Latest Questions Flashcards by Danielle Frei

Which of the following security controls is used to isolate a section of the network and its externally available resources from the internal corporate network in order to reduce the number of possible attacks?

Air gap

How well did you know this?

Not at all

Perfectly

A security analyst is reviewing an IDS alert and sees the following:

C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe -noP -exe byPass -nonI - wind hidden -no1 -c dir;findstr /s maldinuv %USERPROFILE%\*.lnk > %USERPROFILE%\Documents\iijlqe.ps1;%USERPROFILE%\Documents\iijlqe.ps1;exit

Fileless malware execution

How well did you know this?

Not at all

Perfectly

A security analyst is responding to a malware incident at a company. The malware connects to a command-and-control server on the internet in order to function. Which of the following should the security analyst implement first?

IP-based firewall rules

How well did you know this?

Not at all

Perfectly

An employee in the accounting department receives an email containing a demand for payment for services performed by a vendor. However, the vendor is not in the vendor management database. Which of the following is this scenario an example of

Invoice scam

How well did you know this?

Not at all

Perfectly

A company wants to begin taking online orders for products but has decided to outsource payment processing to limit risk. Which of the following best describes what the company should request from the payment processor?

Proof of PCI DSS compliance

How well did you know this?

Not at all

Perfectly

A security team received the following requirements for a new BYOD program that will allow employees to use personal smartphones to access business email:

-Sensitive customer data must be safeguarded.
-Documents from managed sources should not be opened in unmanaged destinations.
-Sharing of managed documents must be disabled.
-Employees should not be able to download emailed images to their devices.
-Personal photos and contact lists must be kept private.
-IT must be able to remove data from lost/stolen devices or when an employee no longer works for the company.

Which of the following are the best features to enable to meet these requirements? (Choose two.)

Remote wipe

Containerization

How well did you know this?

Not at all

Perfectly

A systems administrator is auditing all company servers to ensure they meet the minimum security baseline. While auditing a Linux server, the systems administrator observes the /etc/shadow file has permissions beyond the baseline recommendation. Which of the following commands should the systems administrator use to resolve this issue?

chmod

How well did you know this?

Not at all

Perfectly

A company has had several malware incidents that have been traced back to users accessing personal SaaS applications on the internet from the company network. The company has a policy that states users can only access business-related cloud applications from within the company network. Which of the following technical solutions should be used to enforce the policy?

Leverage a cloud access security broker

How well did you know this?

Not at all

Perfectly

In which of the following scenarios is tokenization the best privacy technique to use?

Enabling established customers to safely store credit card information

How well did you know this?

Not at all

Perfectly

A new vulnerability enables a type of malware that allows the unauthorized movement of data from a system. Which of the following would detect this behavior?

Monitoring outbound traffic

How well did you know this?

Not at all

Perfectly

Which of the following is a reason why a forensic specialist would create a plan to preserve data after an incident and prioritize the sequence for performing forensic analysis?

Order of volatility

How well did you know this?

Not at all

Perfectly

A server administrator is reporting performance issues when accessing all internal resources. Upon further investigation, the security team notices the following:

-A user’s endpoint has been compromised and is broadcasting its MAC as the default gateway’s MAC throughout the LAN.
-Traffic to and from that endpoint is significantly greater than all other similar endpoints on the LAN.
-Network ports on the LAN are not properly configured.
-Wired traffic is not being encrypted properly.

Which of the following attacks is most likely occurring?

ARP poisoning

How well did you know this?

Not at all

Perfectly

A company wants to implement MFA. Which of the following enables the additional factor while using a smart card?

How well did you know this?

Not at all

Perfectly

A security analyst is reviewing the following system command history on a computer that was recently utilized in a larger attack on the corporate infrastructure:

Which of the following best describes what the analyst has discovered?

