EMT Practice Test

1. Question Content...


Question List

Question1: A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain.
Which of the following countermeasures should be used to BEST protect the network in response to this
alert? (Choose two.)

Question2: File integrity monitoring states the following files have been changed without a written request or approved
change. The following change has been made:
chmod 777 -Rv /usr
Which of the following may be occurring?

Question3: A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly
installed MS SQL Server 2012 that is slated to go into production in one week:

Based on the above information, which of the following should the system administrator do? (Select TWO).

Question4: A recently issued audit report highlighted exceptions related to end-user handling of sensitive data and
access credentials. A security manager is addressing the findings. Which of the following activities should
be implemented?

Question5: After completing a vulnerability scan, the following output was noted:

Which of the following vulnerabilities has been identified?

Question6: A red team actor observes it is common practice to allow cell phones to charge on company computers,
but access to the memory storage is blocked. Which of the following are common attack techniques that
take advantage of this practice? (Choose two.)

Question7: Joe, an analyst, has received notice that a vendor who is coming in for a presentation will require access to
a server outside the network. Currently, users are only able to access remote sites through a VPN
connection. Which of the following should Joe use to BEST accommodate the vendor?

Question8: An organization is conducting penetration testing to identify possible network vulnerabilities. The
penetration tester has already identified active hosts in the network and is now scanning individual hosts to
determine if any are running a web server. The output from the latest scan is shown below:

Which of the following commands would have generated the output above?

Question9: A security analyst is reviewing packet captures to determine the extent of success during an attacker's
reconnaissance phase following a recent incident.
The following is a hex and ASCII dump of one such packet:

Which of the following BEST describes this packet?

Question10: A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented
password standard, which requires sponsored authentication of guest wireless devices. Which of the
following is MOST likely to be incorporated in the AUP?

Question11: A security analyst received a compromised workstation. The workstation's hard drive may contain
evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the
integrity of the hard drive while performing the analysis?

Question12: A vulnerability scan returned the following results for a web server that hosts multiple wiki sites:
Apache-HTTPD-cve-2014-023: Apache HTTPD: mod_cgid denial of service CVE-2014-
0231
Due to a flaw found in mog_cgid, a server using mod_cgid to host CGI scripts could be vulnerable to a
DoS attack caused by a remote attacker who is exploiting a weakness in non-standard input, causing
processes to hang indefinitely.

The security analyst has confirmed the server hosts standard CGI scripts for the wiki sites, does not have
mod_cgid installed, is running Apache 2.2.22, and is not behind a WAF. The server is located in the DMZ,
and the purpose of the server is to allow customers to add entries into a publicly accessible database.
Which of the following would be the MOST efficient way to address this finding?

Question13: A security administrator recently deployed a virtual honeynet. The honeynet is not protected by the
company's firewall, while all production networks are protected by a stateful firewall. Which of the following
would BEST allow an external penetration tester to determine which one is the honeynet's network?

Question14: A system administrator has reviewed the following output:

Which of the following can a system administrator infer from the above output?

Question15: A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website.
During the troubleshooting process, the network administrator notices that the web gateway proxy on the
local network has signed all of the certificates on the local machine.
Which of the following describes the type of attack the proxy has been legitimately programmed to
perform?

Question16: Which of the following organizations would have to remediate embedded controller vulnerabilities?

Question17: The Chief Executive Officer (CEO) instructed the new Chief Information Security Officer (CISO) to provide
a list of enhancement to the company's cybersecurity operation. As a result, the CISO has identified the
need to align security operations with industry best practices. Which of the following industry references is
appropriate to accomplish this?

Question18: After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewing
the following warning:

The analyst reviews a snippet of the offending code:

Which of the following is the BEST course of action based on the above warning and code snippet?

Question19: In an effort to be proactive, an analyst has run an assessment against a sample workstation before
auditors visit next month. The scan results are as follows:

Based on the output of the scan, which of the following is the BEST answer?

