Chapter 10, 11, 12, 13, 14 PDF

Summary

This document contains a collection of security questions and answers, likely from a university or college course. The questions cover topics such as vulnerabilities, security techniques, and incident response.

Full Transcript

Question #1:
A company is adding a clause to its AUP that states employees are not allowed to modify the
operating system on mobile devices. Which of the following vulnerabilities is the organization
addressing?
A.Cross-site scripting
B.Buffer overflow
C.Jailbreaking (answer)
D.Side loading

Question #2:
Which of the following vulnerabilities is associated with installing software outside of a
manufacturer's approved software repository?
A.Jailbreaking
B.Memory injection
C.Resource reuse
D.Side loading (answer)

Question #3:
A bank insists all of its vendors must prevent data loss on stolen laptops. Which of the following
strategies is the bank requiring?
A.Encryption at rest (answer)
B.Masking
C.Data classification
D.Permission restrictions

Question #4:
Which of the following is a primary security concern for a company setting up a BYOD program?
A.End of life
B.Buffer overflow
C.VM escape
D.Jailbreaking (answer)

Question #5:
A security administrator would like to protect data on employees' laptops. Which of the following
encryption techniques should the security administrator use?
A.Partition
B.Asymmetric
C.Full disk (answer)
D.Database
Question #6:
A security engineer is implementing FDE for all laptops in an organization. Which of the
following are the most important for the engineer to consider as part of the planning process?
(Select two).
A.Key escrow (answer)
B.TPM presence (answer)
C.Digital signatures
D.Data tokenization
E.Public key management
F.Certificate authority linking

Question #7:
A company implemented an MDM policy to mitigate risks after repeated instances of employees
losing company-provided mobile phones. In several cases, the lost phones were used
maliciously to perform social engineering attacks against other employees. Which of the
following MDM features should be configured to best address this issue? (Select two).
A. Screen locks (answer)
B. Remote wipe (answer)
C. Full device encryption
D. Push notifications
E. Application management
F. Geolocation

Question #8:
A user would like to install software and features that are not available with a smartphone's
default software. Which of the following would allow the user to install unauthorized software
and enable new features?
A.SQLI
B.Cross-site scripting
C.Jailbreaking (answer)
D.Side loading

Question #9:
Which of the following is a type of vulnerability that refers to the unauthorized installation of
applications on a device through means other than the official application store?
A.Cross-site scripting
B.Buffer overflow
C.Jailbreaking (answer)
D.Side loading
Chapter 11

Question #1:
A security team is reviewing the findings in a report that was delivered after a third party
performed a penetration test. One of the findings indicated that a web application form field is
vulnerable to cross-site scripting. Which of the following application security techniques should
the security analyst recommend the developer implement to prevent this vulnerability?
A.Secure cookies
B.Version control
C.Input validation (answer)
D.Code signing

Question #2:
A security analyst is investigating an application server and discovers that software on the
server is behaving abnormally. The software normally runs batch jobs locally and does not
generate traffic, but the process is now generating outbound traffic over random high ports.
Which of the following vulnerabilities has likely been exploited in this software?
A.Memory injection (answer)
B.Race condition
C.Side loading
D.SQL injection

Question #3:
A healthcare organization wants to provide a web application that allows individuals to digitally
report health emergencies. Which of the following is the most important consideration during
development?
A.Scalability
B.Availability (answer)
C.Cost
D.Ease of deployment

Question #4:
A company's web filter is configured to scan the URL for strings and deny access when matches
are found. Which of the following search strings should an analyst employ to prohibit access to
unencrypted websites?
A.encryption=off\
B.http:// (answer)
C.www.*.com
D.:443
Question #5:
Which of the following enables the use of an input field to run commands that can view or
manipulate data?
A.Cross-site scripting
B.Side loading
C.Buffer overflow
D.SQL injection (answer)

Question #6:
An organization recently updated its security policy to include the following statement:
Regular expressions are included in source code to remove special characters such as $, |, ;. &,
`, and ? from variables set by forms in a web application.
Which of the following best explains the security technique the organization adopted by making
this addition to the policy?
A.Identify embedded keys
B.Code debugging
C.Input validation (answer)
D.Static code analysis

