cyber Flashcards
A Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a security incident. Which of the following incident response processes is the CISO requesting?
Lessons Learned
A web server has been compromised due to a ransomware attack. Further investigation reveals the ransomware has been in the server for the past 72 hours. The systems administrator needs to get the services back up as soon as possible. Which of the following should the administrator use to restore services to a secure state?
The last incremental backup that was conducted 72 hours ago
Which of the following is the most effective control against zero day vulnerabilities?
Intrusion Prevention System
A Chief Information Security Officer has defined resiliency requirements for a new data center architecture. The requirements are as follows: - Critical fileshares will remain accessible during and after a natural disaster - Five percent of hard disks can fail at any given time without impacting the data. - Systems will be forced to shut down gracefully when battery levels are below 20%. Which of the following are required to best meet these requirements?
IaC, NAS, and RAID
A user wanted to catch up on some work over the weekend but had issues logging into the corporate network using a VPN. On Monday, the user opened a ticket for this issue but was able to log in successfully. Which of the following best describes the policy that is being implemented?
Geofencing
A routine audit of medical billing claims revealed that several claims were submitted without the subscribers' knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe?
Insider Threat
A security manager has tasked the security operations center with locating all web servers that respond to an unsecure protocol. Which of the following commands could an analyst run to find the requested servers?
nmap -p 80 10.10.10.0/24
Which of the following tools is effective in preventing a user from accessing unauthorized removable media?
USB data blocker
A security proposal was set up to track requests for remote access by creating a baseline of the user’s common sign-in properties. When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?
Context-aware authentication
Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement?
Implement proper network access restrictions
A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check first?
DNS
A company wants to improve end users' experiences when they log in to a trusted partner's website. The company does not want the users to be issued separate credentials for the partner website. Which of the following should be implemented to allow users to authenticate using their own credentials to log in to the trusted partner's website?
AAA server
An organization wants to participate in threat intelligence information sharing with peer groups. Which of the following would most likely meet the organization’s requirements?
Implement a TAXII server
Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to collect network traffic between workstations throughout the network. The analysts review the following logs: VLAN 1, Address 0007.1e5d.3213; VLAN 1, Address 002a.44.8801; VLAN 1, Address 0011.aab4.344d. The layer 2 address table has hundreds of entries similar to the ones above. Which of the following attacks has most likely occurred?
MAC flooding
A security analyst is evaluating the risks of authorizing multiple security solutions to collect data from the company’s cloud environment. Which of the following is an immediate consequence of these integrations?
Non-Compliance with data sovereignty
A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution. In order to restrict PHI documents, which of the following should be performed first?
Classification
Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?
Chain of custody
Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following: - All users share workstations throughout the day. - Endpoint protection was disabled on several workstations throughout the network. - Travel times on logins from the affected users are impossible. - Sensitive data is being uploaded to external sites. - All user account passwords were forced to be reset and the issue continued. Which of the following attacks is being used to compromise the user accounts?
Keylogger
Which of the following is the most relevant security check to be performed before embedding third party libraries in developed code?
Assesses existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers
A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst most likely use?
Calculate the checksum using a hashing algorithm
Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would best complete the engineer's assignment?
Replacing the traditional key with an RFID key
Which of the following can work as an authentication method and as an alerting mechanism for unauthorized access attempts?
Push notifications
Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would best meet this need?
Community
The board of directors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management practices does this best describe?
Transference
As a part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment?
User behavior analysis
Which of the following terms describes a broad range of information that is sensitive to a specific organization?
Proprietary
A company is moving its retail website to a public cloud provider. The company wants to tokenize credit card data but not allow the cloud provider to see the stored credit card information. Which of the following would best meet these objectives?
TLS
During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following best explains this reasoning?
The chain of custody form did not note time zone offsets between transportation regions
Which of the following best describes the process of documenting who has access to evidence?
Chain of custody
An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five-year cost of the insurance policy. The organization is enabling risk:
Transference
A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response without interrupting daily operations. Which of the following would best meet the company’s requirements?
Tabletop exercise
A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?
MFA
A chief security officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would best meet the requirements?
Snapshots
After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via clear text across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?
SSH
A security analyst is reviewing application logs to determine the source of a breach and locates the following log: https://www.comptia.com/login.php?id='20or%20'1'1'1'='1 Which of the following has been observed?
SQLi
Which of the following is an example of transference of risk?
Purchasing insurance
The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took much too long to resolve. This type of incident has become more common in recent weeks and is consuming a large amount of the analysts' time due to manual tasks being performed. Which of the following solutions should the SOC consider to best improve its response time?
Implement a SOAR with customizable playbooks
After returning from a conference, a user's laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop's motherboard. Which of the following attack vectors was exploited to install the hardware?
Removable Media
A company is receiving emails with links to phishing sites that look very similar to the company’s own website address and content. Which of the following is the best way for the company to mitigate this attack?
Generate a list of domains similar to the company’s own and implement a DNS sinkhole for each
A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application has been degraded. However, the internal network performance was not degraded. Which of the following most likely explains this behavior?
DDoS Attack
A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which of the following tools will the other team member most likely use to open this file?
Wireshark
Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
DLP
A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process best protect?
Data at rest
An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed properly and is a valid wildcard. This same certificate is installed on the other company servers without issue. Which of the following is the most likely reason for this finding?
