EMT Practice Test

1. Question Content...


Question List

Question1: An organisation is assessing risks so it can prioritize its mitigation actions. Following are the risks and their probability and impact:

Which of the following is the order of priority for risk mitigation from highest to lowest?

Question2:

Question3:

Question4:

Question5:

Question6: A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.
Which of the following is the MOST appropriate threat classification for these incidents?

Question7:

Question8:

Question9: During an investigation, an incident responder intends to recover multiple pieces of digital medi
Before removing the media, the responder should initiate:

Question10: Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider?

Question11:

Question12:

Question13:

Question14:

Question15: A cybersecurity analyst is establishing a threat hunting and intelligence group at a growing organization. Which of the following is a collaborative resource that would MOST likely be used for this purpose?

Question16:

Question17: A large software company wants to move «s source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

Question18: You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.
There must be one primary server or service per device.
Only default port should be used
Non- secure protocols should be disabled.
The corporate internet presence should be placed in a protected subnet
Instructions :
Using the available tools, discover devices on the corporate network and the services running on these devices.
You must determine
ip address of each device
The primary server or service each device
The protocols that should be disabled based on the hardening guidelines

Question19: A newly discovered malware has a known behavior of connecting outbound to an external destination on port 27500 for the purpose of exfiltrating data. The following are four snippets taken from running netstat -anon separate Windows workstations:




Based on the above information, which of the following is MOST likely to be exposed to this malware?

Question20: An employee at an insurance company is processing claims that include patient addresses, clinic visits, diagnosis information, and prescription. While forwarding documentation to the supervisor, the employee accidentally sends the data to a personal email address outside of the company due to a typo. Which of the following types of data has been compromised?

Question21: During a tabletop exercise, it is determined that a security analyst is required to ensure patching and scan reports are available during an incident, as well as documentation of all critical systems.
To which of the following stakeholders should the analyst provide the reports?

Question22: An organizational policy requires one person to input accounts payable and another to do accounts receivable.
A separate control requires one person to write a check and another person to sign all checks greater than
$5,000 and to get an additional signature for checks greater than $10,000. Which of the following controls has the organization implemented?

Question23: An organization is attempting to harden its web servers and reduce the information that might be disclosed by potential attackers. A security analyst is reviewing vulnerability scan results from a recent web server scan.
Portions of the scan results are shown below:

Which of the following lines indicates information disclosure about the host that needs to be remediated?

Question24:

Question25:

Question26: A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.
Which of the following commands would MOST likely indicate if the email is malicious?

Question27:

Question28: A security analyst is reviewing the following log from an email security service.

Which of the following BEST describes the reason why the email was blocked?

Question29:

Question30: A security analyst conducted a risk assessment on an organization's wireless network and identified a high-risk element in the implementation of data confidentially protection. Which of the following is the BEST technical security control to mitigate this risk?

Question31: Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to the security team. Which of the following frameworks would BEST support the program? (Choose two.)

Question32: Company A suspects an employee has been exfiltrating PII via a USB thumb drive. An analyst is tasked with attempting to locate the information on the drive. The PII in question includes the following:

Which of the following would BEST accomplish the task assigned to the analyst?

Question33: Understanding attack vectors and integrating intelligence sources are important components of:

Question34: A hybrid control is one that:

Question35: A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.
Which of the following should the analyst do FIRST?

Question36: It is important to parameterize queries to prevent __________.

Question37:

Question38:

Question39:

Question40:

Question41:

Question42: A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow;

Which of the following controls must be in place to prevent this vulnerability?

Question43:

Question44: A security team wants to make SaaS solutions accessible from only the corporate campus Which of the following would BEST accomplish this goal?

Question45: While reviewing log files, a security analyst uncovers a brute-force attack that is being performed against an external webmail portal. Which of the following would be BEST to prevent this type of attack from beinq successful?

Question46:

Question47:

Question48:

Question49:

Question50: A company office was broken into over the weekend. The office manager contacts the IT security group to provide details on which servers were stolen. The security analyst determines one of the stolen servers contained a list of customer PII information, and another server contained a copy of the credit card transactions processed on the Friday before the break-in. In addition to potential security implications of information that could be gleaned from those servers and the rebuilding/restoring of the data on the stolen systems, the analyst needs to determine any communication or notification requirements with respect to the incident. Which of the following items is MOST important when determining what information needs to be provided, who should be contacted, and when the communication needs to occur.

