EMT Practice Test

1. Question Content...


Question List

Question1: A security analyst is performing a review of Active Directory and discovers two new user accounts in the
accounting department. Neither of the users has elevated permissions, but accounts in the group are given
access to the company's sensitive financial management application by default. Which of the following is
the BEST course of action?

Question2: A Linux-based file encryption malware was recently discovered in the wild. Prior to running the malware on
a preconfigured sandbox to analyze its behavior, a security professional executes the following command:
umount -a -t cifs,nfs
Which of the following is the main reason for executing the above command?

Question3: A project lead is reviewing the statement of work for an upcoming project that is focused on identifying
potential weaknesses in the organization's internal and external network infrastructure. As part of the
project, a team of external contractors will attempt to employ various attacks against the organization. The
statement of work specifically addresses the utilization of an automated tool to probe network resources in
an attempt to develop logical diagrams indication weaknesses in the infrastructure.
The scope of activity as described in the statement of work is an example of:

Question4: A company has received the results of an external vulnerability scan from its approved scanning vendor.
The company is required to remediate these vulnerabilities for clients within 72 hours of acknowledgement
of the scan results.
Which of the following contract breaches would result if this remediation is not provided for clients within
the time frame?

Question5: A security analyst is creating ACLs on a perimeter firewall that will deny inbound packets that are from
internal addresses, reversed external addresses, and multicast addresses. Which of the following is the
analyst attempting to prevent?

Question6: A security analyst was asked to join an outage call for a critical web application. The web middleware
support team determined the web server is running and having no trouble processing requests; however,
some investigation has revealed firewall denies to the web server that began around 1.00 a.m. that
morning. An emergency change was made to enable the access, but management has asked for a root
cause determination. Which of the following would be the BEST next step?

Question7: A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic
shows the following:

Which of the following mitigation techniques is MOST effective against the above attack?

Question8: An analyst has received unusual alerts on the SIEM dashboard. The analyst wants to get payloads that the
hackers are sending toward the target systems without impacting the business operation. Which of the
following should the analyst implement?

Question9: A newly discovered malware has a known behavior of connecting outbound to an external destination on
port 27500 for the purpose of exfiltrating data. The following are four snippets taken from running netstat
-anon separate Windows workstations:




Based on the above information, which of the following is MOST likely to be exposed to this malware?

Question10: A business-critical application is unable to support the requirements in the current password policy
because it does not allow the use of special characters. Management does not want to accept the risk of a
possible security incident due to weak password standards. Which of the following is an appropriate
means to limit the risks related to the application?

Question11: The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which
to base the security program. The CISO would like to achieve a certification showing the security program
meets all required best practices. Which of the following would be the BEST choice?

Question12: A security analyst has noticed an alert from the SIEM. A workstation is repeatedly trying to connect to port
445 of a file server on the production network. All of the attempts are made with invalid credentials. Which
of the following describes what is occurring?

Question13: A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the
following describes what may be occurring?

Question14: A security analyst is reviewing a report from the networking department that describes an increase in
network utilization, which is causing network performance issues on some systems. A top talkers report
over a five-minute sample is included.

Given the above output of the sample, which of the following should the security analyst accomplish FIRST
to help track down the performance issues?

Question15: Which of the following commands would a security analyst use to make a copy of an image for forensics
use?

Question16: A cybersecurity analyst is completing an organization's vulnerability report and wants it to reflect assets
accurately. Which of the following items should be in the report?

Question17: Which of the following are essential components within the rules of engagement for a penetration test?
(Select TWO).

Question18: Which of the following items represents a document that includes detailed information on when an incident
was detected, how impactful the incident was, and how it was remediated, in addition to incident response
effectiveness and any identified gaps needing improvement?

Question19: A cybersecurity professional wants to determine if a web server is running on a remote host with the IP
address 192.168.1.100. Which of the following can be used to perform this task?

