CySA+ (CS0-002)
A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Big Data sets. Exploitation of the vulnerability could cost the organization &1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised. Which of the following is the value of the risk? A. $75,000 B. $300,000 C. $1.425 million D. $1.5 million
A. $75,000
A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame. Which of the following is the MOST likely cause of this issue? A. A password-spraying attack was performed against the organization. B. A DDoS attack was performed against the organization. C. This was normal shift work activity; the SIEM's AI is learning. D. A credentialed external vulnerability scan was performed.
A. A password-spraying attack was performed against the organization.
An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures? A. A simulated breach scenario involving the incident response team B. Completion of annual information security awareness training by all employees C. Tabletop activities involving business continuity team members D. Completion of lessons-learned documentation by the computer security incident response team E. External and internal penetration testing by a third party
A. A simulated breach scenario involving the incident response team
A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptia.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task? A. Add TXT @ "v=spfl mx include:_spf.comptia.org -all" to the DNS record. B. Add TXT @ "v=spfl mx include:_spf.comptia.org -all" to the email server. C. Add TXT @ "v=spfl mx include:_spf.comptia.org -all" to the domain controller. D. Add TXT @ "v=spfl mx include:_spf.comptia.org -all" to the web server.
A. Add TXT @ "v=spfl mx include:_spf.comptia.org -all" to the DNS record.
A new on-premises application server was recently installed on the network. Remote access to the server was enabled for vendor support on required ports, but recent security reports show large amounts of data are being sent to various unauthorized networks through those ports. Which of the following configuration changes must be implemented to resolve this security issue while still allowing remote vendor access? A. Apply a firewall application server rule. B. Whitelist the application server. C. Sandbox the application server. D. Enable port security. E. Block the unauthorized networks.
A. Apply a firewall application server rule.
Which of the following is the MOST important objective of a post-incident review? A. Capture lessons learned and improve incident response processes. B. Develop a process for containment and continue improvement efforts. C. Identify new technologies and strategies to remediate. D. identify a new management strategy.
A. Capture lessons learned and improve incident response processes.
During an investigation, an analyst discovers the following rule in an executive's email client: IF * TO [email protected] THEN mailto: [email protected] SELECT FROM 'sent' THEN DELETE FROM [email protected] The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident? A. Check the server logs to evaluate which emails were sent to [email protected] B. Use the SIEM to correlate logging events from the email server and the domain server. C. Remove the rule from the email client and change the password. D. Recommend that management implement SPF and DKIM
A. Check the server logs to evaluate which emails were sent to [email protected]
Which of the following are components of the intelligence cycle? (Select TWO). A. Collection B. Normalization C. Response D. Analysis E. Correction F. Dissension
A. Collection D. Analysis
Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST likely cause of the infections? A. Compatibility mode B. Secure boot mode C. Native mode D. Fast boot mode
A. Compatibility mode
A security analyst has discovered that developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the internet. Which of the following changes should the security analyst make to BEST protect the environment? A. Create a security rule that blocks Internet access in the development VPC. B. Place a jumpbox in between the developers' workstation and the development VPC. C. Remove the administrator's profile from the developer user group in identity and access management. D. Create an alert that is triggered when a developer installs an application on a server.
A. Create a security rule that blocks Internet access in the development VPC.
A security analyst is attempting to utilize the following threat intelligence for developing detection capabilities: APT X's approach to a target would be sending a phishing email to the target after conducting active and passive reconnaissance. Upon successful compromise, APT X conducts internal reconnaissance and attempts to move laterally by utilizing existing resources. When APT X finds data that aligns to its objectives, it stages and then exfiltrates data sets in sizes that can range from 1GB to 5GB. APT X also establishes several backdoors to maintain a C2 presence in the environment. In which of the following phases is the APT MOST likely to leave discoverable artifacts? A. Data collection/exfiltration B. Defensive evasion C. Lateral movement D. Reconnaissance
A. Data collection/exfiltration
A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns? A. Data masking B. Data loss prevention C. Data minimization D. Data sovereignty
A. Data masking
A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality. Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing? A. Deidentification B. Encoding C. Encryption D. Watermarking
A. Deidentification
A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats. Which of the following is the MOST proactive tool or technique that feeds incident response capabilities? A. Development of a hypothesis as part of threat hunting B. Log correlation, monitoring, and automated reporting through a SIEM platform C. Continuous compliance monitoring using SCAP dashboards D. Quarterly vulnerability scanning using credentialed scans
A. Development of a hypothesis as part of threat hunting
A SECURITY ANALYST IS REVIEWING THE FOLLOWING WEB SERVER LOG: Get %2F..%2F..%2F..%2F..%2F..%2F..%2F../etc/password Which of the following BEST describes the issue? A. Directory traversal exploit B. Cross-site scripting C. SQL injection D. Cross-site request forgery
A. Directory traversal exploit
A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future? A. Enabling sandboxing technology B. Purchasing cyber-insurance C. Enabling application blacklisting D. Installing a firewall between the workstations and Internet
A. Enabling sandboxing technology
A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time? A. Establish an alternate site with active replication to other regions B. Configure a duplicate environment in the same region and load balance between both instances. C. Set up every cloud component with duplicated copies and auto-scaling turned on. D. Set up every cloud component with duplicated copies and auto-scaling turned off E. Create a duplicate copy on premises that can be used for failover in a disaster situation
A. Establish an alternate site with active replication to other regions
A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties. Which of the following would BEST satisfy the objectives defined by the compliance officer? (Select TWO). A. Executing vendor compliance assessments against the organization's security controls B. Executing NDAs prior to sharing critical data with third parties C. Soliciting third-party audit reports on an annual basis D. Maintaining and reviewing the organization risk assessment on a quarterly basis E. Completing a business impact assessment for all critical service providers F. Utilizing DLP capabilities at both the endpoint and perimeter levels
A. Executing vendor compliance assessments against the organization's security controls E. Completing a business impact assessment for all critical service providers
An analyst is participating in the solution analysis process for a cloud hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor? A. Gather information from providers, including datacenter specifications and copies of the audit reports. B. Identify SLA requirements for monitoring and logging. C. Consult with senior management for recommendations. D. Perform a proof of concept to identify possible solutions.
A. Gather information from providers, including datacenter specifications and copies of the audit reports.
A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal? A. Geofencing B. IP restrictions C. Reverse proxy D. Single sign-on
A. Geofencing
Which of the following technologies can be used to store digital certificates and is typically used in high security implementations where integrity is paramount? A. HSM B. eFuse C. UEFI D. Self-encrypting drive
A. HSM
A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following: $ ping 192.168.1.4 PING 192.168.1.4 (192.168.1.4) : 56 data bytes --- 192.168.1.4 ping statistics --- 4 packets transmitted, 0 packets received, 100.0% packet loss The analyst runs the following command next: $ sudo hping3 -c 4 -n -I 192.168.1.4 HPING 192.168.1.4 (en1 192.168.1.4) : NO FLAGS are set, 40 headers + 0 data bytes lens=46 ip=192.168..1.4 ttl=64 id=32101 sport=0 flags=RA seq=0 win=0 rtt=0 . 4ms lens=46 ip=192.168..1.4 ttl=64 id=32102 sport=2 flags=RA seq=1 win=0 rtt=0 . 3ms lens=46 ip=192.168..1.4 ttl=64 id=32103 sport=3 flags=RA seq=2 win=0 rtt=0 . 4ms lens=46 ip=192.168..1.4 ttl=64 id=32104 sport=4 flags=RA seq=3 win=0 rtt=0 . 4ms --- 10.0.1.33 hping statistic --- 4 packets transmitted, 4 packets received, 0% packet loss Which of the following would explain the difference in results? A. ICMP is being blocked by a firewall. B. The routing tables for ping and hping3 were difference. C. The original ping command needed root permission to execute. D. hping3 is returning a false positive.
A. ICMP is being blocked by a firewall.
An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message. In addition to retraining the employee, which of the following would prevent this from happening in the future? A. Implement outgoing filter rules to quarantine messages that contain card data. B. Configure the outgoing mail filter to allow attachments only to addresses on the whitelist. C. Remove all external recipients from the employee's address book. D. Set the outgoing mail filter to strip spreadsheet attachments from all messages.
