SY0-601 PART 7
A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of (he following should the manager request to complete the assessment? A. A service-level agreement B. A business partnership agreement C. A SOC 2 Type 2 report D. A memorandum of understanding
A. A service-level agreement
DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a costeffective way. Which of the following options BEST fulfils the architect's requirements? A. An orchestration solution that can adjust scalability of cloud assets B. Use of multipath by adding more connections to cloud storage C. Cloud assets replicated on geographically distributed regions D. An on-site backup that is deployed and only used when the load increases
A. An orchestration solution that can adjust scalability of cloud assets
After multiple on premises security solutions were migrated to the cloud, the incident response time increased. The analyst are spending a long time to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time? A. CASB B. VPC C. SWG D. CMS
A. CASB
A security analyst was called to Investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user's computer. Which of the following can be used to safely assess the file? A. Check the hash of the installation file B. Match the file names C. Verify the URL download location D. Verify the code-signing certificate
A. Check the hash of the installation file
During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the Internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue? A. Conduct a full vulnerability scan to identify possible vulnerabilities. B. Perform containment on the critical servers and resources C. Review the firewall and identify the source of the active connection. D. Disconnect the entire infrastructure from the Internet
A. Conduct a full vulnerability scan to identify possible vulnerabilities.
A company Is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's Internal wireless network against visitors accessing company resources? A. Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network B. Change the password for the guest wireless network every month. C. Decrease the power levels of the access points for the guest wireless network. D. Enable WPA2 using 802.1X for logging on to the guest wireless network.
A. Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network
As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring? A. Creating a playbook within the SOAR B. Implementing rules in the NGFW C. Updating the DLP hash database D. Publishing a new CRL with revoked certificates
A. Creating a playbook within the SOAR
A user's login credentials were recently compromised During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred? A. Cross-site scripting B. SOL injection C. DNS poisoning D. Certificate forgery
A. Cross-site scripting
An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message reveals that a payment card number was found in the file, and the file upload was blocked. Which of the following controls is most likely causing this issue and should be checked FIRST? A. DLP B. Firewall rule C. Content filter D. MDM E. Application whitelist
A. DLP
The Chief Information Security Officer warns lo prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to Implement? A. DLP B. USB data blocker C. USB OTG D. Disabling USB ports
A. DLP
A company suspects that some corporate accounts were compromised. The number of suspicious logins from locations not recognized by the users is increasing. Employees who travel need their accounts protected without the risk of blocking legitimate login requests that may be made over new sign-in properties. Which of the following security controls can be implemented? A. Enforce MFA when an account request reaches a risk threshold. B. implement geofenoing to only allow access from headquarters C. Enforce time-based login requests trial align with business hours D. Shift the access control scheme to a discretionary access control
A. Enforce MFA when an account request reaches a risk threshold.
An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the following should the organization use to compare biometric solutions? A. FRR B. Difficulty of use C. Cost D. FAR E. CER
A. FRR
Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement? A. Implement proper network access restrictions B. Initiate a bug bounty program C. Classify the system as shadow IT. D. Increase the frequency of vulnerability scans
A. Implement proper network access restrictions
The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting? A. Lessons learned B. Preparation C. Detection D. Containment E. Root cause analysis
A. Lessons learned
Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement? A. MOU B. ISA C. SLA D. NDA
A. MOU
An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place? A. On-path attack B. Protocol poisoning C. Domain hijacking D. Bluejacking
A. On-path attack
An organization is moving away from the use of client-side and server-side certificates for EAR The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements? A. PEAP B. EAP-FAST C. EAP-TLS D. EAP-TTLS
A. PEAP
Which of the following in a forensic investigation should be priorities based on the order of volatility? (Select TWO). A. Page files B. Event logs C. RAM D. Cache E. Stored files F. HDD
A. Page files and D. Cache