Question51: A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

Question52: Portions of a legacy application are being refactored to discontinue the use of dynamic SQL Which of the following would be BEST to implement in the legacy application?

Question53: An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions. the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:
* Successful administrator login reporting priority - high
* Failed administrator login reporting priority - medium
* Failed temporary elevated permissions - low
* Successful temporary elevated permissions - non-reportable
A security analyst is reviewing server syslogs and sees the following:
Which of the following events is the HIGHEST reporting priority?

Question54: A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would work BEST to limit the risk of this incident being repeated?

Question55:

Question56:

Question57:

Question58:

Question59:

Question60:

Question61:

Question62: A system administrator who was using an account with elevated privileges deleted a large amount of log files generated by a virtual hypervisor in order to free up disk space.
These log files are needed by the security team to analyze the health of the virtual machines.
Which of the following compensating controls would help prevent this from reoccurring? (Select two.)

Question63: A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:


Which of the following technologies would MOST likely be used to prevent this phishing attempt?

Question64: While reviewing firewall logs, a security analyst at a military contractor notices a sharp rise in activity from a foreign domain known to have well-funded groups that specifically target the company's R&D department. Historical data reveals other corporate assets were previously targeted. This evidence MOST likely describes:

Question65: An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.
Which of the following would be the MOST appropriate to remediate the controller?

Question66:

Question67:

Question68: A company's incident response team is handling a threat that was identified on the network. Security analysts have determined a web server is making multiple connections from TCP port 445 outbound to servers inside its subnet as well as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?

Question69:

Question70: Which of the following is MOST important when developing a threat hunting program?

Question71:

Question72: A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Bing Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised. Which of the following is the value of this risk?

Question73: Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?

Question74: A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.
Which of the following is the FIRST step the analyst should take?

Question75: A company's application development has been outsourced to a third-party development team. Based on the SLA.
The development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?

Question76: A software patch has been released to remove vulnerabilities from company's software.
A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly.
Which of the following tests should be performed NEXT?

Question77: During an audit several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products Which of the following would be the BEST way to locate this issue?

Question78: A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:

Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

Question79: Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

Question80: A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations to help mitigate this risk. The Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement?

Question81:

Question82: A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output.

Which of the following commands should the administrator run NEXT to further analyze the compromised system?

Question83:

Question84:

Question85:

Question86:

Question87:

Question88: The Chief information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue

Question89:

Question90: The software development team pushed a new web application into production for the accounting department. Shortly after the application was published, the head of the accounting department informed IT operations that the application was not performing as intended. Which of the following SDLC best practices was missed?

Question91:

Question92:

Question93: The security configuration management policy states that all patches must undergo testing procedures before being moved into production. The security analyst notices a single web application server has been downloading and applying patches during non-business hours without testing. There are no apparent adverse reactions, server functionality does not seem to be affected, and no malware was found after a scan.
Which of the following actions should the analyst take?

Question94:

Question95:

Question96: A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data?

Question97:

Question98:

Question99: A cybersecurity analyst was asked to discover the hardware address of 30 networked assets.
From a command line, which of the following tools would be used to provide ARP scanning and reflects the MOST efficient method for accomplishing the task?

Question100:

Question101:

Question102:

Question103: A security analyst is performing a stealth black-box audit of the local WiFi network and is running a wireless sniffer to capture local WiFi network traffic from a specific wireless access point. The SSID is not appearing in the sniffing logs of the local wireless network traffic. Which of the following is the best action that should be performed NEXT to determine the SSID?

Question104:

Question105: A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

Which of the following is the MOST likely reason for this vulnerability?

Question106: A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

Question107: The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit, requests for new users at the last minute. causing the help desk to scramble to create accounts across many different Interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

Question108: A system administrator is doing network reconnaissance of a company's external network to determine the vulnerability of various services that are running. Sending some sample traffic to the external host, the administrator obtains the following packet capture:

Based on the output, which of the following services should be further tested for vulnerabilities?