Question20: A company invested ten percent of its entire annual budget in security technologies. The Chief Information
Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the
same cyber attack its competitor experienced three months ago. However, despite this investment, users
are sharing their usernames and passwords with their coworkers to get their jobs done. Which of the
following will eliminate the risk introduced by this practice?

Question21: A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set
a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network.
Which of the following protocols needs to be denied?

Question22: Which of the following best practices is used to identify areas in the network that may be vulnerable to
penetration testing from known external sources?

Question23: NOTE: Question IP must be 192.168.192.123
During a network reconnaissance engagement, a penetration tester was given perimeter firewall ACLs to
accelerate the scanning process. The penetration tester has decided to concentrate on trying to brute force
log in to destination IP address 192.168.192.132 via secure shell.

Given a source IP address of 10.10.10.30, which of the following ACLs will permit this access?
A:

B:

C:

D:

Question24: A cybersecurity analyst is reviewing the following outputs:

Which of the following can the analyst infer from the above output?

Question25: A security analyst discovers a network intrusion and quickly solves the problem by closing an unused port.
Which of the following should be completed?

Question26: A security analyst performed a review of an organization's software development life cycle. The analyst
reports that the life cycle does not contain in a phase in which team members evaluate and provide critical
feedback on another developer's code. Which of the following assessment techniques is BEST for
describing the analyst's report?

Question27: An analyst was testing the latest version of an internally developed CRM system. The analyst created a
basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access
configuration files, change permissions on folders and groups, and delete and create new system objects.
Which of the following techniques did the analyst use to perform these unauthorized activities?

Question28: A threat intelligence analyst who works for an oil and gas company has received the following email from a
superior:
"We will be connecting our IT network with our ICS. Our IT security has historically been top of the line,
and this convergence will make the ICS easier to manage and troubleshoot. Can you please perform a
risk/vulnerability assessment on this decision?"
Which of the following is MOST accurate regarding ICS in this scenario?

Question29: A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis
revealed that the attacker successfully authenticated from an unauthorized foreign country. Management
asked the security analyst to research and implement a solution to help mitigate attacks based on
compromised passwords. Which of the following should the analyst implement?

Question30: A centralized tool for organizing security events and managing their response and resolution is known as:

Question31: Which of the following utilities could be used to resolve an IP address to a domain name, assuming the
address has a PTR record?

Question32: A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerce
application is accessible over the open web with the default password. Which of the following is the MOST
secure solution to remediate this vulnerability?

Question33: Which of the following tools should an analyst use to scan for web server vulnerabilities?

Question34: A security professional is analyzing the results of a network utilization report. The report includes the
following information:

Which of the following servers needs further investigation?

Question35: An organization is conducting penetration testing to identify possible network vulnerabilities. The
penetration tester has received the following output from the latest scan:

The penetration tester knows the organization does not use Timbuktu servers and wants to have Nmap
interrogate the ports on the target in more detail. Which of the following commands should the penetration
tester use NEXT?

Question36: A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health
record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been
uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do
FIRST?

Question37: The development team recently moved a new application into production for the accounting department.
After this occurred, the Chief Information Officer (CIO) was contacted by the head of accounting because
the application is missing a key piece of functionality that is needed to complete the corporation's quarterly
tax returns. Which of the following types of testing would help prevent this from reoccurring?

Question38: A staff member reported that a laptop has degraded performance. The security analyst has investigated
the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are
consuming the laptop resources. Which of the following is the BEST course of actions to resolve the
problem?

Question39: After analyzing and correlating activity from multiple sensors, the security analyst has determined a group
from a high-risk country is responsible for a sophisticated breach of the company network and continuous
administration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This is
an example of:

Question40: An application development company released a new version of its software to the public. A few days after
the release, the company is notified by end users that the application is notably slower, and older security
bugs have reappeared in the new release. The development team has decided to include the security
analyst during their next development cycle to help address the reported issues. Which of the following
should the security analyst focus on to remedy the existing reported problems?

