CySA+ Part II
A network attack that is exploiting a vulnerability in the SNMO is detected. Which of the following should the cybersecurity analyst do FIRST? A. Apply the required patches to remediate the vulnerability B. Escalate the incident to senior management for guidance C. Disable all privileged user accounts on the network D. Temporarily block the attacking IP address
A. Apply the required patches to remediate the vulnerability
During an investigation, an analyst discovers the following rule in an executive's email client (SEE FIG 131). The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security? A. Check the server logs to evaluate which emails were sent to [email protected] B. Use the SIEM to correlate logging events from the email server and the domain server C. Remove the rule from the email client and change the password D. Recommend that management implement SPF and DKIM
A. Check the server logs to evaluate which emails were sent to [email protected]
Bootloader malware was recently discovered on several company workstations. All of the workstations run Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST likely cause of the infections? A. Compatibility mode B. Secure boot mode C. Native mode D. Fast boot mode
A. Compatibility mode
A security analyst is attempting to use the following threat intelligence for developing capabilities (SEE FIG 114). In which of the following phases is the APT MOST likely to leave discoverable artifacts? A. Data collection/exfiltration B. Defensive evasion C. Lateral movement D. Reconnaissance
A. Data collection/exfiltration
A security analyst is reviewing the following web server log (SEE FIG 81). Which of the following best describes the issue? A. Directory traversal exploit B. Cross-site scripting C. SQL injection D. Cross-site request forgery
A. Directory traversal exploit
The cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that: A. Enables remote code execution that is being exploited in the wild B. Enables data leakage but is not known to be in the environment C. Enables lateral movement and was reported as a proof of concept D. Affected the organization in the past but was probably contained and eradicated
A. Enables remote code execution that is being exploited in the wild
A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be take to BEST mitigate the effects of this type of threat in the future? A. Enabling sandboxing technology B. Purchasing cyber-insuracne C. Enabling application blacklisting D. Installing a firewall between the workstation and Internet
A. Enabling sandboxing technology
A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties. Which of the following would BEST satisfy the objectives defined by the compliance officer? A. Executing vendor compliance assessments against the organization's security controls B. Executing NDAs prior to sharing critical data with third parties C. Soliciting third-party audit reports on an annual basis D. Soliciting third-party audit reports on an annual basis E. Completing a business impact assessment for all critical service providers F. Utilizing DLP capabilities at both the endpoint and perimeter levels
A. Executing vendor compliance assessments against the organization's security controls E. Completing a business impact assessment for all critical service providers
An analyst is participating in the solution analysis process for a cloud hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor? A. Gather information from providers, including datacenter specifications and copies of the audit reports B. Identify SLA requirements for monitoring and logging C. Consult with senior management for recommendations D. Perform a proof of concept to identify possible solutions
A. Gather information from providers, including datacenter specifications and copies of the audit reports
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations? A. It enables the team to prioritize the focus areas and tactics within the company's environment B. It provides criticality analysis for key enterprise servers and services C. It allows analysts to receive routine updates on newly discovered software vulnerabilities D. It supports rapid response and recovery during and following an incident
A. It enables the team to prioritize the focus areas and tactics within the company's environment
A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch. Which of the following is the MOST appropriate threat classification for these incidents? A. Known threat B. Zero day C. Unknown threat D. APT
A. Known threat
A security analyst implemented a solution that would analyze the attacks that the organization's firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command: $ sudo nc -l -v -e maildaemon.py 25 > caplog.txt. Which of the following solutions did the analyst implement? A. Log collection B. Crontab mail script C. Sinkhole D. Honeypot
A. Log collection
While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be: A. Placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network B. Placed on the ICS network with a static firewall rule that allows IT network resources to authenticate C. Bridged between the IT and operational technology networks to allow authenticated access D. Placed on the IT side of the network, authenticated, and tunneled into the ICS environment
A. Placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network
A security analyst is reviewing a suspected phishing campaign that has targeted an organization. The organization has enabled a few email security technologies in the last year, however, the analyst believes the security features are not working. The analyst runs the following command: > dig domain._domainkey.comptia.org TXT. Which of the following email protection technologies is the analyst MOST likely validating? A. SPF B. DSSEC C. DMARC D. DKIM
