A.4 - CompTIA CySA+ CS0-003 Certification Practice Exam

A security analyst is reviewing a vulnerability report and notices that the report has presented the same vulnerability for the past three months. The report also shows that the vulnerability is present in the same system each month. What does this indicate? A. A configuration management issue B. Lack of vulnerability management tools C. Inadequate training and awareness D. A recurring vulnerability trend

D. A recurring vulnerability trend Explanation The recurring presence of the same vulnerability on the same system indicates a trend of vulnerability recurrence. Therefore, the security analyst must address the vulnerability to prevent potential exploitation and reduce risk to the affected system. This scenario does not indicate that training, awareness, or lack thereof, causes the recurring vulnerability. While a configuration management issue could be a cause of vulnerability recurrence, the scenario does not provide evidence to support this as the reason for the recurring vulnerability. A lack of vulnerability management tools could contribute to a vulnerability going unnoticed, but in the context of this scenario, the answer would indicate a recurring vulnerability trend.

A silicon valley-based technology startup recently suffered a cyber-attack targeting key intellectual property and defacing the company website, painting an impolite mustache on the picture of the CEO's face. The CEO is enraged and directs the cybersecurity team to "hit the attackers hard!" What process is the CEO directing the cybersecurity team to undertake? A. Vulnerability management B. Risk management C. Security engineering D. Active defense

D. Active defense Explanation An active defense is the most offensive cyber defense strategy. It describes using offensive actions to outmaneuver an adversary to make an attack harder. An active approach to cyber defense seeks to increase the likelihood that hackers will make mistakes and expose their methods. Vulnerability management reporting will not directly address an ongoing threat actor in a breach. It describes risks associated with an organization's information systems so security teams can remediate them before threats can exploit them. Security engineering does not directly address an ongoing threat actor in a breach. It designs secure features. A risk management program works to identify risks and determine how to minimize their likelihood or impact. It does not help a breach in progress.

While investigating malicious activity against their organization, an analyst establishes that a malicious actor is using anti-forensic techniques to evade detection. What type of actor is MOST likely responsible for this activity? A. MITRE ATT&CK B. Script kiddie C. Command and control (C&C) D. Advanced persistent threat (APT)

D. Advanced persistent threat (APT) Explanation APT describes the type of activity conducted by advanced cyber actors. This designation is most often associated with organized criminals and nation-states since it requires significant resources and coordination. Script kiddie refers to an unsophisticated actor who uses readily available hacker tools. Often a script kiddie has a limited understanding of the tools they are using. Many organizations use the matrix MITRE ATT&CK to better understand the tactics, techniques, and procedures (TTPs) used to conduct malicious activity. However, it is not a malicious actor. C&C refers to techniques for maintaining communications with a compromised device and is often associated with APT actors, but it is not a malicious actor.

A financial services company has discovered that its web application suffers from broken access control issues. Which of the following controls should a security expert recommend to mitigate the risks associated with these issues? A. Employ Role-Based Access Control (RBAC) B. Adopt a Security Development Lifecycle (SDLC) approach C. Implement a Web Application Firewall (WAF) D. Enforce password complexity requirements

A. Employ Role-Based Access Control (RBAC) Explanation RBAC is a security model that restricts access to resources based on the roles assigned to users. Implementing RBAC can help fix broken access control issues by ensuring that users only have the appropriate level of access to the needed resources. While a WAF can help protect against various web application attacks, it does not address broken access control issues directly. Password complexity requirements help secure user accounts but do not address broken access control issues directly. Although an SDLC approach can help improve the overall security of a software product, it does not directly address broken access control issues in an existing application.

A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure Agency. Which source of Defensive OSINT does the Agency represent? A. Government bulletins B. CSIRT C. Internal Sources D. CERT

A. Government bulletins Explanation The government is responsible for protecting the country's constituents and the national infrastructure and publishing various information and advice regarding observed threats. For example, the Department of Homeland Security and the Cybersecurity and Infrastructure Agency publishes several types of cybersecurity guidance, including basic informational content and binding operational directives that federal agencies must implement. A computer emergency response team (CERT) aims to mitigate cybercrime and minimize damage by responding to incidents quickly. It is important to consider that evidence regarding active threats, reconnaissance activities, and suspicious behavior exists within the protected environment. A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems.

Fill in the blank

1. 2. 3. System Logs 4. Internal Personnel 5. 6. 7. 8. 9.

An organization has implemented an incident response plan and regularly trains its employees to respond to security incidents. During a recent training session, an employee asked the trainer why playbooks are necessary when the incident response plan already exists. How would the trainer explain the difference between an incident response plan and playbooks? A. An incident response plan is a general framework for responding to any incident, while playbooks provide detailed procedures for responding to specific incidents. B. An incident response plan focuses on restoring business operations after an incident, while playbooks focus on containing and resolving the incident. C. An incident response plan is a step-by-step guide for responding to an incident, while playbooks provide guidelines and best practices for incident response.

A. An incident response plan is a general framework for responding to any incident, while playbooks provide detailed procedures for responding to specific incidents. Explanation An incident response plan provides a general framework for responding to any incident, while playbooks provide detailed procedures for responding to specific incidents. Incident response plans and playbooks can be flexible and adaptable to meet the needs of the organization and the incident at hand. The incident response plan focuses on minimizing the impact of security incidents on the organization, while playbooks focus on containing and resolving the incident. An incident response plan is a general framework for responding to any incident, while playbooks provide specific procedures for responding to specific incidents.

A small company has just experienced a cyberattack, which resulted in the unauthorized access of sensitive company data and significant damage to the network. Although the company has developed an incident response plan and a business continuity/disaster recovery plan, they have not tested either in a real-world scenario. Which options differentiate an incident response plan from a business continuity/disaster recovery plan? A. An incident response plan minimizes the impact of security incidents on the organization, while a BC/DR plan maintains essential business functions during a disruption. B. An incident response plan restores normal business operations as quickly as possible, while a BC/DR plan identifies and mitigates risks to the organization. C. An incident response plan and a BC/DR plan are the same thing.

A. An incident response plan minimizes the impact of security incidents on the organization, while a BC/DR plan maintains essential business functions during a disruption. Explanation An incident response plan focuses on minimizing the impact of security incidents on the organization. In contrast, a business continuity/disaster recovery plan focuses on maintaining essential business functions during a disruption. While both plans are critical for responding to security incidents, they have different objectives. An incident response plan focuses on responding to security incidents, not restoring business operations after a disruption. While restoring normal business operations may be a goal of incident response, it is not the plan's primary focus. An incident response plan and a business continuity/disaster recovery plan are distinct plans with different objectives.

A system administrator is looking for a process that reduces the time and resources required to keep the company network up to date with the latest patches and configurations. Which of the following is specifically designed to meet the administrator's requirements? A. Centralized operating system, application, and device management B. Awareness training C. Compensating controls D. Patching and policies

A. Centralized operating system, application, and device management Explanation Centralized operating system, application, and device management is a process that allows for the management of multiple systems, applications, and devices from a single location. This centralization ensures that everything stays updated with the latest patches and configurations, reducing the time and resources required to maintain multiple points of contact. Security patches released by developers and policies are often the first line of defense against successfully exploiting software vulnerabilities. However, patching and policies do not provide a process that meets the requirements of this administration. Compensating controls provide additional layers of security to protect against malicious or accidental breaches. However, it is not a process that reduces the time and resources required to keep the company network up to date with the latest patches and configurations. It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. However, awareness training is not part of the process of trying to reduce the time and resources required to keep the company network up to date with the latest patches and configurations.

A security analyst discovers that an attacker is attempting to launch a distributed denial-of-service (DDoS) attack on the company's network. What action should the security analyst take to prevent the DDoS attack from succeeding? A. Configure the router to limit the amount of traffic coming from the attacker's IP address B. Implement a firewall to block traffic from the attacker's IP address C. Shut down the server until the attacker is identified D. Add more bandwidth to the server to handle the increased traffic

A. Configure the router to limit the amount of traffic coming from the attacker's IP address Explanation The security analyst should configure the router to limit the amount of traffic coming from the attacker's IP address. This will prevent the attacker from overwhelming the company's server with traffic. The attacker could easily switch to a different IP address and continue the attack. Adding more bandwidth to the server would not prevent the DDoS attack and could actually make the situation worse by giving the attacker more resources. Shutting down the server would not prevent the attack from continuing, and it would also result in downtime for the company's services.

During a security breach, a security administrator identifies the stakeholders affected by the incident. What next step should the administrator take to ensure effective communication with the stakeholders? A. Develop a communication plan based on stakeholder needs and interests B. Avoid communication with stakeholders until the incident has been fully resolved C. Delegate stakeholder communication to the public relations team D. Send a detailed email to all stakeholders without prioritizing communication methods

A. Develop a communication plan based on stakeholder needs and interests Explanation Developing a communication plan on stakeholder needs and interests is essential for effective communication. Building strong relationships with stakeholders is crucial and is successful by providing accurate and timely information, listening to feedback, and responding to requests. Emailing all stakeholders without prioritizing communication methods may not address stakeholder needs and interests, resulting in ineffective communication. Delegating stakeholder communication to the public relations team without a communication plan may not address stakeholder needs and interests, resulting in ineffective communication. Avoiding communication with stakeholders until resolving the incident may cause stakeholders to feel uniforming of communication, leading to mistrust and potentially negatively impacting the organization's reputation.