Question #7:
Which of the following involves an attempt to take advantage of database misconfigurations?
A. Buffer overflow
B. SQL injection (answer)
C. VM escape
D. Memory injection

Question #8:
An organization's internet-facing website was compromised when an attacker exploited a buffer
overflow. Which of the following should the organization deploy to best protect against similar
attacks in the future?
A.NGFW
B.WAF (answer)
C.TLS
D.SD-WAN

Question #9:
Which of the following risks can be mitigated by HTTP
headers?
A. SQLi
B. XSS (answer)
C. DoS
D. SSL
Question #10:
A company tested and validated the effectiveness of network security appliances within the
corporate network. The IDS detected a high rate of SQL injection attacks against the company's
servers, and the company's perimeter firewall is at capacity. Which of the following would be the
best action to maintain security and reduce the traffic to the perimeter firewall?
A. Set the appliance to IPS mode and place it in front of the company firewall. (answer)
B. Convert the firewall to a WAF and use IPSec tunnels to increase throughput.
C. Set the firewall to fail open if it is overloaded with traffic and send alerts to the SIEM.
D. Configure the firewall to perform deep packet inspection and monitor TLS traffic

Question #11:
While investigating a recent security breach an analyst finds that an attacker gained access by
SQL injection through a company website. Which of the following should the analyst
recommend to the website developers to prevent this from reoccurring?
A. Secure cookies
B. Input sanitization (answer)
C. Code signing
D. Blocklist

Question #12:
A vendor needs to remotely and securely transfer files from one server to another using the
command line. Which of the following protocols should be implemented to allow for this type of
access? (Select two).
A. SSH (answer)
B. SNMP
C. RDP
D. SFTP (answer)

Question #13:
An organization implemented cloud-managed IP cameras to monitor building entry points and
sensitive areas. The service provider enables direct TCP/IP connection to stream live video
footage from each camera. The organization wants to ensure this stream is encrypted and
authenticated. Which of the following protocols should be implemented to best meet this
objective?
A. SSH
B. SRTP (answer)
C. S/MIME
D. PPTP
Question #14:
A website user is locked out of an account after clicking an email link and visiting a different
website. Web server logs show the user's password was changed, even though the user did not
change the password. Which of the following is the most likely cause?
A. Cross-site request forgery (answer)
B. Directory traversal
C. ARP poisoning
D. SQL injection

Question #15:
Which of the following examples would be best mitigated by input sanitization?
A.alert("Warning!"); (answer)
B.nmap -p- 10.11.1.130
C.Email message: "Click this link to get your free gift card."
D.Browser message: "Your connection is not private

Question #16:
An organization recently started hosting a new service that customers access through a web
portal. A security engineer needs to add to the existing security devices a new solution to
protect this new service. Which of the following is the engineer most likely to deploy?
A.Layer 4 firewall
B.NGFW
C.WAF (answer)
D.UTM

Question #17:
While investigating a possible incident, a security analyst discovers the following log entries:
67.118.34.157 ---- [28/Jul/2022:10:26:59-0300] "GET /query.php?q-wireless%20headphones/
HTTP/1.0" 200 12737132.18.222.103 ----[28/Jul/2022:10:27:10-0300] "GET /query.php?q=123
INSERT INTO users VALUES ('temp', 'pass123')#/HTTP/1.0" 200 935
12.45.101.121- [28/Jul/2022:10:27:22-0300] "GET /query.php?q=mp3%20players | HTTP/1.0"
200
14650
Which of the following should the analyst do first?
A.Implement a WAF
B.Disable the query.php script
C.Block brute-force attempts on temporary users
D.Check the users table for new accounts (answer)

Question #18:
Which of the following is a type of vulnerability that involves inserting scripts into web-based
applications in order to take control of the client's web browser?
A.SQL injection
B.Cross-site scripting (answer)
C.Zero-day exploit
D.On-path attack

Chapter 12

Question #1:
A security practitioner completes a vulnerability assessment on a company's network and finds
several vulnerabilities, which the operations team remediates. Which of the following should be
done next?
A.Conduct an audit.
B.Initiate a penetration test.
C.Rescan the network. (answer)
D.Submit a report.