Question20: A production web server is experiencing performance issues. Upon investigation, new unauthorized
applications have been installed and suspicious traffic was sent through an unused port. Endpoint security
is not detecting any malware or virus. Which of the following types of threats would this MOST likely be
classified as?

Question21: Which of the following actions should occur to address any open issues while closing an incident involving
various departments within the network?

Question22: Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able
to detect an attack even though the company signature based IDS and antivirus did not detect it. Further
analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB
port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely
occurred?

Question23: A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web
server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered
every ten seconds. Which of the following attacks is the traffic indicative of?

Question24: A company invested ten percent of its entire annual budget in security technologies. The Chief Information
Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the
same cyber attack its competitor experienced three months ago. However, despite this investment, users
are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the
following will eliminate the risk introduced by this practice?

Question25: An HR employee began having issues with a device becoming unresponsive after attempting to open an
email attachment. When informed, the security analyst became suspicious of the situation, even though
there was not any unusual behavior on the IDS or any alerts from the antivirus software. Which of the
following BEST describes the type of threat in this situation?

Question26: A medical organization recently started accepting payments over the phone. The manager is concerned
about the impact of the storage of different types of data. Which of the following types of data incurs the
highest regulatory constraints?

Question27: A cybersecurity analyst has received an alert that well-known "call home" messages are continuously
observed by network sensors at the network boundary. The proxy firewall successfully drops the
messages. After determining the alert was a true positive, which of the following represents the MOST
likely cause?

Question28: A security analyst is preparing for the company's upcoming audit. Upon review of the company's latest
vulnerability scan, the security analyst finds the following open issues:

Which of the following vulnerabilities should be prioritized for remediation FIRST?

Question29: During a routine review of firewall logs, an analyst identified that an IP address from the organization's
server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending
between 150 and 500 megabytes of data each time. This had been going on for approximately one week,
and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive
up the incident's impact assessment?

Question30: Management is concerned with administrator access from outside the network to a key server in the
company. Specifically, firewall rules allow access to the server from anywhere in the company. Which of
the following would be an effective solution?

Question31: The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for
the local intranet. The CTO would like the capability to monitor all traffic to and from the gateway, as well
as the capability to block certain content. Which of the following recommendations would meet the needs
of the organization?

Question32: A technician recently fixed a computer with several viruses and spyware programs on it and notices the
Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as
which of the following?

Question33: Which of the following countermeasures should the security administrator apply to MOST effectively
mitigate Bootkit-level infections of the organization's workstation devices?

Question34: A web application has a newly discovered vulnerability in the authentication method used to validate
known company users. The user ID of Admin with a password of "password" grants elevated access to the
application over the Internet. Which of the following is the BEST method to discover the vulnerability before
a production deployment?

Question35: A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup
company just announced a state-of-the-art solution to address the need for integrating the business and
ICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of the
following is the MOST important security control for the manager to invest in to protect the facility?

Question36: Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual
traffic patterns on a file server that contains financial information. Routine scans are not detecting the
signature of any known exploits or malware. The following entry is seen in the ftp server logs:
tftp -I 10.1.1.1 GET fourthquarterreport.xls
Which of the following is the BEST course of action?

Question37: Which of the following policies BEST explains the purpose of a data ownership policy?

Question38: Company A's security policy states that only PKI authentication should be used for all SSH accounts. A
security analyst from Company A is reviewing the following auth.log and configuration settings:

Which of the following changes should be made to the following sshd_config file to establish compliance
with the policy?

Question39: When network administrators observe an increased amount of web traffic without an increased number of
financial transactions, the company is MOST likely experiencing which of the following attacks?

Question40: During a recent audit, there were a lot of findings similar to and including the following:

Which of the following would be the BEST way to remediate these findings and minimize similar findings in
the future?

Question41: A security analyst has discovered that an outbound SFTP process is occurring at the same time of day for
the past several days. At the time this was discovered, large amounts of business critical data were
delivered. The authentication for this process occurred using a service account with proper credentials.
The security analyst investigated the destination IP for this transfer and discovered that this new process is
not documented in the change management log. Which of the following would be the BEST course of
action for the analyst to take?