There are several types of breaches that may require outside reporting to various entities such as customers, media, and the government. One of these types of breaches occurs if a device is lost or stolen. Which type of breach does this MOST likely describe? A. Device theft or loss B. Integrity/availability C. Data exfiltration D. Accidental data breach

A. Device theft or loss Explanation Device theft or loss occurs if a device is lost or stolen, and should be reported. Even with encryption and strong authentication protecting it, device theft/loss must be treated as a suspected breach. Data exfiltration occurs when an attacker takes data that is stored inside of a private network and moves it to an external network. Attacks that compromise the availability (destruction of systems-processing data) and integrity (modification of database records, for instance) are likely to require regulatory notification and reporting, but does not normally involve lost or stolen devices. An accidental data breach usually happens because of employee error or a system misconfiguration. Although this can lead to data being made public or sent to unauthorized recipients, it does not involve lost or stolen devices.

An analyst reviews an alert detecting a rogue backend server deployed behind the company's load balancer. After the analyst attempts to identify the possible threat, the DMZ firewall blocks the action. What process was the analyst using to identify where the connection of the device was on the network? A. Discovery scan B. Dynamic analysis C. Vulnerability scan D. Device fingerprinting

A. Discovery scan Explanation A map, or discovery, scan identifies the devices connected to a network or network segment. Vulnerability scans are resource intensive and usually scheduled for off-hour instances. If the problem is zoning, scheduling a vulnerability scan would tell the analyst mostly what is known at this point. Device fingerprinting describes the effort taken to identify details about a device more precisely. While a map or discovery scan looks for connected devices, a fingerprint scan looks to focus attention on an individual device. Dynamic analysis includes using vulnerability scanning software to identify vulnerabilities.

A security analyst is evaluating the company's vulnerability management program in a mixed infrastructure environment. Which of the following infrastructure models requires the analyst to consider multiple environments when understanding vulnerability scoring concepts? A. Hybrid cloud B. On-premises C. Private cloud D. Public cloud

A. Hybrid cloud Explanation Hybrid cloud involves managing both on-premises and cloud infrastructure, which may affect vulnerability scoring due to the need to consider multiple environments. Private cloud is a cloud infrastructure solely dedicated to a single organization, making it less complex than a hybrid cloud in terms of vulnerability scoring. Public cloud refers to a shared cloud infrastructure available to multiple users but does not involve on-premises infrastructure like a hybrid cloud. On-premises infrastructure is solely managed within the organization's premises and does not involve cloud infrastructure, making it less complex than a hybrid cloud in terms of vulnerability scoring.

Which of the following incident response documents is used to track critical details about an incident? A. Incident form B. Incident response playbook C. Escalation list D. Incident checklist

A. Incident form Explanation An incident form is used to track critical details about an incident. An escalation list includes contact information for the person or persons responsible for responding to an incident. An incident checklist provides an overview of activities that should be completed anytime there is an incident. With an incident response playbook, organizations define the steps they need to take to respond to a security incident, such as the specific roles, processes, and procedures that security staff must follow.

Which of the following is an example of a Key Performance Indicator (KPI) that can indicate a trend in an organization's cybersecurity incidents over time? A. Indicators of Compromise (IoCs) B. Risk Assessment C. Detection Time D. Resource Allocation

A. Indicators of Compromise (IoCs) Explanation By tracking these key performance indicators (KPIs) over time, organizations can determine if the Indicators of Compromise (IoCs) are increasing in their environment, indicating a trend in cybersecurity incidents. Detection Time is a key performance indicator (KPI) that indicates the average time it takes to detect incidents; it does not necessarily indicate a trend in cybersecurity incidents. Resource Allocation is a key performance indicator (KPI) that indicates the percentage of cybersecurity resources organizations allocate to different areas. While ensuring the appropriate allocation of resources is essential, it does not indicate a trend in cybersecurity incidents over time. Risk Assessment does not indicate a trend in cybersecurity incidents over time.

A network engineer wants to simplify network and security services. How could Secure Access Service Edge (SASE) help to simplify these services for the engineer? A. It combines network and security functions into a single cloud-hosted service. B. It offers elementary features. C. It blocks the remote manage of networks and systems. D. It requires dedicated hardware.

A. It combines network and security functions into a single cloud-hosted service. Explanation Secure Access Service Edge (SASE) aims to simplify the complexity of managing multiple network and security services by combining networking and security functions into a single cloud-hosted service. SASE eliminates the need for dedicated hardware, which allows security teams to quickly adapt to changes while maintaining secure access to any user from any device. SASE also offers advanced features such as identity and access management, secure web gateways, and supports Zero Trust network access, all designed to protect an organization's data and applications while providing uninterrupted user access. SASE also facilitates remote management of networks and systems.

A company has tasked a network administrator with implementing vulnerability scanning methods to ensure the security of the company's network. The administrator decides to begin with asset discovery and device fingerprinting. How does this help with securing the company's network? (Select two.) A. It identifies vulnerabilities within the network. B. It identifies all employees who are connected to the network. C. It identifies the purpose, vendor, software, and configuration of each device on the network. D. It identifies the tampering of network and wireless equipment and computers. E. It detects malware and other malicious software on the network.

A. It identifies vulnerabilities within the network. C. It identifies the purpose, vendor, software, and configuration of each device on the network. Explanation Asset discovery and device fingerprinting can identify potential problems and uncover potential vulnerabilities to help secure the company's network. Asset discovery and device fingerprinting help identify devices on the company's network, including their purpose, vendor, software versions, and configuration details. This information can help identify potential vulnerabilities to help secure the network. While asset discovery and device fingerprinting do not specifically detect malware or other malicious software on a network, they can help identify unsecured or unauthorized devices on the network. Asset discovery and device fingerprinting do not identify individual employees connected to a network, but they can help determine the types of devices used by employees and whether they adhere to security policies and best practices. Hardware can be reverse-engineered to better understand how it operates and to carefully inspect how a device operates in order to determine if it has been tampered with.

Which of the following tools will allow a security analyst to run the module auxiliary/admin/networking/cisco_secure_acs_bypass to scan for vulnerabilities on a Cisco device? A. Metasploit Framework B. Nmap C. Recong-ng D. Pacu

A. Metasploit Framework Explanation The Metasploit Framework has a module library with the auxiliary/admin/networking/cisco_secure_acs_bypass module available for use. Administrators specify the module using these paths in the library. Pacu is an exploitation framework commonly used for evaluating an Amazon Web Services (AWS) environment. It has modules that can exploit application programming interfaces (APIs) and virtual machine (VM) instances. Recon-ng is a reconnaissance framework tool to map an organization's network. Acquired data would include IP addresses, subdomains, software versions, and many other attributes. The Nmap Security Scanner can use diverse methods of host discovery and fingerprinting. For example, the hacker would use this tool to discover IP, port, and software information.

A company has discovered that sensitive data leaked to the public. The IT team needs to assess the potential vulnerabilities and identify the attack vectors that could have led to this incident. Which methodology framework can the team use to guide their testing process? A. Open Source Security Testing Methodology Manual (OSSTMM) B. Open Web Application Security Project (OWASP) Testing Guide C. Penetration Testing Execution Standard (PTES) D. NIST Special Publication 800-53

A. Open Source Security Testing Methodology Manual (OSSTMM) Explanation The OSSTMM provides a comprehensive framework for testing the security of software systems. It includes identifying system assets, threat modeling, and vulnerability analysis. The OWASP Testing Guide focuses on testing web applications for security vulnerabilities. It provides a structured approach to testing vulnerabilities like injection and cross-site scripting (XSS) attacks. However, this framework does not apply to the current scenario. The PTES provides a framework for conducting penetration testing. It includes pre-engagement interactions, intelligence gathering, and threat modeling. While the PTES may be useful in testing network vulnerabilities, it may not be the best option for assessing the current data breach. NIST Special Publication (SP) 800-53 provides guidelines for security and privacy controls for federal information systems and organizations.

A security analyst is going through systems looking for potential misconfigurations. What are some key items the analyst should search for while misconfiguration hunting? (Select three.) A. Open ports B. Unpatched software C. New user creation D. Weak passwords E. Isolated networks F. Money transfer G. Physical access points

A. Open ports B. Unpatched software D. Weak passwords Explanation One key item to search for during misconfiguration hunting is weak passwords. An attacker can exploit weak passwords and gain control of a system. Another key item to look for while misconfiguration hunting is open ports. Open ports offer attackers potential exploits leading to system compromise. During misconfiguration hunting, it is crucial to search for unpatched software. Unpatched software is a common exploit used by cybercriminals. Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. Searching for isolated networks is not a component of misconfiguration hunting. Isolated network hunting involves searching for vulnerabilities in physical access points that could be used to gain access to the isolated network. Business-critical asset hunting involves an organization's processes used to manage critical assets. These processes can be targeted, such as new user creation, money transfer, access permission approvals, and other similar high-risk functions.

