Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base requirements? Security regression testing Code review User acceptance testing Stress testing.
A security analyst discovers the following firewall log entries during an incident:
SYC : SYC : SYC
Which of the following is MOST likely occurring? Banner grabbing Port scanning Beaconing Data exfiltration.
A security analyst is revising a company's MFA policy to prohibit the use of short message service (SMS) tokens. The Chief Information Officer has questioned this decision and asked for justification. Which of the following should the analyst provide as justification for the new policy? SMS relies on untrusted, third-party carrier networks. SMS tokens are limited to eight numerical characters. SMS is not supported on all handheld devices in use. SMS is a cleartext protocol and does not support encryption.
The SOC has received reports of slowness across all workstation network segments. The currently installed antivirus has not detected anything, but a different anti-malware product was just downloaded and has revealed a worm is spreading. Which of the following should be the NEXT step in this incident response? Send a sample of the malware to the antivirus vendor and request urgent signature creation. Begin deploying the new anti-malware on all uninfected systems. Enable an ACL on all VLANs to contain each segment. Compile a list of IoCs so the IPS can be updated to halt the spread.
During the security assessment of a new application, a tester attempts to log in to the application but receives the following message: incorrect password for given username. Which of the following can the tester recommend to decrease the likelihood that a malicious attacker will receive helpful information? Set the web page to redirect to an application support page when a bad password is entered. Disable error messaging for authentication. Recognize that error messaging does not provide confirmation of the correct element of authentication. Avoid using password-based authentication for the application.
Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications? Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot. Supervised algorithms require security analyst feedback, while unsupervised algorithms do not. Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are. Unsupervised algorithms produce more false positives than supervised algorithms.
During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue? Warn the incident response team that the server can be compromised. Open a ticket informing the development team about the alerts. Check if temporary files are being monitored. Dismiss the alert, as the new application is still being adapted to the environment.
A help desk technician inadvertently sent the credentials of the company's CRM in cleartext to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate email, and notified the security team of the incident. According to the incident response procedure, which of the following should the security team do NEXT? Contact the CRM vendor. Prepare an incident summary report. Perform postmortem data correlation. Update the incident response plan.
A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources? Data enrichment Continuous integration Machine learning Workflow orchestration.
A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:
Which of the following describes what has occurred? The host attempted to download an application from utoftor.com. The host downloaded an application from utoftor.com The host attempted to make a secure connection to utoftor.com The host rejected the connection from utoftor.com.
During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition? strings head fsstat dd.
A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations. To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the following would meet the requirement? Data masking procedures Enhanced encryption functions Regular business impact analysis functions Geographic access requirements.
An internally developed file-monitoring system identified the following excerpt as causing a program to crash often: char filedata; fp = fopen("access.log", "r"); strcpy(filedata, fp); printf("%s\n", filedata);
Which of the following should a security analyst recommend to fix the issue? Open the access.log file in read/write mode. Replace the strcpy function. Perform input sanitization. Increase the size of the file data buffer.
The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's single Internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT department? Require the guest machines to install the corporate-owned EDR solution Configure NAC to only allow machines on the network that are patched and have active antivirus Place a firewall in between the corporate network and the guest network Configure the IPS with rules that will detect common malware signatures traveling from the guest network.
A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the security analyst while performing this task? Static analysis Dynamic analysis Regression testing User acceptance testing.
An organization is focused on restructuring its data governance programs, and an analyst has been tasked with surveying sensitive data within the organization.
Which of the following is the MOST accurate method for the security analyst to complete this assignment? Perform an enterprise-wide discovery scan. Consult with an internal data custodian. Review enterprise-wide asset inventory. Create a survey and distribute it to data owners.
A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output from the executable are shown below:
Which of the following should the analyst report after viewing this information? A dynamic library that is needed by the executable is missing. Input can be crafted to trigger an injection attack in the executable. The tool caused a buffer overflow in the executable's memory. The executable attempted to execute a malicious command.
A security analyst needs to develop a brief that will include the latest incidents and the attack phases of the incidents. The goal is to support threat intelligence and identify whether or not the incidents are linked. Which of the following methods would be MOST appropriate to use? The Cyber Kill Chain The MITRE ATT&CK framework An adversary capability model The Diamond Model of Intrusion Analysis.
A security analyst is handling an incident in which ransomware has encrypted the disks of several company workstations. Which of the following would work BEST to prevent this type of incident in the future? Implement a UTM instead of a stateful firewall and enable gateway antivirus. Back up the workstations to facilitate recovery and create a gold image. Establish a ransomware awareness program and implement secure and verifiable backups. Virtualize all the endpoints with daily snapshots of the virtual machines.
A computer hardware manufacturer is developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades? Encryption eFuse Secure Enclave Trusted execution.
A newly appointed Chief Information Security Officer has completed a risk assessment review of the organization and wants to reduce the numerous risks that were identified. Which of the following will provide a trend of risk mitigation? Planning Continuous monitoring Risk response Risk analysis Oversight.
Which of the following allows Secure Boot to be enabled? eFuse UEFI HSM PAM.
