CySA+ TestOut

Select the ISO 27k standard number from the dropdown list below that focuses on personal data and privacy. 27017 27018 27701 27002

27701

An organization has tasked a business leader with writing an executive summary for a cybersecurity incident report that they recently experienced. What key information should the executive include in the summary to provide a clear and concise overview of the incident? answer A detailed summary of the company's cybersecurity policies, procedures, and any relevant industry standards or regulations A detailed analysis of the methodology used by the attackers, including any statistical data and charts to support the findings A brief description of the incident, including the date, time, and scope of the attack A personal opinion on the effectiveness of the incident response plan and any biases or assumptions made

A brief description of the incident, including the date, time, and scope of the attack

Which of the following BEST describes a rogue access point attack? answer A hacker taking advantage of an access point that has not implemented the basic techniques to protect the network. A hacker getting a user or client to unintentionally connect to their access point instead of the legitimate point the user intended to use. A hacker installing an unauthorized access point within a company. A hacker advertising an access point using an extremely strong signal for malicious purposes.

A hacker installing an unauthorized access point within a company

An HVAC company's web application allows users to schedule appointments with their HVAC technicians. The application runs on outdated software and represents a security risk, but the software is also critical for the company's operations. The company decides not to upgrade the application and keep it as-is for business reasons. What kind of risk response does this represent? answer Transference Mitigation Acceptance Avoidance

Acceptance

While reviewing alerts, an analyst notices a new signature is generating a high volume of false positives. This appears to be the result of an error in the way the signature is written. This represents an issue with what attribute of threat intelligence? answer Timeliness Reconnaissance Relevancy Accuracy

Accuracy

A company has been targeted by a distributed denial-of-service (DDoS) attack, resulting in its website and online services being unavailable. Upon investigation, it was discovered that the attack originated from multiple sources and was directed at a specific set of targets. What is the most likely metric that the organization will use to measure the impact of this attack? answer Recurrence Affected hosts Mitigations required Risk score

Affected hosts

Which of the following components are the SIEM's way of letting the IT team know that a pre-established parameter is not within the acceptable range? answer Trends Sensors Alerts Dashboard

Alerts

The security team at a large organization is analyzing a recent cyberattack that targeted their network infrastructure. They must focus on the attack stages and the relationships between the adversary, infrastructure, and capabilities to understand the attack and plan for future security measures. What should the security team prioritize to address the current situation effectively and improve their security operations? answer Conducting a thorough vulnerability assessment of their systems Implementing strict access control policies and procedures Analyzing the attack using the Diamond Model of Intrusion Analysis and the cyber kill chain Deploying advanced intrusion detection systems

Analyzing the attack using the Diamond Model of Intrusion Analysis and the cyber kill chain

A company has recently upgraded to the latest version of their web application. During a review of the logs, the security analyst notices an unauthorized change made to the web application by an unknown user. Which of the following logs would MOST likely provide information about the unauthorized change? answer Event log Application log Security log System log

Application log

An attacker is browsing social media accounts associated with a targeted organization. Why is the attacker MOST likely using social media in this manner? answer Attackers can use information from social media as direct link into an organizations sensitive data. An attacker may find posts or user profiles that give away sensitive information. Attackers can use social media sites to access an organization's secure or critical internal information. Attackers can leverage social media as a vector to launch attacks against targets.

Attackers can leverage social media as a vector to launch attacks against targets.

A network administrator is responsible for securing a large organization's network. The administrator wants to identify potential threats by analyzing network traffic and routine activities. The network administrator believes that focusing on business-critical assets is the most important focus area for threat hunting. Which of the following is a reason to prioritize this focus area? answer Business-critical assets often have weak passwords or open ports that attackers can exploit. Attackers often target important assets like databases, servers, or applications. Misconfigurations in IT systems can create vulnerabilities that attackers can exploit. Isolated networks are often more secure, but attackers still exploit their vulnerabilities.

Attackers often target important assets like databases, servers, or applications.

