During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of 12 months via the internet. The penetration tester stops the test to inform the client of the findings. Which of the following should be the client's NEXT step to mitigate the issue? Conduct a full vulnerability scan to identify possible vulnerabilities. Perform containment on the critical servers and resources. Review the firewall and identify the source of the active connection. Disconnect the entire infrastructure from the internet.
A security analyst is designing the appropriate controls to limit unauthorized access to a physical site. The analyst has a directive to utilize the lowest possible budget. Which of the following would BEST meet the requirements? Preventive controls Compensating controls Deterrent controls Detective controls.
A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has 100 databases that are on premises. Which of the following solutions will require the LEAST management and support from the company? SaaS IaaS PaaS SDN.
Which of the following employee roles is responsible for protecting an organization's collected personal information? CTO DPO CEO DBA.
Against the recommendation of the IT security analyst, a company set all user passwords on a server as `P@55w0rD`. Upon review of the /etc/passwd file, an attacker found the following: alice:a8df3b6c4fd75f0617431fd248f35191df8d237f bob:2d250c5b2976b03d757f324ebd59340df96aa05e chris:ea981ec3285421d014108089f3f3f997ce0f4150
Which of the following BEST explains why the encrypted passwords do not match? Perfect forward secrecy Key stretching Salting Hashing.
After gaining access to a dual-homed (i.e., wired and wireless) multifunction device by exploiting a vulnerability in the device's firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of: privilege escalation. footprinting. persistence. pivoting.
Which of the following should be monitored by threat intelligence researchers who search for leaked credentials? Common Weakness Enumeration OSINT Dark web Vulnerability databases.
A security analyst needs to be able to search and correlate logs from multiple sources in a single tool. Which of the following would BEST allow a security analyst to have this ability? SOAR SIEM Log collectors Network-attached storage.
A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the following output:
Which of the following is MOST likely occurring? XSS attack SQLi attack Replay attack XSRF attack.
Which of the following components can be used to consolidate and forward inbound internet traffic to multiple cloud environments though a single firewall? Transit gateway Cloud hot site Edge computing DNS sinkhole.
A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports that several Linux servers were unavailable due to system files being deleted unexpectedly. A security analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any servers were found. Which of the following attacks was MOST likely used to cause the data loss? Logic bomb Ransomware Fileless virus Remote access Trojans Rootkit.
Digital signatures use asymmetric encryption. This means the message is encrypted with: the sender's private key and decrypted with the sender's public key. the sender's public key and decrypted with the sender's private key the sender's private key and decrypted with the recipient's public key the sender's public key and decrypted with the recipient's private key.
A security engineer was assigned to implement a solution to prevent attackers from gaining access by pretending to be authorized users. Which of the following technologies meets the requirement? SSO IDS MFA TPM.
The Chief Information Security Officer (CISO) has requested that a third-party vendor provide supporting documents that show proper controls are in place to protect customer data. Which of the following would be BEST for the third-party vendor to provide to the CISO? GDPR compliance attestation Cloud Security Alliance materials SOC 2 Type 2 report NIST RMF workbooks.
Which of the following is assured when a user signs an email using a private key? Non-repudiation Confidentiality Availability Authentication.
A systems administrator is troubleshooting a server's connection to an internal web server. The administrator needs to determine the correct ports to use. Which of the following tools BEST shows which ports on the web server are in a listening state? ipconfig ssh ping netstat.
Which of the following BEST reduces the security risks introduced when running systems that have expired vendor support and lack an immediate replacement? Implement proper network access restrictions. Initiate a bug bounty program. Classify the system as shadow IT. Increase the frequency of vulnerability scans.
Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change? The business continuity plan The retention policy The disaster recovery plan The incident response plan.
While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor? Utilizing SIEM correlation engines Deploying Netflow at the network border Disabling session tokens for all sites Deploying a WAF for the web server.
Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective companies. A combined effort from both organizations' SOC teams would speed up the effort. Which of the following can be written to document this agreement? MOU ISA SLA NDA.