Question #2:
An employee receives a text message that appears to have been sent by the payroll department
and is asking for credential verification. Which of the following social
engineering techniques are being attempted? (Choose two.)
A.Typosquatting
C.Impersonation (answer)
D.Vishing
E.Smishing (answer)

Question #3:
One of the company's vendors sent an analyst a security bulletin that recommends a BIOS
update. Which of the following vulnerability types is being addressed by the patch?
A.Virtualization
B.Firmware (answer)
C.Application
D.Operating system

Question #4:
Which of the following is a hardware-specific vulnerability?
A.Firmware version (answer)
B.Buffer overflow
C.SQL injection

Question #5:
Several employees received a fraudulent text message from someone claiming to be the Chief
Executive Officer (CEO). The message stated: "I'm in an airport right now with no access to
email. I need you to buy gift cards for employee recognition awards. Please send the gift cards
to the following email address."
Which of the following are the best responses to this situation? (Choose two).
A.Cancel current employee recognition gift cards.
B.Add a smishing exercise to the annual company training. (answer)
C.Issue a general email warning to the company. (answer)
D.Have the CEO change phone numbers.
E.Conduct a forensic investigation on the CEO's phone. F.Implement mobile device
management.

Question #6:
Malware spread across a company's network after an employee visited a compromised industry
blog. Which of the following best describes this type of attack?
A.Impersonation
B.Disinformation
C.Watering-hole (answer)
D.Smishing

Question #7:
Which of the following scenarios describes a possible business email compromise attack?
A.An employee receives a gift card request in an email that has an executive's name in the
display field of the email. (answer)
B.Employees who open an email attachment receive messages demanding payment in order to
access files.
C.A service desk employee receives an email from the HR director asking for log-in credentials
to a cloud administrator account.
D.An employee receives an email with a link to a phishing site that is designed to look like the
company's email portal.

Question #8:
After reviewing the following vulnerability scanning report:
Server:192.168.14.6
Service: Telnet
Port: 23 Protocol: TCP
Status: Open Severity: High
Vulnerability: Use of an insecure network protocol
A security analyst performs the following test:
nmap -p 23 192.168.14.6-script telnet-encryption
PORT STATE SERVICE REASON
23/tcp open telnet syn-ack
I telnet encryption:
|_ Telnet server supports encryption
Which of the following would the security analyst conclude for this reported
vulnerability?
A.It is a false positive. (answer)
B.A rescan is required.
C.It is considered noise.

Question #9:
An attacker posing as the Chief Executive Officer calls an employee and instructs the employee
to buy gift cards. Which of the following techniques is the attacker using?
A.Smishing
B.Phishing
C.Impersonating (answer)
D.Whaling

Question #10:
An employee clicked a link in an email from a payment website that asked the employee to
update contact information. The employee entered the log-in information but received a "page
not found" error message. Which of the following types of social engineering attacks occurred?
A.Brand impersonation
B.Pretexting
C.Typosquatting
D.Phishing (answer)

Question #11:
A company hired a consultant to perform an offensive security assessment covering penetration
testing and social engineering. Which of the following teams will conduct this assessment
activity?
A.White
B.Purple
C.Blue
D.Red (answer)

Question #12:
After a recent vulnerability scan, a security engineer needs to harden the routers within the
corporate network. Which of the following is the most appropriate to disable?
A.Console access
B.Routing protocols
C.VLANS
D.Web-based administration (answer)

Question #13:
Which of the following is used to quantitatively measure the criticality of a vulnerability?
A.CVE
B.CVSS (answer)
C.CIA
D.CERT

Question #14:
Which of the following provides the details about the terms of a test with a third-party
penetration tester?
A.Rules of engagement (answer)
B.Supply chain analysis
C.Right to audit clause
D.Due diligence

Question #15:
A company is expanding its threat surface program and allowing individuals to security test the
company's internet-facing
application. The company will compensate researchers based on the vulnerabilities discovered.
Which of the following best describes the program the company is setting up?
A.Open-source intelligence
B.Bug bounty (answer)
C.Red team
D.Penetration testing

Question #16:
An organization wants a third-party vendor to do a penetration test that targets a specific device.
The organization has provided basic information about the device. Which of the following best
describes this kind of penetration test?
A.Partially known environment (answer)
B.Unknown environment
C.Integrated
D.Known environment