A successful privilege escalation attack by a local user

C:\sysadmin>psexec.exe -s cmd
The command you provided involves the use of PsExec, a command-line utility developed by Sysinternals (now part of Microsoft) that allows you to execute processes on remote systems. Here’s a breakdown of the command:
bashCopy code
C:\sysadmin>psexec.exe -s cmd
C:\sysadmin>: This part indicates the current working directory in the command prompt. It’s not part of the PsExec command; rather, it shows the context in which the command is being executed.
psexec.exe: This is the executable file for PsExec. It is a tool used for executing processes on other systems.
-s: This is a command-line switch for PsExec, and it stands for “Run as SYSTEM.” When you use the -s option, the specified command (in this case, cmd, which is the Command Prompt) is executed with the privileges of the SYSTEM account, which is a high-privileged account in Windows.
cmd: This is the command that PsExec will execute with elevated privileges. In this case, it’s the Command Prompt (cmd). Running cmd with -s means that it will run with SYSTEM-level privileges.
So, when you run this command, it launches a Command Prompt with elevated privileges (SYSTEM account) on the local system (the system where the command is executed). Using PsExec requires administrative privileges on the system where it’s executed.

It is NOT Living off the Land (LotL) attack

A Living off the Land (LotL) attackdescribes a cyberattack in which intruders use legitimate software and functions available in the system to perform malicious actions on it.
Living off the land means surviving on what you can forage, hunt, or grow in nature. LotL cyberattack operators forage on target systems for tools, such as operating system components or installed software, they can use to achieve their goals. LotL attacks are often classified as fileless because they do not leave any artifacts behind.

How well did you know this?

Not at all

Perfectly

During a forensic investigation, an analyst uses software to create a checksum of the affected subject’s email file. Which of the following is the analyst practicing?

Integrity

How well did you know this?

Not at all

Perfectly

A software company has a shared codebase for multiple projects using the following strategy:

-Unused features are deactivated but still present on the code.
-New customer requirements trigger additional development work.

Which of the following will most likely occur when the company uses this strategy?

Dead code

How well did you know this?

Not at all

Perfectly

A security audit of an organization revealed that most of the IT staff members have domain administrator credentials and do not change the passwords regularly. Which of the following solutions should the security team propose to resolve the findings in the most complete way?

Securing domain administrator credentials in a PAM vault and controlling access with role-based access control

How well did you know this?

Not at all

Perfectly

Which of the following best describes a threat actor who is attempting to use commands found on a public code repository?

Script kiddie

How well did you know this?

Not at all

Perfectly

While assessing the security of a web application, a security analyst was able to introduce unsecure strings through the application input fields by bypassing client-side controls. Which of the following solutions should the analyst recommend?

Server-side validation

How well did you know this?

Not at all

Perfectly

A vulnerability scan returned the following results:
-2 Critical
-5 High
-15 Medium
-98 Low
Which of the following would the information security team most likely use to decide if all discovered vulnerabilities must be addressed and the order in which they should be addressed?

Risk matrix

How well did you know this?

Not at all

Perfectly

A company wants to ensure that all employees in a given department are trained on each job role to help with employee burnout and continuity of business operations in the event an employee leaves the company. Which of the following should the company implement?

Job rotation

How well did you know this?

Not at all

Perfectly

Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a specific situation, such as a security incident or major disaster. Which of the following best describes this meeting?

Tabletop exercise

How well did you know this?

Not at all

Perfectly

Which of the following threat actors is most likely to use a high level of sophistication and potentially zero-day exploits to target organizations and systems?

APT groups

How well did you know this?

Not at all

Perfectly

A company is implementing a vendor’s security tool in the cloud. The security director does not want to manage users and passwords specific to this tool but would rather utilize the company’s standard user directory. Which of the following should the company implement?

SAML

How well did you know this?

Not at all

Perfectly

An organization wants to ensure it can track changes between software deployments. Which of the following concepts should the organization implement?

Version control

A company has implemented a policy that requires two people to agree in order to push any changes from the test codebase repository into production. Which of the following best describes this control type?