A company recently hired a new Chief Information Security Officer (CISO) to help improve the company's security posture. This decision occurred after the company ran into the issue of siloed teams not working together to protect the security of their systems. What is the CISO's most important responsibility in this situation? answer Configuration management Changing business requirements Patching Awareness training

Awareness training

Which of the following are the three metrics used to determine a CVSS score? answer Risk, change, and severity Risk, temporal, and severity Base, change, and environmental Base, temporal, and environmental

Base, temporal, and environmental

A threat-hunting team is looking for unusual traffic and anomalous attempts to access the company's essential servers, databases, and applications. What is this an example of? answer Business-critical asset hunting Misconfiguration hunting Isolated network hunting Indicators of compromise hunting

Business-critical asset hunting

A customer logs into their bank account and simultaneously checks their email. They see an email containing a link that, when clicked, initiates a transfer of funds from the user's bank account to an attacker's account. What type of vulnerability does this situation describe? answer Broken access control CSRF XSS Injection

CSRF

This government resource is a community-developed list of common software security weaknesses. They strive to create commonality in the descriptions of weaknesses of software security. Which of the following government resource is described? answer CVE CISA NVD CWE

CWE

A system administrator is looking for a process that reduces the time and resources required to keep the company network up to date with the latest patches and configurations. Which of the following is specifically designed to meet the administrator's requirements? answer Compensating controls Patching and policies Awareness training Centralized operating system, application, and device management

Centralized operating system, application, and device management

The Chief Information Security Officer (CISO) at XYZ Corporation received a legal request to preserve an employee's data under investigation for insider trading. The CISO has to ensure that the data is preserved and kept under legal hold until the company concludes its investigation. Which of the following is true regarding the chain of custody in the scenario? answer Chain of custody is the documentation of evidence movement from one person to another, including who had custody of the evidence, when and why they transferred it, and what they did with it. Chain of custody refers to the process of restoring data from backup after a security incident. Chain of custody refers to the process of analyzing digital evidence to identify the source and cause of a security incident. Chain of custody refers to the security controls implemented to protect evidence from unauthorized access, modification, or deletion.

Chain of custody is the documentation of evidence movement from one person to another, including who had custody of the evidence, when and why they transferred it, and what they did with it.

The Results section of an assessment report contains four subtopics. Which of the following subsections contains the origin of the scan? answer Assessment Services Classification Target

Classification

A company's cybersecurity leadership team reviews its incident response plan (IRP) and wants to ensure it is fully prepared for potential disruptions to its business operations. The team considers the role of business continuity (BC) and disaster recovery (DR) in their IRP. Which options would be the most appropriate way for the team to integrate BC/DR in their IRP? answer Develop and test BC/DR plans to ensure operational resilience. Establish an incident response team. Conduct regular tabletop exercises to evaluate incident response procedures. Train employees on phishing awareness and prevention techniques.

Conduct regular tabletop exercises to evaluate incident response procedures.

A small information technology department is trying to reorganize and prioritize future projects. Senior management in the company now requires the IT department to track and control changes. What can the department use to benchmark its operations? answer Risk scores Service-level objectives Mitigation Configuration management

Configuration management

A financial organization is exploring special considerations in vulnerability scanning to enhance its security posture. After discovering a security breach, the organization focuses on remediation and maintaining the chain of custody for legal purposes. Which action would be MOST appropriate for the organization to ensure effective remediation while preserving the chain of custody? answer Re-image affected systems Use a cloud access security broker (CASB) Create a detailed incident response plan Establish a security operations center (SOC)

Create a detailed incident response plan

Which of the following network security attack types uses botnets on multiple networks to simultaneously attack a target? answer Fragmentation Protocol Amplification DDoS

DDoS

Where can you find a quick overview of your monitored system's current state? answer Information Management Retentions Dashboard Alerts

Dashboard

A financial institution is experiencing persistent cyberattacks from unknown sources. Which of the following active defense approaches can the company deploy to outmaneuver the attackers and gain insights into their methodologies? answer Performing regular vulnerability scans and patching identified issues. Installing firewalls and intrusion detection systems. Encrypting all sensitive data and limiting user access. Deploying honeypots to attract and identify potential attackers.

