MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain.Which of the following countermeasures should be used to BEST protect the network in response to thisalert? (Choose two.)
Question2: File integrity monitoring states the following files have been changed without a written request or approvedchange. The following change has been made:chmod 777 -Rv /usrWhich of the following may be occurring?
Question3: A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newlyinstalled MS SQL Server 2012 that is slated to go into production in one week:Based on the above information, which of the following should the system administrator do? (Select TWO).
Question4: A recently issued audit report highlighted exceptions related to end-user handling of sensitive data andaccess credentials. A security manager is addressing the findings. Which of the following activities shouldbe implemented?
Question5: After completing a vulnerability scan, the following output was noted:Which of the following vulnerabilities has been identified?
Question6: A red team actor observes it is common practice to allow cell phones to charge on company computers,but access to the memory storage is blocked. Which of the following are common attack techniques thattake advantage of this practice? (Choose two.)
Question7: Joe, an analyst, has received notice that a vendor who is coming in for a presentation will require access toa server outside the network. Currently, users are only able to access remote sites through a VPNconnection. Which of the following should Joe use to BEST accommodate the vendor?
Question8: An organization is conducting penetration testing to identify possible network vulnerabilities. Thepenetration tester has already identified active hosts in the network and is now scanning individual hosts todetermine if any are running a web server. The output from the latest scan is shown below:Which of the following commands would have generated the output above?
Question9: A security analyst is reviewing packet captures to determine the extent of success during an attacker'sreconnaissance phase following a recent incident.The following is a hex and ASCII dump of one such packet:Which of the following BEST describes this packet?
Question10: A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implementedpassword standard, which requires sponsored authentication of guest wireless devices. Which of thefollowing is MOST likely to be incorporated in the AUP?
Question11: A security analyst received a compromised workstation. The workstation's hard drive may containevidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure theintegrity of the hard drive while performing the analysis?
Question12: A vulnerability scan returned the following results for a web server that hosts multiple wiki sites:Apache-HTTPD-cve-2014-023: Apache HTTPD: mod_cgid denial of service CVE-2014-0231Due to a flaw found in mog_cgid, a server using mod_cgid to host CGI scripts could be vulnerable to aDoS attack caused by a remote attacker who is exploiting a weakness in non-standard input, causingprocesses to hang indefinitely.The security analyst has confirmed the server hosts standard CGI scripts for the wiki sites, does not havemod_cgid installed, is running Apache 2.2.22, and is not behind a WAF. The server is located in the DMZ,and the purpose of the server is to allow customers to add entries into a publicly accessible database.Which of the following would be the MOST efficient way to address this finding?
Question13: A security administrator recently deployed a virtual honeynet. The honeynet is not protected by thecompany's firewall, while all production networks are protected by a stateful firewall. Which of the followingwould BEST allow an external penetration tester to determine which one is the honeynet's network?
Question14: A system administrator has reviewed the following output:Which of the following can a system administrator infer from the above output?
Question15: A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website.During the troubleshooting process, the network administrator notices that the web gateway proxy on thelocal network has signed all of the certificates on the local machine.Which of the following describes the type of attack the proxy has been legitimately programmed toperform?
Question16: Which of the following organizations would have to remediate embedded controller vulnerabilities?
Question17: The Chief Executive Officer (CEO) instructed the new Chief Information Security Officer (CISO) to providea list of enhancement to the company's cybersecurity operation. As a result, the CISO has identified theneed to align security operations with industry best practices. Which of the following industry references isappropriate to accomplish this?
Question18: After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewingthe following warning:The analyst reviews a snippet of the offending code:Which of the following is the BEST course of action based on the above warning and code snippet?
Question19: In an effort to be proactive, an analyst has run an assessment against a sample workstation beforeauditors visit next month. The scan results are as follows:Based on the output of the scan, which of the following is the BEST answer?
Question20: A company invested ten percent of its entire annual budget in security technologies. The Chief InformationOfficer (CIO) is convinced that, without this investment, the company will risk being the next victim of thesame cyber attack its competitor experienced three months ago. However, despite this investment, usersare sharing their usernames and passwords with their coworkers to get their jobs done. Which of thefollowing will eliminate the risk introduced by this practice?