Question #17:
A penetration tester begins an engagement by performing port and service scans against the
client environment according to the rules of engagement. Which of the following reconnaissance
types is the tester performing?
A.Active (answer)
B.Passive
C.Defensive
D.Offensive
Question #18:
While troubleshooting a firewall configuration, a technician determines that a "deny any" policy
should be added to the bottom of the ACL. The technician updates the policy, but the new policy
causes several company servers to become unreachable. Which of the following actions would
prevent this issue?
A.Documenting the new policy in a change request and submitting the request to change
management
B.Testing the policy in a non-production environment before (answer)
enabling the policy in the production network
C.Disabling any intrusion prevention signatures on the 'deny any* policy prior to enabling the
new policy
D.Including an 'allow any1 policy above the 'deny any* policy

Question #19:
After a security awareness training session, a user called the IT help desk and reported a
suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card
information in order to close an invoice. Which of the following topics did the user recognize
from the training?
A.Insider threat
B.Email phishing
C.Social engineering (answer)
D.Executive whaling

Question #20:
Which of the following would help ensure a security analyst is able to accurately measure the
overall risk to an organization when a new vulnerability is disclosed?
A.A full inventory of all hardware and software (answer)
B.Documentation of system classifications
C.A list of system owners and their departments
D.Third-party risk assessment documentation

Question #21:
Which of the following teams combines both offensive and defensive testing techniques to
protect an organization's critical systems?
A. Red
B. Blue
C. Purple (answer)
D. Yellow

Question #22:
The local administrator account for a company's VPN appliance was unexpectedly used to log in
to the remote management interface. Which of the following would have most likely prevented
this from happening?
A.Using least privilege
B.Changing the default password (answer)
C.Assigning individual user IDs (answer)
D.Reviewing logs more frequently

Question #23:
An employee receives a text message from an unknown number claiming to be the company's
Chief Executive Officer and asking the employee to purchase several gift cards. Which of the
following types of attacks does this describe?
A.Vishing
B.Smishing (answer)
C.Pretexting
D.Phishing

Question #24:
A company is working with a vendor to perform a penetration test. Which of the following
includes an estimate about the number of hours required to complete the engagement?
A.SOW (answer)
B.BPA
C.SLA
D.NDA

Question #25:
Which of the following penetration testing teams is focused only on trying to compromise an
organization using an attacker's tactics?
A. White
B. Red (answer)
C. Purple
D. Blue

Question #26:
A manager receives an email that contains a link to receive a refund. After hovering over the
link, the manager notices that the domain's URL points to a suspicious link. Which of the
following security practices helped the manager to identify the attack?
A. End user training (answer)
B. Policy review
C. URL scanning
D. Plain text email
Question #27:
Which of the following most impacts an administrator's ability to address CVEs discovered on a
server?
A. Rescanning requirements
B. Patch availability (answer)
C. Organizational impact
D. Risk tolerance

Question #28:
After conducting a vulnerability scan, a systems administrator notices that one of the identified
vulnerabilities is not present on the systems that were scanned. Which of the following
describes this example?
A. False positive (answer)
B. False negative
C. True positive
D. True negative

Question #29:
A security analyst is reviewing the source code of an application in order to identify
misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this
review?
A. Dynamic
B. Static (answer)
C. Gap
D. Impact

Question #30:
A software developer would like to ensure the source code cannot be reverse engineered or
debugged. Which of the following should the developer consider?
A. Version control
B. Obfuscation toolkit (answer)
C. Code reuse
D. Continuous integration
E. Stored procedures

Question #31:
Which of the following is the most important security concern when using legacy systems to
provide production service?
A. Instability
B. Lack of vendor support (answer)
C. Loss of availability
D. Use of insecure protocols
Question #32:
An employee in the accounting department receives an email containing a demand for payment
for services performed by a vendor. However, the vendor is not in the vendor management
database. Which of the following is this scenario an example of?
A. Pretexting
B. Impersonation
C. Ransomware
D. Invoice scam (answer)

Question #33:
Which of the following best describes a penetration test
that resembles an actual external attack?
A.Known environment
B.Partially known environment
C.Bug bounty
D.Unknown environment (answer)

Question #34:
Which of the following environments utilizes a subset of customer data and is most likely to be
used to assess the impacts of major system upgrades and demonstrate system features?
A. Development
B. Test
C. Production
D. Staging (answer)

