in an organization. She identified a missing patch on a Windows server that might allow an attacker to gain remote control of her system. After consulting with her manager, Jen applied the patch on the Windows server where the patch was missing. From a risk management perspective, what has she done by applying a patch in the given scenario?
Removed the vulnerability
Kathleen works as a project manager in an organization. She wants to build a public API for modern service-oriented architecture. Which of the following models is likely Kathleen's best choice to build this architect in the given scenario?
Representational State Transfer (REST)
Which of the following is not a purging activity?
Resetting a device to a factory state
Which of the following is a process of discovering the technological principles of a device, an object, or a system through analysis of its structure, function, and operation?
Reverse engineering
Which of the following actions is not a common activity during the recovery phase of an incident response process?
Reviewing accounts and adding new privileges
Grace works as a risk analyst in an organization. She recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. After considering a variety of approaches, including the expensive insurance policy for securing data, she decided not to take any additional action. Which of the following risk management strategies is being used by Grace in the given scenario?
Risk acceptance
James during a code review notices a security risk that may result in hundreds of hours of rework. The security team has classified these issues as low risks. So, the management has decided that the code will not be rewritten. The given scenario is an example of which of the following risk response techniques?
Risk acceptance
Rio is a risk manager for a large-scale company. The company recently evaluated the risks of mudslides in the Texas's region for the company's project. Due to these risks, the company determined that the cost of responding to risks is greater than the benefits of any controls, which the company could implement. So, as a risk manager, Rio chose not to take any action at this time. What risk strategy did Rio pursue in the given scenario?
Risk acceptance
A company is considering services it can successfully provide to its customers. One of the services, however, is deemed to be difficult to offer with a high Risk transferencedegree of certainty of success. The organization has decided not to offer the service because of the risk in offering the service and failing. What risk management technique is used in this scenario?
Risk avoidance
A company named HAL Systems recently decided to stop offering public NTP services because of a fear that its NTP servers would amplify distributed denial-of-service (DDoS) attacks. Which type of risk management strategy did this company pursue with its NTP services?
Risk avoidance
Sasha, the project manager of a computer networking project, is monitoring the performance of her project. She decides to change the project plan to eliminate risks to protect the objectives of the project. Which of the following strategies is she using for tackling the risk in the given scenario?
Risk avoidance
Jack works as a risk administrator for a company. He is concerned about the risk of phones which is introducing security risks to the network. However, many employees need these devices for their work. So, he decides to allow phones only if they meet specific security criteria. Which risk response technique is best for him to implement?
Risk mitigation
Sasha recently implemented an intrusion prevention system, which is designed to block common network attacks from affecting her organization. Which type of risk management strategy is she pursuing on the system in the given scenario?
Risk mitigation
In dealing with risks, which response is accomplished when an organization purchases insurance to protect the income when a disaster or threat is realized?
Risk transfer
After conducting a qualitative risk assessment of her organization, Sia recommends purchasing a cybersecurity breach insurance policy. What type of risk response behavior is she recommending to her organization in the given scenario?
Risk transference
Ria works as a cybersecurity analyst in an organization. She recently completed a risk assessment of her organization's exposure to data breaches and determined that there is a high level of risk related to the loss of sensitive personal information. After installing the web application firewall, she was worried about risks that are not addressed by the firewall and considered purchasing an insurance policy to cover those risks. Which of the following risk management strategies is being used by Ria to control the risk in the given scenario?
Risk transference
Which of the following is unauthorized equipment that is attached to a network or assets which create a side channel for an attack?
Rogue hardware
Which of the following pieces of information is most critical to conduct a solid incident recovery effort?
Root cause of an attack
Monica, a security administrator, wants to use a tool that will aggregate log and event data from the virtual and real networks, applications, and systems and also provides real-time reporting and alerting on information or events that may require intervention or other types of response. Which tool should she use in the given scenario?
SIEM
Kieran is evaluating forensic tools and would like to consider the use of an open source forensic suite. Which of the following toolkits would best meet his needs?
SIFT
Sofia works as a security analyst in an organization. She suspects that a system in her datacenter may be sending beaconing traffic to a remote system. Which of the following is not a useful tool to verify Sofia's suspicions about sending traffic in a given scenario?
SNMP
Alex has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is a common method of monitoring network bandwidth usage? Each correct answer represents a complete solution. Choose all that apply.
SNMP Packet sniffing Flow
What are SNMP alert messages called?
SNMP traps
Which NIST publication contains guidance on cybersecurity incident handling?
SP 800-61
A U.S. company stores data in an EU datacenter and finds that it is now subject to the requirements of GDPR. This is an example of __________.
data sovereignty
Sam works as a cybersecurity analyst for a company. He wants to make a full copy of an image for forensics use. Which of the following command utilities would he use to achieve the given task?
dd
Which of the following Linux commands will show a user how much disk space is in use?
df
Which of the following commands is not useful for monitoring memory usage in Linux?
df
Which of the following tools may be used to isolate attackers so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
Sandbox
Which of the following is an act of permanently removing all the data from a storage device?
Sanitization
Which law requires publicly traded companies to have proper internal control structures in place to validate that their financial statements accurately reflect their financial results?
Sarbanes-Oxley
Which law governs the financial records of publicly traded companies?
Sarbanes-Oxley Act
Which of the following activities does CompTIA classify as part of the recovery validation effort?
Scanning
Alex works for an organization that classifies security-related events using the National Institute of Standards and Technology's (NIST's) standard definitions. Which classification should Alex use when he discovers keylogging software on one of his executive's laptops?
Security incident
Alice works as a cybersecurity analyst in an organization. She is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places the system on a quarantine VLAN with limited access to other networked systems. Which containment strategy is Alice pursuing in the given scenario?
Segmentation
As part of her post-incident recovery process, Alicia created a separate virtual network, as shown in the figure, to contain compromised systems she needs to investigate. Which containment technique is Alicia using in the given scenario?
Segmentation
As part of his incident response program, Allan is designing a playcourse for zero-day threats. Which of the following should be in his plan to handle these threats? Each correct answer represents a complete solution. Choose all that apply.
