Cysa1
Configure NAC to only allow machines on the network that are patched and have active antivirus
The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's single Internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT department? A. Require the guest machines to install the corporate-owned EDR solution B. Configure NAC to only allow machines on the network that are patched and have active antivirus C. Place a firewall in between the corporate network and the guest network D. Configure the IPS with rules that will detect common malware signatures traveling from the guest network
Compile a list of IoCs so the IPS can be updated to halt the spread.
The SOC has received reports of slowness across all workstation network segments. The currently installed antivirus has not detected anything, but a different anti-malware product was just downloaded and has revealed a worm is spreading. Which of the following should be the NEXT step in this incident response? A. Send a sample of the malware to the antivirus vendor and request urgent signature creation. B. Begin deploying the new anti-malware on all uninfected systems. C. Enable an ACL on all VLANs to contain each segment. D. Compile a list of IoCs so the IPS can be updated to halt the spread.
. To prevent adversaries from intercepting response and recovery details
The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication during incident response? A. To prevent adversaries from intercepting response and recovery details B. To ensure intellectual property remains on company servers C. To have a backup plan in case email access is disabled D. To ensure the management team has access to all the details that are being exchanged
Invest in a failover and redundant system, as necessary
The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year. Below is the incident register for the organization: Which of the following should the organization consider investing in FIRST due to the potential impact of availability? A. Hire a managed service provider to help with vulnerability management B. Build a warm site in case of system outages C. Invest in a failover and redundant system, as necessary D. Hire additional staff for the IT department to assist with vulnerability management and log review
proactive threat hunting.
Understanding attack vectors and integrating intelligence sources are important components of: A. a vulnerability management plan. B. proactive threat hunting. C. risk management compliance. D. an incident response plan.
B. Enhanced encryption functions or D. Geographic access requirements
A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement? A. Data masking procedures B. Enhanced encryption functions C. Regular business impact analysis functions D. Geographic access requirements
. Use a DLP product to monitor the data sets for unauthorized edits and changes.
A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action? A. Automate the use of a hashing algorithm after verified users make changes to their data. B. Use encryption first and then hash the data at regular, defined times. C. Use a DLP product to monitor the data sets for unauthorized edits and changes. D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.
Directory traversal
A SIEM analyst receives an alert containing the following URL: http:/companywebsite.com/displayPicture?filenamE=../../../../etc/passwd Which of the following BEST describes the attack? A. Password spraying B. Buffer overflow C. Insecure object access D. Directory traversal
Perform penetration tests against the software company's internal and external networks.
A business recently acquired a software company. The software company's security posture is unknown. However, based on an initial assessment, there are limited security controls. No significant security monitoring exists. Which of the following is the NEXT step that should be completed to obtain information about the software company's security posture? A. Develop an asset inventory to determine the systems within the software company. B. Review relevant network drawings, diagrams, and documentation. C. Perform penetration tests against the software company's internal and external networks. D. Baseline the software company's network to determine the ports and protocols in use.
MFA
A company frequently experiences issues with credential stuffing attacks. Which of the following is the BEST control to help prevent these attacks from being successful? A. SIEM B. IDS C. MFA D. TLS
Change management
A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility caused the entire cluster to go offline. Which of the following solutions would work BEST prevent to this from happening again? A. Change management B. Application whitelisting C. Asset management D. Privilege management
Data loss prevention
A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future? A. IDS signatures B. Data loss prevention C. Port security D. Sinkholing
Legal counsel
A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements? A. Legal counsel B. Chief Security Officer C. Human resources D. Law enforcement
Implement a CASB and prevent certain types of data from being downloaded to a workstation.
A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data? A. Implement UEM on all systems and deploy security software. B. Implement DLP on all workstations and block company data from being sent outside the company. C. Implement a CASB and prevent certain types of data from being downloaded to a workstation. D. Implement centralized monitoring and logging for all company systems.
B. Shredding
A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST approach? A. Degaussing B. Shredding C. Formatting D. Encrypting
Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.
A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend? A. Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises. B. Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion. C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud. D. Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.
Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance? A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network. B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed. C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it. D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.