Question109:

Question110:

Question111:

Question112: Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.
INSTRUCTIONS
Click on me ticket to see the ticket details Additional content is available on tabs within the ticket First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

Question113: A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities.
Which of the following would be BEST to implement to alleviate the CISO's concern?

Question114: In the development stage of the incident response policy, the security analyst needs to determine the stakeholders for the policy. Who of the following would be the policy stakeholders?

Question115: An analyst is reviewing the following output as part of an incident:

Which of the Wowing is MOST likely happening?

Question116: After reading about data breaches at a competing company, senior leaders in an organization have grown increasingly concerned about social engineering attacks. They want to increase awareness among staff regarding this threat, but do not want to use traditional training methods because they regard these methods as ineffective. Which of the following approaches would BEST meet the requirements?

Question117: A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied.
When conducting the scan, the analyst received the following code snippet of results:

Which of the following describes the output of this scan?

Question118: The Cruel Executive Officer (CEO) of a large insurance company has reported phishing emails that contain malicious links are targeting the entire organza lion Which of the following actions would work BEST to prevent against this type of attack?

Question119: Some hard disks need to be taken as evidence for further analysis during an incident response Which of the following procedures must be completed FIRST for this type of evtdertce acquisition?

Question120:

Question121:

Question122: During the security assessment of a new application, a tester attempts to log in to the application but receives the following message incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information?

Question123:

Question124:

Question125: A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.
Which of the following is the main concern a security analyst should have with this arrangement?

Question126:

Question127: A security analyst receives an alert from the SIEM about a possible attack happening on the network The analyst opens the alert and sees the IP address of the suspected server as 192.168.54.66. which is part of the network 192 168 54 0/24. The analyst then pulls all the command history logs from that server and sees the following

Which of the following activities is MOST likely happening on the server?

Question128:

Question129: For machine learning to be applied effectively toward security analysis automation, it requires .

Question130: During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries for IP 192.168.50.2 for a 24-hour period:

To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and __________.

Question131:

Question132: A company's blocklist has outgrown the current technologies in place. The ACLS are at maximum, and the IPS signatures only allow a certain
amount of space for domains to be added, creating the need for multiple signatures.
Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?

Question133:

Question134: A security architect is reviewing the options for performing input validation on incoming web form submissions. Which of the following should the architect as the MOST secure and manageable option?

Question135: A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise'?

Question136:

Question137: A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the security analyst while performing this task?

Question138:

Question139: In system hardening, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies?

Question140:

Question141: An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data.
A threat actor has deployed a virtual machine to at the use of the cloud hosted hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability?

Question142: A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords.
Which of the following should the analyst implement?

Question143:

Question144: A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.
Which of the following is a security concern when using a PaaS solution?

Question145: A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that a brute force attack was launched against the company. Which of the following remediation actions should the cybersecurity analyst recommend to senior management to address these security issues?

Question146: The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues The steering committee wants to rank the risks based on past incidents to improve the security program for next year Below is the incident register for the organization.

Which of the following should the organization consider investing in FIRST due to the potential impact of availability?

Question147:

Question148: An analyst receives artifacts from a recent Intrusion and is able to pull a domain, IP address, email address, and software version. When of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?

Question149:

Question150:

Question151:

Question152:

Question153: A security analyst receives an alert to expect increased and highly advanced cyberattacks originating from a foreign country that recently had sanctions implemented. Which of the following describes the type of threat actors that should concern the security analyst?

Question154: An incident response team is responding to a breach of multiple systems that contain Pll and PHI Disclosure of the incident to external entities should be based on:

Question155: After examine a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

Question156: A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

Question157:

Question158: A security analyst received several service tickets reporting that a company storefront website is not accessible by internal domain users. However, external users are accessing the website without issue. Which of the following is the MOST likely reason for this behavior?

Question159:

Question160:

Question161: A security analyst is reviewing the following web server log:

Which of the following BEST describes the issue?

Question162:

Question163:

Question164:

Question165: A cybersecurity consultant is reviewing the following output from a vulnerability scan against a newly installed MS SQL Server 2012 that is slated to go into production in one week:

Based on the above information, which of the following should the system administrator do?
(Select TWO).

Question166: Following a recent security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediations based on current events and emerging threat vectors tailored to specific stakeholders. Which of the following is this considered to be?