Segmentation Using threat intelligence Whitelisting
Jordan is a network administrator who wants to specify which systems can send email messages through his company's mail servers. Which of the following will help him in accomplishing the given task?
Sender Policy Framework (SPF)
Susan is building an incident response program and intends to implement the National Institute of Standards and Technology's (NIST's) recommended actions to improve the effectiveness of incident analysis. Which of the following actions is not a NIST's recommended incident analysis improvement?
Set system BIOS clocks regularly.
Lisa is following the CompTIA process for validation after a compromise. Which of the following activities should be included in the validation phase?
Setting permissions
Which of the following is not a common use of formal incident reports?
Sharing with other organizations
During a forensic investigation, Shelly is told to look for information in the slack space on a drive. Where should she look and what is she likely to find?
She should look at the unused space left when a file is written and find file fragments from deleted files.
File carving is used to find file remnants found in clusters on disks that have been only partially rewritten by new files. Which of the following is the technical term for the location of these files in the given scenario?
Slack
Susan works as a senior software developer in an organization. Her team has been writing code for a major project for a year and recently released its third version of this code. During a post-implementation regression test, an issue that was originally seen in version 1 reappeared. Which of the following should Susan implement to avoid this issue in the future?
Source control management
Sia needs to deploy a solution that allows her to consolidate the logs for easier analysis. Which tool should she use?
Splunk
Allan works as a cybersecurity analyst in an organization. He is writing a document that lists acceptable mechanisms for securely obtaining remote administrative access to servers in his organization. Which of the following types of documents is Allan writing?
Standard
A company wants to implement security during the software development lifecycle (SDLC) process. To achieve this task, the company wants to employ a method that detects weaknesses in an application before execution. Which code analysis method provides the feature mentioned in the given scenario?
Static
The Open Web Application Security Project (OWASP) maintains an application called Orizon. This application reviews Java classes and identifies potential security flaws. What type of tool describes the referred application?
Static code analyzer
During a testing process, Tiffany, a network administrator, slowly increases the number of connections to an application until it fails. Which of the following testing processes is Tiffany performing?
Stress
Jennifer's team has completed the initial phases of their incident response process and is assessing the time required to recover from an incident. The team has determined that they can predict the time to recovery but will require additional resources. This determination represents which of the following NIST recoverability effort categories?
Supplemented
Sam needs to deploy a tool that includes resources and utilities to manage, diagnose, troubleshoot, and monitor a Microsoft Windows environment. Which tool should Sam use?
Sysinternals
A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and the production is affected. Which of the following sources would the technician use to evaluate which services were disabled?
Syslog
Which of the following issues makes both the cloud and virtualized environments more difficult to perform forensics?
Systems may be ephemeral.
A user wants to detect a denial-of-service attack against his web server. Which of the following tools should the user avoid?
iPerf
Lauren works as a security officer for an organization. From a security point of view, she wants to ensure that devices, systems, or spaces are not accessed while she is not available in the office. Which of the following should Lauren use to achieve the task in the given scenario?
Tamper-proof seal
Susan, a network administrator in an organization, needs to capture network traffic from a Linux server that does not use a graphical user interface (GUI). She decided to use a utility that is found on many Linux systems and works from the command line. Which of the following packet capture utilities can Susan use in the given scenario?
Tcpdump
Rose, a security administrator, implements screen savers that lock the PC after five minutes of inactivity to prevent unauthorized access to the PC. Which of the following controls is being used to achieve the given implementation?
Technical
Rosy wants to implement a security control to monitor and prevent threats and attacks to computer systems and services. Which of the following security controls should she implement to accomplish the given task?
Technical
Tina, a network administrator in an organization, is creating a set of firewall rules designed to block denial-of-service attacks from entering her organization's network. Which type of control is Tina creating in the given scenario?
Technical
During which phase of the software development life cycle (SDLC) model does UAT occur?
Testing and integration
Mike works as a security analyst in an organization. While reviewing a Wireshark traffic capture, he discovers the following information. Figure A: Snapshot of a Wireshark traffic capture Which of the following details did Mike get to know about a user's device based on this TCP stream in the given scenario?
The device is a Samsung SM-N950U.
Susan works as a network administrator in an organization. While observing a router via network flows, she sees a sudden drop in network traffic levels to zero and the traffic chart shows a flat line. What has likely happened in the given scenario?
The monitored link failed.
Brian works in an XYZ organization. His network suddenly stops working at 8:40 AM, interrupting video conferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his Paessler Router Traffic Grapher (PRTG) console and checks his router's traffic via the primary connection's redundant network link, he sees the following graph. What should Brian presume occurred based on the given information shown in figure A?
The primary link went down and he should check the secondary link for traffic.
Which of the following would not normally be found in an organization's information security policy?
The requirement to use Advanced Encryption Standard-256 encryption
Which of the following statements are true of proper compensating controls? Each correct answer represents a complete solution. Choose all that apply.
They must meet the intent and rigor of the original requirement. They must provide a similar level of defense as the original requirement. They must be "above and beyond" other PCI DSS procedures.
Jason, a data analyst of an XYZ company, has to provide crucial details of their customers to his manager via an email message. Accidentally, he sent this email to one of their business partners, adversely impacting the confidentiality and integrity of the information of XYZ's sensitive information. Which of the following defines the situation mentioned in the given scenario?
Threats
In which tier of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, risk management practices are approved by management but may not be established as an organization-wide policy?
Tier 2
Dylan is an IT consultant brought in to assess the maturity of risk management practices at an organization using the National Institute for Standards and Technology (NIST) cybersecurity framework. During his evaluation, he determines that the organization does use an organization-wide approach to manage cybersecurity risk but that it does not use risk informed policies, processes, and procedures to address potential cybersecurity events. In which tier of the NIST cybersecurity framework does this organization's risk management approach reside?
Tier 3: Repeatable
Rob works as a cybersecurity analyst in an organization. While studying his organization's risk management process under the NIST Cybersecurity Framework, he determines that his organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Which of the following tiers his organization positioned to meet cybersecurity objectives in the given scenario?