Deploying honeypots to attract and identify potential attackers.

When it comes to data monitoring, heuristics programs typically take one of several approaches. Which of the following are approaches that heuristics programs often take? (Select two.) answer Keep a user log to document everyone that handles each piece of sensitive data. Detect suspicious files through identification of genetic signatures that are similar to previously known malware. Compare current file states to a known baseline. Bring a file into a virtual testing environment and running it to identify its behavior. Monitor the system both in real time and randomly.

Detect suspicious files through identification of genetic signatures that are similar to previously known malware. Bring a file into a virtual testing environment and running it to identify its behavior.

During which phase of the incidence response life cycle do you identify an attack or an incident after it has begun? answer Post-incident Preparation Detection and analysis Containment

Detection and analysis

During a security breach, a security administrator identifies the stakeholders affected by the incident. What next step should the administrator take to ensure effective communication with the stakeholders? answer Delegate stakeholder communication to the public relations team Develop a communication plan based on stakeholder needs and interests Avoid communication with stakeholders until the incident has been fully resolved Send a detailed email to all stakeholders without prioritizing communication methods

Develop a communication plan based on stakeholder needs and interests

A security analyst has received a suspicious email that appears to be from a recognized address. The analyst needs to determine if the email is legitimate or not. Which of the following email analysis techniques would be the most appropriate for the security analyst to use in this scenario? answer Simple Mail Transfer Protocol (SMTP) JavaScript Object Notation (JSON) DomainKeys Identified Mail (DKIM) Multipurpose Internet Mail Extensions (MIME)

DomainKeys Identified Mail (DKIM)

A financial institution has experienced a cyber attack that has resulted in the theft of customer information. Which of the following is the MOST critical consideration for the incident response team? answer Stakeholders impacted Evidence Incident declaration Timeline of breach

Evidence

A system engineer wants to harden a system as a precaution against malicious port scans and probes. Which type of malicious activity is the engineer likely concerned about? answer External Zero-day Internal Isolated

External

An IPS permits a connection between a domain controller and a user device in the domain on port 445. A domain-enabled account then authenticates to the user device, accesses sensitive data, and transmits it over a Wide Area Network (WAN). What is the type of error in this situation? answer True negative False positive False negative True positive

False negative

Which of the following works together by calling on each other, passing data to each other, and returning values in a program? answer Kernel Function Stack Variable

Function

A boutique crafts company would like to set up a new eCommerce website. They are checking out vendors who have put a high level of detail into the security practices and implementation. They want to test a specific vendor's system to verify that it is not vulnerable to malicious actors injecting malformed data into the checkout process. Which kind of scan or test can the company run with permission? answer Map scan Fuzzing Baseline scan Internal scan

Fuzzing

You are a security analyst for your financial investment company, which services thousands of customers. A data breach has just occurred, and the incident response plan indicates that you need to notify the media of the data breach. Which of the following requires this type of notification? answer Law Enforcement Senior Management Human Resources HIPAA

HIPAA

You are checking the registry on a Windows server, as you suspect an autorun key has been compromised. Which of the following are keys you should check to verify that the autorun keys are still secure? (Select two.) answer HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Which of the following beaconing intrusion communication channel attacks can be mitigated by intercepting and decrypting traffic at the edge of a network and forwarding only legitimate traffic? answer Media files Domain Name System (DNS) Internet Relay Chat (IRC) HTTP and HTTPS Social media

HTTP and HTTPS

Threat actors can be divided into different types based on their methods and motivations. Which type of hacker usually targets government agencies, corporations, or other entities they are protesting? answer Nation-state Intentional Hacktivist Criminal

Hacktivist

Behavioral threat research combines IoCs to show patterns and techniques used in previous attacks. Which of the following threat indicators is normally associated with viruses? answer High memory usage Port hopping IP addresses from unusual geographic locations Rapidly changing domain IP addresses

