Cysa Test 1 Certmaster Practice
A security analyst is investigating potential malicious activity associated with an IP address. Which of the following resources can the analyst use to gather information about the reputation of the IP address and determine if there are previous reports of malicious activities associated with it?
Intrusion Detection System (IDS) | Network Access Control (NAC) | Security Information and Event Management (SIEM) | AbuseIPDB
AbuseIPDB
A security engineer gathers information on a network to document baseline data. The data identifies a current footprint for a security posture report. If the report contains a list of software versions for devices, which tool does the engineer utilize? (Select the two best options.)
Angry IP Scanner | OpenVAS | Maltego | Nmap
Angry IP Scanner | Nmap
A mid-sized stuffed pumpkin manufacturer has hired a penetration testing consulting firm to conduct penetration testing on their network. As the penetration testing team begins testing, they notice DNS records pointing to public-facing devices for the manufacturer that they were not previously aware of. What should be their next step?
Conduct network discovery to identify other potential targets and vulnerabilities | Conduct edge discovery to identify other potential targets and vulnerabilities | Conduct host discovery to identify other potential targets and vulnerabilities | Conduct a passive discovery to identify potential vulnerabilities
Conduct edge discovery to identify other potential targets and vulnerabilities
During a security breach, a security administrator identifies the stakeholders affected by the incident. What next step should the administrator take to ensure effective communication with the stakeholders?
Send a detailed email to all stakeholders without prioritizing communication methods | Avoid communication with stakeholders until the incident has been fully resolved | Delegate stakeholder communication to the public relations team | Develop a communication plan based on stakeholder needs and interests
Develop a communication plan based on stakeholder needs and interests
What type of vulnerability scan focuses on the target from the outside of the network, broadly referring to the Internet?
External scans | Credentialed application vulnerability scans | Infrastructure vulnerability scans | Internal scans
External scans
Political slogans have defaced the website of a large petroleum corporation. A group claiming to be responsible has posted a manifesto of their beliefs and reason for the attack. Upon further investigation, the system administrator discovers that the group used a simple SQL injection attack to gain access to the website's content management system. What type of attacker is most likely responsible for this attack?
Organized crime | Advanced persistent threat (APT) | Nation-state | Hacktivist
Hacktivist
A security analyst is evaluating the company's vulnerability management program in a mixed infrastructure environment. Which of the following infrastructure models requires the analyst to consider multiple environments when understanding vulnerability scoring concepts?
Hybrid cloud | Public cloud | On-premises | Private cloud
Hybrid cloud
A company's online ordering system uses cookies to match users to their accounts. As a result, an attacker can easily steal browser cookies and gain access to sensitive information. What type of vulnerability does this situation describe?
SSRF | Broken access control | Identification and authentication failures | Cryptographic failures
Identification and authentication failures
A small aviation services company suffered a cyber attack and wants to take steps to prevent future attacks. Which group should the company consider joining in communicating concerns about cyber threats and vulnerabilities with other businesses?
Paid threat intelligence feed | CERT | Information sharing organization | CSIRT
Information sharing organization
A security analyst is investigating suspicious network activity and needs to understand the behavior of a piece of malware found on a compromised system. Which tool can the analyst use to safely execute and analyze the malware to identify the actions and potential impact on the system?
Joe Sandbox | Password cracking tool | Netflow analysis | Log management system
Joe Sandbox
A network administrator at a large organization works on enhancing their network infrastructure's monitoring and alerting capabilities. The administrator wants to optimize the system logs to detect and respond to potential security threats efficiently. Which action should the network administrator prioritize to achieve this goal?
Logging levels | Time synchronization | Forensic analysis | System hardening
Logging levels
A security analyst validates a vulnerability by exploiting it. Which tool can best accomplish this task?
Maltego | Metasploit Framework (MSF) | Angry IP Scanner | Recon-ng
Metasploit Framework (MSF)
A security team is working to maintain operational visibility during a security incident involving potential indicators of compromise on a critical system. To effectively respond to the situation, what should be the primary focus of the team's investigation?
Unauthorized scheduled tasks | System log inconsistencies | Monitoring and analyzing anomalous activity | Reviewing suspicious email attachments
Monitoring and analyzing anomalous activity
A privately owned mid-size municipal solid waste landfill has experienced a severe data breach, and the IT security team is working to prevent future breaches. As the team analyzes traffic, they discover that the attacker was able to gain access through a previously unknown and publicly accessible entry point. The team decides to map out all of the devices, both public and private, on the landfill's infrastructure. What form of discovery does this represent?