Tier 4
Jeff works as a forensic analyst. He investigates a compromised system and knows that the first event was reported on October 5th. He needs to map other events found in logs and files to this date. Which forensic tool capability should he use to accomplish his task in the given scenario?
Timeline
Forensic suites typically build in ___________ that can match log entries to other forensic information, but specialized logs may require additional tools.
log viewers
Which of the following data protection techniques is reversible when conducted properly?
Tokenization
Which of the following obfuscation methods replaces sensitive values with a unique identifier using a lookup table?
Tokenization
Which of the following U.S. government classification levels requires the highest degree of security control?
Top Secret
You have been hired as a security consultant for an organization that does contract work for the U.S. Department of Defense (DoD). You must ensure that all data that is part of the contract work is categorized appropriately. What is the highest degree of data protection category you can use in the given scenario?
Top Secret
Rex, a security administrator, wants to identify irregular or unexpected behavior in network traffic communication patterns. Which of the following security analysis techniques should he perform?
Traffic analysis
Charles works as a network analyst in an organization. He is reviewing flow logs for his organization and notices that traffic witnessed a 20 percent increase on the second Thursday of each month after which the traffic returns to normal. Which type of analysis is Charles conducting in the given scenario?
Trend
James, a security analyst in an organization, wants to monitor a Linux system's filesystem for unauthorized changes. Which open source tool can he use to perform this task in the given scenario?
Tripwire
Which of the following is a chip built into a system to secure hardware through integrated cryptographic keys?
Trusted Platform Module
Which of the following processes checks to ensure that the functionality of an application or software meets customer needs?
UAT
Which of the following test types involves an evaluation of an application by end users?
UAT
Alaina works as a network administrator in an organization. She wants to deploy a tool that can monitor the behavior of users and can detect anomalous behavior to determine if a security incident has occurred. Which type of tool should Aliana acquire for monitoring in the given scenario?
UEBA
Which technology takes user behavior into account when making security determinations?
UEBA
Which of the following is not a potential issue with live imaging of a system?
Unallocated space will be captured.
Which of the following issues is the fuzz testing methodology most likely to detect?
Unvalidated inputs
Mika wants to analyze the contents of a drive without causing any changes to the drive. Which method is best suited to ensure this?
Use a write blocker.
Which of the following options is not a valid way to check the status of a service in Windows?
Use service --status at the command line.
If SLE of a specific risk is $25,000 and ARO occurs once every four years, then what will be its ALE?
$6,250
Which of the following grep flags only shows lines that do not contain any regular expression?
-v
Elaine works as an application developer in an organization. She wants to check for user logins on her organization's Linux system. Which of the following log location should she check first in the system to achieve her task?
/var/log/auth.log
Aziz works as a website administrator in an organization. He is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He is assessing the risk of an SQL injection attack against the database where the attacker would steal all of the customer personally identifiable information (PII) from the database. After consulting threat intelligence, he believes that there is a 5 percent chance of a successful attack in any given year. According to the given scenario, what is ARO?
0.05
Harry works as a website administrator for a firm. He is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 in fines against his firm. According to the given scenario, what is the exposure factor (EF)?
100 percent
Jim is considering locating a new business in the downtown area of Miami, Florida. He consults the FEMA flood plain map for the region and determines that the area he is considering suffers from flood plain twice a year. What is the ARO of a flood in this area?
2.0
Which ISO standard applies to information security management controls?
27001
Which of the following International Organization of Standardization (ISO) standards mandates requirements that define how to implement, monitor, maintain, and continually improve an information security management system?
27001
Joy works as a website administrator in a firm. He is responsible for the administration of an e-commerce website that generates $100,000 per day in revenue for his firm. The website uses a database that contains sensitive information about the firm's customers. He expects that a compromise of that database would result in $500,000 in fines against his firm. According to the given scenario, what is the AV?
500,000
Sia works as a website administrator in an organization. She is responsible for the administration of an e-commerce website that generates $300,000 per day in revenue for the organization. The website uses a database that contains sensitive information about the organization's customers. She expects that a compromise of that database would result in $700,000 in fines against the organization. According to the given scenario, what is the SLE?
700,000
During a forensic investigation, Shawn discovers that he needs to recover encrypted data from live memory. If he is having the encryption key, he needs a tool to recover data. Which of the following tools is being referred to in the given scenario?
Volatility
Jennifer works as a forensics analyst. She wants to perform memory analysis and forensics for Windows, macOS, and Linux systems. Which of the following is best suited to Jennifer to accomplish her task in the given scenario?
Volatility Framework
Which tool is not used to generate the hash of a forensic copy?
AES
Which of the following options represents the ALE calculation?
ALE = SLE * ARO
Which policy should contain provisions for removing user access upon termination?
Account management
Which form of monitoring involves the injection of packets into communications to measure the performance of various elements in a network?
Active
In the National Institute of Standards and Technology (NIST) Cybersecurity Framework tiers, which of the following framework implementation tiers is labeled Tier 4?
Adaptive
What is the purpose of creating an MD5 hash for a drive during the forensic imaging process?
All of these
Which of the following is the major component of reports?
All of these
Tim works in the forensic department of an organization. During a forensic investigation, Tim discovers a program called Eraser installed on an employee's system. What should Tim expect to find as part of his investigation in the given scenario?
Antiforensic activities
Which forensic issue does the presence of a program like CCleaner indicate?
Antiforensic activities
Renee works as a security analyst in a company. She is responding to a security incident that resulted in the unavailability of a website critical to her company's operations. She is unsure of the amount of time and effort that it will take to recover the website. How should Renee classify the recoverability effort in the given scenario?
As extended
Joseph works in the security analysis team at XYZ Inc. He was reviewing a business document and identifies the cost linked to major business interruption, such as expected loss of earnings, potential fines, and potential consequences to customer service. Which of the following documents is Joseph reviewing in the given scenario?
BIA
Ryan's organization allows employees to bring personally owned devices and connect them to the organization's network. Which approach is Ryan's organization using?
BYOD
Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a means of identifying malware beaconing behavior for building scripts on a network?
Beacon protocol
Avika works as a network administrator in an organization. She has been asked to identify unexpected traffic on her organization's network. Which of the following is not a technique that she should use to accomplish her task in the given scenario?
