Summary

This document contains a collection of security questions and answers, likely from a university or college course. The questions cover topics such as vulnerabilities, security techniques, and incident response.

Full Transcript

Question #1: A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing? A.Cross-site scripting B.Buffer overflow C.Jailbreaking (answer) D.Side loading Questio...

Question #1: A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing? A.Cross-site scripting B.Buffer overflow C.Jailbreaking (answer) D.Side loading Question #2: Which of the following vulnerabilities is associated with installing software outside of a manufacturer's approved software repository? A.Jailbreaking B.Memory injection C.Resource reuse D.Side loading (answer) Question #3: A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following strategies is the bank requiring? A.Encryption at rest (answer) B.Masking C.Data classification D.Permission restrictions Question #4: Which of the following is a primary security concern for a company setting up a BYOD program? A.End of life B.Buffer overflow C.VM escape D.Jailbreaking (answer) Question #5: A security administrator would like to protect data on employees' laptops. Which of the following encryption techniques should the security administrator use? A.Partition B.Asymmetric C.Full disk (answer) D.Database Question #6: A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Select two). A.Key escrow (answer) B.TPM presence (answer) C.Digital signatures D.Data tokenization E.Public key management F.Certificate authority linking Question #7: A company implemented an MDM policy to mitigate risks after repeated instances of employees losing company-provided mobile phones. In several cases, the lost phones were used maliciously to perform social engineering attacks against other employees. Which of the following MDM features should be configured to best address this issue? (Select two). A. Screen locks (answer) B. Remote wipe (answer) C. Full device encryption D. Push notifications E. Application management F. Geolocation Question #8: A user would like to install software and features that are not available with a smartphone's default software. Which of the following would allow the user to install unauthorized software and enable new features? A.SQLI B.Cross-site scripting C.Jailbreaking (answer) D.Side loading Question #9: Which of the following is a type of vulnerability that refers to the unauthorized installation of applications on a device through means other than the official application store? A.Cross-site scripting B.Buffer overflow C.Jailbreaking (answer) D.Side loading Chapter 11 Question #1: A security team is reviewing the findings in a report that was delivered after a third party performed a penetration test. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability? A.Secure cookies B.Version control C.Input validation (answer) D.Code signing Question #2: A security analyst is investigating an application server and discovers that software on the server is behaving abnormally. The software normally runs batch jobs locally and does not generate traffic, but the process is now generating outbound traffic over random high ports. Which of the following vulnerabilities has likely been exploited in this software? A.Memory injection (answer) B.Race condition C.Side loading D.SQL injection Question #3: A healthcare organization wants to provide a web application that allows individuals to digitally report health emergencies. Which of the following is the most important consideration during development? A.Scalability B.Availability (answer) C.Cost D.Ease of deployment Question #4: A company's web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an analyst employ to prohibit access to unencrypted websites? A.encryption=off\ B.http:// (answer) C.www.*.com D.:443 Question #5: Which of the following enables the use of an input field to run commands that can view or manipulate data? A.Cross-site scripting B.Side loading C.Buffer overflow D.SQL injection (answer) Question #6: An organization recently updated its security policy to include the following statement: Regular expressions are included in source code to remove special characters such as $, |, ;. &, `, and ? from variables set by forms in a web application. Which of the following best explains the security technique the organization adopted by making this addition to the policy? A.Identify embedded keys B.Code debugging C.Input validation (answer) D.Static code analysis Question #7: Which of the following involves an attempt to take advantage of database misconfigurations? A. Buffer overflow B. SQL injection (answer) C. VM escape D. Memory injection Question #8: An organization's internet-facing website was compromised when an attacker exploited a buffer overflow. Which of the following should the organization deploy to best protect against similar attacks in the future? A.NGFW B.WAF (answer) C.TLS D.SD-WAN Question #9: Which of the following risks can be mitigated by HTTP headers? A. SQLi B. XSS (answer) C. DoS D. SSL Question #10: A company tested and validated the effectiveness of network security appliances within the corporate network. The IDS detected a high rate of SQL injection attacks against the company's servers, and the company's perimeter firewall is at capacity. Which of the following would be the best action to maintain security and reduce the traffic to the perimeter firewall? A. Set the appliance to IPS mode and place it in front of the company firewall. (answer) B. Convert the firewall to a WAF and use IPSec tunnels to increase throughput. C. Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM. D. Configure the firewall to perform deep packet inspection and monitor TLS traffic Question #11: While investigating a recent security breach an analyst finds that an attacker gained access by SQL injection through a company website. Which of the following should the analyst recommend to the website developers to prevent this from reoccurring? A. Secure cookies B. Input sanitization (answer) C. Code signing D. Blocklist Question #12: A vendor needs to remotely and securely transfer files from one server to another using the command line. Which of the following protocols should be implemented to allow for this type of access? (Select two). A. SSH (answer) B. SNMP C. RDP D. SFTP (answer) Question #13: An organization implemented cloud-managed IP cameras to monitor building entry points and sensitive areas. The service provider enables direct TCP/IP connection to stream live video footage from each camera. The organization wants to ensure this stream is encrypted and authenticated. Which of the following protocols should be implemented to best meet this objective? A. SSH B. SRTP (answer) C. S/MIME D. PPTP Question #14: A website user is locked out of an account after clicking an email link and visiting a different website. Web server logs show the user's password was changed, even though the user did not change the password. Which of the following is the most likely cause? A. Cross-site request forgery (answer) B. Directory traversal C. ARP poisoning D. SQL injection Question #15: Which of the following examples would be best mitigated by input sanitization? A.alert("Warning!"); (answer) B.nmap -p- 10.11.1.130 C.Email message: "Click this link to get your free gift card." D.Browser message: "Your connection is not private Question #16: An organization recently started hosting a new service that customers access through a web portal. A security engineer needs to add to the existing security devices a new solution to protect this new service. Which of the following is the engineer most likely to deploy? A.Layer 4 firewall B.NGFW C.WAF (answer) D.UTM Question #17: While investigating a possible incident, a security analyst discovers the following log entries: 67.118.34.157 ---- [28/Jul/2022:10:26:59-0300] "GET /query.php?q-wireless%20headphones/ HTTP/1.0" 200 12737132.18.222.103 ----[28/Jul/2022:10:27:10-0300] "GET /query.php?q=123 INSERT INTO users VALUES ('temp', 'pass123')#/HTTP/1.0" 200 935 12.45.101.121- [28/Jul/2022:10:27:22-0300] "GET /query.php?q=mp3%20players | HTTP/1.0" 200 14650 Which of the following should the analyst do first? A.Implement a WAF B.Disable the query.php script C.Block brute-force attempts on temporary users D.Check the users table for new accounts (answer) Question #18: Which of the following is a type of vulnerability that involves inserting scripts into web-based applications in order to take control of the client's web browser? A.SQL injection B.Cross-site scripting (answer) C.Zero-day exploit D.On-path attack Chapter 12 Question #1: A security practitioner completes a vulnerability assessment on a company's network and finds several vulnerabilities, which the operations team remediates. Which of the following should be done next? A.Conduct an audit. B.Initiate a penetration test. C.Rescan the network. (answer) D.Submit a report. Question #2: An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following social engineering techniques are being attempted? (Choose two.) A.Typosquatting C.Impersonation (answer) D.Vishing E.Smishing (answer) Question #3: One of the company's vendors sent an analyst a security bulletin that recommends a BIOS update. Which of the following vulnerability types is being addressed by the patch? A.Virtualization B.Firmware (answer) C.Application D.Operating system Question #4: Which of the following is a hardware-specific vulnerability? A.Firmware version (answer) B.Buffer overflow C.SQL injection Question #5: Several employees received a fraudulent text message from someone claiming to be the Chief Executive Officer (CEO). The message stated: "I'm in an airport right now with no access to email. I need you to buy gift cards for employee recognition awards. Please send the gift cards to the following email address." Which of the following are the best responses to this situation? (Choose two). A.Cancel current employee recognition gift cards. B.Add a smishing exercise to the annual company training. (answer) C.Issue a general email warning to the company. (answer) D.Have the CEO change phone numbers. E.Conduct a forensic investigation on the CEO's phone. F.Implement mobile device management. Question #6: Malware spread across a company's network after an employee visited a compromised industry blog. Which of the following best describes this type of attack? A.Impersonation B.Disinformation C.Watering-hole (answer) D.Smishing Question #7: Which of the following scenarios describes a possible business email compromise attack? A.An employee receives a gift card request in an email that has an executive's name in the display field of the email. (answer) B.Employees who open an email attachment receive messages demanding payment in order to access files. C.A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account. D.An employee receives an email with a link to a phishing site that is designed to look like the company's email portal. Question #8: After reviewing the following vulnerability scanning report: Server:192.168.14.6 Service: Telnet Port: 23 Protocol: TCP Status: Open Severity: High Vulnerability: Use of an insecure network protocol A security analyst performs the following test: nmap -p 23 192.168.14.6-script telnet-encryption PORT STATE SERVICE REASON 23/tcp open telnet syn-ack I telnet encryption: |_ Telnet server supports encryption Which of the following would the security analyst conclude for this reported vulnerability? A.It is a false positive. (answer) B.A rescan is required. C.It is considered noise. Question #9: An attacker posing as the Chief Executive Officer calls an employee and instructs the employee to buy gift cards. Which of the following techniques is the attacker using? A.Smishing B.Phishing C.Impersonating (answer) D.Whaling Question #10: An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a "page not found" error message. Which of the following types of social engineering attacks occurred? A.Brand impersonation B.Pretexting C.Typosquatting D.Phishing (answer) Question #11: A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity? A.White B.Purple C.Blue D.Red (answer) Question #12: After a recent vulnerability scan, a security engineer needs to harden the routers within the corporate network. Which of the following is the most appropriate to disable? A.Console access B.Routing protocols C.VLANS D.Web-based administration (answer) Question #13: Which of the following is used to quantitatively measure the criticality of a vulnerability? A.CVE B.CVSS (answer) C.CIA D.CERT Question #14: Which of the following provides the details about the terms of a test with a third-party penetration tester? A.Rules of engagement (answer) B.Supply chain analysis C.Right to audit clause D.Due diligence Question #15: A company is expanding its threat surface program and allowing individuals to security test the company's internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up? A.Open-source intelligence B.Bug bounty (answer) C.Red team D.Penetration testing Question #16: An organization wants a third-party vendor to do a penetration test that targets a specific device. The organization has provided basic information about the device. Which of the following best describes this kind of penetration test? A.Partially known environment (answer) B.Unknown environment C.Integrated D.Known environment Question #17: A penetration tester begins an engagement by performing port and service scans against the client environment according to the rules of engagement. Which of the following reconnaissance types is the tester performing? A.Active (answer) B.Passive C.Defensive D.Offensive Question #18: While troubleshooting a firewall configuration, a technician determines that a "deny any" policy should be added to the bottom of the ACL. The technician updates the policy, but the new policy causes several company servers to become unreachable. Which of the following actions would prevent this issue? A.Documenting the new policy in a change request and submitting the request to change management B.Testing the policy in a non-production environment before (answer) enabling the policy in the production network C.Disabling any intrusion prevention signatures on the 'deny any* policy prior to enabling the new policy D.Including an 'allow any1 policy above the 'deny any* policy Question #19: After a security awareness training session, a user called the IT help desk and reported a suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an invoice. Which of the following topics did the user recognize from the training? A.Insider threat B.Email phishing C.Social engineering (answer) D.Executive whaling Question #20: Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed? A.A full inventory of all hardware and software (answer) B.Documentation of system classifications C.A list of system owners and their departments D.Third-party risk assessment documentation Question #21: Which of the following teams combines both offensive and defensive testing techniques to protect an organization's critical systems? A. Red B. Blue C. Purple (answer) D. Yellow Question #22: The local administrator account for a company's VPN appliance was unexpectedly used to log in to the remote management interface. Which of the following would have most likely prevented this from happening? A.Using least privilege B.Changing the default password (answer) C.Assigning individual user IDs (answer) D.Reviewing logs more frequently Question #23: An employee receives a text message from an unknown number claiming to be the company's Chief Executive Officer and asking the employee to purchase several gift cards. Which of the following types