CYSA+ Flashcards

1
Q

A cyber security consultant is examining security control classes for an Infrastructure as a Service (IaaS) provider. The classes measure how effectively assets are protected. Which security control class would the consultant examine to gain oversight of the information system?

a. technical
b. managerial
c. operational
d. detective

A

b. managerial

The managerial control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

2
Q

A mission-critical system is offline at an organization due to a zero-day attack. The associated software vendor plans to release a patch to remediate the vulnerability. Which of the following are important patch management considerations for this scenario? (Select the three best options.)

A. a patch test environment
B. speedy push delivery of critical security patches
C. a specific team responsible for reviewing vendor-supplied newsletters and security patch bulletins
D. a routine schedule for the rollout of noncritical patches

A

A, B, and C

3
Q

A support manager is giving essential security training to the help desk. Which control class is the support manager implementing?

a. operational
b. technical
c. detective
d. managerial

A

a. operational

Operational controls are primarily implemented and executed by people (as opposed to systems). For instance, security guards and training programs are examples of operational controls.

4
Q

An IT director reviews a cyber security audit and learns that an old accounting server is significantly out of compliance. Rather than attempting repairs, the director concludes that decommissioning the server is the safest course of action. What is the risk management principle the IT director is following?

a. risk acceptance
b. risk mitigation
c. risk avoidance
d. risk transference

A

c. risk avoidance

5
Q

An organization recently had an attack that resulted in system data loss. The system administrator must now restore the system with a data backup. What functional security control was the system administrator able to implement?

a. preventative
b. responsive
c. corrective
d. compensating

A

c. corrective

A good example of a corrective control is a backup system that can restore data that an attacker damages during an intrusion.

6
Q

A CEO of a small corporation has decided to continue using a legacy system despite security concerns. This is an example of which risk management principle?

a. risk acceptance
b. risk avoidance
c. risk mitigation
d. risk transference

A

a. risk acceptance

7
Q

A security engineer installs a next-generation firewall on the perimeter of a network. This installation is an example of what type of security control class?

a. managerial
b. operational
c. detective
d. technical

A

d. technical

8
Q

The legal affairs team of an international conglomerate elects to assign certain risks to a third party. Which risk management principle are they implementing?

a. risk acceptance
b. risk avoidance
c. risk mitigation
d. risk transference

A

d. risk transference

Risk transference (or sharing) means the company would assign risk to a third party, which they would typically accomplish through insurance policies. Insurance transfers financial risks to a third party.

9
Q

An engineer is considering appropriate risk responses using threat modeling. They are trying to understand which threat actors are in scope for their organization. How does threat modeling identify the principal risks and tactics, techniques, and procedures (TTPs) for which their system may be susceptible? (Select the three best options.)

a. by evaluating the system from an attacker’s point of view
b. by evaluating a system from a neutral perspective
c. through using tools such as diagrams
d. by analyzing the system from the defender’s perspective

A

A, C, and D

10
Q

A system administrator is performing patchwork on their organization’s system. The administrator realizes the maintenance window will close before they complete the patchwork. What action must the administrator take to abide by the change management policy?

a. rollback to the system’s previous state
b. rollout earlier patches
c. rollback to a system’s initial state
d. rollout system patches

A

a. rollback to the system’s previous state

11
Q

A system administrator is hardening a newly provisioned server with software patches and security updates. What functional security control is the system administrator performing?

a. detective
b. preventative
c. corrective
d. compensating

A

b. preventative

12
Q

A support team is preparing for an upcoming maintenance window. What tasks should the support team accomplish during the proactive maintenance windows? (Select the three best options.)

a. implement untested patches
b. restart devices
c. analyze events
d. restore critical services after a backup test

A

B, C, and D

13
Q

A security analyst reviews a firewall log’s source IP addresses to investigate an attack. These logs are a representation of what type of functional security control?

a. corrective
b. preventative
c. detective
d. compensating

A

c. detective

14
Q

A large corporation’s security operations center (SOC) team is processing a recent incident. The team refers to a playbook for guidance about the incident. What type of functional security control does the playbook represent?

a. corrective
b. preventative
c. responsive
d. compensating

A

c. responsive

Responsive controls serve to direct corrective actions enacted after the SOC team confirms the incident. The team often documents these actions in a playbook.

15
Q

A systems administrator runs a scan on an application server and finds several vulnerabilities. The issues are not severe, and patches are available in each instance. The administrator decided to install the available patches. What risk management principle did they demonstrate?

a. risk mitigation
b. risk acceptance
c. risk avoidance
d. risk transference

A

a. risk mitigation

16
Q

A cybersecurity analyst wants to collect indicators of compromise (IoCs) to identify, investigate, and mitigate threats. What are some examples of IoCs that the analyst will be collecting? (Select the three best options.)

a. expected configuration changes
b. odd network patterns
c. unusual account behaviors
d. unfamiliar new files

A

B, C, and D

17
Q

A geographically diverse group of hackers commit fraud against a small company for commercial gain. What type of threat actor committed this fraud?

a. organized crime
b. hacktivist
c. nation-state
d. insider threat

A

a. organized crime

18
Q

A security analyst is analyzing systems for potential misconfiguration. Misconfiguration hunting is an important focus area. What are some key items the analyst should search for while misconfiguration hunting? (Select the three best options.)

a. weak passwords
b. open ports
c. unpatched software
d. isolated networks

A

A, B, and C

19
Q

A security consultant is using the dark web as a source of defensive open-source intelligence (OSINT). Which of the following should the consultant be aware of when using the dark web? (Select the three best options.)