High memory usage

A security team has conducted a vulnerability scan on their organization's systems and has generated a detailed list of affected hosts. The team needs to share the report with the IT department, but they want to ensure it is easy to view in a browser. Which format should the security team choose for the vulnerability report to ensure it is visually appealing and can be viewed in a browser-based dashboard? answer EXtensible Markup Language (XML) HyperText Markup Language (HTML) Plain text Comma Separated Values (CSV)

HyperText Markup Language (HTML)

Which of the following devices can monitor a network and detect potential security attacks? answer CSU/DSU Proxy DNS server IDS

IDS

A company is implementing a new authentication system that uses passwordless and SSO capabilities. During the rollout, the IT team notices some employees are having trouble accessing certain applications and resources, while others are experiencing no issues. Upon investigation, the team discovers that some applications and resources are not compatible with the new system. What is the BEST course of action for the IT team to take in response to this issue? answer Ignore the issue and allow some employees to be unable to access certain applications and resources Notify all employees to use their previous login credentials until the incompatible applications and resources are updated Contact the vendors of the incompatible applications and resources to see if they have updates that will make them compatible with the new system Immediately roll back the passwordless and SSO authentication system and revert to the previo

Immediately roll back the passwordless and SSO authentication system and revert to the previous system

What is the process of determining the extent of damage/potential damage from a security event known as? answer Intrusion analysis Impact analysis Damage analysis Trend analysis

Impact analysis

Your company has had a problem with users getting hacked even though you have established strong password policies. What is the next logical step to increase your company's security? answer Train the employees on the different types of hackers. Revise your company's password policy. Purchase new computers for all your employees. Implement two or more methods of authentication.

Implement two or more methods of authentication.

A large organization has recently experienced a significant cyberattack that disrupted its daily operations. The organization's management team reviews the incident and improves its business continuity and disaster recovery strategies. They want to focus on patch management concepts as part of the lessons learned. Which patch management best practices would most effectively enhance their BC/DR preparedness? answer Implementing a risk-based patch prioritization Prioritizing updates based on vendor recommendations Coordinating patch management with change management processes Establishing a centralized patch management system

Implementing a risk-based patch prioritization

According to OWASP, what is the number one risk for mobile devices? answer Improper platform usage Unsecure data storage Unsecure communications Extraneous functionality

Improper platform usage

Which of the following are security benefits of using software-defined networking (SDN) and virtualization in a network environment? (Select two.) answer Improved network performance through optimized routing Simplified network segmentation and isolation for easier threat containment Increased network agility for faster deployment of security controls Enhanced network security through hardware-based firewalls An easier transition to a cloud computing network architecture

Improved network performance through optimized routing Simplified network segmentation and isolation for easier threat containment Increased network agility for faster deployment of security controls

A company hires a new employee to work in its IT department. The new employee quickly gains the trust of the other coworkers. However, the company soon notices someone is accessing files without authorization and leaking sensitive information. Which of the following BEST describes the security threat presented in this scenario? answer Malware attack Phishing attack Insider threat Social engineering attack

Insider threat

A large company has just undergone a series of layoffs, and several employees have lost their jobs. One of the disgruntled laid-off employees feels the company treated those who were laid off unfairly. Which threat is this disgruntled employee MOST likely to pose to the company's cybersecurity? answer Supply chain Unintentional insider threat Script kiddie Intentional insider threat

Intentional insider threat

A security analyst wants to use a web application scanner to test the security of a web application. Which of the following is a feature of Burp Suite that could support the security analyst's requirements? answer Assessing the security of the underlying operating system Testing for vulnerabilities in the application source code Detecting malware and viruses on the web server Intercepting and modifying HTTP requests and responses

Intercepting and modifying HTTP requests and responses

Which of the following beaconing intrusion communication channels provides an easy method for attackers to send commands to zombie systems? answer Internet Relay Chat (IRC) Media files Social media HTTP and HTTPS Domain Name System (DNS)

Internet Relay Chat (IRC)

Which of the following BEST describes the isolation-based containment method? answer Involves disconnecting a device, VLAN, or network segment from the rest of the network Separates the network into subnetworks that are not able to communicate with each other directly Helps to ensure that compromised systems are restricted to the local segment Provides an extra layer of security that helps with containment

