
CYSA+


Description:
300-350 Q&A

Creation Date: 2025/08/20

Category: Others

Number of questions: 51

Content:

A security analyst scanned an internal company subnet and discovered a host with the following Nmap output:

    nmap -Pn 10.233.117.0/24
    Host is up (0.0021s latency)
    Not shown: 967 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    135/tcp  open  msrpc
    445/tcp  open  microsoft-ds
    137/tcp  open  netbios-ns
    3389/tcp open  ms-term-serv

Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?
- Port 22
- Port 135
- Port 445
- Port 3389

A security analyst is inspecting the header of an email that is presumed to be malicious. The header reads:

    Received: from sonic306-20.navigator.mail.company.com (77.21.102.11)
        by mx.google.com with ESMTPS id qu22a111129667eaa.101.2020.02.21.01.22.55
        for <version=TLS1.0 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128>;
        Mon, 21 Feb 2020 01:22:55 -0600 (MST)
    From: smith@yahoo.com
    To: jones@gmail.com
    Subject: Resume Attached

Which of the following is inconsistent with the rest of the header and should be treated as suspicious?
- The use of a TLS cipher
- The sender's email address
- The destination email server
- The subject line

A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability. Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system. Which of the following registry keys would most likely have this information?
- HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_USERS\\Software\Microsoft\Windows\explorer\MountPoints2
- HKEY_USERS\\Software\Microsoft\Internet Explorer\Typed URLs
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub

A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server.

Tool A reported the following:

    The target host (192.168.10.13) is missing the following patches:
    CRITICAL KB50227328: Windows Server 2016 June 2019 Cumulative Update
    CRITICAL KB50255293: Windows Server 2016 July 2019 Cumulative Update
    HIGH     MS19-055: Cumulative Security Update for Edge (2863871)

Tool B reported the following:

    Methods GET HEAD OPTIONS POST TRACE are allowed on 192.168.10.13:80
    192.168.10.13:443 uses a self-signed certificate
    Apache 4.2.x < 4.2.28 Contains Multiple Vulnerabilities

Which of the following best describes the method used by each tool? (Choose two.)
- Tool A is agent based
- Tool A used fuzzing logic to test vulnerabilities
- Tool A is unauthenticated
- Tool B utilized machine learning technology
- Tool B is agent based
- Tool B is unauthenticated

A network appliance manufacturer is building a new generation of devices and would like to include chipset security improvements. The management team wants the security team to implement a method to prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset. Which of the following would meet this objective?
- UEFI
- A hardware security module
- eFUSE
- Certificate-signed updates

An analyst received an alert regarding an application spawning a suspicious command shell process. Upon further investigation, the analyst observes the following registry change occurring immediately after the suspicious event:

    Action:         Registry Write
    Registry Key:   HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy
    Registry Value: EnableFirewall
    Registry Data:  0

Which of the following was the suspicious event able to accomplish?
- Impair defenses
- Establish persistence
- Bypass file access controls
- Implement beaconing

A security analyst recently implemented a new vulnerability scanning platform. The initial scan of 438 hosts found the following vulnerabilities:
- 210 critical
- 1,854 high
- 1,786 medium
- 48 low

The analyst is unsure how to handle such a large-scale remediation effort. Which of the following would be the next logical step?
- Identify the assets with a high value and remediate all vulnerabilities on those hosts
- Perform remediation activities for all critical and high vulnerabilities first
- Perform a risk calculation to determine the probability and magnitude of exposure
- Identify the vulnerabilities that affect the most systems and remediate them first

A large company would like a security analyst to recommend a solution that will allow only company laptops to connect to the corporate network. Which of the following technologies should the analyst recommend?
- UEBA
- DLP
- NAC
- EDR

An analyst is reviewing the following output:

    if (searchname != null) { %>
    employee <%searchname%> not found
    <% }

    Vulnerability found: Improper neutralization of script-related HTML tag

Which of the following was most likely used to discover this?
- Reverse engineering using a debugger
- A static analysis vulnerability scan
- A passive vulnerability scan
- A database vulnerability scan

The SFTP server logs show thousands of failed login attempts from hundreds of IP addresses worldwide. Which of the following controls would BEST protect the service?
- Whitelisting authorized IP addresses
- Blacklisting unauthorized IP addresses
- Enforcing more complex password requirements
- Establishing a sinkhole service