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following: • Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users. Internal users in question were changing their passwords frequently during that time period. • A jump box that several domain administrator users use to connect to remote devices was recently compromised • The authentication method used in the environment is NTLM. Which of the following types of attacks is MOST likely being used to gain unauthorized access? A. Pass-the-hash B. Brute-force C. Directory traversal D. Replay
A. Pass-the-hash
Which of the following control types is focused primarily on reducing risk before an incident occurs? A. Preventive B. Deterrent C. Corrective D. Detective
A. Preventive
Per company security policy, IT staff members are required to have separate credentials to perform administrative functions using just-in-time permissions. Which of the following solutions is the company Implementing? A. Privileged access management B. SSO C. RADIUS D. Attribute-based access control
A. Privileged access management
A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements? A. Red-team exercise B. Capture-the-flag exercise C. Tabletop exercise D. Phishing exercise
A. Red-team exercise
After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware? A. Removable media B. Spear phishing C. Supply chain D. Direct access
A. Removable media
A recent security breach exploited software vulnerabilities in the firewall and within the network management solution. Which of the following will MOST likely be used to identify when the breach occurred through each device? A. SIEM correlation dashboards B. Firewall syslog event logs C. Network management solution login audit logs D. Bandwidth monitors and interface sensors
A. SIEM correlation dashboards
Which of the following policies establishes rules to measure third-party work tasks and ensure deliverables are provided within a specific time line? A. SLA B. MOU C. AUP D. NDA
A. SLA
After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices? A. SSH B. SNMPv3 C. SFTP D. Telnet E. FTP
A. SSH
A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company? A. SaaS B. IaaS C. PaaS D. SDN
A. SaaS
A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents. Which of the following backup types should be used? A. Snapshot B. Differential C. Cloud D. Full E. Incremental
A. Snapshot
Which of the following environments minimizes end user disruption and is MOST likely to be used to assess the impacts of any database migrations or major system changes by using the final version of the code in an operationally representative environment? A. Staging B. Test C. Production D. Development
A. Staging (A staging environment is used to validate code that will be deployed. I have seen you providing answers with no context behind them and being wrong. You need to stop that.)
Which of the following authentication methods sends out a unique password to be used within a specific number of seconds? A. TOTP B. Biometrics C. Kerberos D. LDAP
A. TOTP
Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system? A. To avoid data leakage B. To protect surveillance logs C. To ensure availability D. To restrict remote access
A. To avoid data leakage
During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations. Which of the following data sources would be BEST to use to assess the accounts impacted by this attack? A. User behavior analytics B. Dump files C. Bandwidth monitors D. Protocol analyzer output
A. User behavior analytics (User behavior analytics User behavior analytics is a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud that tracks a system's users. UBA looks at patterns of human behavior, and then analyzes them to detect anomalies that indicate potential threats.)
A company recently experienced a significant data loss when proprietary Information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An Investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak? A. User training B. CASB C. MDM D. DLP
A. User training
Which of the following describes the continuous delivery software development methodology? A. Waterfall B. Spiral C. V-shaped D. Agile
A. Waterfall
A company reduced the area utilized in its datacenter by creating virtual networking through automation and by creating provisioning routes and rules through scripting. Which of the following does this example describe? A. laC B. MSSP C. Containers D. SaaS
A. laC (Infrastructure as Code Infrastructure as code is the process of managing and provisioning computer data centers through machine-readable definition files, rather than physical hardware configuration or interactive configuration tools.)
After gaining access to a dual-homed (i.e.. wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset This technique is an example of: A. privilege escalation B. footprinting C. persistence D. pivoting.
A. privilege escalation
A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA. Which of the following will the engineer MOST likely use to achieve this objective? A. A forward proxy B. A stateful firewall C. A jump server D. A port tap
B. A stateful firewall
A network engineer at a company with a web server is building a new web environment with the following requirements: Only one web server at a time can service requests. If the primary web server fails, a failover needs to occur to ensure the secondary web server becomesthe primary. Which of the following load-balancing options BEST fits the requirements? A. Cookie-based B. Active-passive C. Persistence D. Round robin
B. Active-passive
Which of the following employee roles is responsible for protecting an organization's collected personal information? A. CTO B. DPO C. CEO D. DBA