Involves disconnecting a device, VLAN, or network segment from the rest of the network

Your company is about to begin litigation, and you need to gather information. You need to collect emails, memos, invoices, and other electronic documents from employees. You'd also like to get printed, physical copies of documents. Which tool would you use to gather this information? answer Legal hold Timeline of events Chain of custody Timestamps

Legal hold

What is the name of the open-source forensics tool that can be used to pull information from social media postings and find relationships between companies, people, email addresses, and other information? answer Maltego Wayback Machine Google Earth Echosec

Maltego

You have just used the nano editor on your Linux server to create the following script: #!/bin/bashecho "Enter a number."read num1echo "Enter a second number."read num2sum=`expr $num1+$num2`echo "The sum of the numbers is: $sum" Which of the following scripting tools have you used to provide the sum of the two numbers entered by the user? answer Dynamic variables If/Else statements Boolean operators Mathematical operations Fixed variables

Mathematical operations Mathematical operations

A security analyst has identified a critical vulnerability in the company's web server. The analyst was able to fix the vulnerability within two hours. What does this two-hour time period represent? answer Mean time to detect Mean time between failure Mean time to respond Mean time to recover

Mean time to respond

A company is trying to determine how to handle the fallout of an executive that was arrested for embezzlement. Even though their customer's money is secure, they want to ensure there is not a run on the bank for withdrawals. Who should they work with to release details to the public? answer Legal Regulators Media Law enforcement

Media

A company is considering entering into a collaboration with a potential partner. The potential partner is a large, well-respected company with a strong track record in cybersecurity. The company has a concern about the potential partner's ability to comprehend and meet all its needs per its standard operating procedures. What is best to ensure mutual comprehension and communication methods short of legal recourse? answer Memorandum of understanding (MoU) Organizational governance Service-level agreement (SLA) Configuration management

Memorandum of understanding (MoU)

A network security analyst is performing a penetration testing engagement for a client. The analyst needs to identify and exploit vulnerabilities in the client's network. Which of the following tools is most commonly used by security professionals for this purpose? answer Angry IP Scanner OpenVAS Metasploit Nessus

Metasploit

As a sales representative for your company, you are in an airline lounge waiting for your next flight. To make the best use of your time, you decide to connect to the internet from your tablet to do some additional research about the company you will be contacting. You search for and connect to a Wi-Fi access point with the same name as the access point provided by the airline. However, it does not require a passcode, which the airline has instructed you to use to make the connection. You suspect that it might be a rogue access point. Which of the following vulnerability vectors does this type of attack fall under? answer Database Unsecured apps Device Network

Network

Which web application scanner uses an on-path (man-in-the-middle) proxy design? answer Nikto OWASP ZAP Burp Suite OWASP Top 10

OWASP ZAP

A security administrator wants to scan the company's network for vulnerabilities. Which of these scanners is an open-source software developed from the Nessus codebase? answer Tenable nmap Qualys OpenVAS

OpenVAS

An information security project manager of a large corporation suggests the security operations center (SOC) should replace the current vulnerability scanner with a more cost-efficient alternative that still retains the capabilities of their current closed-source software (proprietary software). At the next board meeting, which vulnerability scanner should the project manager propose? (Select two.) answer Nessus OpenVAS Qualys SecurityScorecard OpenSCAP

OpenVAS OpenSCAP

Which devices are responsible for forwarding packets in a virtual network? answer Virtual network software Virtual network devices Hypervisor software Physical networking devices

Physical networking devices

During an incident response, a security analyst has identified a compromised system and wants to isolate it from the network to prevent further damage. Which of the following is the BEST approach for isolating the system? answer Shutting down the system Terminating the system's processes through Task Manager Physically disconnecting the system from the network Disabling the system's network adapter through the device manager

Physically disconnecting the system from the network

An attacker is disguising a signature by encoding the attack payload and placing a decoder in front of the payload. Every time the payload is sent, the code is rewritten so the signature changes. Which of the following obfuscation techniques is the attacker using? answer Polymorphic shellcode Encryption Unicode evasion Insertion attack