A system administrator is responsible for maintaining the security and integrity of a company's servers. One of the critical tasks to perform involves keeping software up to date and protected from known vulnerabilities. Which concept is most relevant to updating software to address these vulnerabilities? A. Patch management B. Time synchronization C. Log analysis D. Windows Registry management

A. Patch management Explanation Patch management deals specifically with the identification, acquisition, and deployment of software updates to fix known vulnerabilities, making it the most relevant choice for the system administrator's task. Time synchronization ensures accurate event correlation and system management, but it is not the primary method for addressing software vulnerabilities. Log analysis is essential for detecting potential security incidents and monitoring system activities, but it does not focus on remediating software vulnerabilities through updates. Windows Registry management optimizes system performance and configuration, but it does not directly involve updating software to fix vulnerabilities, especially for systems that are not Windows.

As you review your network's storage shares to ensure permissions have been securely defined, you come across the following list of users and permissions set to a share on one of your key storage locations. Two of the regular users should have Read and Write permissions (Bob Barker and Jennifer Banks). The other two individuals should not (Joseph Lange and Bob Marley), who were both given access during a specific project but should've had their Write permissions removed afterward. What is it called when permissions are given for a task but then never removed when they are no longer required? A. Privilege creep B. Account elevation C. Privilege elevation D. SAM database creep

A. Privilege creep Explanation The answer is privilege creep, which is the gradual accumulation of permissions beyond what a person requires to do their job. Account elevation is not a label for the slow accumulation of privileges. Privilege elevation does not describe the process of slowly adding rights. The SAM database is where local usernames and password hashes are stored on Windows, but there is no creep function that provides what is described here.

Which of the following is a benefit of vulnerability management reporting? A. Reduced response time to cyber threats B. Higher risk of cyberattacks C. Increased complexity of IT infrastructure D. Decreased awareness of potential weaknesses in systems

A. Reduced response time to cyber threats Explanation Vulnerability management reporting aims to improve an organization's response to cyber threats. By incorporating vulnerability management into the incident response plan, organizations can efficiently identify and respond to security incidents, minimizing damage and downtime. Higher risk of cyber attacks goes against the goal of vulnerability management reporting, which is to improve the organization's security posture. Decreased awareness of potential weaknesses in systems goes against what vulnerability management reporting aims to do, which is to identify and mitigate vulnerabilities. Increased complexity of IT infrastructure is not a benefit of vulnerability management. Ultimately, organizations should prioritize reducing response time to better protect against cyber threats.

Which of the following is a security procedure that is essential to verifying that website certificates are valid, helping protect against on-path attacks? A. SSL inspection B. Personally identifiable information (PII) C. Cardholder data (CHD) D. Public key infrastructure (PKI)

A. SSL inspection Explanation Secure Sockets Layer (SSL) inspection is essential for verifying that website certificates are valid, helping protect against on-path attacks (where an attacker intercepts communications between two parties) and detecting traffic encrypted with anything other than a trusted third-party certificate. Public key infrastructure (PKI) provides a suite of tools designed to support public/private key management, integrity checks via digital signatures, and authentication as well as non-repudiation of users and/or devices through the use of private key encryption. Personally identifiable information (PII) is data that can be used to directly or indirectly identify an individual. This covers a very broad range of information and is further subcategorized to include sensitive PII, which describes US social security numbers, biometrics, financial records, medical records, immigration identifiers, and criminal history. Cardholder data (CHD) is information related to the owner of a payment card, such as a credit or debit card. This data includes the cardholder's name, card number, expiration date, billing address, and security code (CVV).

You are using Wireshark to capture packets (frames) on your company network. Your current task is to analyze the traffic to a web server before it is put into production, looking for security risks. What should you tell the project manager about whether to launch the new site or not based on the image below? A. Tell them the username and password parameters are being transferred in cleartext at login. B. Tell them the user_token field is using a generic token and needs to be updated. C. Tell them to change the password for the admin user to something stronger. D. Tell them the site is ready to go with no reason to delay launch.

A. Tell them the username and password parameters are being transferred in cleartext at login. Explanation The correct answer is to point out the username and password parameters are in cleartext during login, not hashes as they should be. Because of this fact, the site is not ready to go until that is fixed. Changing the password will not resolve the problem since that new password would also be transferred in cleartext. The user_token field is a generated field and likely unique, not something used as a generic token.

A company's security team has identified several indicators of compromise (IoCs) in its system logs, including unusual network traffic and the presence of a suspicious file on a system. What actions can the team take to respond to these IoCs? (Select two.) A. The team can conduct network traffic analysis to identify the source and destination of the unusual traffic and any associated systems and users. B. The team can notify all employees of the security incident and advise them to be cautious when opening emails or accessing websites. C. The team can update the antivirus software on all systems to detect and prevent any further malware infections. D. The team can quarantine and analyze the suspicious file to identify any malware or other security threats it may contain. E. The team can create proper documentation regarding the incident, the response, and any recommendations for future action.

A. The team can conduct network traffic analysis to identify the source and destination of the unusual traffic and any associated systems and users. D. The team can quarantine and analyze the suspicious file to identify any malware or other security threats it may contain. Explanation Network traffic analysis can help the security team identify the source of the unusual traffic and any systems or users involved in the incident. This analysis can help the team identify the extent of the incident and respond appropriately. Quarantining and analyzing the suspicious file can help the security team identify any malware or other security threats. This approach helps the team isolate and remove the threat to prevent further damage. While updating antivirus software is an important security measure, it is not enough to address an ongoing security incident. While notifying employees of a security incident is an important step, it is not the most effective way to respond to the incident. While creating proper documentation regarding the incident, the response, and any recommendations for future action are important steps, they are not part of an initial IoC response.

You suspect an attacker has been securing sensitive files on a Windows host device for exfiltration. You also know that any interaction with the file system by the attacker will leave a trail of metadata that can be followed to determine if an attack or malware infection has occurred. You decide to start by using the Window dir command to find any hidden files or folders the attacker may be storing on the Windows host. Which of the following commands would you use to find these hidden files or folders? A. dir /AH B. dir /Q C. dir /L D. dir /R

A. dir /AH Explanation The dir /AH command displays only hidden files and folders. Malicious files marked as hidden are much easier to find this way rather than looking through every entry, especially if the folder contains hundreds or thousands of files. The dir /Q command displays file ownership, along with the standard information. Sometimes, sensitive files are given ownership to an unknown or unauthorized user by using this switch. The dir /R command displays alternate data streams for a file. Attackers can use alternate data streams (ADSs) for anti-forensics purposes, and being able to spot an ADS can help identify a malicious process attached to a legitimate file. The dir /L command shows all folder and file names in lowercase.

The recommendations in your IR report include details about what to do in response to the incident. Which of the following should be important characteristics of your response recommendations? (Select two.) A. Measureable B. Actionable C. Specific D. Trackable E. Illustrated

B. Actionable C. Specific Explanation Incident response recommendations include details regarding what to do in response to the incident. The recommendations must be specific and actionable. Once decisions are made regarding your response recommendations, the resulting actions must be able to be measured and tracked to demonstrate their successful completion. Although illustrating your response recommendations might provide some clarification, they are not required (and not used) in most cases.

A company is investigating a potential incident on its network. They have collected data and logs from various sources and are preparing to validate the integrity of the data. Why should the company avoid deleting irrelevant log entries during the incident response? A. Because they may contain sensitive information that should not be deleted. B. Because they may contain relevant evidence. C. Because they may contain false information that could lead to erroneous conclusions. D. Because deleting them is not an efficient use of time.

B. Because they may contain relevant evidence. Explanation Even seemingly irrelevant log entries can provide valuable insight into the events leading up to and following the incident. Therefore, the company should avoid deleting any log entries, even those that appear irrelevant. Irrelevant log entries may not contain false information, but they can still contribute to the overall understanding of the incident. The primary reason for not deleting irrelevant log entries is to ensure the company preserves all available evidence for the investigation. Irrelevant log entries may not contain sensitive information, but they still need protection to maintain the integrity of the data. Deleting them can potentially compromise the overall accuracy of the log data and hinder the investigation.

A cybersecurity team at a large organization that uses various operating systems, applications, and hardware devices is responsible for ensuring that these systems get configured securely to prevent potential security breaches. As part of their research, they come across a set of security configuration best practices that offer a secure baseline configuration for various operating systems, applications, and hardware devices. Which of the following provides this specific set of security configuration best practices? A. CMMI B. CIS Benchmarks C. PCI DSS D. CSA STAR

B. CIS Benchmarks Explanation Center for Internet Security (CIS) Benchmarks is a set of security configuration best practices providing a secure baseline configuration for various operating systems, applications, and hardware devices. Payment Card Industry Data Security Standard (PCI DSS) are requirements for businesses that accept card payments, ensuring secured cardholder data. Capability Maturity Model Integration (CMMI) is a framework for improving, streamlining, and optimizing an organization's processes to deliver better products and services. It is not related to security configuration best practices. Cloud Security Alliance (CSA) STAR is a certification program for cloud service providers that demonstrates their compliance with best practices for security and privacy. It does not provide security configuration best practices for operating systems, applications, or hardware devices.