Question42: A computer at a company was used to commit a crime. The system was seized and removed for further
analysis. Which of the following is the purpose of labeling cables and connections when seizing the
computer system?

Question43: Datacenter access is controlled with proximity badges that record all entries and exits from the datacenter.
The access records are used to identify which staff members accessed the data center in the event of
equipment theft.
Which of the following MUST be prevented in order for this policy to be effective?

Question44: Which of the following represent the reasoning behind careful selection of the timelines and time-of-day
boundaries for an authorized penetration test? (Select TWO).

Question45: A server contains baseline images that are deployed to sensitive workstations on a regular basis. The
images are evaluated once per month for patching and other fixes, but do not change otherwise. Which of
the following controls should be put in place to secure the file server and ensure the images are not
changed?

Question46: An analyst was testing the latest version of an internally developed CRM system. The analyst created a
basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access
configuration files, change permissions on folders and groups, and delete and create new system objects.
Which of the following techniques did the analyst use to perform these unauthorized activities?

Question47: A database administrator contacts a security administrator to request firewall changes for a connection to a
new internal application.
The security administrator notices that the new application uses a port typically monopolized by a virus.
The security administrator denies the request and suggests a new port or service be used to complete the
application's task.
Which of the following is the security administrator practicing in this example?

Question48: Which of the following could be directly impacted by an unpatched vulnerability in vSphere ESXi?

Question49: A system administrator has reviewed the following output:

Which of the following can a system administrator infer from the above output?

Question50: Policy allows scanning of vulnerabilities during production hours, but production servers have been
crashing lately due to unauthorized scans performed by junior technicians. Which of the following is the
BEST solution to avoid production server downtime due to these types of scans?

Question51: The development team currently consists of three developers who each specialize in a specific
programming language:
Developer 1 - C++/C#
Developer 2 - Python
Developer 3 - Assembly
Which of the following SDLC best practices would be challenging to implement with the current available
staff?

Question52: A cybersecurity analyst is reviewing log data and sees the output below:

Which of the following technologies MOST likely generated this log?

Question53: A retail corporation with widely distributed store locations and IP space must meet PCI requirements
relating to vulnerability scanning. The organization plans to outsource this function to a third party to
reduce costs.
Which of the following should be used to communicate expectations related to the execution of scans?

Question54: While a threat intelligence analyst was researching an indicator of compromise on a search engine, the
web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that
related sites were not visited but were searched for in a search engine. Which of the following MOST likely
happened in this situation?

Question55: A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was
given several items that include lists of indicators for both IP addresses and domains. Which of the
following actions is the BEST approach for the analyst to perform?

Question56: Creating an isolated environment in order to test and observe the behavior of unknown software is also
known as:

Question57: After running a packet analyzer on the network, a security analyst has noticed the following output:

Which of the following is occurring?

Question58: A computer has been infected with a virus and is sending out a beacon to command and control server
through an unknown service. Which of the following should a security technician implement to drop the
traffic going to the command and control server and still be able to identify the infected host through
firewall logs?

Question59: An insurance company employs quick-response team drivers that carry corporate-issued mobile devices
with the insurance company's app installed on them. Devices are configuration-hardened by an MDM and
kept up to date. The employees use the app to collect insurance claim information and process payments.
Recently, a number of customers have filed complaints of credit card fraud against the insurance company,
which occurred shortly after their payments were processed via the mobile app. The cyber-incident
response team has been asked to investigate. Which of the following is MOST likely the cause?

Question60: An analyst reviews a recent report of vulnerabilities on a company's financial application server. Which of
the following should the analyst rate as being of the HIGHEST importance to the company's environment?

Question61: A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website.
During the troubleshooting process, the network administrator notices that the web gateway proxy on the
local network has signed all of the certificates on the local machine.
Which of the following describes the type of attack the proxy has been legitimately programmed to
perform?