Question167:

Question168: A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development database with the vendor?

Question169: A security analyst receives a mobile device with symptoms of a virus infection. The virus is morphing whenever it is from sandbox to sandbox to analyze. Which of the following will help to identify the number of variations through the analysis life cycle?

Question170: A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

Question171:

Question172:

Question173:

Question174:

Question175:

Question176:

Question177: A vulnerability assessment solution is hosted in the cloud This solution will be used as an accurate inventory data source for both the configuration management database and the governance nsk and compliance tool An analyst has been asked to automate the data acquisition Which of the following would be the BEST way to acqutre the data'

Question178: A threat intelligence analyst who is working on the SOC floor has been forwarded an email that was sent to one of the executives in business development. The executive mentions the email was from the Chief Executive Officer (CEO), who was requesting an emergency wire transfer.
This request was unprecedented. Which of the following threats MOST accurately aligns with this behavior?

Question179:

Question180: A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?

Question181: A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

Question182: During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?

Question183:

Question184: An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.
Which of the following should be considered FIRST prior to disposing of the electronic data?

Question185: A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default.
Which of the following is the BEST course of action?

Question186:

Question187:

Question188:

Question189:

Question190: A list of vulnerabilities has been reported in a company's most recent scan of a server. The security analyst must review the vulnerabilities and decide which ones should be remediated in the next change window and which ones can wait or may not need patching. Pending further investigation. Which of the following vulnerabilities should the analyst remediate FIRST?

Question191:

Question192: An application contains the following log entries in a file named "authlog.log":

A security analyst has been asked to parse the log file and print out all valid usernames. Which of the following achieves this task?

Question193:

Question194:

Question195:

Question196:

Question197: A security administrator needs to create an IDS rule to alert on FTP login attempts by root. Which of the following rules is the BEST solution?

Question198: The help desk noticed a security analyst that emails from a new email server are not being sent out. The new email server was recently added to the existing ones. The analyst runs the following command on the new server.

Given the output, which of the following should the security analyst check NEXT?

Question199: A cybersecurity analyst is reviewing log data and sees the output below:

Which of the following technologies MOST likely generated this log?

Question200:

Question201: After completing a vulnerability scan, the following output was noted:

Which of the following vulnerabilities has been identified?

Question202:

Question203:

Question204: Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user's web application?

Question205:

Question206: A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop.

Which of the following processes will the secuhty analyst Identify as the MOST likely indicator of system compromise given the processes running in Task Manager?

Question207:

Question208:

Question209:

Question210:

Question211:

Question212: A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.
Which of the following should the analyst do FIRST?

Question213:

Question214: A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:

Which of the following is the BEST action for the security analyst to take after analyzing the trends?

Question215: The primary difference in concern between remediating identified vulnerabilities found in general- purpose IT network servers and that of SCADA systems is that:

Question216: The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:
Locky.js
xerty.ini
xerty.lib
Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

Question217: A security analyst is auditing firewall rules with the goal of scanning some known ports to check the firewall's behavior and responses. The analyst executes the following commands:

The analyst then compares the following results for port 22:
nmap returns "Closed"
hping3 returns "flags=RA"
Which of the following BEST describes the firewall rule?

Question218: A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

Question219: A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.
Which of the following is the BEST example of the level of sophistication this threat actor is using?

Question220:

Question221: A project lead is reviewing the statement of work for an upcoming project that is focused on identifying potential weaknesses in the organization's internal and external network infrastructure.
As part of the project, a team of external contractors will attempt to employ various attacks against the organization. The statement of work specifically addresses the utilization of an automated tool to probe network resources in an attempt to develop logical diagrams indication weaknesses in the infrastructure.
The scope of activity as described in the statement of work is an example of:

Question222: A company recently experienced financial fraud, which included shared passwords being compromised and improper levels of access being granted The company has asked a security analyst to help improve its controls.
Which of the following will MOST likely help the security analyst develop better controls?

Question223: An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.
Which of the following is MOST likely to be a false positive?

Question224:

Question225: An analyst is conducting a log review and identifies the following snippet in one of the logs:

Which of the following MOST likely caused this activity?

Question226: A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk- based policy decision to review and enforce the vendor upgrade before the end of life is reached.
Which of the following risk actions has the security committee taken?