A. Implement outgoing filter rules to quarantine messages that contain card data.
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operation? A. It enables the learn to prioritize the focus areas and tactics within the company's environment. B. It provides criticality analyses for key enterprise servers and services. C. It allows analysts to receive routine updates on newly discovered software vulnerabilities. D. It supports rapid response and recovery during and following an incident.
A. It enables the learn to prioritize the focus areas and tactics within the company's environment.
A security analyst implemented a solution that would analyze the attacks that the organization's firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command: $ sudo nc -l -v -e maildaemon.py 25 > caplog.txt Which of the following solutions did the analyst implement? A. Log collector B. Crontab mail script C. Sinkhole D. Honeypot
A. Log collector
Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.) A. Parameterized queries B. Session management C. Input validation D. Output encoding E. Data protection F. Authentication
A. Parameterized queries C. Input validation
A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Select TWO). A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. B. Remove the servers reported to have high and medium vulnerabilities. C. Tag the computers with critical findings as a business risk acceptance. D. Manually patch the computers on the network, as recommended on the CVE website. E. Harden the hosts on the network, as recommended by the NIST framework. F. Resolve the monthly job issues and test them before applying them to the production network.
A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. F. Resolve the monthly job issues and test them before applying them to the production network.
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Select TWO). A. Probability B. Adversary capability C. Attack vector D. Impact E. Classification F. Indicators of compromise
A. Probability D. Impact
A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided. Which of the following data privacy standards does this violate? A. Purpose limitation B. Sovereignty C. Data minimization D. Retention
A. Purpose limitation
A company's incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan? A. Quarantine the web server. B. Deploy virtual firewalls. C. Capture a forensic image of the memory and disk. D. Enable web server containerization.
A. Quarantine the web server
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing? A. Requirements analysis and collection planning B. Containment and eradication C. Recovery and post-incident review D. Indicator enrichment and research pivoting
A. Requirements analysis and collection planning
A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committed makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached. Which of the following risk actions has the security committee taken? A. Risk exception B. Risk avoidance C. Risk tolerance D. Risk acceptance
A. Risk exception
After receiving reports of high latency, a security analyst performs an Nmap scan and observes the following output: Port State Service Version 80/tcp open http Apache httpd 2.2.14 111/udp open rpcbind 443/tcp filtered https Apache httpd 2.2.14 2222/tcp open ssh OpenSSH 5.3p1 Debian 3306/tcp open mysql 5.5.40-Oubuntu0.14.1 Which of the following suggests the system that produced this output was compromised? A. Secure shell is operating on a non-standard port. B. There are no indicators of compromise on this system. C. MySQL service id identified on a standard PostgreSQL port. D. Standard HTTP is open on the system and should be closed.
A. Secure shell is operating on a non-standard port.
A security analyst receives an alert that highly sensitive information has left the company's network. Upon investigation, the analyst discovers an outside IP range has had connections from three servers more than 100 times in the past month. The affected servers are virtual machines. Which of the following is the BEST course of action? A. Shut down the servers as soon as possible, move them to a clean environment, restart, run a vulnerability scanner to find weaknesses, determine the root cause, remediate, and report. B. Report the data exfiltration to management, take the affected servers offline, conduct an antivirus scan, remediate all threats found, and return the servers to service. C. Disconnect the affected servers from the network, use the virtual machine console to access the systems, determine which information has left the network, find the security weakness, and remediate. D. Determine if any other servers have been affected, snapshot any servers found, determine the vector that was used to allow the data exfiltration, fix any vulnerabilities, remediate, and report.
A. Shut down the servers as soon as possible, move them to a clean environment, restart, run a vulnerability scanner to find weaknesses, determine the root cause, remediate, and report.
A security analyst is reviewing the following requirements for new time clocks that will be installed in a shipping warehouse: The clocks must be configured so they do not respond to ARP broadcasts. The server must be configured with static ARP entries for each clock. Which of the following types of attacks will this configuration mitigate? A. Spoofing B. Overflows C. Rootkits D. Sniffing
A. Spoofing
Which of the following assessment methods should be used to analyze how specialized software performs during heavy loads? A. Stress test B. API compatibility test C. Code review D. User acceptance test E. Input validation
A. Stress test
An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function? A. TPM B. eFuse C. FPGA D. HSM E. UEFI
A. TPM
An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use? A. Tcpdump -X dst port 21 B. ftp ftp.server -p 21 C. nmap -o ftp.server -p 21 D. telnet ftp.server 21
A. Tcpdump -X dst port 21
A cybersecurity analyst in investigating a potential incident multiple systems on a company's internal network. Although there is a negligible impact to performance, the following systemoms are present on each of the affected systems: Existence of a new and unexpected svchost.exe process Persistent, outbound TCP/IP connections to an unknown external host with routine keep-alives transferred DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain If this situation remains unresolved, which of the following will MOST likely occur? A. The affected hosts may participate in a coordinated DDoS attack upon command B. An adversary may leverage the affected hosts to reconfigure the company's router ACLs. C. Key files on the affected hosts may become encrypted and require ransom payment for unlock. D. The adversary may attempt to perform a man-in-the-middle attack.
A. The affected hosts may participate in a coordinated DDoS attack upon command
A security analyst recently used Archni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output: [+] XSS: In form input 'txtSearch' with action https://localhost/search.aspx [+] XSS: Analyzing response #1. . . [+] XSS: Analyzing response #2. . . [+] XSS: Analyzing response #3. . . [+] XSS: Response is tainted. Looking for proof of the vulnerability. Which of the following is the MOST likely reason for this vulnerability? A. The developer set input validation protection on the specific field of search.aspx. B. The developer did not set proper cross-site scripting protections in the header. C. The developer did not implement default protections in the web application build. D. The developer did not set proper cross-site request forgery protections.
A. The developer set input validation protection on the specific field of search.aspx
During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving? A. The system memory B. The hard drive C. Network packets D. The Windows Registry
A. The system memory
A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output: Antivirus is installed on the remote host: Installation path: C:\Program Files\AVProduct\Win32\ Product Engine: 14.12.101 Engine Version: 3.5.71 Scanner does not currently have information about AVProduct version 3.5.71. It may no Longer be supported. The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation? A. This is a false positive, and the scanning plugin needs to be updated by the vendor. B. This is a true negative, and the new computers have the correct version of the software. C. This is a true positive, and the new computers were imaged with an old version of the software. D. This is a false negative, and the new computers need to be updated by the desktop team.
A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
An analyst has been asked to provide feedback regarding the controls required by a revised regulatory framework. At this time, the analyst only needs to focus on the technical controls. Which of the following should the analyst provide an assessment of? A. Tokenization of sensitive data B. Establishment of data classifications C. Reporting on data retention and purging activities D. Formal identification of data ownership E. Execution of NDAs
A. Tokenization of sensitive data
A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server. Tool A reported the following: The target host (10=92.168.10.13) is missing the following patches: CRITICAL KB50227328: Windows Server 2016 June 2019 Cumulative Update CRITICAL KB50255293: Windows Server 2016 June 2019 Cumulative Update HIGH MS10-055: Cumulative Security Update for Edge (2863871) Tool B reported the following: Methods GET HEAD OPTIONS POST TRACE are allowed on 192.168.10.13:80 192.168.10.13:443 uses a self-signed certificate Apache 4.2.x < 4.2.28 Contains Multiple Vulnerabilities Which of the following BEST describes the method used by each tool? (Select TWO). A. Tool A is agent based. B. Tool A used fuzzing logic to test vulnerabilities. C. Tool A is unauthenticated. D. Tool B utilized machine learning technology. E. Tool B is agent based. F. Tool B is unauthenticated
A. Tool A is agent based. F. Tool B is unauthenticated
An organization has several systems that require specific logons. Over the past few months, the security analyst has noticed numerous failed logon attempts followed by password resets. Which of the following should the analyst do to reduce the occurrence of legitimate failed logins and password resets? A. Use SSO across all applications. B. Perform a manual privilege review. C. Adjust the current monitoring and logging rules. D. Implement multifactor authentication.