Question62: After a recent security breach, it was discovered that a developer had promoted code that had been written
to the production environment as a hotfix to resolve a user navigation issue that was causing issues for
several customers. The code had inadvertently granted administrative privileges to all users, allowing
inappropriate access to sensitive data and reports. Which of the following could have prevented this code
from being released into the production environment?

Question63: During the forensic a phase of a security investigation, it was discovered that an attacker was able to find
private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt
sensitive traffic on a web server. Which of the following describes this type of exploit and the potential
remediation?

Question64: Which of the following has the GREATEST impact to the data retention policies of an organization?

Question65: A company discovers an unauthorized device accessing network resources through one of many network
drops in a common area used by visitors.
The company decides that it wants to quickly prevent unauthorized devices from accessing the network
but policy prevents the company from making changes on every connecting client.
Which of the following should the company implement?

Question66: Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image
before and after an investigation?

Question67: Which of the following is a control that allows a mobile application to access and manipulate information
which should only be available by another application on the same mobile device (e.g. a music application
posting the name of the current song playing on the device on a social media site)?

Question68: An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of
vulnerabilities.
Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower
CVSS scores may get a higher priority if they are easier to implement with less risk to system functionality.
Management also wants to quantify the priority. Which of the following would achieve management's
objective?

Question69: Which of the following is MOST effective for correlation analysis by log for threat management?

Question70: During which of the following NIST risk management framework steps would an information system
security engineer identify inherited security controls and tailor those controls to the system?

Question71: A security analyst notices PII has been copied from the customer database to an anonymous FTP server
in the DMZ. Firewall logs indicate the customer database has not been accessed from anonymous FTP
server. Which of the following departments should make a decision about pursuing further investigation?
(Choose two.)

Question72: After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service is
running on a company's computer.

Which of the following ACLs, if implemented, will prevent further access ONLY to the unauthorized service
and will not impact other services?

Question73: The Chief Information Security Officer (CISO) asked for a topology discovery to be conducted and verified
against the asset inventory. The discovery is failing and not providing reliable or complete data. The syslog
shows the following information:

Which of the following describes the reason why the discovery is failing?

Question74: After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewing
the following warning:

The analyst reviews a snippet of the offending code:

Which of the following is the BEST course of action based on the above warning and code snippet?

Question75: A red team actor observes it is common practice to allow cell phones to charge on company computers,
but access to the memory storage is blocked. Which of the following are common attack techniques that
take advantage of this practice? (Choose two.)

Question76: When reviewing network traffic, a security analyst detects suspicious activity:

Based on the log above, which of the following vulnerability attacks is occurring?

Question77: A recent vulnerability scan found four vulnerabilities on an organization's public Internet-facing IP
addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following
should be remediated FIRST?

Question78: A staff member reported that a laptop has degraded performance. The security analyst has investigated
the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are
consuming the laptop resources. Which of the following is the BEST course of actions to resolve the
problem?

Question79: Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat
characteristics, these files were quarantined by the host-based antivirus program. At the same time,
additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the
URLs were classified as uncategorized. The domain location of the IP address of the URLs that were
blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken
NEXT?

Question80: During a web application vulnerability scan, it was discovered that the application would display
inappropriate data after certain key phrases were entered into a webform connected to a SQL database
server. Which of the following should be used to reduce the likelihood of this type of attack returning
sensitive data?

Question81: A security analyst received several service tickets reporting that a company storefront website is not
accessible by internal domain users. However, external users are accessing the website without issue.
Which of the following is the MOST likely reason for this behavior?

Question82: Which of the following is a vulnerability when using Windows as a host OS for virtual machines?

Question83: On which of the following organizational resources is the lack of an enabled password or PIN a common
vulnerability?

Question84: A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set
a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network.
Which of the following protocols needs to be denied?

Question85: A software patch has been released to remove vulnerabilities from company's software. A security analyst
has been tasked with testing the software to ensure the vulnerabilities have been remediated and the
application is still functioning properly. Which of the following tests should be performed NEXT?

Question86: Various devices are connecting and authenticating to a single evil twin within the network. Which of the
following are MOST likely being targeted?