Question21: A network technician is concerned that an attacker is attempting to penetrate the network, and wants to seta rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network.Which of the following protocols needs to be denied?
Question22: Which of the following best practices is used to identify areas in the network that may be vulnerable topenetration testing from known external sources?
Question23: NOTE: Question IP must be 192.168.192.123During a network reconnaissance engagement, a penetration tester was given perimeter firewall ACLs toaccelerate the scanning process. The penetration tester has decided to concentrate on trying to brute forcelog in to destination IP address 192.168.192.132 via secure shell.Given a source IP address of 10.10.10.30, which of the following ACLs will permit this access?A:B:C:D:
Question24: A cybersecurity analyst is reviewing the following outputs:Which of the following can the analyst infer from the above output?
Question25: A security analyst discovers a network intrusion and quickly solves the problem by closing an unused port.Which of the following should be completed?
Question26: A security analyst performed a review of an organization's software development life cycle. The analystreports that the life cycle does not contain in a phase in which team members evaluate and provide criticalfeedback on another developer's code. Which of the following assessment techniques is BEST fordescribing the analyst's report?
Question27: An analyst was testing the latest version of an internally developed CRM system. The analyst created abasic user account. Using a few tools in Kali's latest distribution, the analyst was able to accessconfiguration files, change permissions on folders and groups, and delete and create new system objects.Which of the following techniques did the analyst use to perform these unauthorized activities?
Question28: A threat intelligence analyst who works for an oil and gas company has received the following email from asuperior:"We will be connecting our IT network with our ICS. Our IT security has historically been top of the line,and this convergence will make the ICS easier to manage and troubleshoot. Can you please perform arisk/vulnerability assessment on this decision?"Which of the following is MOST accurate regarding ICS in this scenario?
Question29: A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysisrevealed that the attacker successfully authenticated from an unauthorized foreign country. Managementasked the security analyst to research and implement a solution to help mitigate attacks based oncompromised passwords. Which of the following should the analyst implement?
Question30: A centralized tool for organizing security events and managing their response and resolution is known as:
Question31: Which of the following utilities could be used to resolve an IP address to a domain name, assuming theaddress has a PTR record?
Question32: A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerceapplication is accessible over the open web with the default password. Which of the following is the MOSTsecure solution to remediate this vulnerability?
Question33: Which of the following tools should an analyst use to scan for web server vulnerabilities?
Question34: A security professional is analyzing the results of a network utilization report. The report includes thefollowing information:Which of the following servers needs further investigation?
Question35: An organization is conducting penetration testing to identify possible network vulnerabilities. Thepenetration tester has received the following output from the latest scan:The penetration tester knows the organization does not use Timbuktu servers and wants to have Nmapinterrogate the ports on the target in more detail. Which of the following commands should the penetrationtester use NEXT?
Question36: A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic healthrecord (EHR) systems. After further analysis, the analyst discovered that a large volume of data has beenuploaded to a cloud provider in the last six months. Which of the following actions should the analyst doFIRST?
Question37: The development team recently moved a new application into production for the accounting department.After this occurred, the Chief Information Officer (CIO) was contacted by the head of accounting becausethe application is missing a key piece of functionality that is needed to complete the corporation's quarterlytax returns. Which of the following types of testing would help prevent this from reoccurring?
Question38: A staff member reported that a laptop has degraded performance. The security analyst has investigatedthe issue and discovered that CPU utilization, memory utilization, and outbound network traffic areconsuming the laptop resources. Which of the following is the BEST course of actions to resolve theproblem?
Question39: After analyzing and correlating activity from multiple sensors, the security analyst has determined a groupfrom a high-risk country is responsible for a sophisticated breach of the company network and continuousadministration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This isan example of:
Question40: An application development company released a new version of its software to the public. A few days afterthe release, the company is notified by end users that the application is notably slower, and older securitybugs have reappeared in the new release. The development team has decided to include the securityanalyst during their next development cycle to help address the reported issues. Which of the followingshould the security analyst focus on to remedy the existing reported problems?