A. Use SSO across all applications
A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that: A. enables remote code execution that is being exploited in the wild. B. enables data leakage but is not known to be in the environment. C. enables lateral movement and was reported as a proof of concept. D. affected the organization in the past but was probably contained and eradicated.
A. enables remote code execution that is being exploited in the wild.
A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement: A. federated authentication. B. role-based access control. C. manual account reviews D. multifactor authentication.
A. federated authentication
While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be: A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network. B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate. C. bridged between the IT and operational technology networks to allow authenticated access. D. Placed on the IT side of the network, authenticated, and tunneled into the ICS environment.
A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.
While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements: All sensitive data must be classified. All sensitive data must be purged on a quarterly basis. Certificates of disposal must remain on file for at least three years. This framework controls is MOST likely classified as: A. prescriptive. B. risk-based. C. preventive. D. corrective.
A. prescriptive.
A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviewed the email and decides to download the attachment to be a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious? A. sha256sum B. file C. strings D. cat
A. sha256sum
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output: 1286 ? Ss 0:00 /usr/sbin/cupsd -f 1287 ? Ss 0:00 /usr/sbin/httpd 1296 ? Ss1 0:00 /usr/bin/libvirtd 1301 ? Ss 0:00 ./usr/sbin/sshd -d 1308 ? Ss 0:00 /usr/sbin/atd -f Which of the following commands should the administrator run NET to further analyze the compromised system? A. strace /proc/1301 B. rpm -v openssh-server C. /bin/ls -l /proc/1301/exe D. kill -9 1301
A. strace /proc/1301
It is important to parameterize queries to prevent: A. the execution of unauthorized actions against a data base. B. a memory overflow that executes code with elevated privileges. C. the establishment of a web shell that would allow unauthorized access. D. the queries from using an outdated library with security vulnerabilities.
A. the execution of unauthorized actions against a data base.
An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An alalyst is review the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output: Src IP Src DNS Dst IP Dst DNS Port Application 10.50.50.121 83hht23.org-int.org 8.8.8.8 google...dns-a.google.com 53 DNS 10.50.50.121 83hht23.org-int.org 77.88.55.66 yandex.ru 443 HTTPS 172.16.52.20 webserver.org-dmz.org 131.52.88.45 -- 53 DNS 10.100.10.45 appserver.org-int.org 69.134.21.90 repo.its.utk.edu 21 FTP 172.16.52.20 webserver.org-dmz.org 131.52.88.45 -- 10999 HTTPS 172.16.52.100 sftp.org-dmz.org 62.30.221.56 ftps.bluemed.net 42991 SSH 172.16.52.20 webserver.org-dmz.org 131.52.88.45 -- 10999 HTTPS Which of the following should be the focus of the investigation? A. webserver.org-dmz.org B. sftp.org-dmz.org C. 83hht23.org-int.org D. ftps.bluemed.net
A. webserver.org-dmz.org
After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred. 3-10-2019 10:23:22 FROM 192.168.1.10:3243 TO 10.10.10.5:53 PERMIT UDP 143 BYTES 3-10-2019 10:23:24 FROM 192.168.1.12:1076 TO 10.10.35.221:80 PERMIT TCP 100 BYTES 3-10-2019 10:23:25 FROM 192.168.1.1:1244 TO 10.10.1.1:22 DENY TCP 1 BYTES 3-10-2019 10:23:26 FROM 192.168.1.10:1034 TO 10.10.10.5:53 PERMIT UDP 5.3M BYTES 3-10-2019 10:23:29 FROM 192.168.1.10:4311 TO 10.10.200.50:3389 DENY TCP 1 BYTES 3-10-2019 10:23:30 FROM 192.168.1.193:2356 TO 10.10.50.199:25 PERMIT TCP 20K BYTES Which of the following IP addresses does the analyst need to investigate further? A. 192.168.1.1 B. 192.168.1.10 C. 192.168.1.12 D. 192.168.1.193
B. 192.168.1.10
When reviewing a compromised authentication server, a security anlyst discovers the following hidden file: root@ldap1:~# cat .pass.txt jsmith:Welcome 123 : 18073 : 0 : 99999 : 7 : : : mjones4:Welcome 123 : 18073 : 0 : 99999 : 7 : : : egreen1:Welcome 123 : 18073 : 0 : 99999 : 7 : : : rbarger:Welcome 123 : 18073 : 0 : 99999 : 7 : : : mhemel4:Welcome 123 : 18073 : 0 : 99999 : 7 : : : mgill:Welcome 123 : 18073 : 0 : 99999 : 7 : : : cyoung1:Welcome 123 : 18073 : 0 : 99999 : 7 : : : gkiepper3:Welcome123 : 18073 : 0 : 99999: 7 : : : Further analysis shows these users never logged in to the server. Which of the following types of attacks was used to obtain the file, and what should the analyst recommend to prevent this type of attack from reoccurring? A. A rogue LDAP server is installed on the system and is collecting passwords. The analyst should recommend wiping and reinstalling the server. B. A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password. C. A rainbow tables attack was used to compromise the accounts. The analyst should recommend that future password hashes contain a salt. D. A phishing attack was used to compromise the account. The analyst should recommend users install endpoint protection to disable phishing links.
B. A password spraying attack was used to compromise the passwords. The analyst should recommend that all users receive a unique password
An analyst is reviewing the following output: If (searchname != null) { %> Employee <%searchname%> not found <% } Vulnerability found: Improper neutralization of script-related HTML tag Which of the following was MOST likely used to discover this? A. Reverse engineering using a debugger B. A static analysis vulnerability scan C. A passive vulnerability scan D. A web application vulnerability scan
B. A static analysis vulnerability scan
A threat feed notes malicious actors have been infiltrating companies and exfiltrated data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without altering any potential malicious actions? A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested. B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried. C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443. D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information.
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried.
A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis? A. Attack vectors B. Adversary capability C. Diamond Model of Intrusion Analysis D. Kill chain E. Total attack surface
B. Adversary capability
Which of the following MOST accurately describes an HSM? A. An HSM is a low-cost solution for encryption. B. An HSM can be networked based or a removable USB. C. An HSM is slower at encrypting than software. D. An HSM is explicitly used for MFA.
B. An HSM can be networked based or a removable USB.
A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal? A. Continuous integration and deployment B. Automation and orchestration C. Static and dynamic analysis D. Information sharing and analysis
B. Automation and orchestration ThreatConnect for Automation & Orchestration. Reduce workload and make better security and business decisions with ThreatConnect's intelligence-driven automation and orchestration. Achieve faster, smarter, and repeatable processes with easily accessible intelligence and customizable workflows in one platform.
A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis. Which of the following did the security analyst violate? A. Cloning procedures B. Chain of custody C. Hashing procedures D. Virtualization
B. Chain of custody
A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using? A. Social media accounts attributed to the threat actor B. Custom malware attributed to the threat actor from prior attacks C. Email addresses and phone numbers tied to the threat actor D. Network assets used in previous attacks attributed to the threat actor E. IP addresses used by the threat actor for command and control
B. Custom malware attributed to the threat actor from prior attacks
Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident? A. SSO B. DLP C. WAF D. VDI
B. DLP
A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used? A. Data encoding B. Data masking C. Data loss prevention D. Data classification
B. Data masking
Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets? A. Data custodian B. Data owner C. Data processor D. Senior management
B. Data owner
A cybersecurity analyst is contributing to a team hunt on an organization's endpoints. Which of the following should the analyst do FIRST? A. Write detection logic. B. Establish a hypothesis. C. Profile the threat actors and activities. D. Perform a process analysis.
B. Establish a hypothesis.
A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following command: [root@www18 /tmp] # uptime 19:23:35 up 2:33, 1 user, load average: 87.22, 79.69, 72.17 [root@www18 /tmp] # crontab -1 * * * * * /tmp/ .t/t [root@www18 /tmp] # ps ax | grep tmp 1325 ? Ss 0:00 /tmp/ .t/t [root@www18 /tmp] # netstat -anlp tcp 0 0 0.0.0.0:22 172.168.0.0:* ESTABLISHED 1204/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1214/ cupsd tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1267/httpd Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation? A. Run crontab -r; rm -rf /tmp/ .t to remove and disable the malware on the system. B. Examine the server logs for further indicators of compromise of a web application. C. Run kill -9 1325 to bring the load average down so the server is usable again. D. Perform a binary analysis on the /tmp/ .t/t file, as it is likely to be a rogue SSHD server.