The Chief Information Security Officer wants to prevent exfiltration of sensitive information from employee cell phones when using public USB power charging stations. Which of the following would be the BEST solution to implement? DLP USB data blocker USB OTG Disabling USB ports.
The board of directors at a company contracted with an insurance firm to limit the organization's liability. Which of the following risk management practices does this BEST describe? Transference Avoidance Mitigation Acknowledgement.
Which of the following is a risk that is specifically associated with hosting applications in the public cloud? Unsecured root accounts Zero-day Shared tenancy Insider threat.
DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching alternatives to make the cloud environment respond to load fluctuation in a cost-effective way. Which of the following options BEST fulfills the architect's requirements? An orchestration solution that can adjust scalability of cloud assets Use of multipath by adding more connections to cloud storage Cloud assets replicated on geographically distributed regions An on-site backup that is displayed and only used when the load increases.
Which of the following documents provides expectations at a technical level for quality, availability, and responsibilities? EOL SLA MOU EOSL.
Which of the following is an example of transference of risk? Purchasing insurance Patching vulnerable servers Retiring outdated applications Application owner risk sign-off.
An employee received a word processing file that was delivered as an email attachment. The subject line and email content enticed the employee to open the attachment. Which of the following attack vectors BEST matches this malware? Context-aware authentication Simultaneous authentication of equals Extensive authentication protocol Agentless network access control.
Which of the following secure coding techniques makes compromised code more difficult for hackers to use? Obfuscation Normalization Execution Reuse.
As part of a security compliance assessment, an auditor performs automated vulnerability scans. In addition, which of the following should the auditor do to complete the assessment? User behavior analysis Packet captures Configuration reviews Log analysis.
A database administrator wants to grant access to an application that will be reading and writing data to a database. The database is shared by other applications also used by the finance department. Which of the following account types is MOST appropriate for this purpose? Service Shared Generic Admin.
A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis. Which of the following tools will the other team member MOST likely use to open this file? Autopsy Memdump FTK imager Wireshark.
An application developer accidentally uploaded a company's code-signing certificate private key to a public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST? Delete the private key from the repository. Verify the public key is not exposed as well. Update the DLP solution to check for private keys. Revoke the code-signing certificate.
An organization implemented a process that compares the settings currently configured on systems against secure configuration guidelines in order to identify any gaps. Which of the following control types has the organization implemented? Compensating Corrective Preventive Detective.
The Chief Information Security Officer directed a risk reduction in shadow IT and created a policy requiring all unsanctioned high-risk SaaS applications to be blocked from user access. Which of the following is the BEST security solution to reduce this risk? CASB VPN concentrator MFA VPC endpoint.
A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process BEST protect? Data in transit Data in processing Data at rest Data tokenization.
A security analyst was called to investigate a file received directly from a hardware manufacturer. The analyst is trying to determine whether the file was modified in transit before installation on the user's computer. Which of the following can be used to safely assess the file? Check the hash of the installation file. Match the file names. Verify the URL download location. Verify the code signing certificate.
A help desk technician receives a phone call from someone claiming to be a part of the organization's cybersecurity incident response team. The caller asks the technician to verify the network's internal firewall IP Address. Which of the following is the technician's BEST course of action? Direct the caller to stop by the help desk in person and hang up declining any further requests from the caller. Ask for the caller's name, verify the person's identity in the email directory, and provide the requested information over the phone. Write down the phone number of the caller if possible, the name of the person requesting the information, hang up, and notify the organization's cybersecurity officer. Request the caller send an email for identity verification and provide the requested information via email to the caller.
Which of the following would BEST provide detective and corrective controls for thermal regulation? A smoke detector A fire alarm An HVAC system A fire suppression system Guards.
Which of the following is a benefit of including a risk management framework into an organization's security approach? It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner It provides legal assurances and remedies in the event a data breach occurs. It incorporates control, development, policy, and management activities into IT operations.