What is the name of the sanitization method that involves destruction of an encryption key to render a drive's data useless? A. Secure disposal B. Cryptographic erase C. Degaussing D. Reimaging

B. Cryptographic erase Explanation A cryptographic erase basically involves throwing away the proverbial key. If a device was encrypted and you destroy the key, the data is deemed useless and can be overwritten. Degaussing involves the use of a powerful magnetic force to wipe data completely from a drive. This process usually destroys the motors that control the drive's platters so that it cannot be used again. Secure disposal ensures that nothing is left behind from a destroyed drive. Reimaging is a recovery process that involves restoring a computer back to its factory settings.

The cybersecurity leadership team of a company is reviewing its incident response plan (IRP) and must consider the role of business continuity (BC) and disaster recovery (DR) in the IRP. How should the company account for BC/DR in its incident response plan? A. Conduct regular tabletop exercises. B. Develop and test BC/DR plans for operational resilience. C. Establish an incident response team. D. Train employees on phishing awareness.

B. Develop and test BC/DR plans for operational resilience. Explanation Integrating BC/DR plans into the IRP can help ensure operational resilience and help the company recover from potential disruptions to its business operations. Developing and testing BC/DR plans can help improve the effectiveness of its IRP. While tabletop exercises are important for evaluating incident response procedures, they do not directly address the integration of BC/DR plans into the IRP or ensure operational resilience. While training employees on phishing awareness is an important part of a cybersecurity program, it does not directly address the integration of BC and DR into the IRP. While an incident response team is important, it does not specifically address the integration of BC/DR plans into the IRP or ensure operational resilience.

Blue Team - Task 1 - Task 2 - Task 3 White Team - Task 1 - Task 2 - Task 3 Red Team - Task 1 - Task 2 - Task 3

Blue Team - Task 1 - Task 2: Install antivirus on Windows server - Task 3: Run netstat on honeypot White Team - Task 1: Recommend a next-gen firewall appliance - Task 2: Set criterion: Disable remote access to servers - Task 3 Red Team - Task 1 - Task 2: Utilize Metasploit - Task 3

Select the ISO 27k standard number from the dropdown list below that focuses on personal data and privacy. A. 27017 B. 27018 C. 27701 D. 27002

C. 27701 Explanation ISO 27k includes over a dozen standards, including: 27002, which defines security controls; 27017/27018 for cloud security; and 27701, which focuses on personal data and privacy.

A software developer is working on a Linux-based application and encounters an unexpected issue in the code execution. The software developer needs a tool that can help them examine and debug the application, allowing them to inspect the runtime state and modify the program's execution flow. Which of the following tools is BEST suited for this task? A. Cuckoo B. GNU debugger C. Tcpdump D. Wireshark

B. GNU debugger Explanation The GNU Debugger is a widely used debugging tool for Linux-based applications. It allows developers to examine and debug applications, inspect the runtime state, and modify the program's execution flow. Tcpdump is a command-line network traffic analyzer that captures and displays network packets. It is not for debugging Linux-based applications like the GNU Debugger. Wireshark is a network protocol analyzer that allows users to capture and analyze network traffic in real time. However, it is not for debugging Linux-based applications like the GNU Debugger. Cuckoo Sandbox is an open-source automated malware analysis system that helps analyze suspicious files and URLs in a safe, isolated environment. It is not for debugging Linux-based applications like the GNU Debugger.

The economic impact of an incident can be tangible or intangible. Which of the following costs would be considered intangible? (Select two.) A. Lost data B. Loss of potential customers C. Damage to reputation D. Damaged hardware E. Stolen passwords

B. Loss of potential customers C. Damage to reputation Explanation Costs that are intangible are more difficult to pinpoint and represent. Loss of potential customers because of downtime or damage to reputation are both examples of such costs. Costs that are tangible can be easily identified and quantified. Specific losses, such as damaged hardware, stolen passwords, and lost or corrupted data, are examples of tangible costs.

Which of the following honeypot interaction levels can't be compromised completely and is generally set to collect information about attacks, like network probes and worms? A. Medium B. Low C. High D. Critical

B. Low Explanation A low-interaction honeypot simulates only a limited number of services and applications for a target system. It relies on the emulation of services and programs that would be found on a vulnerable system. This means the honeypot cannot be compromised completely and is generally set to collect information about attacks, like network probes and worms. A medium-interaction honeypot simulates a real OS, its applications, and its services. This provides a better facade of an OS than low-interaction honeypots. A high-interaction honeypot simulates all services and applications and can be completely compromised by attackers to gain full access to a system in a controlled area. Critical is not a honeypot interaction level.

A security team is working to maintain operational visibility during a security incident involving potential indicators of compromise (IoCs) on a critical system. What should be the primary focus of the team's investigation? A. System log inconsistencies B. Monitoring and analyzing anomalous activity C. Unauthorized scheduled tasks D. Reviewing suspicious email attachments

B. Monitoring and analyzing anomalous activity Explanation By monitoring and analyzing anomalous activity, the team can detect and respond to potential threats more quickly, assess the extent of the compromise, and minimize the impact on the organization. Unauthorized scheduled tasks can indicate an attacker's attempt to maintain persistence within a system, but they may not provide immediate insights into the active threats affecting operational visibility. Suspicious email attachments can serve as an initial infection vector for malware but do not provide immediate insights into the active threats within a compromised system. System log inconsistencies can reveal possible tampering or attempts to cover an attacker's tracks. Maintaining operational visibility requires a more comprehensive approach, focusing on monitoring and analyzing anomalous activity to detect and respond to threats.

Where are network device log files stored by default? A. On the SIEM system B. On the local device C. On the nearest server D. On an intrusion detection system

B. On the local device Explanation Infrastructure-related security events can happen anywhere: on servers, switches, routers, firewalls, and intrusion detection systems. By default, events generated by each of these systems are stored locally. Log files are not stored on the nearest server, the intrusion detection system, or the SIEM system by default.

A security administrator is conducting a digital forensic investigation for a company that suspects an employee has been stealing proprietary data. The administrator has found evidence on the employee's work computer that could be used in a legal case against the employee. What next step should the security administrator take in handling this evidence? A. Ignore the evidence and continue the investigation. B. Secure the evidence and notify the legal department. C. Share the evidence with the employee's coworkers for their input. D. Report the employee to management and terminate their employment.

B. Secure the evidence and notify the legal department. Explanation When handling evidence that could be in a legal case, the security administrator should secure the evidence and notify the legal department. The legal department can then determine the appropriate action and ensure the administrator properly collects and handles the evidence. While terminating an employee may be an appropriate response to the theft of proprietary data, it is not the next step in handling the evidence. Sharing the evidence with the employee's coworkers could compromise the investigation's integrity and is not an appropriate step in handling the evidence. Ignoring the evidence would not be an appropriate response and could compromise the investigation's integrity.

Which of the following are security benefits of using software-defined networking (SDN) and virtualization in a network environment? (Select two.) A. Improved network performance through optimized routing B. Simplified network segmentation and isolation for easier threat containment C. Enhanced network security through hardware-based firewalls D. Increased network agility for faster deployment of security controls E. An easier transition to a cloud computing network architecture

B. Simplified network segmentation and isolation for easier threat containment D. Increased network agility for faster deployment of security controls Explanation SDN and virtualization network agility improve network security and facilitate faster deployment of security controls. SDN and virtualization allow the user to identify and respond to security threats more easily. SDN does not improve network security through hardware-based firewalls. Instead, it enhances network security by centralizing management and control of the network, providing a single point of control for monitoring, identifying, and responding to potential threats. The primary benefit of SDN and virtualization concerns network security. While SDN can enhance network performance, its primary benefit is providing increased network agility. SDN does not normally provide an easier transition to a cloud computing network architecture.

A support technician conducts system hardening after provisioning a server. Why is system hardening such a vital practice? (Select three.) A. System hardening eliminates the need for employee security training. B. System hardening involves patching the operating system. C. System hardening reduces the attack surface of a system. D. System hardening eliminates monitoring software. E. System hardening stores operating system configuration information. F. System hardening includes configuring security policies. G. System hardening includes disabling unnecessary services.