B. Examine the server logs for further indicators of compromise of a web application
A security analyst had received information from a third-party intelligence-sharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue? A. Audit access permissions for all employees to ensure least privilege B. Force a password reset for the impacted employees and revoke any tokens. C. Configure SSO to prevent passwords from going outside the local network. D. Set up prevailed access management to ensure auditing is enabled
B. Force a password reset for the impacted employees and revoke any tokens.
A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability? A. Deploy a WAF in front of the application. B. Implement a software repository management tool. C. Install a HIPS on the server. D. Instruct the developers to use input validation in the code.
B. Implement a software repository management tool.
The Chief Executive Officer (CEO) of a large insurance company has reported phishing emails that contain malicious links are targeting the entire organization. Which of the following actions would work BEST to prevent against this type of attack? A. Turn on full behavioral analysis to avert an infection. B. Implement an EDR mail module that will rewrite and analyze email links. C. Reconfigure the EDR solution to perform real-time scanning of all files. D. Ensure EDR signatures are updated every day to avert infection. E. Modify the EDR solution to use heuristic analysis techniques for malware.
B. Implement an EDR mail module that will rewrite and analyze email links.
Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the MOST practical solution to improve the equipment's security posture? A. Move the legacy systems behind a WAF. B. Implement an air gap for the legacy systems. C. Place the legacy systems in the DMZ. D. Implement a VPN between the legacy systems and the local network.
B. Implement an air gap for the legacy systems.
Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset? A. It automatically performs remedial configuration changes to enterprise security services. B. It enables standard checklist and vulnerability analysis expressions for automation. C. It establishes a continuous integration environment for software development operations. D. It provides validation of suspected system vulnerabilities through workflow orchestration
B. It enables standard checklist and vulnerability analysis expressions for automation
Which of the following BEST describes the primary role of a risk assessment as it relates to compliance with risk-based frameworks? A. It demonstrates the organization's mitigation of risks associated with internal threats. B. It serves as the basis for control selection. C. It prescribes technical control requirements D. It is an input to the business impact assessment
B. It serves as the basis for control selection.
An application authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are access data sets they have not been authorized to use. Which of the following will fix the cause of the issue? A. Change the security model to force the users to access database as themselves. B. Parameterize queries to prevent unauthorized SQL queries against the database. C. Configure database security logging using syslog or a SIEM. D. Enforce unique session Ids so users do not get a reused session ID.
B. Parameterize queries to prevent unauthorized SQL queries against the database.
A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution? A. The use of infrastructure-as-code capabilities leads to an increased attack surface. B. Patching the underlying application server becomes the responsibility of the client. C. The application is unable to use encryption at the database level. D. Insecure application programming interfaces can lead to data compromise.
B. Patching the underlying application server becomes the responsibility of the client.
Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII? A. Human resources B. Public relations C. Marketing D. Internal network operations center
B. Public relations
The help desk provided a security analyst with a screenshot of a user's desktop: $ aircrack-ng -e AHT4 -w dictionary.txt wpa2.pcapdump Opening wpa2.pcapdump Read 6396 packets. Opening wpa2.pcapdump Reading packets, please wait. . . For which of the following is aircrack-ng being used? A. Wireless access point discovery B. Rainbow attack C. Brute-force attack D. PCAP data collection
B. Rainbow attack
As part of an organization's information security governance process, a Chief Information Security Officer (CISO) is working with the compliance officer to update policies to include statements related to new regulatory and legal requirements. Which of the following should be done to BEST ensure all employees are appropriately aware of changes to the policies? A. Conduct a risk assessment based on the controls defined in the newly revised policies. B. Require all employees to attend updated security awareness training and sign an acknowledgement. C. Post the policies on the organization's intranet and provide copies of any revised policies to all active vendors. D. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them.
B. Require all employees to attend updated security awareness training and sign an acknowledgement.
The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives: Reduce the number of potential findings by the auditors. Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations. Prevent the external-facing web infrastructure used by other teams from coming into scope. Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised. Which of the following would be the MOST effective way for the security team to meet these objectives? A. Limit the permissions to prevent other employees from accessing data owned by the business unit. B. Segment the servers and systems used by the business unit from the rest of the network. C. Deploy patches to all servers and workstations across the entire organization. D. Implement full-disk encryption on the laptops used by employees of the payment-processing team.
B. Segment the servers and systems used by the business unit from the rest of the network
Which of the following software assessment methods would be BEST for gathering data related to an application's availability during peak times? A. Security regression testing B. Stress testing C. Static analysis testing D. Dynamic analysis testing E. User acceptance testing
B. Stress testing
Because some clients have reported unauthorized activity of their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below: POST / services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s= http://schemas.s/soap/envelope/ .,s:Body> <GetIPLocation+xmlns=http://tempuri.org/> <request+xmlns:a=http://schemas.somesite.org+xmlns:i=http://www.w3.org/2001/XMLSchema-instance>></ s:Body> </s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1006 1001 0 192.168.1.22 POST / services/v1_0/Public/Members.svc/soap <s:Password>Password123</a:Password> <a:ResetPasswordToken+i:nil="true"/><a:ShouldImpersonatedAuthenticationBepopulated+i:nil="true"/> <a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 11558 1712 2014 192.168.4.89 POST / services/v1_0/Public/Members.svc/soap <s:Envelop+xmlns:s=http://schemas.xmlsoap.org/soap/envelope/"> <a:Body><GetIPLocation+xmlns=http://tempuri.org/"><a:IPAddress>516.7.446.605</a:IPAddress> 200 0 1003 1011 307 192.168.1.22 POST / services/v1_0/Public/Members.svc/soap <s:Envelop+xmlns:s=http://schemas.xmlsoap.org/soap/ envelope/"> <a:Body><IsLoggedIn+xmlns+http:///tempuri.org/> <Request+xmlns:a=http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i+http://www.w3.org/2001/ XMLSchemasinstance"><a:Authentication><a:ApiToken>kmL4Krg2CwwWBan5BReGv5Djb7syxXTNKcWFuS jd</a:ApiToken> <a:ImpersonateUserID>0</a:ImpersonateUserID><a:LocationID>161222</a:LocationId><a:NetworkId>4</ a:NetworkId> <a:ProviderId:' ' 1=1</a:ProviderId><a:UserId>13026046</aUserId></a:Authentication></request></ IsLoggedIn> </s:Body></s: Envelope> 192.168.5.66 - - api.somesite.com 200 0 1378 1209 48 192.168.4.89 Which of the following MOST likely explains how the clients' accounts were compromised? A. The clients' authentication tokens were impersonated and replayed. B. The clients' usernames and passwords were transmitted in cleartext. C. An XSS scripting attack was carried out on the server. D. A SQL injection attack was carried out on the server.
B. The clients' usernames and passwords were transmitted in cleartext.
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal? A. To create a system baseline B. To reduce the attack surface C. To optimize system performance D. To improve malware detection
B. To reduce the attack surface
A security analyst discovered a specific series of IP address that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT? A. Baseline configuration assessment B. Uncredentialed scan C. Network ping sweep D. External penetration test
B. Uncredentialed scan
A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised. Which of the following would provide the BEST results? A. Baseline configuration assessment B. Uncredentialed scan- network ping sweep C. Network ping sweep D. External penetration test
B. Uncredentialed scan- network ping sweep
An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise? A. Use Burp Suite to capture packets to the SCADA device's IP. B. Use tcpdump to capture packets from the SCADA device IP. C. Use Wireshark to capture packets between SCADA devices and the management system. D. Use Nmap to capture packets from the management system to the SCADA devices.