Question #35:
Which of the following can a security director use to prioritize vulnerability patching within a
company's IT Environment?
A. SOAR
B. CVSS (answer)
C. SIEM
D. CVE

Question #36:
Which of the following is a common source of unintentional corporate credential leakage in
cloud environments?
A. Code repositories (answer)
B. Dark web
C. Threat feeds
D. State actors
E. Vulnerability databases
Question #37:
Which of the following would best explain why a security analyst is running daily vulnerability
scans on all corporate endpoints?
A. To track the status of patching installations (answer)
B.To find shadow IT cloud deployments
C. To continuously the monitor hardware inventory
D.To hunt for active attackers in the network

Question #38:
Which of the following methods would most likely be used to identify legacy systems?
A.Bug bounty program
B.Vulnerability scan (answer)
C.Package monitoring
D.Dynamic analysis

Question #39:
A new employee logs in to the email system for the first time and notices a message from
human resources about onboarding. The employee hovers over a few of the links within the
email and discovers that the links do not correspond to links associated with the company.
Which of the following attack vectors is most likely being used?
A.Business email
B.Social engineering (answer)
C.Unsecured network
D.Default credentials

Question #40:
An important patch for a critical application has just been released, and a systems administrator
is identifying all of the systems requiring the patch. Which of the following must be maintained in
order to ensure that all systems requiring the patch are updated?
A.Asset inventory (answer)
B.Network enumeration
C.Data certification
D.Procurement process

Question #41:
Which of the following types of identification methods can be performed on a deployed
application during runtime?
A.Dynamic analysis (answer)
B.Code review
C.Package monitoring D.Bug bounty
Question #42:
A company relies on open-source software libraries to build the software used by its customers.
Which of the following vulnerability types would be the most difficult to remediate due to the
company's reliance on open source libraries?
A.Buffer overflow
B.SQL injection
C.Cross-site scripting
D.Zero day (answer)

Question #43:
A small business uses kiosks on the sales floor to display product information for customers. A
security team discovers the kiosks use end-of-life operating systems. Which of the following is
the security team most likely to document as a security implication of the current architecture?
A.Patch availability (answer)
B.Product software compatibility
C.Ease of recovery
D.Cost of replacement

Chapter 13

Question #1:
Which of the following should a security administrator adhere to when setting up a new set of
firewall rules?
A.Disaster recovery plan
B.Incident response procedure
C.Business continuity plan
D.Change management procedure (answer)

Question #2:
Security controls in a data center are being reviewed to ensure data is properly protected and
that human life considerations are included. Which of the following best describes how the
controls should be set up?
A.Remote access points should fail closed.
B.Logging controls should fail open.
C.Safety controls should fail open. (answer)
D.Logical security controls should fail closed.

Question #3:
A technician needs to apply a high-priority patch to a production system. Which of the following
steps should be taken first?
A.Air gap the system.
B. Move the system to a different network segment.
C.Create a change control request. (answer)
D.Apply the patch to the system.

Question #4:
After a company was compromised, customers initiated a lawsuit. The company's attorneys
have requested that the security team initiate a legal hold in response to the lawsuit. Which of
the following describes the action the security team will most likely be required to take?
A.Retain the emails between the security team and affected customers for 30 days.
B.Retain any communications related to the security breach until further notice. (answer)
C.Retain any communications between security members during the breach response.
D.Retain all emails from the company to affected customers for an indefinite period of time.

Question #5:
A company is concerned about weather events causing damage to the server room and
downtime. Which of the following should the company consider?
A. Clustering servers
B. Geographic dispersion (answer)
C. Load balancers
D. Off-site backups

Question #6:
A company decided to reduce the cost of its annual cyber insurance policy by removing the
coverage for
ransomware attacks. Which of the following analysis elements did the company most likely use
in making this decision?
A.MTTR
B.RTO
C.ARO (answer)
D.MTBF

Question #7:
Which of the following is required for an organization to properly manage its restore process in
the event of system failure?
A.IRP
B.DRP (answer)
C.RPO
D.SDLC
Question #8:
A company is developing a business continuity strategy and needs to determine how many staff
members would be required to sustain the business in the case of a disruption. Which of the
following best describes this step?
A.Capacity planning (answer)
B.Redundancy
C.Geographic dispersion
D.Tabletop exercise