Question87: Following a recent security breach, a post-mortem was done to analyze the driving factors behind the
breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based on
current events and emerging threat vectors tailored to specific stakeholders. Which of the following is this
considered to be?

Question88: An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability
scan has been performed, and analysts are reviewing the results. Before starting any remediation, the
analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities.
Which of the following would be an indicator of a likely false positive?

Question89: A security analyst has determined the security team should take action based on the following log:

Which of the following should be used to improve the security posture of the system?

Question90: Several users have reported that when attempting to save documents in team folders, the following
message is received:
The File Cannot Be Copied or Moved - Service Unavailable.
Upon further investigation, it is found that the syslog server is not obtaining log events from the file server
to which the users are attempting to copy files. Which of the following is the MOST likely scenario causing
these issues?

Question91: An alert has been distributed throughout the information security community regarding a critical Apache
vulnerability. Which of the following courses of action would ONLY identify the known vulnerability?

Question92: Company A permits visiting business partners from Company B to utilize Ethernet ports available in
Company A's conference rooms. This access is provided to allow partners the ability to establish VPNs
back to Company B's network. The security architect for Company A wants to ensure partners from
Company B are able to gain direct Internet access from available ports only, while Company A employees
can gain access to the Company A internal network from those same ports. Which of the following can be
employed to allow this?

Question93: Which of the allowing is a best practice with regard to interacting with the media during an incident?

Question94: A security analyst discovers a network intrusion and quickly solves the problem by closing an unused port.
Which of the following should be completed?

Question95: A university wants to increase the security posture of its network by implementing vulnerability scans of
both centrally managed and student/employee laptops. The solution should be able to scale, provide
minimum false positives and high accuracy of results, and be centrally managed through an enterprise
console. Which of the following scanning topologies is BEST suited for this environment?

Question96: The Chief Security Officer (CSO) has requested a vulnerability report of systems on the domain, identifying
those running outdated OSs. The automated scan reports are not displaying OS version details, so the
CSO cannot determine risk exposure levels from vulnerable systems. Which of the following should the
cybersecurity analyst do to enumerate OS information as part of the vulnerability scanning process in the
MOST efficient manner?

Question97: A company has decided to process credit card transactions directly. Which of the following would meet the
requirements for scanning this type of data?

Question98: A recent audit included a vulnerability scan that found critical patches released 60 days prior were not
applied to servers in the environment. The infrastructure team was able to isolate the issue and determined
it was due to a service being disabled on the server running the automated patch management application.
Which of the following would be the MOST efficient way to avoid similar audit findings in the future?

Question99: A penetration tester is preparing for an audit of critical systems that may impact the security of the
environment. This includes the external perimeter and the internal perimeter of the environment. During
which of the following processes is this type of information normally gathered?

Question100: A technician receives a report that a user's workstation is experiencing no network connectivity. The
technician investigates and notices the patch cable running the back of the user's VoIP phone is routed
directly under the rolling chair and has been smashed flat over time.
Which of the following is the most likely cause of this issue?

Question101: A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel.
Unfortunately, the company's asset inventory is not current. Which of the following techniques would a
cybersecurity analyst perform to find all affected servers within an organization?

Question102: A new zero-day vulnerability was discovered within a basic screen capture app, which is used throughout
the environment. Two days after discovering the vulnerability, the manufacturer of the software has not
announced a remediation or if there will be a fix for this newly discovered vulnerability. The vulnerable
application is not uniquely critical, but it is used occasionally by the management and executive
management teams. The vulnerability allows remote code execution to gain privileged access to the
system. Which of the following is the BEST course of actions to mitigate this threat?

Question103: Which of the following remediation strategies are MOST effective in reducing the risk of a network-based
compromise of embedded ICS? (Select two.)

Question104: A security analyst has just completed a vulnerability scan of servers that support a business critical
application that is managed by an outside vendor. The results of the scan indicate the devices are missing
critical patches. Which of the following factors can inhibit remediation of these vulnerabilities? (Choose
two.)