Question227:

Question228: A security analyst is attempting to resolve an incident in which highly confidential company pricing information was sent to clients. It appears this information was unintentionally sent by an employee who attached it to public marketing material. Which of the following configuration changes would work BEST to limit the risk of this incident being repeated?

Question229:

Question230: Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client's company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise. Which of the following techniques were used in this scenario?

Question231: While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

Question232: An analyst is reviewing the following output as part of an incident:

Which of the Wowing is MOST likely happening?

Question233: A company uses a managed IDS system, and a security analyst has noticed a large volume of brute force password attacks originating from a single IP address. The analyst put in a ticket with the IDS provider, but no action was taken for 24 hours, and the attacks continued. Which of the following would be the BEST approach for the scenario described?

Question234:

Question235: When reviewing a compromised authentication server, a security analyst discovers the following hidden file:

Further analysis shows these users never logged in to the server. Which of the following types of attacks was used to obtain the file and what should the analyst recommend to prevent this type of attack from reoccurring?

Question236:

Question237: A security analyst positively identified the threat, vulnerability, and remediation. The analyst is ready to implement the corrective control. Which of the following would be the MOST inhibiting to applying the fix?

Question238: An organization is conducting penetration testing to identify possible network vulnerabilities. The penetration tester has already identified active hosts in the network and is now scanning individual hosts to determine if any are running a web server. The output from the latest scan is shown below:

Which of the following commands would have generated the output above?

Question239:

Question240: An organization has recently found some of its sensitive information posted to a social media site.
An investigation has identified large volumes of data leaving the network with the source traced back to host 192.168.1.13. An analyst performed a targeted Nmap scan of this host with the results shown below:

Subsequent investigation has allowed the organization to conclude that all of the well-known, standard ports are secure. Which of the following services is the problem?

Question241: Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.
INSTRUCTIONS
Click on me ticket to see the ticket details Additional content is available on tabs within the ticket
First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

Question242: Which of following allows Secure Boot to be enabled?

Question243:

Question244: A security analyst has received reports of very slow, intermittent access to a public-facing corporate server.
Suspecting the system may be compromised, the analyst runs the following commands:

Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

Question245: A bad actor bypasses authentication and reveals all records in a database through an SQL injection.
Implementation of which of the following would work BEST to prevent similar attacks in

Question246:

Question247: Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity analysis toolset?

Question248: Which of the following is a best practice when sending a file/data to another individual in an organization?

Question249:

Question250: A company's modem response team is handling a threat that was identified on the network Security analysts have as at remote sites. Which of the following is the MOST appropriate next step in the incident response plan?

Question251: An organization has a policy prohibiting remote administration of servers where web services are running.
One of the Nmap scans is shown here:

Given the organization's policy, which of the following services should be disabled on this server?

Question252:

Question253:

Question254: Given the following code:

Which of the following types of attacks is occurring in the example above?

Question255: A company has several internal-only, web-based applications on the internal network. Remote employees are allowed to connect to the internal corporate network with a company-supplied VPN client. During a project to upgrade the internal application, contractors were hired to work on a database server and were given copies of the VPN client so they could work remotely. A week later, a security analyst discovered an internal web-server had been compromised by malware that originated from one of the contractor's laptops. Which of the following changes should be made to BEST counter the threat presented in this scenario?

Question256: An information security analyst is compiling data from a recent penetration test and reviews the following output:

The analyst wants to obtain more information about the web-based services that are running on the target.
Which of the following commands would MOST likely provide the needed information?

Question257: During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

Question258: A security administrator needs to create an IDS rule to alert on FTP login attempts by root. Which of the following rules is the BEST solution?

Question259: An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of the following is the BEST course of action to mitigate the risk of this reoccurring?

Question260: The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:

Question261: A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development database with the vendor?

Question262: A system administrator is doing network reconnaissance of a company's external network to determine the vulnerability of various services that are running. Sending some sample traffic to the external host, the administrator obtains the following packet capture:

Based on the output, which of the following services should be further tested for vulnerabilities?

Question263: A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verity that a user's data is not altered without the user's consent Which of the following would be an appropriate course of action?

Question264:

Question265: Due to continued support of legacy applications, an organization's enterprise password complexity rules are inadequate for its required security posture. Which of the following is the BEST compensating control to help reduce authentication compromises?