Edge discovery | Host discovery | Network discovery | Passive discovery
Network discovery
A large financial institution tasked its security analyst with ensuring the security of the institution's web applications. The analyst decides to use both the Open Source Security Testing Methodology Manual (OSSTMM) and the Open Web Application Security Project (OWASP) testing guide to conduct his security assessments. Which statements best describe why the analyst would use OSSTMM and the OWASP Testing Guide?
OSSTMM and OWASP testing guide have a complementary relationship. OSSTMM provides a broad approach to security testing, while the OWASP Testing Guide provides specific guidance for web application security testing. | OSSTMM and the OWASP Testing Guide are competing frameworks, and it is not recommended to use them together. | OSSTMM is a comprehensive testing guide that includes web application security testing, while OWASP Testing Guide focuses only on web application security. | OSSTMM focuses on network secur
OSSTMM and OWASP testing guide have a complementary relationship. OSSTMM provides a broad approach to security testing, while the OWASP Testing Guide provides specific guidance for web application security testing.
What is the most important consideration for sandboxing activities?
Physical or logical isolation of the sandbox host from the main network | Patch management | Convenient sandbox capabilities | Virtualization
Physical or logical isolation of the sandbox host from the main network
An organization moves computing resources to the cloud. A team of security consultants reviews the new configurations and reports on the details from an external perspective. As part of the investigation, the team takes advantage of regulatory compliance features of what tool?
Prowler | GNU debugger (GDB) | ScoutSuite | Pacu
Prowler
A large tech company wants to design and implement secure systems and applications resilient to cyber-attacks. Which cybersecurity process should the company follow to implement secure features into its products and services?
Security engineering | Incident response | Vulnerability management | Detection and monitoring
Security engineering
A company has a service-level agreement (SLA) with a third-party vendor for hosting its website. The SLA specifies that the vendor will maintain 99.9% uptime for the website. The vendor experiences a system outage that causes the website to be unavailable for several hours, resulting in a breach of the SLA. What is the most likely consequence of this breach?
The company and vendor must renegotiate the service-level agreement (SLA) to address the breach. | The vendor must pay the penalty to the company for the breach. | The company is not impacted as the service-level agreement (SLA) is not legally binding. | The company can terminate the service-level agreement (SLA) without penalty.
The company and vendor must renegotiate the service-level agreement (SLA) to address the breach.
A company has identified multiple vulnerabilities in its systems, including one critical vulnerability that could potentially cause significant damage if exploited. Which vulnerability should the security team prioritize for remediation?
The vulnerability with the most identified instances | The vulnerability with the highest Common Vulnerability Scoring System (CVSS) score | The critical vulnerability | The vulnerability that is easiest to fix
The critical vulnerability
A large corporation recently experienced a cyber attack, and the security team must analyze the incident and determine the appropriate response. They are using the Diamond Model of Intrusion Analysis and the cyber kill chain as part of the investigation. What is the difference between the Diamond Model of Intrusion Analysis and the cyber kill chain?
Both the Diamond Model and the cyber kill chain are outdated and the team would no longer use them in incident response. | The Diamond Model and the cyber kill chain are the same thing. | The Diamond Model focuses on the stages of an attack, while the cyber kill chain focuses on the tactics the attacker used. | The cyber kill chain focuses on the stages of an attack, while the Diamond Model focuses on the tactics the attacker used.
The cyber kill chain focuses on the stages of an attack, while the Diamond Model focuses on the tactics the attacker used.
A company's compliance team has identified a security vulnerability in the organization's network. The team has presented this finding to the risk management team, who, in turn, creates a response plan to address the vulnerability. What is the next best step in the process based on this scenario?
The risk management team presents the response plan to the board of directors. | The technical team immediately implements the response plan. | The compliance team creates policies to prevent future vulnerabilities. | The governance team approves and codifies the response plan in policy documents.
The governance team approves and codifies the response plan in policy documents.
Evaluate the impact of zero-day vulnerabilities in software development.
Zero-day vulnerabilities can cause major damage to systems but are rare. | The time between when a zero-day is published and when a patch is available is critical. | Zero-day vulnerabilities only affect older software and can be easily patched. | Zero-day vulnerabilities can be easily detected and prevented by modern antimalware solutions.
The time between when a zero-day is published and when a patch is available is critical.