Question #9:
An organization is building a new backup data center with cost-benefit as the primary
requirement and RTO and RPO values of two days. Which of the following types of sites is the
best for this scenario?
A.Real-time recovery
B.Hot
C. Cold
D.Warm (answer)

Question #10:
A company is planning a disaster recovery site and needs to ensure that a single natural
disaster would not result in the complete loss of regulated backup data. Which of the following
should the company consider?
A.Geographic dispersion (answer)
B.Platform diversity
C. Hot site
D.Load balancing

Question #11:
Which of the following best describes configuring devices to log to an off-site location for
possible future reference?
A.Log aggregation
B.DLP
C.Archiving (answer)
D.SCAP

Question #12:
Which of the following tasks is typically included in the BIA process?
A.Estimating the recovery time of systems (answer)
B.Identifying the communication strategy
C.Evaluating the risk management plan
D.Establishing the backup and recovery procedures
E.Developing the incident response plan
Question #13:
A systems administrator would like to deploy a change to a production system. Which of the
following must the administrator submit to demonstrate that the system can be restored to a
working state in the event of a performance issue?
A. Backout plan (answer)
B. Impact analysis
C. Test procedure
D. Approval procedure

Question #14:
Which of the following describes effective change management procedures?
A. Approving the change after a successful deployment
B. Having a backout plan when a patch fails (answer)
C. Using a spreadsheet for tracking changes
D. Using an automatic change control bypass for security updates

Question #15:
A company that is located in an area prone to hurricanes is developing a disaster recovery plan
and looking at site
considerations that allow the company to immediately continue operations. Which of the
following is the best type of site for this company?
A. Cold
B. Tertiary
C. Warm
D. Hot (answer)

Question #16:
An organization would like to calculate the time needed to resolve a hardware issue with a
server. Which of the following risk management processes describes this example?
A. Recovery point objective
B. Mean time between failures
C. Recovery time objective
D. Mean time to repair (answer)

Question #17:
A systems administrator wants to implement a backup solution. The solution needs to allow
recovery of the entire system, including the operating system, in case of a disaster. Which of the
following backup types should the administrator consider?
A. Incremental
B. Storage area network
C. Differential
D. Image (answer)

Question #18:
A security team created a document that details the order in which critical systems should be
brought back online after a major outage. Which of the following documents did the team
create?
A. Communication plan
B. Incident response plan
C. Data retention policy
D. Disaster recovery plan (answer)

Question #19:
The Chief Information Security Officer of an organization needs to ensure recovery from
ransomware would likely occur within the organization's agreed-upon RPOS and RTOS. Which
of the following backup scenarios would best ensure recovery?
A. Hourly differential backups stored on a local SAN array
B. Daily full backups stored on premises in magnetic offline media (answer)
C. Daily differential backups maintained by a third-party cloud provider
D. Weekly full backups with daily incremental stored on a NAS drive

Question #20:
A business needs a recovery site but does not require immediate failover. The business also
wants to reduce the workload required to recover from an outage. Which of the following
recovery sites is the best option?
A.Hot
B.Cold
C.Warm (answer)
D.Geographically dispersed

Question #21:
An IT manager is putting together a documented plan describing how the organization will keep
operating in the event of a global incident. Which of the following plans is the IT
manager creating?
A.Business continuity (answer)
B.Physical security
C.Change management
D.Disaster recovery
Chapter 14

Question #1:
During an investigation, an incident response team attempts to understand the source of an
incident. Which of the following incident response activities describes this process?
A.Analysis (answer)
B.Lessons learned
C.Detection
D.Containment

Question #2:
Which of the following is the phase in the incident response process when a security analyst
reviews roles and responsibilities?
A.Preparation (answer)
B.Recovery
C.Lessons learned
D.Analysis

Question #3:
A newly appointed board member with cybersecurity knowledge wants the board of directors to
receive a quarterly report
detailing the number of incidents that impacted the organization. The systems administrator is
creating a way to present the data to the board of directors. Which of the following should the
systems administrator use?
A.Packet captures
B.Vulnerability scans
C.Metadata
D.Dashboard (answer)