A security analyst needs to recommend a solution that will allow users at a company to access cloud-based SaaS services but also prevent them from uploading and exfiltrating data. Which of the following solutions should the security analyst recommend?
- CASB
- MFA
- VPN
- VPS
- DLP

A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?
- Deploy an edge firewall
- Implement DLP
- Deploy EDR
- Encrypt the hard drives

During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs. The analyst observes the following response codes:
- 20% of the logs are 403
- 20% of the logs are 404
- 50% of the logs are 200
- 10% of the logs are other codes

The server generates 2 MB of logs on a daily basis, and the current day's log is over 200 MB. Which of the following commands should the analyst use to identify the source of the activity?
- cat access_log | grep " 403 "
- cat access_log | grep " 200 "
- cat access_log | grep " 100 "
- cat access_log | grep " 404 "
- cat access_log | grep " 204 "

A security operations manager wants to build out an internal threat-hunting capability. Which of the following should be the first priority when creating a threat-hunting program?
- Establishing a hypothesis about which threats are targeting which systems
- Profiling common threat actors and activities to create a list of IOCs
- Ensuring logs are sent to a centralized location with search and filtering capabilities
- Identifying critical assets that will be used to establish targets for threat-hunting activities

A Chief Information Security Officer is concerned that contract developers may be able to steal the code used to design the company's latest application, since they are able to pull code from a cloud-based repository directly to laptops that are not owned by the company. Which of the following solutions would best protect the company code from being stolen?
- MDM
- SCA
- CASB
- VDI

A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue?
- Change the security model to force the users to access the database as themselves
- Parameterize queries to prevent unauthorized SQL queries against the database
- Configure database security logging using syslog or a SIEM
- Enforce unique session IDs so users do not get a reused session ID

Which of the following best describes the process by which code is developed, tested, and deployed in small batches?
- Agile
- Waterfall
- SDLC
- Dynamic code analysis

A security analyst is reviewing the logs and notices the following entries:

    ' or 1=1
    admin" or "1" = "1
    admin" or "1" = "1"#
    admin' or '1' = '1' /*

Which of the following most likely occurred?
- LDAP injection
- Clickjacking
- XSS
- SQLi

Which of the following is a reason to take a DevSecOps approach to a software assurance program?
- To find and fix security vulnerabilities earlier in the development process
- To speed up user acceptance testing in order to deliver the code to production faster
- To separate continuous integration from continuous development in the SDLC
- To increase the number of security-related bug fixes worked on by developers

While investigating reports of issues with a web server, a security analyst attempts to log in remotely and receives the following message:

    [root@localhost /root]# ssh user1@10.254.2.25
    Connection timed out.

The analyst accesses the server console, and the following console messages are displayed:

    Out of memory: Kill process 3448(httpd) score 41 or sacrifice child
    Killed process 3448(httpd) total-vm:74716kB, anon-rss: 23456kB, file-rss:1683kB
    Out of memory: Kill process 3449(httpd) score 41 or sacrifice child
    Killed process 3449(httpd) total-vm:74634kB, anon-rss: 28542kB, file-rss:1357kB
    Out of memory: Kill process 3452(httpd) score 41 or sacrifice child
    Killed process 3452(httpd) total-vm:73466kB, anon-rss: 29753kB, file-rss:1925kB

The analyst is also unable to log in on the console. While reviewing network captures for the server, the analyst sees many packets with the following signature:

    10.254.2.25.6781 > 128.50.100.23.80
    10.254.2.25.6782 > 128.50.100.23.80
    10.254.2.25.6783 > 128.50.100.23.80
    10.254.2.25.6784 > 128.50.100.23.80

Which of the following is the best step for the analyst to take next in this situation?
- Load the network captures into a protocol analyzer to further investigate the communication with 128.50.100.23, as this may be a botnet command server
- After ensuring network captures from the server are saved, isolate the server from the network, take a memory snapshot, reboot, and log in to do further analysis
- Corporate data is being exfiltrated from the server. Reboot the server and log in to see if it contains any sensitive data
- Cryptomining malware is running on the server and utilizing all CPU and memory. Reboot the server and disable any cron jobs or startup scripts that start the mining software

Which of the following is a reason for correctly identifying APTs that might be targeting an organization?
- APTs' passion for social justice will make them ongoing and motivated attackers
- APTs utilize methods and technologies differently than other threats
- APTs are primarily focused on financial gain and are widely available over the internet
- APTs lack sophisticated methods, but their dedication makes them persistent