B. Use tcpdump to capture packets from the SCADA device IP.
A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications and not capable of escaping the virtual machines and pivoting to other networks. To BEST mitigate this risk, the analyst should use: A. an 802.11ac wireless bridge to create an air gap. B. a managed switch to segment the lab into a separate VLAN. C. a firewall to isolate the lab network from all other networks. D. an unmanaged switch to segment the environments from one another.
B. a managed switch to segment the lab into a separate VLAN.
A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal? A. nmap -iL webserverlist.txt -sC -p 443 -0X webserverlist.xml B. nmap -iL webserverlist.txt -sV -p 443 -0X webserverlist.xml C. nmap -iL webserverlist.txt -F -p 443 -0X webserverlist.xml D. nmap --takefile webserverlist.txt --outputfileasXML we3bserverlist.xml --scanports 443
B. nmap -iL webserverlist.txt -sV -p 443 -0X webserverlist.xml note: -sV = attempts to determine the version of the service running on port
An information security analyst is compiling data from a recent penetration test and reviews the following output: Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-01 16:06 UTC Nmap scan report for 10.79.95.173.rdns.datacenters.com (10.79.95.173) Host is up (0.026s latency) . Not shown : 994 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 22/tcp open ssh SilverSHielD sshd (protocol 2.0) 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP / UPnP) 443/tcp open https? 691/tcp open resvc? 5060/tcp open sip Barracuda NG Firewall (Status: 200 OK) Nmap done: 1 IP address (1 host up) scanned in 158.22 seconds) The analyst wants to obtain more information about the web-based services that are running on the target. Which of the following MOST likely provide the needed information? A. ping -t 10.79.95.173.rdns.datacenters.com B. telnet 10.79.95.173 443 C. ftpd 10.79.95.173.rdns.datacenters.com 443 D. tracert 10.79.95.173
B. telnet 10.79.95.173 443 USING TELNET TO TROUBLESHOOT To use telnet to troubleshoot a network application, you need to know at least two things: - The remote server name or IP address. - The port number for the network application you want to test. - If you are only testing basic connectivity to a particular network application, that is all you need to know. - If you want to do more in-depth testing, however, you will need to know specific commands for the protocol you want to test (for example, HTTP or SMTP).
Given the Nmap request below: Scanner# nmap -p 22,113,139,1433 www.scanable.org - d --packet-trace Starting Nmap (http: / / nmap.org) Nmap scan report for www.scannable.org SENT (0.0149s) ICMP SCANNER > SCANNABLE echo request (type=8/ code=0) TTL=52 ID=1929 SENT (0.0112S) TCP SCANNER:63541 > SCANNABLE:80 iplen=40 seq=99850910 RCVC (0.0179S) ICMP SCANNABLE > SCANNER echo reply(type-0/code=0 iplen=28 seq=99850910 we got a ping back for SCANNABLE: ID=48822 seq=713 checksum=16000 massping done: num_host:1 num_response:1 Initiating SYN STEALTH Scan against www.scannable.org (SCANNABLE) 3 ports at 00:47 SENT (0.0134s) TCP SCANNER:63517 > SCANNABLE:113 iplen+40 seq=1048634 SENT (0.0148s) TCP SCANNER:63517 > SCANNABLE:139 iplen+40 seq=1048634 SENT (0.0092s) TCP SCANNER:63517 > SCANNABLE:22 iplen+40 seq=1048634 RCVD (0.0151s) TCP SCANNABLE:113 > SCANNER:63517 iplen+40 seq=1048634 RCVD (0.0151s) TCP SCANNABLE:22 > SCANNER:63517 iplen+40 seq=1048634 SENT (0.0097s) TCP SCANNER:63517 > SCANNABLE:139 iplen+40 seq=1048634 The SYN STEALTH Scan took 1.25s to scan 3 total ports Nmap Report for www.scannable.org (SCANNABLE) PORT STATE SERVICE 22/tcp open ssh 113/tcp closed auth 139/tcp filtered netbios-ssh 1433/tcp closed ms-sql Nmap done:1 10.155.187.1 (1 host) Which of the following actions will an attacker be able to initiate directly against this host? A. Password sniffing B. ARP spoofing C. A brute-force attack D. An SQL injection
C. A brute-force attack
Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective? A. Unauthorized, unintentional, benign B. Unauthorized, intentional, malicious C. Authorized, intentional, malicious D. Authorized, unintentional, benign
C. Authorized, intentional, malicious
A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication. Which of the following will remediate this software vulnerability? A. Enforce unique session IDs for the application. B. Deploy a WAF in front of the web application. C. Check for and enforce the proper domain for the redirect. D. Use a parameterized query to check the credentials. E. Implement email filtering with anti-phishing protection.
C. Check for and enforce the proper domain for the redirect.
Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices? A. Use a UEFI boot password. B. Implement a self-encrypted disk C. Configure filesystem encryption. D. Enable Secure Boot using TPM
C. Configure filesystem encryption.
An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environment have interdependencies but must remain relatively segmented. Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain? A. Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment. B. Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules. C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to the from each environment. D. Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account.
C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to the from each environment.
A security analyst is reviewing a suspected phishing campaign that has targeted an organization. The organization has enabled a few email security technologies in the last year, however, the analyst believes the security features are not working. The analyst runs the following command: > dig domain . _domainkey.comptia.org TXT Which of the following email protection technologies is the analyst MOST likely validating? A. SPF B. DSSEC C. DMARC D. DKIM
C. DMARC
During routing monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries IP 192.168.50.2 for a 24-hour period: Time SRC DST Domain Bytes 6/26/19 10:01 192.168.50.2 138.10.2.5 www.wioapsfeje.co 50 6/26/19 11:05 192.168.50.2 138.10.2.5 www.wioapsfeje.co 1000 6/26/19 13:09 192.168.50.2 138.10.25.5 www.wioapsfeje.co 1000 6/26/19 15:13 192.168.50.2 172.10.2.5 www.wfalksdjflae.co 1000 6/26/19 17:17 192.168.50.2 138.10.45.5 www.waslfsdjlfe.co 1000 6/26/19 23:45 192.168.50.2 172.10.3.5 ftp.walkadjgfl.co 50000 6/27/19 10:21 192.168.50.2 138.35.2.5 www.whatamyip.com 25 6/27/19 11:25 192.168.50.2 138.35.2.5 www.whatamyip.com 25 To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and: A. DST 138.10.2.5 B. DST 138.10.25.5 C. DST 172.10.3.5 D. DST 172.10.45.5 E. DST 175.35.20.5
C. DST 172.10.3.5
A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources. Which of the following BEST describes this attack? A. Injection attack B. Memory corruption C. Denial of service D. Array attack
C. Denial of service
A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features. Which of the following should be done to prevent this issue from reoccurring? A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered. B. Install additional batteries in the SAM power supplies with enough capacity to keep the system powered on during maintenance. C. Ensure power configuration is covered in the data center change management policy and have the SAN administrator review this policy D. Install a third power supply in the SAN so loss of any power input does not result in the SAN completely powering off.
C. Ensure power configuration is covered in the data center change management policy and have the SAN administrator review this policy
A user reports the system is behaving oddly following the installation of an approved third-party software application. The application executable was sourced from an internal repository. Which of the following will ensure the application is valid? A. Ask the user to refresh the existing definition file for the antivirus software. B. Perform a malware scan on the file in the internal repository. C. Hash the application's installation file and compare it ito the hash provided by the vendor. D. Remove the user's system from the network to avoid collateral contamination
C. Hash the application's installation file and compare it ito the hash provided by the vendor
A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend? A. Implement a honeypot. B. Air gap sensitive systems. C. Increase the network segmentation. D. Implement a cloud-based architecture.