A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company's data? Implement UEM on all systems and deploy security software. Implement DLP on all workstations and block company data from being sent outside the company. Implement a CASB and prevent certain types of data from being downloaded to a workstation. Implement centralized monitoring and logging for all company systems.
After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:
Which of the following is the BEST solution to mitigate this type of attack? Implement a better level of user input filters and content sanitization. Properly configure XML handlers so they do not process &ent parameters coming from user inputs. Use parameterized queries to avoid user inputs from being processed by the server. Escape user inputs using character encoding conjoined with whitelisting.
A security analyst is generating a list of recommendations for the company's insecure API. Which of the following is the BEST parameter mitigation recommendation? Use TLS for all data exchanges. Use effective authentication and authorization methods. Implement parameterized queries. Validate all incoming data.
A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements:
* The partners' PCs must not connect directly to the laboratory network
* The tools the partners need to access while on the laboratory network must be available to all partners
* The partners must be able to run analyses on the laboratory network, which may take hours to complete
Which of the following capabilities will MOST likely meet the security objectives of the request? Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis.
A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port? The server is configured to communicate on the secure database standard listener port. Someone has configured an unauthorized SMTP application over SSL. A connection from the database to the web front end is communicating on the port. The server is receiving a secure connection using the new TLS 1.3 standard.
Which of the following is MOST important when developing a threat hunting program?
Understanding penetration testing techniques Understanding how to build correlation rules within a SIEM Understanding security software technologies Understanding assets and categories of assets.
A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin.
The network rules for the instance are the following:
Rule Direction Protocol SRC DST Port Description
1. Inbound TCP ANY 10.0.1.25 80 HTTP
2. Inbound TCP ANY 10.0.1.25 443 HTTPS
3. Inbound TCP ANY 10.0.1.0/25 22 SSH
4. Outbound UDP 10.0.1.25 10.0.1.2 53 DNS
5. Outbound TCP 10.0.1.25 ANY Any TCP
Which of the following is the BEST way to isolate and triage the host? Remove rules 1, 2, and 3. Remove rules 1, 2, 4, and 5. Remove rules 1, 2, and 5. Remove rules 4 and 5.
After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using? Header analysis File carving Metadata analysis Data recovery.
Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets? Data custodian Data owner Data processor Senior management.
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:
Which of the following commands should the administrator run NEXT to further analyze the compromised system? strace /proc/1301 rpm -V openssh-server /bin/ls -1 /proc/1301/exe kill -9 1301.
During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the BEST way to locate this issue? Reduce the session timeout threshold. Deploy MFA for access to the web server. Implement input validation. Run a static code scan.
A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to the senior management team? (Choose two.)
Probability Adversary capability Attack vector Impact Classification Indicators of compromise.
An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor? Gather information from providers, including data center specifications and copies of audit reports Identify SLA requirements for monitoring and logging Consult with the senior management team for recommendations Perform a proof of concept to identify possible solutions.
A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it. Which of the following threats applies to this situation? Potential data loss to external users Loss of public/private key management Cloud-based authentication attack Insufficient access logging.
An organization's Chief Information Security Officer has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers.
Which of the following is a benefit of having these communication plans? They can help to prevent the inadvertent release of damaging information outside the organization They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected They can help to keep the organization’s senior leadership informed about the status of patching during the recovery phase.
During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user:
Which of the following commands should the analyst investigate FIRST? Line 1 Line 2 Line 4 Line 5 Line 6 Line 3.
A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development database with the vendor? Establish an NDA with the vendor. Enable data masking of sensitive data tables in the database. Set all database tables to read only. Use a de-identified data process for the development database.
A company creates digitally signed packages for its devices. Which of the following BEST describes the method by which the security packages are delivered to the company’s customers? Anti-tamper mechanism SELinux Trusted firmware updates eFuse.
A financial institution's business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation? Enforce the existing security standards and controls. Perform a risk analysis and qualify the risk with legal. Perform research and propose a better technology. Enforce the standard permits.
A security analyst needs to assess the web-server versions on a list of hosts to determine which are running a vulnerable version of the software and then output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal? nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml --scanports 443.
A company recently hired a new SOC provider and implemented new incident response procedures. Which of the following conjoined approaches would MOST likely be used to evaluate the new implementations for monitoring and incident response at the same time? (Choose two.) Blue-team exercise Disaster recovery exercise Red-team exercise Gray-box penetration test Tabletop exercise Risk assessment.
A security analyst is reviewing WAF logs and notes requests against the corporate website are increasing and starting to impact the performance of the web server. The security analyst queries the logs for requests that triggered an alert on the WAF but were not blocked. Which of the following possible TTP combinations might warrant further investigation? (Choose two.) Requests identified by a threat intelligence service with a bad reputation Requests sent from the same IP address using different user agents Requests blocked by the web server per the input sanitization Failed log-in attempts against the web application Requests sent by NICs with outdated firmware Existence of HTTP/501 status codes generated to the same IP address.
Which of the following is a difference between SOAR and SCAP? SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.
Which of the following APT adversary archetypes represent non-nation-state threat actors? (Choose two.) Kitten Panda Tiger Jackal Bear Spider.