B. System hardening involves patching the operating system. C. System hardening reduces the attack surface of a system. G. System hardening includes disabling unnecessary services. Explanation The purpose of system hardening is to reduce the attack surface of a system. Hardening involves enabling or disabling specific features and restricting access to sensitive areas of the system, such as protected operating system files, the Windows Registry, configuration files, and logs. System hardening includes making many changes to a system, such as disabling unnecessary services. Best-practice hardening configurations can be very complex. Patching the operating system is one of many procedures that can take place while hardening a system. System hardening does not eliminate monitoring software. Installing monitoring software to protect against malware and intrusions is a component of system hardening. The Windows Registry is a database for storing operating system, device, and software application configuration information. It is not a system hardening tool. Although system hardening does help with reducing network and device vulnerabilities, it does not replace the need for employee security training. System hardening does not normally include the task of configuring security policies for the network.

A company's compliance team has identified a security vulnerability in the organization's network. The team has presented this finding to the risk management team, who, in turn, creates a response plan to address the vulnerability. What is the next best step in the process based on this scenario? A. The compliance team creates policies to prevent future vulnerabilities. B. The governance team approves and codifies the response plan in policy documents. C. The risk management team presents the response plan to the board of directors. D. The technical team immediately implements the response plan.

B. The governance team approves and codifies the response plan in policy documents. Explanation The governance team creates and maintains organizational policies that direct the work of technical teams. The policy documents must approve and codify the response plan to ensure compliance and enforcement. Creating new policies in response to the vulnerability is not the next step in the process. Although the technical team will implement the response plan, the risk management team needs to present the response plan to the governance team for approval and incorporation into policy documents before proceeding. Presenting the response plan to the board of directors might happen eventually, but it is not the next step in the process.

What should organizations prioritize when selecting tools for vulnerability reporting? A. The cost of the tools B. The reporting needs of the organization C. The complexity of the tools D. The number of vulnerabilities identified

B. The reporting needs of the organization Explanation When selecting tools for vulnerability reporting, organizations should prioritize their organization's reporting needs over other factors, such as the tools' cost, the tools' complexity, or the number of identifying vulnerabilities. While cost and complexity may be important factors to consider, the organization's reporting needs are the most important priority when selecting vulnerability reporting tools. This includes considering the organization's specific requirements, such as the type of data, the size, and the available resources. The number of identifying vulnerabilities has little to do with vulnerability reporting tools. The organization will select reporting tools following the reporting needs.

What is the main purpose of a memorandum of understanding (MoU)? A. To outline the services provided by a third-party service provider B. To ensure all parties involved in an agreement understand each other's expectations and obligations C. To protect both parties involved in a service-level agreement D. To legally bind two or more parties to an agreement

B. To ensure all parties involved in an agreement understand each other's expectations and obligations Explanation A memorandum of understanding (MoU) is a legal document that outlines the terms and conditions of an agreement between two or more parties. A memorandum of understanding (MoU) does not outline the services provided by a third-party service provider; a service-level agreement (SLA) does this. A memorandum of understanding (MoU) does not legally bind two or more parties to an agreement. The MoU's main purpose is to ensure that all parties involved in the agreement understand each other's expectations and obligations. A memorandum of understanding (MoU) does not protect parties in a service-level agreement (SLA).

The Chief Information Security Officer (CISO) has informed a security analyst that an attacker has compromised a critical system. Upon investigation, the analyst determines that the attacker gained access through an unpatched vulnerability. The analyst recommends implementing compensating controls and isolating the system to prevent further damage. How can the security analyst use compensating controls in this scenario? A. To patch the unpatched vulnerability and prevent the attacker from accessing the system again B. To isolate the compromised system and prevent the attacker from exploiting the vulnerability again C. To provide additional security controls to the compromised system and prevent future attacks D. To monitor and detect further intrusion attempts (but not isolate the compromised system)

B. To isolate the compromised system and prevent the attacker from exploiting the vulnerability again Explanation The analyst can use compensating controls to isolate the compromised system and prevent the attacker from exploiting the unpatched vulnerability again. Compensating controls are not temporary measures to mitigate the risk caused by a vulnerability. Instead, they compensate for the lack of security controls in a system. The analyst cannot use compensating controls to isolate the compromised system. Instead, they reduce the likelihood or impact of potential risks. Compensating controls do not compensate for a system's lack of security controls. Instead, they compensate for the lack of security controls for specific vulnerabilities.

Which of the following is the practice of gathering insight about network events based on users daily behaviors to create a baseline for anomaly detection? A. ETDR B. UEBA C. File monitoring D. DGA monitoring

B. UEBA Explanation UEBA is user and entity behavior analysis, which is the practice of gathering insight about network events based on users' daily behaviors. The data is used to create a baseline of behaviors that can help security teams recognize any anomalies. ETDR is Endpoint Threat Detection and Response, which is a tool that monitors endpoints and network events. File monitoring is the process of tracking changes to files. DGA is a tool attackers use to hide malware from detection by generating numerous domains. DGA monitoring is monitoring either with a tool or manually for the malicious domains.

Which command is used to allow a string to be copied in the code but can be exploited to carry out overflow attacks? A. ls -l B. strcpy C. icacls D. chmod

B. strcpy Explanation The strcpy command is included in the C and C++ languages. It was a useful command that allowed a string to be copied in the code. The problem with this command is it doesn't check to see if the data being copied would overwrite the boundaries of a buffer. Attackers could exploit programs using this command to carry out overflow attacks. The icacls command is used to modify a file's permissions in Windows. The chmod command is used to modify a file's permissions in Linux. The ls -l command will show the permissions of a file or directory in Linux.

Which of the following BEST describes Central Policy? A. An access management strategy where an attribute is created for every element of an organization's operations. B. An authentication process the requires two or more steps. C. A program that checks for the correct attributes in an attribute-based system. D. An access management strategy where people are granted privileges based on their role in the organization.

C. A program that checks for the correct attributes in an attribute-based system. Explanation Central Policy is a program that checks for the correct attributes in an attribute-based system. Multi-factor authentication is an authentication process the requires two or more steps. Role-based access management is an access management strategy where people are granted privileges depending on their role in the organization. Attribute-based access management is an access management strategy where an attribute is created for every element of an organization's operations.

As part of a new policy, a system administrator must ensure that system configurations remain consistent, compliant, and secure. What kind of control should the administrator set up? A. Awareness training B. Patching C. Centralized configuration management system D. Compensating controls

C. Centralized configuration management system Explanation A centralized configuration management system (CCMS) can help the system administrator ensure that systems remain consistent, compliant, and secure. A CCMS can help streamline both patching and configuration management and allows administrators to manage multiple systems, applications, and devices from a central location. Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. A policy may be part of configuration management but not necessarily the sole concern in the scenario. Compensating controls provide additional layers of security to protect against malicious or accidental breaches. The scenario tries to avoid needing compensating controls. It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. Configuration management does not necessarily involve awareness training.

The Chief Information Security Officer (CISO) at XYZ Corporation received a legal request to preserve an employee's data under investigation for insider trading. The CISO has to ensure that the data is preserved and kept under legal hold until the company concludes its investigation. Which of the following is true regarding the chain of custody in the scenario? A. Chain of custody refers to the process of analyzing digital evidence to identify the source and cause of a security incident. B. Chain of custody refers to the security controls implemented to protect evidence from unauthorized access, modification, or deletion. C. Chain of custody is the documentation of evidence movement from one person to another, including who had custody of the evidence, when and why they transferred it, and what they did with it. D. Chain of custody refers to the process of restoring data from backup after a security incident.

C. Chain of custody is the documentation of evidence movement from one person to another, including who had custody of the evidence, when and why they transferred it, and what they did with it. Explanation Chain of custody is the documentation of evidence movement from one person to another, including who had custody of the evidence, when and why they transferred it, and what they did with it. In the given scenario, the CISO must ensure that they preserve the employee's data under investigation and keep it under legal hold until the company concludes the investigation. Chain of custody is not about security controls but rather the documentation of evidence movement. Chain of custody is not about analyzing digital evidence but rather the documentation of the evidence movement. Chain of custody is not about restoring data from backup but rather the documentation of the evidence movement.

A multinational corporation wants to enhance its incident response capabilities and ensure continuous improvement in the process. What should the security operations center (SOC) focus on to achieve this objective? A. Conduct security training B. Review playbooks C. Conduct post-incident reviews D. Implement a threat intelligence program

C. Conduct post-incident reviews Explanation Post-incident reviews involve analyzing the incident response process, identifying areas of improvement, and implementing changes to enhance the team's effectiveness in handling future incidents. Although playbooks provide a step-by-step guide for incident response activities, they alone do not guarantee continuous improvement in the incident response process. Security training can complement the continuous improvement process but should not be the main focus. A threat intelligence program helps organizations stay informed about potential threats and improve their security posture, but it does not specifically address continuous improvement in the incident response process.

A security auditor reviews the compliance reports of an organization to evaluate their adherence to regulations and standards. What information can typically be in this type of report? A. Configuration management policies B. Top 10 lists of security risks C. Employee training records D. Vulnerability scan results

C. Employee training records Explanation Compliance reports often include employee training records as evidence of compliance with regulations and standards. Vulnerability scan results typically include vulnerability reports but are not commonly a part of the compliance reports. The top 10 lists of security risks are typically used in dashboards and vulnerability reports to highlight potential problems and trends but are not commonly a part of the compliance reports. The compliance reports may include Configuration management policies as evidence of adherence to standards and regulations, but this is not typically the primary focus of the compliance reports.