Question #4:
A cyber operations team informs a security analyst about a new tactic malicious actors are using
to compromise networks. SIEM alerts have not yet been configured. Which of the following best
describes what the security analyst should do to identify this behavior?
A.Digital forensics
B.E-discovery
C.Incident response
D.Threat hunting (answer)
Question #5:
A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic
coming from an employee's corporate laptop. The security analyst has determined that
additional data about the executable running on the machine is necessary to continue the
investigation. Which of the following logs should the analyst use as a data source?
A.Application
B.IPS/IDS
C.Network
D.Endpoint (answer)

Question #6:
Which of the following describes a security alerting and monitoring tool that collects system,
application, and network logs from multiple sources in a centralized system?
A.SIEM (answer)
B.DLP
C.IDS
D.SNMP

Question #7:
Which of the following exercises should an organization use to improve its incident response
process?
A.Tabletop (answer)
B.Replication
C.Failover
D.Recovery

Question #8:
Which of the following describes the reason root cause analysis should be conducted as part of
incident response?
A. To gather loCs for the investigation
B.To discover which systems have been affected
C. To eradicate any trace of malware on the network
D.To prevent future incidents of the same nature (answer)

Question #9:
A security operations center determines that the malicious activity detected on a server is
normal. Which of the following activities describes the act of ignoring detected activity in the
future?
A.Tuning (answer)
B.Aggregating
C.Quarantining
D.Archiving
Question #10:
Which of the following is the best way to consistently determine on a daily basis whether
security settings on servers have been modified?
A.Automation (answer)
B.Compliance checklist
C.Attestation
D.Manual audit

Question #11:
A security manager created new documentation to use in response to various types of security
incidents. Which of the following is the next step the manager should take?
A.Set the maximum data retention policy.
B.Securely store the documents on an air-gapped network.
C.Review the documents' data classification policy.
D.Conduct a tabletop exercise with the team. (answer)

Question #12:
A security analyst receives alerts about an internal system sending a large amount of unusual
DNS queries to systems on the internet over short periods of time during non-business hours.
Which of the following is most likely occurring?
A.A worm is propagating across the network.
B.Data is being exfiltrated. (answer)
C.A logic bomb is deleting data.
D.Ransomware is encrypting files.

Question #13:
Which of the following incident response activities ensures evidence is properly handled?
A. E-discovery
B. Chain of custody (answer)
C. Legal hold
D. Preservation

Question #14:
A security analyst is investigating an alert that was produced by endpoint protection software.
The analyst determines this event was a false positive triggered by an employee who attempted
to download a file. Which of the following is the most likely reason the download was blocked?
A. A misconfiguration in the endpoint protection software (answer)
B. A zero-day vulnerability in the file
C. A supply chain attack on the endpoint protection vendor
D. Incorrect file permissions
Question #15:
The CIRT is reviewing an incident that involved a human resources recruiter exfiltration
sensitive company data. The CIRT found that the recruiter was able to use HTTP over port 53 to
upload documents to a web server. Which of the following security infrastructure devices could
have identified and blocked this activity?
A. WAF utilizing SSL decryption
B. NGFW utilizing application inspection (answer)
C. UTM utilizing a threat feed
D. SD-WAN utilizing IPSec

Question #16:
An accounting clerk sent money to an attacker's bank account after receiving fraudulent
instructions to use a new account. Which of the following would most likely prevent this activity
in the future?
A. Standardizing security incident reporting
B. Executing regular phishing campaigns
C. Implementing insider threat detection measures
D. Updating processes for sending wire transfers (answer)

Question #17:
Various stakeholders are meeting to discuss their hypothetical roles and responsibilities in a
specific situation such as a security incident or major disaster. Which of the following best
describes this meeting?
A. Penetration test
B. Continuity of operations planning
C. Tabletop exercise (answer)
D. Simulation

Question #18:
A new vulnerability enables a type of malware that allows the unauthorized movement of data
from a system. Which of the following would detect this behavior?
A.Implementing encryption
B.Monitoring outbound traffic (answer)
C.Using default settings
D.Closing all open ports