A. SPF
After receiving reports of high latency, a security analyst performs an Nmap scan and observes the following output (SEE FIG 95). Which of the following suggests the system that produced this output was compromised? A. Secure shell is operating on a non-standard port B. There are no indicators of compromise on this system C. MySQL service id identified on a standard PostgreSQL port D. Standard HTTP is open on the system and should be closed
A. Secure shell is operating on a non-standard port
An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operations of the organization's product line. The legacy hardware does not have third party support, and the OEM manufacturer of the controller in no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller? A. Segment the network to constrain access to administrative interfaces B. Replace the equipment that has third-party support C. Remove the legacy hardware from the network D. Install an IDS on the network between the switch and the legacy equipment
A. Segment the network to constrain access to administrative interfaces
Which of the following assessment methods should be used to analyze how specialized software performs during heavy loads? A. Stress test B. API compatibility test C. Code review D. User acceptance test E. Input validation
A. Stress test
During a cyber incident, which of the following is the BEST course of action? A. Switch to using a pre-approved, secure, third-party communication system B. Keep the entire company informed to ensure transparency and integrity during the incident C. Restrict customer communication until the severity of each breach is confirmed D. Limit communications to pre-authorized parties to ensure response efforts remain confidential
A. Switch to using a pre-approved, secure, third-party communication system
An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function? A. TPM B. eFuse C. FPGA D. HSM E. UEFI
A. TPM
A security analyst recently used Archni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output (SEE FIG 79). Which one of the following is the MOST likely reason for proof of this vulnerability? A. The developer set input validation protection on the specific field of search.aspx B. The developer did not set proper cross-site scripting protections in the headers C. The developer did not implement default protections in the web application build D. The developer did not set proper cross-site request forgery protection
A. The developer set input validation protection on the specific field of search.aspx
Important to parameterize queries to prevent: A. The execution of unauthorized actions against a database B. A memory overflow that executes code with elevated privileges C. The establishment of a web shell that would allow unauthorized access D. The queries from using an outdated library with security vulnerabilities
A. The execution of unauthorized actions against a database
A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server (SEE FIG 141). Which of the following BEST describes the method used by each tool? A. Tool A is agent based B. Tool A used fuzzing logic to test vulnerabilities C. Tool A is unauthenticated D. Tool A used machine learning technology E. Tool B is agent based F. Tool B is unauthenticated
A. Tool A is agent based F. Tool B is unauthenticated
An organization has several systems that require specific logons. Over the past few months, the security analyst has noticed numerous failed logon attempts followed by password resets. Which of the following should the analyst do to reduce the occurrence of legitimate failed logins and password resets? A. Use SSO across all applications B. Perform a manual privilege review C. Adjust the current monitoring and logging rules D. Implement multifactor authentication
A. Use SSO across all applications
The security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output (SEE FIG 120). Which of the following commands should the administrator run NET to further analyze the comprised system? A. strace /proc/1301 B. rpm -v openssh-server C. /bin/ls -l /proc/1301/exe D. kill -9 1301
A. strace /proc/1301
An organization was alerted to a possible compromise after its proprietary data was found for sale on the internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output (SEE FIG 138). Which of the following should be the focus of the investigation? A. webserver.org-dmx.org B. sftp.org-dmz.org C. 83hht23.org-int.org D. ftps.bluemed.net
A. webserver.org-dmx.org
After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred (SEE FIG128). Which of the following IP addresses does the analyst need to investigate further? A. 192.168.1.1 B. 192.168.1.10 C. 192.168.1.12 D. 192.168.1.193
B. 192.168.1.10
When reviewing a compromised authentication server, a security analyst discovers the following hidden file (SEE FIG 152). Further analysis shows these users never logged into the server. Which of the following types of the attacks was used to obtain the file, and what should the analyst recommend to prevent this type of attack from reoccurring? A. A rogue LDAP server is installed on the system and is collecting passwords. The analyst should recommend wiping and reinstalling the server B. A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password C. A rainbow tables attack was used to comprise the accounts. The analyst should recommend that future password hashes contain a salt D. A phishing attack was used to compromise that account. The analyst should recommend users install endpoint protection to disable phishing links