of attacks does this describe? A.Vishing B.Smishing (answer) C.Pretexting D.Phishing Question #24: A company is working with a vendor to perform a penetration test. Which of the following includes an estimate about the number of hours required to complete the engagement? A.SOW (answer) B.BPA C.SLA D.NDA Question #25: Which of the following penetration testing teams is focused only on trying to compromise an organization using an attacker's tactics? A. White B. Red (answer) C. Purple D. Blue Question #26: A manager receives an email that contains a link to receive a refund. After hovering over the link, the manager notices that the domain's URL points to a suspicious link. Which of the following security practices helped the manager to identify the attack? A. End user training (answer) B. Policy review C. URL scanning D. Plain text email Question #27: Which of the following most impacts an administrator's ability to address CVEs discovered on a server? A. Rescanning requirements B. Patch availability (answer) C. Organizational impact D. Risk tolerance Question #28: After conducting a vulnerability scan, a systems administrator notices that one of the identified vulnerabilities is not present on the systems that were scanned. Which of the following describes this example? A. False positive (answer) B. False negative C. True positive D. True negative Question #29: A security analyst is reviewing the source code of an application in order to identify misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this review? A. Dynamic B. Static (answer) C. Gap D. Impact Question #30: A software developer would like to ensure the source code cannot be reverse engineered or debugged. Which of the following should the developer consider? A. Version control B. Obfuscation toolkit (answer) C. Code reuse D. Continuous integration E. Stored procedures Question #31: Which of the following is the most important security concern when using legacy systems to provide production service? A. Instability B. Lack of vendor support (answer) C. Loss of availability D. Use of insecure protocols Question #32: An employee in the accounting department receives an email containing a demand for payment for services performed by a vendor. However, the vendor is not in the vendor management database. Which of the following is this scenario an example of? A. Pretexting B. Impersonation C. Ransomware D. Invoice scam (answer) Question #33: Which of the following best describes a penetration test that resembles an actual external attack? A.Known environment B.Partially known environment C.Bug bounty D.Unknown environment (answer) Question #34: Which of the following environments utilizes a subset of customer data and is most likely to be used to assess the impacts of major system upgrades and demonstrate system features? A. Development B. Test C. Production D. Staging (answer) Question #35: Which of the following can a security director use to prioritize vulnerability patching within a company's IT Environment? A. SOAR B. CVSS (answer) C. SIEM D. CVE Question #36: Which of the following is a common source of unintentional corporate credential leakage in cloud environments? A. Code repositories (answer) B. Dark web C. Threat feeds D. State actors E. Vulnerability databases Question #37: Which of the following would best explain why a security analyst is running daily vulnerability scans on all corporate endpoints? A. To track the status of patching installations (answer) B.To find shadow IT cloud deployments C. To continuously the monitor hardware inventory D.To hunt for active attackers in the network Question #38: Which of the following methods would most likely be used to identify legacy systems? A.Bug bounty program B.Vulnerability scan (answer) C.Package monitoring D.Dynamic analysis Question #39: A new employee logs in to the email system for the first time and notices a message from human resources about onboarding. The employee hovers over a few of the links within the email and discovers that the links do not correspond to links associated with the company. Which of the following attack vectors is most likely being used? A.Business email B.Social engineering (answer) C.Unsecured network D.Default credentials Question #40: An important patch for a critical application has just been released, and a systems administrator is identifying all of the systems requiring the patch. Which of the following must be maintained in order to ensure that all systems requiring the patch are updated? A.Asset inventory (answer) B.Network enumeration C.Data certification D.Procurement process Question #41: Which of the following types of identification methods can be performed on a deployed application during runtime? A.Dynamic analysis (answer) B.Code review C.Package monitoring D.Bug bounty Question #42: A company relies on open-source software libraries to build the software used by its customers. Which of the following vulnerability types would be the most difficult to remediate due to the company's reliance on open source libraries? A.Buffer overflow B.SQL injection C.Cross-site scripting D.Zero day (answer) Question #43: A small business uses kiosks on the sales floor to display product information for customers. A security team discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely to document as a security implication of the current architecture? A.Patch availability (answer) B.Product software compatibility C.Ease of recovery D.Cost of replacement Chapter 13 Question #1: Which of the following should a security administrator adhere to when setting up a new set of firewall rules? A.Disaster recovery plan B.Incident response procedure C.Business continuity plan D.Change management procedure (answer) Question #2: Security controls in a data center are being reviewed to ensure data is properly protected and that human life considerations are included. Which of the following best describes how the controls should be set up? A.Remote access points should fail closed. B.Logging controls should fail open. C.Safety controls should fail open. (answer) D.Logical security controls should fail closed. Question #3: A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first? A.Air gap the system. B. Move the system to a different network segment. C.Create a change control request. (answer) D.Apply the patch to the system. Question #4: After a company was compromised, customers initiated a lawsuit. The company's attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take? A.Retain the emails between the security team and affected customers for 30 days. B.Retain any communications related to the security breach until further notice. (answer) C.Retain any communications between security members during the breach response. D.Retain all emails from the company to affected customers for an indefinite period of time. Question #5: A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider? A. Clustering servers B. Geographic dispersion (answer) C. Load balancers D. Off-site backups Question #6: A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks. Which of the following analysis elements did the company most likely use in making this decision? A.MTTR B.RTO C.ARO (answer) D.MTBF Question #7: Which of the following is required for an organization to properly manage its restore process in the event of system failure? A.IRP B.DRP (answer) C.RPO D.SDLC Question #8: A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step? A.Capacity planning (answer) B.Redundancy C.Geographic dispersion D.Tabletop exercise Question #9: An organization is building a new backup data center with cost-benefit as the primary requirement and RTO and RPO values of two days. Which of the following types of sites is the best for this scenario? A.Real-time recovery B.Hot C. Cold D.Warm (answer) Question #10: A company is planning a disaster recovery site and needs to ensure that a single natural disaster would not result in the complete loss of regulated backup data. Which of the following should the company consider? A.Geographic dispersion (answer) B.Platform diversity C. Hot site D.Load balancing Question #11: Which of the following best describes configuring devices to log to an off-site location for possible future reference? A.Log aggregation B.DLP C.Archiving (answer) D.SCAP Question #12: Which of the following tasks is typically included in the BIA process? A.Estimating the recovery time of systems (answer) B.Identifying the communication strategy C.Evaluating the risk management plan D.Establishing the backup and recovery procedures E.Developing the incident response plan Question #13: A systems administrator would like to deploy a change to a production system. Which of the following must the administrator submit to demonstrate that the system can be restored to a working state in the event of a performance issue? A. Backout plan (answer) B. Impact analysis C. Test procedure D. Approval procedure Question #14: Which of the following describes effective change management procedures? A. Approving the change after a successful deployment B. Having a backout plan when a patch fails (answer) C. Using a spreadsheet for tracking changes D. Using an automatic change control bypass for security updates Question #15: A company that is located in an area prone to hurricanes is developing a disaster recovery plan and looking at site considerations that allow the company to immediately continue operations. Which of the following is the best type of site for this company? A. Cold B. Tertiary C. Warm D. Hot (answer) Question #16: An organization would like to calculate the time needed to resolve a hardware issue with a server. Which of the following risk management processes describes this example? A. Recovery point objective B. Mean time between failures C. Recovery time objective D. Mean time to repair (answer) Question #17: A systems administrator wants to implement a backup solution. The solution needs to allow recovery of the entire system, including the operating system, in case of a disaster. Which of the following backup types should the administrator consider? A. Incremental B. Storage area network C. Differential D. Image (answer) Question #18: A security team created a document that details the order in which critical systems should be brought back online after a major outage. Which of the following documents did the team create? A. Communication plan B. Incident response plan C. Data retention policy D. Disaster recovery plan (answer) Question #19: The Chief