Polymorphic shellcode

Which security control functional type operates before an attack can take place? answer Operational Preventative Managerial Technical

Preventative

A security engineer is looking to improve the security of their email system. The system has a built-in reporting mechanism that shows what things they can do to improve overall security and suggested fixes with different percentages to show importance. What component of vulnerability reporting does this relate to? answer Risk score Prioritization Mitigation Vulnerabilities

Prioritization

A company's website allows users to upload files stored on the server for other users to download. An attacker uploads a specially crafted file that contains malicious code, and the server does not properly validate the file. As a result, when other users download the file, the malicious code gets executed on their system. What type of vulnerability does this situation describe? answer RCE SSRF CSRF XSS

RCE

Alex, a security specialist, is using an Xmas tree scan. Which of the following TCP flags will be sent back if the port is closed? answer FIN URG ACK RST

RST

Which of the following describes an attack where injected script is immediately mirrored off a web server when a user inputs data in a form or search field? answer Reflected cross-site scripting Port mirroring MAC spoofing Stored cross-site scripting

Reflected cross-site scripting

A security analyst for a corporation notices abnormal OS process behavior and unauthorized changes in the network environment. The analyst reviews the logs and identifies suspicious activities on a server. Which security operations practice could the analyst have implemented to prevent the incident from happening in the first place? answer Regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them. Incident response procedures to quickly detect and respond to security incidents. Regular system backups to quickly restore systems and data in the event of a compromise. User access control policies to limit access to sensitive systems and data.

Regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them.

What is the first step in the recovery process after a security incident occurs? answer Reconstruct disks on any sanitized devices. Initiate employee security training. Remove the problem. Verify that user access has been restored.

Remove the problem

A defense contractor discovered that a competitor duplicated some of their products. While the contractor is afraid of losing revenue, the more significant concern is how the competitor was able to duplicate the product. What term describes how this situation occurred? answer Reverse engineering Fuzzing Internal scan External scan

Reverse engineering

A security analyst receives an alert from the organization's intrusion detection system (IDS) regarding unexpected output from a critical application. The analyst suspects that the application may be compromising. What should the analyst prioritize when investigating this issue to determine the cause of the unexpected output? answer Check for unauthorized user account creation Analyze network traffic for unusual patterns Investigate recent firewall rule changes Review application logs for anomalies

Review application logs for anomalies

Mary has been receiving text messages that contain links to malicious websites. Which type of attack is Mary a victim of? answer Agent Smith attack SMiShing SS7 vulnerability Simjacker

SMiShing

A cybersecurity analyst for a small company ensures the company's email security by configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The analyst needs to explain to other employees how SPF and DKIM work together. Which of the following statements correctly explain the role of SPF and DKIM in securing email communications? (Select two.) answer SPF verifies the source IP address of incoming messages while DKIM verifies the message content. SPF and DKIM allows the recipient to report back to the sender emails that failed the security measures. SPF verifies the message content while DKIM verifies the source IP address of incoming messages. SPF and DKIM together prevent email spoofing and ensure message authenticity. SPF and DKIM work together to scan for malware.

SPF and DKIM together prevent email spoofing and ensure message authenticity. SPF and DKIM work together to scan for malware.

Which method is used to limit and identify suspicious traffic by separating a network into manageable chunks? answer Air gap Jumpbox Segmentation ACL

Segmentation

A security researcher has discovered a vulnerability in a web application that allows an attacker to make requests to internal or external resources on behalf of the web server. Which of the following web vulnerabilities BEST describes this scenario? answer Structured Query Language (SQL) injection Server-Side Request Forgery (SSRF) Cross-Site Request Forgery (CSRF) Cross-Site Scripting (XSS)

Server-Side Request Forgery (SSRF)

Which of the following tools can be used to create botnets? answer Poison Ivy, Targa, and LOIC Jolt2, PlugBot, and Shark Shark, PlugBot, and Poison Ivy Trin00, Targa, and Jolt2