An organization maintains several environments in which patches are developed and tested before being deployed to an operational status. Which of the following is the environment in which patches will be deployed just prior to being put into an operational status? Development Test Production Staging.
During a trial, a judge determined evidence gathered from a hard drive was not admissible. Which of the following BEST explains this reasoning? The forensic investigator forgot to run a checksum on the disk image after creation. The chain of custody form did not note time zone offsets between transportation regions. The computer was turned off, and a RAM image could not be taken at the same time. The hard drive was not properly kept in an antistatic bag when it was moved.
An organization wants to implement a biometric system with the highest likelihood that an unauthorized user will be denied access. Which of the following should the organization use to compare biometric solutions? FRR Difficulty of use Cost FAR CER.
A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee's COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST remediation for this data leak? User training CASB MDM DLP.
An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the IP address associated with the shopping site. Later, the user received an email regarding the credit card statement with unusual purchases. Which of the following attacks took place? On-path attack Protocol poisoning Domain hijacking Bluejacking.
A company is considering transitioning to the cloud. The company employs individuals from various locations around the world. The company does not want to increase its on premises infrastructure blueprint and only wants to pay for additional compute power required. Which of the following solutions would BEST meet the needs of the company? Private cloud Hybrid environment Managed security service provider Hot backup site.
After multiple on premises security solutions were migrated to the cloud, the incident response time increased. The analysts are spending a long time trying to trace information on different cloud consoles and correlating data in different formats. Which of the following can be used to optimize the incident response time? CASB VPC SWG CMS.
Which of the following control types would be BEST to use in an accounting department to reduce losses from fraudulent transactions? Recovery Deterrent Corrective Detective.
A company is receiving emails with links to phishing sites that look very similar to the company's own website address and content. Which of the following is the BEST way for the company to mitigate this attack? Create a honeynet to trap attackers who access the VPN with credentials obtained by phishing. Generate a list of domains similar to the company's own and implement a DNS sinkhole for each. Disable POP and IMAP on all Internet-facing email servers and implement SMTPS. Use an automated tool to flood the phishing websites with fake usernames and passwords.
A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful SSH attempts to a functional user ID have been attempted on each one of them in a short period of time. Which of the following BEST explains this behavior? Rainbow table attack Password spraying Logic bomb Malware bot.
A tax organization is working on a solution to validate the online submission of documents. The solution should be carried on a portable USB device that should be inserted on any computer that is transmitting a transaction securely. Which of the following is the BEST certificate for these requirements? User certificate Self-signed certificate Computer certificate Root certificate.
A routine audit of medical billing claims revealed that several claims were submitted without the subscriber's knowledge. A review of the audit logs for the medical billing company's system indicated a company employee downloaded customer records and adjusted the direct deposit information to a personal bank account. Which of the following does this action describe? Insider threat Social engineering Third-party risk Data breach.
A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web application using a third-party library. The development staff state there are still customers using the application even though it is end of life and it would be a substantial burden to update the application for compatibility with more secure libraries. Which of the following would be the MOST prudent course of action? Accept the risk if there is a clear road map for timely decommission. Deny the risk due to the end-of-life status of the application. Use containerization to segment the application from other applications to eliminate the risk Outsource the application to a third-party developer group.
A security analyst is evaluating solutions to deploy an additional layer of protection for a web application. The goal is to allow only encrypted communications without relying on network devices. Which of the following can be implemented? HTTP security header DNSSEC implementation SRTP S/MIME.
A company labeled some documents with the public sensitivity classification. This means the documents can be accessed by: employees of other companies and the press. all members of the department that created the documents only the company's employees and those listed in the document. only the individuals listed in the documents.
Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code? Check to see if the third party has resources to create dedicated development and staging environments. Verify the number of companies that downloaded the third-party code and the number of contributions on the code repository. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries' developers. Read multiple penetration-testing reports for environments running software that reused the library.
A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email? Check the metadata in the email header of the received path in reverse order to follow the email's path Hover the mouse over the CIO's email address to verify the email address. Look at the metadata in the email header and verify the ג€From:ג€ line matches the CIO's email address. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.