B. DPO (A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR requirements.)
A systems administrator is considering different backup solutions for the IT infrastructure. The company is looking for a solution that offers the fastest recovery time while also saving the most amount of storage used to maintain the backups. Which of the following recovery solutions would be the BEST option to meet these requirements? A. Snapshot B. Differential C. Full D. Tape
B. Differential (There are mainly three types of backup: full, differential, and incremental; A full backup is the most complete type of backup where you clone all the selected data. This includes files, folders, SaaS applications, hard drives and more. The highlight of a full backup is the minimal time it requires to restore data. However, since as everything is backed up in one go, it takes longerto backup compared to other types of backup. The other common issue with running full backups is that it overloads storage space. That's why most businesses tend to run a full backup and occasionally follow it up with differential or incremental backup. This reduces the burden on the storage space, increasing backup speed. Differential Backup A differential backup straddles the line between a full and an incremental backup. This type of backup involves backing up data that )
Developers are about to release a financial application, but the number of fields on the forms that could be abused by an attacker is troubling. Which of the following techniques should be used to address this vulnerability? A. Implement input validation B. Encrypt data Before submission C. Perform a manual review D. Conduct a peer review session
B. Encrypt data Before submission
Which of the following would detect intrusions at the perimeter of an airport? A. Signage B. Fencing C. Motion sensors D. Lighting E. Bollards
B. Fencing (Fibre optic cable is designed to detect and pinpoint the location of intrusion anywhere on the airport perimeter fence, providing real-time reporting of intrusion)
A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety. Which of the following would be BEST to implement to address the issue? A. Forward proxy B. HIDS C. Awareness training D. A jump server E. IPS
B. HIDS
A security analyst is responding to an alert from the SIEM. The alert states that malware was discovered on a host and was not automatically deleted. Which of the following would be BEST for the analyst to perform? A. Add a deny-all rule to that host in the network ACL B. Implement a network-wide scan for other instances of the malware. C. Quarantine the host from other parts of the network D. Revoke the client's network access certificates
B. Implement a network-wide scan for other instances of the malware.
Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following: • All users share workstations throughout the day. • Endpoint protection was disabled on several workstations throughout the network. • Travel times on logins from the affected users are impossible. • Sensitive data is being uploaded to external sites. • All user account passwords were forced to be reset and the issue continued. Which of the following attacks is being used to compromise the user accounts? A. Brute-force B. Keylogger C. Dictionary D. Rainbow
B. Keylogger
An amusement park is implementing a biometric system that validates customers' fingerprints to ensure they are not sharing tickets The park's owner values customers above all and would prefer customers' convenience over security. For this reason, which of the following features should the security team prioritize FIRST? A. LOW FAR B. Low efficacy C. Low FRR D. Low CER
B. Low efficacy
A system that requires an operation availability of 99.99% and has an annual maintenance window available to patching and fixes will require the HIGHEST: A. MTBF B. MTTR C. RPO D. RTO
B. MTTR
A security analyst has been asked by the Chief Information Security Officer to: • develop a secure method of providing centralized management of infrastructure • reduce the need to constantly replace aging end user machines • provide a consistent user desktop experience Which of the following BEST meets these requirements? A. BYOD B. Mobile device management C. VDI D. Containerization
B. Mobile device management
Historically. a company has had issues with users plugging in personally owned removable media devices into corporate computers. As a result, the threat of malware incidents is almost constant. Which of the following would BEST help prevent the malware from being installed on the computers? A. AUP B. NGFW C. DLP D. EDR
B. NGFW
Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business accounts. Which of the following would mitigate the issue? A. Complexity requirements B. Password history C. Acceptable use policy D. Shared accounts
B. Password history
A security proposal was set up to track requests for remote access by creating a baseline of the users' common sign-in properties. When a baseline deviation is detected, an Iv1FA challenge will be triggered. Which of the following should be configured in order to deploy the proposal? A. Context-aware authentication B. Simultaneous authentication of equals C. Extensive authentication protocol D. Agentless network access control.