Operational

A security analyst is looking for a way to categorize and share a threat actor's TTPs with colleagues at a partner organization. Which of the following would be the best method to achieve this goal?

Using the MITRE ATT&CK framework

A security administrator is reviewing reports about suspicious network activity occurring on a subnet. Users on the network report that connectivity to various websites is intermittent. The administrator logs in to a workstation and reviews the following command output: Which of the following best describes what is occurring on the network?

ARP poisoning

A systems administrator wants to add a second factor to the single sign-on portal that the organization uses. Currently, only a username and password are required. Which of the following should the administrator implement to best meet this requirement?

Software-based TOTP

A company needs to keep the fewest records possible, meet compliance needs, and ensure destruction of records that are no longer needed. Which of the following best describes the policy that meets these requirements?

Retention policy

A systems administrator is considering switching from tape backup to an alternative backup solution that would allow data to be readily available in the event of a disaster. Which of the following backup types should the administrator implement?

Cloud

A web application for a bank displays the following output when showing details about a customer's bank account: Which of the following techniques is most likely implemented in this web application?

Data masking

The security team installed video cameras in a prominent location in the building lobby. Which of the following best describe this type of control? (Choose two.)

Detective Deterrent

Which of the following is best to use when determining the severity of a vulnerability?

CVSS

Which of the following best describes an environment where a business owns the application and operating system but requires the resources to host them in the cloud?

IaaS

An organization wants to minimize the recovery time from backups in case of a disaster. Backups must be retained for one month, while minimizing the storage space used for backups. Which of the following is the best approach for a backup strategy?

Full weekly and incremental daily

An incident analyst finds several image files on a hard disk. The image files may contain geolocation coordinates. Which of the following best describes the type of information the analyst is trying to extract from the image files?

Metadata

A company uses a SaaS vendor to host its customer database. The company would like to reduce the risk of customer data exposure if the systems are breached. Which of the following risks should the company focus on to achieve this objective?

Access auditing

An employee finds a USB flash drive labeled "Salary Info" in an office parking lot. The employee picks up the USB flash drive, goes into the office, and plugs it into a laptop. Later, a technician inspects the laptop and realizes it has been compromised by malware. Which of the following types of social engineering attacks has occurred?

Baiting

The primary goal of the threat-hunting team at a large company is to identify cyberthreats that the SOC has not detected. Which of the following types of data would the threat-hunting team primarily use to identify systems that are exploitable?

Vulnerability scan

Which of the following best describes the process of adding a secret value to extend the length of stored passwords?

Salting

Adding a value to the end of a password to create a different password hash is called:

salting

An organization is concerned about hackers bypassing MFA through social engineering of phone carriers. Which of the following would most likely protect against such an attack?

Receiving a push notification to a mobile application

A security analyst is working with a vendor to get a new SaaS application deployed to an enterprise. The analyst wants to ensure role-based security policies are correctly applied as users access the application. Which of the following is most likely to solve the issue?

CASB

A municipality implements an IoT device discovery scanner and finds a legacy controller for a critical internal utility SCADA service that is running firmware with multiple vulnerabilities. Unfortunately, the controller cannot be upgraded, and a replacement for it is not available for at least a year. Which of the following is the best action to take to mitigate the risk posed by this controller in the meantime?

Isolate the controller from the rest of the network and constrain connectivity

Which of the following types of data are most likely to be subject to regulations and laws?

PHI PII

An analyst is reviewing an incident in which a user clicked on a link in a phishing email. Which of the following log sources would the analyst utilize to determine whether the connection was successful?

Network

Which of the following, if compromised, can indirectly impact systems’ availability by imposing inadequate environmental conditions for the hardware to operate properly?

HVAC

An audit report showed that a former employee saved the following files to an external USB drive before the employee's termination date: * annual_tax_form.pdf * encrypted_passwords.db * team_picture.jpg * contact_list.db * human_resources.txt Which of the following could the former employee do to potentially compromise corporate credentials?