B. A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password
For machine learning to be applied effectively toward security analysis automation, it requires: A. Relevant training data B. A threat feed API C. A multicore, multiprocessor system D. Anomalous traffic signatures
B. A threat feed API
A threat feed notes malicious actors have been infiltrating companies and exfiltrated data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without altering any potential malicious actions? A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queries C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443 D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queries
Which of the following MOST accurately describes an HSM? A. An HSM is a low-cost solution for encryption B. An HSM can be networked based or a removable USB C. An HSM is slower at encrypting than software D. An HSM is explicitly used for MFA
B. An HSM can be networked based or a removable USB
A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal? A. Continuous integration and deployment B. Automation and orchestration C. Static and dynamic analysis D. Information sharing and analysis
B. Automation and orchestration
Clients are unable to access a company's API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs? A. IP whitelisting B. Certificate-based authentication C. Virtual private network D. Web supplication firewall
B. Certificate-based authentication
Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident? A. SSO B. DLP C. WAF D. VDI
B. DLP
During routing monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries IP 192.168.50.2 for a 24-hour period (SEE FIG 94). To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and: A. DST 138.10.2.5 B. DST 138.10.25.5 C. DST 172.10.3.5 D. DST 172.10.45.5
B. DST 138.10.25.5
A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the types of control that is being used? A. Data encoding B. Data masking C. Data loss prevention D. Data classification
B. Data masking
The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with: A. Web servers on private networks B. HVAC control systems C. Smartphones D. Firewalls and UTM devices
B. HVAC control systems
A development team uses open source software and follows an Agile methodology with two-week sprints. Last month, the security team filled a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability? A. Deploy a WAF in front of the application B. Implement a software repository management tool C. Install a HIPS on the server D. Instruct the developers to use input validation in the code
B. Implement a software repository management tool
Which of the following best describes the primary role of a risk assessment as it relates to compliance with risk based frameworks? A. It demonstrates the organization's mitigation of risks associated with internal threats B. It serves as the basis for control selection C. It prescribes technical control requirements D. It is an input to the business impact assessment
B. It serves as the basis for control selection
A security analyst has discovered that developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the internet. Which of the following changes should the analyst make to BEST protect the environment? A. Create a security rule that blocks internet access in the development VPC B. Place a jumpbox in between the developers' workstation and the development VPC C. Remove the administrator's profile from the developer user group in identify and access management D. Create an alert that is triggered when a developer installs an application on a server
B. Place a jumpbox in between the developers' workstation and the development VPC
Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII? A. Human resources B. Public relations C. Marketing D. International network operations center
B. Public relations
The help desk provided a security analyst with a screenshot of a user's desktop (SEE FIG 116). Which of the following is aircrack-ng being used? A. Wireless access point discovery B. Rainbow attack C. Brute-force attack D. PCAP data collection
B. Rainbow attack
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal? A. To create a system baseline B. To reduce the attack surface C. To optimize system performance D. To improve malware detection
B. To reduce the attack surface
The information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supple. Which of the following would BEST identify potential indicators of compromise? A. Use Burp Suite to capture packets to the SCADA device's IP B. Use tcpdump to capture packets between SCADA devices and the management system C. Use Wireshark to capture packets between SCADA devices and the management system D. Use Nmap to capture packets from the management system to the SCADA devices
B. Use tcpdump to capture packets between SCADA devices and the management system
A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal? A. nmap -iL webserverlist.txt -sC -p 443 -0X webserverlist.xml B. nmap -iL webserverlist.txt -sV -p 443 -0X webserverlist.xml C. nmap -iL webserverlist.txt -F -p 443 -0X webserverlist.xml D. nmap -takefile webserverlist.txt --outputfileasXML we3bserverlist.xml --scanports 443
B. nmap -iL webserverlist.txt -sV -p 443 -0X webserverlist.xml
A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications and not capable of escaping the virtual machines and pivoting to other networks. To BEST mitigate this risk, the analyst should use: A. An 802.11ac wireless bridge to create an air gap B. A managed switch to segment the lab into a separate VLAN C. A firewall to isolate the lab network from all other networks D. An unmanaged switch to segment the environments from one another