A security administrator has identified suspicious activity on the network and believes a security incident occurred. The administrator needs to create a timeline of events to help determine the scope of the incident and take appropriate actions. Why is creating a timeline important in this scenario?
To identify potential threats and incidents | To determine the sequence of events that occurred during the incident | To create an executive summary of the incident | To assess the potential impacts of the incident
To determine the sequence of events that occurred during the incident
A security analyst working for a large financial institution became concerned about a security incident that could compromise sensitive customer information. As part of the incident response process, their team conducted a tabletop exercise to identify areas for improvement in the incident response plan. What is the purpose of reviewing lessons learned after a security incident?
To identify weaknesses in the incident response plan | To gather forensic evidence | To simulate a real-world security incident | To train staff members on incident response procedures
To identify weaknesses in the incident response plan
A large retail company notified its incident response team in response to a recent security incident. The team then activated the incident response plan (IRP) and business continuity plan (BCP). After they resolved the incident, they conducted a lessons-learned review. What is the purpose of an incident response plan (IRP) and business continuity plan (BCP) in cybersecurity incident response and management?
To conduct a forensic analysis of the incident to determine the root cause and identify the responsible party | To restore affected systems and data to their pre-incident state | To educate employees on how to prevent and respond to future security incidents | To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions
To provide a step-by-step guide on how to respond to a security incident and ensure the continuity of critical business functions
A security analyst is evaluating the company's infrastructure to optimize security operations. How can the analyst best improve the company's security operations?
Implement hardware architecture | Utilize virtualization | Deploy honeypots | Implement intrusion detection systems
Utilize virtualization
A company's security team wants to receive real-time alerts from its Intrusion Detection System (IDS) whenever a potential threat is detected. Which solution should the team consider to achieve this goal?
Application programming interface (API) | Security orchestration, automation and response (SOAR) | Plugins | Webhooks
Webhooks
A security team wants to automate its incident response process and ensure its systems receive real-time notifications of security events from other systems. Which technology would allow the team to achieve this goal?
Plugins | Webhooks | Application programming interface (API) | Single pane of glass
Webhooks
A security administrator is investigating a potential security incident reported by a user. First, the administrator needs to gather information to determine the scope and severity of the incident. Which of the following "5 Ws" should the security administrator use to begin the investigation?
What | Where | When | Who
Where
In a large organization, the security team struggles to track all the security tools used across different departments. They want to streamline their security operations by integrating all the security tools into a central dashboard. Which solution should the team consider to achieve this goal?
Application programming interface (API) | Security orchestration, automation and response (SOAR) | Webhooks | Plugins
Application programming interface (API)
A company's website is vulnerable to several attack vectors. The company has hired a red team to identify these vulnerabilities and exploit them to gain access to the company's systems. What is the best way to mitigate the risk of these attacks?
Input validation | Output encoding | Threat modeling | Attack surface reduction
Attack surface reduction
A small ice cream truck leasing agency detected a cyber attack targeting their systems. The agency needs to respond quickly and contain the attack. Which organization should the agency contact for assistance with incident response and handling?
Paid threat intelligence feed | CERT | Information sharing organization | CSIRT
CSIRT
A security administrator uses Arachni, an open-source web scanner application, to scan a web application for vulnerabilities. What type of vulnerabilities does this application actively test?
Code injection, SQL injection, XSS, CSRF, and others | Outdated software and configuration errors | Physical security vulnerabilities | Network vulnerabilities
Code injection, SQL injection, XSS, CSRF, and others
A security team reviews an incident where someone made unauthorized changes to a system and granted certain users unauthorized privileges. The team needs to recommend the most suitable control type to avoid such incidents in the future. Which of the following control types should the security team recommend?
Preventive controls | Corrective controls | Detective controls | Compensating controls
Preventive controls
A small business wants to identify, assess, and prioritize adverse events by filtering out data that isn't critically important. Which aspect of threat intelligence data should the cyber security team of the business maximize to handle these events and reduce the likelihood and impact of cyber-attacks?
Accuracy | Social media | Timeliness | Relevancy
Relevancy
A mortgage underwriter specializing in circus equipment loans implements a SOAR system for cybersecurity. Which security control functional type best describes this situation?
Responsive | Corrective | Operational | Managerial
Responsive
A major financial company is establishing a new IT security team to comply with legal and regulatory requirements for its environment. What frameworks and measures should the IT security team implement to ensure compliance and meet these regulations? (Select the three best options.)