Question41: A cybersecurity analyst was asked to discover the hardware address of 30 networked assets. From a
command line, which of the following tools would be used to provide ARP scanning and reflects the MOST
efficient method for accomplishing the task?

Question42: A server contains baseline images that are deployed to sensitive workstations on a regular basis. The
images are evaluated once per month for patching and other fixes, but do not change otherwise. Which of
the following controls should be put in place to secure the file server and ensure the images are not
changed?

Question43: External users are reporting that a web application is slow and frequently times out when attempting to
submit information. Which of the following software development best practices would have helped prevent
this issue?

Question44: An analyst is troubleshooting a PC that is experiencing high processor and memory consumption.
Investigation reveals the following processes are running on the system:
lsass.exe

csrss.exe

wordpad.exe

notepad.exe

Which of the following tools should the analyst utilize to determine the rogue process?

Question45: An analyst reviews a recent report of vulnerabilities on a company's financial application server. Which of
the following should the analyst rate as being of the HIGHEST importance to the company's environment?

Question46: A security analyst's company uses RADIUS to support a remote sales staff of more than 700 people. The
Chief Information Security Officer (CISO) asked to have IPSec using ESP and 3DES enabled to ensure the
confidentiality of the communication as per RFC 3162. After the implementation was complete, many sales
users reported latency issues and other performance issues when attempting to connect remotely. Which
of the following is occurring?

Question47: A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized
activities. Which of the following documents should include these details?

Question48: The Chief Security Officer (CSO) has requested a vulnerability report of systems on the domain, identifying
those running outdated OSs. The automated scan reports are not displaying OS version details, so the
CSO cannot determine risk exposure levels from vulnerable systems. Which of the following should the
cybersecurity analyst do to enumerate OS information as part of the vulnerability scanning process in the
MOST efficient manner?

Question49: There have been several exploits to critical devices within the network. However, there is currently no
process to perform vulnerability analysis.
Which of the following should the security analyst implement during production hours to identify critical
threats and vulnerabilities?

Question50: Given the following log snippet:

Which of the following describes the events that have occurred?

Question51: Which of the following principles describes how a security analyst should communicate during an incident?

Question52: A company has received the results of an external vulnerability scan from its approved scanning vendor.
The company is required to remediate these vulnerabilities for clients within 72 hours of acknowledgement
of the scan results.
Which of the following contract breaches would result if this remediation is not provided for clients within
the time frame?

Question53: During a routine review of firewall logs, an analyst identified that an IP address from the organization's
server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending
between 150 and 500 megabytes of data each time. This had been going on for approximately one week,
and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive
up the incident's impact assessment?

Question54: A technician receives the following security alert from the firewall's automated system:

After reviewing the alert, which of the following is the BEST analysis?

Question55: An organization has recently recovered from an incident where a managed switch had been accessed and
reconfigured without authorization by an insider. The incident response team is working on developing a
lessons learned report with recommendations. Which of the following recommendations will BEST prevent
the same attack from occurring in the future?

Question56: A security analyst is conducting a vulnerability assessment of older SCADA devices on the corporate
network. Which of the following compensating controls is likely to prevent the scans from providing value?

Question57: An analyst received a forensically sound copy of an employee's hard drive. The employee's manager
suspects inappropriate images may have been deleted from the hard drive. Which of the following could
help the analyst recover the deleted evidence?

Question58: Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is tasked
with attempting to locate the information on the drive. The PII in question includes the following:

Which of the following would BEST accomplish the task assigned to the analyst?

Question59: A vulnerability analyst needs to identify all systems with unauthorized web servers on the 10.1.1.0/24
network. The analyst uses the following default Nmap scan:
nmap -sV -p 1-65535 10.1.1.0/24
Which of the following would be the result of running the above command?

Question60: A security analyst has been asked to scan a subnet. During the scan, the following output was generated:

Based on the output above, which of the following is MOST likely?