B. Simultaneous authentication of equals
A security monitoring company offers a service that alerts ifs customers if their credit cards have been stolen. Which of the following is the MOST likely source of this information? A. STIX B. The dark web C. TAXII D. Social media E. PCI
B. The dark web
Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations Which of the following will the company MOST likely reference for guidance during this change? A. The business continuity plan B. The retention policy C. The disaster recovery plan D. The incident response plan
B. The retention policy
A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows: • Must be able to differentiate between users connected to WiFi • The encryption keys need to change routinely without interrupting the users or forcing reauthentication • Must be able to integrate with RADIUS • Must not have any open SSIDs Which of the following options BEST accommodates these requirements? A. WPA2-Enterprise B. WPA3-PSK C. 802.11n D. WPS
C. 802.11n
An organization has hired a red team to simulate attacks on its security posture. Which of the following will the blue team do after detecting an loC? A. Reimage the impacted workstations. B. Activate runbooks for incident response C. Conduct forensics on the compromised system D. Conduct passive reconnaissance to gather information
C. Conduct forensics on the compromised system
Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST? A. Identify theft B. Data loss C. Data exfiltration D. Reputation
C. Data exfiltration (Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft.)
A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack? A. Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing. B. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each. C. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS. D. Use an automated tool to flood the phishing websites with fake usernames and passwords.
C. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS.
Which of the following components can be used to consolidate and forward inbound Interne! traffic to multiple cloud environments though a single firewall? A. Transit gateway B. Cloud hot site C. Edge computing D. DNS sinkhole
C. Edge computing
A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes thistype of alert? A. True positive B. True negative C. False positive D. False negative
C. False positive (Traditional SIEM Log Analysis Traditionally, the SIEM used two techniques to generate alerts from log data: correlation rules, specifying a sequence of events that indicates an anomaly, which could represent a security threat, vulnerability or active security incident; and vulnerabilities and risk assessment, which involves scanning networks for known attack patterns and vulnerabilities. The drawback of these older techniques is that they generate a lot of false positives, and are not successful at detecting new and unexpected event types)
A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department Which of the following account types Is MOST appropriate for this purpose? A. Service B. Shared C. Generic D. Admin
C. Generic
A cloud service provider has created an environment where customers can connect existing local networks to the cloud lor additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used? A. Public B. Community C. Hybrid D. Private
C. Hybrid
Which of the following will Increase cryptographic security? A. High data entropy B. Algorithms that require less computing power C. Longer key longevity D. Hashing
C. Longer key longevity
A malware attack has corrupted 30TB of company data across all file servers A systems administrator Identifies the malware and contains the Issue, but the data Is unrecoverable. The administrator Is not concerned about the data loss because the company has a system in place that will allow users to accessthe data that was backed up last night. Which of the following resiliency techniques did the administrator MOST likely use to prevent impacts to business operations after an attack? A. Tape backups B. Replication C. RAID D. Cloud storage
C. RAID
An organization wants seamless authentication to its applications. Which of the following should the organization employ to meet this requirement? A. SOAP B. SAML C. SSO D. Kerberos
C. SSO
A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action? A. Accept the risk if there is a clear road map for timely decommission B. Deny the risk due to the end-of-life status of the application. C. Use containerization to segment the application from other applications to eliminate the risk D. Outsource the application to a third-party developer group
C. Use containerization to segment the application from other applications to eliminate the risk
A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for unsecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective? A. Use fuzzing testing B. Use a web vulnerability scanner C. Use static code analysis D. Use a penetration-testing OS
C. Use static code analysis (Fuzzing Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program. The program is then monitored for exceptions such as crashes, failing built-in code assertions, or potential memory leaks. Static program analysis Static program analysis is the analysis of computer software performed without executing any programs, in contrast with dynamic analysis, which is performed on programs during their execution. What is static code analysis? Static code analysis is a method of debugging by examining source code before a program is run. It's done by analyzing a set of code against a set (or multiple sets) of coding rules This type of analysis addresses weaknesses in source code that might lead to vulnerabilities. Penetration test A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment.)