Shark, PlugBot, and Poison Ivy

You are currently attempting to establish a baseline of regular network traffic to detect potential DDoS attacks. At the moment, you are tracking numerous parameters like the number of packets sent and received, the number of unique connections, bandwidth usage, and other metrics that reflect the network's regular operation. Which step in establishing a baseline are you currently working on? answer Step 2 Step 1 Step 3 Step 4

Step 2

A support technician conducts system hardening after provisioning a server. Why is system hardening such a vital practice? (Select three.) answer System hardening eliminates the need for employee security training. System hardening involves patching the operating system. System hardening eliminates monitoring software. System hardening includes disabling unnecessary services. System hardening stores operating system configuration information. System hardening includes configuring security policies. System hardening reduces the attack surface of a system.

System hardening involves patching the operating system. System hardening reduces the attack surface of a system. System hardening includes disabling unnecessary services.

Which of the following are common examples of file system abnormal activity? (Select two.) answer Probes for services or systems running on the network by a remote device Unknown or unexplained messages and warnings in log files System reboots or crashes Modifications to system software and configuration files Anonymous logins

System reboots or crashes s logins

A small company recently experienced a cyberattack. The attackers have accessed sensitive company data and have caused significant damage to the network. The company has an incident response plan and a business continuity/disaster recovery plan in place, but the company has not tested the plan in a real-world scenario. What best practice should a cyber security analyst use to ensure an incident response plan is effective for a real-world scenario? answer Ignore the plan and respond to incidents as they occur Store the plan in a secure location and only provide access to top-level executives Rely on the expertise of the IT team to make decisions during an incident Test the plan on a regular basis and update it as necessary

Test the plan on a regular basis and update it as necessary

A company has identified multiple vulnerabilities in its systems, including one critical vulnerability that could potentially cause significant damage if exploited. Which vulnerability should the security team prioritize for remediation? answer The vulnerability with the most identified instances The vulnerability with the highest Common Vulnerability Scoring System (CVSS) score The vulnerability that is easiest to fix The critical vulnerability

The critical vulnerability

Which of the following is the MOST challenging part of gathering forensic data in a cloud environment? answer The data is not secure. The data is replicated in many places. The data is not saved on a hard drive. The data is subject to the laws in the country in which it's gathered.

The data is subject to the laws in the country in which it's gathered.

A company's security team is reviewing the logs of a recent cyber attack and using the Cyber Kill Chain and MITRE Attack framework to analyze the attack. They want to determine what stage of the Cyber Kill Chain the attacker was in and what techniques they used from the MITRE Attack framework. What is the primary reason the security team uses the Cyber Kill Chain and MITRE Attack frameworks during incident response and management? answer The frameworks offer real-time threat intelligence and analysis. The frameworks can help prevent attackers from transmitting sensitive data outside the organization, reducing the risk of data breaches and compliance violations. The frameworks help determine the root cause of a security incident and identify the responsible party. The frameworks allow analysts to break down a complex attack into smaller, more manageable components, which helps them identify potential vulnerabilities a

The frameworks allow analysts to break down a complex attack into smaller, more manageable components, which helps them identify potential vulnerabilities a

The Chief Information Security Officer (CISO) has informed a security analyst that an attacker has compromised a critical system. Upon investigation, the analyst determines that the attacker gained access through an unpatched vulnerability. The analyst recommends implementing compensating controls and isolating the system to prevent further damage. How can the security analyst use compensating controls in this scenario? answer To monitor and detect further intrusion attempts (but not isolate the compromised system) To isolate the compromised system and prevent the attacker from exploiting the vulnerability again To patch the unpatched vulnerability and prevent the attacker from accessing the system again To provide additional security controls to the compromised system and prevent future attacks

To isolate the compromised system and prevent the attacker from exploiting the vulnerability again

