Part 1 Flashcards
Copied from test dump
While planning segmentation for an ICS environment, a security engineer determines IT resources will
need access to devices within the ICS environment without compromising security.
To provide the MOST secure access model in this scenario, the jumpbox should be…
A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS
network.
B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.
C. bridged between the IT and operational technology networks to allow authenticated access.
D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.
D: placed on the IT side of the network, authenticated, and tunneled into the ICS environment.
Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?
A. Input validation
B. Output encoding
C. Parameterized queries
D. Tokenization
D: Tokenization
Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and
analyze potentially malicious files that are downloaded from the Internet.
Which of the following would BEST provide this solution?
A. File fingerprinting
B. Decomposition of malware
C. Risk evaluation
D. Sandboxing
D: Sandboxing
A web-based front end for a business intelligence application uses pass-through authentication to
authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized
to use.
Which of the following will fix the cause of the issue?
A. Change the security model to force the users to access the database as themselves
B. Parameterize queries to prevent unauthorized SQL queries against the database
C. Configure database security logging using syslog or a SIEM
D. Enforce unique session IDs so users do not get a reused session ID
A: Change the security model to force the users to access the database as themselves
Clients are unable to access a company’s API to obtain pricing data. An analyst discovers sources other
than clients are scraping the API for data, which is causing the servers to exceed available resources.
Which of the following would be BEST to protect the availability of the APIs?
A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network
D. Web application firewall
D: Web application firewall
A security team is implementing a new vulnerability management program in an environment that has a
historically poor security posture. The team is aware of patch management issues in the environment and
expects a large number of findings.
Which of the following would be the MOST efficient way to increase the security posture of the
organization in the shortest amount of time?
A. Create an SLA stating that remediation actions must occur within 30 days of discovery for all levels of
vulnerabilities.
B. Incorporate prioritization levels into the remediation process and address critical findings first.
C. Create classification criteria for data residing on different servers and provide remediation only for
servers housing sensitive data.
D. Implement a change control policy that allows the security team to quickly deploy patches in the
production environment to reduce the risk of any vulnerabilities found.
B: Incorporate prioritization levels into the remediation process and address critical findings first.
The computer incident response team at a multinational company has determined that a breach of
sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per
the incident response procedures, this breach requires notifying the board immediately.
Which of the following would be the BEST method of communication?
A. Post on the company blog
B. Corporate-hosted encrypted email
C. VoIP phone call
D. Summary sent by certified mail
E. Externally hosted instant message
C: VoIP phone call
A security analyst for a large financial institution is creating a threat model for a specific threat actor that
is likely targeting an organization’s financial assets.
Which of the following is the BEST example of the level of sophistication this threat actor is using?
A. Social media accounts attributed to the threat actor
B. Custom malware attributed to the threat actor from prior attacks
C. Email addresses and phone numbers tied to the threat actor
D. Network assets used in previous attacks attributed to the threat actor
E. IP addresses used by the threat actor for command and control
D: Network assets used in previous attacks attributed to the threat actor
During an investigation, an analyst discovers the following rule in an executive’s email client:
IF * TO THEN mailto:
SELECT FROM ‘sent’ THEN DELETE FROM
The executive is not aware of this rule.
Which of the following should the analyst do FIRST to evaluate the potential impact of this security
incident?
A. Check the server logs to evaluate which emails were sent to
B. Use the SIEM to correlate logging events from the email server and the domain server
C. Remove the rule from the email client and change the password
D. Recommend that management implement SPF and DKIM
A: Check the server logs to evaluate which emails were sent to
A security analyst is supporting an embedded software team.
Which of the following is the BEST recommendation to ensure proper error handling at runtime?
A. Perform static code analysis.
B. Require application fuzzing.
C. Enforce input validation.
D. Perform a code review.
B: Require application fuzzing.
During an investigation, a security analyst determines suspicious activity occurred during the night
shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to
an external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from
happening in the future?
A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. A firewall rule that will block traffic from the specific IP addresses
D: A firewall rule that will block traffic from the specific IP addresses
The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:
A. web servers on private networks.
B. HVAC control systems.
C. smartphones.
D. firewalls and UTM devices.
D: firewalls and UTM devices
A security analyst received an email with the following key:
Xj3XJ3LLc
A second security analyst received an email with following key:
3XJ3xjcLLC
The security manager has informed the two analysts that the email they received is a key that allows
access to the company’s financial segment for maintenance.
This is an example of:
A. dual control
B. private key encryption
C. separation of duties
D. public key encryption
E. two-factor authentication
A: dual control
A security analyst is providing a risk assessment for a medical device that will be installed on the
corporate network. During the assessment, the analyst discovers the device has an embedded operating
system that will be at the end of its life in two years. Due to the criticality of the device, the security
committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end
of life is reached.
Which of the following risk actions has the security committee taken?
A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance
D: Risk acceptance
A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in
the application, the user is redirected to the login page. After successful authentication, the user is then
redirected back to the original page. Some users have reported receiving phishing emails with a link that
takes them to the application login page but then redirects to a fake login page after successful
authentication.
Which of the following will remediate this software vulnerability?
A. Enforce unique session IDs for the application.
B. Deploy a WAF in front of the web application.
C. Check for and enforce the proper domain for the redirect.
D. Use a parameterized query to check the credentials.
E. Implement email filtering with anti-phishing protection.
A: Enforce unique session IDs for the application.
A security analyst has received information from a third-party intelligence-sharing resource that
indicates employee accounts were breached.
Which of the following is the NEXT step the analyst should take to address the issue?
A. Audit access permissions for all employees to ensure least privilege.
B. Force a password reset for the impacted employees and revoke any tokens.
C. Configure SSO to prevent passwords from going outside the local network.
D. Set up privileged access management to ensure auditing is enabled.
B: Force a password reset for the impacted employees and revoke any tokens.
An information security analyst on a threat-hunting team is working with administrators to create a
hypothesis related to an internally developed web application.
The working hypothesis is as follows:
• Due to the nature of the industry, the application hosts sensitive data associated with many clients and is
a significant target.
• The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose
vulnerable services.
• The application is likely to be targeted with SQL injection attacks due to the large number of reporting
capabilities within the application.
As a result, the systems administrator upgrades outdated service applications and validates the endpoint
configuration against an industry benchmark. The analyst suggests developers receive additional training
on implementing identity and access management, and also implements a WAF to protect against SQL
injection attacks.
Which of the following BEST represents the technique in use?
A. Improving detection capabilities
B. Bundling critical assets
C. Profiling threat actors and activities
D. Reducing the attack surface area
D: Reducing the attack surface area
An incident response team is responding to a breach of multiple systems that contain PII and PHI.
Disclosing the incident to external entities should be based on:
A. the responder’s discretion
B. the public relations policy
C. the communication plan
D. senior management’s guidance
C: the communication plan
A security analyst has a sample of malicious software and needs to know what the sample does. The
analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software
behavior.
Which of the following malware analysis approaches is this?
A. White box testing
B. Fuzzing
C. Sandboxing
D. Static code analysis
C: Sandboxing
A company’s Chief Information Security Officer (CISO) is concerned about the integrity of some highly
confidential files. Any changes to these files must be tied back to a specific authorized user’s activity
session.
Which of the following is the BEST technique to address the CISO’s concerns?
A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for
unauthorized changes.
B. Regularly use SHA-256 to hash the directory containing the sensitive information.
Monitor the files for unauthorized changes.
C. Place a legal hold on the files. Require authorized users to abide by a strict time context access policy.
Monitor the files for unauthorized changes.
D. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.
A: Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.