Question41: A cybersecurity analyst was asked to discover the hardware address of 30 networked assets. From acommand line, which of the following tools would be used to provide ARP scanning and reflects the MOSTefficient method for accomplishing the task?
Question42: A server contains baseline images that are deployed to sensitive workstations on a regular basis. Theimages are evaluated once per month for patching and other fixes, but do not change otherwise. Which ofthe following controls should be put in place to secure the file server and ensure the images are notchanged?
Question43: External users are reporting that a web application is slow and frequently times out when attempting tosubmit information. Which of the following software development best practices would have helped preventthis issue?
Question44: An analyst is troubleshooting a PC that is experiencing high processor and memory consumption.Investigation reveals the following processes are running on the system:lsass.execsrss.exewordpad.exenotepad.exeWhich of the following tools should the analyst utilize to determine the rogue process?
Question45: An analyst reviews a recent report of vulnerabilities on a company's financial application server. Which ofthe following should the analyst rate as being of the HIGHEST importance to the company's environment?
Question46: A security analyst's company uses RADIUS to support a remote sales staff of more than 700 people. TheChief Information Security Officer (CISO) asked to have IPSec using ESP and 3DES enabled to ensure theconfidentiality of the communication as per RFC 3162. After the implementation was complete, many salesusers reported latency issues and other performance issues when attempting to connect remotely. Whichof the following is occurring?
Question47: A company that is hiring a penetration tester wants to exclude social engineering from the list of authorizedactivities. Which of the following documents should include these details?
Question48: The Chief Security Officer (CSO) has requested a vulnerability report of systems on the domain, identifyingthose running outdated OSs. The automated scan reports are not displaying OS version details, so theCSO cannot determine risk exposure levels from vulnerable systems. Which of the following should thecybersecurity analyst do to enumerate OS information as part of the vulnerability scanning process in theMOST efficient manner?
Question49: There have been several exploits to critical devices within the network. However, there is currently noprocess to perform vulnerability analysis.Which of the following should the security analyst implement during production hours to identify criticalthreats and vulnerabilities?
Question50: Given the following log snippet:Which of the following describes the events that have occurred?
Question51: Which of the following principles describes how a security analyst should communicate during an incident?
Question52: A company has received the results of an external vulnerability scan from its approved scanning vendor.The company is required to remediate these vulnerabilities for clients within 72 hours of acknowledgementof the scan results.Which of the following contract breaches would result if this remediation is not provided for clients withinthe time frame?
Question53: During a routine review of firewall logs, an analyst identified that an IP address from the organization'sserver subnet had been connecting during nighttime hours to a foreign IP address, and had been sendingbetween 150 and 500 megabytes of data each time. This had been going on for approximately one week,and the affected server was taken offline for forensic review. Which of the following is MOST likely to driveup the incident's impact assessment?
Question54: A technician receives the following security alert from the firewall's automated system:After reviewing the alert, which of the following is the BEST analysis?
Question55: An organization has recently recovered from an incident where a managed switch had been accessed andreconfigured without authorization by an insider. The incident response team is working on developing alessons learned report with recommendations. Which of the following recommendations will BEST preventthe same attack from occurring in the future?
Question56: A security analyst is conducting a vulnerability assessment of older SCADA devices on the corporatenetwork. Which of the following compensating controls is likely to prevent the scans from providing value?
Question57: An analyst received a forensically sound copy of an employee's hard drive. The employee's managersuspects inappropriate images may have been deleted from the hard drive. Which of the following couldhelp the analyst recover the deleted evidence?
Question58: Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is taskedwith attempting to locate the information on the drive. The PII in question includes the following:Which of the following would BEST accomplish the task assigned to the analyst?
Question59: A vulnerability analyst needs to identify all systems with unauthorized web servers on the 10.1.1.0/24network. The analyst uses the following default Nmap scan:nmap -sV -p 1-65535 10.1.1.0/24Which of the following would be the result of running the above command?