Information Security Officer of an organization needs to ensure recovery from ransomware would likely occur within the organization's agreed-upon RPOS and RTOS. Which of the following backup scenarios would best ensure recovery? A. Hourly differential backups stored on a local SAN array B. Daily full backups stored on premises in magnetic offline media (answer) C. Daily differential backups maintained by a third-party cloud provider D. Weekly full backups with daily incremental stored on a NAS drive Question #20: A business needs a recovery site but does not require immediate failover. The business also wants to reduce the workload required to recover from an outage. Which of the following recovery sites is the best option? A.Hot B.Cold C.Warm (answer) D.Geographically dispersed Question #21: An IT manager is putting together a documented plan describing how the organization will keep operating in the event of a global incident. Which of the following plans is the IT manager creating? A.Business continuity (answer) B.Physical security C.Change management D.Disaster recovery Chapter 14 Question #1: During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process? A.Analysis (answer) B.Lessons learned C.Detection D.Containment Question #2: Which of the following is the phase in the incident response process when a security analyst reviews roles and responsibilities? A.Preparation (answer) B.Recovery C.Lessons learned D.Analysis Question #3: A newly appointed board member with cybersecurity knowledge wants the board of directors to receive a quarterly report detailing the number of incidents that impacted the organization. The systems administrator is creating a way to present the data to the board of directors. Which of the following should the systems administrator use? A.Packet captures B.Vulnerability scans C.Metadata D.Dashboard (answer) Question #4: A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior? A.Digital forensics B.E-discovery C.Incident response D.Threat hunting (answer) Question #5: A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee's corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data source? A.Application B.IPS/IDS C.Network D.Endpoint (answer) Question #6: Which of the following describes a security alerting and monitoring tool that collects system, application, and network logs from multiple sources in a centralized system? A.SIEM (answer) B.DLP C.IDS D.SNMP Question #7: Which of the following exercises should an organization use to improve its incident response process? A.Tabletop (answer) B.Replication C.Failover D.Recovery Question #8: Which of the following describes the reason root cause analysis should be conducted as part of incident response? A. To gather loCs for the investigation B.To discover which systems have been affected C. To eradicate any trace of malware on the network D.To prevent future incidents of the same nature (answer) Question #9: A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future? A.Tuning (answer) B.Aggregating C.Quarantining D.Archiving Question #10: Which of the following is the best way to consistently determine on a daily basis whether security settings on servers have been modified? A.Automation (answer) B.Compliance checklist C.Attestation D.Manual audit Question #11: A security manager created new documentation to use in response to various types of security incidents. Which of the following is the next step the manager should take? A.Set the maximum data retention policy. B.Securely store the documents on an air-gapped network. C.Review the documents' data classification policy. D.Conduct a tabletop exercise with the team. (answer) Question #12: A security analyst receives alerts about an internal system sending a large amount of unusual DNS queries to systems on the internet over short periods of time during non-business hours. Which of the following is most likely occurring? A.A worm is propagating across the network. B.Data is being exfiltrated. (answer) C.A logic bomb is deleting data. D.Ransomware is encrypting files. Question #13: Which of the following incident response activities ensures evidence is properly handled? A. E-discovery B. Chain of custody (answer) C. Legal hold D. Preservation Question #14: A security analyst is investigating an alert that was produced by endpoint protection software. The analyst determines this event was a false positive triggered by an employee who attempted to download a file. Which of the following is the most likely reason the download was blocked? A. A misconfiguration in the endpoint protection software (answer) B. A zero-day vulnerability in the file C. A supply chain attack on the endpoint protection vendor D. Incorrect file permissions Question #15: The CIRT is reviewing an incident that involved a human resources recruiter exfiltration sensitive company data. The CIRT found that the recruiter was able to use HTTP over port 53 to upload documents to a web server. Which of the following security infrastructure devices could have identified and blocked this activity? A. WAF utilizing SSL decryption B. NGFW utilizing application inspection (answer) C. UTM utilizing a threat feed D. SD-WAN utilizing IPSec Question #16: An accounting clerk sent money to an attacker's bank