a. the dark web is protected by a single layer of encryption
b. the dark web serves as an operating platform for cybercrimes
c. threat actors leverage the dark web for criminal activities
d. the dark web can provide evidence of previously undiscovered breaches

A

B, C, and D

20
Q

A threat actor obtains and releases confidential information about a political candidate to the public domain. The information damages the person’s candidacy and helps the opposing party. These actions were likely performed by which type of threat actor?

a. insider threat
b. script kiddie
c. organized crime
d. hacktivist

A

d. hacktivist

21
Q

A security analyst is reviewing an announcement from the Cybersecurity and Infrastructure Security Agency. Which source of defensive open-source intelligence (OSINT) does the agency represent?

a. CERT
b. internal sources
c. government bulletins
d. CSIRT

A

c. government bulletins

22
Q

Agents from a sovereign region in North Africa perform a cyber attack against the energy infrastructure of a neighboring republic. What type of threat actor does this scenario illustrate?

a. insider threat
b. organized crime
c. hacktivist
d. nation-state

A

d. nation-state

Nation-state actors have participated in many attacks, particularly on energy and electoral systems. The goals of nation-state actors are primarily espionage and strategic advantage.

23
Q

An attacker is browsing social media accounts associated with a targeted organization. Why is the attacker using social media in this manner? (Select the three best options.)

a. attackers can use social media sites to find an organization's information
b. attackers can leverage social media as a vector to launch attacks against targets
c. attackers can use information from social media as a source of defensive OSINT
d. an attacker may find posts or user profiles that give away sensitive information

A

A, B, and D

24
Q

An attacker is planning to target a business-critical database for a large enterprise. What are some business-critical asset-hunting methods that security analysts use to protect systems? (Select the two best options.)

a. search for unauthorized access attempts
b. search for misconfigured systems
c. search for unusual traffic patterns
d. search for routine activity

A

A and C

Business-critical asset hunting involves searching for vulnerabilities and threats that could impact these assets.

25
Q

A large corporation has established a team specifically tasked with responding to routine, non-emergency security incidents. Which of the following terms best describes this team?

a. CERT
b. internal sources
c. CSIRT
d. government bulletins

A

c. CSIRT

A computer security incident response team (CSIRT) is a group responsible for responding to security incidents involving computer systems.

26
Q

Someone with a casual interest in hacking techniques launches a random attack against a widely known enterprise using tools readily available online. What type of threat actor is likely behind this attack?

a. insider threat
b. script kiddie
c. organized crime
d. hacktivist

A

b. script kiddie

27
Q

A computer emergency response team (CERT) is quickly reacting to an attack on the network infrastructure of a semiconductor manufacturer. What is true about a CERT? (Select the three best options.)

a. CERTs mitigate cybercrime
b. CERTs work with local law enforcement
c. CERTs provide knowledge of trending attacks
d. CERTs publish a wide variety of information concerning threats

A

A, B, and C

28
Q

A systems administrator is researching active defense approaches. The administrator decides to install a honeypot to lure attackers away from assets of actual value. What is true of a honeypot? (Select the three best options.)

a. honeypots seek to redirect malicious traffic away from live production systems
b. honeypots can provide an early warning regarding ongoing attacks
c. honeypots help collect intelligence on the attackers and their techniques
d. honeypots assist defensive teams in identifying and responding after an attack has taken place on critical systems

A

A, B, and C

29
Q

A systems administrator is searching for potential vulnerabilities in the network. Which threat-hunting focus area should the administrator examine, as attackers often exploit it through connected systems or physical access?

a. isolated networks
b. misconfigured systems
c. business-critical assets
d. lateral movements

A

a. isolated networks

Isolated networks, such as air-gapped networks or networks with limited connectivity to the internet, are often thought to be more secure. However, attackers can still target these networks by exploiting vulnerabilities in connected systems or through physical access.

30
Q

Which of the following are characteristics of an advanced persistent threat? (Select the three best options.)

a. remove evidence of the attack
b. target large organizations
c. spend little time gathering intelligence
d. develop highly specific exploits

A

A, B, and D

31
Q

A cloud architect advises an associate to consider a serverless platform for their new endeavor. What benefits would the architect highlight about a serverless platform? (Select the two best options.)

a. serverless platforms require the management of physical or virtual server instances
b. there are considerable management demands for file system security monitoring
c. there is no requirement to provision multiple servers for redundancy or load balancing
d. the service provider manages the underlying architecture

A

C and D

32
Q

A security analyst needs a data loss prevention (DLP) solution to prevent users from transferring data without authorization. What components typically make up DLP solutions? (Select the three best options.)

a. policy servers
b. USB devices
c. endpoint agents
d. network agents

A

A, C, and D

33
Q

What computing environment can an administrator use to install multiple independent operating systems on a single hardware platform and run them simultaneously?

a. container
b. serverless computing
c. microservices
d. virtualization

A

d. virtualization

34
Q

A systems administrator is setting up single sign-on (SSO) for a company. What are some of the primary benefits of SSO to an organization? (Select the two best options.)

a. SSO allows users to access multiple resources using only a single set of credentials
b. SSO allows users to access multiple websites using only a single set of credentials
c. SSO dramatically reduces usability
d. SSO eliminates the risk of breached credentials

A

A and B

35
Q

A cloud consultant is investigating cloud deployment types for a client. The client requires both onsite and offsite infrastructure. Which of the following deployment types should the consultant recommend to their client?

a. public
b. hybrid
c. microservices
d. private

A

b. hybrid

36
Q

An engineer is studying the hardware architecture of a company’s various systems. The engineer can find the x86 architecture in which of the following items? (Select the three best options.)

a. desktops
b. ARM-based tablets
c. laptops
d. servers

A

A, C, and D

Advanced RISC Machines (ARM) and x86 are common architectures. The x86 architecture dominates desktops, laptops, and server computers, while the ARM architecture dominates smartphones, tablets, and single-board computers.