A company needs to validate its updated incident response plan using a real-world scenario that will test decision points and relevant incident response actions without interrupting daily operations. Which of the following would BEST meet the company's requirements? Red-team exercise Capture-the-flag exercise Tabletop exercise Phishing exercise.
Security analysts are conducting an investigation of an attack that occurred inside the organization's network. An attacker was able to collect network traffic between workstations throughout the network. The analysts review the following logs
The Layer 2 address table has hundreds of entries similar to the ones above. Which of the following attacks has MOST likely occurred? SQL injection DNS spoofing MAC flooding ARP poisoning.
A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against corporate credentials. Which of the following controls was being violated? Password complexity Password history Password reuse Password length.
A security analyst has been tasked with creating a new Wi-Fi network for the company. The requirements received by the analyst are as follows:
• Must be able to differentiate between users connected to Wi-Fi
• The encryption keys need to change routinely without interrupting the users or forcing re-authentication
• Must be able to integrate with RADIUS
• Must not have any open SSIDs
Which of the following options BEST accommodates these requirements? WPA2-Enterprise WPA3-PSK 802.11n WPS.
A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:
Which of the following types of attacks is being attempted and how can it be mitigated? XSS. implement a SIEM CSRF. implement an IPS Directory traversal implement a WAF SQL infection, implement an IDS.
A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the BEST remediation to prevent this vulnerability? Implement input validations. Deploy MFA. Utilize a WAF. Configure HIPS.
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
• Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
• Internal users in question were changing their passwords frequently during that time period.
• A jump box that several domain administrator users use to connect to remote devices was recently compromised.
• The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access? Pass-the-hash Brute-force Directory traversal Replay.
A security administrator has discovered that workstations on the LAN are becoming infected with malware. The cause of the infections appears to be users receiving phishing emails that are bypassing the current email-filtering technology. As a result, users are being tricked into clicking on malicious URLs, as no internal controls currently exist in the environment to evaluate their safety.
Which of the following would be BEST to implement to address the issue? Forward proxy HIDS Awareness training A jump server IPS.
A security manager needs to assess the security posture of one of the organization's vendors. The contract with the vendor does not allow for auditing of the vendor's security controls. Which of (he following should the manager request to complete the assessment? A service-level agreement A business partnership agreement A SOC 2 Type 2 report A memorandum of understanding.
A company Is planning to install a guest wireless network so visitors will be able to access the Internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would BEST protect the company's Internal wireless network against visitors accessing company resources? Configure the guest wireless network to be on a separate VLAN from the company's internal wireless network Change the password for the guest wireless network every month. Decrease the power levels of the access points for the guest wireless network. Enable WPA2 using 802.1X for logging on to the guest wireless network.
Per company security policy, IT staff members are required to have separate credentials to perform administrative functions using just-in-time permissions. Which of the following solutions is the company Implementing? Privileged access management SSO RADIUS Attribute-based access control.
An organization is moving away from the use of client-side and server-side certificates for EAR The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements? PEAP EAP-FAST EAP-TLS EAP-TTLS.
A Chief Information Officer is concerned about employees using company-issued laptops lo steal data when accessing network shares. Which of the following should the company Implement? DLP CASB HIDS EDR UEFI.
Which of the following function as preventive, detective, and deterrent controls to reduce the risk of physical theft? (Choose two.) Mantraps Security guards Fences Signage Motion sensors Bollards.
A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.
Which of the following is the MOST proactive tool or technique that feeds incident response capabilities? Development of a hypothesis as part of threat hunting Log correlation, monitoring, and automated reporting through a SIEM platform Continuous compliance monitoring using SCAP dashboards Quarterly vulnerability scanning using credentialed scans.
A systems engineer is building a new system for production. Which of the following is the FINAL step to be performed prior to promoting to production? Disable unneeded services Install the latest security patches Run a vulnerability scan. Encrypt all disks.