C. Increase the network segmentation
Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry? A. Real-time and automated firewall rules subscriptions B. Open-source intelligence, such as social media and blogs C. Information sharing and analysis membership D. Common vulnerability and exposure bulletins
C. Information sharing and analysis membership
During a review of the vulnerability scan results on a server. an information security analyst notices the following: The MOST appropriate action for the analyst to recommend to developers is to charge the web server so: A. It only accepts TLSv1.2 B. It only accepts ciphers suites using AES and SHA C. It no longer accepts the vulnerable cipher suites D. SSL/TLS is offloaded to a WAF and load balancer
C. It no longer accepts the vulnerable cipher suites
A user's computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output: LINE PROTOCOL LOCAL ADDRESS FOREIGN ADDRESS STATE 1 TCP 127.0.0.1:15453 127.0.0.1:16374 ESTABLISHED 2 TCP 127.0.0.1:8193 127.0.0.1:8192 ESTABLISHED 3 TCP 192.168.0.23:443 185.23.17.119:17207 ESTABLISHED 4 TCP 192.168.0.23:13985 172.217.0.14:443 ESTABLISHED 5 TCP 192.168.0.23:6023 185.23.17.120:443 ESTABLISHED 6 TCP 192.168.0.23:7264 10.23.63.217:445 ESTABLISHED Which of the following lines indicates the computer may be compromised? A. Line 1 B. Line 2 C. Line 3 D. Line 4 E. Line 5 F. Liine 6
C. Line 3 Line 3: It is suspicious that that client has established a connection from TCP 443, vice to TCP port 443 on the Web server.
An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue? A. Copies of prior audits that did not identify the servers as an issue B. Project plans relating to the replacement of the servers that were approved by management C. Minutes from meetings in which risk assessment activities addressing the servers were discussed D. ACLs from perimeter firewalls showing blocked access to the servers E. Copies of change orders relating to the vulnerable servers
C. Minutes from meetings in which risk assessment activities addressing the servers were discussed
A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access? A. Single sign-on B. Mandatory access control C. Multifactor authentication D. Federation E. Privileged access management
C. Multifactor authentication
A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices. Which of the following should be used to identify the traffic? A. Carving B. Disk imaging C. Packet analysis D. Memory dump E. Hashing
C. Packet analysis
An analyst performs a routine scan o a host using Nmap and receives the following output: $ nmap -sS 10.0.3.1 Starting Nmap 8.9 (http://nmap.org) at 2019-01-19 12:03 PST Nmap scan report for 10.0.3.1 Host is up (0.00098s latency) . Not shown: 979 closed ports PORT STATE SERVICE 20/tcp filtered ftp-data 21/tcp filtered ftp 22/tcp open ssh 23/tcp open telnet 80/tcp open http Nmap done: 1 IP address (1 host up) scanned in 0.840 seconds Which of the following should the analyst investigate FIRST? A. Port 21 B. Port 22 C. Port 23 D. Port 80
C. Port 23
Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches? A. Agile B. Waterfall C. SDLC D. Dynamic code analysis
C. SDLC
An organization wants to move non-essential services into a cloud computing Environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome? A. Duplicate all services in another instance and load balance between the instances. B. Establish a hot site with active replication to another region within the same cloud provider C. Set up a warm disaster recovery site with the same cloud provider in a different region. D. Configure the systems with a cold site at another cloud provider that can be used for failover.
C. Set up a warm disaster recovery site with the same cloud provider in a different region.
A critical server was compromised by malware, and all functionality was lost. Backups of the server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly? A. Work backward, restoring each backup until the server is clean. B. Restore the previous backup and scan with a live boot anti-malware scanner. C. Stand up a new server and restore critical data from backups. D. Offload the critical data to a new server and continue operations.
C. Stand up a new server and restore critical data from backups.
Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops? A. Self-encryption drive B. Bus encryption C. TPM D. HSM
C. TPM
An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST step to confirm and respond to the incident? A. Pause the virtual machine. B. Shut down the virtual machine. C. Take a snapshot of the virtual machine. D. Remove the NIC from the virtual machine.
C. Take a snapshot of the virtual machine.
A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities. Which of the following would be BEST to implement to alleviate the CISO's concern? A. DLP B. Encryption C. Test data D. NDA
C. Test data
A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following: 11:03:09.095091 IP 10.1.1.10.47787 > 128.50.100.3.53:48202+ A? michael.smith.334-54-2343.985-334- 5643.1123- Kathman-dr.ajgidwle.com. 11:03:09.186945 IP 10.1.1.10.47788 > 128.50.100.3.53:49675+ A? Ronald.young.437-96-6523.212-635- 6538.2426- Riverland-st.ajgidwle.com. 11:03:09.189567 IP 10.1.1.10.47789 > 128.50.100.3.53:50986+ A? mark.leblanc.485-63-5278.802-632- 5841.68951- Peachtree-st.ajgidwle.com. 11:03:09.296854 IP 10.1.1.10.47790 > 128.50.100.3.53:51567+ A? gina.buras.471-96-2354.313-654- 9254.3698- Mcghee-rd.ajgidwle.com. Which of the following can the analyst conclude? A. Malware is attempting to beacon to 128.50.100.3 B. The system is running a DoS attack against ajgidwle.com C. The system is scanning ajgidwle.com for PII. D. Data is being exfiltrated over DNS.
C. The system is scanning ajgidwle.com for PII.
A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch. Which of the following is the MOST appropriate threat classification for these incidents? A. Known threat B. Zero day C. Unknown threat D. Advanced persistent threat
C. Unknown threat
Employees of a large financial company are continuously being infected by strands of maleware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites? A. MFA on the workstations B. Additional host firewall rules C. VDI environment D. Hard drive encryption E. Network access control F. Network segmentation
C. VDI environment
A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete this task, the analyst should place the: A. firewall behind the VPN server. B. VPN server parallel to the firewall. C. VPN server behind the firewall. D. VPN on the firewall
C. VPN server behind the firewall.
A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following: Which of the following should the analyst review to find out how the data was exfiltrate? A. Monday's logs B. Tuesday's logs C. Wednesday's logs D. Thursday's logs
C. Wednesday's logs
The IT team reports the EDR software that is installed on laptops is using a large amount of resources. Which of the following changes should a security analyst make to the EDR to BEST improve performance without compromising security? A. Quarantine the infected systems. B. Disable on-access scanning. C. Whitelist known-good applications. D. Sandbox unsigned applications.
C. Whitelist known-good applications
A security analyst has discovered suspicious traffic and determined a host is connecting to a known malicious website. The MOST appropriate action for the analyst to take would be to implement a change request to: A. update the antivirus software. B. configure the firewall to block traffic to the domain. C. add the domain to the blacklist. D. create an IPS signature for the domain.
C. add the domain to the blacklist.
When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal? A. nmap -sA -o <system> -noping B. nmap -sT -o <system> -po C. nmap -sS -o <system> -po D. nmap -sQ -o <system> -po
C. nmap -sS -o <system> -po
A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/a.php in a phishing email. To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the: A. email server that automatically deletes attached executables. B. IDS to match the malware sample. C. proxy to block all connections to <malwaresource> D. firewall to block connection attempts to dynamic DNS hosts.
C. proxy to block all connections to <malwaresource>
While reviewing a packet capture. a security analyst discovers a recent attack used specific ports communicating across non-standard ports and exchanged a particular set of files. In addition, forensics determines the files contain maleware and have a specific callback domain within the files. The MOST appropriate action to take in this situation would be to implement a change request for an IPS. A. to block the callback domain and another signature hash to block the files B. behavioral signature and update the blacklisting on the domain C. rule to block the non-standard ports and update the blacklisting of the callback domain D. signature for the callback domain and update the firewall settings to block the non-standard ports
C. rule to block the non-standard ports and update the blacklisting of the callback domain
An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains alternate data streams? A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users C. A windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file D. A Windows attribute that can be used by attackers to hide malicious files within system memory
D. A Windows attribute that can be used by attackers to hide malicious files within system memory
During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent he activity from happening in the future? A. An IPS signature modification for the specific IP addresses B. An IDS signature modification for the specific IP addresses C. A firewall rule that will block port 80 traffic D. A firewall rule that will block traffic from the specific IP address
D. A firewall rule that will block traffic from the specific IP address
Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity? A. Reverse engineering B. Application log collections C. Workflow or orchestration D. API integration E. Scripting
D. API integration
Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus, on company systems? A. Code of conduct policy B. Account management policy C. Password policy D. Acceptable use policy
D. Acceptable use policy
A finance department employee has received a message that appears to have been sent from the Chief Financial Officer (CFO), asking the employee to perform a wire transfer. Analysis of the email shows the message came from an external source and is fraudulent. Which of the following would work BEST to improve the likelihood of employees quickly recognizing fraudulent emails? A. Implementing a sandboxing solution for viewing emails and attachments B. Limiting email from the finance department to recipients on a pre-approved whitelist C. Configuring email client settings to display all messages in plaintext when read D. Adding a banner to incoming messages that identifies the messages as external
D. Adding a banner to incoming messages that identifies the messages as external
A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet. Which of the following solutions would meet this requirements? A. Establish a hosted SSO. B. Implement a CASB. C. Virtualize the server. D. Air gap the server.