Beaconing
Which of the following is an activity sent to a command and control (C&C) system as part of a botnet or a malware remote control system?
Beaconing
Which of the following terms describes a system sending heartbeat traffic to a botnet command and a control server?
Beaconing
Sayed works as a data analyst in an organization. He manages Windows workstations and is planning to prohibit a variety of files, including games, from being installed on these workstations. Which of the following tools or applications can allow Sayed to achieve his task in the given scenario?
Blacklisting
Which of the following teams is a defender who secures systems and networks from attacks?
Blue
Ed, Barb, and Sophia are cybersecurity analysts in an ABC company. The company is conducting a cybersecurity exercise designed to test the effectiveness of its security controls. For conducting the cybersecurity exercise, participants have been divided into different teams to perform different functions. The team led by Ed is responsible for facilitating the exercise and arbitrating rules disputes. Barb's team is responsible for securing the systems in the exercise environment and defending systems against attacks. Sofia's team is conducting offensive operations and attempting to break into the systems protected by Barb's team. Which of the following terms best describes the role that Barb's team is playing in the exercise?
Blue team
Which of the following is an example of an attrition attack?
Brute-force password attack
Which type of attack is typically associated with the strcpy function?
Buffer overflow
Carla is performing a penetration test of a web application and wants to use a software package that allows her to modify requests being sent from her system to a remote web server. Which of the following tools would meet Carla's needs? Each correct answer represents a complete solution. Choose all that apply.
Burp ZAP Tamper Data
Matt works as a security analyst in an organization. He is building a device and wants to prevent attackers from capturing data by directly connecting to the hardware communications components of the device. Which technique should Matt use to make sure that communications between the processor and other chips are not vulnerable?
Bus encryption
Jim works as a cybersecurity analyst in an organization. He notices a high number of SQL injection attacks against a web application run by his organization and installs a web application firewall to block many of these attacks before they reach the web server. How has Jim altered the severity of the risk of these attacks reaching the server in the given scenario?
By reducing the probability
Which of the following ESA frameworks was created by ISACA and provides a structure for IT management and governance?
COBIT
Susan has been asked to capture forensic data from a Windows PC and needs to ensure that she captures this data in their order of volatility. Which order is correct from most volatile to least volatile?
CPU cache > network traffic > disk drives > optical media
Which of the following terms is a fun way to achieve training objectives?
Capture the flag
Juan works in an investigation department. He gathers the evidence that can be used in court to convict persons of crimes. Which of the following is used to address the reliability and credibility of the evidence?
Chain of custody
Robert is finishing a draft of a proposed incident response policy for his organization by signing the policy. Which of the following is the appropriate role of Robert to accomplish his task in the given scenario?
Chief executive officer
Which of the following properly lists sanitization descriptions from least to most effective activities for media sanitization?
Clear > purge > destroy
Which type of security policy often serves as a backstop for issues not addressed in policies?
Code of conduct
After completing an incident response process and providing a final report to management, which step should Casey use to identify improvements in her incident response process?
Conduct a lessons-learned review.
Which of the following functions is not one of the five core security functions defined by the NIST Cybersecurity Framework?
Contain
The following figure signifies the concepts of virtualization vs. containerization: Figure A: Virtualization vs. containerization What is represented by the two question marks in the given figure?
Container engine and operating system
Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which of the following activities should be Tamara's first priority?
Containment
During an incident response process, Susan heads to a compromised system and pulls its network cable. Which phase of the incident response process is Susan performing?
Containment, eradication, and recovery
During an incident response process, Susan plugs a system back into the network, allowing the system to normally access the network. Which phase of the incident response process is she performing in the given scenario?
Containment, eradication, and recovery
Which of the following phases of incident response involves active undertakings designed to minimize the damage that an attacker might cause?
Containment, eradication, and recovery
Which of the following phases of the incident response process would include measures designed to limit the damage caused by an ongoing breach?
Containment, eradication, and recovery
Every time Susan checks code into her organization's code repository, it is tested, validated, then if accepted it is immediately put into production. In which of the following methodologies is Susan operating?
Continuous delivery
Which element of the Control Objectives for Information and Related Technology (COBIT) framework contains the high-level requirements that an organization should implement to manage its information technology functions?
Control objectives
Which of the following statements is not true about compensating controls under PCI DSS?
Controls used to fulfill PCI DSS requirement that may be used to compensate for the absence of control needed to meet another requirement.
Which two files may contain encryption keys normally stored only in memory on a Windows system?
Core dumps and hibernation files
Which of the following is not an objective of the NIST Cybersecurity Framework?
Create specific technology requirements for an organization.
What is a function of the dd command in Linux?
Creating an image of a boot disk for duplication
Which of the following items is not typically found in corporate forensic kits?
Crime scene tape
An evidence investigation for a physical incident is going on an organization's premises. Which tool should be used by an organization's investigation team to isolate that premises while the investigation is underway?
Crime tape
NIST SP 800-61 identifies six outside parties with which an incident response team generally communicates. Which of the following represents those parties? Each correct answer represents a complete solution. Choose all that apply.
Customers, constituents, and media Internet service providers Law enforcement agencies
Betty works as a security administrator at XYZ Inc. Her network is being flooded by ICMP packets. She observes that these packets came from multiple different IP addresses. Which type of attack can be the result of such a situation?
DDoS
Ben wants guidance on grouping information into varying levels of sensitivity. He plans to use these groupings to assist with decisions related to the security controls that an organization will apply to storage devices containing that information. Which of the following policies is most likely to have relevant information for Ben's decision-making process?
Data classification
Tim works as a security analyst in an organization. He is assigned to add third-party threat data feeds to his organization's SIEM. Once his work is completed, he will spend time reviewing syslog data feeds to ensure that he contains the information that is needed for responses. Which of the following processes the analyst is performing in the given scenario?
Data enrichment
Mike's company recently suffered a security incident where they lost control of thousands of personal customer records. Many of these records were from projects that ended long ago and served no business purpose. Which type of policy, if followed, would have best limited the impact of the security incident in the given scenario?
Data retention
Which of the following policies would typically answer questions about when an organization should destroy records?