Question105: Which of the following principles describes how a security analyst should communicate during an incident?

Question106: The Chief Information Security Officer (CISO) asks a security analyst to write a new SIEM search rule to
determine if any credit card numbers are being written to log files. The CISO and security analyst suspect
the following log snippet contains real customer card data:

Which of the following expressions would find potential credit card numbers in a format that matches the
log snippet?

Question107: A security analyst has determined that the user interface on an embedded device is vulnerable to common
SQL injections. The device is unable to be replaced, and the software cannot be upgraded. Which of the
following should the security analyst recommend to add additional security to this device?

Question108: During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst
should take?

Question109: A security analyst performed a review of an organization's software development life cycle. The analyst
reports that the life cycle does not contain in a phase in which team members evaluate and provide critical
feedback on another developer's code. Which of the following assessment techniques is BEST for
describing the analyst's report?

Question110: The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious
email that has been reported by multiple users. The analyst has determined the email includes an
attachment named invoice.zip that contains the following files:
Locky.js
xerty.ini
xerty.lib
Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on
the devices. Which of the following should be done FIRST to prevent data on the company NAS from being
encrypted by infected devices?

Question111: A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given
the requirement to prevent credentials from traversing the network while still conducting a credentialed
scan, which of the following is the BEST choice?

Question112: Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by
a company name, product name, and version. Which of the following would this string help an
administrator to identify?

Question113: A security analyst is performing a forensic analysis on a machine that was the subject of some historic
SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of
svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of
the following threats has the security analyst uncovered?

Question114: Organizational policies require vulnerability remediation on severity 7 or greater within one week. Anything
with a severity less than 7 must be remediated within 30 days. The organization also requires security
teams to investigate the details of a vulnerability before performing any remediation. If the investigation
determines the finding is a false positive, no remediation is performed and the vulnerability scanner
configuration is updates to omit the false positive from future scans:
The organization has three Apache web servers:

The results of a recent vulnerability scan are shown below:

The team performs some investigation and finds a statement from Apache:

Which of the following actions should the security team perform?

Question115: A cybersecurity consultant found common vulnerabilities across the following services used by multiple
servers at an organization: VPN, SSH, and HTTPS. Which of the following is the MOST likely reason for
the discovered vulnerabilities?

Question116: A security professional is analyzing the results of a network utilization report. The report includes the
following information:

Which of the following servers needs further investigation?

Question117: An analyst is observing unusual network traffic from a workstation. The workstation is communicating with
a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature
file does not show any sign of infection. Which of the following has occurred on the workstation?

Question118: A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain.
Which of the following countermeasures should be used to BEST protect the network in response to this
alert? (Choose two.)

Question119: A systems administrator is trying to secure a critical system. The administrator has placed the system
behind a firewall, enabled strong authentication, and required all administrators of this system to attend
mandatory training.
Which of the following BEST describes the control being implemented?

Question120: Several accounting department users are reporting unusual Internet traffic in the browsing history of their
workstations after returning to work and logging in. The building security team informs the IT security team
that the cleaning staff was caught using the systems after the accounting department users left for the day.
Which of the following steps should the IT security team take to help prevent this from happening again?
(Choose two.)

Question121: A threat intelligence analyst who works for a technology firm received this report from a vendor.
"There has been an intellectual property theft campaign executed against organizations in the technology
industry. Indicators for this activity are unique to each intrusion. The information that appears to be
targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please
execute a defensive operation regarding this attack vector."
Which of the following combinations suggests how the threat should MOST likely be classified and the type
of analysis that would be MOST helpful in protecting against this activity?

Question122: An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner
does not have the latest set of signatures. Management directed the security team to have personnel
update the scanners with the latest signatures at least 24 hours before conducting any scans, but the
outcome is unchanged. Which of the following is the BEST logical control to address the failure?

Question123: Which of the following utilities could be used to resolve an IP address to a domain name, assuming the
address has a PTR record?