A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish thistask? A. nmap -p1-65535 192.168.0.10 B. dig 192.168.0.10 C. curl --head http://192.168.0.10 D. ping 192.168.0.10
C. curl --head http://192.168.0.10
During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will BEST assist the analyst? A. A vulnerability scanner B. A NGFW C. The Windows Event Viewer D. A SIEM
D. A SIEM
All security analysts workstations at a company have network access to a critical server VLAN. The information security manager wants to further enhance the controls by requiring that all access to the secure VLAN be authorized only from a given single location. Which of the following will the information security manager MOST likely implement? A. A forward proxy server B. A jump server C. A reverse proxy server D. A stateful firewall server
D. A stateful firewall server
Which of the following must be in place before implementing a BCP? A. SLA B. AUP C. NDA D. BIA
D. BIA (To create an effective business continuity plan, a firm should take these five steps: Step 1: Risk Assessment This phase includes: Evaluation of the company's risks and exposures Assessment of the potential impact of various business disruption scenarios Determination of the most likely threat scenarios Assessment of telecommunication recovery options and communication plans Prioritization of findings and development of a roadmap Step 2: Business Impact Analysis (BIA) During this phase we collect information on: Recovery assumptions, including Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO) Critical business processes and workflows as well as the supporting production applications Interdependencies, both internal and external Critical staff including backups, skill sets, primary and secondary contacts Future endeavors that may impact recovery Special circumstances Pro tip: Compiling your BIA into a master list can be helpful from a wholistic standpoint, as well as helpful in identifying pain points throughout the organization. Step 3: Business Continuity Plan Development This phase includes: Obtaining executive sign-off of Business Impact Analysis Synthesizing the Risk Assessment and BIA findings to create an actionable and thorough plan. Developing department, division and site level plans Reviewing plan with key stakeholders to finalize and distribute Step 4: Strategy and Plan Development Validate that the recovery times that you have stated in your plan are obtainable and meet the objectives that are stated in the BIA. They should easily be available and readily accessible to staff, especially if and when a disaster were to happen. In the development phase, it's important to incorporate many perspectives from various staff and all departments to help map the overall company feel and organizational focus. Once the plan is developed, we recommend that you have an executive or management team review and sign off on the overall plan. Step 5: Plan Testing & Maintenance The final critical element of a business continuity plan is to ensure that it is tested and maintained on a regular basis. Thisincludes: Conducting periodic table top and simulation exercises to ensure key stakeholders are comfortable with the plan steps Executing bi-annual plan reviews Performing annual Business Impact Assessments)
A company is providing security awareness training regarding the importance of not forwarding social media messages from unverified sources. Which of the following risks would this training help to prevent? A. Hoaxes B. SPIMs C. Identity fraud D. Credential harvesting
D. Credential harvesting (Hoax A hoax is a falsehood deliberately fabricated to masquerade as the truth. It is distinguishable from errors in observation or judgment, rumors, urban legends, pseudo sciences, and April Fools' Day events that are passed along in good faith by believers or as jokes. Identity theft Identity theft occurs when someone uses another person's personal identifying information, like their name, identifying number, or credit card number, without their permission, to commit fraud or other crimes. The term identity theft was coined in 1964. Identity fraud (also known as identity theft or crime) involves someone using another individual's personal information without consent, often to obtain a benefit. Credential Harvesting Credential Harvesting (or Account Harvesting) is the use of MITM attacks, DNS poisoning, phishing, and other vectors to amass large numbers of credentials (username / password combinations) for reuse.)