Security framework | Security Information and Event Management (SIEM) | Controls checklist | Configuration settings checklists
Security framework | Controls checklist | Configuration settings checklists
A security team is reviewing the output of a cloud vulnerability assessment to detect and respond to potential threats. Which aspect should the team prioritize when analyzing the assessment results to effectively identify security issues related to data exfiltration in cloud environments?
Unexpected output from cloud-based applications | Unexpected outbound communication from cloud services | Unauthorized access to cloud storage | Misconfigured cloud security settings
Unexpected outbound communication from cloud services
A company recently experienced a data breach that resulted in the loss of customer data. What is an important factor to consider when communicating with affected customers during the incident response process in this scenario?
Be transparent about what happened and how the company is responding | Delay communication until completing a full investigation | Downplay the severity of the breach to avoid causing panic | Only communicate with customers who have been directly impacted
Be transparent about what happened and how the company is responding
A financial institution experienced a security breach due to a phishing email that compromised employee credentials. The incident response team responded promptly by implementing the incident response plan (IRP) and restoring services using the business continuity plan (BCP). After the incident, the team conducted a lessons learned review to identify areas for improvement in both plans. Which plan will ensure business operations can continue during and after the disruption?
Recovery time objective (RTO) | Disaster recovery plan (DRP) | Business continuity plan (BCP) | Incident response plan (IRP)
Business continuity plan (BCP)
An index-card marketing company's login portal encounters a computer attempting to log in to the system administrator's web portal account. The portal then compares the username and hash of the user's password to the known credentials in its database. What is the login portal attempting to accomplish?
Conduct data protection | Utilize SDLC | Conduct authentication activities | Conduct a parameterized query
Conduct authentication activities
A security team is analyzing a cyber threat and wants to gather additional information to understand the potential impact of the threat. Which process can the team use to gather additional information about the threat?
Repeatable/do not require human interaction | Data enrichment | Team coordination | Security orchestration, automation and response (SOAR)
Data enrichment
A cybersecurity team is investigating a security incident and needs to efficiently manage access to sensitive resources during the response process. Which solutions can best help the team control access and minimize potential damage? (Select the three best options.)
Data loss prevention (DLP) | Privileged access management (PAM) | Cloud access security broker (CASB) | Threat intelligence platforms
Data loss prevention (DLP) | Privileged access management (PAM) | Cloud access security broker (CASB)
A security analyst discovered that an attacker used a spear-phishing email to access the system and then used an exploit to install malware. Which phase of the cyber kill chain did the attacker use to gain access to the system?
Exploitation | Command and Control | Reconnaissance | Delivery
Delivery
A social media website for pets permits users to upload videos of their pets for others to see. However, the application does not properly sanitize the filenames, and an attacker uploads a file with a malicious filename. By manipulating the filename, the attacker can access files on the server without access authorization. What type of vulnerability does this situation describe?
Broken access control | Directory traversal | Software and data integrity failures | CSRF
Directory traversal
A security analyst has identified a compromised system on the network and needs to take action to prevent further damage. The analyst has decided to implement compensating controls to limit the potential damage. Which of the following is an example of a compensating control that the analyst could implement to prevent further damage to the compromised system while limiting the impact to normal operations?
Deleting system files | Physically removing the compromised system from the network | Shutting down the network | Disabling the compromised system's network adapter
Disabling the compromised system's network adapter
A security analyst performs incident response activities after a recent security incident. They need to analyze a suspicious email attachment and verify the email's authentication to determine the attack's origin. Which tools and techniques should the analyst utilize to accomplish these tasks? (Select the two best options.)
Network Access Control (NAC) | Domain-based Message Authentication, Reporting, and Conformance (DMARC) | Cuckoo Sandbox | Security Information and Event Management (SIEM)
Domain-based Message Authentication, Reporting, and Conformance (DMARC) | Cuckoo Sandbox
A security analyst is investigating a series of phishing emails that bypassed the organization's email filtering system. They need to determine the most likely method the attacker used to ensure the recipients received the phishing emails. Which of the following methods is most likely used by the attacker?
Impossible travel | Network Time Protocol (NTP) abuse | Address Resolution Protocol (ARP) poisoning | DomainKeys Identified Mail (DKIM) exploit
DomainKeys Identified Mail (DKIM) exploit
A security analyst has discovered a workstation infected with malware that has spread to other systems on the network. The analyst has determined that they cannot easily remove the malware and that re-imaging the workstation is necessary. However, the workstation has important data that the analyst has not backed up. After re-imaging the infected workstation, what is the best practice to prevent future malware infections?