A security operations manager wants some recommendations for improving security monitoring. The security team currently uses past events to create an IoC list for monitoring. Which of the following is the best suggestion for improving monitoring capabilities?
- Update the IPS and IDS with the latest rule sets from the provider
- Create an automated script to update the IPS and IDS rule sets
- Use an automated subscription to select threat feeds for IDS
- Implement an automated malware solution on the IPS

After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?
- Privilege management
- Group Policy Object management
- Change management
- Asset management

A large company wants to address frequent outages on critical systems with a secure configurations program. The Chief Information Security Officer (CISO) has asked the analysts to conduct research and make recommendations for a cost-effective solution with the least amount of disruption to the business. Which of the following would be the best way to achieve these goals?
- Adopt the CIS security controls as a framework, apply configurations to all assets, and then notify asset owners of the change
- Coordinate with asset owners to assess the impact of the CIS critical security controls, perform testing, and then implement across the enterprise
- Recommend multiple security controls depending on business unit needs, and then apply configurations according to the organization's risk tolerance
- Ask asset owners which configurations they would like, compile the responses, and then present all options to the CISO for approval to implement

A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the Common Vulnerabilities and Exposures (CVE) database. Which of the following should the security team do next to resolve the critical findings in the most effective manner? (Choose two.)
- Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities
- Remove the servers reported to have high and medium vulnerabilities
- Tag the computers with critical findings as a business risk acceptance
- Manually patch the computers on the network, as recommended on the CVE website
- Harden the hosts on the network, as recommended by the NIST framework
- Resolve the monthly job issues and test them before applying them to the production network

A consumer credit card database was compromised, and multiple representatives are unable to review the appropriate customer information. Which of the following should the cybersecurity analyst do first?
- Start the containment effort
- Confirm the incident
- Notify local law enforcement officials
- Inform the senior management team

After running the cat file01.bin | hexdump -C command, a security analyst reviews the following output snippet:

    00000000  ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01  |......JFIF......|

Which of the following digital-forensics techniques is the analyst using?
- Reviewing the file hash
- Debugging the binary file
- Implementing file carving
- Verifying the file type
- Utilizing reverse engineering

A security analyst for a large pharmaceutical company was given credentials from a threat intelligence resources organization for internal users, which contain usernames and valid passwords for company accounts. Which of the following is the first action the analyst should take as part of security operations monitoring?
- Run scheduled antivirus scans on all employees' machines to look for malicious processes
- Reimage the machines of all users within the group in case of a malware infection
- Change all the user passwords to ensure the malicious actors cannot use them
- Search the event logs for event identifiers that indicate Mimikatz was used

Security awareness and compliance programs are most effective at reducing the likelihood and impact of attacks from:
- advanced persistent threats
- corporate spies
- hacktivists
- insider threats

A security technician configured a NIDS to monitor network traffic. Which of the following is a condition in which harmless traffic is classified as a potential network attack?
- True positive
- True negative
- False positive
- False negative

Which of the following is the greatest security concern regarding ICS?
- The involved systems are generally hard to identify
- The systems are configured for automatic updates, leading to device failure
- The systems are oftentimes air gapped, leading to fileless malware attacks
- Issues on the systems cannot be reversed without rebuilding the systems

Which of the following is the best method to ensure secure boot UEFI features are enabled to prevent boot malware?
- Enable secure boot in the hardware and reload the operating system
- Reconfigure the system's MBR and enable NTFS
- Set UEFI to legacy mode and enable security features
- Convert the legacy partition table to UEFI and repair the operating system

Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts. The company's AUP and code of conduct prohibit this practice. Which of the following configuration changes would improve security and help prevent this from occurring?
- Configure the DLP transport rules to provide deep content analysis
- Put employees' personal email accounts on the mail server on a blocklist
- Set up IPS to scan for outbound emails containing names and contact information
- Use Group Policy to prevent users from copying and pasting information into emails
- Move outbound emails containing names and contact information to a sandbox for further examination

During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition?
- strings
- head
- fsstat
- dd

Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications?
- Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot
- Supervised algorithms require security analyst feedback, while unsupervised algorithms do not
- Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are
- Unsupervised algorithms produce more false positives than supervised algorithms

A security analyst notices the following proxy log entries:

    Received From: (proxy) 192.168.2.1>/usr/local/var/logs/access.log
    Rule: 5022 fired (level 10)
    > 0 192.168.2.101 TCP_DENIED/403 1382 CONNECT 63.51.205.114:25 NONE/text/html
      2 192.168.2.101 TCP_DENIED/403 1378 CONNECT 12.19.101.4:25 NONE/text/html
      0 192.168.2.101 TCP_DENIED/403 1390 GET http://www.ebay.com/ NONE/text/html
      3 192.168.2.101 TCP_DENIED/403 1378 CONNECT 16.9.161.24:25 NONE/text/html
      5 192.168.2.101 TCP_DENIED/403 1392 GET http://www.news.com/ NONE/text/html

Which of the following is the user attempting to do based on the log entries?
- Use a DoS attack on external hosts
- Exfiltrate data
- Scan the network
- Relay email

During an investigation, an analyst discovers a server is vulnerable to an attack against an application that processes XML input. Which of the following controls must be in place to prevent such an attack?
- Filter all inputs, applying the allow list concept for each parameter from XML content
- Enable an XML external entity and escape each parameter that is received through the XML file
- Implement parameterized queries for each XML parser
- Disable document type definitions completely using the proper method for each parser

During an incident, an analyst works closely with specific team members. Which of the following best explains why communication is limited to specific team members?
- To determine when information can be released
- To provide rules and regulations on reporting requirements
- To prevent an inadvertent release of information
- To determine who can participate

A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly confidential files. Any changes to these files must be tied back to a specific authorized user's activity session. Which of the following is the best technique to address the CISO's concerns?
- Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for unauthorized changes.
- Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for unauthorized changes.
- Place a legal hold on the files. Require authorized users to abide by a strict time context access policy. Monitor the files for unauthorized changes.
- Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

During a risk assessment, a senior manager inquires about what the cost would be if a unique occurrence would impact the availability of a critical service. The service generates $1,000 in revenue for the organization. The impact of the attack would affect 20% of the server's capacity to perform jobs. The organization expects that five out of twenty attacks would succeed during the year. Which of the following is the calculated single loss expectancy?
- $200
- $800
- $5,000
- $20,000

During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the best way to locate this issue?
- Reduce the session timeout threshold
- Deploy MFA for access to the web server
- Implement input validation
- Run a dynamic code analysis

A security analyst is reviewing vulnerability scans from an organization's internet-facing web services. The following is from an output file called ssl-test_webapps.compnia.org:

    SCAN RESULTS FOR webapps.compnia.org:443 - 52.165.16.154

    * Certificates Information:
      Hostname sent for SNI: webapps.compnia.org
      Number of Certificates detected: 1

      Certificate #0 ( _RSAPublicKey )
        SHA1 Fingerprint: 441756aa3a5b1a21fb84698072b3427bf4607117
        Common Name: ,compnia.org
        Public Key Algorithm: _RSAPublicKey
        Signature Algorithm: sha256
        Key Size: 2048
        Exponential: 65537 USE
        Subject Alternative Names: ['*.compnia.org']

      Certificate #0 - Extensions
        OCSP Must-Staple: NOT SUPPORTED - Extension not found
        Certificate Transparency: OK - 3 SCTs included

      Certificate #0 - OCSP Stapling
        NOT SUPPORTED - Server did not send back an OCSP response

    * SSL 3.0 Cipher Suites:
      Attempted to connect using 80 cipher suites.
      The server accepted the following 10 cipher suites:
        TLS_RSA_WITH_AES_128_CBC_SHA        128
        TLS_RSA_WITH_AES_128_CBC_MD5        128
        TLS_RSA_WITH_DES_CBC_SHA             56
        TLS_RSA_WITH_AES_256_CBC_SHA        256
        TLS_RSA_WITH_AES_256_CBC_SHA        128
        TLS_RSA_WITH_3DES_EDE_CBC_SHA       168

    * TLS 1.0 Cipher Suites:
      Attempted to connect using 80 cipher suites.
      The server accepted the following 10 cipher suites:
        TLS_RSA_WITH_AES_128_CBC_SHA        128
        TLS_RSA_WITH_AES_128_CBC_MD5        128
        TLS_RSA_WITH_DES_CBC_SHA             56
        TLS_RSA_WITH_AES_256_CBC_SHA        256
        TLS_RSA_WITH_AES_256_CBC_SHA        128
        TLS_RSA_WITH_3DES_EDE_CBC_SHA       168
        TLS_DHE_RSA_WITH_DES_CBC_SHA         56   DH (1024 bits)
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA    256   DH (1024 bits)
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA    128   DH (1024 bits)
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA   168   DH (1024 bits)
        TLS_DHE_RSA_WITH_AES_256_CCM_SHA256       DH (2048 bits)