B. SaaS
A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network? A. VDI B. SaaS C. CASB D. FaaS
eFuse
A computer hardware manufacturer is developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades? A. Encryption B. eFuse C. Secure Enclave D. Trusted execution
C. Look at attacks against similar industry peers and assess the probability of the same attacks happening.
A consultant is evaluating multiple threat intelligence feeds to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client's attack surface? A. Ask for external scans from industry peers, look at the open ports, and compare information with the client. B. Discuss potential tools the client can purchase to reduce the likelihood of an attack. C. Look at attacks against similar industry peers and assess the probability of the same attacks happening. D. Meet with the senior management team to determine if funding is available for recommended solutions.
ISAC
A cybersecurity analyst is establishing a threat-hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely be used for this purpose? A. IoC feeds B. CVSS scores C. Scrum D. ISAC
A. Requirements analysis and collection planning
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing? A. Requirements analysis and collection planning B. Containment and eradication C. Recovery and post-incident review D. Indicator enrichment and research pivoting
Block the download of the file via the web proxy.
A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue? A. Blacklist the hash in the next-generation antivirus system. B. Manually delete the file from each of the workstations. C. Remove administrative rights from all developer workstations. D. Block the download of the file via the web proxy.
Acceptance testing
A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types of testing does this describe? A. Acceptance testing B. Stress testing C. Regression testing D. Penetration testing
Install an encryption solution on all mobile devices.
A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen? A. Implement a mobile device wiping solution for use if a device is lost or stolen. B. Install a DLP solution to track data flow. C. Install an encryption solution on all mobile devices. D. Train employees to report a lost or stolen laptop to the security department immediately.
Prepare an incident summary report.
A help desk technician inadvertently sent the credentials of the company's CRM in cleartext to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT? A. Contact the CRM vendor. B. Prepare an incident summary report. C. Perform postmortem data correlation. D. Update the incident response plan.
. Risk response
A newly appointed Chief Information Security Officer has completed a risk assessment review of the organization and wants to reduce the numerous risks that were identified. Which of the following will provide a trend of risk mitigation? A. Planning B. Continuous monitoring C. Risk response D. Risk analysis E. Oversight
Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements: * The partners' PCs must not connect directly to the laboratory network * The tools the partners need to access while on the laboratory network must be available to all partners * The partners must be able to run analyses on the laboratory network, which may take hours to complete Which of the following capabilities will MOST likely meet the security objectives of the request? A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis D. Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
. Switch to the WPA2 protocol.
A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data confidentiality protection. Which of the following is the BEST technical security control to mitigate this risk? A. Switch to RADIUS technology. B. Switch to TACACS+ technology. C. Switch to MAC filtering. D. Switch to the WPA2 protocol.
B. The host downloaded an application from utoftor.com.
A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following: Follow TCP stream: Which of the following describes what has occurred? A. The host attempted to download an application from utoftor.com. B. The host downloaded an application from utoftor.com. C. The host attempted to make a secure connection to utoftor.com. D. The host rejected the connection from utoftor.com.
Port scanning
A security analyst discovers the following firewall log entries during an incident: (Image) Which of the following is MOST likely occurring? A. Banner grabbing B. Port scanning C. Beaconing D. Data exfiltration
Logical network segmentation and the use of jump boxes
A security analyst has discovered malware is spreading across multiple critical systems and is originating from a single workstation, which belongs to a member of the cyberinfrastructure team who has legitimate administrator credentials. An analysis of the traffic indicates the workstation swept the network looking for vulnerable hosts to infect. Which of the following would have worked BEST to prevent the spread of this infection? A. Vulnerability scans of the network and proper patching B. A properly configured and updated EDR solution C. A honeynet used to catalog the anomalous behavior and update the IPS D. Logical network segmentation and the use of jump boxes
Examine the server logs for further indicators of compromise of a web application.
A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands: Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation? A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system. B. Examine the server logs for further indicators of compromise of a web application. C. Run kill -9 1325 to bring the load average down so the server is usable again. D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.
Volatile memory analysis
A security analyst identified one server that was compromised and used as a data mining machine, and a clone of the hard drive that was created. Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located? A. System timeline reconstruction B. System registry extraction C. Data carving D. Volatile memory analysis
Reverse engineering
A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation? A. Data carving B. Timeline construction C. File cloning D. Reverse engineering
The sender's email address
A security analyst inspects the header of an email that is presumed to be malicious and sees the following: Which of the following is inconsistent with the rest of the header and should be treated as suspicious? A. The use of a TLS cipher B. The sender's email address C. The destination email server D. The subject line
Use effective authentication and authorization methods.