A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security contral standards. Which of the following is the MOST likely source of the breach? Side channel Supply chain Cryptographic downgrade Malware.
Which of the following authentication methods sends out a unique password to be used within a specific number of seconds? TOTP Biometrics Kerberos LDAP.
Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum? Hashing Salting Integrity Digital signature.
Hackers recently attacked a company's network and obtained several unfavorable pictures from the Chief Executive Officer's workstation. The hackers are threatening to send the images to the press if a ransom is not paid. Which of the following is impacted the MOST? Identify theft Data loss Data exfiltration Reputation.
A software company is analyzing a process that detects software vulnerabilities at the earliest stage possible. The goal is to scan the source looking for unsecure practices and weaknesses before the application is deployed in a runtime environment. Which of the following would BEST assist the company with this objective? Use fuzzing testing Use a web vulnerability scanner Use static code analysis Use a penetration-testing OS.
A new plug-and-play storage device was installed on a PC in the corporate environment. Which of the following safeguards will BEST help to protect the PC from malicious files on the storage device? Change the default settings on the PC. Define the PC firewall rules to limit access. Encrypt the disk on the storage device. Plug the storage device in to the UPS.
As part of the lessons-learned phase, the SOC is tasked with building methods to detect if a previous incident is happening again. Which of the following would allow the security analyst to alert the SOC if an event is reoccurring? Creating a playbook within the SOAR Implementing rules in the NGFW Updating the DLP hash database Publishing a new CRL with revoked certificates.
A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices Which of the following is a cost-effective approach to address these concerns? Enhance resiliency by adding a hardware RAID. Move data to a tape library and store the tapes off-site Install a local network-attached storage. Migrate to a cloud backup solution.
Which of the following provides a catalog of security and privacy controls related to the United States federal information systems? GDPR PCI DSS ISO 27000 NIST 800-53.
During an investigation, the incident response team discovers that multiple administrator accounts were suspected of being compromised. The host audit logs indicate a repeated brute-force attack on a single administrator account followed by suspicious logins from unfamiliar geographic locations.
Which of the following data sources would be BEST to use to assess the accounts impacted by this attack? User behavior analytics Dump files Bandwidth monitors Protocol analyzer output.
A systems analyst determines the source of a high number of connections to a web server that were initiated by ten different IP addresses that belong to a network block in a specific country. Which of the following techniques will the systems analyst MOST likely implement to address this issue? Content filter SIEM Firewall rules DLP.
Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing? Development Staging Production Test.
A Chief Information Officer receives an email stating a database will be encrypted within 24 hours unless a payment of $20,000 is credited to the account mentioned In the email. This BEST describes a scenario related to: whaling. smishing. spear phishing vishing.
A help desk technician receives an email from the Chief Information Officer (C/O) asking for documents. The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician do to validate the authenticity of the email? Check the metadata in the email header of the received path in reverse order to follaw the email’s path. Hover the mouse over the CIO's email address to verify the email address. Look at the metadata in the email header and verify the "From." line matches the CIO's email address. Forward the email to the CIO and ask if the CIO sent the email requesting the documents.
A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the BEST solution to prevent this type of incident from occurring again? Enforce the use of a controlled trusted source of container images Deploy an IPS solution capable of detecting signatures of attacks targeting containers Define a vulnerability scan to assess container images before being introduced on the environment Create a dedicated VPC for the containerized environment.
Which of the following are the MOST likely vectors for the unauthorized inclusion of vulnerable code in a software company’s final software releases? (Select TWO.) Unsecure protocols Use of penetration-testing utilities Weak passwords Included third-party libraries Vendors/supply chain Outdated anti-malware software.
Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan? Vulnerabilities with a CVSS score greater than 6.9. Critical infrastructure vulnerabilities on non-IP protocols. CVEs related to non-Microsoft systems such as printers and switches. Missing patches for third-party software on Windows workstations and servers.
An organization's Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities? Data protection officer Data owner Backup administrator Data custodian Internal auditor.
|
