CYSA Personal Test Prep Questions
To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies? A. SCAP B. SAST C. DAST D. DACS
A
A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types of testing does this describe? A. Acceptance testing B. Stress testing C. Regression testing D. Penetration testing
A. Acceptance testing
A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and create actionable recommendations. Which of the following steps in the intelligence cycle is the security analyst performing? A. Analysis and production B. Processing and exploitation C. Dissemination and evaluation D. Data collection E. Planning and direction
A. Analysis and production
A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility caused the entire cluster to go offline. Which of the following solutions would work BEST to prevent this from happening again? A. Change management B. Application whitelisting C. Asset management D. Privilege management
A. Change management
An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company. Which of the following technical controls would BEST accomplish this goal? A. DLP B. Encryption C. Data masking D. SPF
A. DLP
A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources? A. Data enrichment B. Continuous integration C. Machine learning D. Workflow orchestration
A. Data enrichment
A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns? A. Data masking B. Data loss prevention C. Data minimization D. Data sovereignty
A. Data masking
A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements: * The partners' PCs must not connect directly to the laboratory network * The tools the partners need to access while on the laboratory network must be available to all partners * The partners must be able to run analyses on the laboratory network, which may take hours to complete. Which of the following capabilities will MOST likely meet the security objectives of the request? A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persis
A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
A business recently acquired a software company. The software company's security posture is unknown. However, based on an initial assessment, there are limited security controls. No significant security monitoring exists. Which of the following is the NEXT step that should be completed to obtain information about the software company's security posture? A. Develop an asset inventory to determine the systems within the software company. B. Review relevant network drawings, diagrams, and documentation. C. Perform penetration tests against the software company's internal and external networks. D. Baseline the software company's network to determine the ports and protocols in use.
A. Develop an asset inventory to determine the systems within the software company.
A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future? A. Enabling sandboxing technology B. Purchasing cyber insurance C. Enabling application blacklisting D. Installing a firewall between the workstations and internet
A. Enabling sandboxing technology
In response to an audit finding, a company's Chief Information Officer (CIO) instructed the security department to increase the security posture of the vulnerability management program. Currently, the company's vulnerability management program has the following attributes: ✑ It is unauthenticated. ✑ It is at the minimum interval specified by the audit framework. ✑ It only scans well-known ports. Which of the following would BEST increase the security posture of the vulnerability management program? A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans. B. Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed scans. C. Expand the ports being scanned to include all ports. I
A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise? A. Fully segregate the affected servers physically in a network segment, apart from the production network. B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours. C. Check the hash signatures, comparing them with malware databases to verify if the files are infected. D. Collect all the files that have changed and compare them with the previous baseline.
A. Fully segregate the affected servers physically in a network segment, apart from the production network.
A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal? A. Geotagging B. IP restrictions C. Reverse proxy D. Single sign-on
B. IP restrictions
Which of the following are considered PII by themselves? (Choose two.) A. Government ID B. Job title C. Employment start date D. Birth certificate E. Employer address F. Mother's maiden name
A. Government ID D. Birth certificate
Which of the following sources will provide the MOST relevant threat intelligence data to the security team of a dental care network? A. H-ISAC B. Dental forums C. Open threat exchange D. Dark web chatter
A. H-ISAC
While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor? A. Hacktivist B. Nation-state C. Insider threat D. Organized crime
A. Hacktivist
An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks? A. Implement MDM. B. Update the malware catalog. C. Patch the mobile device's OS. D. Block third-party applications.
A. Implement MDM.
A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement? A. Implement a secure supply chain program with governance. B. Implement blacklisting for IP addresses from outside the country C. Implement strong authentication controls for all contractors. D. Implement user behavior analytics for key staff members.
A. Implement a secure supply chain program with governance.
A cybersecurity analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of the following BEST describes a solution that would apply and cause fewer issues during the deployment phase? A. Implement port security with one MAC address per network port of the switch. B. Deploy network address protection with DHCP and dynamic VLANs C. Configure 802.1X and EAPOL across the network. D. Implement software-defined networking and security groups for isolation.
A. Implement port security with one MAC address per network port of the switch.
Due to a rise in cyber attackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customers' data is protected by the organization internally and externally. Which of the following countermeasures can BEST prevent the loss of customers' sensitive data? A. Implement privileged access management. B. Implement a risk management process. C. Implement multifactor authentication. D. Add more security resources to the environment.
A. Implement privileged access management.
An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent? A. Infrastructure B. Capabilities C. Adversary D. Victims
A. Infrastructure
Which of the following threat classifications would MOST likely use polymorphic code? A. Known threat B. Zero-day threat C. Unknown threat D. Advanced persistent threat
A. Known threat
A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements? A. Legal counsel B. Chief Security Officer C. Human resources D. Law enforcement
A. Legal counsel
Which of the following organizational initiatives would be MOST impacted by data sovereignty issues? A. Moving to a cloud-based environment B. Migrating to locally hosted virtual servers C. Implementing non-repudiation controls D. Encrypting local database queries
A. Moving to a cloud-based environment
A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request? A. Nessus B. Nikto C. Fuzzer D. Wireshark E. Prowler
A. Nessus
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing? A. Requirements analysis and collection planning B. Containment and eradication C. Recovery and post-incident review D. Indicator enrichment and research pivoting
A. Requirements analysis and collection planning
A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the security analyst while performing this task? A. Static analysis B. Dynamic analysis C. Regression testing D. User acceptance testing
A. Static analysis
A security analyst identified one server that was compromised and used as a data mining machine, and a clone of the hard drive that was created. Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located? A. System timeline reconstruction B. System registry extraction C. Data carving D. Volatile memory analysis
A. System timeline reconstruction
The security team decides to meet informally to discuss and test their response plan for potential security breaches and emergency situations. Which of the following types of training will the security team perform? A. Tabletop exercise B. Red-team attack C. System assessment implementation D. Blue-team training E. White-team engagement
A. Tabletop exercise
Which of the following types of controls defines placing an ACL on a file folder? A. Technical control B. Confidentiality control C. Managerial control D. Operational control
A. Technical control
A security analyst reviews SIEM logs and detects a well-known malicious executable running on a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue? A. The malware is fileless and exists only in physical memory. B. The malware detects and prevents its own execution in a virtual environment. C. The antivirus does not have the malware's signature. D. The malware is being executed with administrative privileges.
A. The malware is fileless and exists only in physical memory.
The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication during incident response? A. To prevent adversaries from intercepting response and recovery details B. To ensure intellectual property remains on company servers C. To have a backup plan in case email access is disabled D. To ensure the management team has access to all the details that are being exchanged
A. To prevent adversaries from intercepting response and recovery details
Which of the following BEST explains the function of TPM? A. To provide hardware-based security features using unique keys B. To ensure platform confidentiality by storing security measurements C. To improve management of the OS Installations D. To implement encryption algorithms for hard drives
A. To provide hardware-based security features using unique keys
An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs? A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing. B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise. C. Sign up for vendor emails and create firmware update change plans for affected devices. D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.
A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
During a forensic investigation, a security analyst reviews some Session Initiation Protocol packets that came from a suspicious IP address. Law enforcement requires access to a VoIP call that originated from the suspicious IP address. Which of the following should the analyst use to accomplish this task? A. Wireshark B. iptables C. tcpdump D. NetFlow
A. Wireshark
A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify: A. detection and prevention capabilities to improve. B. which systems were exploited more frequently. C. possible evidence that is missing during forensic analysis. D. which analysts require more training. E. the time spent by analysts on each of the incidents.
A. detection and prevention capabilities to improve.
During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition? A. strings B. head C. fsstat D. dd
A. strings
A company has started planning the implementation of a vulnerability management procedure. However, its security maturity level is low, so there are some prerequisites to complete before risk calculation and prioritization. Which of the following should be completed FIRST? A. A business impact analysis B. A system assessment C. Communication of the risk factors D. A risk identification process
B. A system assessment
Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition? A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from nonauthorized access. B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition. C. Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data. D. Execute the command #dd if=/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.
B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting? A. SCADA B. CAN bus C. Modbus D. IoT
B. CAN bus
The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's single Internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT department? A. Require the guest machines to install the corporate-owned EDR solution B. Configure NAC to only allow machines on the network that are patched and have active antivirus C. Place a firewall in between the corporate network and the guest network D. Configure the IPS with rules that will detect common malware signatures traveling from the guest network
B. Configure NAC to only allow machines on the network that are patched and have active antivirus
A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future? A. IDS signatures B. Data loss prevention C. Port security D. Sinkholing
B. Data loss prevention
During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information? A. Set the web page to redirect to an application support page when a bad password is entered. B. Disable error messaging for authentication. C. Recognize that error messaging does not provide confirmation of the correct element of authentication. D. Avoid using password-based authentication for the application.
B. Disable error messaging for authentication.
A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance? A. Ensure the hardware appliance has the ability to encrypt the data before disposing of it. B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies. C. Return the hardware appliance to the vendor, as the vendor is responsible for disposal. D. Establish guidelines for the handling of sensitive information.
B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.
A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development database with the vendor? A. Establish an NDA with the vendor. B. Enable data masking of sensitive data tables in the database. C. Set all database tables to read only. D. Use a de-identified data process for the development database.
B. Enable data masking of sensitive data tables in the database.
An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is the BEST option? A. Require all remote employees to sign an NDA. B. Enforce geofencing to limit data accessibility. C. Require users to change their passwords more frequently. D. Update the AUP to restrict data sharing.
B. Enforce geofencing to limit data accessibility.
An analyst must review a new cloud-based SIEM solution. Which of the following should the analyst do FIRST prior to discussing the company's needs? A. Check industry news feeds for product reviews. B. Ensure a current non-disclosure agreement is on file. C. Perform a vulnerability scan against a test instance. D. Download the product security white paper.
B. Ensure a current non-disclosure agreement is on file.
A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step? A. Submit a change request to have the system patched. B. Evaluate the risk and criticality to determine if further action is necessary. C. Notify a manager of the breach and initiate emergency procedures. D. Remove the application from production and inform the users.
B. Evaluate the risk and criticality to determine if further action is necessary.
After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using? A. Header analysis B. File carving C. Metadata analysis D. Data recovery
B. File carving
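The header/footer scan the question describes, written out as an added example (not code from the original question set): a carver that walks raw disk bytes, finds a JPEG start-of-image marker, then the first end-of-image marker after it, and reports the file's offsets. A header with no footer is treated as a truncated file rather than carved, which is the usual edge case a carver has to handle. The sample_disk bytes are a constructed toy image, and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* JPEG start-of-image and end-of-image markers used as header and footer. */
static const unsigned char JPEG_SOI[3] = {0xFF, 0xD8, 0xFF};
static const unsigned char JPEG_EOI[2] = {0xFF, 0xD9};

/* Scans raw bytes from offset 'from' for a JPEG header, then for the first
   footer after it. On success stores the file's [start, end) offsets and
   returns 1. Returns 0 if no header is left, or if the header has no footer
   (a truncated or overwritten file, which must not be carved as complete). */
int carve_jpeg(const unsigned char *buf, size_t len, size_t from,
               size_t *start, size_t *end) {
    for (size_t i = from; i + sizeof JPEG_SOI <= len; i++) {
        if (memcmp(buf + i, JPEG_SOI, sizeof JPEG_SOI) != 0) continue;
        for (size_t j = i + sizeof JPEG_SOI; j + sizeof JPEG_EOI <= len; j++) {
            if (memcmp(buf + j, JPEG_EOI, sizeof JPEG_EOI) == 0) {
                *start = i;
                *end = j + sizeof JPEG_EOI;
                return 1;
            }
        }
        return 0;   /* header found, footer never seen: truncated file */
    }
    return 0;
}

/* Counts how many complete header..footer files a buffer holds. */
int count_jpegs(const unsigned char *buf, size_t len) {
    int count = 0;
    size_t from = 0, s, e;
    while (carve_jpeg(buf, len, from, &s, &e)) {
        count++;
        from = e;
    }
    return count;
}

/* Constructed sample "disk image" (not real disk data): slack bytes, a
   minimal JPEG-like blob (SOI, APP0/JFIF marker, a few data bytes, EOI),
   more slack, then a second header with no footer, i.e. a truncated file. */
static const unsigned char sample_disk[] = {
    0x00, 0x11, 0x22, 0x33,                                        /* 0-3: slack */
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,  /* 4-14: SOI + APP0 */
    0xAA, 0xBB, 0xCC,                                              /* 15-17: image data */
    0xFF, 0xD9,                                                    /* 18-19: EOI */
    0x44, 0x55,                                                    /* 20-21: slack */
    0xFF, 0xD8, 0xFF, 0x01, 0x02                                   /* 22-26: truncated file */
};

/* Carves the first file out of the sample; returns its size in bytes. */
size_t carve_sample_size(size_t *start, size_t *end) {
    if (!carve_jpeg(sample_disk, sizeof sample_disk, 0, start, end)) return 0;
    return *end - *start;
}

int main(void) {
    size_t s, e;
    size_t n = carve_sample_size(&s, &e);
    printf("carved %zu bytes at offsets %zu..%zu, complete files: %d\n",
           n, s, e, count_jpegs(sample_disk, sizeof sample_disk));
    if (n > 0) {
        FILE *out = fopen("carved_0.jpg", "wb");
        if (out != NULL) {
            fwrite(sample_disk + s, 1, n, out);
            fclose(out);
        }
    }
    return 0;
}
```

On a real image the buffer would be read in chunks from a dd copy of the drive and the carver would also cap the search distance between header and footer, since a missing footer otherwise makes it scan to the end of the disk.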
A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration? A. Deploy an edge firewall. B. Implement DLP. C. Deploy EDR. D. Encrypt the hard drives.
B. Implement DLP.
An organization is upgrading its network and all of its workstations. The project will occur in phases, with infrastructure upgrades each month and workstation installs every other week. The schedule should accommodate the enterprise-wide changes, while minimizing the impact to the network. Which of the following schedules BEST addresses these requirements? A. Monthly vulnerability scans, biweekly topology scans, daily host discovery scans B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans C. Monthly host discovery scans, biweekly vulnerability scans, monthly topology scans D. Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans
B. Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans
Due to continued support of legacy applications, an organization's enterprise password complexity rules are inadequate for its required security posture. Which of the following is the BEST compensating control to help reduce authentication compromises? A. Smart cards B. Multifactor authentication C. Biometrics D. Increased password-rotation frequency
B. Multifactor authentication
A security analyst receives an alert to expect increased and highly advanced cyberattacks originating from a foreign country that recently had sanctions implemented. Which of the following describes the type of threat actors that should concern the security analyst? A. Insider threat B. Nation-state C. Hacktivist D. Organized crime
B. Nation-state
A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation? A. Enforce the existing security standards and controls. B. Perform a risk analysis and qualify the risk with legal. C. Perform research and propose a better technology. D. Enforce the standard permits.
B. Perform a risk analysis and qualify the risk with legal.
A help desk technician inadvertently sent the credentials of the company's CRM in cleartext to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT? A. Contact the CRM vendor. B. Prepare an incident summary report. C. Perform postmortem data correlation. D. Update the incident response plan.
B. Prepare an incident summary report.
A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment. Which of the following is the BEST solution? A. Virtualize the system and decommission the physical machine. B. Remove it from the network and require air gapping. C. Implement privileged access management for identity access. D. Implement MFA on the specific system.
B. Remove it from the network and require air gapping.
An internally developed file-monitoring system identified the following excerpt as causing a program to crash often: char filedata[100]; fp = fopen("access.log", "r"); strcpy(filedata, fp); printf("%s\n", filedata); Which of the following should a security analyst recommend to fix the issue? A. Open the access.log file in read/write mode. B. Replace the strcpy function. C. Perform input sanitization. D. Increase the size of the file data buffer.
B. Replace the strcpy function.
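The excerpt crashes because strcpy copies until it finds a NUL byte, with no regard for the 100-byte destination; any log line longer than that overruns the stack buffer (and passing a FILE* to strcpy is a type error on top of that). The following is an added example, not code from the original question: a bounded copy that reports truncation instead of overflowing, and a line reader built on fgets, which never writes more than the buffer size. The names bounded_copy, read_line_bounded and demo_oversized_line are assumptions for illustration; the 300-byte sample line is constructed in a temporary file so the demo runs without an access.log.

```c
#include <stdio.h>
#include <string.h>

#define FILEDATA_LEN 100   /* same size as the question's char filedata[100] */

/* Bounded replacement for strcpy: copies at most dstlen-1 bytes, always
   NUL-terminates dst, and returns 1 if src had to be truncated. */
int bounded_copy(char *dst, size_t dstlen, const char *src) {
    if (dstlen == 0) return 1;
    size_t n = strlen(src);
    int truncated = (n >= dstlen);
    if (truncated) n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return truncated;
}

/* Reads one line from fp into buf with fgets, which writes at most buflen-1
   bytes plus the terminator. Strips the newline and returns the length, or
   -1 on EOF/error. A line longer than the buffer is cut at buflen-1 bytes;
   the remainder comes back on the next call instead of over the stack. */
int read_line_bounded(FILE *fp, char *buf, size_t buflen) {
    if (buflen == 0 || fgets(buf, (int)buflen, fp) == NULL) return -1;
    buf[strcspn(buf, "\n")] = '\0';
    return (int)strlen(buf);
}

/* Constructed sample: a single 300-byte line, three times the buffer size,
   written to a temporary file (ISO C tmpfile) so no access.log is needed. */
int demo_oversized_line(void) {
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    for (int i = 0; i < 300; i++) fputc('A', fp);
    fputc('\n', fp);
    rewind(fp);
    char filedata[FILEDATA_LEN];
    int n = read_line_bounded(fp, filedata, sizeof filedata);
    fclose(fp);
    return n;   /* 99: the read was bounded, no stack buffer was overrun */
}

int main(void) {
    char filedata[FILEDATA_LEN];
    FILE *fp = fopen("access.log", "r");
    if (fp != NULL) {
        while (read_line_bounded(fp, filedata, sizeof filedata) >= 0)
            printf("%s\n", filedata);
        fclose(fp);
    }
    printf("oversized line read as %d bytes\n", demo_oversized_line());
    return 0;
}
```

Answer D (a bigger buffer) only moves the crash to a longer line; the fix is to stop using an unbounded copy at all, which is why B is the right recommendation.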
A vulnerability assessment solution is hosted in the cloud. This solution will be used as an accurate inventory data source for both the configuration management database and the governance, risk, and compliance tool. An analyst has been asked to automate the data acquisition. Which of the following would be the BEST way to acquire the data? A. CSV export B. SOAR C. API D. Machine learning
C. API
Which of the following is a difference between SOAR and SCAP? A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics. B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope. C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does. D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
Which of the following is an advantage of SOAR over SIEM? A. SOAR is much less expensive. B. SOAR reduces the amount of human intervention required. C. SOAR can aggregate data from many sources. D. SOAR uses more robust encryption protocols.
B. SOAR reduces the amount of human intervention required.
A company's application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement? A. Input validation B. Security regression testing C. Application fuzzing D. User acceptance testing E. Stress testing
B. Security regression testing
Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities? A. Set up an FTP server that both companies can access and export the required financial data to a folder. B. Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection. C. Set up a PKI between Company A and Company B and intermediate shared certificates between the two entities. D. Create static NATs on each entity's firewalls that map to the ERP systems and use native ERP authentication to allow access.
B. Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection.
A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST approach? A. Degaussing B. Shredding C. Formatting D. Encrypting
B. Shredding
An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.) A. Pause the virtual machine. B. Shut down the virtual machine. C. Take a snapshot of the virtual machine. D. Remove the NIC from the virtual machine. E. Review host hypervisor log of the virtual machine. F. Execute a migration of the virtual machine.
C. Take a snapshot of the virtual machine. E. Review host hypervisor log of the virtual machine.
A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port? A. The server is configured to communicate on the secure database standard listener port. B. Someone has configured an unauthorized SMTP application over SSL. C. A connection from the database to the web front end is communicating on the port. D. The server is receiving a secure connection using the new TLS 1.3 standard.
B. Someone has configured an unauthorized SMTP application over SSL.
A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely perform to validate the code prior to pushing it to production? A. Web-application vulnerability scan B. Static analysis C. Packet inspection D. Penetration test
B. Static analysis
Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications? A. Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot. B. Supervised algorithms require security analyst feedback, while unsupervised algorithms do not. C. Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are. D. Unsupervised algorithms produce more false positives than supervised algorithms.
B. Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.
A company's domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the analyst finds the following: v=DMARC1; p=none; fo=0; rua=mailto:[email protected]; ruf=mailto:[email protected]; adkim=r; rf=afrf; ri=86400; Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers? A. The DMARC record's DKIM alignment tag is incorrectly configured. B. The DMARC record's policy tag is incorrectly configured. C. The DMARC record does not have an SPF alignment tag. D. The DMARC record's version tag is set to DMARC1 instead of the current version, which is DMARC3.
B. The DMARC record's policy tag is incorrectly configured.
A security analyst needs to develop a brief that will include the latest incidents and the attack phases of the incidents. The goal is to support threat intelligence and identify whether or not the incidents are linked. Which of the following methods would be MOST appropriate to use? A. The Cyber Kill Chain B. The MITRE ATT&CK framework C. An adversary capability model D. The Diamond Model of Intrusion Analysis
B. The MITRE ATT&CK framework
Which of the following are reasons why consumer IoT devices should be avoided in an enterprise environment? (Choose two.) A. Message queuing telemetry transport does not support encryption. B. The devices may have weak or known passwords. C. The devices may cause a dramatic increase in wireless network traffic. D. The devices may utilize unsecure network protocols. E. Multiple devices may interfere with the functions of other IoT devices. F. The devices are not compatible with TLS 1.2.
B. The devices may have weak or known passwords. D. The devices may utilize unsecure network protocols.
Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or private disclosures of an incident? A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident. B. The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures. C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution. D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.
B. The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.
Which of the following is MOST dangerous to the client environment during a vulnerability assessment/penetration test? A. There is a longer period of time to assess the environment. B. The testing is outside the contractual scope. C. There is a shorter period of time to assess the environment. D. No status reports are included with the assessment.
B. The testing is outside the contractual scope.
A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation? A. Data carving B. Timeline construction C. File cloning D. Reverse engineering
B. Timeline construction
Which of the following BEST explains the function of a managerial control? A. To help design and implement the security planning, program development, and maintenance of the security life cycle B. To guide the development of training, education, security awareness programs, and system maintenance C. To create data classification, risk assessments, security control reviews, and contingency planning D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails
B. To guide the development of training, education, security awareness programs, and system maintenance
Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response? A. To identify weaknesses in an organization's security posture B. To identify likely attack scenarios within an organization C. To build a business continuity plan for an organization D. To build a network segmentation strategy
B. To identify likely attack scenarios within an organization
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal? A. To create a system baseline B. To reduce the attack surface C. To optimize system performance D. To improve malware detection
B. To reduce the attack surface
Which of the following allows Secure Boot to be enabled? A. eFuse B. UEFI C. HSM D. PAM
B. UEFI
A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to take? A. Disable the appropriate settings in the administrative template of the Group Policy. B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership. C. Modify the registry keys that correlate with the access settings for the System32 directory. D. Remove the user's permissions from the various system executables.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task? A. dcfldd if=/dev/one of=/mnt/usb/evidence.bin hash=md5, sha1 hashlog=/mnt/usb/evidence.bin.hashlog B. dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin > /mnt/usb/evidence.bin.hash C. tar -zcf /mnt/usb/evidence.tar.gz / -except /mnt; sha256sum /mnt/usb/evidence.tar.gz > /mnt/usb/evidence.tar.gz.hash D. find / -type f -exec cp {} /mnt/usb/evidence/ \; sha1sum /mnt/usb/evidence/* > /mnt/usb/evidence/evidence.hash
B. dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin > /mnt/usb/evidence.bin.hash
A computer hardware manufacturer is developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades? A. Encryption B. eFuse C. Secure Enclave D. Trusted execution
B. eFuse
Understanding attack vectors and integrating intelligence sources are important components of: A. a vulnerability management plan. B. proactive threat hunting. C. risk management compliance. D. an incident response plan.
B. proactive threat hunting.
An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has created a script to snapshot the system configuration each day. Following is one of the scripts: cat /etc/passwd > daily_$(date +"%m_%d_%Y") This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script? A. diff daily_11_03_2019 daily_11_04_2019 B. ps -ef | grep admin > daily_process_$(date +"%m_%d_%Y") C. more /etc/passwd > daily_$(date +"%m_%d_%Y_%H:%M:%S") D. ls -lai /usr/sbin > daily_applications
B. ps -ef | grep admin > daily_process_$(date +"%m_%d_%Y")
Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user's web application? A. Deploying HIPS to block malicious ActiveX code B. Installing network-based IPS to block malicious ActiveX code C. Adjusting the web-browser settings to block ActiveX controls D. Configuring a firewall to block traffic on ports that use ActiveX controls
C. Adjusting the web-browser settings to block ActiveX controls
Which of the following is MOST closely related to the concept of privacy? A. The implementation of confidentiality, integrity, and availability B. A system's ability to protect the confidentiality of sensitive information C. An individual's control over personal information D. A policy implementing strong identity management processes
C. An individual's control over personal information
A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network. Customers are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance, log them, and forward them to a central repository for evaluation. Which of the following processes is the company using to ensure the appliance is not altered from its original configured state? A. CI/CD B. Software assurance C. Anti-tamper D. Change management
C. Anti-tamper
A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network? A. VDI B. SaaS C. CASB D. FaaS
C. CASB
After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue? A. Privilege management B. Group Policy Object management C. Change management D. Asset management
C. Change management
During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue? A. Warn the incident response team that the server can be compromised. B. Open a ticket informing the development team about the alerts. C. Check if temporary files are being monitored. D. Dismiss the alert, as the new application is still being adapted to the environment.
C. Check if temporary files are being monitored.
During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future? A. Share details of the security incident with the organization's human resources management team. B. Note the security incident so other analysts are aware the traffic is malicious. C. Communicate the security incident to the threat team for further review and analysis. D. Report the security incident to a manager for inclusion in the daily report.
C. Communicate the security incident to the threat team for further review and analysis.
An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place, which of the following should be notified for lessons learned? A. The human resources department B. Customers C. Company leadership D. The legal team
C. Company leadership
A small business does not have enough staff in the accounting department to segregate duties. The comptroller writes the checks for the business and reconciles them against the ledger. To ensure there is no fraud occurring, the business conducts quarterly reviews in which a different officer in the business compares all the cleared checks against the ledger. Which of the following BEST describes this type of control? A. Deterrent B. Preventive C. Compensating D. Detective
C. Compensating
A security analyst observes a large amount of scanning activity coming from an IP address outside the organization's environment. Which of the following should the analyst do to block this activity? A. Create an IPS rule to block the subnet. B. Sinkhole the IP address. C. Create a firewall rule to block the IP address. D. Close all unnecessary open ports.
C. Create a firewall rule to block the IP address.
After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time? A. Make a backup of the server and update the JBoss server that is running on it. B. Contact the vendor for the legacy application and request an updated version. C. Create a proper DMZ for outdated components and segregate the JBoss server. D. Apply virtualization over the server, using the new platform to provide the JBoss service for the legacy application as an external service.
C. Create a proper DMZ for outdated components and segregate the JBoss server.
Which of the following data security controls would work BEST to prevent real PII from being used in an organization's test cloud environment? A. Encryption B. Data loss prevention C. Data masking D. Digital rights management E. Access control
C. Data masking
A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective? A. A TXT record on the name server for SPF B. DNSSEC keys to secure replication C. Domain Keys Identified Mail D. A sandbox to check incoming mail
C. Domain Keys Identified Mail
An organization is developing software to match customers' expectations. Before the software goes into production, it must meet the following quality assurance guidelines: ✑ Uncover all the software vulnerabilities. ✑ Safeguard the interest of the software's end users. ✑ Reduce the likelihood that a defective program will enter production. ✑ Preserve the interests of the software producer. Which of the following should be performed FIRST? A. Run source code against the latest OWASP vulnerabilities. B. Document the life-cycle changes that took place. C. Ensure verification and validation took place during each phase. D. Store the source code in a software escrow. E. Conduct a static analysis of the code.
C. Ensure verification and validation took place during each phase.
A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of incident in the future? A. Implement a UTM instead of a stateful firewall and enable gateway antivirus. B. Back up the workstations to facilitate recovery and create a gold image. C. Establish a ransomware awareness program and implement secure and verifiable backups. D. Virtualize all the endpoints with daily snapshots of the virtual machines.
C. Establish a ransomware awareness program and implement secure and verifiable backups.
An employee was found to have performed fraudulent activities. The employee was dismissed, and the employee's laptop was sent to the IT service desk to undergo a data sanitization procedure. However, the security analyst responsible for the investigation wants to avoid data sanitization. Which of the following can the security analyst use to justify the request? A. GDPR B. Data correlation procedure C. Evidence retention D. Data retention
C. Evidence retention
The Chief Information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue? A. Include digital signatures on messages originating within the company. B. Require users to authenticate to the SMTP server. C. Implement DKIM to perform authentication that will prevent the issue. D. Set up an email analysis solution that looks for known malicious links within the email.
C. Implement DKIM to perform authentication that will prevent the issue.
A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data? A. Implement UEM on all systems and deploy security software. B. Implement DLP on all workstations and block company data from being sent outside the company. C. Implement a CASB and prevent certain types of data from being downloaded to a workstation. D. Implement centralized monitoring and logging for all company systems.
C. Implement a CASB and prevent certain types of data from being downloaded to a workstation.
A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend? A. Implement a honeypot. B. Air gap sensitive systems. C. Increase the network segmentation. D. Implement a cloud-based architecture.
C. Increase the network segmentation.
Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry? A. Real-time and automated firewall rules subscriptions B. Open-source intelligence, such as social media and blogs C. Information sharing and analysis membership D. Common vulnerability and exposure bulletins
C. Information sharing and analysis membership
A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen? A. Implement a mobile device wiping solution for use once the device returns home. B. Install a DLP solution to track data flow. C. Install an encryption solution on all mobile devices. D. Train employees to report a lost or stolen laptop to the security department immediately.
C. Install an encryption solution on all mobile devices.
A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen? A. Implement a mobile device wiping solution for use if a device is lost or stolen. B. Install a DLP solution to track data flow. C. Install an encryption solution on all mobile devices. D. Train employees to report a lost or stolen laptop to the security department immediately.
C. Install an encryption solution on all mobile devices.
A company's security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported, and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats? A. Deploy whitelisting to the identified workstations to limit the attack surface. B. Determine the system process criticality and document it. C. Isolate the workstations and air gap them when it is feasible. D. Increase security monitoring on the workstations.
C. Isolate the workstations and air gap them when it is feasible.
Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider? A. Logging and monitoring are not needed in a public cloud environment. B. Logging and monitoring are done by the data owners. C. Logging and monitoring duties are specified in the SLA and contract. D. Logging and monitoring are done by the service provider.
C. Logging and monitoring duties are specified in the SLA and contract.
A consultant is evaluating multiple threat intelligence feeds to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client's attack surface? A. Ask for external scans from industry peers, look at the open ports, and compare information with the client. B. Discuss potential tools the client can purchase to reduce the likelihood of an attack. C. Look at attacks against similar industry peers and assess the probability of the same attacks happening. D. Meet with the senior management team to determine if funding is available for recommended solutions.
C. Look at attacks against similar industry peers and assess the probability of the same attacks happening.
A company frequently experiences issues with credential stuffing attacks. Which of the following is the BEST control to help prevent these attacks from being successful? A. SIEM B. IDS C. MFA D. TLS
C. MFA
While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two.) A. On a private VLAN B. Full disk encrypted C. Powered off D. Backed up hourly E. VPN accessible only F. Air gapped
C. Powered off F. Air gapped
An analyst receives an alert from the continuous-monitoring solution about unauthorized changes to the firmware versions on several field devices. The asset owners confirm that no firmware version updates were performed by authorized technicians, and customers have not reported any performance issues or outages. Which of the following actions would be BEST for the analyst to recommend to the asset owners to secure the devices from further exploitation? A. Change the passwords on the devices. B. Implement BIOS passwords. C. Remove the assets from the production network for analysis. D. Report the findings to the threat intel community.
C. Remove the assets from the production network for analysis.
A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance? A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network. B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed. C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it. D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
A newly appointed Chief Information Security Officer has completed a risk assessment review of the organization and wants to reduce the numerous risks that were identified. Which of the following will provide a trend of risk mitigation? A. Planning B. Continuous monitoring C. Risk response D. Risk analysis E. Oversight
C. Risk response
During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the NEXT step the analyst should take? A. Validate the binaries' hashes from a trusted source. B. Use file integrity monitoring to validate the digital signature. C. Run an antivirus against the binaries to check for malware. D. Only allow whitelisted binaries to execute.
C. Run an antivirus against the binaries to check for malware.
A company uses an FTP server to support its critical business functions. The FTP server is configured as follows: ✑ The FTP service is running with the data directory configured in /opt/ftp/data. ✑ The FTP server hosts employees' home directories in /home. ✑ Employees may store sensitive information in their home directories. An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server? A. Implement file-level encryption of sensitive files. B. Reconfigure the FTP server to support FTPS. C. Run the FTP server in a chroot environment. D. Upgrade the FTP server to the latest version.
C. Run the FTP server in a chroot environment.
Which of the following is the BEST way to gather patch information on a specific server? A. Event Viewer B. Custom script C. SCAP software D. CI/CD
C. SCAP software
A security analyst notices the following entry while reviewing the server logs: OR 1=1' ADD USER attacker' PW 1337password' -- Which of the following events occurred? A. CSRF B. XSS C. SQLi D. RCE
C. SQLi
A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security review guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes? A. Internal management review B. Control assessment C. Tabletop exercise D. Peer review
C. Tabletop exercise
A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no additional security controls have been implemented. Which of the following should the analyst review FIRST? A. The DNS configuration B. Privileged accounts C. The IDS rule set D. The firewall ACL
C. The IDS rule set
As part of the senior leadership team's ongoing risk management activities, the Chief Information Security Officer has tasked a security analyst with coordinating the right training and testing methodology to respond to new business initiatives or significant changes to existing ones. The management team wants to examine a new business process that would use existing infrastructure to process and store sensitive data. Which of the following would be appropriate for the security analyst to coordinate? A. A black-box penetration testing engagement B. A tabletop exercise C. Threat modeling D. A business impact analysis
C. Threat modeling
A proposed network architecture requires systems to be separated from each other logically based on defined risk levels. Which of the following explains the reason why an architect would set up the network this way? A. To complicate the network and frustrate a potential malicious attacker B. To create a design that simplifies the supporting network C. To reduce the attack surface of those systems by segmenting the network based on risk D. To reduce the number of IP addresses that are used on the network
C. To reduce the attack surface of those systems by segmenting the network based on risk
Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets? A. Remote code execution B. Buffer overflow C. Unauthenticated commands D. Certificate spoofing
C. Unauthenticated commands
Which of the following is MOST important when developing a threat hunting program? A. Understanding penetration testing techniques B. Understanding how to build correlation rules within a SIEM C. Understanding security software technologies D. Understanding assets and categories of assets
C. Understanding security software technologies
An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to attack another virtual machine to gain access to the data. Through the use of the cloud host's hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system? A. Sandbox the virtual machine. B. Implement an MFA solution. C. Update to the secure hypervisor version. D. Implement dedicated hardware for each customer.
C. Update to the secure hypervisor version.
A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action? A. Automate the use of a hashing algorithm after verified users make changes to their data. B. Use encryption first and then hash the data at regular, defined times. C. Use a DLP product to monitor the data sets for unauthorized edits and changes. D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.
C. Use a DLP product to monitor the data sets for unauthorized edits and changes.
Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements? A. Security regression testing B. Code review C. User acceptance testing D. Stress testing
C. User acceptance testing
A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend? A. Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises. B. Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion. C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud. D. Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.
C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.
A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete this task, the analyst should place the: A. firewall behind the VPN server. B. VPN server parallel to the firewall. C. VPN server behind the firewall. D. VPN on the firewall.
C. VPN server behind the firewall.
According to a static analysis report for a web application, a dynamic code evaluation script injection vulnerability was found. Which of the following actions is the BEST option to fix the vulnerability in the source code? A. Delete the vulnerable section of the code immediately. B. Create a custom rule on the web application firewall. C. Validate user input before execution and interpretation. D. Use parameterized queries.
C. Validate user input before execution and interpretation.
A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that contain SPI. Prior to the deployment, the analyst should conduct: A. a tabletop exercise. B. a business impact analysis. C. a PCI assessment. D. an application stress test.
C. a PCI assessment.
When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal? A. nmap -sA -O -noping B. nmap -sT -O -Pn C. nmap -sS -O -Pn D. nmap -sQ -O -Pn
C. nmap -sS -O -Pn
The majority of a company's employees have stated they are unable to perform their job duties due to outdated workstations, so the company has decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution? A. A Linux-based system and mandatory training on Linux for all BYOD users B. A firewalled environment for client devices and a secure VDI for BYOD users C. A standardized anti-malware platform and a unified operating system vendor D. 802.1X to enforce company policy on BYOD user hardware
D. 802.1X to enforce company policy on BYOD user hardware
Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity? A. Reverse engineering B. Application log collectors C. Workflow orchestration D. API integration E. Scripting
D. API integration
A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue? A. Blacklist the hash in the next-generation antivirus system. B. Manually delete the file from each of the workstations. C. Remove administrative rights from all developer workstations. D. Block the download of the file via the web proxy.
D. Block the download of the file via the web proxy. The next-gen antivirus already prevents it from executing.
A security analyst has received a report that servers are no longer able to connect to the network. After many hours of troubleshooting, the analyst determines a Group Policy Object is responsible for the network connectivity issues. Which of the following solutions should the security analyst recommend to prevent an interruption of service in the future? A. CI/CD pipeline B. Impact analysis and reporting C. Appropriate network segmentation D. Change management process
D. Change management process
Which of the following incident response components can identify who is the liaison between multiple lines of business and the public? A. Red-team analysis B. Escalation process and procedures C. Triage and analysis D. Communications plan
D. Communications plan
The SOC has received reports of slowness across all workstation network segments. The currently installed antivirus has not detected anything, but a different anti-malware product was just downloaded and has revealed a worm is spreading. Which of the following should be the NEXT step in this incident response? A. Send a sample of the malware to the antivirus vendor and request urgent signature creation. B. Begin deploying the new anti-malware on all uninfected systems. C. Enable an ACL on all VLANs to contain each segment. D. Compile a list of IoCs so the IPS can be updated to halt the spread.
D. Compile a list of IoCs so the IPS can be updated to halt the spread.
A host is spamming the network unintentionally. Which of the following control types should be used to address this situation? A. Managerial B. Technical C. Operational D. Corrective
D. Corrective
An organization is focused on restructuring its data governance programs, and an analyst has been tasked with surveying sensitive data within the organization. Which of the following is the MOST accurate method for the security analyst to complete this assignment? A. Perform an enterprise-wide discovery scan. B. Consult with an internal data custodian. C. Review enterprise-wide asset inventory. D. Create a survey and distribute it to data owners.
D. Create a survey and distribute it to data owners.
An organization has the following policy statements: ✑ All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content. ✑ All network activity will be logged and monitored. ✑ Confidential data will be tagged and tracked. ✑ Confidential data must never be transmitted in an unencrypted form. ✑ Confidential data must never be stored on an unencrypted mobile device. Which of the following is the organization enforcing? A. Acceptable use policy B. Data privacy policy C. Encryption policy D. Data management policy
D. Data management policy
A SIEM analyst receives an alert containing the following URL: http://companywebsite.com/displayPicture?filename=../../../../etc/passwd Which of the following BEST describes the attack? A. Password spraying B. Buffer overflow C. Insecure object access D. Directory traversal
D. Directory traversal
A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement? A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs. B. Moving the FPGAs between development sites will lessen the time that is available for security testing. C. Development phases occurring at multiple sites may produce change management issues. D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.
During an incident, it is determined that a customer database containing email addresses, first names, and last names was exfiltrated. Which of the following should the security analyst do NEXT? A. Consult with the legal department for regulatory impact. B. Encrypt the database with available tools. C. Email the customers to inform them of the breach. D. Follow the incident communications process.
D. Follow the incident communications process.
A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement? A. Data masking procedures B. Enhanced encryption functions C. Regular business impact analysis functions D. Geographic access requirements
D. Geographic access requirements
A cybersecurity analyst is establishing a threat-hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely be used for this purpose? A. IoC feeds B. CVSS scores C. Scrum D. ISAC
D. ISAC
A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process? A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed. B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections. C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses. D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent similar activity from happening in the future? A. An IPS signature modification for the specific IP addresses B. An IDS signature modification for the specific IP addresses C. A firewall rule that will block port 80 traffic D. Implement a web proxy to restrict malicious web content
D. Implement a web proxy to restrict malicious web content
An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST? A. Perform threat hunting in other areas of the cloud infrastructure. B. Contact law enforcement to report the incident. C. Perform a root cause analysis on the container and the service logs. D. Isolate the container from production using a predefined policy template.
D. Isolate the container from production using a predefined policy template.
Which of the following APT adversary archetypes represent non-nation-state threat actors? (Choose two.) A. Kitten B. Panda C. Tiger D. Jackal E. Bear F. Spider
D. Jackal F. Spider
A security analyst has discovered malware is spreading across multiple critical systems and is originating from a single workstation, which belongs to a member of the cyberinfrastructure team who has legitimate administrator credentials. An analysis of the traffic indicates the workstation swept the network looking for vulnerable hosts to infect. Which of the following would have worked BEST to prevent the spread of this infection? A. Vulnerability scans of the network and proper patching B. A properly configured and updated EDR solution C. A honeynet used to catalog the anomalous behavior and update the IPS D. Logical network segmentation and the use of jump boxes
D. Logical network segmentation and the use of jump boxes
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan? A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations. B. Make sure the scan is uncredentialed... C. Make sure the scan is credentialed, has the latest software and signature versions, covers all external hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. D. Make sure the scan is credentialed, uses a limited plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
D. Make sure the scan is credentialed, uses a limited plug-in set, scans all host IP addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
The Chief Information Officer (CIO) of a large healthcare institution is concerned about all machines having direct access to sensitive patient information. Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure? A. A cloud access service broker system B. NAC to ensure minimum standards are met C. MFA on all workstations D. Network segmentation
D. Network segmentation
An organization has specific technical risk mitigation configurations that must be implemented before a new server can be approved for production. Several critical servers were recently deployed with the antivirus missing, unnecessary ports disabled, and insufficient password complexity. Which of the following should the analyst recommend to prevent a recurrence of this risk exposure? A. Perform password-cracking attempts on all devices going into production B. Perform an Nmap scan on all devices before they are released to production C. Perform antivirus scans on all devices before they are approved for production D. Perform automated security controls testing of expected configurations prior to production
D. Perform automated security controls testing of expected configurations prior to production
The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets? A. MFA B. CASB C. SSO D. RBAC
D. RBAC
An information security analyst on a threat-hunting team is working with administrators to create a hypothesis related to an internally developed web application. The working hypothesis is as follows: ✑ Due to the nature of the industry, the application hosts sensitive data associated with many clients and is a significant target. ✑ The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose vulnerable services. ✑ The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application. As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SQL injection attacks.
D. Reducing the attack surface area
Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night. Which of the following actions should the analyst take NEXT? A. Disable the privileged account. B. Initiate the incident response plan. C. Report the discrepancy to human resources. D. Review the activity with the user.
D. Review the activity with the user.
While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST? A. Block the sender in the email gateway. B. Delete the email from the company's email servers. C. Ask the sender to stop sending messages. D. Review the message in a secure environment.
D. Review the message in a secure environment.
A security analyst is revising a company's MFA policy to prohibit the use of short message service (SMS) tokens. The Chief Information Officer has questioned this decision and asked for justification. Which of the following should the analyst provide as justification for the new policy? A. SMS relies on untrusted, third-party carrier networks. B. SMS tokens are limited to eight numerical characters. C. SMS is not supported on all handheld devices in use. D. SMS is a cleartext protocol and does not support encryption.
D. SMS is a cleartext protocol and does not support encryption.
A product security analyst has been assigned to evaluate and validate a new product's security capabilities. Part of the evaluation involves reviewing design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at the next checkpoint. Which of the following BEST describes the activity being conducted? A. User acceptance testing B. Stress testing C. Code review D. Security regression testing
D. Security regression testing
A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data confidentiality protection. Which of the following is the BEST technical security control to mitigate this risk? A. Switch to RADIUS technology. B. Switch to TACACS+ technology. C. Switch to MAC filtering. D. Switch to the WPA2 protocol.
D. Switch to the WPA2 protocol.
A threat hunting team received a new IoC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT? A. The whitelist B. The DNS C. The blocklist D. The IDS signature
D. The IDS signature
Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance? A. Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices. B. Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom tools for embedded devices. C. Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded devices. D. Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.
D. Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.
As part of an intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several domains and reputational information that suggest the company's employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST appropriate for intelligence gathering? A. Update the whitelist. B. Develop a malware signature. C. Sinkhole the domains. D. Update the blacklist.
D. Update the blacklist.
An organization supports a large number of remote users. Which of the following is the BEST option to protect the data on the remote users' laptops? A. Require the use of VPNs. B. Require employees to sign an NDA. C. Implement a DLP solution. D. Use whole disk encryption.
D. Use whole disk encryption.
An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service? A. Manually log in to the service and upload data files on a regular basis. B. Have the internal development team script connectivity and file transfers to the new service. C. Create a dedicated SFTP site and schedule transfers to ensure file transport security. D. Utilize the cloud product's API for supported and ongoing integrations.
D. Utilize the cloud product's API for supported and ongoing integrations.
A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport? A. CASB B. VPC C. Federation D. VPN
D. VPN
A security analyst is generating a list of recommendations for the company's insecure API. Which of the following is the BEST parameter mitigation recommendation? A. Use TLS for all data exchanges. B. Use effective authentication and authorization methods. C. Implement parameterized queries. D. Validate all incoming data.
D. Validate all incoming data.
Massivelog.log has grown to 40GB on a Windows server. At this size, local tools are unable to read the file, and it cannot be moved off the virtual server where it is located. Which of the following lines of PowerShell script will allow a user to extract the last 10,000 lines of the log for review? A. tail -10000 Massivelog.log > extract.txt B. info tail n -10000 Massivelog.log | extract.txt; C. get content './Massivelog.log' -Last 10000 | extract.txt D. get-content './Massivelog.log' -Last 10000 > extract.txt;
D. get-content './Massivelog.log' -Last 10000 > extract.txt;
An organization has not had an incident for several months. The Chief Information Security Officer wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal? A. Root-cause analysis B. Active response C. Advanced antivirus D. Information-sharing community E. Threat hunting
E. Threat hunting
At which of the following phases of the SDLC should security FIRST be involved? A. Design B. Maintenance C. Implementation D. Analysis E. Planning F. Testing
E. Planning