Question61: During a review of security controls, an analyst was able to connect to an external, unsecured FTP server
from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the
workstation is connected to:

Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP
server?

Question62: Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able
to detect an attack even though the company signature based IDS and antivirus did not detect it. Further
analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB
port, and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely
occurred?

Question63: A company has several internal-only, web-based applications on the internal network. Remote employees
are allowed to connect to the internal corporate network with a company-supplied VPN client. During a
project to upgrade the internal application, contractors were hired to work on a database server and were
given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an
internal web-server had been compromised by malware that originated from one of the contractor's
laptops. Which of the following changes should be made to BEST counter the threat presented in this
scenario?

Question64: A technician receives a report that a user's workstation is experiencing no network connectivity. The
technician investigates and notices the patch cable running the back of the user's VoIP phone is routed
directly under the rolling chair and has been smashed flat over time.
Which of the following is the most likely cause of this issue?

Question65: A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity
analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The
analyst notices the website is receiving millions of requests, causing the service to become unavailable.
Which of the following can be implemented to maintain the availability of the website?

Question66: While reviewing firewall logs, a security analyst at a military contractor notices a sharp rise in activity from
a foreign domain known to have well-funded groups that specifically target the company's R&D
department. Historical data reveals other corporate assets were previously targeted. This evidence MOST
likely describes:

Question67: A company installed a wireless network more than a year ago, standardizing on the same model APs in a
single subnet. Recently, several users have reported timeouts and connection issues with Internet
browsing. The security administrator has gathered some information about the network to try to recreate
the issues with the assistance of a user. The administrator is able to ping every device on the network and
confirms that the network is very slow.

Output:

Given the above results, which of the following should the administrator investigate FIRST?

Question68: A technician at a company's retail store notifies an analyst that disk space is being consumed at a rapid
rate on several registers. The uplink back to the corporate office is also saturated frequently. The retail
location has no Internet access. An analyst then observes several occasional IPS alerts indicating a server
at corporate has been communicating with an address on a watchlist. Netflow data shows large quantities
of data transferred at those times.
Which of the following is MOST likely causing the issue?

Question69: A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the
authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever
technically possible. Which of the following is the BEST response?

Question70: While preparing for a third-party audit, the vice president of risk management and the vice president of
information technology have stipulated that the vendor may not use offensive software during the audit.
This is an example of:

Question71: A security analyst is concerned that unauthorized users can access confidential data stored in the
production server environment. All workstations on a particular network segment have full access to any
server in production. Which of the following should be deployed in the production environment to prevent
unauthorized access? (Choose two.)

Question72: Which of the following remediation strategies are MOST effective in reducing the risk of a network-based
compromise of embedded ICS? (Select two.)

Question73: A software development company in the manufacturing sector has just completed the alpha version of its
flagship application. The application has been under development for the past three years. The SOC has
seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site
location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact
for the company?

Question74: Due to new regulations, a company has decided to institute an organizational vulnerability management
program and assign the function to the security team. Which of the following frameworks would BEST
support the program? (Choose two.)

Question75: A Chief Information Security Officer (CISO) wants to standardize the company's security program so it can
be objectively assessed as part of an upcoming audit requested by management.
Which of the following would holistically assist in this effort?

Question76: A logistics company's vulnerability scan identifies the following vulnerabilities on Internet-facing devices in
the DMZ:
SQL injection on an infrequently used web server that provides files to vendors

SSL/TLS not used for a website that contains promotional information

The scan also shows the following vulnerabilities on internal resources:
Microsoft Office Remote Code Execution on test server for a human resources system

TLS downgrade vulnerability on a server in a development network

In order of risk, which of the following should be patched FIRST?

Question77: A corporation employs a number of small-form-factor workstations and mobile devices, and an incident
response team is therefore required to build a forensics kit with tools to support chip-off analysis. Which of
the following tools would BEST meet this requirement?