Question #19:
A cybersecurity incident response team at a large company receives notification that malware is
present on several corporate desktops. No known indicators of compromise have been found on
the network. Which of the following should the team do first to secure the environment?
A. Contain the impacted hosts. (answer)
B. Add the malware to the application blocklist.
C. Segment the core database server.
D. Implement firewall rules to block outbound beaconing

Question #20:
A security analyst discovers that a large number of employee credentials had been stolen and
were being sold on the dark web. The analyst investigates and discovers that some hourly
employee credentials were compromised, but salaried employee credentials were not affected.
Most employees clocked in and out while they were inside the building using one of the kiosks
connected to the network. However, some clocked out and recorded their time after leaving to
go home. Only those who clocked in and out while inside the building had credentials stolen.
Each of the kiosks are on different floors, and there are multiple routers, since the business
segments environments for certain business functions. Hourly employees are required to use a
website called acmetimekeeping.com to clock in and out. This website is accessible from the
internet. Which of the following is the most likely reason for this compromise?
A.A brute-force attack was used against the time-keeping website to scan for common
passwords.
B.A malicious actor compromised the time-keeping website with malicious code using an
unpatched vulnerability on the site, stealing the credentials.
C.The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a
malicious domain that intercepted the credentials and then passed them through to the real site.
(answer)
D.ARP poisoning affected the machines in the building and caused the kiosks to send a copy of
all the submitted credentials to a malicious machine.

Question #21:
Callers speaking a foreign language are using company phone numbers to make unsolicited
phone calls to a partner organization. A security analyst validates through phone system logs
that the calls are occurring and the numbers are not being spoofed. Which of the following is the
most likely explanation?
A. The executive team is traveling internationally and trying to avoid roaming charges.
B. The company's SIP server security settings are weak.
C. Disgruntled employees are making calls to the partner organization.
D. The service provider has assigned multiple companies the same numbers. (answer)

Question #22:
A growing company would like to enhance the ability of its security operations center to detect
threats but reduce the amount of manual work required for the security analysts. Which of the
following would best enable the reduction in manual work?
A. SOAR (answer)
B. SIEM
C. MDM D. DLP
Question #23:
Which of the following is a reason why a forensic specialist would create a plan to preserve data
after an incident and prioritize the sequence for performing forensic analysis?
A.Order of volatility (answer)
B.Preservation of event logs
C.Chain of custody
D.Compliance with legal hold

Question #24:
An analyst is reviewing an incident in which a user clicked on a link in a phishing email. Which
of the following log sources would the analyst utilize to determine whether the connection was
successful?
A. Network (answer)
B. System
C. Application
D. Authentication

Question #25:
Which of the following is the final step of the incident response process?
A. Lessons learned (answer)
B. Eradication
C. Containment
D. Recovery

Question #26:
Which of the following should a security operations center use to improve its incident response
procedure?
A.Playbooks (answer)
B.Frameworks
C.Baselines
D.Benchmarks

Question #27:
Which of the following describes an executive team that is meeting in a boardroom and testing
the company's incident response plan?
A.Continuity of operations
B.Capacity planning
C.Tabletop exercise (answer)
D.Parallel processing
Question #28:
Which of the following alert types is the most likely to be
ignored over time?
A.True positive
B.True negative
C.False positive (answer)
D.False negative

Question #29:
A security analyst is investigating a workstation that is suspected of outbound communication to
a command-and-control server. During the investigation, the analyst discovered that logs on the
endpoint were deleted. Which of the following logs would the analyst most likely look at next?
A.IPS
B.Firewall (answer)
C.ACL
D.Windows security

Question #30:
An organization experiences a cybersecurity incident involving a command-and-control server.
Which of the following logs should be analyzed to identify the impacted host? (Select two).
A.Application
B.Authentication
D.Network (answer)
E.Firewall (answer)

Question #31:
Which of the following phases of an incident response involves generating reports?
A.Recovery
B.Preparation
C.Lessons learned (answer)
D.Containment

Question #32:
Which of the following strategies should an organization use to efficiently manage and analyze
multiple types of logs?
A.Deploy a SIEM solution (answer)
B.Create custom scripts to aggregate and analyze logs
C.Implement EDR technology
D.Install a unified threat management appliance
Question #33:
Which of the following should be used to aggregate log data in order to create alerts and detect
anomalous activity?
A.SIEM (answer)
B.WAF
C.Network taps
D.IDS