D. Air gap the server
A security analyst is investigating an incident that appears that appears to have started with SQL injection against a publicly available web application. Which of the following is the FIRST step the analyst should take to prevent future attacks? A. Modify the IDS rules to have a signature for SQL injection. B. Take the server offline to prevent continue SQL injection. C. Create a WAF rule in block mode for SQL injection. D. Ask the developers to implement parameterized SQL queries.
D. Ask the developers to implement parameterized SQL queries.
During an incident, a cybersecurity anlyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident? A. BadReputationIP - - [2019-04-12 10:43z] "GET /etc/passwd" 403 1023 B. BadReputationIP - - [2019-04-12 10:43z] "GET /index.html ?arc=../.ssh/id_rsa" 401 17044 C. BadReputationIP - - [2019-04-12 10:43z] "GET /a.php?src=/etc/passwd" 403 11056 D. BadReputationIP - - [2019-04-12 10:43z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036 E. BadReputationIP - - [2019-04-12 10:43z] "GET /favicon.ico?arc=../usr/share/icons" 200 19064
D. BadReputationIP - - [2019-04-12 10:43z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
A company recently experienced a break-in, whereby a number of hardware assets were stolen through unauthorized access at the back of the building. Which of the following would BEST prevent this type of theft from occurring in the future? A. Motion detection B. Perimeter fencing C. Monitored security cameras D. Badged entry
D. Badged entry
A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT? A. Begin blocking all IP addresses with that subnet. B. Determine the attack vector and total attack surface. C. Begin a kill chain analysis to determine the impact. D. Conduct threat research on the IP address.
D. Conduct threat research on the IP address
An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment. One of the primary concerns is exfiltration of data by malicious insiders. Which of the following controls is the MOST appropriate to mitigate risks? A. Data deduplication B. OS fingerprinting C. Digital watermarking D. Data loss prevention
D. Data loss prevention
A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do? A. Shut down the computer. B. Capture live data using Wireshark. C. Take a snapshot. D. Determine if DNS logging is enabled. E. Review the network logs.
D. Determine if DNS logging is enabled.
An incident responder successfully acquired application binaries off a mobile device for later forensic analysis. Which of the following should the analyst do NEXT? A. Decompile each binary to derive the source code. B. Perform a factory reset on the affected mobile device. C. Compute SHA-256 hashes for each binary. D. Encrypt the binaries using an authenticated AES-256 mode of operation. E. Inspect the permissions manifests within each application.
D. Encrypt the binaries using an authenticated AES-256 mode of operation.
A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement? A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs. B. Moving the FPGAs between development sites will less the time that is available for security testing. C. Development phases occurring at multiple sites may produce change management issues. D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.
As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment? A. Critical assert list B. Threat vector C. Attack profile D. Hypothesis
D. Hypothesis
A cybersecurity analyst is establishing a threat hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely be used for this purpose? A. IOC feeds B. CVSS scores C. Scrum D. ISAC
D. ISAC An Information Sharing and Analysis Center or (ISAC) is a nonprofit organization that provides a central resource for gathering information on cyber threats to critical infrastructure and providing two-way sharing of information between the private and public sector.
A team of security analysis has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445. Which of the following should be the team's NEXT step during the detection phase of this response process? A. Escalate the incident to management, who will then engage the network infrastructure team to keep them informed. B. Depending on system criticality, remove each affected device from the network by disabling wired and wireless connections. C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP addresses. D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network traffic.
A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization? A. Establish a recovery time objective and a recovery point objective for the systems being moved. B. Calculate the resource requirements for moving the systems to the cloud. C. Determine recovery priorities for the assets being moved to the cloud-based systems. D. Identify the business processes that will be migrated and the critically of each one. E. Perform an inventory of the servers that will be moving and assign priority to each one.
D. Identify the business processes that will be migrated and the critically of each one.
A security analyst working in the SOC recently discovered instances in which hosts visited an specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in this situation? A. Implement an IPS signature for the malware and update the blacklisting for the associated domains and IPs. B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs. C. Implement a change request to the firewall setting to now allow traffic to and from the IPs and domains. D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains.
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains
An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller? A. Segment the network to constrain access to administrative interfaces. B. Replace the equipment that has third-party support. C. Remove the legacy hardware from the network. D. Install an IDS on the network between the switch and the legacy equipment.
D. Install an IDS on the network between the switch and the legacy equipment.
As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period? A. Organizational policies B. Vendor requirements and contracts C. Service-level agreements D. Legal requirements
D. Legal requirements
During a cyber incident, which of the following is the BEST course of action? A. Switch to using a pre-approved, secure, third-party communication system. B. Keep the entire company informed to ensure transparency and integrity during the incident. C. Restrict customer communication until the severity of the breach is confirmed. D. Limit communications to pre-authorized parties to ensure response efforts remain confidential.
D. Limit communications to pre-authorized parties to ensure response efforts remain confidential.
A custom script currently monitors real-time logs of a SAML authentication servicer to mitigate brut-force attacks. Which of the following is a concern when moving authentication to a cloud service? A. Logs may contain incorrect information. B. SAML logging is not supported for cloud-based authentication. C. Access to logs may be delayed for some time. D. Log data may be visible to other customers.
D. Log data may be visible to other customers
A security analyst is scanning the network to determine if a critical security patch was applied to all systems in an enterprise. The organization has a very low tolerance for risk when it comes to resource availability. Which of the following is the BEST approach for configuring and scheduling the scan? A. Make sure the scan is credentialed, covers all hosts in the patch management system, and is scheduled during business hours so it can be terminated if it affects business operations. B. Make sure the scan is uncredentialed, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. C. Make sure the scan is credentialed has the latest software and signature versions, covers all hosts in the patch management system, and is scheduled during off-business hours so it has the least impact on operations. D. Make sure the scan is credentialed, uses a limited plugin set, scans all host I addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
D. Make sure the scan is credentialed, uses a limited plugin set, scans all host I addresses in the enterprise, and is scheduled during off-business hours so it has the least impact on operations.
An organization wants to mitigate against risks associated with network reconnaissance. ICMP is already blocked at the firewall; however, a penetration testing team has been able to perform reconnaissance against the organization's network and identify active hosts. An analyst sees the following output from a packet capture: 192.168.2.3 (eth0 192.168.2.3) : NO FLAGS are set, 40 headers + 0 data bytes Len=46 ip=192.168.2.3 ttl=64 id=32551 sport=0 flags=RA seq=0 win=0 rtt=0 . 4ms Which of the following phrases from the output provides information on how the testing team is successfully getting around the ICMP firewall rule? A. flags=RA indicates the testing team is using a Christmas tree attack B. ttl=64 indicates the testing team is setting the TTL below the firewall's threshold. C. 0 data bytes indicates the testing team is crafting empty ICMP packets. D. NO FLAGS are set indicates the testing team is using hping.