Question60: A security analyst has been asked to scan a subnet. During the scan, the following output was generated:Based on the output above, which of the following is MOST likely?
Question61: During a review of security controls, an analyst was able to connect to an external, unsecured FTP serverfrom a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall theworkstation is connected to:Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTPserver?
Question62: Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was ableto detect an attack even though the company signature based IDS and antivirus did not detect it. Furtheranalysis revealed that the attacker had downloaded an executable file onto the company PC from the USBport, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likelyoccurred?
Question63: A company has several internal-only, web-based applications on the internal network. Remote employeesare allowed to connect to the internal corporate network with a company-supplied VPN client. During aproject to upgrade the internal application, contractors were hired to work on a database server and weregiven copies of the VPN client so they could work remotely. A week later, a security analyst discovered aninternal web-server had been compromised by malware that originated from one of the contractor'slaptops. Which of the following changes should be made to BEST counter the threat presented in thisscenario?
Question64: A technician receives a report that a user's workstation is experiencing no network connectivity. Thetechnician investigates and notices the patch cable running the back of the user's VoIP phone is routeddirectly under the rolling chair and has been smashed flat over time.Which of the following is the most likely cause of this issue?
Question65: A company has recently launched a new billing invoice website for a few key vendors. The cybersecurityanalyst is receiving calls that the website is performing slowly and the pages sometimes time out. Theanalyst notices the website is receiving millions of requests, causing the service to become unavailable.Which of the following can be implemented to maintain the availability of the website?
Question66: While reviewing firewall logs, a security analyst at a military contractor notices a sharp rise in activity froma foreign domain known to have well-funded groups that specifically target the company's R&Ddepartment. Historical data reveals other corporate assets were previously targeted. This evidence MOSTlikely describes:
Question67: A company installed a wireless network more than a year ago, standardizing on the same model APs in asingle subnet. Recently, several users have reported timeouts and connection issues with Internetbrowsing. The security administrator has gathered some information about the network to try to recreatethe issues with the assistance of a user. The administrator is able to ping every device on the network andconfirms that the network is very slow.Output:Given the above results, which of the following should the administrator investigate FIRST?
Question68: A technician at a company's retail store notifies an analyst that disk space is being consumed at a rapidrate on several registers. The uplink back to the corporate office is also saturated frequently. The retaillocation has no Internet access. An analyst then observes several occasional IPS alerts indicating a serverat corporate has been communicating with an address on a watchlist. Netflow data shows large quantitiesof data transferred at those times.Which of the following is MOST likely causing the issue?
Question69: A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for theauthentication of users. The remediation recommended by the audit was to switch the port to 636 wherevertechnically possible. Which of the following is the BEST response?
Question70: While preparing for a third-party audit, the vice president of risk management and the vice president ofinformation technology have stipulated that the vendor may not use offensive software during the audit.This is an example of:
Question71: A security analyst is concerned that unauthorized users can access confidential data stored in theproduction server environment. All workstations on a particular network segment have full access to anyserver in production. Which of the following should be deployed in the production environment to preventunauthorized access? (Choose two.)
Question72: Which of the following remediation strategies are MOST effective in reducing the risk of a network-basedcompromise of embedded ICS? (Select two.)
Question73: A software development company in the manufacturing sector has just completed the alpha version of itsflagship application. The application has been under development for the past three years. The SOC hasseen intrusion attempts made by indicators associated with a particular APT. The company has a hot sitelocation for COOP. Which of the following threats would most likely incur the BIGGEST economic impactfor the company?
Question74: Due to new regulations, a company has decided to institute an organizational vulnerability managementprogram and assign the function to the security team. Which of the following frameworks would BESTsupport the program? (Choose two.)
Question75: A Chief Information Security Officer (CISO) wants to standardize the company's security program so it canbe objectively assessed as part of an upcoming audit requested by management.Which of the following would holistically assist in this effort?