C. A firewall to isolate the lab network from all other networks
Which of the following sets of attributes BEST illustrate the characteristics of an insider threat from a security perspective? A. Unauthorized, unintentional, benign B. Unauthorized, intentional, malicious C. Authorized, intentional, malicious D. Authorized, unintentional, benign
C. Authorized, intentional, malicious
An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependence but must remain relatively segmented. Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain? A. Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment B. Create one cloud account with one VPC for all environments. Purchase a firewall and create granular security rules C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access from each environment D. Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account
C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access from each environment
A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis? A. Attack vectors B. Adversary capability C. Diamond Model of Intrusion Analysis D. Kill chain E. Total attack surface
C. Diamond Model of Intrusion Analysis
During a review of the vulnerability scan results on a server an information security analyst notices the following (SEE FIG 85). The MOST appropriate action for the analyst to recommend to developers is to change the web server so: A. It only accepts TLSv1.2 B. It only accepts ciphers suites using AES and SHA C. It no longer accepts the vulnerable cipher suites D. SSL/TLS is offloaded to a WAF and load balancer
C. It no longer accepts the vulnerable cipher suites
A user's computer has been running slowly when the user tried to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output (SEE FIG 132). Which of the following lines indicates the computer may be compromised? A. Line 1 B. Line 2 C. Line 3 D. Line 4 E. Line 5 F. Line 6
C. Line 3
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterpriser. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan? A. Make sure the scan is credentialed, covers and hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations B. Make sure the scan is uncredentialled, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations C. Make sure the scan is credentialed, has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has least impact on operations
C. Make sure the scan is credentialed, has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations
A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access? A. Single sign-on B. Mandatory access control C. Multifactor authentication D. Federation E. Privileged access management
C. Multifactor authentication
A CISO is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities. Which of the following would be BEST to implement to alleviate the CISO's concerns? A. DLP B. Encryption C. Test data D. NDA
C. Test data
A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output (SEE FIG 78). The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation? A. This is a false positive, and the scanning plugin needs to be updated by the vendor B. This is a true negative, and the new computers have the correct version of the software C. This is a true positive, and the new computers were imaged with an old version of the software D. This is a false negative, and the new computers need to be updated by the desktop team
C. This is a true positive, and the new computers were imaged with an old version of the software
During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future? A. An IPS signature modification for the specific IP addresses B. An IDS signature modification for the specific IP addresses C. A firewall rule that will block port 80 traffic D. A firewall rule that will block traffic from the specific IP address
D. A firewall rule that will block traffic from the specific IP address
Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus, on company systems? A. Code of conduct policy B. Account management policy C. Password policy D. Acceptable use policy
D. Acceptable use policy
A finances department employee has received a message that appears to have been sent from the CFO, asking the employee to perform a wire transfer. Analysis of the email shows the message came from an external source and is fraudulent. Which of the following would work BEST to improve the likelihood of quickly recognizing fraudulent emails? A. Implementing a sandboxing solution for viewing emails and attachments B. Limiting email from the finance department to recipients on a pre-approved whitelist C. Configuring email client settings to display all messages in plaintext when read D. Adding a banner to incoming messages that identifies the messages as external
D. Adding a banner to incoming messages that identifies the messages as external
A security analyst discovered a specific series of IP addresses that are targeting an organization. Non of the attacks have been successful. Which of the following should the security analyst perform NEXT? A. Begin blocking all IP addresses with that subnet B. Determine the attack vector and total attack surface C. Begin a kill chain analysis to determine the impact D. Conduct threat research on the IP address
D. Conduct threat research on the IP address
A security analyst is investigating malicious traffic from an international system that attempted to download proxy avoidance software as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do? A. Shut down the computer B. Capture live data using Wireshark C. Take a snapshot D. Determine if DNS logging is enable E. Review the network logs