Data retention
Your organization enforces new data privacy laws, such as general data protection regulation (GDPR), which significantly restricts that information should be converted and stored in binary digital form. Which of the following concepts does this law encompass?
Data sovereignty
You work as a security assistant at XYZ company and asked to analyze malware dynamically on the company's web site. Which of the following tools will you use to achieve the given task?
Debugger
As part of his forensic investigation, Scott intends to make a forensic image of a network share that is mounted by the PC. What information will he be unable to capture during his investigation in the given scenario?
Deleted files
Jordan works as a network analyst in a company. His company follows the systems development life cycle (SDLC). He works with a network systems team on various features, wiring diagrams, and the layout of a new network to support the expansion of the headquarters building. Which phase of the SDLC is Jordan working on in the given scenario?
Design
Joe works as a cybersecurity analyst. He would like to determine the appropriate disposition of a flash drive, which is used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner who is an outside contractor. Which is the appropriate disposition option Joe considered to use for performing the task in the given scenario?
Destroy
Which of the following is not an objective of the containment, eradication, and recovery phase of the incident response process?
Detect an incident in progress.
In which of the incident response process phase, does a CSIRT leader analyzes precursors and indicators?
Detection and analysis
Matt's incident response team has collected log information and is working on identifying attackers using that information. Which two stages of the NIST incident response process is his team working on in the given scenario? Each correct answer represents a complete solution. Choose two.
Detection and analysis Containment, eradication, and recovery
If users are performing forensic investigations on cloud services, it will be very challenging for them to preserve data. Which of the following tasks will users perform to overcome these challenges in the given scenario? Each correct answer represents a complete solution. Choose all that apply.
Determine what users' contract says about investigations. Determine what legal recourse users have with a vendor. Identify data that users needs and whether it is available via methods, which they or their organization controls.
Which of the following control types are designed to discourage an attacker?
Deterrent
Which of the following tools is used to convert machine language into assembly language?
Disassembler
Which of the following security activities is not normally a component of the operations and maintenance phase of the software development life cycle (SDLC)?
Disposition
During the analysis of a malware sample, John reviews malware files and binaries by executing them. Which type of analysis process did John perform in the given scenario?
Dynamic
Which incident response activity focuses on removing any artifacts of an incident that may remain on an organization's network?
Eradication
Mike, a forensic analyst, is looking for information about files that were changed on a Windows endpoint system. Which of the following is least likely to contain useful information for his investigation in the given scenario?
Event log
After reaching the office, Ron found a subpoena on his desk ordering him to appear in a law court. Which type of procedure should he use to determine appropriate next steps including the people he should consult and the technical process he should follow regarding the subpoena?
Evidence production
Jim is concerned to comply with the U.S. federal act covering student educational records. Jim is attempting to comply with which of the following acts in the given scenario?
FERPA
Joe, an investigator, wants to scan a hard drive to view the deleted communication. Which of the following tools should Joe use to accomplish the given task?
FTK
Which of the following approaches is an example of a formal code review process?
Fagan inspection
Juan, a security technician, is reviewing IDS log files. He investigated and found that many alerts for multicast packets from switches on a network were reported. After investigation, he discovers that this is a normal activity for the network. Which of the following best describes the result of his investigation?
False positive
Which type of testing focuses on inserting errors into the error handling process and path in an application?
Fault injection
Which of the following is the process of extracting data from a computer when that data has no associated file system metadata?
File carving
Your organization needs to install a device that will act as a filter and permits or denies data traffic, both incoming and outgoing, using a set of rules based on traffic content and traffic pattern. Which type of device security will help in accomplishing the task in the given scenario?
Firewall
Which of the following is an example of a logical control?
Firewall rule
Which type of network information should users capture to provide a report about how much traffic systems in their network are sent to remote systems?
Flow data
You've been asked to implement a policy that defines how retired hard drives are sanitized securely. Which of the following would be the least acceptable?
Format hard drives.
Which of the following is an example of a computer security incident?
Former employee crashes a server
Patricia is evaluating the security of an application developed within her organization. She would like to assess the application's security by supplying it with invalid inputs. Which technique is Patricia planning to use in the given scenario?
Fuzz testing
A cross-site scripting attack is an example of which type of threat vector?
Web
Chelsea recently accepted a new position as a cybersecurity analyst for a privately held bank and asked to design a cybersecurity program. Which of the following regulations will have the greatest impact on her cybersecurity program?
GLBA
Which of the following regulations imposes compliance obligations specifically upon financial institutions?
GLBA
A user is authoring a document that explains to system administrators that one way to comply with an organization's requirement is to encrypt all laptops. Which type of document is the user authoring?
Guideline
Which of the following security policy framework components does not contain mandatory instructions for individuals in the organization?
Guideline
Suzanne is the chief information security officer (CISO) at a major non-profit hospital group and is given the responsibility to handle medical records. Which of the following regulations most directly covers the way she uses to handle these medical records?
HIPAA
Which law creates cybersecurity obligations for healthcare providers and others in the health industry?
HIPAA
Kevin is an internal auditor at a major retailer and would like to ensure that the information contained in audit logs is not changed after it is created. Which one of the following would best meet his goal?
Hashing
Which of the following techniques uses a one-way cryptographic function to create a digest of original data?
Hashing
You work as a network administrator for a company. Your company asks you to analyze the traffic of layer 7 of the OSI model between a web client and a web server. Which of the following will you use to accomplish the given task?
Web application firewall
Charles is building an incident response playcourse for his organization that will address command and control (C&C) client-server traffic detection and response. Which of the following information sources is least likely to be part of his playcourse?
Honeypot's data
While reviewing the monthly Internet usage, Ann, a security analyst, noticed that there is a large spike in traffic classified as "unknown" and does not appear to be within the bounds of an organization's acceptable use policy (AUP). Which of the following tools or technologies will work best for her to obtain more information on this traffic?
IDS logs
Roger is the chief information officer (CIO) for a midsize manufacturing firm. He recently returned from a meeting of the board of directors where he had an in-depth discussion about cybersecurity. One member of the board who is familiar with the International Organization for Standardization (ISO) standards in manufacturing quality control, asked if there was an ISO standard covering cybersecurity. Which standard is most relevant to the director's concern in the given scenario?