Question76: A logistics company's vulnerability scan identifies the following vulnerabilities on Internet-facing devices inthe DMZ:SQL injection on an infrequently used web server that provides files to vendorsSSL/TLS not used for a website that contains promotional informationThe scan also shows the following vulnerabilities on internal resources:Microsoft Office Remote Code Execution on test server for a human resources systemTLS downgrade vulnerability on a server in a development networkIn order of risk, which of the following should be patched FIRST?
Question77: A corporation employs a number of small-form-factor workstations and mobile devices, and an incidentresponse team is therefore required to build a forensics kit with tools to support chip-off analysis. Which ofthe following tools would BEST meet this requirement?
Question78: An incident response report indicates a virus was introduced through a remote host that was connected tocorporate resources. A cybersecurity analyst has been asked for a recommendation to solve this issue.Which of the following should be applied?
Question79: While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hostswere observed communicating with an external IP address over port 80 constantly. An incident wasdeclared, and an investigation was launched. After interviewing the affected users, the analyst determinedthe activity started right after deploying a new graphic design suite. Based on this information, which of thefollowing actions would be the appropriate NEXT step in the investigation?
Question80: A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting asoftware vulnerability found within the email servers.Which of the following countermeasures needs to be implemented as soon as possible to mitigate theworm from continuing to spread?
Question81: Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threatcharacteristics, these files were quarantined by the host-based antivirus program. At the same time,additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; theURLs were classified as uncategorized. The domain location of the IP address of the URLs that wereblocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be takenNEXT?
Question82: A recent audit has uncovered several coding errors and a lack of input validation being used on a publicportal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched.Which of the following tools could be used to reduce the risk of being compromised?
Question83: A cybersecurity professional wants to determine if a web server is running on a remote host with the IPaddress 192.168.1.100. Which of the following can be used to perform this task?
Question84: Review the following results:Which of the following has occurred?
Question85: The software development team pushed a new web application into production for the accountingdepartment. Shortly after the application was published, the head of the accounting department informedIT operations that the application was not performing as intended. Which of the following SDLC bestpractices was missed?
Question86: A company's asset management software has been discovering a weekly increase in non-standardsoftware installed on end users' machines with duplicate license keys. The security analyst wants to knowif any of this software is listening on any non-standard ports, such as 6667. Which of the following toolsshould the analyst recommend to block any command and control traffic?
Question87: A company's computer was recently infected with ransomware. After encrypting all documents, themalware logs a random AES-128 encryption key and associated unique identifier onto a compromisedremote website. A ransomware code snippet is shown below:Based on the information from the code snippet, which of the following is the BEST way for a cybersecurityprofessional to monitor for the same malware in the future?
Question88: Which of the following are essential components within the rules of engagement for a penetration test?(Select TWO).
Question89: An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attackvector. The analyst was then tasked with analyzing the data and making predictions on futurecomplications regarding this attack vector. Which of the following types of analysis is the security analystMOST likely conducting?
Question90: A cybersecurity analyst has been asked to follow a corporate process that will be used to managevulnerabilities for an organization. The analyst notices the policy has not been updated in three years.Which of the following should the analyst check to ensure the policy is still accurate?
Question91: An employee at an insurance company is processing claims that include patient addresses, clinic visits,diagnosis information, and prescription. While forwarding documentation to the supervisor, the employeeaccidentally sends the data to a personal email address outside of the company due to a typo. Which ofthe following types of data has been compromised?
Question92: A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, theanalyst decides to find a better approach to analyze the logs. Given a list of tools, which of the followingwould provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches,and output a report?
Question93: A cybersecurity analyst was hired to resolve a security issue within a company after it was reported thatmany employee account passwords had been compromised. Upon investigating the incident, thecybersecurity analyst found that a brute force attack was launched against the company.Which of the following remediation actions should the cybersecurity analyst recommend to seniormanagement to address these security issues?
Question94: A security analyst is performing a forensic analysis on a machine that was the subject of some historicSIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies ofsvchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which ofthe following threats has the security analyst uncovered?
Question95: A security analyst at a small regional bank has received an alert that nation states are attempting toinfiltrate financial institutions via phishing campaigns. Which of the following techniques should the analystrecommend as a proactive measure to defend against this type of threat?