Perform an offline brute-force attack

Which of the following best describes a legal hold?

It occurs during litigation and requires retention of both electronic and physical documents

A company wants to move one of its environments to the cloud. The biggest requirement is to have as much control as possible regarding the environment. Which of the following would most likely satisfy this requirement?

IaaS

A penetration test revealed that several Linux servers were misconfigured at the file level and access was granted incorrectly. A security analyst is referencing the instructions in the incident response runbook for remediation information. Which of the following is the best command to use to resolve the issue?

chmod

Which of the following is the most important security concern when using legacy systems to provide production service?

Lack of vendor support

Which of the following would best enable a systems administrator to easily determine which devices are located at a remote facility and allow policy to be pushed to only those devices?

Standard naming conventions Standard naming conventions allow the system administrator to identify the devices by their location, function, or other criteria, and apply policy settings accordingly

A company is utilizing an offshore team to help support the finance department. The company wants to keep the data secure by keeping it on a company device but does not want to provide equipment to the offshore team. Which of the following should the company implement to meet this requirement?

VDI

Which of the following is best used to detect fraud by assigning employees to different roles?

Job rotation Separation of duties will PREVENT Job rotation will DETECT

A company implemented an MDM policy to mitigate risks after repeated instances of employees losing company-provided mobile phones. In several cases, the lost phones were used maliciously to perform social engineering attacks against other employees. Which of the following MDM features should be configured to best address this issue? (Choose two.)

Screen locks Remote wipe

During a recent company safety stand-down, the cyber-awareness team gave a presentation on the importance of cyber hygiene. One topic the team covered was best practices for printing centers. Which of the following describes an attack method that relates to printing centers?

Dumpster diving

The security operations center is researching an event concerning a suspicious IP address. A security analyst looks at the following event logs and discovers that a significant portion of the user accounts have experienced failed log-in attempts when authenticating from the same IP address: Which of the following most likely describes the attack that took place?

Spraying

Which of the following is an algorithm performed to verify that data has not been modified?

Hash

A network administrator deployed a DNS logging tool that logs suspicious websites that are visited and then sends a daily report based on various weighted metrics. Which of the following best describes the type of control the administrator put in place?

Detective

A business uses Wi-Fi with content filtering enabled. An employee noticed a coworker accessed a blocked site from a work computer and reported the issue. While investigating the issue, a security administrator found another device providing internet access to certain employees. Which of the following best describes the security risk?

A rogue access point is allowing users to bypass controls

While considering the organization's cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor. Which of the following best meets this goal?

IaaS

A spoofed identity was detected for a digital certificate. Which of the following are the type of unidentified key and the certificate that could be in use on the company domain?

Private key and self-signed certificate

A software developer would like to ensure the source code cannot be reverse engineered or debugged. Which of the following should the developer consider?

Obfuscation toolkit

Which of the following is the most effective way to protect an application server running software that is no longer supported from network threats?

Screened subnet

A growing company would like to enhance the ability of its security operations center to detect threats but reduce the amount of manual work required for the security analysts. Which of the following would best enable the reduction in manual work?

SOAR

Which of the following can a security director use to prioritize vulnerability patching within a company's IT environment?

CVSS

The Chief Information Security Officer wants to put security measures in place to protect PHI. The organization needs to use its existing labeling and classification system to accomplish this goal. Which of the following would most likely be configured to meet the requirements?

DLP

A company wants to get alerts when others are researching and doing reconnaissance on the company. One approach would be to host a part of the infrastructure online with known vulnerabilities that would appear to be company assets. Which of the following describes this approach?

Honeypot

Which of the following is the final step of the incident response process?

Lessons learned

A systems administrator is redesigning how devices will perform network authentication. The following requirements need to be met: * An existing internal certificate must be used. * Wired and wireless networks must be supported. * Any unapproved device should be isolated in a quarantine subnet. * Approved devices should be updated before accessing resources. Which of the following would best meet the requirements?