D. NO FLAGS are set indicates the testing team is using hping.
The Chief Information Officer (CIO) of a large healthcare institution is concerned about all machines having direct access to sensitive patient information. Which of the following should the security analyst implement to BEST mitigate the risk of sensitive data exposure? A. A cloud access service broker system B. NAC to ensure minimum standards are met C. MFA on all workstations D. Network segmentation
D. Network segmentation
As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information. Which of the following BEST describes this test? A. Walk through B. Full interruption C. Simulation D. Parallel
D. Parallel
Which of the following types of policies is used to regulate data storage on the network? A. Password B. Acceptable use C. Account management D. Retention
D. Retention
An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets. Which of the following should be considered FIRST prior to disposing of the electronic data? A. Sanitization policy B. Data sovereignty C. Encryption policy D. Retention standards
D. Retention standards
A security analyst for a large pharmaceutical company was given credentials from a threat intelligence resources organization for internal users, which contain usernames and valid passwords for company accounts. Which of the following is the FIRST action the analyst should take as part of security operations monitoring? A. Run scheduled antivirus scans on all employees' machines to look for malicious processes. B. Reimage the machines of all users within the group in case of a malware infection. C. Change all the user passwords to ensure the malicious actors cannot use them. D. Search the event logs for event identifiers that indicate Mimikatz was used.
D. Search the event logs for event identifiers that indicate Mimikatz was used.
A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server. Which of the following is the FIRST step the analyst should take? A. Create a full disk image of the server's hard drive to look for the file containing the malware. B. Run a manual antivirus scan on the machine to look for known malicious software. C. Take a memory snapshot of the machine to capture volatile information stored in memory. D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.
D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.
A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST? A. Apply the required patches to remediate the vulnerability. B. Escalate the incident to senior management for guidance. C. Disable all privileged user accounts on the network. D. Temporarily block the attacking IP address.
D. Temporarily block the attacking IP address.
A security analyst is reviewing the following log from an email security service. Rejection type: Drop Rejection Description: IP found in RBL Event time: Today at 16:06 Rejection information mail.comptia.org https://www.spamfilter.org/query?p=192.167.28.243 From address: [email protected] To address: [email protected] IP address 192.167.28.243 Remote server name: 192.167.28.243 Which of the following best describes the reason why the email was blocked? A. To address is invalid. B. The email originated from the www.spamfilter.org URL. C. The IP address and the remote server name are the same. D. The IP address was blacklisted. E. The From address is invalid
D. The IP address was blacklisted.
A security analyst is reviewing the following log from an email security service. Which of the following BEST describes the reason why the email was blocked? A. The To address is invalid. B. The email originated from the www.spamfilter.org URL. C. The IP address and the remote server name are the same. D. The IP address was blacklisted. E. The From address is invalid.
D. The IP address was blacklisted.
A security analyst is reviewing the following DNS logs as part of security-monitoring activities: FROM 192.168.1.20 A www.google.com 67.43.45.22 FROM 192.168.1.20 AAAA www.google.com 2006:67:AD:1FAB::102 FROM 192.168.1.43 A www.mail.com 193.56.221.99 FROM 192.168.1.2 A www.company.com 241.23.22.11 FROM 192.168.1.211 A www.uewiryfajfcbfaerwfj.co 32.56.32.122 FROM 192.168.1.106 A www.whatsmyip.com 102.45.33.53 FROM 192.168.1.93 AAAA www.nbc.com 2002:10:976: :1 FROM 192.168.1.78 A www.comptia.org 122.10.31.87 Which of the following MOST likely occurred? A. The attack used an algorithm to generate command and control information dynamically. B. The attack attempted to contact www.google.com to verify Internet connectivity. C. The attack used encryption to obfuscate the payload and bypass detection by an IDS. D. The attack caused an internal host to connect to a command and control server.
D. The attack caused an internal host to connect to a command and control server
A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client. Which of the following is MOST likely inhibiting the remediation efforts? A. The parties have an MOU between them that could prevent shutting down the systems. B. There is a potential disruption of the vendor-client relationship. C. Patches for the vulnerabilities have not been fully tested by the software vendor. D. There is an SLA with the client that allows very little downtime.
D. There is an SLA with the client that allows very little downtime.
While analyzing logs from a WAF, a cybersecurity analyst finds the following: "GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574% 2box3133333731,1224&state=IL" Which of the following BEST describes what the analyst had found? A. This is an encrypted GET HTTP request. B. A packet is being used to bypass the WAF. C. This is an encrypted packet. D. This is an encoded WAF bypass.
D. This is an encoded WAF bypass.
An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service? A. Manually log in to the service and upload data files on a regular basis. B. Have the internal development team script connectivity and file transfers to the new service. C. Create a dedicated SFTP site and schedule transfers to ensure file transport security. D. Utilize the cloud product's API for supported and ongoing integrations.
D. Utilize the cloud product's API for supported and ongoing integrations
Clients are unable to access a company's API to obtain pricing data. An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources. Which of the following would be BEST to protect the availability of the APIs? A. IP whitelisting B. Certificate-based authentication C. Virtual private network D. Web application firewall
D. Web application firewall
A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited? A. Insider threat B. Buffer overflow C. Advanced persistent threat D. Zero day vulnerability
D. Zero day vulnerability
For machine learning to be applied effectively toward security analysis automation, it requires: A. relevant training data. B. a threat feed API. C. a multicore, multiprocessor system. D. anomalous traffic signatures.
D. anomalous traffic signatures.
The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with: A. web servers on private networks. B. HVAC control systems. C. smartphones. D. firewalls and UTM devices.
D. firewalls and UTM devices.
A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log: A. grep -v chatter14 chat.log B. grep -i pythonfun chat.log C. grep -i javashark chat.log D. grep -v javashark chat.log E. grep -v pythonfun chat.log F. grep -i chatter14 chat.log
D. grep -v javashark chat.log
As part of a merger with another organization, a Chief Information Security Manager (CISO) is working with an assessor to perform a risk assessment focused on data privicy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy. Based on the CISO's concerns, the assessor will MOST likely focus on: A. qualitative probabilities B. quantitative probabilities C. qualitative magnitude D. quantitative magnitude
D. quantitative magnitude
A security analyst is required to stay current with the most recent threat data and intelligence reports. When gathering data, it is MOST important for the data to be: A. proprietary and timely. B. proprietary and accurate. C. relevant and deep. D. relevant and accurate.
D. relevant and accurate.
A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organizations. The security analyst's BEST response would be to coordinate with the legal department and: A. the public relation department. B. senior leadership. C. law enforcement. D. the human resources department.
D. the human resources department
A company's marketing emails are either being found in a spam folder or not being delivered at all. The security analyst investigates the issue and discovers the emails in question are being sent on behalf of the company by a third part, mail.marketingpartners.com. Below is the existing SPF record: V=spfl a mx -all Which of the following updates to the SPF record will work BEST to prevent the emails from being marked as spam or blocked? A. v=spfl a mx redirect:mail.marketingpartners.com ?all B. v=spfl a mx include:mail.marketingpartners.com -all C. v=spfl a mx +all D. v=spfl a mx include:mail.marketingpartners.com ~all
D. v=spfl a mx include:mail.marketingpartners.com ~all
An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment? A. FaaS B. RTOS C. SoC D. GPS E. CAN bus
E. CAN bus A Controller Area Network (CAN bus) is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other's applications without a host computer. It is a message-based protocol, designed originally for multiplex electrical wiring within automobiles to save on copper, but can also be used in many other contexts. For each device the data in a frame is transmitted sequentially but in such a way that if more than one device transmits at the same time the highest priority device is able to continue while the others back off. Frames are received by all devices, including by the transmitting device.
An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs, the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident? A. Patching logs B. Threat feed C. Backup logs D. Change requests E. Data classification matrix
E. Data classification matrix
A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL: Server1 Server2 PC1 PC2 22/tcp open 3389/tcp open 80/tcp open 80/tcp open 80/tcp open 53/udp open 443/tcp open 1443/tcp open 443.tcp open Firewall ACL 10 permit tcp from:any to:server1.www 15 permit udp from:lan-net to:any.dns 16 permit udp from:any to:server2.dns 20 permit tcp from:any to:server1.ssl 25 permit tcp from:lan-net to:any www 26 permit tcp from:lan-net to:any:ssl 27 permit tcp from:any to pc2:mssql 30 permit tcp from:any to server1:ssh 100 deny ip any any Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality? A. PC1 B. PC2 C. Server1 D. Server2 E. Firewall
E. Firewall
An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations. Which of the following would BEST meet that goal? A. Root-cause analysis B. Active response C. Advanced antivirus D. Information-sharing community E. Threat hunting
E. Threat hunting