A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe? A. Insider threat B. Social engineering C. Third-party risk D. Data breach
D. Data breach
While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor? A. Utilizing SIEM correlation engines B. Deploying Netflow at the network border C. Disabling session tokens for all sites D. Deploying a WAF for the web server
D. Deploying a WAF for the web server
The Chief Technology Officer of a local college would like visitors to utilize the school's WiFi but must be able to associate potential malicious activity to a specific person. Which of the following would BEST allow this objective to be met? A. Requiring all new, on-site visitors to configure their devices to use WPS B. Implementing a new SSID for every event hosted by the college that has visitors C. Creating a unique PSK for every visitor when they arrive at the reception area D. Deploying a captive portal to capture visitors' MAC addresses and names
D. Deploying a captive portal to capture visitors' MAC addresses and names
Administrators have allowed employee to access their company email from personal computers. However, the administrators are concerned that these computes are another attach surface and can result in user accounts being breached by foreign actors. Which of the following actions would provide the MOST secure solution? A. Enable an option in the administration center so accounts can be locked if they are accessed from different geographical areas B. Implement a 16-character minimum length and 30-day expiration password policy C. Set up a global mail rule to disallow the forwarding of any company email to email addresses outside the organization D. Enforce a policy that allows employees to be able to access their email only while they are connected to the internet via VPN
D. Enforce a policy that allows employees to be able to access their email only while they are connected to the internet via VPN
During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the network. In which of the following stages of the Cyber Kill Chain is the adversary currently operating? A. Reconnaissance B. Command and control C. Actions on objective D. Exploitation
D. Exploitation
An organization is planning to open other datacenters to sustain operations in the event of a natural disaster. Which of the following considerations would BEST support the organization's resiliency? A. Geographic dispersal B. Generator power C. Fire suppression D. Facility automation
D. Facility automation
A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system? A. The Diamond Model of Intrusion Analysis B. CIS Critical Security Controls C. NIST Risk Management Framework D. ISO 27002
D. ISO 27002 (ISO/IEC 27002 is an information security standard published by the International Organization for Standardization and by the International Electrotechnical Commission, titled Information technology - Security techniques - Code of practice for information security controls.)
As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment? A. User behavior analysis B. Packet captures C. Configuration reviews D. Log analysis
D. Log analysis
Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan? A. Vulnerabilities with a CVSS score greater than 6.9. B. Critical infrastructure vulnerabilities on non-IP protocols. C. CVEs related to non-Microsoft systems such as printers and switches. D. Missing patches for third-party software on Windows workstations and servers.
D. Missing patches for third-party software on Windows workstations and servers.
Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? A. GDPR B. PCI DSS C. ISO 27000 D. NIST 800-53
D. NIST 800-53 (NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce.)
A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state? A. Ipconfig B. ssh C. Ping D. Netstat
D. Netstat
A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement. Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step? A. Autopsy B. Cuckoo C. Memdump D. Nmap
D. Nmap (Memdump A display or printout of all or selected contents of RAM. After a program abends (crashes), a memory dump is taken in order to analyze the status of the program. The programmer looks into the memory buffers to see which data items were being worked on at the time of failure. Nmap Nmap is a network scanner created by Gordon Lyon. Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection.)
Which of the following are common VoIP-associated vulnerabilities? (Select TWO). A. SPIM B. vising C. Hopping D. Phishing E. Credential harvesting F. Tailgating
D. Phishing and F. Tailgating
Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code? A. Check to see if the third party has resources to create dedicated development and staging environments. B. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository. C. Assess existing vulnerabilities affecting the third-parry code and the remediation efficiency of the libraries' developers. D. Read multiple penetration-testing reports for environments running software that reused the library.
D. Read multiple penetration-testing reports for environments running software that reused the library.
An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST? A. Delete the private key from the repository-. B. Verify the public key is not exposed as well. C. Update the DLP solution to check for private keys. D. Revoke the code-signing certificate.
D. Revoke the code-signing certificate.
A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique? A. Vishing B. Whaling C. Phishing D. Smishing
D. Smishing
A security analyst has identified malware spreading through the corporate network and has activated the CSIRT Which of the following should the analyst do NEXT? A. Review how the malware was introduced to the network. B. Attempt to quarantine all infected hosts to limit further spread. C. Create help desk tickets to get infected systems reimaged. D. Update all endpoint antivirus solutions with the latest updates.
D. Update all endpoint antivirus solutions with the latest updates.
Which of the following should be monitored by threat intelligence researchers who search for leaked credentials? A. Common Weakness Enumeration B. OSINT C. Dark web D. Vulnerability databases
D. Vulnerability databases
A cybersecurity administrator needs to implement a Layer 7 security control on a network and block potential attacks. Which of the following can block an attack at Layer 7? (Select TWO). A. HIDS B. NIPS C. HSM D. WAF E. NAC F. NIDS G. Stateless firewall
D. WAF and G. Stateless firewall