802.1X

An IT security team is concerned about the confidentiality of documents left unattended in MFPs. Which of the following should the security team do to mitigate the situation?

Deploy an authentication factor that requires in-person action before printing.

A security analyst finds a rogue device during a monthly audit of current endpoint assets that are connected to the network. The corporate network utilizes 802.1x for access control. To be allowed on the network, a device must have a known hardware address, and a valid username and password must be entered in a captive portal. The following is the audit report: Which of the following is the most likely way a rogue device was allowed to connect?

A user performed a MAC cloning attack with a personal device

A security administrator recently reset local passwords and the following values were recorded in the system: Which of the following is the security administrator most likely protecting against?

Password compromise

Which of the following characteristics of tokenization explains how credit card information that is stored in a database is protected?

The data is relabeled Tokenization involves replacing sensitive data, such as credit card numbers, with a unique identifier called a token. The token is used in place of the actual data for processing transactions or other operations, and it is meaningless to those who might gain unauthorized access. This process is a form of data relabeling, providing a layer of security by ensuring that even if the tokenized data is compromised, the actual sensitive information remains protected.

A systems administrator wants to implement a backup solution. The solution needs to allow recovery of the entire system, including the operating system, in case of a disaster. Which of the following backup types should the administrator consider?

Image

An administrator is investigating an incident and discovers several users’ computers were infected with malware after viewing files that were shared with them. The administrator discovers no degraded performance in the infected machines and an examination of the log files does not show excessive failed logins. Which of the following attacks is most likely the cause of the malware?

Malicious flash drive

A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected. Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions. Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise?

The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site

The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization's agreed-upon RPOs and RTOs. Which of the following backup scenarios would best ensure recovery?

Daily full backups stored on premises in magnetic offline media

A company is currently utilizing usernames and passwords, and it wants to integrate an MFA method that is seamless, can integrate easily into a user’s workflow, and can utilize employee-owned devices. Which of the following will meet these requirements?

Push notifications

Since a recent upgrade to a WLAN infrastructure, several mobile users have been unable to access the internet from the lobby. The networking team performs a heat map survey of the building and finds several WAPs in the area. The WAPs are using similar frequencies with high power settings. Which of the following installation considerations should the security team evaluate next?

Channel overlap

A security administrator needs to publish multiple application URLs that will run on different internal web servers but use only one external IP address. Which of the following is the best way for the administrator to achieve this goal?

Reverse proxy

Which of the following is the first step to take when creating an anomaly detection process?

Building a baseline

When a newly developed application was tested, a specific internal resource was unable to be accessed. Which of the following should be done to ensure the application works correctly?

Modify the allow/deny list for those specific resources.

Which of the following best describes why the SMS OTP authentication method is more risky to implement than the TOTP method?

The SMS OTP is more likely to be intercepted and lead to unauthorized disclosure of the code than the TOTP method

A security manager is implementing MFA and patch management. Which of the following would best describe the control type and category? (Choose two.)

Preventative Technical

A security analyst is creating baselines for the server team to follow when hardening new devices for deployment. Which of the following best describes what the analyst is creating?

Secure configuration guide

Which of the following environments utilizes a subset of customer data and is most likely to be used to assess the impacts of major system upgrades and demonstrate system features?

Staging -Development - Creating new code -Test - Verifying the code works as specified -Staging - Proving the final code in as close to the real world as possible -Production - Running the code in the real world

An external vendor recently visited a company's headquarters for a presentation. Following the visit, a member of the hosting team found a file that the external vendor left behind on a server. The file contained detailed architecture information and code snippets. Which of the following data types best describes this file?

Proprietary

An organization has too many variations of a single operating system and needs to standardize the arrangement prior to pushing the system image to users. Which of the following should the organization implement first?

Standard naming convention

The Chief Information Security Officer (CISO) asks a security analyst to install an OS update to a production VM that has a 99% uptime SLA. The CISO tells the analyst the installation must be done as quickly as possible. Which of the following courses of action should the security analyst take first?

