cysa+ 801-850. w.
1. A production environment with "blue" and "green" deployments in parallel, with one live and one updated to the newest code, is an example of what type of pipeline?
   A. Continuous integration
   B. Waterfall
   C. Spiral
   D. Continuous delivery

2. Juan wants to audit filesystem activity in Windows and configures Windows filesystem auditing. What setting can he set to know if a file was changed or not using Windows file auditing?
   A. Set Detect Change
   B. Set Validate File Versions
   C. Set Audit Modifications
   D. None of the above

3. Naomi wants to analyze URLs found in her passive DNS monitoring logs to find DGA (domain generation algorithm) generated command and control links. What techniques are most likely to be useful for this?
   A. WHOIS lookups and NXDOMAIN queries of suspect URLs
   B. Querying URL whitelists
   C. DNS probes of command-and-control networks
   D. Natural language analysis of domain names

4. Lucca is reviewing bash command history logs on a system that he suspects may have been used as part of a breach. He discovers the following grep command run inside of the /users directory by an administrative user. What will the command find?

   ```
   grep -r "sudo" /home/users/ | grep "bash.log"
   ```

   A. All occurrences of the sudo command on the system
   B. All occurrences of root logins by users
   C. All occurrences of the sudo command in bash log files in user home directories
   D. All lines that do not contain the word sudo or bash.log in user directories

5. Chris wants to run John the Ripper against a Linux system's passwords. What does he need to attempt password recovery on the system?
   A. Both /etc/passwd and /etc/shadow
   B. /etc/shadow
   C. /etc/passwd
   D. Chris cannot recover passwords; only hashes are stored

6. Charles needs to review the permissions set on a directory structure on a Windows system he is investigating to determine whether the system contains unauthorized privileges. Which Sysinternals tool will provide him with this functionality?
   A. DiskView
   B. AccessEnum
   C. du
   D. AccessChk

7. Mei is planning to deploy rogue access point detection capabilities for her network. If she wants to deploy the most effective detection capability she can, which of the following detection types should she deploy first?
   A. Authorized MAC
   B. Authorized SSID
   C. Authorized channel
   D. Authorized vendor

8. The company that Brian works for processes credit cards and is required to be compliant with PCI DSS. If Brian's company experiences a breach of card data, what type of disclosure will they be required to provide?
   A. Notification to local law enforcement
   B. Notification to their acquiring bank
   C. Notification to federal law enforcement
   D. Notification to Visa and MasterCard

9. Lauren wants to create a backup of Linux permissions before making changes to the Linux workstation she is attempting to remediate. What Linux tool can she use to back up the permissions of an entire directory on the system?
   A. chbkup
   B. getfacl
   C. aclman
   D. There is not a common Linux permission backup tool

10. Jessica wants to access a macOS FileVault 2-encrypted drive. Which of the following methods is not a possible means of unlocking the volume?
    A. Change the FileVault key using a trusted user account
    B. Retrieve the key from memory while the volume is mounted
    C. Acquire the recovery key
    D. Extract the keys from iCloud

11. Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?
    A. Persistence of the beaconing
    B. Beacon protocol
    C. Beaconing interval
    D. Removal of known traffic

12. Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
    A. SNMP
    B. Portmon
    C. Packet sniffing
    D. NetFlow

13. James wants to determine whether other Windows systems on his network are infected with the same malware package that he has discovered on the workstation he is analyzing. He has removed the system from his network by unplugging its network cable, as required by corporate policy. He knows that the system has previously exhibited beaconing behavior and wants to use that behavior to identify other infected systems. How can he safely create a fingerprint for this beaconing without modifying the infected system?
    A. Plug the system into the network and capture the traffic quickly at the firewall using Wireshark or tcpdump
    B. Plug the system into an isolated switch and use a span port or tap and Wireshark/tcpdump to capture traffic
    C. Review the ARP cache for outbound traffic
    D. Review the Windows Firewall log for traffic logs

14. While investigating a system error, Lauren runs the df command on a Linux box that she is the administrator for. What problem and likely cause should she identify based on this listing?

    ```
    # df -h /var/
    Filesystem      Size  Used  Avail  Use%  Mounted on
    /dev/sda1        40G  11.2G  28.8   28%  /
    /dev/sda2       3.9G   3.9G     0  100%  /var
    ```

    A. The var partition is full and needs to be wiped
    B. Slack space has filled up and needs to be purged
    C. The var partition is full, and logs should be checked
    D. The system is operating normally and will fix the problem after a reboot

15. As Lauren prepares her organization's security practices and policies, she wants to address as many threat vectors as she can using an awareness program. Which of the following threats can be most effectively dealt with via awareness?
    A. Attrition
    B. Impersonation
    C. Improper usage
    D. Web

16. Scott wants to recover user passwords for systems as part of a forensic analysis effort. If he wants to test for the broadest range of passwords, which of the following modes should he run John the Ripper in?
    A. Single crack mode
    B. Wordlist mode
    C. Incremental mode
    D. External mode

17. During a forensic investigation, Lukas discovers that he needs to capture a virtual machine that is part of the critical operations of his company's website. If he cannot suspend or shut down the machine for business reasons, what imaging process should he follow?
    A. Perform a snapshot of the system, boot it, suspend the copied version, and copy the directory it resides in
    B. Copy the virtual disk files and then use a memory capture tool
    C. Escalate to management to get permission to suspend the system to allow a true forensic copy
    D. Use a tool like the Volatility Framework to capture the live machine completely

18. Mika, a computer forensic examiner, receives a PC and its peripherals that were seized as forensic evidence during an investigation. After she signs off on the chain of custody log and starts to prepare for her investigation, one of the first things she notes is that each cable and port was labeled with a color-coded sticker by the on-site team. Why are the items labeled like this?
    A. To ensure chain of custody
    B. To ensure correct reassembly
    C. To allow for easier documentation of acquisition
    D. To tamper-proof the system

19. Laura needs to create a secure messaging capability for her incident response team. Which of the following methods will provide her with a secure messaging tool?
    A. Text messaging
    B. A Jabber server with TLS enabled
    C. Email with TLS enabled
    D. A messaging application that uses the Signal protocol

20. Lakshman needs to sanitize hard drives that will be leaving his organization after a lease is over. The drives contained information that his organization classifies as sensitive data that competitors would find valuable if they could obtain it. Which choice is the most appropriate to ensure that data exposure does not occur during this process?
    A. Clear, validate, and document
    B. Purge the drives
    C. Purge, validate, and document
    D. The drives must be destroyed to ensure no data loss

21. Selah is preparing to collect a forensic image for a Macintosh computer running the Mojave operating system. What hard drive format is she most likely to encounter?
    A. FAT32
    B. MacFAT
    C. APFS
    D. HFS+

22. During a forensic analysis of an employee's computer as part of a human resources investigation into misuse of company resources, Tim discovers a program called Eraser installed on the PC. What should Tim expect to find as part of his investigation?
    A. A wiped C: drive
    B. Antiforensic activities
    C. All slack space cleared
    D. Temporary files and Internet history wiped