CYSA Test 8

Title of test:
CYSA Test 8

Description:
CYSA Test 8

Creation Date: 2025/09/21

Category: Others

Number of questions: 53

Content:

A security analyst needs to identify services in a small, critical infrastructure ICS network. Many components in the network are likely to break if they receive malformed or unusually large requests. Which of the following is the safest method to use when identifying service versions?. Use nmap -sV to identify all assets on the network. Use Burp Suite to conduct service identification. Use nc to manually perform banner grabbing. Use Nessus with restricted concurrent connections.

A web application has a function to retrieve content from an internal URL to identify CSRF attacks in the logs. The security analyst is building a regular expression that will filter out the correctly formatted requests. The target URL is https://10.1.2.3/api, and the receiving API only accepts GET requests and uses a single integer argument named “id.” Which of the following regular expressions should the analyst use to achieve the objective?. ^(?!https://10\.1\.2\.3/api\?id=[0-9]+). ^https://10\.1\.2\.3/api\?id=\d+. (?:^https://10\.1\.2\.3/api\?id=[0-9]+). ^https://10\.1\.2\.3/api\?id=[0-9]+$.
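The four candidate patterns in the question above differ only in how they are anchored, and that is what decides which requests they let through. The script below is an added example written for this page (it is not part of the test and not vendor code); it runs each candidate over a handful of constructed target URLs and lists which ones match, and it uses the fully anchored pattern as an allow-list so that every request that is not exactly `https://10.1.2.3/api?id=<digits>` is surfaced as an anomaly. The sample URLs and the A to D labels are assumptions made here.

```python
import re

# The four candidate expressions from the question, labelled A-D in the order listed.
CANDIDATES = {
    "A": r"^(?!https://10\.1\.2\.3/api\?id=[0-9]+)",      # negative lookahead: matches anything that is NOT well formed
    "B": r"^https://10\.1\.2\.3/api\?id=\d+",              # prefix only: no end anchor
    "C": r"(?:^https://10\.1\.2\.3/api\?id=[0-9]+)",       # same as B wrapped in a non-capturing group
    "D": r"^https://10\.1\.2\.3/api\?id=[0-9]+$",          # fully anchored: exactly one integer argument
}

# Constructed sample of logged target URLs (made up for this example, not from a real log).
SAMPLE_URLS = [
    "https://10.1.2.3/api?id=42",                                  # well formed
    "https://10.1.2.3/api?id=42&callback=http://198.51.100.9/",    # extra parameter smuggled in
    "https://10.1.2.3/api?id=42%27%20OR%201%3D1",                  # injection attempt appended to the integer
    "https://10.1.2.3/api?id=abc",                                 # non-integer id
    "https://10.1.2.3/api/../admin?id=1",                          # path manipulation before the query
    "http://10.1.2.3/api?id=1",                                    # scheme downgrade
    "https://10.1.2.3/api?id=\u0664\u0662",                        # Arabic-Indic digits: \d matches them, [0-9] does not
]


def matching_urls(pattern, urls=SAMPLE_URLS):
    """Return the URLs that the pattern matches (re.search; the patterns carry their own anchors)."""
    rx = re.compile(pattern)
    return [u for u in urls if rx.search(u)]


def anomalies(urls, allow=CANDIDATES["D"]):
    """Allow-list filter: everything that is not an exactly well-formed request is kept for review."""
    rx = re.compile(allow)
    return [u for u in urls if not rx.search(u)]


if __name__ == "__main__":
    for label, pattern in CANDIDATES.items():
        print(label, pattern)
        for u in matching_urls(pattern):
            print("   matches", u)
    print("left for review:", anomalies(SAMPLE_URLS))
```

Two points worth noting from the output: B and C are identical in effect and both accept the smuggled parameter and the injection suffix because nothing anchors the end of the string, and in Python `\d` also matches non-ASCII digits unless the pattern is compiled with `re.ASCII`, so `[0-9]` is the stricter choice when the API only accepts ASCII integers.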

A security analyst needs to identify a computer based on the following requirements to be mitigated:
• The attack method is network based with low complexity.
• No privileges or user action is needed.
• The confidentiality and availability level is high with a low integrity level.
Given the following CVSS 3.1 output:
Computer1 - CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Computer2 - CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Computer3 - CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
Computer4 - CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Which of the following machines should the analyst mitigate?. Computer1. Computer2. Computer3. Computer4.

An analyst would like to start automatically ingesting IoCs into the EDR tool. Which of the following sources would be the most cost effective for the analyst to use?. Government bulletins. Social media. Dark web. Blogs.

A user clicks on a malicious adware link, and the malware successfully downloads to the machine. The malware has a script that invokes command-and-control activity. Which of the following actions is the best way to contain the incident without any additional impact?. Disable the user account until the malware investigation is complete. Review EDR information to determine whether the file was detected and quarantined locally. Block the server on the proxy and firewall. Submit a recategorization update to the vendor.

During normal security monitoring activities, the following activity was observed:
cd C:\Users\Documents\HR\Employees
takeown /f .*
SUCCESS:
Which of the following best describes the potentially malicious activity observed?. Registry changes or anomalies. Data exfiltration. Unauthorized privileges. File configuration changes.

A security manager is looking at a third-party vulnerability metric (SMITTEN) to improve upon the company’s current method that relies on CVSSv3. Given the following: Which of the following vulnerabilities should be prioritized?. Vulnerability 1. Vulnerability 2. Vulnerability 3. Vulnerability 4.

Which of the following should be performed first when creating a BCP to ensure that all critical functions and financial implications have been considered?. Failover test. Tabletop exercise. Security policies. Business impact analysis.

Which of the following best describes root cause analysis?. It describes the tactics, techniques, and procedures used in an incident. It provides a detailed path outlining the origin of an issue and how to eliminate it permanently. It outlines the who-what-when-where-why, which is often used in conjunction with legal proceedings. It generates a report of ongoing activities, including what was done, what is being done, and what will be done next.

A security administrator has found indications of dictionary attacks against the company’s external-facing portal. Which of the following should be implemented to best mitigate the password attacks?. Multifactor authentication. Password complexity. Web application firewall. Lockout policy.

The security team reviews a web server for XSS and runs the following Nmap scan: Which of the following most accurately describes the result of the scan?. An output of characters > and " as the parameters used in the attempt. The vulnerable parameter ID http://172.31.15.2/1.php?id=2 and unfiltered characters returned. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe. The vulnerable parameter id=2 with a SQL injection attempt.

A security analyst has identified outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and target domain servers. The traffic is then routed to a geographic location to which the company has no association. Which of the following best describes this type of threat?. Hacktivist. Zombie. Insider threat. Nation-state actor.

Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Which of the following best supports this approach?. Threat modeling. Penetration testing. Bug bounty. SDLC training.

Which of the following best explains the importance of utilizing an incident response playbook?. It prioritizes the business-critical assets for data recovery. It establishes actions to execute when inputs trigger an event. It documents the organization asset management and configuration. It defines how many disaster recovery sites should be staged.

Which of the following defines the proper sequence of data volatility regarding the evidence collection process, from the most to least volatile?. Routing table, registers, physical memory, archival media, hard disk, physical configuration. Routing table, registers, physical memory, temporary partition, hard disk, physical configuration. Cache, routing table, physical memory, network topology, temporary partition, hard disk. Cache, routing table, physical memory, temporary partition, hard disk, physical configuration.

A security analyst needs to support an organization’s legal case against a threat actor. Which of the following processes provides the best way to assist in the prosecution of the case?. Chain of custody. Evidence gathering. Securing the scene. Forensic analysis.

An end user forwarded an email with a file attachment to the SOC for review. The SOC analysts think the file was specially crafted for the target. Which of the following investigative actions would best determine if the attachment was malicious?. Review the file in VirusTotal to determine if the domain is associated with any phishing. Review the email header to analyze the DKIM, DMARC, and SPF values. Review the source IP address in AbuseIPDB. Review the attachment’s behavior in a sandbox environment while running Wireshark.

Which of the following is instituting a security policy that users must lock their systems when stepping away from their desks an example of?. Configuration management. Compensating control. Awareness, education, and training. Administrative control.

A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server. Which of the following will the analyst most likely recommend?. Sandboxing. MFA. DKIM. Vulnerability scan.

Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal validity of these messages, the cybersecurity team recommends a digital signature be added to emails sent by the executives. Which of the following are the primary goals of this recommendation? (Choose two.). Confidentiality. Integrity. Privacy. Anonymity. Non-repudiation. Authorization.

A security analyst needs to identify an asset that should be remediated based on the following information: Which of the following assets should the analyst remediate first?. Mail server. Domain controller. Web server. File server.

A security analyst runs tcpdump on the 10.203.10.22 machine and observes thousands of packets as shown below: Which of the following activities explains the tcpdump output?. Incoming nmap -sA scan. hping3 --udp scan over the network. C2 communications leaving the network. Malware beaconing.

Which of the following is the best metric to use when reviewing and addressing findings that caused an incident?. Mean time to restore. Mean time to respond. Mean time to remediate. Mean time to detect.

A cybersecurity analyst is setting up a security control that monitors network traffic and produces an active response to a security event. Which of the following tools is the analyst configuring?. EDR. IPS. CASB. WAF.

A security analyst working for an airline is prioritizing vulnerabilities found on a system. The system has the following requirements:
• Can store periodically audited documents required for takeoffs and landings
• Can keep critical records regarding the company’s operations
• Data can be made public upon request and authorization
Which of the following vulnerabilities should be remediated first?. A broken access control vulnerability impacting data integrity. A heap overflow vulnerability impacting the system’s usability. A DoS vulnerability impacting the system’s availability. A zero-day vulnerability impacting the system’s confidentiality.

Which of the following are process improvements that can be realized by implementing a SOAR solution? (Choose two.). Minimize security attacks. Itemize tasks for approval. Reduce repetitive tasks. Minimize setup complexity. Define a security strategy. Generate reports and metrics.

Which of the following best describe the external requirements that are imposed for incident management communication? (Choose two.). Law enforcement involvement. Compliance with regulatory requirements. Transparency to stockholders. Defined SLAs regarding services. Industry advocacy group participation. Framework guidelines.

A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic is not flagging for any exploit signatures. Which of the following scenarios best describes this activity?. A legitimate connection is continuously attempting to establish a connection with a downed web server. A script kiddie is attempting to execute a DDoS through a ping flood attack. An attacker is executing reconnaissance activities by mapping which ports are open and closed. A web exploit attempt is likely occurring and the security analyst is not seeing it.

Which of the following features is a key component of Zero Trust architecture?. Single strong source of user identity. Implementation of IT governance. Business continuity plan. Quality assurance. Internal auditing process.

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?. Choose a vendor to utilize for the disaster recovery location. Establish prioritization of continuity from data and business owners. Negotiate vendor agreements to support disaster recovery capabilities. Advise the leadership team that a geographical area for recovery must be defined.

A junior security analyst opened ports on the company’s firewall, and the company experienced a data breach. Which of the following most likely caused the data breach?. Environmental hacktivist. Accidental insider threat. Nation-state. Organized crime group.

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?. OpenID. SDN. ZTNA. SWG.

An analyst produces a weekly endpoint status report for the management team. The report includes specific details for each endpoint in relation to organizational baselines. Which of the following best describes the report type?. Forensics. Mitigation. Vulnerability. Compliance.

A user is suspected of violating policy by logging in to a Linux VM during nonbusiness hours. Which of the following system files is the best way to track the user’s activities?. /var/log/secure. /etc/motd. /var/log/messages. /etc/passwd.
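The question above asks where a Linux login is recorded; the follow-on task in practice is pulling one user's off-hours activity out of that file. The parser below is an added example for this page (not part of the test and not from any distribution's tooling). It reads `/var/log/secure`-style lines (the RHEL/CentOS file name; Debian and Ubuntu write the same sshd and sudo events to `/var/log/auth.log`), extracts successful sshd logins and sudo commands, and returns the records for a named user that fall outside an assumed 08:00 to 18:00 business window. The log lines, host name, user names and addresses are constructed for the example.

```python
import re

# Constructed /var/log/secure-style lines (made up for this example, not from a real host).
SAMPLE_LOG = """\
Sep 21 02:14:33 vm01 sshd[1834]: Accepted publickey for jdoe from 10.0.0.5 port 51234 ssh2: RSA SHA256:constructed
Sep 21 09:02:10 vm01 sshd[1901]: Accepted password for jdoe from 10.0.0.5 port 51240 ssh2
Sep 21 23:45:01 vm01 sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Sep 22 03:30:12 vm01 sshd[2350]: Accepted password for jdoe from 10.0.0.9 port 51300 ssh2
Sep 22 03:31:40 vm01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/tar czf /tmp/hr.tgz /srv/hr
Sep 22 10:15:00 vm01 sshd[2511]: Accepted publickey for svc_backup from 10.0.0.20 port 51999 ssh2
""".splitlines()

# Classic syslog prefix: month, day, HH:MM:SS, host. There is no year and the time is the host's local time.
PREFIX = r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "

LOGIN_RE = re.compile(
    PREFIX + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(
    PREFIX + r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<command>.*)$"
)


def parse_line(line):
    """Return a dict for a successful login or a sudo command, or None for anything else (failed logins included)."""
    m = LOGIN_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "login"
        return rec
    m = SUDO_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["event"] = "sudo"
        return rec
    return None


def off_hours_activity(lines, user, start_hour=8, end_hour=18):
    """Records for `user` whose hour falls outside [start_hour, end_hour). Assumes a single time zone."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["user"] != user:
            continue
        hour = int(rec["time"][:2])
        if not (start_hour <= hour < end_hour):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in off_hours_activity(SAMPLE_LOG, "jdoe"):
        detail = rec.get("ip") or rec.get("command")
        print(f"{rec['mon']} {rec['day']} {rec['time']} {rec['event']:5} {rec['user']} {detail}")
```

Because the syslog timestamp carries no year or zone, correlate against the host's configured time zone (`timedatectl`) and against `last`/`wtmp` before treating a 03:30 login as a policy violation; hosts writing UTC make a 03:30 entry look very different from one writing local time.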

A user’s computer is performing slower than the day before, and unexpected windows continually open and close. The user did not install any new programs, and after the user restarted the desktop, the issue was not resolved. Which of the following incident response actions should be taken next?. Restart in safe mode and start a virus scan. Disconnect from the network and leave the PC turned on. Contain the device and implement a legal hold. Reformat and reimage the OS.

Which of the following risk management decisions should be considered after evaluating all other options?. Transfer. Acceptance. Mitigation. Avoidance.

A security analyst finds an application that cannot enforce the organization’s password policy. An exception is granted. As a compensating control, all users must confirm that their passwords comply with the organization’s policy. Which of the following types of compensating controls is the organization using?. Corrective. Managerial. Technical. Detective.

A company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code: SELECT * From user_data WHERE Username = 0 and userid= 1 or 1=1;-- Which of the following controls would be best to implement?. Deploy a wireless application protocol. Remove the end-of-life component. Implement proper access control. Validate user input.
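The logged statement above is what string concatenation produces when the attacker supplies `1 or 1=1;--` as the user ID. The script below is an added example for this page (not part of the test and not the breached application's code): it reproduces the vulnerable query builder against a constructed in-memory SQLite table, then shows the hardened version that validates the input's shape and binds it as a parameter, so the same payload returns nothing instead of every row. Table contents and column names beyond `user_data`, `Username` and `userid` are assumptions.

```python
import sqlite3


def build_demo_db():
    """Constructed demo data; only the table name user_data comes from the logged query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (userid INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def vulnerable_sql(username, userid):
    """Builds the statement by interpolation: whatever the client sent becomes part of the SQL text."""
    return f"SELECT * FROM user_data WHERE Username = {username} and userid = {userid}"


def lookup_vulnerable(conn, username, userid):
    # 'userid = 1 or 1=1;--' makes the WHERE clause true for every row; '--' comments out the rest.
    return conn.execute(vulnerable_sql(username, userid)).fetchall()


def lookup_hardened(conn, username, userid):
    """Validate the shape first (userid must be a decimal integer), then bind parameters so the driver
    never interprets user input as SQL. Either measure alone stops this payload; together they are defence in depth."""
    if not isinstance(userid, str) or not userid.isdigit():
        raise ValueError("userid must be a decimal integer")
    return conn.execute(
        "SELECT * FROM user_data WHERE username = ? AND userid = ?",
        (username, int(userid)),
    ).fetchall()


def hardened_rejects(conn, username, userid):
    """True when the hardened lookup refuses the input outright."""
    try:
        lookup_hardened(conn, username, userid)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = build_demo_db()
    payload = "1 or 1=1;--"
    print("vulnerable SQL :", vulnerable_sql("0", payload))
    print("vulnerable rows:", lookup_vulnerable(conn, "0", payload))      # all three users leak
    print("hardened, valid:", lookup_hardened(conn, "alice", "1"))         # one row
    print("hardened, payload rejected:", hardened_rejects(conn, "0", payload))
```

Input validation alone would not have saved a free-text column such as `username`; parameterised queries are what make the fix general, which is why the validation step here is limited to enforcing the integer shape of `userid`.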

A security analyst provides the management team with an after action report for a security incident. Which of the following is the management team most likely to review in order to correct validated issues with the incident response processes?. Tabletop exercise. Lessons learned. Root cause analysis. Forensic analysis.

A security analyst needs to prioritize vulnerabilities for patching. Given the following vulnerability and system information: Which of the following systems should the analyst patch?. 1. 2. 3. 4. 5. 6.

During a packet capture review, a security analyst identifies the output below as suspicious: Which of the following best describes the type of activity the analyst has identified?. Ping sweep. Port scan. DoS attack. Beaconing.

An organization performs software assurance activities and reviews some web framework code that uses exploitable jquery modules. Which of the following tools or techniques should the organization use to help identify these issues?. Security Content Automation Protocol. Application fuzzing. Common weakness enumeration. Static analysis.

An organization has implemented code into a production environment. During a routine test, a penetration tester found that some of the code had a backdoor implemented causing a developer to make changes outside of the change management windows. Which of the following is the best way to prevent this issue?. SDLC training. Dynamic analysis. Debugging. Source code review.

An analyst reviews the following web server log entries: %2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd No attacks or malicious attempts have been discovered. Which of the following most likely describes what took place?. A SQL injection query took place to gather information from a sensitive file. A PHP injection was leveraged to ensure that the sensitive file could be accessed. Base64 was used to prevent the IPS from detecting the fully encoded string. Directory traversal was performed to obtain a sensitive file for further reconnaissance.
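The log entry above is percent-encoded, which is exactly what a single-pass filter looking for `../` misses. The decoder below is an added example for this page (not part of the test and not a product's detection rule): it undoes repeated percent-encoding, counts `..` segments after decoding, resolves the path against the web root to show what the request actually targeted, and flags the traversal attempts in a constructed set of access-log request lines. The sample lines other than the one quoted in the question are made up.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed request lines (method, target, protocol). The first target is the string from the question,
# prefixed with '/' so it resolves against the web root like a real request path.
SAMPLE_REQUESTS = [
    "GET /%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.1",
    "GET /images/logo.png HTTP/1.1",
    "GET /download?file=%252E%252E%252Fconfig.php HTTP/1.1",   # double-encoded: one decode pass still sees %2E
    "GET /static/..%2f..%2fetc/shadow HTTP/1.1",              # only the slashes are encoded
    "GET /docs/v1.0/readme.txt HTTP/1.1",                     # single dots are fine
]

DOTDOT = re.compile(r"\.\.(?=[/\\]|$)")   # a '..' segment followed by a separator or end of string


def fully_decode(s, max_rounds=3):
    """Apply percent-decoding until the string stops changing (bounded, so a pathological input cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(line):
    """Decode the request target, count traversal segments and resolve the path part against '/'."""
    _method, target, _proto = line.split(" ", 2)
    decoded = fully_decode(target).replace("\\", "/")
    path_only = decoded.split("?", 1)[0]
    dotdot = len(DOTDOT.findall(decoded))
    return {
        "raw": target,
        "decoded": decoded,
        "dotdot": dotdot,
        "resolved": posixpath.normpath(path_only),   # where the path lands once '..' is applied from the root
        "traversal": dotdot > 0,
    }


def flag_traversal(lines):
    """Raw targets of the requests that contain at least one traversal segment after decoding."""
    return [r["raw"] for r in (analyze_request(l) for l in lines) if r["traversal"]]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        r = analyze_request(line)
        mark = "TRAVERSAL" if r["traversal"] else "ok"
        print(f"{mark:9} dotdot={r['dotdot']} resolved={r['resolved']}  <- {r['raw']}")
```

Matching on the decoded form rather than the raw log text is the point: the six `%2E%2E` segments in the question collapse to `/etc/passwd` once resolved, and the double-encoded `%252E` variant only becomes visible on the second decoding pass. The `..` in a query value (`file=../config.php`) is still flagged because many applications open the named file relative to a directory.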

An organization is preparing for a disaster recovery exercise. Which of the following actions should be implemented first?. Gather all internal stakeholders and review the actions according to the defined incident playbook. Coordinate the supporting staff for the recovery process to ensure availability at the recovery site. Ensure that the vendor for the disaster recovery site is scheduled to support the recovery. Identify a business-critical system and test by failing over to the disaster recovery location.

As part of an incident investigation, an analyst creates a detailed document that describes all activities, timelines, root causes, and mitigation actions. Which of the following reports is the analyst creating?. Lessons learned. Business impact analysis. Tabletop exercise. Change control.

A third-party assessment of a recent incident determined that the incident response team spent too long trying to get the scope needed for the incident timeline and too much time was spent searching for false positives. Which of the following should the team work on first?. Playbook edits. Ticket system automation. Detection tuning. Standard operating procedure refinement.

A security analyst is developing a script to filter firewall vulnerabilities. The script will impact the integrity of data hosted on devices connected to networks. Which of the following is a CVSS v4.0 vector that the analyst can use to test a true positive for the script?. AV:L/AC:H/AT:N/PR:L/VI:H/VC:H/VA:H/SC:N/SI:N/SA:N. AV:N/AC:L/AT:N/PR:N/VI:N/VC:N/VA:N/SC:N/SI:H/SA:L. AV:P/AC:L/AT:N/PR:H/VI:L/VC:L/VA:L/SC:N/SI:N/SA:N. AV:A/AC:L/AT:N/PR:H/VI:N/VC:L/VA:L/SC:N/SI:N/SA:H.

An analyst wants to detect outdated software packages on a server. Which of the following methodologies will achieve this objective?. Data loss prevention. Configuration management. Common vulnerabilities and exposures. Credentialed scanning.

A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters. Which of the following is the best way for the administrator to find more messages that were not reported?. Search email logs for a regular expression. Open a support ticket with the email hosting provider. Send a memo to all staff asking them to report suspicious emails. Query firewall logs for any traffic with a suspicious website.

A security analyst receives an alert with the following packet capture attached: Which of the following has occurred?. sslscan reconnaissance. A password stuffing attack. An Nmap scan. An nc reverse shell.

A company runs a website that allows public posts. Recently, some users report that when visiting the website, pop-ups appear asking the users for their credentials. Which of the following is the most likely cause of this issue?. Rootkit. SQL injection. CSRF. XSS.

A security manager has decided to form a special group of analysts who participate in both penetration testing and defending the company's network infrastructure during exercises. Which of the following teams should the group form in order to achieve this goal?. Blue team. Purple team. Red team. Green team.