D. Determine if DNS logging is enable
A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization? A. Establish a recovery time objective and a recovery point objective for the systems being moved B. Calculate the resource requirements for moving the systems to the cloud C. Determine recovery priorities for the assets being moved to the cloud-based systems D. Identify the business processes that will be migrated and the criticality of each one E. Perform an inventory of the servers that will be moving and assign priority to each one
D. Identify the business processes that will be migrated and the criticality of each one
As part of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period? A. Organizational policies B. Vendor requirements and contracts C. Service-level agreements D. Legal requirements
D. Legal requirements
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan? A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations B. Make sure the scan is uncredentialled, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations C. Make sure the scan is credentialed has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations
D. Make sure the scan is credentialed, uses a limited plugin set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations
An organization wants to mitigate against risks associated with network reconnaissance. ICMP is already blocked at the firewall, however, a penetration testing team has been able to perform reconnaissance against the organization's network and identify active hosts. An analyst sees the following output from a packet capture (SEE FIG 98). Which of the following phrases from the output provides information on how the testing team is successfully getting around the ICMP firewall rule? A. flags=RA indicates the testing team is using a Christmas tree attack B. ttl=64 indicates the testing team is setting the TTL below the firewall's threshold C. 0 data bytes indicates the testing team is crafting empty ICMP packets D. NO FLAGS are set indicates the testing team is using hping
D. NO FLAGS are set indicates the testing team is using hping
The CIO of a large healthcare institution is concerned about all machines having direct access to sensitive patient information. Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure? A. A cloud access service broker system B. NAC to ensure minimum standards are met C. MFA on all workstations D. Network segmentation
D. Network segmentation
As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information. Which of the following BEST describes this test? A. Walk through B. Full interruption C. Simulation D. Parallel
D. Parallel
As a part of a merger with another organization, a CISO is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy. Based on the CISO's concerns, the assessor will MOST likely focus on: A. Qualitative probabilities B. Quantitative probabilities C. Qualitative magnitudes D. Quantitative magnitudes
D. Quantitative magnitudes
A security analyst is required to stay current with the most recent threat data and intelligence reports. When gathering data, it is MOST important for the data to be: A. Proprietary and timely B. Proprietary and accurate C. Relevant and deep D. Relevant and accurate
D. Relevant and accurate
Which of the following types of policies is used to regulate date storage on the network? A. Password B. Acceptable use C. Account management D. Retention
D. Retention
An information security analyst is reviewing backup data sets as part of a project focused on eliminated archival data sets. Which of the following should be considered FIRST prior to disposing of the electronic data? A. Sanitization policy B. Data sovereignty C. Encryption policy D. Retention standards
D. Retention standards
A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organizations. The security analyst's BEST response would be to coordinate with the legal department and: A. The public relation department B. Senior leadership C. Law enforcement D. The human resources department
D. The human resources department
While analyzing logs from a WAF, a cybersecurity analyst finds the following (SEE FIG 97). Which of the following BEST describes what the analyst had found? A. This is an encrypted GET HTTP request B. A packet is being used to bypass the WAF C. This is an encrypted packet D. This is an encoded WAF bypass
D. This is an encoded WAF bypass
An executive assistant wants to onboard a new cloud-based product to help with the business analytics and dashboarding. Which of the following would be the BEST integration option for this service? A. Manually log in to the service and upload data files on a regular basis B. Have the internal development team script connectivity and file transfers to the new service C. Create a dedicated SFTP site and schedule transfers to ensure file transport security D. Utilize the cloud product's API for supported and ongoing integrations
D. Utilize the cloud product's API for supported and ongoing integrations
An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being used as part of the testing and assessment? A. FaaS B. RTOS C. SoC D. GPS E. CAN bus
E. CAN bus
An organization has not had an incident for several months. The CISO wants to move a more proactive stance for security investigations. Which of the following would BEST meet that goal? A. Root-cause analysis B. Active response C. Advanced antivirus D. Information-sharing community E. Threat hunting
E. Threat hunting