Install anti-virus software on all workstations | Implement a security policy that prohibits downloading unauthorized software | Disable USB ports on all workstations | Educate end-users on safe browsing and email practices
Educate end-users on safe browsing and email practices
Which of the following are the objectives of the Open Source Security Testing Methodology Manual (OSSTMM) and actions related to incident response and management? (Select the three best options.)
Evaluating network security | Configuring firewalls and intrusion prevention systems | Identifying assets and critical systems | Conducting vulnerability assessments
Evaluating network security | Identifying assets and critical systems | Conducting vulnerability assessments
A security analyst reviews a scan report. As part of the review, the analyst focuses on identifying any instances where a scanning tool did not report a legitimate issue. The analyst is looking for what type of result?
False positive | False negative | True positive | True negative
False negative
During a forensic investigation, an administrator modified a file, but the changes occurred under proper circumstances. What aspect of cyber security does this situation relate to?
Authentication | Confidentiality | Integrity | Availability
Integrity
A security analyst is analyzing the activities of an incident response team during a recent security breach. They find that unauthorized privileges were granted to a user account, and there was unexpected outbound communication from the compromised system. Which of the following actions should the analyst prioritize to mitigate the risks associated with these issues?
Revoke unauthorized privileges | Isolate the compromised system | Monitor network traffic for additional anomalies | Perform a comprehensive system audit
Isolate the compromised system
A company recently experienced a significant data breach. During the post-incident investigation, the incident response team performed a root cause analysis to determine the factors contributing to the breach. Which of the following statements is true regarding root cause analysis?
It is unnecessary if an organization has a robust incident response plan in place. | It involves working backward from the immediate cause of an incident to determine the ultimate cause. | It is a quick and simple process completed in a single meeting. | It is only useful for identifying the technical factors that led to an incident, not the human or procedural factors.
It involves working backward from the immediate cause of an incident to determine the ultimate cause.
A security administrator has identified a critical vulnerability in a computer system. The security administrator knows that they can fix the vulnerability by applying a patch but are hesitant. What could be the possible inhibitor to vulnerability remediation in this scenario?
Business process interruption | Service-level objectives | Legacy system | Organizational governance
Legacy system
A cybersecurity analyst needs to recommend a solution to detect ongoing attacks involving unauthorized data transfers to rogue devices within the company's network. Which control would be the most effective in identifying such attacks?
Implementing a web content filtering system | Installing unauthorized devices on the network | Upgrading the company's firewall | Monitoring irregular peer-to-peer communication
Monitoring irregular peer-to-peer communication
A well-established technology company is overhauling its incident response and management processes. They tasked a cybersecurity analyst with identifying a framework that can help improve their security posture. The analyst recommends the Open Source Security Testing Methodology Manual (OSSTMM) framework. What benefits of OSSTMM should the analyst present? (Select the two best options.)
OSSTMM is a framework that focuses on assessing the maturity level of an organization's security practices. | OSSTMM is a framework that focuses on identifying and mitigating software vulnerabilities. | OSSTMM is a framework that focuses on identifying and analyzing the stages of a cyber attack. | OSSTMM is a framework that focuses on understanding the tactics, techniques, and procedures (TTPs) used by attackers during a cyber attack.
OSSTMM is a framework that focuses on assessing the maturity level of an organization's security practices. | OSSTMM is a framework that focuses on identifying and mitigating software vulnerabilities.
A security administrator wants to scan the company's network for vulnerabilities. Which of these scanners is an open-source software developed from the Nessus codebase?
Qualys | nmap | Tenable | OpenVAS
OpenVAS
Which of the following security control categories is primarily handled by people rather than systems?
Operational | Managerial | Technical | Preventative
Operational
A cybersecurity team at a large financial organization that uses various operating systems, applications, and hardware devices is responsible for configuring these systems securely to prevent potential security breaches. As part of their research, they came across a set of global data protection standards maintained by a consortium. What standards do they need to follow to prevent fraud and protect transactions?
PCI DSS | CSA STAR | CMMI | CIS Benchmarks
PCI DSS
A security analyst is investigating a recent incident where a web application experienced intermittent service interruptions. The analyst suspects that the interruptions are a network-related issue. Which network indicators should the analyst prioritize examining to determine the root cause of the service interruptions?