Question78: An incident response report indicates a virus was introduced through a remote host that was connected to
corporate resources. A cybersecurity analyst has been asked for a recommendation to solve this issue.
Which of the following should be applied?

Question79: While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts
were observed communicating with an external IP address over port 80 constantly. An incident was
declared, and an investigation was launched. After interviewing the affected users, the analyst determined
the activity started right after deploying a new graphic design suite. Based on this information, which of the
following actions would be the appropriate NEXT step in the investigation?

Question80: A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a
software vulnerability found within the email servers.
Which of the following countermeasures needs to be implemented as soon as possible to mitigate the
worm from continuing to spread?

Question81: Alerts have been received from the SIEM, indicating infections on multiple computers. Based on threat
characteristics, these files were quarantined by the host-based antivirus program. At the same time,
additional alerts in the SIEM show multiple blocked URLs from the address of the infected computers; the
URLs were classified as uncategorized. The domain location of the IP address of the URLs that were
blocked is checked, and it is registered to an ISP in Russia. Which of the following steps should be taken
NEXT?

Question82: A recent audit has uncovered several coding errors and a lack of input validation being used on a public
portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched.
Which of the following tools could be used to reduce the risk of being compromised?

Question83: A cybersecurity professional wants to determine if a web server is running on a remote host with the IP
address 192.168.1.100. Which of the following can be used to perform this task?

Question84: Review the following results:

Which of the following has occurred?

Question85: The software development team pushed a new web application into production for the accounting
department. Shortly after the application was published, the head of the accounting department informed
IT operations that the application was not performing as intended. Which of the following SDLC best
practices was missed?

Question86: A company's asset management software has been discovering a weekly increase in non-standard
software installed on end users' machines with duplicate license keys. The security analyst wants to know
if any of this software is listening on any non-standard ports, such as 6667. Which of the following tools
should the analyst recommend to block any command and control traffic?

Question87: A company's computer was recently infected with ransomware. After encrypting all documents, the
malware logs a random AES-128 encryption key and associated unique identifier onto a compromised
remote website. A ransomware code snippet is shown below:

Based on the information from the code snippet, which of the following is the BEST way for a cybersecurity
professional to monitor for the same malware in the future?

Question88: Which of the following are essential components within the rules of engagement for a penetration test?
(Select TWO).

Question89: An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attack
vector. The analyst was then tasked with analyzing the data and making predictions on future
complications regarding this attack vector. Which of the following types of analysis is the security analyst
MOST likely conducting?

Question90: A cybersecurity analyst has been asked to follow a corporate process that will be used to manage
vulnerabilities for an organization. The analyst notices the policy has not been updated in three years.
Which of the following should the analyst check to ensure the policy is still accurate?

Question91: An employee at an insurance company is processing claims that include patient addresses, clinic visits,
diagnosis information, and prescription. While forwarding documentation to the supervisor, the employee
accidentally sends the data to a personal email address outside of the company due to a typo. Which of
the following types of data has been compromised?

Question92: A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the
analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following
would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches,
and output a report?

Question93: A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that
many employee account passwords had been compromised. Upon investigating the incident, the
cybersecurity analyst found that a brute force attack was launched against the company.
Which of the following remediation actions should the cybersecurity analyst recommend to senior
management to address these security issues?

Question94: A security analyst is performing a forensic analysis on a machine that was the subject of some historic
SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of
svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of
the following threats has the security analyst uncovered?

Question95: A security analyst at a small regional bank has received an alert that nation states are attempting to
infiltrate financial institutions via phishing campaigns. Which of the following techniques should the analyst
recommend as a proactive measure to defend against this type of threat?

Question96: A nuclear facility manager determined the need to monitor utilization of water within the facility. A startup
company just announced a state-of-the-art solution to address the need for integrating the business and
ICS network. The solution requires a very small agent to be installed on the ICS equipment. Which of the
following is the MOST important security control for the manager to invest in to protect the facility?