37
Q

Data loss prevention (DLP) systems detect and prevent users from storing information on unauthorized systems or transmitting information over unauthorized networks. Which of the following are examples of DLP systems an organization can set for users? (Select the three best options.)

a. enforce the use of external media
b. implement clipboard privacy controls
c. use print blocking
d. restrict virtual desktop infrastructure (VDI) implementation

A

B, C, and D

38
Q

After provisioning a server, a support technician conducts system hardening. Why is system hardening such a vital practice? (Select the three best options.)

a. system hardening eliminates monitoring software
b. system hardening reduces the attack surface of a system
c. system hardening includes disabling unnecessary services
d. system hardening involves patching the operating system

A

B, C, and D

39
Q

A support manager is deploying multifactor authentication (MFA) in a corporate office. What is true of MFA? (Select the three best options.)

a. using at least two of the three factors of authentication is called multifactor authentication (MFA)
b. MFA can use multiple authentication factors combined with authentication attributes
c. when using MFA, abusing authentication becomes far more simplified
d. with MFA in place, a username and password can be breached but are unusable without the additional factor

A

A, B, and D

40
Q

A systems administrator is developing a plan for deploying Zero Trust architecture throughout the enterprise. What components of Zero Trust architecture should the administrator consider essential? (Select the three best options.)

a. increased granularity
b. network and endpoint security
c. identity and access management (IAM)
d. network segmentation

A

B, C, and D

41
Q

A security engineer wants to implement Zero Trust architecture at their workplace. What key benefits would the engineer mention to their company for using a Zero Trust architecture? (Select the three best options.)

a. greater security
b. better access controls
c. improved governance and compliance
d. decreased granularity

A

A, B, and C

42
Q

A support technician examines the Windows registry for a host on a local area network (LAN). The technician uses which subkey to find username information for accounts used on a computer?

a. SAM
b. SECURITY
c. DEFAULT
d. SYSTEM

A

a. SAM

The Windows registry is a database for storing operating system, device, and software application configuration information. The support technician can use the Security Accounts Manager (SAM), which stores username information for accounts on the current computer.

43
Q

A systems administrator installs a syslog server to capture and report events for wireless infrastructure. Following a requirement from the Chief Information Officer (CIO), recorded logging levels should include a status if an access point is unusable and if any immediate action is required. Which logging levels does the administrator evaluate and configure? (Select the two best options.)

a. 2-critical
b. 4-warning
c. 0-emergency
d. 1-alert

A

C and D

44
Q

A network engineer wants to simplify network and security services. How could Secure Access Service Edge (SASE) help to simplify these services for the engineer?

a. it combines network and security functions into a single cloud-hosted service
b. it requires dedicated hardware
c. it offers elementary features
d. it blocks the remote management of networks and systems

A

a. it combines network and security functions into a single cloud-hosted service

Secure Access Service Edge (SASE) aims to simplify the complexity of managing multiple network and security services by combining networking and security functions into a single cloud-hosted service.

45
Q

A system technician reviews system logs from various devices and notices discrepancies between recorded events. The events between the systems are not synchronizing in the correct order. Which configuration should the technician analyze and adjust to ensure proper and accurate logging? (Select the two best options.)

a. NTP
b. GPS
c. PKI
d. SSL

A

A and B

46
Q

An organization looks to utilize an approach with minimal human engagement in security scanning and reporting. What actions does the organization put in place to achieve this goal? (Select the three best options.)

a. effective communication
b. trigger actions
c. application integration
d. data enrichment

A

B, C, and D

47
Q

A new software development organization looks to provide a security solution for an existing security product. In doing so, developers at the organization utilize which technology from the existing product’s toolkit to provide an integrated solution?

a. SOAR
b. SOC
c. SIEM
d. API

A

d. API

An application programming interface (API) is a set of functions and procedures that allow two or more applications to integrate. Developers can use the existing product’s toolkit for integration.

48
Q

An organization looks to strengthen team coordination in a security operations center (SOC) without needing to rely on self-operating support. In doing so, which policies should management implement for team members to achieve this goal? (Select the three best options.)

a. information sharing
b. streamlined automation
c. communication protocols
d. effective collaboration

A

A, C, and D

49
Q

The success of a data security program at an organization relies on which factors from personnel within a security operations center (SOC)? (Select the two best options.)

a. effective collaboration
b. diverse threat feeds
c. automation accuracy
d. information sharing

A

A and D

50
Q

An automation engineer utilizes an application programming interface (API) to enable communications between software applications. The engineer configures systems this way to minimize which management approach?

a. extended functionality
b. information relevancy
c. trigger actions
d. human engagement

A

d. human engagement

51
Q

To improve security posture, an organization gathers information from varying sources to gain a larger picture of the threat landscape. What general approach is the organization implementing to achieve this level of reporting?

a. effective collaboration
b. automated trigger actions
c. threat feed combination
d. human engagement

A

c. threat feed combination

52
Q

A group of security engineers looks to achieve high data enrichment while compiling threat information for review. Which solution will the engineers apply to achieve this goal?

a. using different data sources
b. using automation
c. identifying threat areas
d. improving accuracy

A

a. using different data sources

Data enrichment is the process of analyzing data from different sources to better understand the threat landscape. Using different sources for high data enrichment is essential to providing a well-rounded view of threat information.