ISO 27001
Paul is researching models for providing guidance on best practices in the industry for implementing an information technology help desk. Which of the following standard frameworks should Paul use for this implementation?
ITIL
Rex works as a cybersecurity analyst in an organization. He has been asked to improve the delivery of IT services. Management requests him to follow the guidelines outlined in available frameworks. Which framework would Rex most likely use?
ITIL
Which of the following is not typically found in a cybersecurity incident report?
Identification of an attacker performing an attack
What strategy does the National Institute of Standards and Technology (NIST) suggest about identifying attackers during an incident response process?
Identifying attackers is not an important part of the incident response process
Roland received a security assessment report from a third-party assessor, which indicated that one of the organization's web applications is susceptible to the OAuth redirect attack vulnerability. Which type of attack would this vulnerability allow an attacker to wage?
Impersonation
Your organization is merged with another organization in legal jurisdiction and wants to improve its network security posture in ways that do not require additional resources to implement data isolation. Which of the following would be the best solution for improving the organization's network security?
Implementing network segmentation
Which of the following activities is not normally conducted during the recovery validation phase?
Implementing new firewall rules
As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via an awareness program?
Improper usage
Kathleen works as a data analyst in an organization. She needs to find data contained in memory but only has an image of an offline Windows system. Where does she have the best chance of recovering data she needs in the given scenario?
In %SystemRoot%\MEMORY.DMP
Alex, a technician in an organization, is conducting a forensic examination of a Windows system and wants to determine if an application was installed. Where can he find the Windows installer log files for a user named Jim?
In C:\Windows\Jim\AppData\Local\Temp
During an investigation, Jeff, a certified forensic examiner, is provided with a drive image created by an IT staff member and is asked to add it to his forensic case. If the case goes to court and Jeff's procedures are questioned, he can encounter an issue. Which of the following is the most important issue that Jeff can encounter?
Inability to certify the chain of custody
Who is the best facilitator for a post-incident lessons learned session?
Independent facilitator
Which of the following control models describes the five core activities associated with ITSM as service strategy, service design, service transition, service operation, and continual service improvement?
Information Technology Infrastructure Library (ITIL)
You suspect that few employees in your organization are sending confidential data outside of the organization via an email message, posing a threat to the organization. As a security administrator, which of the following will you implement to mitigate such threats?
Install a network-based DLP.
Alice works as a cybersecurity analyst in an organization. While monitoring, she confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems to cut off an attack. Which strategy is Alice pursuing in the given scenario?
Isolation
Which of the following are characteristics of an information systems security audit? Each correct answer represents a complete solution. Choose all that apply
It is conducted on behalf of a third party. It results in a formal statement. It is conducted by internal groups.
Cheryl, a security analyst, has decided to use Wireshark for capturing and analyzing network data in a GUI. What advantages of Wireshark must be the reasons behind Cheryl's decision? Each correct answer represents a complete solution. Choose all that apply.
It provides detailed information about packets within a network. It is available for multiple platforms, such as Windows and Android.
Frederick works as an assistant manager in an organization. His organization has been informed that data must be preserved due to pending legal actions. What is this process of preserving data called?
Legal hold
Which of the following forensic tool capabilities preserves all forms of potentially relevant information when litigation is pending or reasonably anticipated?
Legal hold
Mark works as an incident team lead at XYZ Inc. Following the successful response to a data-leakage incident, he facilitates an exercise that focuses on continuous improvement of the organization's incident response capabilities. Which of the following he has facilitated in the given scenario?
Lessons learned report
Mark, a security analyst, wants to analyze an incident and determine actions that were taken during the analysis and steps needed to prevent a future occurrence. Which of the following will he use in the given scenario?
Lessons learned report
Jeff, an investigating officer, is investigating a system that is running malware, which encrypts its data on a drive. Which of the following processes should he use to have the best chance of viewing data in the given scenario?
Live imaging
Ryan is concerned about the possibility of a distributed denial-of-service attack against his organization's web portal. Which one of the following types of testing would best evaluate the portal's susceptibility to this type of attack in the given scenario?
Load
Which process is used to ensure that an application can handle very high numbers of concurrent users or sessions?
Load testing
Which of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
Log records generated by the strategy
Which of the following is not a commonly recommended best practice of the incident analysis process based on NIST's guidelines?
Maintain backups of every system and device.
During a forensic investigation Ben, a forensic analyst, asks Chris, another forensics expert, to sign off the actions he has taken. What is Ben doing by asking Chris to sign off in the given scenario?
Maintaining the chain of custody documentation
Which of the following data elements would not normally be included in an evidence log?
Malware signatures
Darren works as a risk analyst in an organization. For the security of his organization, he is updating the organization's risk management process. Which type of control is Darren creating by performing the task in the given scenario?
Managerial
Which of the following primary modes of data acquisition involves reviewing the content of the live and an unlocked phone and taking pictures and notes about what is found?
Manual access
What does the MAC address of a rogue device tells a user?
Manufacturer of the device
Which of the following is a component of the COBIT framework that allows a company to have its methods and processes assessed according to management best practices against a clear set of external benchmarks?
Maturity model
Ben is working in an IT services organization that uses the National Institute of Standards and Technology (NIST) functional impact categories to describe the impact of incidents. During a recent construction project, a contractor plugged a network device to the same switch twice, resulting in a network loop and taking down the organization's network for one-third of its users. Which functional impact category should Ben use to classify the event given in the scenario?
Medium
Ben, a security analyst in an organization, is working to classify the functional impact of an incident. The incident has disabled email services for approximately 30 percent of his organization's staff. According to the NIST scale, in which of the following categories should, Ben classify the functional impact of the incident in the given scenario?
Medium
Which phase of the Fagan inspection process identifies defects based on notes from the preparation phase?
Meeting
Which of the following tools does not provide real time drive capacity monitoring for Windows?
Microsoft Endpoint Configuration Manager
Bob recently implemented an intrusion prevention system designed to block common network attacks from affecting his organization. Which type of risk management strategy is he implementing in the given scenario?