NetFlow data | Packet captures | Firewall logs | Application logs
Packet captures
A company's website allows users to upload files stored on the server for other users to download. An attacker uploads a specially crafted file that contains malicious code, and the server does not properly validate the file. As a result, when other users download the file, the malicious code gets executed on their system. What type of vulnerability does this situation describe?
SSRF | RCE | XSS | CSRF
RCE
An IT security analyst at a financial institution monitors the network for any signs of malicious activity. During a routine inspection, they noticed unauthorized software installed on one of the servers. This unauthorized software can lead to security vulnerabilities that cybercriminals could exploit. What should be the analyst's immediate response?
Install additional security software to protect the network from the unauthorized software | Shut down the server that has the unauthorized software installed on it | Investigate the source of the unauthorized software and report it to the appropriate personnel | Remove the unauthorized software and monitor the network for any unusual traffic
Remove the unauthorized software and monitor the network for any unusual traffic
A security consultant uses a software tool to perform security tests for an organization's cloud presence. Which tool will the consultant use in an attempt to gain a list of all virtual machine and storage container instances?
ScoutSuite | Nessus | OpenVAS | Arachni
ScoutSuite
A company was the victim of a severe cyber-attack and lost 50% of its customer base in the aftermath due to downtime. The incident response team was unable to prevent the attack since they failed to organize in advance and use the playbook. The CISO wants to streamline the company's cybersecurity processes and automate tasks to increase efficiency. Which cybersecurity tool or process can help the company achieve this goal?
Team coordination | Data enrichment | Security orchestration, automation and response (SOAR) | Repeatable/do not require human interaction
Security orchestration, automation and response (SOAR)
An organization uses multiple security tools to protect its network, including SIEM, IDS, and firewalls. However, they need help managing these tools separately and would like a way to view all security data comprehensively. What technology or concept would allow them to achieve this goal?
Webhooks | Single pane of glass | Plugins | Application programming interface (API)
Single pane of glass
A security analyst is using Burp Suite to analyze a web application's security. The analyst is running a vulnerability scan and notices that the scan has identified several injection vulnerabilities. Which Burp Suite feature can the analyst use to exploit these vulnerabilities?
Sniper | Repeater | Intruder | Decoder
Sniper
A security analyst is reviewing the results of a recent vulnerability scan on a company's web application. The analyst notices a pattern of suspicious user behavior and wants to determine if this behavior relates to a specific type of attack. Which attack methods should the analyst investigate to uncover the reason behind this suspicious behavior?
Obfuscated links | SQL injection | Cross-Site Scripting (XSS) | Social engineering
Social engineering
A security administrator creates an incident response plan for the organization. What are some common components of incident response planning that the security administrator should include in their plan? (Select the three best options.) Stakeholder identification and communication Timeline Executive summary Incident declaration and escalation
Stakeholder identification and communication Timeline Incident declaration and escalation
A network administrator is using Nmap to scan a target host for open ports. Which Nmap scan type is known for being a fast and stealthy technique? TCP SYN UDP scans Zed Attack Proxy TCP connect
TCP SYN
A cybersecurity analyst's team has recently implemented both the Diamond Model of Intrusion Analysis and the Open Source Security Testing Methodology Manual (OSSTMM) in their incident response process. One of the analyst's colleagues, who is less familiar with these frameworks, asks the analyst to explain their differences. Which statements accurately describe the difference between the Diamond Model of Intrusion Analysis and the OSSTMM? The Diamond Model of Intrusion Analysis focuses on the methodology for testing vulnerabilities while OSSTMM focuses on the stages of an attack. The Diamond Model of Intrusion Analysis focuses on the stages of an attack while OSSTMM focuses on the methodology for testing vulnerabilities. The Diamond Model of Intrusion Analysis and OSSTMM are essentially the same, with only minor differences in terminology and emphasis. The Diamond Model of Intrusion Analysis and OSSTMM are both o
The Diamond Model of Intrusion Analysis focuses on the stages of an attack while OSSTMM focuses on the methodology for testing vulnerabilities.
During an incident response, a security analyst identified a suspicious file on a workstation that may be related to a malware infection. The analyst needs to collect the file as evidence for further analysis. Which of the following is the analyst's critical step to preserve the digital evidence? The analyst must shut down the system. The analyst must log off the user account. The analyst must copy evidence to a USB drive. The analyst must maintain chain of custody.