53
Q

An engineer wants to automate threat response mechanisms by leveraging a solution that can act on threat-related events. Which solution does the engineer implement?

a. API
b. SOAR
c. SOC
d. SIEM

A

b. SOAR

Security orchestration, automation, and response (SOAR) uses technology to automate acting upon security threats. The engineer uses a SOAR approach to meet the specified goal.

54
Q

An engineer enables a lightweight data sharing technology for trigger-based message sharing between security software applications. What automation feature does the engineer implement?

a. add-ons
b. APIs
c. webhooks
d. plugins

A

c. webhooks

The engineer will utilize webhooks in an automated messaging solution. They will implement webhooks to send automated messages from applications to other applications when certain events occur.

55
Q

A security engineer suggests using a single pane of glass approach while monitoring a server farm and delegates the orchestration to several server administrators. To utilize this approach, the server administrators apply which solution?

a. a series of automated messages configured as webhooks
b. a customized and unified graphical user interface
c. a set of functions within an API procedure
d. application add-ons that help to tailor a software package

A

b. a customized and unified graphical user interface

56
Q

A local city council tasked its Information Technology (IT) department to implement an international-scale cybersecurity framework. The requirement is coming from their cyber security insurance vendor. The vendor warned that this set of frameworks is not freely available. Which industry framework should the IT department investigate?

a. CIS
b. PCI DSS
c. OWASP
d. ISO

A

d. ISO

The International Organization for Standardization (ISO) manages and publishes a cybersecurity framework called ISO 27k. Obtaining the ISO 27001 standard is not free of charge.

57
Q

A boutique crafts company would like to set up a new eCommerce website. They are checking out vendors who have put a high level of detail into their security practices and implementation. They want to test a specific vendor's system to verify that it is not vulnerable to malicious actors injecting malformed data into the checkout process. Which kind of scan or test can the company run with permission?

a. baseline scan
b. map scan
c. fuzzing
d. internal scan

A

c. fuzzing

Fuzzing is an unknown environment testing method using specialty software tools designed to identify problems and issues with an application by injecting malformed data into it.

58
Q

A defense contractor discovered that a competitor duplicated some of their products. While the contractor is afraid of losing revenue, the more significant concern is how the competitor was able to duplicate the product. What term describes how this situation occurred?

a. reverse engineering
b. internal scan
c. fuzzing
d. external scan

A

a. reverse engineering

59
Q

The Security Operations (SecOps) team completed a rollout of a next-generation antivirus solution that will better protect the company from known viruses and provide heuristic scanning for unknown viruses. After the implementation, the team received a flood of tickets complaining about computer sluggishness. What did the SecOps team fail to consider with the new antivirus and its effects on potential settings?

a. segmentation
b. sensitivity levels
c. performance
d. operations

A

c. performance

60
Q

Recent industry reports are pushing a data analytics company to implement better vulnerability scanning to prevent improper access and distribution of intellectual property. What should the company take into account when running the next scan to ensure proper classification of the data?

a. scheduling
b. host performance
c. sensitivity levels
d. segmentation

A

c. sensitivity levels

The data inventory describes the data in terms of what it contains, such as its classification and sensitivity. Having a clear view of data is the first step in protecting it.

61
Q

A helpdesk technician receives a ticket regarding a badging system crash after a recent after-hours vulnerability scan. The helpdesk team discovers that a specific service on the system was incompatible with the software that ran the scan. What special considerations should the team take into account when choosing the specific software to avoid this situation?

a. segmentation
b. operations
c. scheduling
d. sensitivity levels

A

b. operations

Vulnerability scanning can, unfortunately, cause operational problems, such as negatively impacting a system’s performance or causing services to crash.

Segmentation has performance and security benefits. Segmentation would be useful as a remediation technique.

Scheduling vulnerability scans is essential to maintaining a secure environment and is often required to maintain regulatory compliance. Scheduling scans will need to take into account negative impacts on operations.

62
Q

An implementation consultant is completing a project for a client implementing Microsoft Intune. Part of that mobile device management platform project is the requirement to implement baseline benchmarks for device policy. Which organization defines the best practice approaches to patching and hardening?

a. OWASP
b. ISO
c. CIS
d. PCI DSS

A

c. CIS

63
Q

A Chief Investment Officer (CIO) wants to compare their policies and practices to industry best practices. Which kind of scan can help the CIO understand what gaps they have?

a. map scan
b. fuzzing
c. baseline scan
d. internal scan

A

c. baseline scan

64
Q

During a morning standup meeting, the network operations manager reported a large spike in traffic that spawned dozens of end-user tickets. These tickets stated that the company shared drives were inaccessible. The security operations manager confirmed that the security team was running a vulnerability scan during that time. What should the security team consider when running a vulnerability scan?

a. sensitivity levels
b. scheduling
c. segmentation
d. host performance

A

b. scheduling

65
Q

A large multinational bank completed an upgrade of its device management, security practices, and user training. The next step in their project is to hire a third-party penetration testing company to attempt to breach their systems. The bank wants the vendor to approach it from the outside. What kind of penetration testing should the vendor conduct?

a. external scan
b. internal scan
c. map scan
d. baseline scan

A

a. external scan

66
Q

A small vendor is working to sell their point-of-sale register product to a large pharmacy chain. Before the vendor can complete the sale, they must attest to their controls designed to prevent fraud and protect consumer financial data. Which industry framework should the vendor adopt in product planning and implementation?

a. ISO
b. PCI DSS
c. CIS
d. OWASP

A

b. PCI DSS

Payment Card Industry Data Security Standard (PCI DSS) is a global data protection standard established and maintained by a consortium of payment card companies. PCI DSS identifies controls designed to prevent fraud and protect credit and debit card data.

