CySA+ my version 2


An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures? A. A simulated breach scenario involving the incident response team B. Completion of annual information security awareness training by all employees C. Tabletop activities involving business continuity team members D. Completion of lessons-learned documentation by the computer security incident response team E. External and internal penetration testing by a third party

A. A simulated breach scenario involving the incident response team

A security analyst is reviewing the following web server log: GET %2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd Which of the following BEST describes the issue? A. Directory traversal exploit B. Cross-site scripting C. SQL injection D. Cross-site request forgery

A. Directory traversal exploit (%2f is a URL-encoded slash; decoded, the request is /../../../../../../../etc/passwd, a classic attempt to climb out of the web root)
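Added example (not part of the original study set): the check an analyst would actually run over a web log to catch the request above. It percent-decodes repeatedly, so double-encoded variants such as %252f are also caught, and counts how many directory levels the decoded path climbs. Apart from the question's own request, the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines: the first is the request quoted in the question,
# the others are made up to show benign paths and a double-encoded variant.
SAMPLE_LOG = [
    "GET %2f..%2f..%2f..%2f..%2f..%2f..%2f../etc/passwd",
    "GET /index.html",
    "GET /images/..%252f..%252fetc/passwd",     # double-encoded: %25 -> %
    "GET /search?q=%27%20OR%201%3D1--",         # SQL-looking payload, not traversal
    "GET /static/css/../js/app.js",             # a single ../ is normal in some apps
]

REQUEST_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)")


def decode_fully(value, max_rounds=3):
    """Percent-decode until the string stops changing (defeats double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_depth(path):
    """Number of '../' segments in the fully decoded path (backslashes count too)."""
    decoded = decode_fully(path).replace("\\", "/")
    return decoded.count("../")


def find_traversal(lines, min_depth=2):
    """Return (line, depth, decoded_path) for requests that climb >= min_depth levels."""
    hits = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue
        depth = traversal_depth(match["path"])
        if depth >= min_depth:
            hits.append((line, depth, decode_fully(match["path"])))
    return hits


if __name__ == "__main__":
    for line, depth, decoded in find_traversal(SAMPLE_LOG):
        print(f"depth={depth:<2} {decoded}   <- {line}")
```

The threshold of two levels keeps ordinary relative paths out of the alert; what matters for triage is the decoded path, which is why the decoded form is returned alongside the raw line.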

An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks? A. Implement MDM. B. Update the malware catalog. C. Patch the mobile device's OS. D. Block third-party applications.

A. Implement MDM.

A security analyst implemented a solution that would analyze the attacks that the organization's firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command: $ sudo nc -l -v -e maildaemon.py 25 > caplog.txt Which of the following solutions did the analyst implement? A. Log collector B. Crontab mail script C. Sinkhole D. Honeypot

D. Honeypot (netcat listens on TCP 25, hands every connection to a fake mail daemon and records the session to caplog.txt: a decoy service built to capture attacker activity, not a collector of existing logs)

Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application?(Choose two.) A. Parameterized queries B. Session management C. Input validation D. Output encoding E. Data protection F. Authentication

A. Parameterized queries C. Input validation

A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided. Which of the following data privacy standards does this violate? A. Purpose limitation B. Sovereignty C. Data minimization D. Retention

A. Purpose limitation

A company's incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan? A. Quarantine the web server B. Deploy virtual firewalls C. Capture a forensic image of the memory and disk D. Enable web server containerization

A. Quarantine the web server

During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving? A. The system memory B. The hard drive C. Network packets D. The Windows Registry

A. The system memory

It is important to parameterize queries to prevent __________. A. the execution of unauthorized actions against a database. B. a memory overflow that executes code with elevated privileges. C. the establishment of a web shell that would allow unauthorized access. D. the queries from using an outdated library with security vulnerabilities.

A. the execution of unauthorized actions against a database.
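Added example, serving both parameterized-query questions above (it is not code from the original study set): the same login query written with string concatenation and with bound parameters, run against an in-memory SQLite table of constructed users, plus an allow-list username check as the second layer the first question asks for. The table, users and payloads are all made up for the demonstration.

```python
import re
import sqlite3


def setup_db():
    """In-memory table with constructed test users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input becomes part of the SQL grammar."""
    sql = (f"SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}' "
           f"ORDER BY username")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """Same query, but the values are bound: the driver never lets them alter the statement."""
    sql = ("SELECT username FROM users WHERE username = ? AND password = ? "
           "ORDER BY username")
    return [row[0] for row in conn.execute(sql, (username, password))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def is_valid_username(username):
    """Allow-list input validation, applied before the query as a second layer."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = setup_db()
    payload = "alice' --"   # '--' comments out the password check in the concatenated query
    print("vulnerable   :", login_vulnerable(conn, payload, "wrong"))
    print("parameterized:", login_parameterized(conn, payload, "wrong"))
    print("validated    :", is_valid_username(payload))
```

With the payload `alice' --` the concatenated statement becomes `... WHERE username = 'alice' --' AND password = 'wrong'` and the password clause is commented away; the bound version searches for a user literally named `alice' --` and finds nothing. Validation alone is not enough (a legitimate name like O'Brien has to be handled somewhere), which is why the parameterized query is the primary control.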

A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis? A. Attack vectors B. Adversary capability C. Diamond Model of Intrusion Analysis D. Kill chain E. Total attack surface

B. Adversary capability

Which of the following SCAP standards provides standardization for measuring and describing the severity of security-related software flaws? A. OVAL B. CVSS C. CVE D. CCE

B. CVSS

A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using? A. Social media accounts attributed to the threat actor B. Custom malware attributed to the threat actor from prior attacks C. Email addresses and phone numbers tied to the threat actor D. Network assets used in previous attacks attributed to the threat actor E. IP addresses used by the threat actor for command and control

B. Custom malware attributed to the threat actor from prior attacks

A cybersecurity analyst is contributing to a team hunt on an organization's endpoints. Which of the following should the analyst do FIRST? A. Write detection logic. B. Establish a hypothesis. C. Profile the threat actors and activities. D. Perform a process analysis.

B. Establish a hypothesis.

A security analyst needs to obtain the footprint of the network. The footprint must identify the following information: TCP and UDP services running on a targeted system; types of operating systems and versions; specific applications and versions. Which of the following tools should the analyst use to obtain the data? A. Prowler B. Nmap C. Reaver D. ZAP

B. Nmap

A security analyst discovers the following firewall log entries during an incident (log entries not reproduced here). Which of the following is MOST likely occurring? A. Banner grabbing B. Port scanning C. Beaconing D. Data exfiltration

B. Port scanning
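Added example (not from the original study set, and not the question's log, which is not reproduced on the page): the two patterns a firewall log analyst is choosing between here, written as detection logic. A port scan shows one source touching many distinct destination ports in a short window; beaconing shows the same source, destination and port recurring at near-constant intervals. The log lines, addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed firewall log: 20 denied probes to consecutive ports, one connection
# repeating every 300 s, and some ordinary HTTPS traffic.
BASE = datetime(2024, 5, 1, 10, 0, 0)
FIREWALL_LOG = (
    [f"{(BASE + timedelta(seconds=i)).isoformat()} DENY src=203.0.113.7 dst=192.0.2.10 dport={port}"
     for i, port in enumerate(range(21, 41))]
    + [f"{(BASE + timedelta(seconds=300 * i)).isoformat()} ALLOW src=10.0.0.5 dst=198.51.100.9 dport=443"
       for i in range(6)]
    + [f"{(BASE + timedelta(seconds=s)).isoformat()} ALLOW src=10.0.0.8 dst=192.0.2.10 dport=443"
       for s in (3, 17, 95, 400)]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse(lines):
    """Return (timestamp, src, dst, dport) tuples sorted by time; unknown lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return sorted(events)


def detect_port_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """Port scan: one src touches >= min_ports distinct ports on a dst inside `window`."""
    by_pair = {}
    for ts, src, dst, dport in events:
        by_pair.setdefault((src, dst), []).append((ts, dport))
    hits = {}
    for pair, items in by_pair.items():          # items are already time-ordered
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            ports = {p for _, p in items[lo:hi + 1]}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits


def detect_beacons(events, min_events=5, max_jitter=0.1):
    """Beaconing: the same src->dst:port fires at near-constant intervals (low jitter)."""
    by_flow = {}
    for ts, src, dst, dport in events:
        by_flow.setdefault((src, dst, dport), []).append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = avg                  # average period in seconds
    return beacons


if __name__ == "__main__":
    events = parse(FIREWALL_LOG)
    print("port scans:", detect_port_scans(events))
    print("beacons   :", detect_beacons(events))
```

The jitter ratio (standard deviation of the gaps divided by their mean) is what separates a beacon from a busy but human-driven connection; real implants add random sleep, so in production the threshold is tuned rather than fixed at 10%.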

Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII? A. Human resources B. Public relations C. Marketing D. Internal network operations center

B. Public relations

An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment? A. FaaS B. RTOS C. SoC D. GPS E. CAN bus

E. CAN bus (the in-vehicle bus carries unauthenticated control messages between ECUs, so it is the path a tester uses to inject or replay commands; an RTOS or SoC is a component that runs on the platform, not the vector into it)

Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST likely cause of the infections? A. Compatibility mode B. Secure boot mode C. Native mode D. Fast boot mode

A. Compatibility mode (legacy/CSM boot bypasses the Secure Boot signature check on the bootloader; with Secure Boot enforced in native UEFI mode an unsigned or tampered bootloader is refused, so Secure Boot is the control that would have stopped this, not the cause)

A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output (output not reproduced here). Which of the following commands should the administrator run NEXT to further analyze the compromised system? A. strace /proc/1301 B. rpm -V openssh-server C. /bin/ls -l /proc/1301/exe D. kill -9 1301

C. /bin/ls -l /proc/1301/exe (the symlink reveals the binary actually backing PID 1301, including a deleted or renamed file; killing the process first would destroy that evidence)

During routine monitoring, a security analyst identified the following enterprise network traffic (packet capture output not reproduced here). Which of the following BEST describes what the security analyst observed? A. 66.187.224.210 set up a DNS hijack with 192.168.12.21. B. 192.168.12.21 made a TCP connection to 66.187.224.210. C. 192.168.12.21 made a TCP connection to 209.132.177.50. D. 209.132.177.50 set up a TCP reset attack to 192.168.12.21.

C. 192.168.12.21 made a TCP connection to 209.132.177.50.

Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective? A. Unauthorized, unintentional, benign B. Unauthorized, intentional, malicious C. Authorized, intentional, malicious D. Authorized, unintentional, benign

C. Authorized, intentional, malicious

An incident responder successfully acquired application binaries off a mobile device for later forensic analysis. Which of the following should the analyst do NEXT? A. Decompile each binary to derive the source code. B. Perform a factory reset on the affected mobile device. C. Compute SHA-256 hashes for each binary. D. Encrypt the binaries using an authenticated AES-256 mode of operation. E. Inspect the permissions manifests within each application.

C. Compute SHA-256 hashes for each binary.
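Added example (not from the original study set): what "compute SHA-256 hashes for each binary" looks like in practice, namely a manifest written at acquisition time and re-checked before analysis, so any later modification of the evidence is detected. The evidence files here are constructed byte strings written to a temporary directory; the manifest format and file names are my own choice.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries never need to fit in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir):
    """Hash every acquired file and write manifest.json beside them; return the mapping."""
    evidence_dir = Path(evidence_dir)
    manifest = {p.name: sha256_file(p)
                for p in sorted(evidence_dir.iterdir())
                if p.is_file() and p.name != "manifest.json"}
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash and report files whose digest no longer matches (or that vanished)."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    problems = {}
    for name, expected in manifest.items():
        path = evidence_dir / name
        if not path.exists():
            problems[name] = "missing"
        elif sha256_file(path) != expected:
            problems[name] = "modified"
    return problems


def demo():
    """Constructed evidence: two fake binaries; one is altered after the manifest is written."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "app.apk").write_bytes(b"PK\x03\x04" + b"A" * 1000)
        (Path(d) / "helper.so").write_bytes(b"\x7fELF" + b"B" * 500)
        manifest = build_manifest(d)
        clean = verify_manifest(d)                  # nothing changed yet
        (Path(d) / "helper.so").write_bytes(b"\x7fELF" + b"C" * 500)
        tampered = verify_manifest(d)               # helper.so now differs
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean)
    print("after tampering :", tampered)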

Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices? A. Use a UEFI boot password B. Implement a self-encrypted disk C. Configure filesystem encryption D. Enable Secure Boot using TPM

C. Configure filesystem encryption

An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented. Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain? A. Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment. B. Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules. C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to and from each environment. D. Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account.

C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to and from each environment.

During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries for IP 192.168.50.2 for a 24-hour period (query results not reproduced here). To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and __________. A. DST 138.10.2.5. B. DST 138.10.25.5. C. DST 172.10.3.5. D. DST 172.10.45.5. E. DST 175.35.20.5.

C. DST 172.10.3.5.

A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen? A. Implement a mobile device wiping solution for use once the device returns home. B. Install a DLP solution to track data flow. C. Install an encryption solution on all mobile devices. D. Train employees to report a lost or stolen laptop to the security department immediately.

C. Install an encryption solution on all mobile devices.

A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices. Which of the following should be used to identify the traffic? A. Carving B. Disk imaging C. Packet analysis D. Memory dump E. Hashing

C. Packet analysis

An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues, prioritizing the severity, and automating a response. Which of the following would best meet the organization's needs? A. MaaS B. SIEM C. SOAR D. CI/CD

C. SOAR

A security analyst is reviewing malware files without running them. Which of the following analysis types is the security analyst using? A. Dynamic B. Sandbox C. Static D. Heuristic

C. Static

Which of the following are important reasons for performing proactive threat-hunting activities? (Choose two.) A. To ensure all alerts are fully investigated B. To test incident response capabilities C. To uncover unknown threats D. To allow alerting rules to be more specific E. To create a new security baseline F. To improve user awareness about security threat

C. To uncover unknown threats D. To allow alerting rules to be more specific

A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement: A. federated authentication B. role-based access control C. manual account reviews D. multifactor authentication

A. federated authentication (when the SaaS applications trust the corporate identity provider, disabling the leaver's IdP account cuts off every federated login at once; periodic manual reviews only find orphaned accounts after the fact)

As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period? A. Organizational policies B. Vendor requirements and contracts C. Service-level agreements D. Legal requirements

D. Legal requirements

Which of the following types of policies is used to regulate data storage on the network? A. Password B. Acceptable use C. Account management D. Retention

D. Retention

A security analyst is reviewing the following log from an email security service (log not reproduced here). Which of the following BEST describes the reason why the email was blocked? A. The To address is invalid. B. The email originated from the www.spamfilter.org URL. C. The IP address and the remote server name are the same. D. The IP address was blacklisted. E. The From address is invalid.

D. The IP address was blacklisted.

A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication. Which of the following will remediate this software vulnerability? A. Enforce unique session IDs for the application. B. Deploy a WAF in front of the web application. C. Check for and enforce the proper domain for the redirect. D. Use a parameterized query to check the credentials. E. Implement email filtering with anti-phishing protection.

C. Check for and enforce the proper domain for the redirect. (This is an open redirect: the post-login "return to" parameter accepts an attacker-supplied URL. Mail filtering reduces how often the link is clicked but leaves the software defect in place; the question asks what remediates the vulnerability.)
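Added example (not from the original study set): the redirect check the answer describes, with the bypasses an attacker tries first: a scheme-relative `//evil.com`, an absolute URL, credentials in the authority (`https://app.example.com@evil.com`), a look-alike subdomain, a non-HTTP scheme and a backslash trick. The application host `app.example.com` is an assumption; everything else uses only the standard library.

```python
from urllib.parse import urljoin, urlsplit

# Assumed hostname of the application in the question; replace with your own.
APP_ORIGIN = "https://app.example.com/"
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(next_url, default="/"):
    """Return next_url only if it resolves to this application's host; otherwise `default`."""
    if not next_url:
        return default
    # Browsers treat '/\evil.com' like '//evil.com' and CR/LF can split headers,
    # so refuse those characters before any parsing happens.
    if any(ch in next_url for ch in "\\\r\n"):
        return default
    resolved = urljoin(APP_ORIGIN, next_url)        # relative paths stay on our origin
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):       # javascript:, data:, ...
        return default
    if parts.username or parts.password:            # https://evil.com@app.example.com
        return default
    if parts.hostname not in ALLOWED_HOSTS:         # //evil.com, app.example.com.evil.com
        return default
    return resolved


if __name__ == "__main__":
    for candidate in ["/dashboard?tab=1", "//evil.com/login", "https://evil.com/login",
                      "https://app.example.com@evil.com/", "https://app.example.com.evil.com/",
                      "javascript:alert(1)", "/\\evil.com", ""]:
        print(f"{candidate!r:42} -> {safe_redirect_target(candidate)}")
```

Comparing `parts.hostname` against an exact allow-list, rather than checking that the string starts with or contains the expected domain, is what defeats the `app.example.com.evil.com` and `@` variants; a stricter design returns only the path and query and never an absolute URL at all.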

A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log (not reproduced here). Which of the following commands would work BEST to achieve the desired result? A. grep -v chatter14 chat.log B. grep -i pythonfun chat.log C. grep -i javashark chat.log D. grep -v javashark chat.log E. grep -v pythonfun chat.log F. grep -i chatter14 chat.log

F. grep -i chatter14 chat.log

A manager asks a security analyst to provide the web-browsing history of an employee. Which of the following should the analyst do first? A. Obtain permission to perform the search. B. Obtain the web-browsing history from the proxy. C. Obtain the employee's network ID to form the query. D. Download the browsing history, encrypt it, and hash it.

A. Obtain permission to perform the search.

During a risk assessment, a senior manager inquires about what the cost would be if a unique occurrence would impact the availability of a critical service. The service generates $1,000 in revenue for the organization. The impact of the attack would affect 20% of the server's capacity to perform jobs. The organization expects that five out of twenty attacks would succeed during the year. Which of the following is the calculated single loss expectancy? A. $200 B. $800 C. $5,000 D. $20,000

A. $200

A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame. Which of the following is the MOST likely cause of this issue? A. A password-spraying attack was performed against the organization. B. A DDoS attack was performed against the organization. C. This was normal shift work activity; the SIEM's AI is learning. D. A credentialed external vulnerability scan was performed.

A. A password-spraying attack was performed against the organization.
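Added example (not from the original study set): the detection that would have raised this alert. A spray is "many accounts, each with only one or two failures, in a short window", the inverse of a brute-force attack on a single account, so the logic counts distinct accounts with few failures rather than failures per account. The webmail log format, user names, addresses and geolocations are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2024, 5, 1, 2, 0, 0)
SPRAY_SOURCES = [("203.0.113.5", "BR"), ("198.51.100.77", "RU")]
SPRAY_USERS = [f"user{n:02d}" for n in range(1, 13)]

# Constructed webmail auth log: a spray (12 accounts x 2 guesses from two foreign IPs
# over six minutes), one user who fails once and then succeeds, and a service account
# with a stale password failing repeatedly (noise that must not hide the spray).
AUTH_LOG = (
    [f"{(BASE - timedelta(minutes=30)).isoformat()} auth user=alice result=FAIL src=10.0.0.4 geo=US",
     f"{(BASE - timedelta(minutes=29)).isoformat()} auth user=alice result=SUCCESS src=10.0.0.4 geo=US"]
    + [f"{(BASE + timedelta(seconds=15 * (2 * i + attempt))).isoformat()} auth user={user} "
       f"result=FAIL src={SPRAY_SOURCES[attempt][0]} geo={SPRAY_SOURCES[attempt][1]}"
       for i, user in enumerate(SPRAY_USERS) for attempt in range(2)]
    + [f"{(BASE + timedelta(minutes=m)).isoformat()} auth user=svc_backup result=FAIL src=10.0.0.9 geo=US"
       for m in range(1, 6)]
)

LOG_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\w+) "
                    r"src=(?P<src>\S+) geo=(?P<geo>\w+)$")


def parse_auth(lines):
    """(timestamp, user, result, src, geo) tuples sorted by time; unknown lines skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["src"], m["geo"]))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """Spray signature: >= min_users distinct accounts each failing <= max_per_user times in `window`.

    Accounts failing more often than max_per_user (brute force, broken service accounts)
    are ignored rather than counted, so they neither trigger nor mask a spray."""
    fails = [e for e in events if e[2] == "FAIL"]
    best = None
    lo = 0
    for hi in range(len(fails)):
        while fails[hi][0] - fails[lo][0] > window:
            lo += 1
        chunk = fails[lo:hi + 1]
        per_user = Counter(e[1] for e in chunk)
        sprayed = {u for u, n in per_user.items() if n <= max_per_user}
        if len(sprayed) >= min_users and (best is None or len(sprayed) > best["users"]):
            best = {
                "users": len(sprayed),
                "sources": sorted({e[3] for e in chunk if e[1] in sprayed}),
                "geos": sorted({e[4] for e in chunk if e[1] in sprayed}),
                "window_start": chunk[0][0],
            }
    return best


if __name__ == "__main__":
    print(detect_password_spray(parse_auth(AUTH_LOG)))
```

The output names the sources and geolocations behind the spray, which is what the responder needs next (block the sources, then look for any SUCCESS from them, since a spray that hits one valid password is the real incident).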

A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session. Which of the following is the best technique to address the CISO's concerns? A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes. B. Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes. C. Place a legal hold on the files. Require authorized users to abide by a strict time context access policy. Monitor the files for unauthorized changes. D. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.

A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality. Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing? A. Deidentification B. Encoding C. Encryption D. Watermarking

A. Deidentification

A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time? A. Establish an alternate site with active replication to other regions B. Configure a duplicate environment in the same region and load balance between both instances C. Set up every cloud component with duplicated copies and auto-scaling turned on D. Create a duplicate copy on premises that can be used for failover in a disaster situation

A. Establish an alternate site with active replication to other regions

A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties. Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.) A. Executing vendor compliance assessments against the organization's security controls B. Executing NDAs prior to sharing critical data with third parties C. Soliciting third-party audit reports on an annual basis D. Maintaining and reviewing the organizational risk assessment on a quarterly basis E. Completing a business impact assessment for all critical service providers F. Utilizing DLP capabilities at both the endpoint and perimeter levels

A. Executing vendor compliance assessments against the organization's security controls C. Soliciting third-party audit reports on an annual basis

A security analyst is reviewing the event logs on an air-gapped workstation. The analyst knows the system is used regularly for classified work. Additionally, the analyst knows multiple users locked themselves out and required a password reset. When reviewing the logs, the security analyst is surprised to see that these incidents were not recorded in the logs. Which of the following is the best remediation for this issue? A. Modify the local group policy to use advanced logging. B. Install third-party software to log the events remotely. C. Require users to log a trouble ticket when failures occur. D. Ensure the analyst has the correct permissions to view the logs.

A. Modify the local group policy to use advanced logging.

An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller? A. Segment the network to constrain access to administrative interfaces. B. Replace the equipment that has third-party support. C. Remove the legacy hardware from the network. D. Install an IDS on the network between the switch and the legacy equipment.

A. Segment the network to constrain access to administrative interfaces.

A security analyst is reviewing vulnerability scans from an organization's internet-facing web services. The following is from an output file called ssl-test_webapps.comptia.org. Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key? A. TLS_RSA_WITH_DES_CBC_SHA 56 B. TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits) C. TLS_RSA_WITH_AES_256_CBC_SHA 256 D. TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

A. TLS_RSA_WITH_DES_CBC_SHA 56 (a 56-bit DES session key can be exhausted directly; the 1024-bit DH group in option B is also weak, but that attack targets the key exchange through precomputation rather than brute-forcing the session key itself)
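Added example (not from the original study set): a triage routine over the four cipher-suite lines in the question, ranking each finding so the 56-bit DES suite comes out on top while the 1024-bit DH group and the non-forward-secret static-RSA suites are still reported. The line format is the one shown in the question; the severity labels and thresholds (112-bit minimum symmetric strength, 2048-bit minimum DH) are my own choices and the usual modern baseline.

```python
import re

# The four cipher-suite lines from the question, as printed on the page.
SCAN_LINES = [
    "TLS_RSA_WITH_DES_CBC_SHA 56",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)",
    "TLS_RSA_WITH_AES_256_CBC_SHA 256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 256 DH (2048 bits)",
]

LINE_RE = re.compile(r"^(?P<suite>TLS_\S+)\s+(?P<bits>\d+)(?:\s+DH \((?P<dh>\d+) bits\))?\s*$")
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def assess_suite(line):
    """Return [(severity, reason)] for one scanner line; an empty list means nothing to flag."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    suite, bits = m["suite"], int(m["bits"])
    dh_bits = int(m["dh"]) if m["dh"] else None
    findings = []
    if bits < 112:
        # 56-bit DES: exhaustive search of the session key is practical on commodity hardware.
        findings.append(("critical", f"{bits}-bit symmetric key is brute-forceable"))
    if re.search(r"_(DES|3DES|RC4)_", suite):
        findings.append(("critical", "legacy cipher (DES/3DES/RC4) with known practical attacks"))
    if dh_bits is not None and dh_bits < 2048:
        findings.append(("high", f"{dh_bits}-bit DH group: precomputation attacks (Logjam) are feasible"))
    if "_DHE_" not in suite and "_ECDHE_" not in suite:
        findings.append(("medium", "static RSA key exchange: no forward secrecy"))
    if "_CBC_" in suite:
        findings.append(("low", "CBC mode: prefer an AEAD suite (GCM or CHACHA20-POLY1305)"))
    return findings


def worst_line(lines):
    """The line whose most severe finding ranks highest (ties: first in input order)."""
    def score(line):
        return max((SEVERITY[s] for s, _ in assess_suite(line)), default=0)
    return max(lines, key=score)


if __name__ == "__main__":
    for line in SCAN_LINES:
        print(line)
        for severity, reason in assess_suite(line) or [("ok", "no findings")]:
            print(f"    [{severity}] {reason}")
    print("\nfix first:", worst_line(SCAN_LINES))
```

Option D in the question prints without a symmetric key size before the DH group; the list above carries the 256 that the suite name implies so that the parser has one consistent format.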

An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function? A. TPM B. eFuse C. FPGA D. HSM E. UEFI

D. HSM (tokenizing card data for recurring transactions is a payment-industry HSM function: the vault keys and token generation stay inside a tamper-resistant module; a TPM is a per-machine chip for platform keys and measured boot, not a transaction-processing device)

A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output: Antivirus is installed on the remote host. Installation path: C:\Program Files\AVProduct\Win32\Product; Engine: 14.12.101; Engine Version: 3.5.71. Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported. The engine version is out of date. The oldest supported version from the vendor is 4.2.11. The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation? A. This is a false positive, and the scanning plugin needs to be updated by the vendor. B. This is a true negative, and the new computers have the correct version of the software. C. This is a true positive, and the new computers were imaged with an old version of the software. D. This is a false negative, and the new computers need to be updated by the desktop team.

C. This is a true positive, and the new computers were imaged with an old version of the software. (3.5.71 is below the 4.2.11 minimum the analyst confirmed on the vendor's site, so the finding is real; because only new workstations are affected, the image is the likely source, not the plugin.)
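Added example (not from the original study set): the true-positive/false-positive decision from the question as code, including the vendor-confirmation step. Version strings have to be compared numerically rather than as text (as strings, "10.0.1" sorts before "9.9"), which is a common source of wrong triage calls. The plugin text is reconstructed from the question; the function names are my own.

```python
import re

# Plugin output as described in the question (reconstructed, not a scanner export).
PLUGIN_OUTPUT = r"""Antivirus is installed on the remote host:
Installation path: C:\Program Files\AVProduct\Win32\Product
Engine: 14.12.101
Engine Version: 3.5.71
Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.
The engine version is out of date. The oldest supported version from the vendor is 4.2.11."""


def parse_version(text):
    """'3.5.71' -> (3, 5, 71): tuples compare component by component, numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def extract_versions(output):
    """Pull the installed engine version and the plugin's idea of the oldest supported one."""
    installed = re.search(r"^Engine Version:\s*(\d+(?:\.\d+)+)", output, re.M).group(1)
    oldest = re.search(r"oldest supported version from the vendor is (\d+(?:\.\d+)+)", output).group(1)
    return installed, oldest


def triage(output, vendor_confirmed_oldest=None):
    """Classify the finding; `vendor_confirmed_oldest` is what the analyst read on the vendor site."""
    installed, oldest = extract_versions(output)
    if vendor_confirmed_oldest and parse_version(vendor_confirmed_oldest) != parse_version(oldest):
        # The plugin's support table is stale: the finding cannot be trusted as stated.
        return "false positive: plugin support data disagrees with the vendor"
    if parse_version(installed) < parse_version(oldest):
        return "true positive: installed engine is older than the oldest supported version"
    return "false positive: installed engine is within vendor support"


if __name__ == "__main__":
    print(extract_versions(PLUGIN_OUTPUT))
    print(triage(PLUGIN_OUTPUT, vendor_confirmed_oldest="4.2.11"))
```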

An analyst has been asked to provide feedback regarding the controls required by a revised regulatory framework. At this time, the analyst only needs to focus on the technical controls. Which of the following should the analyst provide an assessment of? A. Tokenization of sensitive data B. Establishment of data classifications C. Reporting on data retention and purging activities D. Formal identification of data ownership E. Execution of NDAs

A. Tokenization of sensitive data

A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that: A. enables remote code execution that is being exploited in the wild B. enables data leakage but is not known to be in the environment C. enables lateral movement and was reported as a proof of concept D. affected the organization in the past but was probably contained and eradicated

A. enables remote code execution that is being exploited in the wild

For machine learning to be applied effectively toward security analysis automation, it requires __________. A. relevant training data. B. a threat feed API. C. a multicore, multiprocessor system. D. anomalous traffic signatures.

A. relevant training data.

While investigating reports of issues with a web server, a security analyst attempts to log in remotely and receives an error message (not reproduced here). The analyst accesses the server console, and console messages are displayed (not reproduced here). The analyst is also unable to log in on the console. While reviewing network captures for the server, the analyst sees many packets with the same signature (not reproduced here). Which of the following is the best step for the analyst to take next in this situation? A. Load the network captures into a protocol analyzer to further investigate the communication with 128.50.100.23, as this may be a botnet command server. B. After ensuring network captures from the server are saved, isolate the server from the network, take a memory snapshot, reboot, and log in to do further analysis. C. Corporate data is being exfiltrated from the server. Reboot the server and log in to see if it contains any sensitive data. D. Cryptomining malware is running on the server and utilizing all CPU and memory. Reboot the server and disable any cron jobs or startup scripts that start the mining software.

B. After ensuring network captures from the server are saved, isolate the server from the network, take a memory snapshot, reboot, and log in to do further analysis.

A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal? A. Continuous integration and deployment B. Automation and orchestration C. Static and dynamic analysis D. Information sharing and analysis

B. Automation and orchestration

A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream (not reproduced here). Which of the following actions should the security analyst take NEXT? A. Review the known Apache vulnerabilities to determine if a compromise actually occurred. B. Contact the application owner for connect.example.local for additional information. C. Mark the alert as a false positive scan coming from an approved source. D. Raise a request to the firewall team to block 203.0.113.15.

B. Contact the application owner for connect.example.local for additional information.

Which of the following attacks can be prevented by using output encoding? A. Server-side request forgery B. Cross-site scripting C. SQL injection D. Command injection E. Cross-site request forgery F. Directory traversal

B. Cross-site scripting

A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs several commands (output not reproduced here). Based on the output from those commands, which of the following should the analyst do NEXT to further the investigation? A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system. B. Examine the server logs for further indicators of compromise of a web application. C. Run kill -9 1325 to bring the load average down so the server is usable again. D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

B. Examine the server logs for further indicators of compromise of a web application.

A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue? A. Audit access permissions for all employees to ensure least privilege. B. Force a password reset for the impacted employees and revoke any tokens. C. Configure SSO to prevent passwords from going outside the local network. D. Set up privileged access management to ensure auditing is enabled.

B. Force a password reset for the impacted employees and revoke any tokens.

A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability? A. Deploy a WAF in front of the application. B. Implement a software repository management tool. C. Install a HIPS on the server. D. Instruct the developers to use input validation in the code.

B. Implement a software repository management tool.

Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset? A. It automatically performs remedial configuration changes to enterprise security services B. It enables standard checklist and vulnerability analysis expressions for automation C. It establishes a continuous integration environment for software development operations D. It provides validation of suspected system vulnerabilities through workflow orchestration

B. It enables standard checklist and vulnerability analysis expressions for automation

The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives: reduce the number of potential findings by the auditors; limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations; prevent the external-facing web infrastructure used by other teams from coming into scope; limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised. Which of the following would be the MOST effective way for the security team to meet these objectives? A. Limit the permissions to prevent other employees from accessing data owned by the business unit. B. Segment the servers and systems used by the business unit from the rest of the network. C. Deploy patches to all servers and workstations across the entire organization. D. Implement full-disk encryption on the laptops used by employees of the payment-processing team.

B. Segment the servers and systems used by the business unit from the rest of the network.

Which of the following would best protect sensitive data if a device is stolen? A. Remote wipe of drive B. Self-encrypting drive C. Password-protected hard drive D. Bus encryption

B. Self-encrypting drive

As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information. Which of the following BEST describes this test? A. Walk through B. Full interruption C. Simulation D. Parallel

C. Simulation

Which of the following are the most likely reasons to include reporting processes when updating an incident response plan after a breach? (Choose two.) A. To use the SLA to determine when to deliver the report B. To meet regulatory requirements for timely reporting C. To limit reputation damage caused by the breach D. To remediate vulnerabilities that led to the breach E. To isolate potential insider threats F. To provide secure network design changes

B. To meet regulatory requirements for timely reporting C. To limit reputation damage caused by the breach

A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised. Which of the following would provide the BEST results? A. Baseline configuration assessment B. Uncredentialed scan C. Network ping sweep D. External penetration test

B. Uncredentialed scan

A security analyst at an organization is reviewing vulnerability reports from a newly deployed vulnerability management platform. The organization is not receiving information about devices that rarely connect to the network. Which of the following will the analyst most likely do to obtain vulnerability information about these devices? A. Add administrator credentials to mobile devices. B. Utilize cloud-based agents. C. Deploy a VPC in front of a NAC. D. Implement MDM.

B. Utilize cloud-based agents.

A hybrid control is one that: A. is implemented differently on individual systems B. is implemented at the enterprise and system levels C. has operational and technical components D. authenticates using passwords and hardware tokens

B. is implemented at the enterprise and system levels

A company's marketing emails are either being found in a spam folder or not being delivered at all. The security analyst investigates the issue and discovers the emails in question are being sent on behalf of the company by a third party, mail.marketing.com. Below is the existing SPF record: `v=spf1 a mx -all`. Which of the following updates to the SPF record will work BEST to prevent the emails from being marked as spam or blocked? A. v=spf1 a mx redirect:mail.marketing.com ?all B. v=spf1 a mx include:mail.marketing.com -all C. v=spf1 a mx +all D. v=spf1 a mx include:mail.marketing.com ~all

B. v=spf1 a mx include:mail.marketing.com -all

A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited? A. Insider threat B. Buffer overflow C. Advanced persistent threat D. Zero day

D. Zero day

A security analyst responds to a series of events surrounding sporadic bandwidth consumption from an endpoint device. The security analyst then identifies the following additional details: • Bursts of network utilization occur approximately every seven days. • The content being transferred appears to be encrypted or obfuscated. • A separate but persistent outbound TCP connection from the host to infrastructure in a third-party cloud is in place. • The HDD utilization on the device grows by 10GB to 12GB over the course of every seven days. • Single file sizes are 10GB. Which of the following describes the most likely cause of the issue? A. Memory consumption B. Non-standard port usage C. Data exfiltration D. System update E. Botnet participant

C. Data exfiltration

An organization is required to be able to consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams. The organization would also like to be able to leverage the intelligence to enrich security event data. Which of the following functions would most likely help the security analyst meet the organization's requirements? A. Vulnerability management B. Risk management C. Detection and monitoring D. Incident response

C. Detection and monitoring

An organization has the following policies: ✑ Services must run on standard ports. ✑ Unneeded services must be disabled. The organization has the following servers: ✑ 192.168.10.1 - web server ✑ 192.168.10.2 - database server. A security analyst runs a scan on the servers and sees the following output: Which of the following actions should the analyst take? A. Disable HTTPS on 192.168.10.1. B. Disable IIS on 192.168.10.1. C. Disable DNS on 192.168.10.2. D. Disable MSSQL on 192.168.10.2. E. Disable SSH on both servers.

C. Disable DNS on 192.168.10.2.

During the onboarding process for a new vendor, a security analyst obtains a copy of the vendor's latest penetration test summary: Performed by: Vendor Red Team. Last performed: 14 days ago. Which of the following recommendations should the analyst make first? A. Perform a more recent penetration test. B. Continue vendor onboarding. C. Disclose details regarding the findings. D. Have a neutral third party perform a penetration test.

C. Disclose details regarding the findings.

A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features. Which of the following should be done to prevent this issue from reoccurring? A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered. B. Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations. C. Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy. D. Install a third power supply in the SAN so loss of any power input does not result in the SAN completely powering off.

C. Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.

An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue? A. Copies of prior audits that did not identify the servers as an issue B. Project plans relating to the replacement of the servers that were approved by management C. Minutes from meetings in which risk assessment activities addressing the servers were discussed D. ACLs from perimeter firewalls showing blocked access to the servers E. Copies of change orders relating to the vulnerable servers

C. Minutes from meetings in which risk assessment activities addressing the servers were discussed

A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access? A. Single sign-on B. Mandatory access control C. Multifactor authentication D. Federation E. Privileged access management

C. Multifactor authentication

An analyst needs to provide recommendations based on the following vulnerability report: Which of the following vulnerabilities should the analyst recommend addressing first? A. SSL certificate signed using weak hashing algorithm B. TLS version 1.0 protocol detection C. PHP 7.1.x <7.1.25 multiple vulnerabilities D. RHEL 7 : qemu-kvm (RHSA-2020:1208)

C. PHP 7.1.x <7.1.25 multiple vulnerabilities

An analyst is reviewing email headers to determine if an email has been sent from a legitimate sender. The organization uses SPF to validate email origination. Which of the following most likely indicates an invalid originator? A. Received-SPF: neutral B. Received-SPF: none C. Received-SPF: softfail D. Received-SPF: error

C. Received-SPF: softfail

A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities. Which of the following would be BEST to implement to alleviate the CISO's concern? A. DLP B. Encryption C. Test data D. NDA

C. Test data

A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past several hours. The administrator runs the tasklist /v command and receives the following output: Which of the following should a security analyst recognize as an indicator of compromise? A. dwm.exe being executed under the user context B. The high memory usage of vscode.exe*32 C. The abnormal behavior of paint.exe D. svchost.exe being executed as SYSTEM

C. The abnormal behavior of paint.exe

Which of the following describes the difference between intentional and unintentional insider threats? A. Their access levels will be different. B. The risk factor will be the same. C. Their behavior will be different. D. The rate of occurrence will be the same.

C. Their behavior will be different.

A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow: Which of the following controls must be in place to prevent this vulnerability? A. Convert all integer numbers in strings to handle the memory buffer correctly. B. Implement float numbers instead of integers to prevent integer overflows. C. Use built-in functions from libraries to check and handle long numbers properly. D. Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.

C. Use built-in functions from libraries to check and handle long numbers properly.

While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements: ✑ All sensitive data must be classified. ✑ All sensitive data must be purged on a quarterly basis. ✑ Certificates of disposal must remain on file for at least three years. This framework control is MOST likely classified as: A. prescriptive B. risk-based C. preventive D. corrective

C. preventive

A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious? A. sha256sum B. file C. strings D. cat

C. strings

Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus, on company systems? A. Code of conduct policy B. Account management policy C. Password policy D. Acceptable use policy

D. Acceptable use policy

A finance department employee has received a message that appears to have been sent from the Chief Financial Officer (CFO), asking the employee to perform a wire transfer. Analysis of the email shows the message came from an external source and is fraudulent. Which of the following would work BEST to improve the likelihood of employees quickly recognizing fraudulent emails? A. Implementing a sandboxing solution for viewing emails and attachments B. Limiting email from the finance department to recipients on a pre-approved whitelist C. Configuring email client settings to display all messages in plaintext when read D. Adding a banner to incoming messages that identifies the messages as external

D. Adding a banner to incoming messages that identifies the messages as external

During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident? A. BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023 B. BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044 C. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056 D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036 E. BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064

D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036

A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following: Which of the following can the analyst conclude? A. Malware is attempting to beacon to 128.50.100.3. B. The system is running a DoS attack against ajgidwle.com. C. The system is scanning ajgidwle.com for PII. D. Data is being exfiltrated over DNS.

D. Data is being exfiltrated over DNS.

An information security analyst is working with a data owner to identify the appropriate controls to preserve the confidentiality of data within an enterprise environment. One of the primary concerns is exfiltration of data by malicious insiders. Which of the following controls is the MOST appropriate to mitigate risks? A. Data deduplication B. OS fingerprinting C. Digital watermarking D. Data loss prevention

D. Data loss prevention

An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets. Which of the following should be considered FIRST prior to disposing of the electronic data? A. Sanitization policy B. Data sovereignty C. Encryption policy D. Retention standards

D. Retention standards

A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached. Which of the following risk actions has the security committee taken? A. Risk exception B. Risk avoidance C. Risk tolerance D. Risk acceptance

D. Risk acceptance

During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the best way to locate this issue?

D. Run a dynamic code analysis.

A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server. Which of the following is the FIRST step the analyst should take? A. Create a full disk image of the server's hard drive to look for the file containing the malware. B. Run a manual antivirus scan on the machine to look for known malicious software. C. Take a memory snapshot of the machine to capture volatile information stored in memory. D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.

D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.

While analyzing logs from a WAF, a cybersecurity analyst finds the following: `GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574%2box3133333731,1223,1224&name=&state=IL` Which of the following BEST describes what the analyst has found? A. This is an encrypted GET HTTP request B. A packet is being used to bypass the WAF C. This is an encrypted packet D. This is an encoded WAF bypass

D. This is an encoded WAF bypass

A security analyst has been alerted to several emails that show evidence an employee is planning malicious activities that involve employee PII on the network before leaving the organization. The security analyst's BEST response would be to coordinate with the legal department and: A. the public relations department B. senior leadership C. law enforcement D. the human resources department

D. the human resources department

An analyst needs to provide recommendations based on a recent vulnerability scan: Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified? A. SMB use domain SID to enumerate users B. SYN scanner C. SSL certificate cannot be trusted D. Scan not performed with admin privileges

D. Scan not performed with admin privileges

An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise? A. Use Burp Suite to capture packets to the SCADA device's IP. B. Use tcpdump to capture packets from the SCADA device IP. C. Use Wireshark to capture packets between SCADA devices and the management system. D. Use Nmap to capture packets from the management system to the SCADA devices.

C. Use Wireshark to capture packets between SCADA devices and the management system.

An analyst is reviewing the output from some recent network enumeration activities. The following entry relates to a target on the network: Based on the Nmap output above, which of the following features is running on the router? A. Web application firewall B. Port triggering C. Intrusion prevention system D. Port isolation E. Port address translation

A. Web application firewall

A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/a.php in a phishing email. To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the __________. A. email server that automatically deletes attached executables. B. IDS to match the malware sample. C. proxy to block all connections to <malwaresource>. D. firewall to block connection attempts to dynamic DNS hosts.

C. proxy to block all connections to <malwaresource>.

An information security analyst is compiling data from a recent penetration test and reviews the following output: The analyst wants to obtain more information about the web-based services that are running on the target. Which of the following commands would MOST likely provide the needed information? A. ping -t 10.79.95.173.rdns.datacenters.com B. telnet 10.79.95.173 443 C. ftpd 10.79.95.173.rdns.datacenters.com 443 D. tracert 10.79.95.173

B. telnet 10.79.95.173 443