Question96: A nuclear facility manager determined the need to monitor utilization of water within the facility. A startupcompany just announced a state-of-the-art solution to address the need for integrating the business andICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of thefollowing is the MOST important security control for the manager to invest in to protect the facility?
Question97: A cybersecurity consultant found common vulnerabilities across the following services used by multipleservers at an organization: VPN, SSH, and HTTPS. Which of the following is the MOST likely reason forthe discovered vulnerabilities?
Question98: Which of the following actions should occur to address any open issues while closing an incident involvingvarious departments within the network?
Question99: Creating an isolated environment in order to test and observe the behavior of unknown software is alsoknown as:
Question100: As part of the SDLC, software developers are testing the security of a new web application by inputtinglarge amounts of random data. Which of the following types of testing is being performed?
Question101: When network administrators observe an increased amount of web traffic without an increased number offinancial transactions, the company is MOST likely experiencing which of the following attacks?
Question102: A security analyst is reviewing the following log after enabling key-based authentication.Given the above information, which of the following steps should be performed NEXT to secure thesystem?
Question103: Which of the following commands would a security analyst use to make a copy of an image for forensicsuse?
Question104: An insurance company employs quick-response team drivers that carry corporate-issued mobile deviceswith the insurance company's app installed on them. Devices are configuration-hardened by an MDM andkept up to date. The employees use the app to collect insurance claim information and process payments.Recently, a number of customers have filed complaints of credit card fraud against the insurance company,which occurred shortly after their payments were processed via the mobile app. The cyber-incidentresponse team has been asked to investigate. Which of the following is MOST likely the cause?
Question105: A cybersecurity analyst develops a regular expression to find data within traffic that will alarm on a hit.The SIEM alarms on seeing this data in cleartext between the web server and the database server.Which of the following types of data would the analyst MOST likely to be concerned with, and to which typeof data classification does it belong?
Question106: Policy allows scanning of vulnerabilities during production hours, but production servers have beencrashing lately due to unauthorized scans performed by junior technicians. Which of the following is theBEST solution to avoid production server downtime due to these types of scans?
Question107: Which of the following describes why it is important to include scope within the rules of engagement of apenetration test?
Question108: Which of the following is the MOST secure method to perform dynamic analysis of malware that can sensewhen it is in a virtual environment?
Question109: In order to leverage the power of data correlation within Nessus, a cybersecurity analyst needs to write anSQL statement that will provide how long a vulnerability has been present on the network.Given the following output table:Which of the following SQL statements would provide the resulted output needed for this correlation?
Question110: The following IDS log was discovered by a company's cybersecurity analyst:Which of the following was launched against the company based on the IDS log?
Question111: Which of the following is a feature of virtualization that can potentially create a single point of failure?
Question112: Which of the following systems would be at the GREATEST risk of compromise if found to have an openvulnerability associated with perfect forward secrecy?
Question113: A cybersecurity analyst is conducting packet analysis on the following:Which of the following is occurring in the given packet capture?
Question114: Given the following code:Which of the following types of attacks is occurring in the example above?
Question115: A company has decided to process credit card transactions directly. Which of the following would meet therequirements for scanning this type of data?
Question116: An analyst is reviewing the following log from the company web server:Which of the following is this an example of?
Question117: A security analyst received an alert from the antivirus software identifying a complex instance of malwareon a company's network. The company does not have the resources to fully analyze the malware anddetermine its effect on the system. Which of the following is the BEST action to take in the incidentrecovery and post-incident response process?
Question118: An organization is requesting the development of a disaster recovery plan. The organization has grownand so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the followingsteps should be taken to assist in the development of the disaster recovery plan?
Question119: After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service isrunning on a company's computer.Which of the following ACLs, if implemented, will prevent further access ONLY to the unauthorized serviceand will not impact other services?
Question120: Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusualtraffic patterns on a file server that contains financial information. Routine scans are not detecting thesignature of any known exploits or malware. The following entry is seen in the ftp server logs:tftp -I 10.1.1.1 GET fourthquarterreport.xlsWhich of the following is the BEST course of action?