67
Q

A financial firm recently introduced a new email service for its employees. One of the main reasons for the new service was that the cloud provider has integrated tools that better control security and are tailored specifically for their industry. Why would this feature reduce the overall risk for the financial firm?

a. it allows the firm to meet regulatory requirements
b. it allows the firm to cut costs
c. it allows the firm to get building insurance
d. it allows the firm to increase costs to cut taxable income

A

a. it allows the firm to meet regulatory requirements

68
Q

A security engineer is looking to improve the security posture of their organization. One of the issues the security engineer finds is that they need to know what devices are on the network. What kind of scan can help the engineer get visibility into what is on the network?

a. baseline scan
b. external scan
c. fuzzing
d. map scan

A

d. map scan

69
Q

A company has set up various virtual local area networks (VLANs) to protect access to sensitive data. The Security Operations (SecOps) team finished a recent vulnerability scan and found no issues. The Chief Information Security Officer (CISO) followed up with the SecOps team to see if they considered all VLANs during the scan. The CISO is thinking about what special consideration?

a. segmentation
b. sensitivity levels
c. scheduling
d. host performance

A

a. segmentation

70
Q

A security engineer is improving their company’s security posture. During that process, they are looking to implement an industry-grade framework. The engineer is looking for one known for its practical information about web application security. Which organization best fits this need and description?

a. OWASP
b. CIS
c. PCI DSS
d. ISO

A

a. OWASP

The Open Web Application Security Project (OWASP) is a nonprofit foundation. OWASP is an international organization that provides unbiased, practical information about application security.

71
Q

A systems administrator in charge of the company’s vulnerability scanning software signs in and reviews alerts. The administrator notices an alert showing that vulnerable software is present on an endpoint. However, closer inspection reveals that the software is not actually installed. What type of scan result would the alert be classified as?

a. false negative
b. false positive
c. true positive
d. true negative

A

b. false positive

72
Q

A company hired a forensics team to determine how their systems got infected with a crypto locker virus. The team concluded that an employee opened a malicious attachment that installed a trojan virus, leading to the crypto locker virus taking over the network. Which Common Vulnerability Scoring System (CVSS) base metric would this affect?

a. scope
b. user interaction
c. attack vector
d. integrity

A

b. user interaction

User interaction revolves around whether an exploit of the vulnerability depends on some local user action, such as executing a file attachment.

73
Q

A defense contractor has taken all their machines offline due to an ‘unpatchable’ vulnerability in the embedded Unified Extensible Firmware Interface (UEFI) boot subsystem. Due to the extremely sensitive data on their systems, the contractor cannot have their machines breached. What describes this kind of vulnerability?

a. high asset value
b. low asset value
c. false positive
d. true negative

A

a. high asset value

74
Q

A security operations center is responding to an alert that a team member found a USB thumb drive connected to a computer. The company has a policy that prohibits the use of USB thumb drives on the company’s computers. What is this policy referencing in regard to the Common Vulnerability Scoring System (CVSS)?

a. user interaction
b. attack vectors
c. scope
d. availability

A

b. attack vectors

75
Q

A security engineer reviews a company’s attack surface and finds that, because of a discovered vulnerability, the entire company is exposed to exploitation. However, the exploit must use administrator credentials. What is a potential reason the engineer wouldn’t have to patch immediately?

a. employee user accounts have limited access to change things on their devices
b. employee user accounts have full access to change things on their devices
c. non-IT employees know not to use the IT administrator credentials
d. the computers are not available

A

a. employee user accounts have limited access to change things on their devices

76
Q

A video production company has a server farm with graphics cards that allow the company to render computer-generated imagery. Although the servers do not currently store any data and are not expensive, the company wants to ensure the security of its equipment. What is a compelling reason why the company should be proactive in preventing server vulnerabilities?

a. exploitability
b. low asset value
c. high asset value
d. save power consumption

A

a. exploitability

77
Q

The use of USBs for malicious purposes would affect which metric on the Common Vulnerability Scoring System (CVSS)?

a. user interaction
b. availability
c. scope
d. attack vectors

A

d. attack vectors

78
Q

A security engineer is demoing new antivirus software. The engineer installed a standardized imitation virus to see if the new software would catch it. The engineer found that the old antivirus software did not detect it, but the new one did. What is happening with the old antivirus software?

a. false positive
b. true positive
c. false negative
d. true negative

A

c. false negative

The software did not detect the virus, resulting in a false negative. A false negative occurs when a vulnerability scan incorrectly identifies that a vulnerability does not exist.

79
Q

When associating CVSS with the Risk Rating Framework, which scenario is considered a true statement?

a. If an attack is unlikely to occur but would cause critical impact, the overall risk rating would be considered moderate.
b. If an attack is imminent but will have a somewhat effective impact on the organization’s operation, the overall risk rating would be considered low.
c. If an attack is likely to occur and would cause a critical impact to the company, the overall risk rating would be considered high or critical/severe.
d. If an attack is likely and could cause mediocre impacts to the company, the overall risk rating would be considered low.

A

c. If an attack is likely to occur and would cause a critical impact to the company, the overall risk rating would be considered high or critical/severe.

When both the likelihood and impact are high (likely to occur and critical impact), this typically results in a high or critical/severe risk rating. This reflects the gravity and potential consequences of the risk in question.