Question266:

Question267:

Question268:

Question269:

Question270:

Question271:

Question272: A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integration intelligence into hunt operations?

Question273: When reviewing a compromised authentication server, a security analyst discovers the following hidden file:

Further analysis shows these users never logged in to the server. Which of the following types of attacks was used to obtain the file and what should the analyst recommend to prevent this type of attack from reoccurring?

Question274: A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

Question275:

Question276: A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:

Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

Question277:

Question278: A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities The type of vulnerability that should be disseminated FIRST is one that:

Question279: A security analyst for a large pharmaceutical company was given credentials from a threat intelligence resources organisation for Internal users, which contain usernames and valid passwords for company accounts.
Which of the following is the FIRST action the analyst should take as part of security operations monitoring?

Question280: An organization wants to harden its web servers. As part of this goal, leadership has directed that vulnerability scans be performed, and the security team should remediate the servers according to industry best practices. The team has already chosen a vulnerability scanner and performed the necessary scans, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with industry best practices?

Question281: A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.
Which of the following is the MOST appropriate threat classification for these incidents?

Question282: A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

Question283:

Question284: A worm was detected on multiple PCs within the remote office. The security analyst recommended that the remote office be blocked from the corporate network during the incident response. Which of the following processes BEST describes this recommendation?

Question285: A company's domain has been spooled in numerous phishing campaigns. An analyst needs to determine the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC upon review of the record, the analyst finds the following:

Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers?

Question286:

Question287: A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future.
Which of the following would be the BEST solution to recommend to the director?

Question288:

Question289: A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:

Which of the following commands should the administrator run NEXT to further analyze the compromised system?

Question290: An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.
Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

Question291:

Question292:

Question293: A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.
Which of the following is the main concern a security analyst should have with this arrangement?

Question294: Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

Question295: A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file The output of the diff command against the known-good backup reads as follows

Which of the following MOST likely occurred?

Question296: A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not been updated in three years. Which of the following should the analyst check to ensure the policy is still accurate?

Question297:

Question298:

Question299:

Question300: A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.
Which of the following is the BEST example of the level of sophistication this threat actor is using?

Question301: An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of the following is the BEST course of action to mitigate the risk of this reoccurring?

Question302: A security analyst working in the SOC recently discovered Balances m which hosts visited a specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in the situation?

Question303: You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.
There must be one primary server or service per device.
Only default port should be used
Non- secure protocols should be disabled.
The corporate internet presence should be placed in a protected subnet
Instructions :
Using the available tools, discover devices on the corporate network and the services running on these devices.
You must determine
ip address of each device
The primary server or service each device
The protocols that should be disabled based on the hardening guidelines

Question304:

Question305: A security analyst reviews the latest reports from the company's vulnerability scanner and discovers the following:

Which of the following changes should the analyst recommend FIRST?

Question306: A cybersecurity analyst needs to determine whether a large file named access log from a web server contains the following loC:
../../../../bin/bash
Which of the following commands can be used to determine if the string is present in the log?

Question307: A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.
Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

Question308:

Question309:

Question310:

Question311:

Question312:

Question313:

Question314: A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices. Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

Question315:

Question316:

Question317:

Question318:

Question319: A recent audit included a vulnerability scan that found critical patches released 60 days prior were not applied to servers in the environment. The infrastructure team was able to isolate the issue and determined it was due to a service being disabled on the server running the automated patch management application. Which of the following would be the MOST efficient way to avoid similar audit findings in the future?

Question320: A cybersecurity analyst was asked to review several results of web vulnerability scan logs.
Given the following snippet of code:

Which of the following BEST describes the situation and recommendations to be made?

Question321:

Question322:

Question323:

Question324:

Question325: An application server runs slowly and then triggers a high CPU alert. After investigating, a security analyst finds an unauthorized program is running on the server. The analyst reviews the application log below.

Which of the following conclusions is supported by the application log?

Question326: Which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following:

Which of the following should the analyst review to find out how the data was exfilltrated?

Question327: A security analyst is reviewing a suspected phishing campaign that has targeted an organisation. The organization has enabled a few email security technologies in the last year: however, the analyst believes the security features are not working. The analyst runs the following command:
> dig domain._domainkey.comptia.orq TXT
Which of the following email protection technologies is the analyst MOST likely validating?