The analyst must maintain chain of custody.
A security analyst who has discovered a data breach in an organization's network identified the source of the attack and now must remediate the issue. What is the best course of action for the analyst to take to remediate the issue? The analyst should patch the affected system to prevent the vulnerability from being exploited again. The analyst should restore the system from a backup taken prior to the attack. The analyst should immediately shut down the affected system to prevent further damage. The analyst should ignore the issue and hope that it doesn't happen again.
The analyst should patch the affected system to prevent the vulnerability from being exploited again.
A security analyst has identified a potential incident involving unauthorized access to an organization's database. What aspect of the incident should the analyst focus on when determining the scope of the incident? The type of access gained The location of the database The identity of the attacker The time when the access occurred
The type of access gained
A company was affected by a recent ransomware attack that impacted its critical systems. The incident response team is conducting a scope and impact analysis to determine the extent of the damage. They identify the affected systems, the encrypted data, and the potential impact on business operations. What would a scope and impact analysis provide for the company's incident response and management team? To educate employees on how to prevent and respond to cybersecurity incidents To develop a plan to restore the affected systems to their pre-incident state To determine the extent of the damage and identify affected systems and data To prevent future incidents by implementing security controls and measures
To determine the extent of the damage and identify affected systems and data
A malicious actor hacked a company's web application and stole sensitive data. The security team uses the Diamond Model of Intrusion Analysis and the Open Web Application Security Project (OWASP) Testing Guide to analyze the attack and identify any vulnerabilities in the application that the attacker may have exploited. What is the primary purpose of using both the Diamond Model of Intrusion Analysis and the OWASP Testing Guide in response to a security incident? To identify the root cause of the attack and prevent similar incidents in the future To determine the identity of the attacker and bring them to justice To determine the financial impact of the incident on the company To create a report on the incident to present to the company's executive leadership
To identify the root cause of the attack and prevent similar incidents in the future
A breach occurred in a company's customer database due to an insider threat. The incident response team has concluded its investigation and is moving on to the lessons learned phase. The team is meeting with staff to review the incident and its response. What is the purpose of this meeting? To assign blame for the incident To review current security policy To improve procedures for incident response To identify new security tools to prevent future incidents
To improve procedures for incident response
A company has just discovered a breach in its network and is conducting an investigation. They collected all relevant data and logs and are preparing to analyze them. The company implemented a legal hold for this data during the response. What is the purpose of this legal hold during the incident response? To prevent the accidental or intentional alteration or deletion of data that may be relevant to the investigation To prevent further compromise by shutting down all affected systems To conduct a vulnerability assessment of the affected systems To collect all system logs related to the breach
To prevent the accidental or intentional alteration or deletion of data that may be relevant to the investigation
A large retail company recently experienced a security breach that resulted in the theft of customer data. The company tasked the team with developing a playbook for responding to future security incidents and reviewing lessons learned from the recent breach. Why should the team develop a playbook? To provide a step-by-step guide for responding to security incidents and ensuring consistency in response efforts To review lessons learned and identify areas for improvement in the incident response plan To identify the attacker and gather forensic evidence To restore services and systems after a security incident
To provide a step-by-step guide for responding to security incidents and ensuring consistency in response efforts
A security analyst has just completed a vulnerability scan and identified several critical vulnerabilities that require immediate remediation. The report includes recommended mitigations, such as installing patches and reconfiguring settings. What is the purpose of these recommended mitigations? To identify previously unknown vulnerabilities To provide specific steps to address vulnerabilities To report on the security posture of the organization To identify trends and highlight potential problems
To provide specific steps to address vulnerabilities
A company has experienced a series of cyber attacks over the past few months, including phishing emails, malware infections, and ransomware attacks. The security team wants to implement a new system to monitor and identify potential vulnerabilities. What type of metric can help the company process and prioritize remediation efforts? Compliance reports Risk scores Mitigations Top 10 lists
Top 10 lists
An onion processing factory has asked a facility security officer to implement a system or procedure that will regulate personnel entrance to a facility. Which of the following is a suitable control for this situation? Bollards Turnstiles Chain link fence Account reviews
Turnstiles
A company implements a new security protocol that requires employees to use a two-factor authentication process to log into the system. However, one employee frequently forgets their password and shares it with colleagues. Which type of threat does this employee pose to the company's cybersecurity? Unintentional insider threat Supply chain Intentional insider threat Script kiddie
Unintentional insider threat