80
Q

A company is forced to disable the pre-boot management engine on all of its computers due to a flaw with no available patch, making the vulnerability exploitable. Which type of vulnerability does this describe?

a. false positive
b. false negative
c. low value
d. zero-day

A

d. zero-day

A zero-day vulnerability represents an exploitable vulnerability with no available patch. This vulnerability often goes undetected. Infecting the pre-boot management engine can create a potentially unpatchable attack vector for a malicious actor.

81
Q

Despite recovering from a crypto locker virus a year ago, a small investment firm finds itself the target of a new attack. In this instance, the attacker gains access through a desktop computer that had been scheduled for removal after reaching end-of-support over a year ago. What type of exposure does the firm see in this instance?

a. risk score
b. mitigation
c. prioritization
d. vulnerabilities

A

d. vulnerabilities

82
Q

A company recently hired a new Chief Information Security Officer (CISO) to help improve the company’s security posture. This decision occurred after the company ran into the issue of siloed teams not working together to protect the security of their systems. What is the CISO’s most important responsibility in this situation?

a. awareness training
b. configuration mgmt
c. patching
d. changing business requirements

A

d. changing business requirements

83
Q

A security engineer is looking to improve the security of their email system and identify vulnerabilities that require immediate attention. The system has a built-in reporting mechanism that shows what they can do to improve overall security and lists suggested fixes with percentages indicating their importance. What component of vulnerability reporting does this relate to?

a. risk score
b. prioritization
c. vulnerabilities
d. mitigation

A

a. risk score

84
Q

A small information technology department is trying to reorganize and prioritize future projects. Senior management in the company now requires metrics to determine whether a project is worth implementing. What can the department use to benchmark its operations?

a. risk scores
b. configuration mgmt
c. mitigation
d. service-level objectives

A

d. service-level objectives

85
Q

To maintain a consistent, compliant, and secure state across systems in line with a new policy, which control should a systems administrator primarily focus on?

a. patching
b. compensating controls
c. awareness training
d. configuration mgmt

A

d. configuration mgmt

86
Q

A large information technology department is preparing for an audit by their cyber security insurance company. While reviewing some vulnerability reports in their security information and event management (SIEM) tool, the department found critical vulnerabilities and steps to resolve them. In this type of report, what does this finding represent?

a. risk score
b. prioritization
c. mitigation
d. vulnerabilities

A

c. mitigation

Detailed vulnerability reports include recommended mitigations, such as identifying a patch or describing a workaround. These mitigations from the security information and event management tool can help better secure a company’s equipment.

87
Q

A security engineer is looking to improve the security of their email system. The system has a built-in reporting mechanism that rates the current setup. What component of vulnerability reporting does this feature relate to?

a. prioritization
b. mitigation
c. vulnerabilities
d. risk score

A

d. risk score

88
Q

A project manager oversees a new device management system deployment with the added benefit of keeping devices current. What type of action would this system allow the company to accomplish?

a. patching
b. compensating controls
c. awareness training
d. changing business requirements

A

a. patching

89
Q

Given the recent adoption of new National Institute of Standards and Technology (NIST) guidelines, a company plans to adjust its policies to provide protection when circumstances prevent the use of primary security measures. Which provides this type of protection to the company?

a. patching
b. compensating controls
c. configuration mgmt
d. awareness training

A

b. compensating controls

Many organizations use complicated and highly integrated systems that are extremely difficult to change, upgrade, and maintain. Compensating controls provide protection when circumstances prevent the use of primary security measures.

90
Q

An employee received an email impersonating the owner of the company. The employee followed the email’s request and bought gift cards without verifying the legitimacy of the email. Due to this issue, the company decides to implement a new policy to mitigate this risk. What policy should the company implement?

a. compensating controls
b. patching
c. awareness training
d. configuration mgmt

A

c. awareness training

91
Q

Legacy system constraints prevent the modification of a financial organization’s critical application. However, the application does not meet a specific security requirement outlined in the organization’s security policy. Which of the following should the organization implement to address the security requirement without modifying the application?

a. preventative
b. detective
c. compensating
d. corrective

A

c. compensating

92
Q

For a criminal case, a company places the hard drives in an antistatic bag to ensure the safety of the data during transfer to the authorities. What is the purpose of the antistatic bag?

A. Data preservation
B. Data validation
C. Chain of custody
D. Data analysis

A

a. data preservation

93
Q

An employee believes someone breached their computer and leaked their sensitive financial information. What should a responding security team do to verify the claim’s veracity?

A. Collect evidence
B. Determine the scope
C. Set up a timeline
D. Respond to recommendations

A

a. collect evidence

94
Q

A password management software company had a data breach. The company released a statement detailing how and when the attack happened chronologically. What describes the process they completed prior to releasing the statement?

A. Set up a timeline
B. Incident declaration
C. Respond to recommendations
D. Determine the scope

A

a. set up a timeline

95
Q

A rapidly growing tech startup faces potential cybersecurity threats due to its expanding user base. The CTO, alarmed by this, recognizes the importance of an incident response plan to safeguard the company’s reputation and assets. Considering the heightened risks, which action should the tech startup prioritize to address potential security incidents?

A. Focus only on post-incident analysis.

B. Document potential breaches without containment.

C. Directly proceed with detection without prior preparation.

D. Harden systems and set up confidential communication lines.

A

d. harden systems and set up confidential communication lines

96
Q

After doing a forensics audit of malicious activity by a former employee, a company is looking to protect against potential liability. What process should the company follow to protect any evidence?