Mitigation
Danielle works as a data analyst in an organization. As part of her job, she sets an alarm to notify her team via an email if her Windows server uses 80 percent of its memory and to send a text message if it reaches 90 percent utilization. Which of the following options represents the task performed by Danielle in the given scenario?
Monitoring threshold
Ashley is working with software developers to evaluate the security of an application they are upgrading. She is performing testing that slightly modifies the application code to help in identifying errors in code segments that might be infrequently used. Which type of testing is she performing in the given scenario?
Mutation testing
Which of the following technologies is suited to prevent wired rogue devices from connecting to a network?
NAC
Which utility will you use to connect and directly interact with a service?
Netcat
Which of the following protocols provides a common source of time information that allows the synchronizing of clocks throughout an enterprise?
Network Time Protocol (NTP)
When an organization handles sensitive data, it is required that the organization must apply a security control so that all employees working with that data are not able to share that information with unauthorized individuals. Which security control would best protect the integrity of data in the given scenario?
Nondisclosure agreement
Which of the following is an administrative control that can protect the confidentiality of sensitive information?
Nondisclosure agreement
Hank works as a security analyst in a company. He is responding to a security event where the CEO of his company had her laptop stolen. The laptop was encrypted but contained sensitive information about the company's employees. In which of the following NIST information impact categories, should Hank classify the impact of this security event?
None
Sondra works as a cybersecurity analyst. She determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which of the following strategies would meet Sondra's goal in the given scenario?
None of these
Eric leads a team of software developers and wants to help them in understanding the most important security issues in web application development. Which of the following sources would provide Eric with the most useful resource?
OWASP
Which of the following contractual obligations applies to merchants and service providers who work with credit card information?
PCI DSS
During their organization's incident response preparation, Charles and Linda are identifying critical information assets that an organization uses. Their organizational data sets include a list of customer names, addresses, phone numbers, and demographic information. By using which of the following should Charles and Linda classify this information?
PII
Testing and Integration start when the development stage is complete to make sure it conforms to the previous requirements of the SDLC
Pair programming
Precompiled SQL statements that only require variables for the input are an example of which type of application security control?
Parameterized queries
Kristen works as a software tester in an organization. She wants to implement a code review but has a distributed team that works in different shifts during the day. She also does not want to create any additional support load for her team with new development environment applications. Which type of review process will work best for Kristen's needs in the given scenario?
Pass-around
Which of the following monitoring methods relies on acquiring data about a network as traffic flows through a location on a network link?
Passive monitoring
Allen needs to evaluate, test, and deploy software updates. Which of the following management techniques will she use?
Patch
Which of the following three options are most likely to be used to handle a memory leak?
Patching, service restarts, and system reboots
Which Windows tool provides detailed information including information about USB host controllers, memory usage, and disk transfers?
Perfmon
Charles works as a security analyst in an organization. He is worried about users conducting SQL injection attacks. Which of the following solutions will best address Charles's concerns in the given scenario?
Performing user input validation
Which Domain-Based Message Authentication, Reporting, and Conformance (DMARC) tag includes a series of uniform resource identifiers (URIs) that lists where to send forensic feedback reports?
ruf=
A fire suppression system is an example of which type of control?
Physical
Catherine is working with an architect on the design of a new data center for her organization. She wants to design an intrusion alarm in the data center that will notify security personnel for an attempted break-in to the facility. Which type of control is she designing in the given scenario?
Physical
Chris works as a network administrator in an organization. He wants to use an active monitoring approach to test his network. Which of the following techniques is appropriate for Chris to test the network in the given scenario?
Pinging remote systems
Which of the following documents are the highest-level component of an organization's cybersecurity program?
Policies
Which of the following document types would outline the authority of CSIRT responding to an active security incident?
Policy
Which of the following documents must be approved by the CEO or an equivalent high-level executive?
Policy
Adam is performing an internal security assessment and wants to identify services running on servers. Which of the following will he use to identify services available on servers?
Port scan
A security administrator wants to manage both local and remote hosts together on a Windows system. Which of the following can a security administrator use to accomplish the given task?
PowerShell
Juan works as a network administrator in an organization. He wants to see a list of processes along with their CPU utilization in an interactive format. Which of the following built-in Linux commands should he use to accomplish his task in the given scenario?
top
Which protocol provides an encryption key and a digital signature that verifies that an email message was not forged or altered?
DKIM
A network administrator must install a device that will proactively stop outside attacks from reaching the LAN. Which of the following devices should a network administrator install in the given scenario?
Intrusion prevention system (IPS)
Tony and Mal are friends. Tony wants to check the digital signature of an encrypted email that he received from Mal. Which of the following keys does Tony need to verify that the email is from Mal?
Mal's public key
Tommy is a team leader of the computer security incident response team (CSIRT) for his organization and is responding to a newly discovered security incident. To respond to the incident, he is following step-by-step instructions that he might follow in the early hours of the response effort. Which of the following document is most likely to contain instructions mentioned in the above scenario?
Playcourse
During an incident response process, Cynthia conducts a lessons-learned review for project management improvement. Which phase of the incident response process is she performing in the given scenario?
Post-incident recovery
Dan is designing a segmented network that places systems with different levels of security requirements into different subnets with firewalls and other network security devices between them. In which phase of the incident response process is Dan working in the given scenario?
Preparation
During which phase of the incident response process will an organization implement cybersecurity defenses designed to reduce the likelihood of a security incident?
Preparation
What is the primary role of management in the incident response process?
Providing authority and resources required during a response
Ryan is a security tester in an XYZ organization. He needs to perform a web application vulnerability scanning. To achieve this scanning he requires some tools. Which tools will he use to accomplish the task?Each correct answer represents a complete solution. Choose all that apply.
W3AF Burp Suite
Susan works as a security analyst in an organization. She wants to use an email security protocol to determine the authenticity of an email. For security purposes, Susan wants to ensure that her organization's email server can determine if it should accept email from a sender. Which of the following options will help her to ensure the authenticity in the given scenario?
DMARC
Which of the following elements is not normally found in an incident response policy?