Question97: A cybersecurity consultant found common vulnerabilities across the following services used by multiple
servers at an organization: VPN, SSH, and HTTPS. Which of the following is the MOST likely reason for
the discovered vulnerabilities?

Question98: Which of the following actions should occur to address any open issues while closing an incident involving
various departments within the network?

Question99: Creating an isolated environment in order to test and observe the behavior of unknown software is also
known as:

Question100: As part of the SDLC, software developers are testing the security of a new web application by inputting
large amounts of random data. Which of the following types of testing is being performed?

Question101: When network administrators observe an increased amount of web traffic without an increased number of
financial transactions, the company is MOST likely experiencing which of the following attacks?

Question102: A security analyst is reviewing the following log after enabling key-based authentication.

Given the above information, which of the following steps should be performed NEXT to secure the
system?

Question103: Which of the following commands would a security analyst use to make a copy of an image for forensics
use?

Question104: An insurance company employs quick-response team drivers that carry corporate-issued mobile devices
with the insurance company's app installed on them. Devices are configuration-hardened by an MDM and
kept up to date. The employees use the app to collect insurance claim information and process payments.
Recently, a number of customers have filed complaints of credit card fraud against the insurance company,
which occurred shortly after their payments were processed via the mobile app. The cyber-incident
response team has been asked to investigate. Which of the following is MOST likely the cause?

Question105: A cybersecurity analyst develops a regular expression to find data within traffic that will alarm on a hit.

The SIEM alarms on seeing this data in cleartext between the web server and the database server.

Which of the following types of data would the analyst MOST likely to be concerned with, and to which type
of data classification does it belong?

Question106: Policy allows scanning of vulnerabilities during production hours, but production servers have been
crashing lately due to unauthorized scans performed by junior technicians. Which of the following is the
BEST solution to avoid production server downtime due to these types of scans?

Question107: Which of the following describes why it is important to include scope within the rules of engagement of a
penetration test?

Question108: Which of the following is the MOST secure method to perform dynamic analysis of malware that can sense
when it is in a virtual environment?

Question109: In order to leverage the power of data correlation within Nessus, a cybersecurity analyst needs to write an
SQL statement that will provide how long a vulnerability has been present on the network.
Given the following output table:

Which of the following SQL statements would provide the resulted output needed for this correlation?

Question110: The following IDS log was discovered by a company's cybersecurity analyst:

Which of the following was launched against the company based on the IDS log?

Question111: Which of the following is a feature of virtualization that can potentially create a single point of failure?

Question112: Which of the following systems would be at the GREATEST risk of compromise if found to have an open
vulnerability associated with perfect forward secrecy?

Question113: A cybersecurity analyst is conducting packet analysis on the following:

Which of the following is occurring in the given packet capture?

Question114: Given the following code:

Which of the following types of attacks is occurring in the example above?

Question115: A company has decided to process credit card transactions directly. Which of the following would meet the
requirements for scanning this type of data?

Question116: An analyst is reviewing the following log from the company web server:

Which of the following is this an example of?

Question117: A security analyst received an alert from the antivirus software identifying a complex instance of malware
on a company's network. The company does not have the resources to fully analyze the malware and
determine its effect on the system. Which of the following is the BEST action to take in the incident
recovery and post-incident response process?

Question118: An organization is requesting the development of a disaster recovery plan. The organization has grown
and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following
steps should be taken to assist in the development of the disaster recovery plan?

Question119: After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service is
running on a company's computer.

Which of the following ACLs, if implemented, will prevent further access ONLY to the unauthorized service
and will not impact other services?

Question120: Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual
traffic patterns on a file server that contains financial information. Routine scans are not detecting the
signature of any known exploits or malware. The following entry is seen in the ftp server logs:
tftp -I 10.1.1.1 GET fourthquarterreport.xls
Which of the following is the BEST course of action?