A. Data validation
B. Chain of custody
C. Legal hold
D. Data analysis

A

b. chain of custody

97
Q

A company suspects a former employee of damaging company information. The company hires a forensics company to investigate. Which of the following steps should be the forensics vendor’s first priority to ensure the integrity of the information during the investigation?

A. Data validation
B. Legal hold
C. Data analysis
D. Data preservation

A

b. legal hold

The first priority should be to enact a legal hold, which involves the preservation of all relevant data and information related to the case. A legal hold is a communication issued as a result of current or anticipated litigation, audit, government investigation, or other such matter that suspends the normal disposal or processing of records.

98
Q

An employee is leaving a company. Due to their position within the business, the company needs to retain emails for seven years to maintain regulatory compliance. What should the company enable on the email?

A. Data validation
B. Data preservation
C. Legal hold
D. Data analysis

A

c. legal hold

A legal hold, or litigation hold, describes the notification received by an organization’s legal team instructing them to preserve electronically stored information (ESI).

99
Q

A security incident response contractor is investigating a data breach for a client. After analyzing the breach, the contractor reports that only basic information, such as usernames and email addresses, was leaked. What does this investigation help the client do?

A. Set up a timeline
B. Incident declaration
C. Respond to recommendations
D. Determine the scope

A

d. determine the scope

Organizations use risk analysis and impact assessments to measure the scope of identified incidents in the organization.

100
Q

A small retailer had its customers’ credit card information breached. The retailer contracted a third party to help determine the scope of the breach. The contractor came back with a list of changes to make. What describes what the contractor gave them?

A. Recommendations
B. Incident declaration
C. Timeline
D. Scope

A

a. recommendations

101
Q

A security engineer is trying to manage all the security logs the company collects from its various tools and services. The security engineer implements a security information and event management (SIEM) tool to accomplish this. What feature of the SIEM tool is the engineer trying to take advantage of?

A. Data analysis
B. Data validation
C. Legal hold
D. Data preservation

A

a. data analysis

102
Q

A medical facility is responding to a recent breach of patient data. An employee was transporting an encrypted data backup to an offsite storage facility when someone broke into their car. Even though the thief did not steal the data, the company feared compliance repercussions. Who should the company contact to avoid these repercussions?

A. Customers
B. Public Relations Department
C. Law enforcement
D. Regulators

A

d. regulators

The requirements for different types of breaches are found in the regulatory requirements and often include relevant regulatory bodies. In this scenario, the relevant regulation is the Health Insurance Portability and Accountability Act (HIPAA).

103
Q

A company is trying to determine how to handle the fallout of an executive who was arrested for embezzlement. Even though their customers’ money is secure, they want to ensure there is not a run on the bank for withdrawals. Who should they work with to release details to the public?

A. Law enforcement
B. Media
C. Regulators
D. Legal

A

b. media

The media can make or break a company’s reputation during an incident response. Staying ahead of salacious rumors can help mitigate the risk of damaging a reputation.

104
Q

An executive from a large multinational bank had their work laptop stolen from their luggage while flying back from a business trip. Due to the sensitive nature of their work, who should they work with to try to get the stolen laptop back?

A. Regulators
B. Law enforcement
C. Customers
D. Legal

A

b. law enforcement

105
Q

Upon identifying that HIPAA data was shared with the wrong patients, a medical facility elects to work with regulators to mitigate future risks. Who should the facility work with when preparing or speaking with the regulators?

A. Law enforcement
B. Regulators
C. Customers
D. Legal

A

d. legal

106
Q

A small construction company had an inaccessible server for several days. Upon resolution of the access issue, the owner requested an investigation into how it was possible and the problem’s underlying cause. Which kind of report is the owner requesting?

A. Root cause analysis
B. Law enforcement report
C. Lessons learned
D. Regulatory reporting

A

a. root cause analysis

107
Q

After a large retailer resolved an incident regarding its credit card processing service being down, management wanted a report describing what happened and identifying what changes will help mitigate future incidents. What kind of report can a company prepare that fulfills this need?

A. Lessons learned
B. Regulatory reporting
C. Forensic analysis
D. Law enforcement report

A

a. lessons learned

108
Q

A small construction company investigated its server outage and found that an employee purposely disabled it. The company wants to investigate the server further to determine if the outage caused any losses. What kind of analysis can the company conduct?

A. Root cause analysis
B. Forensic
C. Lessons learned
D. Regulatory

A

b. forensic

109
Q

An employee was transporting an encrypted data backup to an offsite storage facility when a thief broke into the employee’s car and stole the data. To whom should the employee report the incident first?

A. Customers
B. Regulators
C. Law enforcement
D. Legal

A

c. law enforcement

110
Q

After a company resolved an incident, the management wanted a report describing what happened to identify what changes would help mitigate future incidents. What kind of report can a company prepare that fulfills this need?

A. Regulatory reporting
B. Lessons learned
C. Law enforcement report
D. Forensic analysis

A

b. lessons learned

111
Q

A small business had inaccessible internet for several hours. Upon resolution of the situation, the owner requested an investigation into how the situation was possible and what the underlying cause of the problem was. Which kind of report is the owner requesting from the investigators?

A. Root cause analysis
B. Regulatory reporting
C. Law enforcement
D. Lessons learned

A

a. root cause analysis

112
Q

A security analyst at a large organization is investigating a recent cyber attack. The analyst wants to use a model for analyzing the attack and understanding the different stages of the attack. A co-worker suggests the model developed by Lockheed Martin. Which of the following models was developed by that organization?