Question121: A project lead is reviewing the statement of work for an upcoming project that is focused on identifyingpotential weaknesses in the organization's internal and external network infrastructure. As part of theproject, a team of external contractors will attempt to employ various attacks against the organization. Thestatement of work specifically addresses the utilization of an automated tool to probe network resources inan attempt to develop logical diagrams indication weaknesses in the infrastructure.The scope of activity as described in the statement of work is an example of:
Question122: A cybersecurity analyst is hired to review the security measures implemented within the domain controllersof a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched againstdomain controllers that run on a Windows platform. The first remediation step implemented by thecybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXTremediation step the cybersecurity analyst needs to implement?
Question123: A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internaldatabase server through a compromised corporate web server. Ongoing exfiltration is accomplished byembedding a small amount of data extracted from the database into the metadata of images served by theweb server. File timestamps suggest that the server was initially compromised six months ago using acommon server misconfiguration. Which of the following BEST describes the type of threat being used?
Question124: A database administrator contacts a security administrator to request firewall changes for a connection to anew internal application.The security administrator notices that the new application uses a port typically monopolized by a virus.The security administrator denies the request and suggests a new port or service be used to complete theapplication's task.Which of the following is the security administrator practicing in this example?
Question125: Given a packet capture of the following scan:Which of the following should MOST likely be inferred on the scan's output?
Question126: A computer has been infected with a virus and is sending out a beacon to command and control serverthrough an unknown service. Which of the following should a security technician implement to drop thetraffic going to the command and control server and still be able to identify the infected host throughfirewall logs?
Question127: An HR employee began having issues with a device becoming unresponsive after attempting to open anemail attachment. When informed, the security analyst became suspicious of the situation, even thoughthere was not any unusual behavior on the IDS or any alerts from the antivirus software. Which of thefollowing BEST describes the type of threat in this situation?
Question128: Management wants to scan servers for vulnerabilities on a periodic basis. Management has decided thatthe scan frequency should be determined only by vendor patch schedules and the organization'sapplication deployment schedule. Which of the following would force the organization to conduct an out-of-cycle vulnerability scan?
Question129: A newly discovered malware has a known behavior of connecting outbound to an external destination onport 27500 for the purposes of exfiltrating data. The following are four snippets taken from runningnetstat -anon separate Windows workstations:Based on the above information, which of the following is MOST likely to be exposed to this malware?
Question130: A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel.Unfortunately, the company's asset inventory is not current. Which of the following techniques would acybersecurity analyst perform to find all affected servers within an organization?
Question131: An analyst wants to use a command line tool to identify open ports and running services on a host alongwith the application that is associated with those services and port. Which of the following should theanalyst use?
Question132: Following a recent security breach, a post-mortem was done to analyze the driving factors behind thebreach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based oncurrent events and emerging threat vectors tailored to specific stakeholders. Which of the following is thisconsidered to be?
Question133: A new policy requires the security team to perform web application and OS vulnerability scans. All of thecompany's web applications use federated authentication and are accessible via a central portal. Which ofthe following should be implemented to ensure a more thorough scan of the company's web application,while at the same time reducing false positives?
Question134: A computer at a company was used to commit a crime. The system was seized and removed for furtheranalysis. Which of the following is the purpose of labeling cables and connections when seizing thecomputer system?
Question135: An analyst is observing unusual network traffic from a workstation. The workstation is communicating witha known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signaturefile does not show any sign of infection. Which of the following has occurred on the workstation?
Question136: A penetration tester is preparing for an audit of critical systems that may impact the security of theenvironment. This includes the external perimeter and the internal perimeter of the environment. Duringwhich of the following processes is this type of information normally gathered?
Question137: A security analyst is creating baseline system images to remediate vulnerabilities found in differentoperating systems. Each image needs to be scanned before it is deployed. The security analyst mustensure the configurations match industry standard benchmarks and the process can be repeatedfrequently. Which of the following vulnerability options would BEST create the process requirements?
Question138: A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main webserver. The POST header is approximately 1000 bytes in length. During transmission, one byte is deliveredevery ten seconds. Which of the following attacks is the traffic indicative of?