account after receiving fraudulent instructions to use a new account. Which of the following would most likely prevent this activity in the future? A. Standardizing security incident reporting B. Executing regular phishing campaigns C. Implementing insider threat detection measures D. Updating processes for sending wire transfers (answer) Question #17: Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a specific situation such as a security incident or major disaster. Which of the following best describes this meeting? A. Penetration test B. Continuity of operations planning C. Tabletop exercise (answer) D. Simulation Question #18: A new vulnerability enables a type of malware that allows the unauthorized movement of data from a system. Which of the following would detect this behavior? A.Implementing encryption B.Monitoring outbound traffic (answer) C.Using default settings D.Closing all open ports Question #19: A cybersecurity incident response team at a large company receives notification that malware is present on several corporate desktops. No known indicators of compromise have been found on the network. Which of the following should the team do first to secure the environment? A. Contain the impacted hosts. (answer) B. Add the malware to the application blocklist. C. Segment the core database server. D. Implement firewall rules to block outbound beaconing Question #20: A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected. Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions. Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise? A.A brute-force attack was used against the time-keeping website to scan for common passwords. B.A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials. C.The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site. (answer) D.ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine. Question #21: Callers speaking a foreign language are using company phone numbers to make unsolicited phone calls to a partner organization. A security analyst validates through phone system logs that the calls are occurring and the numbers are not being spoofed. Which of the following is the most likely explanation? A. The executive team is traveling internationally and trying to avoid roaming charges. B. The company's SIP server security settings are weak. C. Disgruntled employees are making calls to the partner organization. D. The service provider has assigned multiple companies the same numbers. (answer) Question #22: A growing company would like to enhance the ability of its security operations center to detect threats but reduce the amount of manual work required for the security analysts. Which of the following would best enable the reduction in manual work? A. SOAR (answer) B. SIEM C. MDM D. DLP Question #23: Which of the following is a reason why a forensic specialist would create a plan to preserve data after an incident and prioritize the sequence for performing forensic analysis? A.Order of volatility (answer) B.Preservation of event logs C.Chain of custody D.Compliance with legal hold Question #24: An analyst is reviewing an incident in which a user clicked on a link in a phishing email. Which of the following log sources would the analyst utilize to determine whether the connection was successful? A. Network (answer) B. System C. Application D. Authentication Question #25: Which of the following is the final step of the incident response process? A. Lessons learned (answer) B. Eradication C. Containment D. Recovery Question #26: Which of the following should a security operations center use to improve its incident response procedure? A.Playbooks (answer) B.Frameworks C.Baselines D.Benchmarks Question #27: Which of the following describes an executive team that is meeting in a boardroom and testing the company's incident response plan? A.Continuity of operations B.Capacity planning C.Tabletop exercise (answer) D.Parallel processing Question #28: Which of the following alert types is the most likely to be ignored over time? A.True positive B.True negative C.False positive (answer) D.False negative Question #29: A security analyst is investigating a workstation that is suspected of outbound communication to a command-and-control server. During the investigation, the analyst discovered that logs on the endpoint were deleted. Which of the following logs would the analyst most likely look at next? A.IPS B.Firewall (answer) C.ACL D.Windows security Question #30: An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Select two). A.Application B.Authentication D.Network (answer) E.Firewall (answer) Question #31: Which of the following phases of an incident response involves generating reports? A.Recovery B.Preparation C.Lessons learned (answer) D.Containment Question #32: Which of the following strategies should an organization use to efficiently manage and analyze multiple types of logs? A.Deploy a SIEM solution (answer) B.Create custom scripts to aggregate and analyze logs C.Implement EDR technology D.Install a unified threat management appliance Question #33: Which of the following should be used to aggregate log data in order to create alerts and detect anomalous activity? A.SIEM (answer) B.WAF C.Network taps D.IDS

Use Quizgecko on...
Browser
Browser