A. Cyber kill chain
B. Diamond model
C. National Institute of Standards and Technology (NIST)
D. MITRE ATT&CK

A

a. cyber kill chain

The cyber kill chain is a model developed by Lockheed Martin that describes the stages by which a threat actor progresses to a network intrusion.

113
Q

A network administrator at a small business is concerned about the increasing number of phishing attacks that are targeting the organization’s employees. The administrator wants to implement a solution to help protect the organization from these types of attacks. Which of the following solutions would be the most appropriate for the network administrator to use in this scenario?

A. Sender Policy Framework (SPF)
B. Domain-based Message Authentication, Reporting, and Conformance (DMARC)
C. DomainKeys Identified Mail (DKIM)
D. Transport Layer Security (TLS)

A

b. DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a robust solution for protecting against phishing attacks. It builds on Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to provide a complete solution for preventing email spoofing.

114
Q

A security analyst is responsible for detecting and responding to security incidents in the organization. The security analyst has decided to implement a security orchestration, automation, and response (SOAR) platform. What is the primary purpose of using a SOAR platform in this scenario?

A. To automate incident responses
B. To provide real-time threat intelligence to security teams
C. To store and manage security-related data
D. To monitor and control access to sensitive information

A

a. to automate incident response

115
Q

A network administrator at a large business is performing a security assessment of the company’s network infrastructure. The administrator must determine the most appropriate framework for conducting a comprehensive security assessment. Which of the following frameworks would be the most appropriate for the network administrator?

A. National Institute of Standards and Technology (NIST) Cybersecurity Framework
B. Federal Information Security Management Act (FISMA)
C. Open Source Security Testing Methodology Manual (OSSTMM)
D. International Organization for Standardization (ISO) 27001/27002

A

c. Open Source Security Testing Methodology Manual (OSSTMM)

Open Source Security Testing Methodology Manual (OSSTMM) is a comprehensive methodology for conducting a security assessment of a network infrastructure.

116
Q

A network administrator has received reports of intermittent connectivity issues. To diagnose the problem, the network administrator has decided to use tcpdump. Which of the following are the primary functionalities of using tcpdump in this scenario? (Select the two best options.)

A. To monitor network performance
B. To capture and analyze network packets for troubleshooting purposes
C. To detect and prevent malicious activity on the network
D. To implement network-based firewall rules

A

a. to monitor network performance
b. to capture and analyze network packets for troubleshooting purposes

117
Q

An e-commerce company has recently experienced a series of phishing attacks targeting its employees. The company tasks the security team with implementing a solution to prevent email spoofing and protect against future phishing attempts. Which of the following technologies would be the most effective at achieving this goal?

A. Two-factor authentication
B. DNS-based Authentication of Named Entities (DANE)
C. Sender Policy Framework (SPF)
D. Public key infrastructure (PKI)

A

c. sender policy framework (SPF)

118
Q

A security analyst has received a suspicious email that appears to be from a recognized address. The analyst needs to determine if the email is legitimate or not. Which of the following email analysis methods would be the most appropriate for the security analyst to use in this scenario?

A. Email Header Analysis
B. Link and Attachment Analysis
C. Sender Reputation Verification
D. Analysis of Domain-based Message Authentication (DMARC)

A

d. analysis of domain-based message authentication (DMARC)

119
Q

A security analyst at a large organization is investigating a recent cyber attack. The analyst needs to determine the most appropriate framework for analyzing the attacker’s tactics, techniques, and procedures (TTPs). Which of the following frameworks would be the most appropriate for the security analyst to use?

A. Cyber kill chain
B. MITRE ATT&CK
C. SANS
D. National Institute of Standards and Technology (NIST)

A

b. MITRE ATT&CK

MITRE ATT&CK is a comprehensive framework for analyzing and understanding the tactics, techniques, and procedures (TTPs) used by attackers in cyber attacks.

120
Q

A security analyst in a large organization is concerned about potential security incidents. To enhance the endpoint security strategy, an endpoint detection and response (EDR) solution is implemented. Which of the following best describes the key feature of EDR and how it helps the security analyst detect and respond to malicious activity in the organization’s network?

A. Automates security-related tasks
B. Provides real-time visibility into endpoint activity
C. Integrates with other security solutions
D. Performs forensic analysis on endpoints

A

b. provides real-time visibility into endpoint activity

121
Q

An organization plans to conduct a security assessment and wants to utilize a comprehensive and open approach to guide the assessment process. Which of the following covers various security aspects, such as physical, information, and wireless security, making it the most appropriate choice for the organization’s security assessment?

A. Open Worldwide Application Security Project (OWASP) Top Ten
B. MITRE ATT&CK
C. National Institute of Standards and Technology (NIST) Cybersecurity Framework
D. Open Source Security Testing Methodology Manual (OSSTMM)

A

d. Open Source Security Testing Methodology Manual (OSSTMM)

The Open Source Security Testing Methodology Manual (OSSTMM) covers various security aspects, such as physical, information, and wireless security, making it the most appropriate choice for the organization’s security assessment.

122
Q

A financial organization is dealing with a sudden rise in security incidents. The security analyst has discovered a malware strain behind the incidents. To study its behavior and find a solution, the analyst decides to use a specific tool to isolate and analyze malware behavior. What tool is the analyst using?

A. ScoutSuite
B. Prowler
C. Cuckoo
D. Pacu

A

c. Cuckoo

The analyst uses Cuckoo, a malware analysis tool, to isolate and execute the malware in a controlled environment, which allows the analyst to study its behavior and determine the best way to mitigate the threat.