Question124: A security analyst at a small regional bank has received an alert that nation states are attempting to
infiltrate financial institutions via phishing campaigns. Which of the following techniques should the analyst
recommend as a proactive measure to defend against this type of threat?

Question125: The primary difference in concern between remediating identified vulnerabilities found in general-purpose
IT network servers and that of SCADA systems is that:

Question126: While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts
were observed communicating with an external IP address over port 80 constantly. An incident was
declared, and an investigation was launched. After interviewing the affected users, the analyst determined
the activity started right after deploying a new graphic design suite. Based on this information, which of the
following actions would be the appropriate NEXT step in the investigation?

Question127: Given the following log snippet:

Which of the following describes the events that have occurred?

Question128: A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly
installed MS SQL Server 2012 that is slated to go into production in one week:

Based on the above information, which of the following should the system administrator do? (Select TWO).

Question129: A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the
scan, several network services are disabled and production is affected. Which of the following sources
would be used to evaluate which network service was interrupted?

Question130: A cybersecurity analyst is hired to review the security measures implemented within the domain controllers
of a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched against
domain controllers that run on a Windows platform. The first remediation step implemented by the
cybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXT
remediation step the cybersecurity analyst needs to implement?

Question131: A cybersecurity analyst has been asked to follow a corporate process that will be used to manage
vulnerabilities for an organization. The analyst notices the policy has not been updated in three years.
Which of the following should the analyst check to ensure the policy is still accurate?

Question132: Given the following access log:

Which of the following accurately describes what this log displays?

Question133: Given the following output from a Linux machine:
file2cable -i eth0 -f file.pcap
Which of the following BEST describes what a security analyst is trying to accomplish?

Question134: Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is tasked
with attempting to locate the information on the drive. The PII in question includes the following:

Which of the following would BEST accomplish the task assigned to the analyst?

Question135: A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and
access credentials. A security manager is addressing the findings. Which of the following activities should
be implemented?

Question136: An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability
scan has been performed, and analysts are reviewing the results. Before starting any remediation, the
analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities.
Which of the following would be an indicator of a likely false positive?

Question137: Creating a lessons learned report following an incident will help an analyst to communicate which of the
following information? (Select TWO)

Question138: A security analyst is concerned that unauthorized users can access confidential data stored in the
production server environment. All workstations on a particular network segment have full access to any
server in production. Which of the following should be deployed in the production environment to prevent
unauthorized access? (Choose two.)

Question139: A company has implemented WPA2, a 20-character minimum for the WiFi passphrase, and a new WiFi
passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the
following is the company trying to mitigate?

Question140: A security analyst is reviewing packet captures for a specific server that is suspected of containing
malware and discovers the following packets:

Which of the following traffic patterns or data would be MOST concerning to the security analyst?

Question141: A vulnerability analyst needs to identify all systems with unauthorized web servers on the 10.1.1.0/24
network. The analyst uses the following default Nmap scan:
nmap -sV -p 1-65535 10.1.1.0/24
Which of the following would be the result of running the above command?

Question142: As part of the SDLC, software developers are testing the security of a new web application by inputting
large amounts of random data. Which of the following types of testing is being performed?

Question143: An application development company released a new version of its software to the public. A few days after
the release, the company is notified by end users that the application is notably slower, and older security
bugs have reappeared in the new release. The development team has decided to include the security
analyst during their next development cycle to help address the reported issues. Which of the following
should the security analyst focus on to remedy the existing reported problems?

Question144: A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis
revealed that the attacker successfully authenticated from an unauthorized foreign country. Management
asked the security analyst to research and implement a solution to help mitigate attacks based on
compromised passwords. Which of the following should the analyst implement?

Question145: A centralized tool for organizing security events and managing their response and resolution is known as:

Question146: A recent audit has uncovered several coding errors and a lack of input validation being used on a public
portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched.
Which of the following tools could be used to reduce the risk of being compromised?

Question147: A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health
record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been
uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do
FIRST?