A cybersecurity analyst is working to identify active threats within their organization. Preserving certain data and logs for potential legal proceedings is necessary during the investigation. Which of the following actions should the analyst take to accomplish this task while continuing the investigation? A. Share the relevant data and logs with the legal department for review. B. Conduct a full system backup, including all data and logs. C. Implement a legal hold on the relevant data and logs. D. Archive the relevant data and logs on an encrypted external storage device.

C. Implement a legal hold on the relevant data and logs. Explanation Placing a legal hold on the relevant data and logs ensures their preservation for potential legal proceedings while allowing the continuation of the investigation. It prevents the alteration or deletion of the data and logs in question. While a full system backup may help ensure data availability, it does not directly address the need to specifically preserve the relevant data and logs for potential legal proceedings. Archiving the data and logs on an encrypted external storage device helps protect their confidentiality but does not directly ensure their preservation and availability during potential legal proceedings. Sharing the data and logs with the legal department may be helpful but does not directly address the need to preserve them during the ongoing investigation.

A large organization suffers a major data breach and tasks the cybersecurity team with conducting a forensic analysis to understand the extent of the damage and identify potential vulnerabilities. The team must learn from this incident and apply this knowledge to their system and network architecture. Which of the following steps is most crucial in effectively applying the lessons learned to improve the organization's security posture? A. Performing vulnerability assessments on key systems B. Collecting and preserving digital evidence C. Implementing architectural changes based on findings D. Conducting regular network traffic analysis

C. Implementing architectural changes based on findings Explanation The organization can address the identified vulnerabilities and improve its overall security posture by applying the lessons learned from the forensic analysis to make architectural changes in the system and network infrastructure. While collecting and preserving digital evidence is an essential part of forensic analysis, it does not directly contribute to applying lessons learned to the system and network architecture improvements. Regular network traffic analysis can help detect anomalies and potential threats but does not directly address the application of lessons learned to improve the system and network architecture. While vulnerability assessments can help identify potential weaknesses in key systems, they do not directly focus on applying lessons learned from forensic analysis to the system and network architecture.

Which of the following malware detection methods establishes a baseline for a system and then alerts the user if any suspicious changes occur? (This method cannot distinguish if a change is from malware, a system failure, or another cause.) A. YARA rule writing B. Code emulation C. Integrity checking D. Interception

C. Integrity checking Explanation Integrity checking establishes a baseline for a system and alerts the user if any suspicious system changes occur. Integrity checkers cannot determine if a change is from malware, a system failure, or some other cause. Interception is mainly used against logic bombs and Trojans. If a request for network access or any request that could damage the system is made, the interceptor notifies the user and asks for permission to approve the request. Code emulation opens a virtual environment to mimic CPU and RAM activity. Malware code is executed in this environment instead of the physical processor. This method works well against polymorphic and metamorphic viruses. Writing YARA rules allows the anti-malware tool to identify and classify malware based on binary or textual patterns.

A company has just experienced a data breach that exposed sensitive customer information. The company's security team has determined that the breach likely originated from a specific IP address. What entity should the company notify in this situation? A. Information technology team B. Public relations team C. Law enforcement d. Legal team

C. Law enforcement Explanation In a data breach, involving law enforcement to help investigate the incident and potentially bring the perpetrator to justice is important. Law enforcement agencies have the resources and legal authority to investigate cybercrimes and can often handle complex data breach cases. While the company's legal team may need to involve in the aftermath of a data breach, its primary role is not to investigate the breach or apprehend the attacker. The company's public relations team may be crafting messaging to customers or the public about the breach. IT teams typically do not have the legal authority or resources to pursue an investigation and apprehend the attacker.

You entered your password on a website and are sent a code to your cell phone. Which of the following is this an example of? A. SSO B. SP C. MFA D. IDP

C. MFA Explanation Multi-factor authentication provides an extra layer of security to an account. It is especially useful when using a single sign-on account to make sure it has not been compromised. It takes longer but is also more secure. SSO is a process that allows a user to sign in once to a secure account and then to use this account to sign into multiple websites or apps. A federation consists of two parts: An identity provider (IDP), which does the heavy lifting of authenticating users. A service provider (SP), which is the site or app that needs to authenticate the users.

A project manager is overseeing a new device management system deployment that comes with the added benefit of keeping devices current. What would this type of system allow the company to accomplish? A. Changing business requirements B. Compensating controls C. Patching D. Awareness training

C. Patching Explanation Security patches released by developers are often the first line of defense against successfully exploiting software vulnerabilities. Device management systems can help automate and streamline the patching process. Compensating controls would be beneficial if the company found a device unable to receive patches. It is necessary to regularly test employees to ensure they have retained the information or developed the skills addressed in their training. The scenario does not require awareness training. The scenario did not involve changing business requirements. However, the company may have changed requirements before the project.

Which of the following concepts related to security operations involves the use of digital certificates to establish trust between entities and secure communication channels? A. Single sign-on (SSO) B. Firewall C. Public key infrastructure (PKI) D. Intrusion detection system (IDS)

C. Public key infrastructure (PKI) Explanation PKI is a framework that enables secure communication by using digital certificates to authenticate and establish trust between entities. Secure Sockets Layer (SSL) is a protocol that uses PKI to secure communication channels such as web traffic. SSO is a method that allows users to access multiple applications with a single set of credentials. IDS is a security tool that monitors network traffic for signs of malicious activity. A firewall is a network security device that monitors and controls the incoming and outgoing network traffic based on a set of security rules.

What is the primary difference between reconnaissance and enumeration? A. An attacker uses information gathered from enumeration to discover key personnel information for phishing and other social networking purposes. B. Reconnaissance is active discovery; enumeration is passive discovery. C. Reconnaissance is passive discovery; enumeration is active discovery. D. Enumeration uses publicly available resources, such as magazine articles and the internet, to gather information about an organization.

C. Reconnaissance is passive discovery; enumeration is active discovery. Explanation Reconnaissance is passive discovery, and enumeration is active discovery. Moving from reconnaissance (a passive activity using publicly available resources), the attacker uses information learned to try and discover public-facing resources, such as the screened subnet (DMZ) and the firewall. Reconnaissance is a passive activity that uses websites, financial reports, and dumpster diving to gather information. Discovering key personnel names is a passive activity that is part of the reconnaissance phase.

Which of the following statements are true when describing Heuristic analysis? (Select two.) A. Analyzes data over a period of time to establish patterns. B. Looks at frequency, volume, and statistical deviations data. C. Requires little human interaction. D. Triggers an alert when any activity falls outside a baseline. E. Involves security teams analyzing logs and data.

C. Requires little human interaction. D. Triggers an alert when any activity falls outside a baseline. Explanation Heuristic analysis: - Triggers an alert when any activity falls outside the baseline. - Requires little human interaction. Is also referred to as statistical anomaly-based analysis. - Determines baseline of regular known-good behavior for network, applications, and endpoint devices. - Can receive and process data from different sources to discover real world threats and learn how to recognize and defeat them. Trend analysis: - Looks at frequency, volume, and statistical deviations data. - Analyzes data over a period of time to establish patterns. - Involves security teams analyzing logs and data.

An unauthenticated attacker exploited a company's web portal that contains customer information, where customers can view their account profile, such as their name, email address, and account balance. Each customer has a unique ID and password used to retrieve their information from the database. However, the attacker noticed that the system enabled the default database account on this application. As a result, the attacker successfully authenticated the account using default credentials and began stealing data. What kind of web application vulnerability did the attacker exploit? A. Broken access control B. Software and data integrity failures C. Security misconfiguration D. Injection

C. Security misconfiguration Explanation Security misconfiguration refers to configuring a system insecurely, such as using default passwords or leaving unnecessary ports open. As a result, a default account remained activated, causing the breach. Broken access control is a common vulnerability in web applications that allows attackers to access sensitive data or perform unauthorized actions, such as manipulating the URL. Software and data integrity failures refer to the compromise of software or data integrity, such as through malware, hacking, or other forms of attack. Injection refers to inserting malicious code or commands into a program or system, such as a Structured Query Language (SQL) injection, allowing attackers to access or modify data they are not authorized to access or modify.

A security analyst who has discovered a data breach on an organization's network has also identified the source of the attack and must now remediate the issue. What is the BEST course of action for the analyst to take for remediation? A. The analyst should ignore the issue and hope it doesn't happen again. B. The analyst should immediately shut down the affected system to prevent further damage. C. The analyst should patch the affected system to prevent the vulnerability from being exploited again. D. The analyst should restore the system from a backup taken prior to the attack.