Take a snapshot of the VM

The application development teams have been asked to answer the following questions: * Does this application receive patches from an external source? * Does this application contain open-source code? * Is this application accessible by external users? * Does this application meet the corporate password standard? Which of the following are these questions part of?

Risk control self-assessment

A website user is locked out of an account after clicking an email link and visiting a different website. Web server logs show the user’s password was changed, even though the user did not change the password. Which of the following is the most likely cause?

Cross-site request forgery

Two companies are in the process of merging. The companies need to decide how to standardize their information security programs. Which of the following would best align the security programs?

Both companies following the same CSF

A company recently decided to allow employees to work remotely. The company wants to protect its data without using a VPN. Which of the following technologies should the company implement?

Secure web gateway

A vendor needs to remotely and securely transfer files from one server to another using the command line. Which of the following protocols should be implemented to allow for this type of access? (Choose two.)

SSH SFTP

A security analyst needs to propose a remediation plan for each item in a risk register. The item with the highest priority requires employees to have separate logins for SaaS solutions and different password complexity requirements for each solution. Which of the following implementation plans will most likely resolve this security issue?

Integrating each SaaS solution with the identity provider

Callers speaking a foreign language are using company phone numbers to make unsolicited phone calls to a partner organization. A security analyst validates through phone system logs that the calls are occurring and the numbers are not being spoofed. Which of the following is the most likely explanation?

The company’s SIP server security settings are weak

Which of the following best describes a penetration test that resembles an actual external attack?

Unknown environment

An accounting intern receives an invoice via email from the Chief Executive Officer (CEO). In the email, the CEO demands the immediate release of funds to the bank account that is listed. Which of the following principles best describes why this attack might be successful?

Authority

A user downloaded software from an online forum. After the user installed the software, the security team observed external network traffic connecting to the user's computer on an uncommon port. Which of the following is the most likely explanation of this unauthorized connection?

The software contained a backdoor

During a penetration test, a flaw in the internal PKI was exploited to gain domain administrator rights using specially crafted certificates. Which of the following remediation tasks should be completed as part of the cleanup phase?

Updating the CRL A good part of cleanup is revoking the specially crafted certificates

Which of the following security program audits includes a comprehensive evaluation of the security controls in place at an organization over a six- to 12-month time period?

SOC 2 Type II

An organization recently experienced the following social engineering attacks that introduced malware into the network: -In the first attack, the sender impersonated a staff member in the legal department and sent an email stating that the employee needed to click a link to sign an NDA in order to remain employed. The link provided was to a malicious website. -In the second attack, the sender impersonated the director of finance and instructed the accounts payable department to pay an outstanding invoice. The attached invoice contained malware. Which of the following is the most likely reason these attacks were successful?

Both attacks appealed to authority, which made the end users feel obligated to perform the requested actions

Development team members set up multiple application environments so they can develop, test, and deploy code in a secure and reliable manner. One of the environments is configured with real data that has been obfuscated so the team can adequately assess how the code will work in production. Which of the following environments is set up?

Sandbox

Which of the following provides guidelines for the management and reduction of information security risk?

NIST CSF

During a wireless network scan at a data center the IT security team discovered Wi-Fi signals broadcasting from an unknown device. Which of the following best describes the cause of the incident?

Rogue access point

A security analyst is reviewing a secure website that is generating TLS certificate errors. The analyst determines that the browser is unable to receive a response from the OCSP for the certificate. Which of the following actions would most likely resolve the issue?

Unblock the OCSP protocol in the host-based firewall

An organization plans to take online orders via a new website. Three web servers are available for this website. However, the organization does not want to reveal the network addresses or quantity of the individual servers to the general public. Which of the following would best fulfill these requirements?

Virtual IP

A threat actor was able to use a username and password to log in to a stolen company mobile device. Which of the following provides the best solution to increase mobile data security on all employees’ company mobile devices?

Containerization