      The group of cipher suites supported by the server has the following properties:
        Forward Secrecy          OK - Supported
        Legacy RC4 Algorithm     INSECURE - Supported

Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?
- TLS_RSA_WITH_DES_CBC_SHA 56
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)
- TLS_RSA_WITH_AES_256_CBC_SHA 256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

During the onboarding process for a new vendor, a security analyst obtains a copy of the vendor's latest penetration test summary:

    Performed by:   Vendor Red Team
    Last performed: 14 days ago

    | Severity      | Finding count |
    |---------------|---------------|
    | Critical      | 2             |
    | High          | 5             |
    | Medium        | 3             |
    | Low           | 2             |
    | Informational | 4             |

Which of the following recommendations should the analyst make first?
- Perform a more recent penetration test
- Continue vendor onboarding
- Disclose details regarding the findings
- Have a neutral third party perform a penetration test

A security analyst is reviewing malware files without running them. Which of the following analysis types is the security analyst using?
- Dynamic
- Sandbox
- Static
- Heuristic

A security analyst is reviewing the event logs on an air-gapped workstation. The analyst knows the system is used regularly for classified work. Additionally, the analyst knows multiple users locked themselves out and required a password reset. When reviewing the logs, the security analyst is surprised to see that these incidents were not recorded in the logs. Which of the following is the best remediation for this issue?
- Modify the local group policy to use advanced logging
- Install third-party software to log the events remotely
- Require users to log a trouble ticket when failures occur
- Ensure the analyst has the correct permissions to view the logs

The SOC has received reports of slowness across all workstation network segments. The currently installed antivirus has not detected anything, but a different anti-malware product was just downloaded and has revealed a worm is spreading. Which of the following should be the NEXT step in this incident response?
- Send a sample of the malware to the antivirus vendor and request urgent signature creation
- Begin deploying the new anti-malware on all uninfected systems
- Enable an ACL on all VLANs to contain each segment
- Compile a list of IoCs so the IPS can be updated to halt the spread

An analyst is reviewing email headers to determine if an email has been sent from a legitimate sender. The organization uses SPF to validate email origination. Which of the following most likely indicates an invalid originator?
- Received-SPF: neutral
- Received-SPF: none
- Received-SPF: softfail
- Received-SPF: error

Which of the following SCAP standards provides standardization for measuring and describing the severity of security-related software flaws?
- OVAL
- CVSS
- CVE
- CCE

A security analyst at an organization is reviewing vulnerability reports from a newly deployed vulnerability management platform. The organization is not receiving information about devices that rarely connect to the network. Which of the following will the analyst most likely do to obtain vulnerability information about these devices?
- Add administrator credentials to mobile devices
- Utilize cloud-based agents
- Deploy a VPC in front of a NAC
- Implement MDM

An analyst needs to provide recommendations based on the following vulnerability report:

    | Plug-in name                                        | Severity | Exploit available |
    |-----------------------------------------------------|----------|-------------------|
    | SSL certificate signed using weak hashing algorithm | Medium   | Yes               |
    | PHP 7.1.x < 7.1.25 multiple vulnerabilities         | High     | Yes               |
    | RHEL 7 : qemu-kvm (RHSA-2020:1208)                  | Critical | No                |
    | TLS version 1.0 protocol detection                  | High     | No                |

Which of the following vulnerabilities should the analyst recommend addressing first?
- SSL certificate signed using weak hashing algorithm
- TLS version 1.0 protocol detection
- PHP 7.1.x < 7.1.25 multiple vulnerabilities
- RHEL 7 : qemu-kvm (RHSA-2020:1208)

During a review of vulnerability scan results, an analyst determines the results may be flawed because a control-baseline system, which is used to evaluate a scanning tool's effectiveness, was reported as not vulnerable. Consequently, the analyst verifies the scope of the scan included the control-baseline host, which was available on the network during the scan. The use of a control-baseline endpoint in this scenario assists the analyst in confirming:
- verification of mitigation
- false positives
- false negatives
- the criticality index
- hardening validation