A security analyst is generating a list of recommendations for the company's insecure API. Which of the following is the BEST parameter mitigation recommendation? A. Use TLS for all data exchanges. B. Use effective authentication and authorization methods. C. Implement parameterized queries. D. Validate all incoming data.
Establish a ransomware awareness program and implement secure and verifiable backups.
A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of incident in the future? A. Implement a UTM instead of a stateful firewall and enable gateway antivirus. B. Back up the workstations to facilitate recovery and create a gold image. C. Establish a ransomware awareness program and implement secure and verifiable backups. D. Virtualize all the endpoints with daily snapshots of the virtual machines.
DMARC
A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization: Which of the following technologies would MOST likely be used to prevent this phishing attempt? A. DNSSEC B. DMARC C. STP D. S/IMAP
detection and prevention capabilities to improve.
A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify: A. detection and prevention capabilities to improve. B. which systems were exploited more frequently. C. possible evidence that is missing during forensic analysis. D. which analysts require more training. E. the time spent by analysts on each of the incidents.
Domain Keys Identified Mail
A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective? A. A TXT record on the name server for SPF B. DNSSEC keys to secure replication C. Domain Keys Identified Mail D. A sandbox to check incoming mail
Confirm the workstation's signatures against the most current signatures.
A security analyst is reviewing a vulnerability scan report and notes the following finding: As part of the detection and analysis procedures, which of the following should the analyst do NEXT? A. Patch or reimage the device to complete the recovery. B. Restart the antiviruses running processes. C. Isolate the host from the network to prevent exposure. D. Confirm the workstation's signatures against the most current signatures.
SMS is a cleartext protocol and does not support encryption
A security analyst is revising a company's MFA policy to prohibit the use of short message service (SMS) tokens. The Chief Information Officer has questioned this decision and asked for justification. Which of the following should the analyst provide as justification for the new policy? A. SMS relies on untrusted, third-party carrier networks. B. SMS tokens are limited to eight numerical characters. C. SMS is not supported on all handheld devices in use. D. SMS is a cleartext protocol and does not support encryption.
Input can be crafted to trigger an injection attack in the executable.
A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output from the executable are shown below: Which of the following should the analyst report after viewing this information? A. A dynamic library that is needed by the executable is missing. B. Input can be crafted to trigger an injection attack in the executable. C. The tool caused a buffer overflow in the executable's memory. D. The executable attempted to execute a malicious command
D. Make sure the scan is credentialed, uses a limited plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan? A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations. B. Make sure the scan is uncredentialed, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. C. Make sure the scan is credentialed, has the latest software and signature versions, covers all external hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. D. Make sure the scan is credentialed, uses a limited plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
The MITRE ATT&CK framework
A security analyst needs to develop a brief that will include the latest incidents and the attack phases of the incidents. The goal is to support threat intelligence and identify whether or not the incidents are linked. Which of the following methods would be MOST appropriate to use? A. The Cyber Kill Chain B. The MITRE ATT&CK framework C. An adversary capability model D. The Diamond Model of Intrusion Analysis
VPN
A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport? A. CASB B. VPC C. Federation D. VPN
To reduce the attack surface
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal? A. To create a system baseline B. To reduce the attack surface C. To optimize system performance D. To improve malware detection
DNS server
A security analyst reviews SIEM logs and discovers the following error event: Which of the following environments does the analyst need to examine to continue troubleshooting the event? A. Proxy server B. SQL server C. Windows domain controller D. WAF appliance E. DNS server
Someone has configured an unauthorized SMTP application over SSL.
A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port? A. The server is configured to communicate on the secure database standard listener port. B. Someone has configured an unauthorized SMTP application over SSL. C. A connection from the database to the web front end is communicating on the port. D. The server is receiving a secure connection using the new TLS 1.3 standard.
Data enrichment
A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources? A. Data enrichment B. Continuous integration C. Machine learning D. Workflow orchestration
Remove it from the network and require air gapping.
A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment. Which of the following is the BEST solution? A. Virtualize the system and decommission the physical machine. B. Remove it from the network and require air gapping. C. Implement privileged access management for identity access. D. Implement MFA on the specific system.