Question139: The Chief Information Security Officer (CISO) asked for a topology discovery to be conducted and verifiedagainst the asset inventory. The discovery is failing and not providing reliable or complete data. The syslogshows the following information:Which of the following describes the reason why the discovery is failing?
Question140: Which of the following stakeholders would need to be aware of an e-discovery notice received by thesecurity office about an ongoing case within the manufacturing department?
Question141: A security analyst is reviewing packet captures for a specific server that is suspected of containingmalware and discovers the following packets:Which of the following traffic patterns or data would be MOST concerning to the security analyst?
Question142: A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a resultof a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst toperform?
Question143: On which of the following organizational resources is the lack of an enabled password or PIN a commonvulnerability?
Question144: A recent vulnerability scan found four vulnerabilities on an organization's public Internet-facing IPaddresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the followingshould be remediated FIRST?
Question145: A security analyst is reviewing IDS logs and notices the following entry:Which of the following attacks is occurring?
Question146: Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed bya company name, product name, and version. Which of the following would this string help anadministrator to identify?
Question147: When reviewing network traffic, a security analyst detects suspicious activity:Based on the log above, which of the following vulnerability attacks is occurring?
Question148: A security analyst has been asked to remediate a server vulnerability. Once the analyst has located apatch for the vulnerability, which of the following should happen NEXT?
Question149: A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of thefollowing describes what may be occurring?
Question150: An organization has a policy prohibiting remote administration of servers where web services are running.One of the Nmap scans is shown here:Given the organization's policy, which of the following services should be disabled on this server?
Question151: A technician recently fixed a computer with several viruses and spyware programs on it and notices theInternet settings were set to redirect all traffic through an unknown proxy. This type of attack is known aswhich of the following?
Question152: A malicious user is reviewing the following output:root:~#ping 192.168.1.1376 4 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=1.58 ms6 4 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=1.45 msroot: ~#Based on the above output, which of the following is the device between the malicious user and the target?
Question153: Management is concerned with administrator access from outside the network to a key server in thecompany. Specifically, firewall rules allow access to the server from anywhere in the company. Which ofthe following would be an effective solution?
Question154: Which of the following countermeasures should the security administrator apply to MOST effectivelymitigate Bootkit-level infections of the organization's workstation devices?
Question155: The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on whichto base the security program. The CISO would like to achieve a certification showing the security programmeets all required best practices. Which of the following would be the BEST choice?
Question156: Due to new regulations, a company has decided to institute an organizational vulnerability managementprogram and assign the function to the security team. Which of the following frameworks would BESTsupport the program? (Select two.)
Question157: While a threat intelligence analyst was researching an indicator of compromise on a search engine, theweb proxy generated an alert regarding the same indicator. The threat intelligence analyst states thatrelated sites were not visited but were searched for in a search engine. Which of the following MOST likelyhappened in this situation?
Question158: In reviewing firewall logs, a security analyst has discovered the following IP address, which severalemployees are using frequently:152.100.57.18The organization's servers use IP addresses in the 192.168.0.1/24 CIDR. Additionally, the analyst hasnoticed that corporate data is being stored at this new location. A few of these employees are on themanagement and executive management teams. The analyst has also discovered that there is no recordof this IP address or service in reviewing the known locations of managing system assets. Which of thefollowing is occurring in this scenario?
Question159: A web application has a newly discovered vulnerability in the authentication method used to validateknown company users. The user ID of Admin with a password of "password" grants elevated access to theapplication over the Internet. Which of the following is the BEST method to discover the vulnerability beforea production deployment?
Question160: During a recent audit, there were a lot of findings similar to and including the following:Which of the following would be the BEST way to remediate these findings and minimize similar findings inthe future?
Question161: A list of vulnerabilities has been reported in a company's most recent scan of a server. The security analystmust review the vulnerabilities and decide which ones should be remediated in the next change windowand which ones can wait or may not need patching. Pending further investigation. Which of the followingvulnerabilities should the analyst remediate FIRST?