C. The analyst should patch the affected system to prevent the vulnerability from being exploited again. Explanation The purpose of validating data integrity after remediating a security issue is to ensure that the remediation was successful and that no further issues have arisen. Simply shutting down the affected system will not address the issue's root cause, which could lead to the problem recurring if the analyst does not address the underlying vulnerability. Ignoring the issue is not an appropriate response to a security breach. Failure to address the vulnerability may expose the system or network to further attacks and data breaches, which could result in significant financial losses or damage to the organization's reputation. Restoring the system from a backup taken before the attack may not be feasible or effective.

A company experiences a severe security incident where an attacker accesses and steals sensitive information from its servers. The incident response team investigates the issue and performs a root cause and forensic analysis. What will the company gain from conducting the forensic analysis? A. To restore services and systems as quickly as possible B. To identify areas for improvement in the incident response plan C. To gather evidence D. To identify the initial entry point of the attack

C. To gather evidence Explanation The company conducts a forensic analysis to collect and analyze evidence associated with a security incident, such as identifying the attacker and determining compromised data. A root cause analysis will pinpoint areas for improvement in the incident response plan. While identifying the initial entry point is a component of incident response, it is not the primary objective of forensic analysis. Although restoring services and systems is an important part of incident response, it is not the goal of forensic analysis, which focuses on gathering and analyzing evidence to determine the scope and impact of a security incident.

A company experiences a security incident where an attacker steals sensitive information from their servers. The incident response team investigates the issue and performs a root cause and forensic analysis to determine how the breach occurred and what data was affected. What can the company gain by performing a root cause analysis during this incident response? A. To gather forensic evidence B. To restore services and systems as quickly as possible C. To identify areas for improvement in the incident response plan D. To identify the initial entry point of the attack

C. To identify areas for improvement in the incident response plan Explanation Root cause analysis is an important part of incident response, as it helps identify the underlying cause or causes of a security incident so that the incident response team can make necessary changes to prevent similar incidents from happening in the future. Gathering forensic evidence is not the primary purpose of root cause analysis. Root cause analysis focuses on identifying the underlying cause or causes of the incident, which may go beyond just identifying the initial entry point. Root cause analysis focuses on identifying the underlying cause or causes of the incident so that the company can make necessary changes to prevent similar incidents from happening in the future.

An organization's cybersecurity staff needs to be competent at their jobs or serious consequences can occur. Which of the following is an important component to staying up to date and honing a team's cybersecurity skills? A. Device reconfiguration B. Activity registration C. Training D. Outsourcing

C. Training Explanation Defensive and offensive cybersecurity techniques are always changing. It's imperative for teams to constantly train to learn about new techniques and vulnerabilities, usually by conducting practice exercises. After learning new techniques, a team may decide to reconfigure their protection devices. Registering activities is not a cybersecurity practice. Outsourcing would not keep the actual team members apprised of the latest security threats and fixes.

Which of the following BEST describes Structured Threat Information eXpression (STIX)? A. A method for the threat information to be shared at the application level using HTTPS. B. A site for security collaboration between the FBI and industry professionals. C. A website that provides extensive information on recent attacks, threats, and security updates. D. An XML standardized information-sharing system that defines malware, threat actors, tools, and attack patterns.

D. An XML standardized information-sharing system that defines malware, threat actors, tools, and attack patterns. Explanation STIX is an XML standardized information-sharing system that defines malware, threat actors, tools, and attack patterns. The objects are related to field names such as type, name, description, and primary motivation. This simplistic format allows users to read the data manually or to use the data in automated systems. Trusted Automated eXchange of Indicator Information (TAXII) is used with STIX to provide a method for the threat information to be shared at the application level using HTTPS. Cybersecurity and Infrastructure Security Agency is a US Department of Homeland Security site that includes extensive information on recent attacks, threats, and security updates. Self-reporting links are provided for reporting known incidents, phishing, malware, vulnerabilities, and indicators. InfraGard provides a site for security collaboration between the FBI and industry professionals.

You have just discovered that a hacker is trying to penetrate your network using MAC spoofing. Which of the following BEST describes MAC spoofing? A. Driving around in a car and searching for wireless networks that allow MAC addresses to be captured. B. Configuring a network card to run in promiscuous mode, allowing MAC addresses to be captured. C. The process of sending many Ethernet frames, each containing different source MAC addresses, to a switch. D. Changing a hacker's network card to match a legitimate address being used on a network.

D. Changing a hacker's network card to match a legitimate address being used on a network. Explanation MAC spoofing is changing a network interface card's (NIC's) media access control (MAC) address to a different MAC address in an attempt to impersonate another computer or disguise the source of the transmission. MAC flooding is the process of sending many Ethernet frames, each containing different source MAC addresses, to a switch. Running a network card in promiscuous or monitor mode allows a user to use a sniffing tool to capture all packets transmitted over the network, which, of course, includes capturing MAC addresses, but is not considered MAC spoofing. Wardriving is when a hacker drives around in their car and uses a smartphone or laptop to search for wireless networks they can then attempt to break into. Although wardriving is defined as using a car for this purpose, any means of transportation can be used.

Which of the following is the core purpose of CCMSs? A. Reduced time and resources B. Automated deployment of patches and configurations C. System reliability D. Endpoint configuration and control

D. Endpoint configuration and control Explanation Endpoint configuration and control are the core purpose of CCMSs (centralized configuration management systems). While automated deployment of patches and configurations, reduced time and resources, and system reliability are all advantages of using CCMSs, they are not the core purpose.

Attackers often target data and intangible assets. What might hackers do with the information they collect. (Select two.) A. Stage an on-path attack B. Hijack DNS C. Damage or disable a firewall D. Harm a company's reputation E. Sell the data to the competition

D. Harm a company's reputation E. Sell the data to the competition Explanation Attackers look to profit from their efforts. Collecting and selling information is one way to accomplish that task. Hacktivists also seek to harm a company's reputation by defacing a website or divulging embarrassing information about the company and their practices. Hackers may introduce an obscure rule in a firewall to help them gain access to a network. They may hijack or poison DNS to redirect users and gain credentials, or they may stage an on-path attack. These are all actions they might take to gather the information they sell or use nefariously.

Behavioral threat research combines IoCs to show patterns and techniques used in previous attacks. Which of the following threat indicators is normally associated with a denial-of-service (DoS) attack? A. Rapidly changing domain IP addresses B. Port hopping C. High memory usage D. IP addresses from unusual geographic locations

D. IP addresses from unusual geographic locations Explanation IP addresses from unusual geographic locations is normally an indicator of a denial-of-service (DoS) attack. High memory usage is normally an indicator of a virus attack. Port hopping and rapidly changing domain IP addresses are normally indicators of an advanced persistent threat (APT).

Which of the following is the MOST effective first step that an organization can do when using the CIS Benchmarks? A. Incorporate the benchmarks into their cybersecurity program. B. Determine the best way to implement the benchmarks. C. Monitor the network based on the benchmarks. D. Identify the specific benchmarks most relevant to them.

D. Identify the specific benchmarks most relevant to them. Explanation Organizations should first identify the specific benchmarks that are most relevant to them and then incorporate them into their cybersecurity program. Once organizations have selected the specific CIS Benchmarks they want to follow, they should determine the best way to implement them. Monitoring the network based on the benchmarks should be the last step after implementation.

A cybersecurity analyst at a large organization is working on improving their techniques for identifying malicious activity on the company's network. The analyst is considering several methodologies and frameworks to help them achieve this objective. Which actions should the analyst prioritize to enhance their ability to detect and respond to potential threats? A. Deploy additional firewalls throughout the network. B. Implement stronger password policies. C. Conduct regular penetration testing of web applications. D. Implement network traffic analysis and threat hunting.

D. Implement network traffic analysis and threat hunting. Explanation Network traffic analysis and threat hunting, guided by frameworks like Open Source Security Testing Methodology Manual (OSSTMM) and MITRE ATT&CK, can help the analyst identify potential malicious activity. The deployment of additional firewalls alone does not specifically address the techniques for identifying malicious activity or align with the methodologies and frameworks mentioned in the scenario. Stronger password policies do not specifically address the techniques for identifying malicious activity or align with the methodologies and frameworks mentioned in the scenario. Penetration testing does not specifically address the techniques for identifying malicious activity within a network or align with the methodologies and frameworks mentioned in the scenario.

A security administrator has identified a critical vulnerability in a computer system. They know the security administrator can fix the vulnerability by applying a patch but are hesitant. What could be the possible inhibitor to vulnerability remediation in this scenario? A. Organizational governance B. Service-level objectives C. Business process interruption D. Legacy systems

D. Legacy systems Explanation Legacy systems can be challenging to update and maintain, making them vulnerable to security threats. Applying security patches could lead to a fear of causing business process interruptions or degrading functionality. SLOs can be an inhibitor to vulnerability remediation in some scenarios, but they are not the primary inhibitor in this scenario. The security administrator has identified a critical vulnerability and knows how to fix it by applying a patch but hesitates. The dynamics and pressures of organizational governance often overshadow security initiatives; it is unlikely to inhibit vulnerability remediation in this scenario. While a business process interruption can significantly impact a business's bottom line, it is not the inhibitor to vulnerability remediation in this scenario.