Static analysis
A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the security analyst while performing this task? A. Static analysis B. Dynamic analysis C. Regression testing D. User acceptance testing
Implement DLP.
A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration? A. Deploy an edge firewall. B. Implement DLP. C. Deploy EDR. D. Encrypt the hard drives.
API
A vulnerability assessment solution is hosted in the cloud. This solution will be used as an accurate inventory data source for both the configuration management database and the governance, risk, and compliance tool. An analyst has been asked to automate the data acquisition. Which of the following would be the BEST way to acquire the data? A. CSV export B. SOAR C. API D. Machine learning
Validate user input before execution and interpretation.
According to a static analysis report for a web application, a dynamic code evaluation script injection vulnerability was found. Which of the following actions is theBEST option to fix the vulnerability in the source code? A. Delete the vulnerable section of the code immediately. B. Create a custom rule on the web application firewall. C. Validate user input before execution and interpretation. D. Use parameterized queries.
Properly configure XML handlers so they do not process &ent parameters coming from user inputs.
After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file: Which of the following is the BEST solution to mitigate this type of attack? A. Implement a better level of user input filters and content sanitization. B. Properly configure XML handlers so they do not process &ent parameters coming from user inputs. C. Use parameterized queries to avoid user inputs from being processed by the server. D. Escape user inputs using character encoding conjoined with whitelisting.
Change management
After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue? A. Privilege management B. Group Policy Object management C. Change management D. Asset management
ANDREAD
After an incident involving a phishing email, a security analyst reviews the following email access log: Based on this information, which of the following accounts was MOST likely compromised? A. CARLB B. CINDYP C. GILLIANO D. ANDREAD E. LAURAB
CAN bus
An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting? A. SCADA B. CAN bus C. Modbus D. IoT
Ensure a current non-disclosure agreement is on file.
An analyst must review a new cloud-based SIEM solution. Which of the following should the analyst do FIRST prior to discussing the company's needs? A. Check industry news feeds for product reviews. B. Ensure a current non-disclosure agreement is on file. C. Perform a vulnerability scan against a test instance. D. Download the product security white paper.
Remove the assets from the production network for analysis.
An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages. Which of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation? A. Change the passwords on the devices. B. Implement BIOS passwords. C. Remove the assets from the production network for analysis. D. Report the findings to the threat intel community.
A. Infrastructure
An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent? A. Infrastructure B. Capabilities C. Adversary D. Victims
Evidence retention
An employee was found to have performed fraudulent activities. The employee was dismissed, and the employee's laptop was sent to the IT service desk to undergo a data sanitization procedure. However, the security analyst responsible for the investigation wants to avoid data sanitization. Which of the following can the security analyst use to justify the request? A. GDPR B. Data correlation procedure C. Evidence retention D. Data retention
Reducing the attack surface area
An information security analyst on a threat-hunting team is working with administrators to create a hypothesis related to an internally developed web application.The working hypothesis is as follows: ✑ Due to the nature of the industry, the application hosts sensitive data associated with many clients and is a significant target. ✑ The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose vulnerable services. ✑ The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application. As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SQL injection attacks. Which of the following BEST represents the technique in use? A. Improving detection capabilities B. Bundling critical assets C. Profiling threat actors and activities D. Reducing the attack surface area
B. Replace the strcpy function
An internally developed file-monitoring system identified the following excerpt as causing a program to crash often: char filedata[100]; fp = fopen(`access.log`, `r`); srtcopy (filedata, fp); printf (`%s\n`, filedata); Which of the following should a security analyst recommend to fix the issue? A. Open the access.log file in read/write mode. B. Replace the strcpy function. C. Perform input sanitization. D. Increase the size of the file data butter.
D. 1433
An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server: Which of the following ports should be closed? A. 21 B. 80 C. 443 D. 1433
Threat hunting
An organization has not had an incident for several months. The Chief Information Security Officer wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal? A. Root-cause analysis B. Active response C. Advanced antivirus D. Information-sharing community E. Threat hunting
Perform automated security controls testing of expected configurations prior to production
An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production. Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of the following should the analyst recommend to prevent a recurrence of this risk exposure? A. Perform password-cracking attempts on all devices going into production B. Perform an Nmap scan on all devices before they are released to production C. Perform antivirus scans on all devices before they are approved for production D. Perform automated security controls testing of expected configurations prior to production
A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing
An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs? A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing. B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise. C. Sign up for vendor emails and create firmware update change plans for affected devices. D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.