Question328:

Question329: A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file The output of the diff command against the known-good backup reads as follows

Which of the following MOST likely occurred?

Question330:

Question331: A finance department employee has received a message that appears to have been sent from the Chief Financial Officer (CFO), asking the employee to perform a wire transfer. Analysis of the email shows the message came from an external source and is fraudulent. Which of the following would work BEST to improve the likelihood of employees quickly recognizing fraudulent emails?

Question332: A security analyst is generating a list of recommendations for the company's insecure API. Which of the following is the BEST parameter mitigation rec

Question333: A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings. Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

Question334: A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:

Which of the following is the MOST likely solution to the listed vulnerability?

Question335: The IT department at a growing law firm wants to begin using a third-party vendor for vulnerability monitoring and mitigation. The executive director of the law firm wishes to outline the assumptions and expectations between the two companies. Which of the following documents might be referenced in the event of a security breach at the law firm?

Question336:

Question337:

Question338:

Question339: Portions of a legacy application are being refactored to discontinue the use of dynamic SQL Which of the following would be BEST to implement in the legacy application?

Question340: A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company's web application, while at the same time reducing false positives?

Question341:

Question342: While investigating reports or issues with a web server, a security analyst attempts to log in remotely and recedes the following message:

The analyst accesses the server console, and the following console messages are displayed:

The analyst is also unable to log in on the console. While reviewing network captures for the server, the analyst sees many packets with the following signature:

Which of the following is the BEST step for the analyst to lake next in this situation?

Question343:

Question344: A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud- based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information?

Question345:

Question346: While investigating reports or issues with a web server, a security analyst attempts to log in remotely and recedes the following message:

The analyst accesses the server console, and the following console messages are displayed:

The analyst is also unable to log in on the console. While reviewing network captures for the server, the analyst sees many packets with the following signature:

Which of the following is the BEST step for the analyst to lake next in this situation?

Question347:

Question348: Some hard disks need to be taken as evidence for further analysis during an incident response Which of the following procedures must be completed FIRST for this type of evtdertce acquisition?

Question349: In web application scanning, static analysis refers to scanning:

Question350: When reviewing network traffic, a security analyst detects suspicious activity:

Based on the log above, which of the following vulnerability attacks is occurring?

Question351:

Question352: A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings.
The analyst used EnCase to gather the digital forensics, cloned the hard drive, and took the hard drive home for further analysis. Which of the following did the security analyst violate?

Question353: During an investigation, an analyst discovers the following rule in an executive's email client:
IF * TO <
[email protected]> THEN mailto: <[email protected]> SELECT FROM 'sent' THEN DELETE FROM <[email protected]> The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?

Question354: A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

Question355:

Question356:

Question357: During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

Question358: Given the following access log:

Which of the following accurately describes what this log displays?

Question359:

Question360:

Question361: A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities.
Which of the following documents should include these details?

Question362:

Question363:

Question364:

Question365:

Question366:

Question367:

Question368:

Question369: A cybersecurity analyst is hired to review the security posture of a company. The cybersecurity analyst notices a very high network bandwidth consumption due to SYN floods from a small number of IP addresses.
Which of the following would be the BEST action to take to support incident response?

Question370: A security analyst is reviewing the following Internet usage trend report:

Which of the following usernames should the security analyst investigate further?

Question371:

Question372:

Question373: A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring?

Question374: Which of the following is an advantage of SOAR over SIEM?

Question375:

Question376:

Question377: Which of the following data security controls would work BEST to prevent real Pll from being used in an organization's test cloud environment?

Question378: An organization is experiencing issues with emails that are being sent to external recipients Incoming emails to the organization are working fine. A security analyst receives the following screenshot ot email error from the help desk.

The analyst the checks the email server and sees many of the following messages in the logs.
Error 550 - Message rejected
Which of the following is MOST likely the issue?

Question379:

Question380: Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

Question381: A security analyst implemented a solution that would analyze the attacks that the organization's firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command:
$ sudo nc -1 -v -e maildaemon.py 25 > caplog.txt
Which of the following solutions did the analyst implement?