Question121: A project lead is reviewing the statement of work for an upcoming project that is focused on identifying
potential weaknesses in the organization's internal and external network infrastructure. As part of the
project, a team of external contractors will attempt to employ various attacks against the organization. The
statement of work specifically addresses the utilization of an automated tool to probe network resources in
an attempt to develop logical diagrams indication weaknesses in the infrastructure.
The scope of activity as described in the statement of work is an example of:

Question122: A cybersecurity analyst is hired to review the security measures implemented within the domain controllers
of a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched against
domain controllers that run on a Windows platform. The first remediation step implemented by the
cybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXT
remediation step the cybersecurity analyst needs to implement?

Question123: A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internal
database server through a compromised corporate web server. Ongoing exfiltration is accomplished by
embedding a small amount of data extracted from the database into the metadata of images served by the
web server. File timestamps suggest that the server was initially compromised six months ago using a
common server misconfiguration. Which of the following BEST describes the type of threat being used?

Question124: A database administrator contacts a security administrator to request firewall changes for a connection to a
new internal application.
The security administrator notices that the new application uses a port typically monopolized by a virus.
The security administrator denies the request and suggests a new port or service be used to complete the
application's task.
Which of the following is the security administrator practicing in this example?

Question125: Given a packet capture of the following scan:

Which of the following should MOST likely be inferred on the scan's output?

Question126: A computer has been infected with a virus and is sending out a beacon to command and control server
through an unknown service. Which of the following should a security technician implement to drop the
traffic going to the command and control server and still be able to identify the infected host through
firewall logs?

Question127: An HR employee began having issues with a device becoming unresponsive after attempting to open an
email attachment. When informed, the security analyst became suspicious of the situation, even though
there was not any unusual behavior on the IDS or any alerts from the antivirus software. Which of the
following BEST describes the type of threat in this situation?

Question128: Management wants to scan servers for vulnerabilities on a periodic basis. Management has decided that
the scan frequency should be determined only by vendor patch schedules and the organization's
application deployment schedule. Which of the following would force the organization to conduct an out-of-
cycle vulnerability scan?

Question129: A newly discovered malware has a known behavior of connecting outbound to an external destination on
port 27500 for the purposes of exfiltrating data. The following are four snippets taken from running
netstat -anon separate Windows workstations:




Based on the above information, which of the following is MOST likely to be exposed to this malware?

Question130: A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel.
Unfortunately, the company's asset inventory is not current. Which of the following techniques would a
cybersecurity analyst perform to find all affected servers within an organization?

Question131: An analyst wants to use a command line tool to identify open ports and running services on a host along
with the application that is associated with those services and port. Which of the following should the
analyst use?

Question132: Following a recent security breach, a post-mortem was done to analyze the driving factors behind the
breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based on
current events and emerging threat vectors tailored to specific stakeholders. Which of the following is this
considered to be?

Question133: A new policy requires the security team to perform web application and OS vulnerability scans. All of the
company's web applications use federated authentication and are accessible via a central portal. Which of
the following should be implemented to ensure a more thorough scan of the company's web application,
while at the same time reducing false positives?

Question134: A computer at a company was used to commit a crime. The system was seized and removed for further
analysis. Which of the following is the purpose of labeling cables and connections when seizing the
computer system?

Question135: An analyst is observing unusual network traffic from a workstation. The workstation is communicating with
a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature
file does not show any sign of infection. Which of the following has occurred on the workstation?

Question136: A penetration tester is preparing for an audit of critical systems that may impact the security of the
environment. This includes the external perimeter and the internal perimeter of the environment. During
which of the following processes is this type of information normally gathered?

Question137: A security analyst is creating baseline system images to remediate vulnerabilities found in different
operating systems. Each image needs to be scanned before it is deployed. The security analyst must
ensure the configurations match industry standard benchmarks and the process can be repeated
frequently. Which of the following vulnerability options would BEST create the process requirements?

Question138: A security analyst is conducting traffic analysis and observes an HTTP POST to the company's main web
server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered
every ten seconds. Which of the following attacks is the traffic indicative of?