A large retail company notifies its incident response team in response to a recent security incident. The team then activates the incident response plan (IRP) and business continuity plan (BCP). After they resolve the incident, they conduct a lessons-learned review. What is the purpose of an incident response plan (IRP) and business continuity plan (BCP) in cybersecurity incident response and management? answer To educate employees on how to prevent and respond to future security incidents To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions To conduct a forensic analysis of the incident to determine the root cause and identify the responsible party To restore affected systems and data to their pre-incident state

To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions

Which type of impact is damage to an organization's reputation and other non-cost incident consequences? answer Immediate impact Total impact Organizational impact Local impact

Total impact

Which of the following data monitoring methods involves security teams monitoring data anomalies to investigate any outliers? answer File monitoring Heuristics Endpoint monitoring Trend analysis

Trend analysis

The Common Vulnerability Scoring System (CVSS) scoring for a newly deployed virtual appliance has reached 9.4. The attack vectors in the report included physical and network paths. Some of the other metrics in the report included: Privileges Required (PR) with a value of 'N' and User Interaction (UI) with a value of 'N.' After reviewing the details of the CVSS report, which response would a systems security officer provide to the appliance administrators to resolve most of the issues immediately? answer Use only Active Directory (AD) groups and/or configure roles. Setup data-at-rest encryption for the SQL database. Setup a new local account with a complex password Verify physical access logs to server racks.

Use only Active Directory (AD) groups and/or configure roles.

A technician is using a modem to dial a large block of phone numbers in an attempt to locate other systems connected to a modem. Which type of network scan is being used? answer Ping sweep Stealth Fingerprinting Wardialing

Wardialing

From the list on the left, drag each regular expression element to its correct description on the right. [A-Z] \w \d \s {1,3} Whitespace Word Quantifier Range

Whitespace \s Word \w Quantifier {1,3} Range [A-Z]

You are monitoring your network's traffic, looking for signs of strange activity. After looking at the logs, you see that there was a recent spike in database read volume. Could this be a problem and why? answer No. A spike in database read volume is a normal occurrence that is not suspicious. Yes. A spike in database read volume can show that someone is trying to use a brute force attack. Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database. No. A spike in database read volume is only a problem if it happens multiple times in a short period.

Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database.

Which of the following BEST describes the verification phase of the vulnerability management life cycle? answer It proves your work to management and generates verifiable evidence to show that your patching and hardening implementations have been effective. It protects the organization from its most vulnerable areas first and then focuses on less likely and less impactful areas. It communicates clearly to management what your findings and recommendations are for locking down the systems and patching problems. It is critical to ensure that organizations have monitoring tools and regularly scheduled vulnerability maintenance testing in place.

ble evidence to show that your patching and hardening implementations have been effective. It protects the organization from its most vulnerable areas first and then focuses on less likely and less impactful areas. It communicates clearly to management what your findings and recommendations are for locking down the systems and patching problems. It is critical to ensure that organizations have monitoring tools and regularly scheduled vulnerability maintenance testing in place.

A security administrator identified a vulnerability in an older system that requires significant changes to fix. However, the organization is reluctant to make these changes due to the cost and complexity associated with the transition. What type of inhibitor to vulnerability remediation is this? answer Service-level agreement Proprietary systems Legacy systems Organizational governance

gacy systems Organizational governance

Which of the following Linux and UNIX text editors provides a more user-friendly and intuitive interface than the more traditional text editors? answer nano zsh vim vi

nano

A large organization experiences a major data breach, and the cybersecurity team has been tasked to conduct a forensic analysis to understand the damage and identify potential vulnerabilities. What is the most crucial step in effectively applying the lessons learned from this incident? answer Assessing key systems for vulnerabilities Making architectural changes Securely storing digital evidence Monitoring network traffic regularly

ng architectural changes Securely storing digital evidence Monitoring network traffic regularly

A supervisor has tasked a security administrator with monitoring network activity on a subnet. Specifically, the supervisor wants all DNS requests incoming to the Samba domain controller on the domain controller's eth0 interface. The supervisor insists that the security administrator use a command line tool. What tool will provide the BEST results in accomplishing this task? answer Security information and event management (SIEM) Wireshark Security orchestration, automation, and response (SOAR) tcpdump

tcpdump