A network engineer is gathering requirements from a security operations center (SOC) analyst. Which of the following requirements might lead the engineer to suggest deploying a honeypot? (Select two.) A. Analysts need to track the attacker's email and text messages. B. Analysts need the ability to code in eXtensible Markup Language (XML). C. The organization needs to minimize human interaction through orchestration. D. Network defenders need the ability to observe attacks on the network. E. The organization needs to regularly develop new indicators of compromise (IoCs) and indicators of attack (IoAs) based on the attacks they are experiencing.

D. Network defenders need the ability to observe attacks on the network. E. The organization needs to regularly develop new indicators of compromise (IoCs) and indicators of attack (IoAs) based on the attacks they are experiencing. Explanation A honeypot is a fake file, host, or network designed to lure an attacker away from legitimate network assets and information. An organization can steer an attacker toward these fake resources to watch how they operate without exposing valuable resources. Indicators of compromise (IoCs) are items that suggest a compromise may have occurred. Indicators of attack (IoAs) are items that can identify an ongoing attack. Security orchestration, automation, and response (SOAR) automates well-documented, highly procedural actions taken in response to alerts generated by specific security information and event management (SIEM). eXtensible Markup Language (XML) is a text-based scripting language that transfers data. An important differentiator of XML is that the user defines the data tags. The purpose of deploying a honeypot is to study the attack methods of the attacker, not to access the attacker's emails or text messages.

On Wireshark, you have used a filter to help capture only the desired types of packets. Using the information shown in the image, which of the following BEST describes the effects of using the host 192.168.0.34 filter? A. Only packets with 192.168.0.34 in the source address are captured. B. Only packets with 192.168.0.34 in the destination address are captured. C. Only packets on the 192.168.0.34 network are captured. D. Only packets with 192.168.0.34 in either the source or destination address are captured.

D. Only packets with 192.168.0.34 in either the source or destination address are captured. Explanation Wireshark's host filter lets you only capture where the specified IP address is in either the source or the destination address. The IP address of 192.168.0.34 is a specific address for an individual device. It is not an address for the entire network.

An information security project manager of a large software firm is in charge of researching alternative vulnerability scanners for the security operations center (SOC) reduced budget. At the next stakeholder meeting, the manager proposes several free, open-source software (FOSS). Which of these vulnerability scanners fits the needs of the enterprise business? (Select two.) A. SecurityScorecard B. Qualys C. Nessus D. OpenSCAP E. OpenVAS

D. OpenSCAP E. OpenVAS Explanation The OpenVAS scanner (openvas.org) is open-source software initially developed from the Nessus codebase before Nessus became commercial software. The cost efficiency of the open-source scanner, while maintaining the ability to assess CVSS scoring abilities, makes OpenVAS optimal for this scenario. OpenSCAP is an open-source scanner used to identify system vulnerabilities. It also provides the ability to calculate a Common Vulnerability Scoring System (CVSS) score based on the vulnerabilities identified in the system. Qualys's vulnerability management solution is a cloud-based commercial vulnerability scanner. Nessus is known to be a commercial vulnerability scanner. The product is free to use for home users, but enterprise businesses must pay for it on a subscription basis. SecurityScorecard is a cloud-based solution that enables organizations to assess and improve their security posture. It also provides the ability to calculate a CVSS score based on the vulnerabilities identified in the system. However, it is not available for free.

A company's security team needs to assess the security posture of its Amazon Web Services (AWS) environment, focusing on both the reconnaissance and exploitation phases of a penetration testing engagement. The team requires a tool that can automate various attack scenarios and validate the effectiveness of its cloud security controls. Which of the following tools is best suited for this task? A. Zed Attack Proxy (ZAP) B. Tenable.io C. Suricata D. Pacu

D. Pacu Explanation Pacu is an open-source Amazon Web Services (AWS) exploitation framework for penetration testing engagements in AWS environments. It automates various attack scenarios and helps validate the effectiveness of cloud security controls. Zed Attack Proxy (ZAP) is an open-source web application security scanner that helps identify vulnerabilities in web applications. It is not specifically for Amazon Web Services (AWS) environment reconnaissance and exploitation. Tenable.io is a cloud-based vulnerability management platform that helps organizations identify and manage vulnerabilities in their infrastructure. It is not for Amazon Web Services (AWS) environment reconnaissance and exploitation. Suricata is an open-source network threat detection engine that provides intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring (NSM) functionalities.

A gray hat hacker who desires to be ethical has discovered a critical vulnerability that could potentially compromise a glass bottle manufacturing company's user data. What should the gray hat hacker do next? A. Create a list of patching exceptions. B. Implement session management. C. Conduct adversary emulation to determine whether an APT could gain access. D. Submit the findings to the company's bug bounty program.

D. Submit the findings to the company's bug bounty program. Explanation Bug bounties identify elements of the environment that are in scope for testing and the rewards available for reporting issues. Using an independent (external) vulnerability researcher indicates that this is a bug bounty program. Adversary emulation involves simulating a real-world cyber attack by an actual adversary to assess an organization's defenses. The vulnerability researcher is not emulating an adversary. Create a list of patching exceptions is not a suitable response, as the hacker is not focused on making patch exceptions for business purposes. Session management refers to the process of managing and maintaining user sessions in a web application. The compromise here is not related to a web application.

Which of the following statements is true concerning the use of top 10 style lists? A. They are useful for developing policies and procedures but not effort prioritization. B. They are ineffective when used in a detailed report. C. They provide an exhaustive list of all potential problems. D. They allow for a quick and easy overview of important activities and trends.

D. They allow for a quick and easy overview of important activities and trends. Explanation Top 10 lists effectively highlight potential problems or focus on important activities, trends, or environmental changes. They are a quick and easy way to gain an overview of what is happening within a system, and they can identify potential problems that may need further investigation. Top 10 lists do not provide an exhaustive list of all potential problems and typically focus on traffic volume or indicators of compromise. The top 10 lists are useful for developing policies and procedures and prioritizing vulnerabilities. The top 10 lists are effective in both summary and detailed reports.

What are compensating controls used for? A. To track and control changes in system configuration. B. To replace primary security measures. C. To ensure that security approaches and capabilities are aligned with changing business requirements. D. To add additional layers of security when traditional measures are not viable.

D. To add additional layers of security when traditional measures are not viable. Explanation Compensating controls provide additional layers of security to protect against malicious or accidental breaches. Compensating controls should be for the organization's specific security needs and regularly reviewed and updated to ensure they remain effective. Compensating controls are not meant to replace primary security measures but are an alternative protection method. Configuration management is to track and control changes in system configuration. Changing business requirements are an example of how the evolution of an organization impacts the cybersecurity program and is not specifically related to the purpose of compensating controls.

You are a security analyst for a large trading firm. Over the past few years, you have made sure that automated network security tools were in place that triggered alerts when any activity fell outside a security baseline. While that has worked well in the past, recently the alerts have increased to the point where you need to analyze data over a period of time to: - Determine what might be happening. - Establish patterns to make predictions about future events. - Make improvements to the security baseline. Which of the following methods would meet these analysis requirements? A. Heuristic B. Anomaly-based C. Signature detection D. Trend

D. Trend Explanation Trend analysis involves looking at data over a period of time and using those patterns to make predictions about future events. Network security teams can analyze logs and data to find events that are connected and possibly indicate that an attack is coming. Trend analysis looks at three main areas that could indicate an attack: - Frequency - A change in the frequency of specific events can indicate that something might be wrong. For example, an increase in failed login attempts could signify that an attacker is attempting to crack the password. - Volume - A increase in the volume of events can include increased network traffic or an increase in the number of logs being generated. This can signify an attack. - Statistical deviations - These are small changes in the system over a period of time. These deviations can be more difficult to spot, but when noticed, can lead the security team to further investigate smaller changes in the network. Heuristic analysis does not look at the data over an extended period of time to make predictions about future events, and involves using security baselines in security tools. Signature detection looks at known patterns or signatures that are stored in a database to detect malicious traffic. Anomaly-based detection is another name for heuristic analysis.

A security analyst is working to discover zero-day attacks before the system is compromised. What is one method for discovering these types of attacks that the security analyst should try? A. Rely on the signature-based antivirus program to update its database. B. Train the network's users to change their passwords regularly and require them to report any password breaches as soon as they are aware of them. C. Regularly run a signature-based antivirus program scan. D. Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system.

D. Write rules in a program like YARA that recognizes similar patterns of code found in other malware and flags them if they interact with the system. Explanation YARA is a tool that can identify new malware samples. A security analyst can write rules to search for certain patterns and strings to match them to similar known malware code patterns and strings. These rules can detect a malware program before its signature is known and included in signature-based antivirus programs. Running a signature-based antivirus program can only detect known malware signatures already in its database. Zero-day attacks come from malware that has not been identified previously. Training the network's users to change their passwords regularly is good practice, but it will not help a security analyst identify a zero-day attack before the system is compromised.