Question139: The Chief Information Security Officer (CISO) asked for a topology discovery to be conducted and verified
against the asset inventory. The discovery is failing and not providing reliable or complete data. The syslog
shows the following information:

Which of the following describes the reason why the discovery is failing?

Question140: Which of the following stakeholders would need to be aware of an e-discovery notice received by the
security office about an ongoing case within the manufacturing department?

Question141: A security analyst is reviewing packet captures for a specific server that is suspected of containing
malware and discovers the following packets:

Which of the following traffic patterns or data would be MOST concerning to the security analyst?

Question142: A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result
of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to
perform?

Question143: On which of the following organizational resources is the lack of an enabled password or PIN a common
vulnerability?

Question144: A recent vulnerability scan found four vulnerabilities on an organization's public Internet-facing IP
addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following
should be remediated FIRST?

Question145: A security analyst is reviewing IDS logs and notices the following entry:

Which of the following attacks is occurring?

Question146: Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by
a company name, product name, and version. Which of the following would this string help an
administrator to identify?

Question147: When reviewing network traffic, a security analyst detects suspicious activity:

Based on the log above, which of the following vulnerability attacks is occurring?

Question148: A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a
patch for the vulnerability, which of the following should happen NEXT?

Question149: A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the
following describes what may be occurring?

Question150: An organization has a policy prohibiting remote administration of servers where web services are running.
One of the Nmap scans is shown here:

Given the organization's policy, which of the following services should be disabled on this server?

Question151: A technician recently fixed a computer with several viruses and spyware programs on it and notices the
Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as
which of the following?

Question152: A malicious user is reviewing the following output:
root:~#ping 192.168.1.137
6 4 bytes from 192.168.2.1 icmp_seq=1 ttl=63 time=1.58 ms
6 4 bytes from 192.168.2.1 icmp_seq=2 ttl=63 time=1.45 ms
root: ~#
Based on the above output, which of the following is the device between the malicious user and the target?

Question153: Management is concerned with administrator access from outside the network to a key server in the
company. Specifically, firewall rules allow access to the server from anywhere in the company. Which of
the following would be an effective solution?

Question154: Which of the following countermeasures should the security administrator apply to MOST effectively
mitigate Bootkit-level infections of the organization's workstation devices?

Question155: The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which
to base the security program. The CISO would like to achieve a certification showing the security program
meets all required best practices. Which of the following would be the BEST choice?

Question156: Due to new regulations, a company has decided to institute an organizational vulnerability management
program and assign the function to the security team. Which of the following frameworks would BEST
support the program? (Select two.)

Question157: While a threat intelligence analyst was researching an indicator of compromise on a search engine, the
web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that
related sites were not visited but were searched for in a search engine. Which of the following MOST likely
happened in this situation?

Question158: In reviewing firewall logs, a security analyst has discovered the following IP address, which several
employees are using frequently:
152.100.57.18
The organization's servers use IP addresses in the 192.168.0.1/24 CIDR. Additionally, the analyst has
noticed that corporate data is being stored at this new location. A few of these employees are on the
management and executive management teams. The analyst has also discovered that there is no record
of this IP address or service in reviewing the known locations of managing system assets. Which of the
following is occurring in this scenario?

Question159: A web application has a newly discovered vulnerability in the authentication method used to validate
known company users. The user ID of Admin with a password of "password" grants elevated access to the
application over the Internet. Which of the following is the BEST method to discover the vulnerability before
a production deployment?

Question160: During a recent audit, there were a lot of findings similar to and including the following:

Which of the following would be the BEST way to remediate these findings and minimize similar findings in
the future?

Question161: A list of vulnerabilities has been reported in a company's most recent scan of a server. The security analyst
must review the vulnerabilities and decide which ones should be remediated in the next change window
and which ones can wait or may not need patching. Pending further investigation. Which of the following
vulnerabilities should the analyst remediate FIRST?