Create a survey and distribute it to data owners.
An organization is focused on restructuring its data governance programs, and an analyst has been tasked with surveying sensitive data within the organization. Which of the following is the MOST accurate method for the security analyst to complete this assignment? A. Perform an enterprise-wide discovery scan. B. Consult with an internal data custodian. C. Review enterprise-wide asset inventory. D. Create a survey and distribute it to data owners.
B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans
An organization is upgrading its network and all of its workstations. The project will occur in phases, with infrastructure upgrades each month and workstation installs every other week. The schedule should accommodate the enterprise-wide changes, while minimizing the impact to the network. Which of the following schedules BEST addresses these requirements? A. Monthly vulnerability scans, biweekly topology scans, daily host discovery scans B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans C. Monthly host discovery scans, biweekly vulnerability scans, monthly topology scans D. Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans
more webserver.log | grep ג€"E ג€return=200 | xlsג€ > accessreport.txt
An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team wants to find out if any of these files were downloaded by public users accessing the server. The results should be written to a text file and should include the date, time, and IP address associated with any spreadsheet downloads. The web server's log file is named webserver.log, and the report file name should be accessreport.txt. Following is a sample of the web server's log file: Which of the following commands should be run if an analyst only wants to include entries in which a spreadsheet was successfully downloaded? A. more webserver.log | grep *.xls > accessreport.txt B. more webserver.log > grep ג€*xlsג€ | egrep ג€"E 'success' > accessreport.txt C. more webserver.log | grep ג€"E ג€return=200 | xlsג€ > accessreport.txt D. more webserver.log | grep ג€"A *.xls < accessreport.txt
Enforce geofencing to limit data accessibility
An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is the BEST option? A. Require all remote employees to sign an NDA. B. Enforce geofencing to limit data accessibility. C. Require users to change their passwords more frequently. D. Update the AUP to restrict data sharing.
C. Sinkhole the domains.
As part of an intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several domains and reputational information that suggest the company's employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST appropriate for intelligence gathering? A. Update the whitelist. B. Develop a malware signature. C. Sinkhole the domains. D. Update the blacklist.
To identify likely attack scenarios within an organization
Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response? A. To identify weaknesses in an organization's security posture B. To identify likely attack scenarios within an organization C. To build a business continuity plan for an organization D. To build a network segmentation strategy
. UEFI
Which of the following allows Secure Boot to be enabled? A. eFuse B. UEFI C. HSM D. PAM
Government ID Birth certificate
Which of the following are considered PI I by themselves? (Choose two.) A. Government ID B. Job title C. Employment start date D. Birth certificate E. Employer address F. Mother's maiden name
The devices may have weak or known passwords. The devices may utilize unsecure network protocols.
Which of the following are reasons why consumer IoT devices should be avoided in an enterprise environment? (Choose two.) A. Message queuing telemetry transport does not support encryption. B. The devices may have weak or known passwords. C. The devices may cause a dramatic increase in wireless network traffic. D. The devices may utilize unsecure network protocols. E. Multiple devices may interfere with the functions of other IoT devices. F. The devices are not compatible with TLS 1.2.
Unauthenticated commands
Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets? A. Remote code execution B. Buffer overflow C. Unauthenticated commands D. Certificate spoofing
Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.
Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications? A. Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot. B. Supervised algorithms require security analyst feedback, while unsupervised algorithms do not. C. Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are. D. Unsupervised algorithms produce more false positives than supervised algorithms.
Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection
Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities? A. Set up an FTP server that both companies can access and export the required financial data to a folder. B. Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection. C. Set up a PKI between Company A and Company B and intermediate shared certificates between the two entities. D. Create static NATs on each entity's firewalls that map to the ERR systems and use native ERP authentication to allow access.
Communications plan
Which of the following incident response components can identify who is the liaison between multiple lines of business and the public? A. Red-team analysis B. Escalation process and procedures C. Triage and analysis D. Communications plan
An individual's control over personal information
Which of the following is MOST closely related to the concept of privacy? A. The implementation of confidentiality, integrity, and availability B. A system's ability to protect the confidentiality of sensitive information C. An individual's control over personal information D. A policy implementing strong identity management processes
The testing is outside the contractual scope.