Procedures for rebuilding systems
A company has developed an application that is undergoing the testing process. According to the results of the testing process, some changes have been made to the application. The company now wishes to check whether or not the changes made in the application have caused a failure in the previously existing functionality. Which test should the company perform in the given scenario?
Regression
Haley, a security administrator, is planning to deploy a security update to an application provided by a third-party vendor. She installed a patch in a test environment and would like to determine whether applying the patch creates other issues. Which type of test can Haley run to best determine the impact of applying the patch in the given scenario?
Regression
You have implemented a security technique where an automated system generates random input data to test an application. Which of the following techniques have you implemented in the given scenario?
Fuzzing
Sam works as a software developer in an organization. He is working on a web application for its improvement. For the improvement of the web application, a major patch is released. After the release of the patch, Sam proceeds to run the security scanner against the web application to verify that it is still secure. Which of the following processes is Sam conducting in the given scenario?
Regression testing
During the Fagan code inspection, which stage can redirect to the planning stage?
Rework
Which of the following enables security personnel to take defensive actions more quickly by providing real-time or near-real-time analysis of security alerts generated by network hardware and applications?
SIEM
Which of the following concepts relies on a stack of security tools to collect data from a variety of security sources and then automatically respond to the sources?
SOAR
Which technology enables organizations to collect inputs monitored by the security operations team?
SOAR
Alan works as a security analyst in an organization. He is responsible for developing his organization's detection and analysis capabilities for identifying a security incident that is taking place. To detect potential security incidents he would like to purchase a system that can combine log records from multiple sources. Which type of system is best suited to meet Alan's security objective in the given scenario?
Security information and event management
Bruce is considering the acquisition of a software testing package that allows programmers to provide their source code as input. The package analyzes the code and identifies potential security issues without executing it. What type of analysis is Bruce performing in the given scenario?
Static analysis
A user is conducting software testing by reviewing the source code of an application. What type of software testing is the user conducting in the given scenario?
Static code analysis
Which phase of the Rapid Application Development (RAD) model focuses on the dataflow and interfaces between components?
Testing and turnover
Ian works as an application developer in an organization. He wants to view a report, which shows the current memory consumption of all data on his Linux systems and also wants to be able to read the report. Which of the following commands will help him to accomplish his task in the given scenario?
top | more
A user wants to review the syslog on a Linux system. Which directory should the user check to find it on most Linux distributions?
/var/log
Danielle's security team has found consistent evidence of system compromise for weeks with additional evidence pointing to systems, which the team is investigating. Despite her team's best efforts, Danielle has found that her team cannot seem to track down and completely remove the compromise. What type of attack is Danielle likely dealing with?
APT
As a chief information security officer (CISO) of her organization, Jennifer is working on an incident classification scheme and wants to make her design on the National Institute of Standards and Technology's (NIST's) definitions. Which of the following classification scheme should she use to describe users accessing a file that users are not authorized to view?
Adverse event
Sam works as a software developer at an XYZ company. For his current project, he wants to work in iterations of phases for the quality of the project with each iteration producing specific deliverable. Which of the following models will he use to accomplish this task?
Agile development
Which of the following are the major categories of security event indicators described by NIST 800-61? Each correct answer represents a complete solution. Choose all that apply.
Alerts from IDS, IPS, SIEM, AV, and other security systems Logs generated by systems, services, and applications Internal and external sources
A user executes the following command against the boot.log file. Which entries will this command return? grep -v error /var/log/boot.log
All lines without the string "error" in the lines
Megan works as a security analyst in an organization. She is trying to prevent impersonation attacks from impacting her company but receives the "No DMARC record found" error when she checks a frequent business partner's DNS information. Which of the following does she need to enable DMARC in the given scenario?
All of these.
A man-in-the-middle attack is an example of which type of threat vector?
Impersonation
Which of the following attacks includes an email purporting from a trusted coworker or manager?
Impersonation
During a web application test, Ben, an application developer, prepares a report for the issues reported during the testing of the application. He discovers that the application shows SQL code as part of an error provided to application users. What should he note in his report in the given scenario?
Improper error handling
Ben works as a security analyst in an organization. His organization uses an IP reputation service to block outbound access to all sites that are flagged with a negative reputation score. Which of the following can be the consequences of this issue of negative reputation score in the given scenario?
Inadvertent blocking of sites due to false positives.
Gabby works as a software tester in an organization. She wants to insert the data into the response received from her web browser to a web application. She wants to easily make manual changes into the data sent from the web browser when she interacts with the website. Which type of tool should Gabby use to make these changes in the given scenario?
Interception proxy
Joseph works as a security analyst in an organization. While analyzing malware, Joseph notes that this malware has encrypted files. For security purposes, he instantly prevented the organization's main web application server from sharing files. Which type of impact has he noted in the given scenario?
Localized, immediate impact
Charleen's incident response team is fighting a rapidly spreading zero-day malware package on a system that silently installs a vulnerability via Adobe Flash when an email attachment is viewed through webmail. After identifying the compromised system, she determines that the system is beaconing to a group of fast flux DNS entries. Which of the following techniques is best suited to identify other infected systems?
Log DNS queries to identify compromised systems.
Mark is a cybersecurity analyst for a nonprofit company. He wants to begin a vulnerability scanning program for the company but does not have any available funds to purchase a tool. Which open source tool can he use at no cost in the given scenario?
OpenVAS
Chris works as a network administrator in an organization. He is reviewing proxy logs while monitoring for systems that are participating in a botnet. Which of the following types of data will he not be able to see in his proxy logs?
Packet payload
Jim is helping a software development team to integrate security reviews into their code review process. He would like to implement a real-time review technique. Which of the following approaches will help Jim to accomplish the given task in the given scenario?
Pair programming
Which of the following parties is not a target of external communications during an incident?
Perpetrator
Michelle is analyzing a Wireshark traffic capture and follows the TCP stream for the TIFF file download. What concern should she raise from the information displayed in the stream viewer?
The file is an executable file.
In which of the following categories, do workflow, reporting, and collaboration tools fit?
Threat and vulnerability management
What is the minimum tenure for retaining incident-handling records?
Three years