CySA+


A security consultant is working with a client that recently suffered a breach. The consultant has been tasked with recommending additional controls based on the lessons learned report from the incident. The report indicates that initial access was gained via a web application server that had no application layer protection between it and the internet, and lateral movement to internal servers was successful due to a lack of segmentation between this perimeter asset and the organization's internal assets. Which controls would prevent similar attacks in the future? (Select TWO.)

A DMZ; A WAF

A security consultant is using the OSSTMM to prepare for an engagement with a new client. Which of the following definitions describes the purpose of the OSSTMM?

A comprehensive manual with guidance for testing the security of information systems

What are the characteristics of an APT attack? (Select TWO.)

A covert attack that remains undetected for a significant amount of time; The primary goal is to monitor or steal data

A security analyst is using email headers to determine whether or not malicious activity has occurred. Which of the following is the best potential indicator of a phishing attempt found in the email header analysis process?

A mismatch from the domain that the email is expected to come from

A SOC manager prepares a report for the CISO to present to the board of directors quarterly. The CISO has requested that only incidents should be included in the reporting numbers. What would NOT be included in this reporting?

A server unexpectedly rebooting

Which attack framework would security professionals reference for a knowledge base of adversary tactics and techniques?

ATT&CK

An ecommerce company discovers that the descriptions for many of their products have been mysteriously altered. Upon further analysis, it is determined that the site's shopping cart page includes a field that is susceptible to SQL injection. What should the company do to mitigate this risk?

Add input validation functions to the shopping cart page.

At what point in the SDLC is test planning initiated?

After requirement gathering and analysis, and before design

The security team is determining the most appropriate vulnerability scanner solution to meet vulnerability management requirements. Scans must include computers deployed in the company's DMZ and support remote offices with limited bandwidth connections. What type of scan should the security team use?

Agent-based

A company is deploying a server that is to be used as a development server for security applications. Access to the server must be strictly limited to designated developers. Physical access to the server should be restricted as well as having no access to the Internet. The server should be as isolated as possible. What technology should the company employ?

Air gap

A CISO is in the Preparation phase of NIST 800-61's Incident Response Life Cycle and is working on the communication plan. Which members of staff should the CISO include in this plan from the organization?

All stakeholders, including members of the IT department and cybersecurity, senior leaders and executives, and any relevant employees from other departments

The CISO has requested that an incident timeline be completed for a recent breach. Which of the following is true of an incident timeline?

An incident timeline records events, description of events, date-time group (UTC) of occurrences, impacts, and data sources.

When should law enforcement be contacted by the incident response team?

Any time a crime is suspected as part of the incident.

A banking customer reports that an unapproved transfer has been posted to their account. Upon investigation, a security analyst determines that the bank's website does not properly manage user sessions and it is vulnerable to CSRF attacks. What should the bank do to mitigate this risk?

Append unpredictable challenge tokens to requests.

A company suffered a data breach when a user installed a malware-infected movie player on their work tablet. The system administrator has been tasked with preventing unauthorized software installations on all company-owned devices. Which technology should the administrator implement?

Application whitelist

What is the role of Tactics, Techniques and Procedures (TTPs) in threat hunting?

Assessing the level of threat, represented by a threat actor

A vulnerability analyst is reviewing the results of a recent vulnerability scan. There are multiple critical severity vulnerabilities in the findings, and the analyst has been tasked with prioritizing which vulnerability to remediate first. The CISO decides to prioritize any critical vulnerabilities that can be exploited over the internet. Which specific CVSS 3.1 Exploitability Metric would be reviewed to make this decision?

Attack vector

A security consultant prepares a report based on threat modeling research at a company. The report focuses on items such as:
• Compromised and weak credentials
• Disgruntled employees
• Poor data encryption
• The large number of external consultants working on the company campus
Which threat modeling methodology is this an example of?

Attack vector analysis

A security provider has implemented a process that automatically scans incoming files and compares them to known malware signatures to identify possible new infections. This is an example of which of the following?

Automated malware signature creation

A SOC analyst received an alert from the SIEM indicating that an unknown external IP address connected to a web server over TCP port 23. On viewing the server access logs, the analyst notices there were hundreds of failed attempts for the same user from the external IP on TCP port 23 before the successful connection. What kind of malicious activity would be suspected based on these findings?

Brute force over telnet

A company decides to use fuzz testing to perform dynamic tests for software and operating system vulnerability testing. The company plans to initially use blackbox fuzzing but follow up with whitebox fuzzing in potential areas of concern. Which two types of vulnerabilities is the company MOST likely to see reported in the fuzz testing result report? (Choose two.)

Buffer overflow; SQL injection

A company expands its operations with a pilot fleet of automated vehicles. A security analyst is performing penetration testing to assess vulnerabilities relating to the vehicles. Which attack vector is MOST likely to be used to exploit automated vehicles?

CAN bus

A contract security analyst supplies an organization with the results of a vulnerability scan, which shows a list of vulnerabilities. Due to funding shortages, the organization can only afford to address the most critical vulnerabilities outlined in the report. Which of the following should the organization use to aid their decision making?

CVSS

A financial services firm hires a software development contractor to create a new portfolio management platform. The firm has stipulated that the developers implement a continuous delivery methodology. What is the firm hoping for by setting this requirement?

All changes are released quickly and in a sustainable way

The Computer Security Incident Response Team (CSIRT) concludes that an incident occurred because operating system patches on several servers were not up to date. Where should procedures for keeping the servers up to date be documented?

Change control process

The analysis of a recent incident exposed a need to modify or update the following:
• Permission assignments
• Router and firewall configurations
• VLAN boundaries
Where can the IT department find guidelines on how best to implement these?

Change control process

A security consultant recommends reducing your network's digital attack surface as a way of minimizing the risk of unknown attacks. Which two of the following actions would reduce the attack surface? (Select TWO.)

Closing unnecessary open ports on firewalls; Segmenting the internal network into multiple subnets

What is the role of open-source intelligence (OSINT) in proactive threat hunting?

Collecting and analyzing data from public sources

A security administrator receives an alert from a NIPS. Upon inspection, the administrator discovers evidence of the traffic, as shown below:
  184.168.131.241:63141 > 8.8.8.8:53 TXT? BA7zWb2BLTMH9zsD.hackerz.go.
  184.168.131.241:63141 > 8.8.8.8:53 TXT? wJ2fumExmyeTLA3bEmjz.hackerz.go.
  184.168.131.241:63141 > 8.8.8.8:53 TXT? 4yCrv]MrCBp.hackerz.go.
Which step of the Cyber Kill Chain Model has the attacker most likely completed?

Command & control

Which of the following is not a collection source for OSINT?

Company file server

A company requests help from a security consultant to harden its network. The security consultant made several recommendations; however, due to the cost involved and to technical difficulties the company decided not to implement all of these recommendations. One of the recommendations the security consultant gave was related to the possibility of network traffic being intercepted and exploited. The security consultant recommended reconfiguring the network so that it only uses fiber optic cabling. The company decided to implement an alternative solution in which it configured the network to support encrypted communication only. What type of control is this an example of?

Compensating

A company decides to install motion detectors around its perimeter fence to avoid the cost of hiring security guards. How should you describe this control?

Compensation access control

A cybersecurity consultant completes a security review for a company that includes vulnerability scans and they identify multiple vulnerabilities. The consultant works with internal IT and technical services resources to determine how best to prioritize response actions. As part of this analysis, they use CVSS ratings provided by the vulnerability scans and the risk of vulnerabilities being exploited. What additional information should be used in making this determination?

Compliance with regulatory requirements

A senior vulnerability analyst is reviewing the results of a recent vulnerability scan. There are multiple critical severity vulnerabilities in the findings, and the analyst has been tasked with identifying which vulnerabilities to remediate first. Which specific CVSS 3.1 metric would the analyst seek out to find which critical vulnerabilities could result in sensitive information being accessed or exfiltrated by attackers?

Confidentiality impact

An NIDS that is deployed on a company's perimeter network issues an alert due to a rapid increase in traffic volume. The traffic analysis indicates that a small number of external computers are sending high levels of traffic to a web server on the perimeter network. The web server offers a business-critical service, and any interruption could be costly. What should the company do first to resolve this issue?

Configure the Internet-facing firewall's ACL to block the IP addresses of the sending computers.

Following a defense-in-depth approach, the organization has deployed the following systems: a SIEM, an anti-spam system, and an NGFW. However, the security administrator spends too much time manually creating signatures. What should the administrator do to address this?

Configure the SIEM system to support multiple TI feeds

Your incident response team has identified that an incident qualifies as a security incident. What action should the team take next?

Contain the incident and limit the damage it might cause.

Which development strategy provides for the greatest automation of the development and release process for existing software?

Continuous deployment

An incident response team needs to make a forensic copy of a hard disk. What should the team do before creating the copy?

Create a hash for the source disk

A security consultant notices that a client they are working with is giving users local administrator rights so that they can install the specialized software they need for their roles. What should the consultant suggest as a way to increase security, automate the process, and reduce the need for human interaction during system deployment?

Create and deploy golden images based on job roles.

A company completes its vulnerability scans and prepares technical and executive summary reports describing the results. The company needs to prioritize the remediation of the vulnerabilities identified. Which two factors should the company take into account when determining remediation priority? (Select TWO.)

Criticality; Difficulty of implementation

An employee attempts to forward an email to a customer cloud storage service. The email includes an employee telephone list as an attachment. The email is blocked from delivery. What type of policy control is this an example of?

DLP

An internal data exfiltration attack resulted in a small amount of unpublished material being upload external site. The investigation into the potential impact of the incident revealed an unexpected vulr any materials from the publisher, either sold directly by the publisher or through a third party, can copied and redistributed without any restrictions. The publisher needs to prevent this from happening in the future, in a way that protects the materia unauthorized duplication and/or redistribution. What is the BEST solution the publisher should implement?

DRM

A security engineer is using Scout Suite to analyze their organization's cloud environment. After scanning the environment, the engineer is reviewing the Scout Suite report before making recommendations on remediation prioritization. What designation is used in Scout Suite reports to signify findings that should get the most immediate attention?

Danger

A company's database server farm is deployed on a secure subnet. The only computers on the subnet are the database servers and a jump server. The databases support business applications and activities, including retail point-of-sale (POS), 24/7 online sales, and accounting. Traffic streaming from internal sources floods the router that faces the secure subnet, crashing the router and the attack spreads to the other internal hosts. Which of the following would NOT be considered in the scope of impact of the incident when determining the severity of the impact and prioritizing a response?

Data integrity

A security administrator runs a command and receives the output shown below:
  user@WKSTI:~$ sha256sum file1
  07e7780d2c4918e6a5ae418edd042c4becc4e5a90eb9f4c423fd70b9207b7b2 file1
What is the administrator trying to ensure?

Data integrity

After a breach, an organization follows the incident response process outlined in NIST SP 800-61. During the final phase of the process, the organization is considering the possibility of taking legal action against the attacker. What should the organization consider during this process regarding collected evidence data?

Data retention policy and process

An application under development reaches the testing phase of SDLC. The development team starts with static code analysis. Which three of the following are types of static code analysis? (Select THREE.)

Dataflow analysis; Symbolic execution; Hoare logic

An incident response analyst is analyzing the root cause of a ransomware event that impacted their organization's operations last week. Since it is still early in the IR process, no public acknowledgement of the incident has been made. However, the analyst receives telephone calls from a reporter asking for a comment on rumors that claim that an incident occurred. How should the analyst BEST respond to this request? (Select TWO).

Declining to make a comment and pointing the reporter to PR contact information on the company website; Declining to make a comment and passing all media requests directly to the designated media contact

A company is implementing an information security vulnerability management process. The company runs a series of vulnerability scans so that the security team can schedule remediation. Credentialed server-based scans are returning a much higher number of results than expected that appear to be false positives. The company wants to reduce the number of potential false positives as quickly as possible so that they can initially focus on the most critical threats. What should the team do?

Decrease the scan sensitivity

A hospital plans to deploy a patient management app that will be used on tablets supplied to doctors and nurses. The hospital security team needs to ensure that data entered on the tablet is protected while in transit. What solution does not require any special configuration on the tablet while still meeting this requirement?

Deploy PKI, and configure the app server to require TLS

A network administrator is deploying a web server cluster behind a packet filtering firewall. In order to enhance security, the administrator must reduce each server's attack surface. What is the BEST option for meeting this requirement?

Deploy a HIPS on each node in the web server cluster.

A company wants to configure a web server so that it is accessible from the Internet. The company wants to place the web server on a screened subnet, and the solution should offer IPS functionality. What should the company do?

Deploy a NGFW and configure a demilitarized zone for the web server

A software development team develops ecommerce software. In order to mitigate risks for clients, the team needs to actively search their code for bugs, coding mistakes, and other vulnerabilities. When issues are discovered, they need to be corrected as quickly as possible. What should the development team do?

Deploy the continuous integration method

For which part of an incident response can senior management provide useful information and assistance?

Determining the financial cost of the incident

A traveling salesperson's laptop was recently returned in an anonymously addressed package. Upon inspection, a security analyst is able to recover a malware executable that was attached to an email sitting in the salesperson's outbox. The analyst plans to perform executable process analysis. What should the analyst use for this task?

Detonation chamber

A company works with a cybersecurity consultant to establish a computer incident response team. The team includes members from different departments in the company, including:
• Technical services
• Information technology (IT)
• Management
• Human resources (HR)
• Public relations
• Legal
The team is developing an incident response plan that includes communication plans and guidelines in case of an incident. The team needs to ensure secure, reliable, and appropriate communications. Which two guidelines should be included in the communication plan? (Select TWO.)

Each team member should have multiple contact methods available; Contact information should be documented in a call/contact list.

A contracted security consultant is asked to evaluate the risk of a phishing attack against a company's users. How should the consultant start data reconnaissance in preparation for the test?

Email harvesting

The CISO states that the mean time to respond to incidents is currently unacceptably high. Which of the following options could help to reduce the mean time to respond? (Select TWO).

Employ a 24/7/365 managed SOC; Implement a SOAR solution.

A network engineer is tasked with reducing device management overhead. The engineer has been given the following requirements:
• Devices must support automation using YANG models.
• Devices must be manageable using HTTPS.
• Devices should accept and return configuration information in a format similar to that shown below:
  "Cisco-IOS-XE-interfaces-oper:interface": {
    "name": "GigabitEthernet1",
    "interface-type": "iana-iftype-ethernet-csmacd",
    "admin-status": "if-state-up",
    "oper-status": "if-oper-state-ready",
    "last-change": "2020-08-1518:30:00.123+00:00",
    "if-index": 1,
    "phys-address": "00:ba:56:bb:e2:9a",
    "speed": "1024000000",
    "vrf": "!",
    "ipv4": "10.10.10.11",
    "ipv4-subnet-mask": "255.255.255.0",
    "description": "MGMT INT",
    "mtu": 1500,
    "input-security-acl": "",
    "output-security-acl":
What should the engineer do to meet the requirements?

Enable the RESTCONF API and use Python to set and retrieve configuration information.

An organization has recently completed the incident response planning process. The final requirement stipulated by management is that all emails sent by members of the computer security incident response team (CSIRT) are protected from spoofing or modification and remain encrypted in mailboxes. How should the CSIRT meet this requirement?

Ensure that all CSIRT communications use S/MIME.

A security analyst who was the first responder to an incident has advised all other analysts on site not to turn off a compromised system until forensic evidence is gathered. What is the PRIMARY reason the analyst would be concerned about ensuring the system is not powered down?

Evidence in volatile memory could be lost

An anomaly-based NIDS is installed on a company's network. During end-of-quarter accounting activities, the NIDS generates multiple alerts related to network activity with a database server. The database server is running a signature-based HIDS. Which is the most likely cause of the alerts?

False positive

A company wants to implement an authentication system that supports authentication using the same user identities across organizations and security domains. What type of authentication should the company implement?

Federation

A government contractor discovers that a batch of recently procured laptops are infected with malware. The contractor determines that the malware was installed at a shipping warehouse. In order to prevent this issue in the future, which two methods can the contractor employ to verify hardware and software authenticity? (Select TWO.)

File system hashing; Anti-tampering devices

A company works with a cybersecurity consultant to complete a risk assessment profile for network vulnerabilities. The assessment will be used to determine the best actions to take to mitigate risks and set remediation priorities. Which is NOT a factor in determining the likelihood of a potential risk?

Financial impact

A company initiated a series of security architecture reviews after a series of incidents. Among the recommendations made was to implement a syslog server to consolidate syslog messages from the company's Linux servers. The company wants to limit logged messages to warning, error, and critical conditions to minimize log server size and to make manual review easier. Which message severity level values should be included in the log?

Four and lower

A cybersecurity analyst is responding to an incident that involves PII for customers, some of which are citizens of countries in the European Union. What would be impacted by the reporting of this incident?

GDPR

Which of the following is a regulation that has requirements for reporting if personal data for a citizen of the EU has been involved in a breach?

GDPR

A company lowers its restrictions on BYOD and on connections to and through the company network. The company determines that it should update its AUP before allowing personal devices. What should be included in an AUP?

Guidelines regarding restrictions to websites that can be accessed from the company network

A cybersecurity analyst is responding to an incident that involves PHI. What would be impacted by the reporting of this incident?

HIPAA

The incident response team collects a hard disk at an incident site, and it may be used as evidence in a trial. The team needs to be able to show that the drive contents have not changed since collection. What should the team use?

Hash utility

The internal cybersecurity team suspects that a network server is the target of a zero-day attack. What type of analysis should the cybersecurity team perform to verify this?

Heuristic

The security team has detected attempts to compromise web servers deployed in a company's DMZ. The team wants to capture related traffic and analyze the attacker's methods in detail. What should they deploy?

Honeypot

A company suspects an ongoing attempt to infiltrate its network. The company sets up a honeynet and needs to collect information about activity in the network. To avoid detection by the possible attacker, the company needs to use a passive collection technology. Which technology should the company use?

IDS

What type of information might a security analyst find while analyzing output from recon-ng? (Select TWO).

IP addresses and ports; Social media activity and email addresses

Which of the following activities would a security analyst perform while applying a legal hold during the incident response process?

Identify the relevant data and preserve it in its original state

A security analyst has been asked to review findings from Nikto to improve the organization's security posture. What are the primary activities an analyst would perform while analyzing the output from Nikto? (Select TWO).

Identifying and clearing false positives; Identifying potential vulnerabilities in a web application

At what point is an organization MOST likely to initiate proactive threat hunting?

If an indicator of compromise is suspected on the network

When should law enforcement be contacted as part of an incident response?

Immediately, when it is obvious that a law has been broken.

An employee has been caught exfiltrating sensitive company data. The employer needs to preserve the evidence before notifying the employee. What should the employer do NEXT?

Implement a legal hold on email and file service

A network audit by a cybersecurity consultant finds unauthorized software installed on several client computers. The technical services department removes the applications. The company needs to prevent this from happening in the future. What should the company do?

Implement application whitelisting

Following a serious security breach in which a virus infected an email server, an organization deploys an IDS that alerts on known IOCs. The security administrator ensures the IDS is updated daily. However, the organization recently suffered another malware outbreak. What is the BEST way to mitigate the risk of similar future attacks?

Implement behavior-based detection on the existing IDS.

A bank is preparing to launch a new web application for loan processing; however, during testing it is determined that the application is vulnerable to buffer overflow attacks. What should the bank do to mitigate this risk?

Implement input validation

A company's public website is deployed in the company network DMZ. Several visitors to the website report that they have been infected with malware. The problem is traced to an XSS attack on the web server. The company needs to minimize the risk of this occurring again in the future. What should the company do?

Implement input validation with input filtering

Which of the following is NOT a common vulnerability in SCADA systems?

Inability to use IDS to monitor traffic

What is the difference between cybersecurity incident declaration and cybersecurity incident escalation?

Incident declaration is the formal acknowledgment of a security breach, while incident escalation is the process of transferring the responsibility of the incident to another team or department.

Due to a rash of frequent security breaches, an organization has implemented several SOC metrics. The organization's goal is to track these metrics for each breach. Which of the following has the most impact on the MTTR metric?

Incident response plan

Recently, a vendor was able to break into a sensitive data center while performing maintenance on an air conditioning unit. The organization decides to implement preventative physical controls to mitigate this risk. Which solution should the organization choose?

Install a locked fence that limits access to the data center.

A security analyst detects suspicious activity on a database server that supports an e-commerce website. The analyst performs a Nessus scan against the server and receives the partial output displayed below:
  86576 (1) - Oracle Database Multiple Vulnerabilities (October 2015 CPU)
  References
  CVE CVE-2015-4794
  CVE CVE-2015-4796
  CVE CVE-2015-4857
  CVE CVE-2015-4863
  CVE CVE-2015-4873
  CVE CVE-2015-4888
  CVE CVE-2015-4900
What should the analyst do FIRST to mitigate the issue?

Install any missing updates

A company performed vulnerability scans in their system and identified several network servers and clients with vulnerabilities. A remediation team is contracted to assist with the remediation process. It is determined that most of the devices require software patches. What should the remediation team do first when applying the patches?

Install the patches in sandboxed environments and test

Upper management has tasked the in-house security team with making protection against unknown threats a priority. Which of the following actions is NOT considered effective against unknown threats?

Installing anti-malware

A senior security analyst is using Burp Suite to test a web application. The analyst would like to modify an HTTP request with a payload and send it to the application to see its response. What tool in Burp Suite would the analyst use in order to take this action?

Intruder

A security consultant determines that an attack has taken place at a company based on:
• Mismatched port and application traffic
• Increased and unusual outgoing network traffic
• Traffic to and from regions where the company does NOT do business
• Increased HTML response traffic
Which of the following types of threat research is this scenario an example of?

IoC

The incident response team is contacted when an end user's computer is infected with ransomware. The team wants to contain the incident but also preserve as much forensic evidence as possible. What action should the team take FIRST?

Isolate the end user's computer

The CISO is currently reviewing root cause analysis findings and preparing a report based on the discoveries made throughout the incident response process. What is the importance of root cause analysis in incident response reporting?

It helps to identify the underlying causes of the incident to prevent similar incidents from occurring in the future.

A company brings in a cybersecurity consultant to improve network security. The consultant explains that the way client computers are used to remotely manage high-value servers is a potential risk. Currently, administrators use client computers to access servers that are deployed on a VLAN through an internal firewall. What technology should the consultant recommend to help ensure secure administration?

Jump box

A company's website is deployed on a perimeter network and it is accessible from the Internet. A cybersecurity consultant recommends that the company should require encrypted communication with its website in order to prevent unauthorized parties from intercepting information related to intellectual property. Which type of threat is the cybersecurity consultant trying to prevent?

Known

A review of security information shows that a network has been under attack several times during the last month. The attacks took the form of streams of packets coming from various external IP addresses. The specific types of packets that were used varied, and different network servers were targeted by the attacks. The attacks were unsuccessful. Which type of threat does this BEST describe?

Known

Which group within an incident response team should take primary responsibility for communicating with the police after a security incident?

Legal

You need to ensure that select network data, such as company emails, are not deleted or changed. If an unauthorized change does occur, the original version of the file should remain available. What should you use to accomplish this?

Legal hold

After a security incident, the Computer Security Incident Response Team (CSIRT) concludes that several actions could be taken to reconfigure network security and enable the team to respond faster during future security incidents. Where should this be documented?

Lessons learned

The incident response team determines that the primary cause of a recent incident was improperly set permissions. User accounts that had administrative permissions should not have had those permissions. Where should the need to change these permissions be documented?

Lessons learned report

A security consultant determines that recent instances of data exfiltration occurred when employees accessed network services from remote locations. A security policy is put into place to limit employees accessing the network from outside. Network access is restricted to the email server and public-facing websites only. Which access control is the security policy applying?

Location based

A cybersecurity consultant is helping a company to organize its internal incident response team. The consultant recommends that the company must be able to collect information about system events and system activity leading up to an incident. What should the team use?

Log viewer

A security consultant prepares a risk impact probability chart based on risk assessment. For which risk assessment ranking should the consultant recommend that the organization develop contingency plans?

Low likelihood/high impact

A threat hunter is analyzing logs as part of the detection phase of incident response. The logs show a user received 24 prompts in a row from their authenticator app before accepting the prompt. Correlating with other logs from the SIEM, this user then started attempting to log into systems that they had never previously logged into. What type of attack is indicated by the large number of prompts found in the logs?

MFA fatigue

A user notifies the security administrator about being prompted with an invalid certificate warning when connecting to the corporate intranet. Upon inspection, the administrator discovers an invalid ARP entry. Which attack was most likely being perpetrated against the user?

MITM

A junior threat intelligence analyst wants to improve their organization's awareness of TTPs used by several APT groups that target their industry. What popular open-source tool can be used to gather threat intelligence on the APTs known for targeting the industry, as well as the APT groups' TTPs, all in one source?

MITRE ATT&CK

A company completes its vulnerability scans as part of the implementation of an information security management process. The company is finalizing its remediation plans, and the legal team is working with in-house technicians to determine if there are any inhibitors to remediation. Which agreements should the legal team consider as inhibitors to remediation? (Choose two.)

MOU SLA

An in-house team is collecting downtime and repair time data based on recommendations made by a cybersecurity consultant. What information should they get from device manufacturers?

MTBF

Representatives from cybersecurity, technical support, network administration, and corporate management are working together to develop business impact analysis (BIA) as part of the company's business continuity plan. The team needs to develop guidelines for assessing criticality related to an incident. What should the team use as guidelines to help them to determine the criticality of an incident?

MTD

If there is a sizable time gap between mean time to detect and mean time to respond, which of the following incident response processes needs to be improved?

MTTA

A company's recent changes place it under regulations that require an annual security audit. The audit will be performed by an outside cybersecurity consulting group. As part of the preparation, the company needs to take an inventory of security controls in use, categorized by type. How should the company categorize the controls? Select the correct control types from the drop-down menus.

Mantrap - physical; Password - logical; IDS - logical; Guard - physical; Training - administrative; Separation of duties - administrative

During an ongoing incident response, which group is BEST qualified to avoid the inadvertent release of information?

Marketing (PR)

Which IOC would lead a security consultant to suspect that a command and control server is present on a network?

Mismatched port and application traffic

An organization has completed a quantitative risk analysis for its ecommerce system and is now trying to prioritize risks. The organization has calculated an annual loss expectancy (ALE) of $1M for the system. Implementing and managing security controls that will reduce the ALE by 40% will cost $300,000 per year to implement and maintain. What should the organization do?

Mitigate the risk to the system

An Extensible Markup Language (XML) injection attack resulted in several of a company's websites being compromised and used in cross-site scripting attacks. It is thought that the attack was the result of, or assisted by, an intentional insider threat. What should be done to prevent this type of attack in the future?

Monitor and validate user input

A company implements a BYOD policy. Employees can access company network resources internally or remotely using personal devices. The company needs to ensure that minimum configuration and security profiles are met before devices are allowed access. The company has prepared policies with specific technical requirements. What should the company use to enforce these policies?

NAC

An internet service provider (ISP) is acquiring a small regional competitor and the negotiations are ongoing. An unauthorized disclosure of information about the acquisition has occurred. Additional releases of information could increase the cost of the acquisition or jeopardize the deal. The ISP's security team initially suspects a social engineering exploit. It was finally identified as being from an email sent by an ISP employee. The employee's excuse was that he did not know what he could or could not say about the acquisition. What is the BEST solution that both companies should put in place to minimize the risk of additional unauthorized releases of information?

NDA

A security administrator is analyzing the data provided in the exhibit below. Which technology or tool most likely generated this output?

NetFlow

A company network is configured as a single subnet. A cybersecurity consultant recommends deploying a signature-based IDS on the subnet to identify, collect, and report information about malicious activity. What is the drawback of this type of device?

New, previously unknown threats typically go undetected

A company recently hired a dedicated security administrator. The administrator's first action will be to deploy a HIDS that makes decisions based on statistical data. What benefit will the new HIDS provide?

Node behavior will be tracked and analyzed against baseline

What advantage do non-credentialed scans offer compared to credentialed scans?

Non-credentialed scans require fewer resources and have less impact on network operations.

A security analyst is requested to identify factors for determining a company's risk likelihood. Which is NOT a factor related to risk likelihood?

Noncompliance resulting from a data breach

A company is considering using more cloud-based resources. What is considered the biggest risk area for the SaaS service model?

Password management

A security administrator receives the results of a vulnerability scan. Upon investigation, the administrator discovers the information shown in the exhibit. Which of the following is the best recommendation for mitigating this and similar risks in the future?

Patch management

A company detects an incident that impacts multiple offices in various locations in its network. The incident has been verified, but the incident response team has not yet been able to determine the scope of the incident or all of the devices and servers that are involved. The incident response team includes personnel from different departments within the company. The need for secure and timely communication between team members is critical. What should they use for communication?

Personal mobile devices

During which phase of the NIST 800-61 Incident Response Life Cycle is the lessons learned report prepared and later delivered to stakeholders at the lessons learned meeting?

Post-incident activity

What is the FIRST key phase of an incident response plan?

Preparation

What are the phases of an incident response plan? Arrange the phases in the correct order.

Preparation, Identification, Containment, Eradication, Recovery, Lessons learned

An organization's incident response team includes: • Technical services • Information technology (IT) • Management • Human resources (HR) • Public relations (PR) • Legal What is the BEST description of the primary role of PR in incident response?

Preparing clear, factual, jargon-free statements to customers, investors, and other stakeholders

What is the role of an eFuse in computing devices?

Prevent downgrading the device firmware version

What are the phases of an incident response plan? Arrange the phases in the correct order.

Proposed changes to the incident response plan

An incident leads to the inadvertent release of information about customers. A large number of ecommerce customers are involved. The response team needs to inform the appropriate person so that they can notify customers of the incident. Which stakeholder should the team contact for this?

Public relations

A security analyst is assisting the systems team in mitigating recent vulnerability scan findings. One finding indicates that a server is running an EOL, unsupported operating system. The systems team has informed the analyst that a critical application running on this server has been tested and will not function on a newer, supported operating system. Which of the following is NOT an appropriate compensating control to address this vulnerability?

Putting the server in the DMZ

A company contracts with a cyber security analyst as part of a risk identification exercise. The analyst plans to interview individuals from each department in order to assess the risks each of them perceives related to the systems they own. Which of the following is the analyst planning to perform?

Qualitative risk analysis

A machine learning system is being designed to provide a platform to effectively target security issues through automated analysis. What is the most important element in setting up a machine learning system for this purpose?

Quality and relevant training data

A company's disaster recovery plan (DRP) includes the following statement: "Continued business operations require at least one public web server to be returned to service with content not older than the last 24 hours." Which of the following is this an example of?

RPO

A security analyst makes the following recommendations as part of proactive threat hunting: • Disable or turn off unused software features. • Segment the network with border firewalls. • Bring operating system patches up to current levels. What types of action are these examples of?

Reducing the attack surface

A company is considering moving a portion of its operations to a public cloud to reduce operational expenses. The company deals with large amounts of private and privileged data. The company currently hosts its own data centers at multiple locations in the United States and they are designed to meet data isolation and regulatory requirements. What is a potential concern of moving to this deployment model?

Regulatory compliance requirements can prevent moving data to the cloud.

A company is preparing to release an online service that is targeted at healthcare providers. The company contracts a cybersecurity consultant to assist with final security tests. A vulnerability scan identifies a vulnerability in the web interface to the service. The consultant determines that although the risk is low, it is technically in violation of HIPAA requirements. Remediation would be expensive and it would delay the public release of the service. Future expansion plans rely on the service, so management will not consider not releasing the service. What should the company do?

Remediate the vulnerability and delay the release.

An ecommerce auction site allows clients to post auctions using a REST API. A security analyst is concerned about API key security. Which two methods should the analyst recommend for securing API keys? (Choose two.)

Require TLS for all connections. Restrict key usage to known IPs.

An organization processes and stores PHI. The organization's management is concerned that employees will breach regulatory requirements regarding this PHI. What type of administrative safeguard should the organization employ?

Require employees to sign confidentiality agreements

A company uses websites for communication with both employees and customers. The company hosts multiple private and public websites. Some websites have been found vulnerable to session hijacking after some attacks have been detected. What should the company do to prevent session hijacking in the future?

Require HTTPS for all websites

A company was recently targeted by a password spraying attack. An unknown number of user accounts and some sensitive data was compromised by the attack. The company changed its password policy to require more complex passwords based on recommendations from a security consultant. What other action should the company take?

Require two-factor authentication or MFA

A company follows the SDLC phases to provide guidelines for software development and release. In which phase should the company determine its security needs?

Requirement gathering

A GRC analyst is mapping their organization's cybersecurity program to the NIST Cybersecurity Framework. The analyst is trying to identify the functions that cover vulnerability scanning and vulnerability mitigation. Which functions cover these topics? (Select TWO).

Respond Detect

A security analyst is re-imaging systems as part of incident response procedures. What activity would the analyst perform as part of this process?

Restoring the system to a clean, default state

The CISO has reviewed annual metrics for incident response and would like to focus on improving the mean time to remediate. From an organizational perspective, why would improving this metric be a priority?

Return to normal business sooner

An administrator downloads and installs a driver from a driver listing site after receiving complaints that the VM-based server is running slowly. The administrator requests and receives the following digest from the vendor for the FS driver. The administrator then runs the following command. Which two actions should the administrator take next? (Select TWO.)

Revert the VM to the most recent snapshot. Ask the vendor to email the driver.

To mitigate the risk of a breach, a health services company has deployed a network-based intrusion prevention system (NIPS). However, a security analyst claims that this IPS may not detect breaches that use lost or stolen credentials. The analyst recommends that the company purchase cyberliability insurance. Which of the following risk management techniques is the analyst recommending?

Risk transference

A cyber consultant determines that sensitive information relating to company employees has been inappropriately released. The recommendation is made that access to this information should be limited to senior management and personnel in the human resources department. What type of access control should the company implement?

Role-based

A company wants to employ continuous scans as part of its information security vulnerability management process. A security consultant recommends using standards to enable the automated vulnerability management that can enumerate software flaws and configuration issues. Which standard should the company use to provide this?

SCAP

An enterprise network has several security controls that need to be updated or replaced. Management has made this a priority, and they want to complete the process as quickly as possible. A cybersecurity analyst plans to use automated testing to measure control effectiveness and ensure compliance. Which of the following provides standard methods for accomplishing this?

SCAP

An organization discovers that its systems are frequently being breached due to inconsistent or improper configurations. The organization needs a way to scan systems and ensure that they are in compliance with a hardened system configuration baseline. Which technology or platform should the organization deploy?

SCAP

A web application allows sales personnel to look up customer information. A sudden spike of data transmissions from the website is detected. Closer investigation indicates that the traffic started after the following string was used to connect to the website: http://fref.company.com/showcust.php?ID=1000 OR 1=1 What type of vulnerability is being exploited?

SQL injection

A company's perimeter network includes a secure web server, a not server, an FTP server, and a DNS server. The network is connected to the Internet by a firewall. Several remote clients access the internal network through the perimeter network. Remote clients have recently been the target of a man-in-the-middle attack. The company wants to require remote client connections through encrypted VPN connections only. Clients need to connect with multiple server types, and changes to firewall configurations must be kept to a minimum. What type of VPN should the company use?

SSL tunnel VPN

Recent activity reported by a NIDS makes the security team suspect that a recently installed program is infected with malware. Antivirus software scans do not indicate an infection. The security team needs a safe location in which to test the program. What should they use?

Sandbox

As part of an organization's risk mitigation planning, an incident response (IR) team has been formed and an incident response plan (IRP) has been drafted and approved by management. The IR team leader would like to meet with the team and review each member's role. The team leader also plans to guide the team through a simple IR scenario. What should the IR team leader do?

Schedule a tabletop exercise for all team members.

An organization frequently suffers phishing attacks and has determined that managerial controls need to be implemented to mitigate the risk of further attacks. Which of these controls is categorized as a managerial control?

Security awareness training for end users

A company is developing an application that has high security requirements. The company's development team plans to base the development process on the SANS secure SDLC model using an agile development methodology. Bugs were reported in a recently completed program component, and the development team coded corrections. The component needs to be tested again in order to ensure that the new code has not introduced any problems relating to confidentiality or integrity. What type of testing should the company perform?

Security regression testing

A web application team has just finished developing the first major update for their inventory management system. The new functionality has been verified; however, a security analyst is concerned that unexpected vulnerabilities have not been addressed. Which process should the development team implement to address this concern?

Security regression testing

A security consultant has run a vulnerability scan in a client's network. Upon reviewing the results of the scan, the consultant notices that there are many assets not showing up in the scans that should be included in the scope of the assessment. What change in the scan configuration should the consultant make?

Set the scan to include all required subnets.

An organization has deployed an NGFW, a SIEM system, and a HIDS on all workstations that handle sensitive data. However, the security team still spends an inordinate amount of time responding to low-level security events. Which technology can help the organization automate this process?

SOAR

Which of the following is a set of software programs that enables an organization to collect data about security threats from different sources and respond to low-level events without human assistance?

SOAR

Network administrators apply additional rules on perimeter network firewalls after a series of attempted attacks. A cybersecurity consultant has recommended reviewing the firewall logs to help ensure that the rules are having the desired effect. Which information is NOT available through the firewall logs?

Source and destination MAC addresses

During the analysis phase of incident response, an analyst finds a copy of an Excel file from a user's desktop in the temp folder. After comparing hashes of the original file and the copy to check data integrity, the analyst finds they do not have matching SHA-2 hashes. Upon further inspection, both files appear identical when opened, but the copy has a substantially larger file size. The copy was emailed to an unknown external email address during the time the threat actor was in the environment. Which terms describe the way the data was manipulated and moved during this incident? (Select TWO).

Steganography Exfiltration

The CISO is working on a communication plan, ensuring incident response stakeholders are adequately informed at the appropriate times. Which of the following MOST likely refers to communication to be sent only to technical stakeholders and not leadership?

Step-by-step instructions to properly escalate an incident to the forensic analysis team

New application requirements are requested shortly after the implementation and coding phase of the software development lifecycle is complete. The projected number of transactions per minute is increased by 50%. What type of testing should the development team use to determine if the application can meet this performance goal in its current version?

Stress testing

The development team receives updated requirements for the number of transactions per minute, as well as the data throughput requirements for a new application under development. The team has already completed the verification phase of the development process; however, they are concerned that the new requirements could introduce new vulnerabilities and leave the application in an unstable state. Which type of test should the team perform?

Stress testing

What is a requirement of the Trusted Foundry program?

Suppliers must provide an assured chain of custody for classified and unclassified ICs

Odd activity in server applications running on a Linux server leads a forensic analyst to suspect that the server was breached during a recent incident. The server is deployed in a company's perimeter network. The analyst needs to determine if the server is infected with malware. The anti-malware software that is running on the server did not detect an infection. The analyst is concerned about losing potentially volatile evidence. What data should the analyst attempt to capture FIRST?

System memory

Each university in a consortium actively performs threat hunting on their networks and systems. Rather than duplicate efforts, consortium members are interested in sharing cyber threat intelligence. Which option can help the consortium meet this requirement?

TAXII

The following scan was run on the internal network: nmap 192.168.2.15 The result is shown below: Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-29 13:09 Central Standard Time Nmap scan report for 192.168.2.15 Host is up (0.0023s latency). Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http What type of scan was run to collect this information?

TCP SYN

A company manufactures components used in aviation applications and needs to protect its supply chain from counterfeit products. The company plans to install IoT tracking devices on sensitive cargo while it is transported from suppliers. The company must ensure that the devices can store encryption keys securely. What should the company deploy to meet these requirements?

TPM

A company replaces the routers used to segment its network. It replaces them with firewalls to gain better control over traffic between subnets. What type of control is being used?

Technical control

ISO 27002 is a popular framework for security controls. The ISO 27002 framework document separates controls into four different categories. Which category would include the use of vulnerability scanning tools like Nessus or OpenVAS?

Technological controls

A SOC analyst is delivering the results of a recent vulnerability scan to the SOC manager. The results include the following vulnerabilities: • A 9.8 CVSS critical severity vulnerability on one non-critical workstation • A 9.1 CVSS critical severity vulnerability on three internet-facing servers • A 7.7 CVSS high severity vulnerability on all user workstations • A 7.1 CVSS high severity vulnerability on all user workstations In addition to presenting the results, the analyst needs to recommend which vulnerabilities to prioritize for mitigation. Based on the information provided, which vulnerabilities should they recommend for the organization to mitigate before the others? (Select TWO.)

The 7.7 CVSS high severity vulnerability on all user workstations. The 9.1 CVSS critical severity vulnerability on three internet-facing servers.

A company has four rack-mounted physical servers that are physically secured in a locked room and deployed on a private subnet. Each server hosts multiple VMs. Event logs from both the physical hosts and the VMs are consolidated on a syslog server that runs on a separate physical server. Administrative access is provided using a jump box. A review of the Windows system logs for the VMs indicates that two VMs are rebooting spontaneously at apparently random intervals. The VMs are hosted on different physical servers. One of the VMs hosts a database instance and the other is configured as a general file server. No other problems or anomalies have been reported. What is MOST likely causing this problem?

The VMs are infected with malware

A company developed an electronic health record (EHR) system that is primarily used to maintain diagnostic results and clinical notes. Data is accessed through a web application deployed in the company's perimeter network. A NIDS reports unexpectedly high rates of outgoing data from the EHR system database. What is the possible impact of this incident?

The company can be held legally liable for the release of PHI

A Windows server is running with higher than normal processor and memory consumption. The technical team suspects that there is a malicious process running on the server. A technician opens Task Manager on the server, but nothing stands out as causing the problem based on the current CPU usage. What else could indicate a malicious process?

The description is blank

On which two assumptions does data carving of a hard disk rely? (Select TWO.)

The file is not fragmented The beginning of the file containing the file signature is present

While prioritizing vulnerabilities, a security analyst was instructed by the CISO to consider asset values in the process. What is the relationship between asset value and vulnerability prioritization in information security?

The higher the asset value, the higher the priority for remediating vulnerabilities.

A SOC manager has been tasked with using the Diamond Model of Intrusion Analysis as a model to describe a recent cyber attack on their organization. The manager is currently focusing on the Infrastructure and Victim components of the model. Which of the following would be considered part of the Infrastructure or Victim sections? (Select TWO.)

The people the threat actor targeted The C2 servers the threat actor used in the attack

The following scan was run on the local network: nmap -sX 192.168.2.4 The results are shown below: Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-29 12:15 Central Standard Time Nmap scan report for 192.168.2.4 Host is up (0.0023s latency). Not shown: 994 closed ports What does this indicate about the listed ports?

The port gave no response to the scan

A security analyst is running a Nessus scan to confirm the findings that a third-party vulnerability scan had detected in their environment. Upon comparing the Nessus scan results to the third-party assessment, the analyst notices that there are a large number of additional vulnerabilities on critical Windows servers. What is the most likely cause of this difference in the scan findings?

The security analyst ran a credentialed scan.

A SOC manager has been tasked with using the Diamond Model of Intrusion Analysis as a model to describe a recent cyber attack on their organization. The manager is currently focusing on the Adversary and Capability components of the model. Which of the following would be considered part of the Adversary or Capability sections? (Select TWO.)

The tactics the threat actor used The motives of the threat actor

The security team updated the vulnerability scanner with current plug-ins. The result after scanning the network shows an increase in reported vulnerabilities. A custom application running on every network client computer is reported as vulnerable. The client computers are not showing any symptoms of malware or other intrusions. What does this most likely indicate to the security team?

The vulnerability reported is a false positive.

The CISO for your company has been asked to make sure that the legal department is present at an upcoming meeting. Which of the following highlights the importance of involving the legal department in incident response reporting and communication? (Select TWO).

They can provide guidance on complying with regulatory requirements. They can ensure that internal and external communications do not expose the organization to unnecessary additional liability.

A security administrator has been tasked with improving an organization's security stance. The administrator has collected and processed data and used the information to establish a hypothesis. What process is the administrator performing?

Threat hunting

In order to maintain regulatory compliance, a bank must prove that it is actively mitigating vulnerabilities. To achieve this requirement, a security analyst has been tasked with identifying the attack vectors a threat actor may try to use to breach the bank's website. Which process will the analyst perform?

Threat modeling

An incident response analyst has been told to be extremely cautious with forensic evidence and to always document the chain of custody. Which of the following are important components of chain of custody reporting in incident response? (Select TWO.)

Time evidence was collected Who handled the evidence

What is the goal of DevSecOps?

To automate integration of security at every phase of software development

An application that is currently under development calls for the use of parameterized queries. What is the justification for requiring parameterized queries?

To avoid SQL injection attacks

A company's network is fronted by a perimeter network. The internal network includes multiple subnets. A review of network traffic indicates that there have been multiple ping sweeps originating from different external IP addresses. A cybersecurity analyst thinks that these are part of an attempt to map the network in preparation for an attack. How should the Internet-facing firewalls be configured to prevent sweeps in the future?

To block all inbound ICMP Echo Request traffic

A security engineer decides to isolate a compromised system. What is the primary purpose of using isolation during incident response?

To block network traffic to and from the system, preventing further damage and lateral movement while the host is preserved for analysis

How is bus encryption used in PCs?

To help enforce DRM

What is the goal of proactive threat hunting?

To identify and remove malware or attackers that are hiding within a network.

What is the role of measured boot in the windows 10 boot process?

To have UEFI record a measurement (hash) of each boot component into the TPM and keep a log of the boot process that can be sent to a trusted attestation server

The incident response team determines that confidential information, including PHI, was downloaded during an incident. The legal department determines that a statement should be issued to customers who may have been affected. Why is this important?

To meet regulatory requirements about PHI

A security consultant is using the OWASP Testing Guide to prepare for an upcoming client engagement. What is the primary purpose of the OWASP Testing Guide?

To provide guidance for performing web application penetration testing and vulnerability assessments

What is the role of continuous integration in streamlining the software development process?

To merge validated changes into the main branch more quickly

A member of the cyberteam executes the following from a Linux host: ping -b -c 3 -i 30 192.168.2.255 What type of environmental reconnaissance effort does this indicate?

Topology discovery
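Added example, not part of the original study set, covering both the ping-sweep firewall question above and the `ping -b` broadcast command: a small Python detector that reads constructed firewall log lines, flags any source that echo-requests several distinct internal hosts (a sweep), flags echo-requests aimed at the subnet broadcast address (what `ping -b 192.168.2.255` produces), and lists the external sweep sources that an inbound "drop ICMP echo-request" rule on the Internet-facing firewall would have stopped. The log format, addresses and thresholds are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall log excerpt (not from the page): time src dst proto type
SAMPLE_LOG = """\
10:00:01 203.0.113.7 192.168.2.1 icmp echo-request
10:00:01 203.0.113.7 192.168.2.2 icmp echo-request
10:00:02 203.0.113.7 192.168.2.3 icmp echo-request
10:00:02 203.0.113.7 192.168.2.4 icmp echo-request
10:00:03 203.0.113.7 192.168.2.5 icmp echo-request
10:00:05 198.51.100.9 192.168.2.10 icmp echo-request
10:00:06 198.51.100.9 192.168.2.11 icmp echo-request
10:00:30 192.168.2.50 192.168.2.255 icmp echo-request
10:00:31 192.168.2.77 192.168.2.20 tcp syn
"""


def parse_log(text):
    """Yield (time, src, dst, proto, kind) tuples from the whitespace-separated log."""
    for line in text.strip().splitlines():
        ts, src, dst, proto, kind = line.split()
        yield ts, src, dst, proto, kind


def detect_sweeps(log_text, internal_net="192.168.2.0/24", threshold=4):
    """Flag sources that echo-request >= threshold distinct internal hosts (a sweep)
    and any echo-request aimed at the subnet broadcast address (ping -b style)."""
    net = ipaddress.ip_network(internal_net)
    targets = defaultdict(set)
    broadcast_pings = []
    for ts, src, dst, proto, kind in parse_log(log_text):
        if proto != "icmp" or kind != "echo-request":
            continue
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in net:
            continue
        if dst_ip == net.broadcast_address:
            broadcast_pings.append((ts, src))
        targets[src].add(dst)
    sweeps = {src: len(d) for src, d in targets.items() if len(d) >= threshold}
    return sweeps, broadcast_pings


def external_sweepers(sweeps, internal_net="192.168.2.0/24"):
    """Subset of sweep sources outside the internal network: exactly the traffic an
    inbound 'drop ICMP echo-request' rule on the perimeter firewall removes."""
    net = ipaddress.ip_network(internal_net)
    return sorted(s for s in sweeps if ipaddress.ip_address(s) not in net)


if __name__ == "__main__":
    sweeps, bcast = detect_sweeps(SAMPLE_LOG)
    print("sweep sources:", sweeps)
    print("broadcast pings:", bcast)
    print("external sweepers to block at the perimeter:", external_sweepers(sweeps))
```

Blocking inbound echo-requests at the perimeter stops external sweeps only; the broadcast ping in the sample comes from an internal host, which a perimeter rule would never see, so internal sweep detection still has to live in monitoring.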

The number of smart IoT devices deployed in an organization has increased. IoT devices include smart sensors that are used throughout the organization and consumer devices that are brought in by employees. A security consultant has been brought in to help improve organizational security due to the increased number of smart devices. Which threat modelling methodology should the security consultant use?

Total attack surface

A security engineer has been tasked with analyzing the security posture of a SCADA environment. Which of the following statements about scanning for vulnerabilities in ICS and SCADA environments are true? (Select TWO).

Traditional scanning tools may not be able to detect all ICS or SCADA system vulnerabilities. Vulnerability scanning can cause disruptions or damage to critical systems.

A SOC analyst notices that Tier 1 analysts are passing too many false positive alerts to Tier 2 analysts. What should the analyst suggest to improve this process? (Select TWO).

Triage training for Tier 1 analysts Improved alert tuning

The incident response team is investigating a possible incident. To which parties should communication be limited during the initial investigation?

Trusted parties

The development team needs to determine if an application fulfills its defined business requirements. What type of testing should they use?

UAT

During a vulnerability scan of the local network, a security administrator discovers some systems respond on non-standard ports. The administrator is concerned that this puts the systems at risk. What is the best option for mitigating this risk?

Uninstall unused applications and services

A security engineer has been tasked with mitigating several vulnerabilities discovered on their organization's most recent vulnerability scans. One of the vulnerabilities is related to SMB signing being disabled on all systems. How would the engineer advise the systems team to address this vulnerability in the most efficient way?

Use Domain-level Group Policy to enable SMB signing.

A bank's website was recently hijacked and encryption keys were stolen. The bank has upgraded the web and database servers, but it wants to ensure encryption keys are stored as securely as possible. Which is the best method for securely storing encryption keys?

Use an HSM to generate and store all keys

A company is setting up a small working group for a product development project. The project will have private resources that should be accessible from a small set of client hosts. It should be as easy as possible to add clients to or remove clients from the working group network. Traffic related to the project should be as isolated as possible from the network as a whole, and there should be no access to or from the Internet by the working group. Working group members work in various locations on the corporate campus and should not have to change offices. What solution should the security team use?

VLAN

The security team updated your vulnerability scanner with current plug-ins. The result after running a non-credentialed scan of the network shows an increase in reported vulnerabilities. A custom application running on several hosts is reported as vulnerable. The security team suspects a false positive. What action should the security team take first?

Verify whether the reported vulnerability is a true vulnerability.

An SOC analyst has been tasked with using the Diamond Model of Intrusion Analysis as a model to describe a recent cyber attack on their organization. The analyst is currently assessing the users targeted with spear phishing emails by the threat actor responsible for the incident. Which of the four components of the Diamond Model of Intrusion Analysis would this fall under?

Victim

A cybersecurity analyst is responding to a ticket from a user regarding a PDF attachment to an email. Although the email appears to be from a known contact, the user did not expect it to contain an attachment and wants to be sure it is legitimate. Which two of the following tools or techniques should the analyst use to safely determine whether or not the attachment is malicious? (Select TWO.)

VirusTotal Sandboxing

A company is deploying a set of web applications on its perimeter network. A security consultant is contracted to help identify potential problems and protective measures. The company wants to initially focus on risks identified in the OWASP top ten threats. The solution should minimize configuration and management requirements. Which are the BEST logs to monitor for this information?

WAF logs

A security engineer is using the Lockheed Martin Cyber Kill Chain to better understand a recent breach. What is the second stage of the Cyber Kill Chain?

Weaponization

A company establishes a Computer Security Incident Response Team (CSIRT). The company is documenting guidelines for communications during incident responses. The guidelines specify which stakeholders must be contacted and when, as well as the stakeholder roles. When should human resources (HR) be notified in incident response?

When an employee is involved in the incident.

An IT department of a major accounting firm has been informed that regulatory requirements stipulate that the firm must have a written data retention policy. Besides compliance, in which of the following scenarios is a data retention policy important? (Select TWO).

When performing Discovery and litigation holds When proving that chain of custody has been maintained

When should human resources (HR) be included in an incident response? (Select TWO.)

When the incident resulted in release of employee personally identifiable information (PIl). When an employee is found to have had a direct role in the incident.

A company purchases mobile devices for employee use. Employees should be limited to running only a specific list of approved applications on the devices. How should the company control access to applications?

Whitelisting

An organization receives, processes and stores highly sensitive data. As part of a multi-pronged approach to securing data in use, at rest and in motion, the company has decided to deploy Trusted Platform Module technology. Which of the following describes the primary benefit of this technology?

Whole-disk encryption

Users have reported the following issue with a commercial customer management application, any time a user accesses a customer record, even just to view the record, it is deleted from the database. The application runs as a web application. Antivirus software is running on the web server and the database server has not reported any problems. How should the security analyst classify the threat?

Zero day

Which command should be used to create a forensic image of a hard disk?

dd

Which two statements describe vulnerabilities that are associated with IoT devices? (Choose two.)

IoT devices usually ship with known default passwords. IoT devices can offer a broader attack surface.

Which command should be used to capture network packets and write them to a text file?

tcpdump (redirect its decoded output to a file; note that the -w option writes a binary pcap file rather than text)

A company completes a careful review of IDS reports, device logs and operating system logs. It determines that activity which was originally thought to be due to transient conditions is actually being caused by an ongoing attempt to infiltrate the network. The activities it has detected include network mapping, port scanning, attempts to crack passwords and attempts to remotely administer servers. This has been occurring for six months. Employee interviews indicate increased attempts at social media attacks and at least one attempted watering hole exploit. The target appears to be the company's database servers. What is this an example of?

APT

An educational institution is considering buying several laptops that come with self-encrypting drives (SEDs) installed. Which statement about SED security is accurate?

An SED remains unlocked if the laptop is restarted without shutting off power

The requirement to support mobile devices and access from home office devices has increased recently. The corporate security team will implement a policy-based endpoint security management system to protect the network and company resources. The team needs to audit external and mobile devices that require network access in order to develop the policy. Which elements are typically required for an endpoint security management policy? (Select THREE.)

Anti-malware support Operating system version VPN support

A company contracts with a cybersecurity firm to perform a detailed security review of the company network and procedures. After its initial review, the firm recommends that the company perform an internal review of its operational controls. Which actions should the company include in this review? (Select TWO.)

Check all acceptable use policies to determine if they are accurate and appropriate. Verify that users are aware of security policies and that they are being followed.

A security analyst is contracted to identify security risks in an organization. The analyst discovers several instances in which sensitive information was disclosed outside of the organization. It appears that most, if not all, of the disclosures were inadvertent, and most instances occurred through email messages. The company provides a training program to help users better recognize what is and what is not considered sensitive data. The analyst recommends implementing technical controls to prevent the release of data. What should the company implement?

DLP

A security audit identifies that employees have accidentally exposed sensitive company information to outsiders. Which type of control is most likely to prevent this from happening in the future?

DLP

During an audit, an analyst performs a full packet capture. The analyst is surprised to discover the packet payload displayed below. What two concerns would the analyst have?

Lack of DLP functionality and lack of transport encryption
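Added example (not part of the original study set, and the payload below is a constructed stand-in for the exhibit the question refers to) that shows how a DLP inspection step and the transport-encryption check would each react to that kind of capture: it scans a cleartext HTTP POST for primary account numbers, uses the Luhn check to reject digit runs that merely look like card numbers, masks the real ones, and flags the cleartext protocol. The regex, the sample card numbers (standard test PANs) and the function names are assumptions made for the example.

```python
import re

# Constructed cleartext HTTP payload as a packet capture might show it (not the page's exhibit)
SAMPLE_PAYLOAD = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "order=1234567890123456&card=4111111111111111&alt=5555 5555 5555 4444&cvv=123"
)

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Luhn check; filters out order numbers and other digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return digit strings that have card-number length and pass Luhn."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Redact all but the last four digits, the usual DLP/PCI display form."""
    return "*" * (len(pan) - 4) + pan[-4:]


def analyze_payload(raw):
    """Return the two audit concerns: PANs in the clear (needs DLP) and cleartext HTTP (needs TLS)."""
    first_line = raw.split("\r\n", 1)[0]
    cleartext_http = first_line.endswith(("HTTP/1.0", "HTTP/1.1"))
    pans = find_pans(raw)
    return {
        "cleartext_http": cleartext_http,
        "pans": pans,
        "masked": [mask_pan(p) for p in pans],
    }


if __name__ == "__main__":
    result = analyze_payload(SAMPLE_PAYLOAD)
    print("cleartext HTTP:", result["cleartext_http"])
    print("PANs found (masked):", result["masked"])
```

The Luhn step matters in practice: without it the 16-digit order number would be a false positive, and a DLP rule that blocks on bare digit patterns trains users to route around it.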

A company uses NetFlow analysis to provide real-time information about bandwidth usage by protocol and by application. The outgoing TCP traffic from one application rapidly increases to the point that it is using most of the available bandwidth, while incoming traffic levels have not changed by a significant amount. What type of attack does this most likely indicate?

Data exfiltration

A company's network includes an on-premises host. The following anomalous activity is recorded for the host: increased internal traffic with network services outside of normal business hours; increased outgoing traffic to an unfamiliar Internet location outside of business hours; intermittent spontaneous restarts. What type of activity might this indicate?

Data exfiltration
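Added example for the two NetFlow questions above (not part of the original study set): a Python routine that aggregates constructed flow records per host, destination and application, and raises an alert when outbound bytes dwarf inbound bytes, attaching the corroborating indicators from the questions (off-hours activity, unfamiliar external destination). The flow records, the internal address ranges, the "known destination" baseline and the thresholds are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records (not real data):
# (hour of day, src host, dst ip, app, bytes out, bytes in)
FLOWS = [
    (9,  "host-a", "203.0.113.20",  "https", 12_000,      900_000),
    (10, "host-a", "203.0.113.20",  "https", 15_000,      1_100_000),
    (2,  "host-b", "198.51.100.77", "https", 800_000_000, 40_000),
    (3,  "host-b", "198.51.100.77", "https", 950_000_000, 35_000),
    (11, "host-c", "192.168.10.5",  "smb",   5_000_000,   4_800_000),
]

INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]
KNOWN_EXTERNAL = {"203.0.113.20"}   # assumed baseline of destinations seen in normal operation
BUSINESS_HOURS = range(8, 18)


def is_external(ip):
    """True unless the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfil(flows, ratio_threshold=20.0, min_out_bytes=100_000_000):
    """Return alerts for (host, dst, app) tuples whose outbound volume dwarfs inbound.

    A large outbound/inbound asymmetry is the NetFlow signature of data leaving; the
    off-hours and unfamiliar-destination flags are the corroborating indicators.
    """
    agg = defaultdict(lambda: {"out": 0, "in": 0, "off_hours": False, "unfamiliar": False})
    for hour, host, dst, app, out_b, in_b in flows:
        a = agg[(host, dst, app)]
        a["out"] += out_b
        a["in"] += in_b
        if hour not in BUSINESS_HOURS:
            a["off_hours"] = True
        if is_external(dst) and dst not in KNOWN_EXTERNAL:
            a["unfamiliar"] = True

    alerts = []
    for (host, dst, app), a in agg.items():
        ratio = a["out"] / max(a["in"], 1)
        if a["out"] >= min_out_bytes and ratio >= ratio_threshold:
            reasons = [f"outbound/inbound ratio {ratio:.0f}:1"]
            if a["off_hours"]:
                reasons.append("outside business hours")
            if a["unfamiliar"]:
                reasons.append("unfamiliar external destination")
            alerts.append({"host": host, "dst": dst, "app": app, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_exfil(FLOWS):
        print(alert["host"], "->", alert["dst"], alert["app"], "; ".join(alert["reasons"]))
```

The minimum-bytes floor keeps tiny asymmetric flows (a DNS query, a heartbeat) from alerting; in production the ratio and floor would come from each host's own baseline rather than fixed constants.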

A company is developing a new application for processing patient records. The company is using external resources to develop the application, and initial testing will take place outside of the company. The company has decided to supply developers with data that is structurally similar to live data but that is an inauthentic version of the data. What is this an example of?

Data masking

Which policy identifies the person or group responsible for determining who has access to view or modified data and for setting guidelines for data disposal?

Data ownership

A company is under regulatory restrictions regarding when and how archived data can be destroyed. Which company policy should document this?

Data retention

An e-commerce company plans to subscribe to a shared infrastructure-as-a-service offering. The company wants to ensure that other tenants will not be able to view or modify its running processes. What should the IaaS provider do to support this requirement?

Deploy servers as VMs and implement a VM-based trusted execution environment model

The volume of sensitive data that a company is responsible for has increased significantly. A security consultant was contracted out of fear that the company might be under some form of APT. The consultant recommends implementing a policy of proactive threat hunting. What is the first step in proactive threat hunting?

Develop a hypothesis

A company contacted a security consultant to find ways to better protect its network's client computers. The company has asked the security consultant for a recommendation to help prevent rootkit infection. Which UEFI configuration setting should the consultant recommend?

Enabling secure boot

A company recently suffered a breach after a malware-infected firmware update was installed. A system administrator needs to ensure the authenticity and integrity of all future updates. What should the administrator do?

Ensure that all updates are digitally signed and verify each update's signature before installation

A hardware supplier plans to bid for a government contract. The contract stipulates that bidders must provide evidence to show that component authenticity and integrity are closely monitored. What should the supplier do to meet this requirement?

Ensure that processes are compliant with the Trusted Foundry program

What is the best description of an HSM?

An HSM provides for the provisioning, managing, storing, and disposing or archiving of cryptographic keys

A company was targeted by an APT attack. A security consultant helped identify the attack and remediate its effects. The security consultant recommends deploying a system to act as a lure for the attacks. The device will be deployed in the company's DMZ (perimeter network). Which type of device should the company deploy?

Honeypot

A security administrator is proactively hunting threats. As part of this exercise, the administrator would like to analyze attacker TTPs. Which technology or platform should the administrator deploy?

Honeypot

A security administrator is concerned that sensitive data could be vulnerable to sniffing attacks. Which technology can the administrator use to mitigate the risk?

IPsec

An organization is expanding its operations to the European Union and needs to ensure compliance with the GDPR. A security analyst informs the organization that, according to the GDPR, collected data must be adequate, relevant and limited to what is necessary. What should the organization do to comply with this requirement?

Implement data minimization practices

A company recently put together a computer security incident response team to enable the company to manage incidents using internal resources. A cybersecurity consultant helps the team create a forensic toolkit to support on-site acquisition and analysis. The team acquires a hard disk from a computer that was part of an incident and needs to use a disk analysis utility to search the hard disk for hidden threats. Which three actions should the team perform, in sequence, in order to analyze the disk? (Move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.)

1. Install a hardware write blocker on the source disk 2. Run a disk imaging utility to copy the disk to a wiped disk 3. Run the analysis on the forensic copy
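Added example, not part of the original study set, tying together the three acquisition steps above, the `dd` question and the chain-of-custody question: Python code that images a constructed "disk" file block by block (what `dd if=... of=...` does), hashes source and image to prove the copy is bit-for-bit identical, records who handled which item and when, and re-hashes the image before analysis. The read-only file descriptor is only a software stand-in for the hardware write blocker the procedure requires; the evidence file, handler name and log format are assumptions made for the example.

```python
import datetime
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def image_disk(source, dest, chunk=1 << 20):
    """Bit-for-bit copy of source to dest (the job `dd if=source of=dest` does).

    The read-only descriptor stands in for the hardware write blocker; it only
    guarantees this code never opens the evidence for writing, nothing more.
    """
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            dst.write(block)
    return sha256_file(source), sha256_file(dest)


class CustodyLog:
    """Minimal chain-of-custody record: who did what to which item, when, and its hash."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, item, digest):
        entry = {
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "item": item,
            "sha256": digest,
        }
        self.entries.append(entry)
        return entry

    def verify(self, item, digest):
        """True if the latest recorded hash for item matches digest (evidence unchanged)."""
        for entry in reversed(self.entries):
            if entry["item"] == item:
                return entry["sha256"] == digest
        return False


def acquire_and_verify():
    """Run the three steps on a constructed 'disk' and return (everything checks out, custody log)."""
    tmp = tempfile.mkdtemp()
    evidence = os.path.join(tmp, "evidence.raw")
    image = os.path.join(tmp, "evidence.img")
    with open(evidence, "wb") as f:          # constructed evidence, not a real device
        f.write(os.urandom(3 * 1024 * 1024 + 17))

    log = CustodyLog()
    log.record("analyst-1", "collected", evidence, sha256_file(evidence))   # step 1
    src_hash, img_hash = image_disk(evidence, image)                        # step 2
    log.record("analyst-1", "imaged", image, img_hash)
    # step 3: analysis runs on the copy; re-hash first to prove it is still pristine
    ready_for_analysis = log.verify(image, sha256_file(image))
    return src_hash == img_hash and ready_for_analysis, log


if __name__ == "__main__":
    ok, log = acquire_and_verify()
    print("image verified:", ok)
    for e in log.entries:
        print(e["time"], e["handler"], e["action"], e["sha256"][:16] + "...")
```

In a real acquisition the source hash is computed through the write blocker before imaging, both hashes go on the custody form with the handler's signature, and the analyst works only on a second copy of the image so the first stays as the reference.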

A company decides to use open-source freeware to manipulate photos. The security administrator suggests that the application should be sandboxed in order to enhance system security. What should the security administrator do on each system that will run the application?

Install virtualization software

An alert set on a Windows server fires because disk space is dropping below a predefined threshold level. A detailed analysis of the hard disk discovers that there are multiple hidden partitions, including one that is gradually increasing in size. The server is receiving data from other hosts and is sending data to an external IP address. Installed anti-malware software does not report any threats. The technical security team needs to diagnose and resolve the problem as quickly as possible. What action should the team take first?

Isolate the server from the network

A security consultant is working with a client that recently suffered a breach. The consultant has been tasked with recommending additional controls based on the lessons learned report from the incident. The report indicates that initial access was gained because the attacker somehow acquired a valid, active username and password combination and simply logged in to the company VPN with only that information. Next, the attacker was able to run malicious custom code on a server because it evaded the traditional, signature-based antivirus on the system. Which of the following controls would prevent similar attacks from happening in the future? (Select TWO.)

MFA Heuristic-based EDR

During a recent security audit at a medical practice, it was discovered that sensitive patient records are left open on publicly visible computer screens. The auditor warns the practice they may be in violation of regulatory laws. What is the auditor concerned will be disclosed

PHI

An organization implemented defense in depth methodology by deploying anti-malware on workstations and placing firewalls between sensitive network segments. The organization wants to further enhance the system by improving detection capabilities. Which two technologies or methods can the organization use to passively monitor all inbound and outbound network traffic? (Select TWO.)

Port mirror Network tap

A network administrator is concerned that several servers are being targeted by a DDoS attack. The administrator needs to continuously check the reachability of the servers and therefore creates the script shown below. Which language has the administrator used to create the script?

PowerShell

A company security team needs to validate the results of a vulnerability scan. They want to compare the results with historic log data from network routers, switches, and firewalls. What should they use to do this?

SIEM

A company security team wants to implement a security solution that aggregates data from both Linux and Windows computers in order to establish relationships between data entries. The solution should leverage machine learning technologies to help recognize concerns. What should the company implement?

SIEM

A system administrator needs to ensure data visibility by sending status, diagnostic and event information from network nodes to a centralized server. Which two technologies or platforms should the administrator use? (Choose two.)

SNMP Syslog

Several users browse multiple websites each day and document the results. The company needs the ability to analyze any malware downloaded to users' computers and quickly restore the computers to a clean state. Which technology should the company use?

Sandbox application

A government contractor works with data that has been labeled as top secret. The contractor has addressed encryption at rest and in motion; however, it must also be possible for data in use to be encrypted. What technology should the contractor employ?

Secure enclaves

Point-in-time analysis of network traffic through the perimeter network indicates that some network clients are streaming traffic to www.company.com. The number of clients involved is increasing, and the cyber security team suspects that the network is infected with a worm. The security team needs to prevent other clients from contacting that web location and redirect the traffic. What should the team use?

Sinkhole

A security analyst determines that a network is being targeted by a zombie botnet. What should the analyst use to gather information about the botnet?

Sinkholing

A company that processes protected health information needs to provide remote access to IT systems. Which of the following offers root-of-trust security and ensures that only trusted devices are allowed when connecting via untrusted networks?

TPM-based attestation

A security consultant recommends implementing measured boot on all company computers that run Microsoft Windows 10. What are two hardware prerequisites for measured boot? (Select TWO.)

TPM and UEFI
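Added example (not part of the original study set) covering the measured boot and TPM-attestation questions above: a Python simulation of the mechanism the TPM and UEFI provide together. Each boot stage is measured into a PCR with the TPM extend operation (PCR_new = H(PCR_old || H(component))), the event log records what was measured, the client returns a quote over the PCR and a server-supplied nonce, and the attestation server replays the log, checks the quote and compares against a golden value. The boot-stage blobs are constructed, and the quote is an HMAC stand-in for the asymmetric signature a real TPM produces with its attestation key; both are assumptions made for the example.

```python
import hashlib
import hmac

PCR_SIZE = 32  # SHA-256 PCR bank

# Constructed boot chain (stand-in blobs, not real firmware images)
GOLDEN_COMPONENTS = [
    ("uefi-firmware", b"UEFI firmware build 1.2.3"),
    ("bootloader", b"bootmgfw.efi signed"),
    ("kernel", b"ntoskrnl.exe 10.0"),
]
AIK_KEY = b"demo-attestation-key"  # assumed: a real TPM signs quotes with a private attestation key


def extend(pcr, measurement):
    """TPM PCR extend: PCR_new = SHA-256(PCR_old || SHA-256(component)). One-way and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components):
    """UEFI measures each stage into the PCR before handing control to it; the event log
    records what was measured so a verifier can replay the chain."""
    pcr = b"\x00" * PCR_SIZE
    event_log = []
    for name, blob in components:
        event_log.append((name, hashlib.sha256(blob).hexdigest()))
        pcr = extend(pcr, blob)
    return pcr, event_log


def quote(pcr, nonce, key):
    """Stand-in TPM quote over (PCR, nonce). HMAC is used for simplicity; real quotes are
    asymmetric signatures, so the verifier holds only the public attestation key."""
    return hmac.new(key, pcr + nonce, hashlib.sha256).digest()


def attest(components, nonce):
    """Client side: boot, then send the quote plus the event log to the attestation server."""
    pcr, event_log = measured_boot(components)
    return {"pcr": pcr, "event_log": event_log, "quote": quote(pcr, nonce, AIK_KEY)}


def verify_report(report, nonce, golden_pcr):
    """Server side: replay the log, check the quote binds PCR and fresh nonce, compare to golden."""
    replayed = b"\x00" * PCR_SIZE
    for _, digest_hex in report["event_log"]:
        replayed = hashlib.sha256(replayed + bytes.fromhex(digest_hex)).digest()
    if replayed != report["pcr"]:
        return False  # the log does not explain the PCR value
    if not hmac.compare_digest(report["quote"], quote(report["pcr"], nonce, AIK_KEY)):
        return False  # wrong key, or a replayed quote for an old nonce
    return hmac.compare_digest(report["pcr"], golden_pcr)


GOLDEN_PCR, _ = measured_boot(GOLDEN_COMPONENTS)

if __name__ == "__main__":
    nonce = b"fresh-nonce-1"
    print("clean boot accepted:", verify_report(attest(GOLDEN_COMPONENTS, nonce), nonce, GOLDEN_PCR))
    tampered = [GOLDEN_COMPONENTS[0], ("bootloader", b"bootkit.efi"), GOLDEN_COMPONENTS[2]]
    print("bootkit accepted:", verify_report(attest(tampered, nonce), nonce, GOLDEN_PCR))
```

Two properties carry the security argument: extend is one-way, so a compromised later stage cannot rewrite the PCR to hide an earlier measurement, and the nonce inside the quote stops a device from replaying a quote captured during a clean boot.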

A Windows server's processor and memory use intermittently increase to very high levels. A review of the task list in Task Manager does not show any unexpected processes, nor does it indicate any process that is likely to be causing the problem. A virus scan does not indicate any malware. The technical team needs to isolate the cause of this problem. What should the technical team do?

The next time the problem occurs, dump memory to an external hard disk

A user reports that their account has been hijacked. While investigating the user's claim, a security specialist performs packet analysis and obtains the partial results shown below. Which of the following should be the specialist's primary recommendation?

The organization should implement transport encryption

A security administrator is evaluating the security of an organization's wireless network as shown in the exhibit. What should the security administrator's top concern be?

The possibility of evil twins

A critical database server is experiencing intermittent performance issues; however, it does not exhibit any other symptoms of possible malware infection. All applications, services and data on the server are scanned for potential problems. A signature-based analysis scan does not report any problems, but a heuristic-based analysis scan reports three possible malware infections. Which statement best describes what is evident from the scan reports?

The possible infections should be further investigated

A company is moving to a cloud-based CRM solution. A security analyst recommends that the company ensure customer PII is protected. The analyst suggests that the data should be protected using the method shown below. Which method is the analyst proposing?

Tokenization

An organization plans to supply laptops to all sales executives and has asked a security administrator to provide a list of suggested specifications. The primary security requirement states that all data at rest should be encrypted and that encryption keys should be stored securely. Which technology should the administrator recommend?

Trusted Platform Module (TPM)

A company recently suffered a data breach when the CEO's laptop was modified to boot from an untrusted OS. The company plans to deploy more secure laptops to mitigate this risk in future. Which technology should the company ensure the new laptops support?

UEFI (with Secure Boot enabled)

A user returns from a sales trip and reports that their laptop seems to be running slowly. The security administrator runs a malware scan, which does not detect any issues. However, the administrator discovers the following PowerShell script in the user's recycle bin. Which of the following should be the administrator's primary concern?

Unauthorized changes have been made to the system's registry