The certificate is on the CRL and is no longer valid
An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?
MDM
Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?
AUP
A systems administrator is troubleshooting a server’s connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools best shows which ports on the web server are in a listening state?
netstat
A business operations manager is concerned that a PC that is critical to business operations will have a costly hardware failure soon. The manager is looking for options to continue business operations without incurring large costs. Which of the following would mitigate the manager’s concerns?
Perform a physical-to-virtual migration
A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by:
Only the company’s employees and those listed in the document
Which of the following control types is focused primarily on reducing risk before an incident occurs?
Preventive
A security analyst is working on a project to implement a solution that monitors network communications and provides alerts when abnormal behavior is detected. Which of the following is the security analyst most likely implementing?
User behavior analysis
A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The caller asks the technician to verify the network's internal firewall IP address. Which of the following is the technician's best course of action?
Request the caller send an email for identity verification and provide the requested information via email to the caller
Which of the following actions would be recommended to improve an incident response process?
Train the team to identify the difference between events and incidents
Which of the following uses SAML for authentication?
Federation
A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would best allow a security analyst to have this ability?
SIEM
A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement?
MFA
The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following is the best solution to implement?
USB data blocker
Which of the following is the best example of cost-effective physical control to enforce a USB removable media restriction policy?
Implementing a GPO that will restrict access to authorized USB removable media and regularly verifying that it is enforced.
A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user’s computer. Which of the following can be used to safely assess the file?
Check the hash of the installation file
Which of the following components can be used to consolidate and forward inbound internet traffic to multiple cloud environments through a single firewall?
Transit gateway
Which of the following would best provide a systems administrator with the ability to more efficiently identify systems and manage permissions and policies based on location, role, and service level?
Domain services
An organization has activated an incident response plan due to a malware outbreak on its network. The organization has brought in a forensics team that has identified an internet-facing Windows server as the likely point of initial compromise. The malware family that was detected is known to be distributed by manually logging on to servers and running the malicious code. Which of the following actions would be best to prevent reinfection from the infection vector?
Disable file sharing over port 445 to the server
A company acquired several other small companies. The company that acquired the others is transitioning network services to the cloud. The company wants to make sure that performance and security remain intact. Which of the following best meets both requirements?
Integration and auditing
An administrator needs to protect user passwords and has been advised to hash the passwords. Which of the following best describes what the administrator is being advised to do?
Perform mathematical operations on the passwords that will convert them into unique strings.
Which of the following is a reason to publish file hashes?
To validate the integrity of the files
An organization discovered files with proprietary financial data have been deleted. The files have been recovered from backup, but every time the chief financial officer logs in to the file server, the same files are deleted again. No other users are experiencing this issue. Which of the following types of malware is most likely causing this behavior?
Logic Bomb
A chief security officer is concerned that cloud-based services are not adequately protected from advanced threats and malware. The CSO believes there is a high risk that a data breach could occur in the near future due to the lack of detective and preventive controls. Which of the following should be implemented to best address the CSO's concerns? (Choose two.)
An NG-SWG and Segmentation
During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's next step to mitigate the issue?
Perform containment on the critical servers and resources
A security analyst has identified malware spreading through the corporate network and has activated the CSIRT. Which of the following should the analyst do next?
Attempt to quarantine all infected hosts to limit further spread
A cybersecurity administrator needs to implement a layer 7 security control on a network and block potential attacks. Which of the following can block an attack at layer 7? (Choose two.)
NIPS and WAF
A security engineer must deploy two wireless routers in an office suite. Other tenants in the office building should not be able to connect to this wireless network. Which of the following protocols should the engineer implement to ensure the strongest encryption?
WPA2
An annual information security assessment has revealed that several OS-level configurations are not in compliance due to outdated hardening standards the company is using. Which of the following would be best to use to update and reconfigure the OS-level security configurations?
CIS benchmarks
An analyst is reviewing logs associated with an attack. The logs indicated an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload. Which of the following attacks did the analyst observe?
Injection
After gaining access to a dual-homed (i.e. wired and wireless) multifunction device by exploiting a vulnerability in the device’s firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:
Pivoting
An attacker browses a company’s online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following best describes this social engineering technique?
Impersonation
A help desk technician receives an email from the chief information officer asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email?
Check the metadata in the email header of the received path in reverse order to follow the email’s path
Data exfiltration analysis indicates that an attacker managed to download system configuration notes from a web server. The web server logs have been deleted, but analysts have determined that the system configuration notes were stored in the database administrator's folder on the web server. Which of the following attacks explains what occurred? (Choose two.)
Directory traversal and Privilege escalation
Two hospitals merged into a single organization. The privacy officer requested a review of all records to ensure encryption was used during record storage, in compliance with regulations. During the review, the officer discovered that medical diagnosis codes and patient names were left unsecured. Which of the following types of data does this combination best represent?
Personally identifiable information
A security analyst is reviewing the vulnerability scan report for a web server following an incident. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the most likely cause?
Security patches were uninstalled due to user impact
A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company does not want to increase its on-premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the following solutions would best meet the needs of the company?
Hybrid environment
A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was most likely used to cause the data loss?
Logic Bomb
The chief information security officer has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be best for the third-party vendor to provide to the CISO?
SOC 2 Type 2 Report