Which of the following is MOST dangerous to the client environment during a vulnerability assessment/penetration test? A. There is a longer period of time to assess the environment. B. The testing is outside the contractual scope. C. There is a shorter period of time to assess the environment. D. No status reports are included with the assessment.
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
Which of the following is a difference between SOAR and SCAP? A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics. B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope. C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does. D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.
Adjusting the web-browser settings to block ActiveX controls
Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user's web application? A. Deploying HIPS to block malicious ActiveX code B. Installing network-based IPS to block malicious ActiveX code C. Adjusting the web-browser settings to block ActiveX controls D. Configuring a firewall to block traffic on ports that use ActiveX controls
SCAP software
Which of the following is the BEST way to gather patch information on a specific server? A. Event Viewer B. Custom script C. SCAP software D. CI/CD
User acceptance testing
Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements? A. Security regression testing B. Code review C. User acceptance testing D. Stress testing
A. strings
During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition? A. strings B. head C. fsstat D. dd
Implement a web proxy to restrict malicious web content
During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent similar activity from happening in the future? A. An IPS signature modification for the specific IP addresses B. An IDS signature modification for the specific IP addresses C. A firewall rule that will block port 80 traffic D. Implement a web proxy to restrict malicious web content
A. Validate the binaries' hashes from a trusted source.
During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the NEXT step the analyst should take? A. Validate the binaries' hashes from a trusted source. B. Use file integrity monitoring to validate the digital signature. C. Run an antivirus against the binaries to check for malware. D. Only allow whitelisted binaries to execute.
Initiate the incident response plan.
Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night. Which of the following actions should the analyst take NEXT? A. Disable the privileged account. B. Initiate the incident response plan. C. Report the discrepancy to human resources. D. Review the activity with the user.
A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
In response to an audit finding, a company's Chief Information Officer (CIO) instructed the security department to increase the security posture of the vulnerability management program. Currently, the company's vulnerability management program has the following attributes :✑ It is unauthenticated. ✑ It is at the minimum interval specified by the audit framework .✑ It only scans well-known ports. Which of the following would BEST increase the security posture of the vulnerability management program? A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans. B. Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed scans. C. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Continue unauthenticated scanning. D. Continue scanning the well-known ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
get-content './Massivelog.log' -Last 10000 > extract.txt;
Massivelog.log has grown to 40GB on a Windows server. At this size, local tools are unable to read the file, and it cannot be moved off the virtual server where it is located. Which of the following lines of PowerShell script will allow a user to extract the last 10,000 lines of the log for review? A. tail -10000 Massivelog.log > extract.txt B. info tail n -10000 Massivelog.log | extract.txt; C. get content './Massivelog.log' -Last 10000 | extract.txt D. get-content './Massivelog.log' -Last 10000 > extract.txt;
Moving to a cloud-based environment
Which of the following organizational initiatives would be MOST impacted by data sovereignty issues? A. Moving to a cloud-based environment B. Migrating to locally hosted virtual servers C. Implementing non-repudiation controls D. Encrypting local database queries
A. H-ISAC
Which of the following sources will provide the MOST relevant threat intelligence data to the security team of a dental care network? A. H-ISAC B. Dental forums C. Open threat exchange D. Dark web chatter
A. Known threat
Which of the following threat classifications would MOST likely use polymorphic code? A. Known threat B. Zero-day threat C. Unknown threat D. Advanced persistent threat
B. Disconnect the laptop and ask the users jsmith and progers to log out.
While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk. The analyst sees the following on the laptop's screen: [*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A[SMBv2] NTLMv2-SSP Client : 192.168.23.115[SMBv2] NTLMv2-SSP Username : CORP\jsmith[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A[SMBv2] NTLMv2-SSP Client : 192.168.23.24[SMBv2] NTLMv2-SSP Username : CORP\progers[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A... Which of the following is the BEST action for the security analyst to take? A. Force all users in the domain to change their passwords at the next login. B. Disconnect the laptop and ask the users jsmith and progers to log out. C. Take the FILE-SHARE-A server offline and scan it for viruses. D. Initiate a scan of devices on the network to find password-cracking tools.
Hacktivist
While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor? A. Hacktivist B. Nation-state C. Insider threat D. Organized crime