Part 2 Flashcards

1
Q

A cybersecurity analyst is contributing to a team hunt on an organization’s endpoints.
Which of the following should the analyst do FIRST?
A. Write detection logic.
B. Establish a hypothesis.
C. Profile the threat actors and activities.
D. Perform a process analysis.

A

B. Establish a hypothesis.

https://www.cybereason.com/blog/blog-the-eight-steps-to-threat-hunting

2
Q
Which of the following software security best practices would prevent an attacker from being able to
run arbitrary SQL commands within a web application? (Choose two.)
A. Parameterized queries
B. Session management
C. Input validation
D. Output encoding
E. Data protection
F. Authentication
A

A. Parameterized queries
C. Input validation

Reference:
https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-attacks/
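The two correct answers side by side, as an added example that is not from the original page or the referenced article: a login check built by string concatenation, which the classic `' OR '1'='1` payload bypasses, next to the same check as a parameterized query, with an allowlist check on the username as a second layer. The `users` table, the rows and the credentials are constructed for the demonstration (a real application stores password hashes, not plaintext).

```python
import re
import sqlite3


def build_db():
    """Constructed sample database: one user, plaintext password for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation: user input becomes part of the SQL itself."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the statement and cannot change it."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Allowlist for the username field: only the characters a username may legitimately contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")


def login_validated(conn, username, password):
    """Defence in depth: allowlist validation of the username, then the parameterized query."""
    if not USERNAME_RE.fullmatch(username):
        return False
    return login_safe(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("concatenated, injected password :", login_vulnerable(db, "alice", payload))  # True
    print("concatenated, commented-out pw  :", login_vulnerable(db, "alice' --", "x"))  # True
    print("parameterized, injected password:", login_safe(db, "alice", payload))        # False
    print("parameterized, real password    :", login_safe(db, "alice", "hunter2"))      # True
```

With concatenation the payload turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row; with placeholders the same string is simply a password nobody has. Input validation alone would not have stopped a payload in a free-text field, which is why both answers are needed.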

3
Q

A security analyst received an alert from the SIEM indicating numerous login attempts from users
outside their usual geographic zones, all of which were initiated through the web-based mail server. The
logs indicate all domain accounts experienced two login attempts during the same time frame.
Which of the following is the MOST likely cause of this issue?
A. A password-spraying attack was performed against the organization.
B. A DDoS attack was performed against the organization.
C. This was normal shift work activity; the SIEM’s AI is learning.
D. A credentialed external vulnerability scan was performed.

A

A. A password-spraying attack was performed against the organization.
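The pattern in the question (every account tried a small number of times, from an unusual location, in one time frame) is what distinguishes spraying from brute force, and it is cheap to detect in a SIEM rule or a script. The following is an added example, not part of the original card: it parses a constructed, hypothetical webmail authentication log, buckets failed logins per source address and hour, and labels a bucket as spraying when many accounts see few failures each, or as brute force when one account sees many. The log format and thresholds are assumptions for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not the page's SIEM data). One source walks
# every account twice with one success; another hammers a single account.
SAMPLE_LOG = """\
2024-03-04T02:10:01Z src=203.0.113.7 geo=RU user=alice result=FAIL
2024-03-04T02:10:02Z src=203.0.113.7 geo=RU user=bob result=FAIL
2024-03-04T02:10:03Z src=203.0.113.7 geo=RU user=carol result=FAIL
2024-03-04T02:10:04Z src=203.0.113.7 geo=RU user=dave result=FAIL
2024-03-04T02:10:05Z src=203.0.113.7 geo=RU user=erin result=SUCCESS
2024-03-04T02:40:01Z src=203.0.113.7 geo=RU user=alice result=FAIL
2024-03-04T02:40:02Z src=203.0.113.7 geo=RU user=bob result=FAIL
2024-03-04T02:40:03Z src=203.0.113.7 geo=RU user=carol result=FAIL
2024-03-04T02:40:04Z src=203.0.113.7 geo=RU user=dave result=FAIL
2024-03-04T02:40:05Z src=203.0.113.7 geo=RU user=erin result=FAIL
2024-03-04T09:00:00Z src=198.51.100.9 geo=US user=frank result=FAIL
2024-03-04T09:00:05Z src=198.51.100.9 geo=US user=frank result=FAIL
2024-03-04T09:00:10Z src=198.51.100.9 geo=US user=frank result=FAIL
2024-03-04T09:00:15Z src=198.51.100.9 geo=US user=frank result=FAIL
2024-03-04T09:00:20Z src=198.51.100.9 geo=US user=frank result=FAIL
2024-03-04T09:01:00Z src=198.51.100.9 geo=US user=frank result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) geo=(?P<geo>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_events(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than crashing the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def bucket_start(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    return EPOCH + ((ts - EPOCH) // window) * window


def classify_sources(events, window=timedelta(hours=1), min_accounts=4,
                     max_per_account=3, brute_threshold=5):
    """Label each (source, window) as password_spray or brute_force; quiet sources are omitted.

    Returns {src: {window_start_iso: {"verdict", "accounts", "successes"}}}.
    """
    failures = defaultdict(lambda: defaultdict(int))   # (src, start) -> user -> failed attempts
    successes = defaultdict(set)                       # (src, start) -> users that logged in
    for e in events:
        key = (e["src"], bucket_start(e["ts"], window))
        if e["result"] == "FAIL":
            failures[key][e["user"]] += 1
        elif e["result"] == "SUCCESS":
            successes[key].add(e["user"])

    findings = defaultdict(dict)
    for (src, start), per_user in failures.items():
        worst = max(per_user.values())
        if len(per_user) >= min_accounts and worst <= max_per_account:
            verdict = "password_spray"        # wide and shallow: stays under lockout thresholds
        elif worst >= brute_threshold:
            verdict = "brute_force"           # narrow and deep: the lockouts a SIEM already sees
        else:
            continue
        findings[src][start.isoformat()] = {
            "verdict": verdict,
            "accounts": len(per_user),
            # a success from a spraying source is the account to reset first
            "successes": sorted(successes.get((src, start), ())),
        }
    return dict(findings)


def run_detector(log_text):
    return classify_sources(parse_events(log_text))


if __name__ == "__main__":
    for src, windows in run_detector(SAMPLE_LOG).items():
        for start, info in windows.items():
            print(src, start, info)
```

Per-account lockout counters never fire on a spray because each account is only touched once or twice; the detection has to pivot on the source address (or the ASN or geography) and count distinct accounts instead.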

4
Q
For machine learning to be applied effectively toward security analysis automation, it requires:
A. relevant training data.
B. a threat feed API.
C. a multicore, multiprocessor system.
D. anomalous traffic signatures.
A

A. relevant training data.

5
Q

Which of the following BEST describes the primary role of a risk assessment as it relates to
compliance with risk-based frameworks?
A. It demonstrates the organization’s mitigation of risks associated with internal threats.
B. It serves as the basis for control selection.
C. It prescribes technical control requirements.
D. It is an input to the business impact assessment.

A

B. It serves as the basis for control selection.

6
Q

During an investigation, an incident responder intends to recover multiple pieces of digital media.
Before removing the media, the responder should initiate:
A. malware scans.
B. secure communications.
C. chain of custody forms.
D. decryption tools.

A

C. chain of custody forms.

7
Q
Which of the following technologies can be used to house the entropy keys for task encryption on
desktops and laptops?
A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM
A

C. TPM

8
Q

An organization wants to move non-essential services into a cloud computing environment.
Management has a cost focus and would like to achieve a recovery time objective of 12 hours.
Which of the following cloud recovery strategies would work BEST to attain the desired outcome?
A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region
D. Configure the systems with a cold site at another cloud provider that can be used for failover.

A

C. Set up a warm disaster recovery site with the same cloud provider in a different region

9
Q

A security architect is reviewing the options for performing input validation on incoming web form
submissions.
Which of the following should the architect recommend as the MOST secure and manageable option?
A. Client-side whitelisting
B. Server-side whitelisting
C. Server-side blacklisting
D. Client-side blacklisting

A

B. Server-side whitelisting
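What server-side whitelisting (allowlisting) looks like in practice, as an added example that is not part of the original card: a hypothetical form schema that names every accepted field and the exact shape each value may take, a validator that rejects anything else, and the blacklisting alternative beside it, shown being bypassed by a nested tag and by a case change. The field names and patterns are assumptions for the demonstration.

```python
import re

# Hypothetical form schema: every accepted field and the only shape its value may take.
# Anything not listed here, or not matching, is rejected on the server.
ALLOWLIST = {
    "username": re.compile(r"^[a-z0-9_]{3,32}$"),
    "zip_code": re.compile(r"^[0-9]{5}$"),
    "country":  re.compile(r"^(US|CA|GB|DE|FR)$"),
}


def validate_form(form):
    """Server-side allowlist validation of a submitted form (dict of field -> string).

    Returns a list of error strings; an empty list means the submission is accepted.
    The same rules can run in the browser for usability, but that copy is advisory only:
    a client can replay the request with curl and never execute it.
    """
    errors = []
    for field in form:
        if field not in ALLOWLIST:
            errors.append("unexpected field: %s" % field)
    for field, pattern in ALLOWLIST.items():
        value = form.get(field)
        if value is None:
            errors.append("missing field: %s" % field)
        # fullmatch, not match: '$' alone would accept a trailing newline after a valid value
        elif not isinstance(value, str) or not pattern.fullmatch(value):
            errors.append("invalid value for %s" % field)
    return errors


# The blacklist alternative: strip known-bad tokens and hope the list is complete.
BAD_TOKENS = ["<script>", "javascript:", "onerror="]


def blacklist_sanitize(value):
    """Remove each banned token once; what is left is trusted. This is the manageability problem."""
    for token in BAD_TOKENS:
        value = value.replace(token, "")
    return value


if __name__ == "__main__":
    print(validate_form({"username": "alice_01", "zip_code": "94016", "country": "US"}))   # []
    print(validate_form({"username": "<script>", "zip_code": "94016", "country": "XX"}))
    # Stripping "<script>" from "<scr<script>ipt>" reassembles "<script>"; a case change also slips past.
    print(blacklist_sanitize("<scr<script>ipt>alert(1)</script>"))
    print(blacklist_sanitize("<SCRIPT>alert(1)</SCRIPT>"))
```

The allowlist needs no updating when a new bypass trick appears, because it never tries to enumerate the bad inputs; the blacklist needs a new entry for every one.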

10
Q

An audit has revealed an organization is utilizing a large number of servers that are running
unsupported operating systems.
As part of the management response phase of the audit, which of the following would BEST demonstrate
senior management is appropriately aware of and addressing the issue?
A. Copies of prior audits that did not identify the servers as an issue
B. Project plans relating to the replacement of the servers that were approved by management
C. Minutes from meetings in which risk assessment activities addressing the servers were discussed
D. ACLs from perimeter firewalls showing blocked access to the

A

B. Project plans relating to the replacement of the servers that were approved by management

11
Q

A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the
network is compromised.
Which of the following would provide the BEST results?
A. Baseline configuration assessment
B. Uncredentialed scan
C. Network ping sweep
D. External penetration test

A

B. Uncredentialed scan

12
Q

A security analyst has observed several incidents within an organization that are affecting one specific
piece of hardware on the network. Further investigation reveals the equipment vendor previously released
a patch.
Which of the following is the MOST appropriate threat classification for these incidents?
A. Known threat
B. Zero day
C. Unknown threat
D. Advanced persistent threat

A

A. Known threat

13
Q

Which of the following software assessment methods would be BEST for gathering data related to an
application’s availability during peak times?
A. Security regression testing
B. Stress testing
C. Static analysis testing
D. Dynamic analysis testing
E. User acceptance testing

A

B. Stress testing

14
Q

Bootloader malware was recently discovered on several company workstations. All the workstations
run Windows and are current models with UEFI capability.
Which of the following UEFI settings is the MOST likely cause of the infections?
A. Compatibility mode
B. Secure boot mode
C. Native mode
D. Fast boot mode

A

A. Compatibility mode

15
Q

Which of the following policies would state an employee should not disable security safeguards, such
as host firewalls and antivirus on company systems?
A. Code of conduct policy
B. Account management policy
C. Password policy
D. Acceptable use policy

A

D. Acceptable use policy

16
Q

Because some clients have reported unauthorized activity on their accounts, a security analyst is
reviewing network packet captures from the company’s API server.
A portion of a capture file is shown below:
POST /services/v1_0/Public/Members.svc/soap
192.168.1.22 - - api.somesite.com 200 0 1006 1001 0 192.168.1.22
POST /services/v1_0/Public/Members.svc/soap
(the remainder of the capture could not be entered into Brainscape)

Which of the following MOST likely explains how the clients’ accounts were compromised?

A

The clients’ authentication tokens were impersonated and replayed.

17
Q

A Chief Information Security Officer (CISO) is concerned the development team, which consists of
contractors, has too much access to customer data. Developers use personal workstations, giving the
company little to no visibility into the development activities.
Which of the following would be BEST to implement to alleviate the CISO’s concern?
A. DLP
B. Encryption
C. Test data
D. NDA

A

C. Test data

18
Q

As part of an organization’s information security governance process, a Chief Information Security
Officer (CISO) is working with the compliance officer to update policies to include statements related to
new regulatory and legal requirements.
Which of the following should be done to BEST ensure all employees are appropriately aware of changes
to the policies?
A. Conduct a risk assessment based on the controls defined in the newly revised policies
B. Require all employees to attend updated security awareness training and sign an acknowledgement
C. Post the policies on the organization’s intranet and provide copies of any revised policies to all active vendors
D. Distribute revised copies of policies to employees and obtain a signed acknowledgement from them

A

B. Require all employees to attend updated security awareness training and sign an acknowledgement

19
Q

A security analyst implemented a solution that would analyze the attacks that the organization’s
firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the
following command.
$ sudo nc -l -v -c maildemon.py 25 caplog.txt
Which of the following solutions did the analyst implement?
A. Log collector
B. Crontab mail script
C. Sinkhole
D. Honeypot

A

D. Honeypot
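The command listens on TCP 25 and hands each connection to a fake mail daemon while logging the exchange, which is a honeypot: a decoy service whose only purpose is to record what attackers that got past the firewall try to do. What such a fake daemon does, as an added example that is not the page's `maildemon.py` and not part of the original card: just enough SMTP to keep a bot or scanner talking, nothing relayed, and every client line written out as JSON for later analysis. The hostname, log file name and port are assumptions for the demonstration.

```python
import json
import socketserver
from datetime import datetime, timezone

LOG_PATH = "caplog.jsonl"                      # hypothetical log name, one JSON record per client line
HOSTNAME = "mail.example.com"                  # hypothetical banner hostname
BANNER = "220 %s ESMTP ready" % HOSTNAME


def smtp_reply(line, state):
    """Return (reply, close_after) for one client line, faking just enough SMTP to keep a bot talking.

    `state` records whether we are inside a DATA body. Nothing is relayed or queued; the
    250 after the terminating "." only makes the sender believe delivery succeeded.
    """
    if state["in_data"]:
        if line == ".":
            state["in_data"] = False
            return "250 OK: queued", False
        return None, False                     # body lines get no reply until the "."
    verb = line.split(" ", 1)[0].upper()
    if verb in ("HELO", "EHLO"):
        return "250 %s" % HOSTNAME, False
    if verb in ("MAIL", "RCPT", "NOOP", "RSET"):
        return "250 OK", False
    if verb == "DATA":
        state["in_data"] = True
        return "354 End data with <CR><LF>.<CR><LF>", False
    if verb == "QUIT":
        return "221 Bye", True
    return "500 Command unrecognized", False


def record(log, peer, line, reply):
    """Log everything the client sent, verbatim: the commands and payloads are the intelligence."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "peer": peer,
                "client": line, "reply": reply})


def simulate_session(peer, client_lines, log):
    """Drive the state machine over a list of client lines (offline testing of the honeypot logic).

    Appends one record per client line to `log` and returns the replies sent, banner first.
    """
    state = {"in_data": False}
    replies = [BANNER]
    for line in client_lines:
        reply, close = smtp_reply(line, state)
        record(log, peer, line, reply)
        if reply is not None:
            replies.append(reply)
        if close:
            break
    return replies


class HoneypotHandler(socketserver.StreamRequestHandler):
    """Network handler: the same state machine, with records appended to LOG_PATH as JSON lines."""

    def handle(self):
        peer = "%s:%d" % self.client_address[:2]
        state = {"in_data": False}
        self.wfile.write((BANNER + "\r\n").encode())
        with open(LOG_PATH, "a") as fh:
            while True:
                raw = self.rfile.readline()
                if not raw:
                    break                      # client went away
                line = raw.decode("latin-1").rstrip("\r\n")
                reply, close = smtp_reply(line, state)
                entry = []
                record(entry, peer, line, reply)
                fh.write(json.dumps(entry[0]) + "\n")
                if reply is not None:
                    self.wfile.write((reply + "\r\n").encode())
                if close:
                    break


if __name__ == "__main__":
    # 2525 avoids needing root; redirect port 25 to it at the firewall, or run as a capability-limited user.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), HoneypotHandler) as server:
        server.serve_forever()
```

Because no legitimate client ever has a reason to speak to this listener, every record in the log is an alert; that is what distinguishes a honeypot from a log collector, which passively gathers logs from production systems.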

20
Q

An organization that handles sensitive financial information wants to perform tokenization of data to
enable the execution of recurring transactions. The organization is most interested m a secure, built-in
device to support its solution.
Which of the following would MOST likely be required to perform the desired function?
A. TPM
B. eFuse
C. FPGA
D. HSM
E. UEFI

A

D. HSM

21
Q

As part of a merger with another organization, a Chief Information Security Officer (CISO) is working
with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily
concerned with the potential legal liability and fines associated with data privacy.
Based on the CISO’s concerns, the assessor will MOST likely focus on:
A. qualitative probabilities.
B. quantitative probabilities.
C. qualitative magnitude.
D. quantitative magnitude.

A

D. quantitative magnitude.

22
Q
Which of the following roles is ultimately responsible for determining the classification levels assigned
to specific data sets?
A. Data custodian
B. Data owner
C. Data processor
D. Senior management
A

B. Data owner

23
Q

A product manager is working with an analyst to design a new application that will perform as a data
analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS
provider to host the application.
Which of the following is a security concern when using a PaaS solution?
A. The use of infrastructure-as-code capabilities leads to an increased attack surface.
B. Patching the underlying application server becomes the responsibility of the client.
C. The application is unable to use encryption at the database level.
D. Insecure application programming interfaces can lead to data compromise.

A

D. Insecure application programming interfaces can lead to data compromise.

24
Q

A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The
analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home
for further analysis.
Which of the following did the security analyst violate?
A. Cloning procedures
B. Chain of custody
C. Hashing procedures
D. Virtualization

A

B. Chain of custody

25
Q

An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs
the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint.
Which of the following data sources will BEST help the analyst to determine whether this event constitutes
an incident?
A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix

A

D. Change requests

26
Q

A Chief Information Security Officer (CISO) wants to upgrade an organization’s security
posture by improving proactive activities associated with attacks from internal and external threats.
Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?
A. Development of a hypothesis as part of threat hunting
B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans

A

A. Development of a hypothesis as part of threat hunting

27
Q

A cybersecurity analyst has access to several threat feeds and wants to organize them while
simultaneously comparing intelligence against network traffic.
Which of the following would BEST accomplish this goal?
A. Continuous integration and deployment
B. Automation and orchestration
C. Static and dynamic analysis
D. Information sharing and analysis

A

B. Automation and orchestration

28
Q

As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack
scenarios derived from the available threat intelligence information.
After forming the basis of the scenario, which of the following may the threat hunter construct to establish
a framework for threat assessment?
A. Critical asset list
B. Threat vector
C. Attack profile
D. Hypothesis

A

D. Hypothesis

29
Q

An information security analyst is working with a data owner to identify the appropriate controls to
preserve the confidentiality of data within an enterprise environment One of the primary concerns is
exfiltration of data by malicious insiders.
Which of the following controls is the MOST appropriate to mitigate risks?
A. Data deduplication
B. OS fingerprinting
C. Digital watermarking
D. Data loss prevention

A

D. Data loss prevention

30
Q

Which of the following technologies can be used to store digital certificates and is typically used in
high-security implementations where integrity is paramount?
A. HSM
B. eFuse
C. UEFI
D. Self-encrypting drive

A

A. HSM

31
Q

A system is experiencing noticeably slow response times, and users are being locked out frequently.
An analyst asked for the system security plan and found the system comprises two servers: an
application server in the DMZ and a database server inside the trusted domain.
Which of the following should be performed NEXT to investigate the availability issue?
A. Review the firewall logs.
B. Review syslogs from critical servers.
C. Perform fuzzing.
D. Install a WAF in front of the application server.

A

B. Review syslogs from critical servers.

32
Q
Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?
A. Secure email
B. Encrypted USB drives
C. Cloud containers
D. Network folders
A

A. Secure email

33
Q

A company just chose a global software company based in Europe to implement a new supply chain
management solution.
Which of the following would be the MAIN concern of the company?
A. Violating national security policy
B. Packet injection
C. Loss of intellectual property
D. International labor laws

A

C. Loss of intellectual property

34
Q

A security analyst discovered a specific series of IP addresses that are targeting an organization.
None of the attacks have been successful.
Which of the following should the security analyst perform NEXT?
A. Begin blocking all IP addresses within that subnet.
B. Determine the attack vector and total attack surface.
C. Begin a kill chain analysis to determine the impact.
D. Conduct threat research on the IP addresses

A

D. Conduct threat research on the IP addresses

35
Q

A development team signed a contract that requires access to an on-premises physical server.
Access must be restricted to authorized users only and cannot be connected to the Internet.
Which of the following solutions would meet this requirement?
A. Establish a hosted SSO.
B. Implement a CASB.
C. Virtualize the server.
D. Air gap the server.

A

D. Air gap the server.

36
Q

A finance department employee has received a message that appears to have been sent from the
Chief Financial Officer (CFO) asking the employee to perform a wire transfer. Analysis of the email shows
the message came from an external source and is fraudulent.
Which of the following would work BEST to improve the likelihood of employees quickly recognizing
fraudulent emails?
A. Implementing a sandboxing solution for viewing emails and attachments
B. Limiting email from the finance department to recipients on a pre-approved whitelist
C. Configuring email client settings to display all messages in plaintext when read
D. Adding a banner to incoming messages that identifies the messages as external

A

D. Adding a banner to incoming messages that identifies the messages as external

37
Q

The security team at a large corporation is helping the payment-processing team to prepare for a
regulatory compliance audit and meet the following objectives:
✑ Reduce the number of potential findings by the auditors.
✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly
impacted by the regulations.
✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.
✑ Limit the amount of exposure the company will face if the systems used by the payment-processing
team are compromised.
Which of the following would be the MOST effective way for the security team to meet these objectives?
A. Limit the permissions to prevent other employees from accessing data owned by the business unit.
B. Segment the servers and systems used by the business unit from the rest of the network.
C. Deploy patches to all servers and workstations across the entire organization.
D. Implement full-disk encryption on the laptops used by employees of the payment-processing team

A

B. Segment the servers and systems used by the business unit from the rest of the network.

38
Q

Which of the following MOST accurately describes an HSM?
A. An HSM is a low-cost solution for encryption.
B. An HSM can be network-based or a removable USB device.
C. An HSM is slower at encrypting than software.
D. An HSM is explicitly used for MFA.

A

B. An HSM can be network-based or a removable USB device.

39
Q

A security analyst for a large pharmaceutical company was given credentials from a threat
intelligence resources organization for internal users, which contain usernames and valid passwords for
company accounts.
Which of the following is the FIRST action the analyst should take as part of security operations
monitoring?
A. Run scheduled antivirus scans on all employees’ machines to look for malicious processes.
B. Reimage the machines of all users within the group in case of a malware infection.
C. Change all the user passwords to ensure the malicious actors cannot use them.
D. Search the event logs for event identifiers that indicate Mimikatz was used.

A

C. Change all the user passwords to ensure the malicious actors cannot use them.

40
Q

A user reports the system is behaving oddly following the installation of an approved third-party
software application. The application executable was sourced from an internal repository.
Which of the following will ensure the application is valid?
A. Ask the user to refresh the existing definition file for the antivirus software
B. Perform a malware scan on the file in the internal repository
C. Hash the application’s installation file and compare it to the hash provided by the vendor
D. Remove the user’s system from the network to avoid collateral contamination

A

C. Hash the application’s installation file and compare it to the hash provided by the vendor
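The check in answer C, as an added example that is not part of the original card: stream the installer through SHA-256, parse the vendor's published checksum line, and compare with a constant-time comparison after normalising case. The "installer" here is a constructed file whose content is the three bytes `abc`, chosen because its SHA-256 is the well-known test vector; the checksum line and file name are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_checksum_line(line):
    """Parse a vendor 'SHA256SUMS'-style line, '<hex>  <filename>', into (hex, filename)."""
    parts = line.strip().split()
    if len(parts) != 2 or len(parts[0]) != 64:
        raise ValueError("not a SHA-256 checksum line: %r" % line)
    return parts[0].lower(), parts[1].lstrip("*")   # leading '*' marks binary mode in sha256sum output


def verify_installer(path, expected_hex):
    """True only if the file's SHA-256 equals the vendor's published value.

    The vendor string is normalised (whitespace, case) and compared with compare_digest so the
    comparison does not leak where the two strings diverge.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


# Constructed vendor checksum line for the sample installer (content b"abc"); the hash is the
# standard SHA-256 test vector for "abc", written in upper case to exercise the normalisation.
VENDOR_SUMS_LINE = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  setup.msi"


def write_sample_installer(content=b"abc"):
    """Write a constructed installer to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".msi")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    expected, name = parse_checksum_line(VENDOR_SUMS_LINE)
    good = write_sample_installer()
    tampered = write_sample_installer(b"abc\x00")     # one extra byte, e.g. a trojaned build
    print(name, "from repository matches vendor hash:", verify_installer(good, expected))   # True
    print(name, "tampered copy matches vendor hash:  ", verify_installer(tampered, expected))  # False
    os.remove(good)
    os.remove(tampered)
```

The hash must come from the vendor's own channel (website, release notes, signed manifest), not from the internal repository that stored the file; a checksum stored next to a tampered binary would simply have been tampered with too. Where the vendor signs releases, verifying the signature is the stronger check, since it also authenticates who published the hash.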

41
Q

A compliance officer of a large organization has reviewed the firm’s vendor management program but
has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity.
The compliance officer wants to gain some level of assurance on a recurring basis regarding the
implementation of controls by third parties.
Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)
A. Executing vendor compliance assessments against the organization’s security controls
B. Executing NDAs prior to sharing critical data with third parties
C. Soliciting third-party audit reports on an annual basis
D. Maintaining and reviewing the organizational risk assessment on a quarterly basis
E. Completing a business impact assessment for all critical service providers
F. Utilizing DLP capabilities at both the endpoint and perimeter levels

A

A. Executing vendor compliance assessments against the organization’s security controls
C. Soliciting third-party audit reports on an annual basis

42
Q

A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a
vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the
firm’s largest client.
Which of the following is MOST likely inhibiting the remediation efforts?
A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime

A

D. There is an SLA with the client that allows very little downtime

43
Q

A security analyst is reviewing vulnerability scan results and notices new workstations are being
flagged as having outdated antivirus signatures.
The analyst observes the following plugin output:
Antivirus is installed on the remote host:
Installation path: C:\Program Files\AVProduct\Win32\
Product Engine: 14.12.101
Engine Version: 3.5.71
Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be
supported.
The engine version is out of date. The oldest supported version from the vendor is 4.2.11.
The analyst uses the vendor’s website to confirm the oldest supported version is correct.
Which of the following BEST describes the situation?
A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
B. This is a true negative, and the new computers have the correct version of the software.
C. This is a true positive, and the new computers were imaged with an old version of the software.
D. This is a false negative, and the new computers need to be updated by the desktop team.

A

C. This is a true positive, and the new computers were imaged with an old version of the software.

44
Q
A company was recently awarded several large government contracts and wants to determine its
current risk from one specific APT.
Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?
A. Attack vectors
B. Adversary capability
C. Diamond Model of Intrusion Analysis
D. Kill chain
E. Total attack surface
A

B. Adversary capability

45
Q

A large software company wants to move its source control and deployment pipelines into a
cloud-computing environment. Due to the nature of the business, management determines the recovery
time objective needs to be within one hour.
Which of the following strategies would put the company in the BEST position to achieve the desired
recovery time?
A. Establish an alternate site with active replication to other regions
B. Configure a duplicate environment in the same region and load balance between both instances
C. Set up every cloud component with duplicated copies and auto scaling turned on
D. Create a duplicate copy on premises that can be used for failover in a disaster situation

A

A. Establish an alternate site with active replication to other regions

46
Q

A small electronics company decides to use a contractor to assist with the development of a new
FPGA-based device. Several of the development phases will occur off-site at the contractor’s labs.
Which of the following is the main concern a security analyst should have with this arrangement?
A. Making multiple trips between development sites increases the chance of physical damage to the
FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

A

D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

47
Q

A network attack that is exploiting a vulnerability in SNMP is detected.
Which of the following should the cybersecurity analyst do FIRST?
A. Apply the required patches to remediate the vulnerability.
B. Escalate the incident to senior management for guidance.
C. Disable all privileged user accounts on the network.
D. Temporarily block the attacking IP address

A

D. Temporarily block the attacking IP address.

48
Q

A development team uses open-source software and follows an Agile methodology with two-week
sprints. Last month, the security team filed a bug for an insecure version of a common library. The
DevOps team updated the library on the server, and then the security team rescanned the server to verify
it was no longer vulnerable. This month, the security team found the same vulnerability on the server.
Which of the following should be done to correct the cause of the vulnerability?
A. Deploy a WAF in front of the application.
B. Implement a software repository management tool.
C. Install a HIPS on the server.
D. Instruct the developers to use input validation in the code.

A

B. Implement a software repository management tool.

49
Q

A contained section of a building is unable to connect to the Internet. A security analyst investigates
the issue but does not see any connections to the corporate web proxy. However, the analyst does notice
a small spike in traffic to the Internet. The help desk technician verifies all users are connected to the
correct SSID, but there are two of the same SSIDs listed in the network connections.
Which of the following BEST describes what is occurring?
A. Bandwidth consumption
B. Denial of service
C. Beaconing
D. Rogue device on the network

A

D. Rogue device on the network

50
Q

A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve
the highest level of security.
To BEST complete this task, the analyst should place the:
A. firewall behind the VPN server
B. VPN server parallel to the firewall
C. VPN server behind the firewall
D. VPN on the firewall

A

C. VPN server behind the firewall