A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?
IDS signatures
Data loss prevention
Port security
Sinkholing

While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?
Block the sender in the email gateway.
Delete the email from the company's email servers.
Ask the sender to stop sending messages.
Review the message in a secure environment.

Which of the following BEST describes an HSM?
A computing device that manages cryptography, decrypts traffic, and maintains library calls
A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions
A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions
A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Which of the following is the greatest security concern regarding ICS?
The involved systems are generally hard to identify.
The systems are configured for automatic updates, leading to device failure.
The systems are oftentimes air gapped, leading to fileless malware attacks.
Issues on the systems cannot be reversed without rebuilding the systems.

Which of the following is the BEST option to protect a web application against CSRF attacks?
Update the web application to the latest version.
Set a server-side rate limit for CSRF token generation.
Avoid the transmission of CSRF tokens using cookies.
Configure the web application to only use HTTPS and TLS 1.3.

Which of the following describes the main difference between supervised and unsupervised machine-learning algorithms that are used in cybersecurity applications?
Supervised algorithms can be used to block attacks, while unsupervised algorithms cannot.
Supervised algorithms require security analyst feedback, while unsupervised algorithms do not.
Unsupervised algorithms are not suitable for IDS systems, while supervised algorithms are.
Unsupervised algorithms produce more false positives than supervised algorithms.

A security analyst is reviewing the network security monitoring logs listed below. Which of the following is the analyst most likely observing? (Select TWO.)
10.1.1.128 sent potential malicious traffic to the web server.
10.1.1.128 sent malicious requests, and the alert is a false positive.
10.1.1.129 successfully exploited a vulnerability on the web server.
10.1.1.129 sent potential malicious requests to the web server.
10.1.1.129 can determine that port 443 is being used.
10.1.1.130 can potentially obtain information about the PHP version.

During an incident investigation, a security analyst discovers the web server is generating an unusually high
volume of logs. The analyst observes the following response codes:
• 20% of the logs are 403
• 20% of the logs are 404
• 50% of the logs are 200
• 10% of the logs are other codes
The server generates 2MB of logs on a daily basis, and the current day's log is over 200MB. Which of the following commands should the analyst use to identify the source of the activity?
cat access_log | grep " 403 "
cat access_log | grep " 200 "
cat access_log | grep " 100 "
cat access_log | grep " 404 "
cat access_log | grep " 204 "

While investigating reports of issues with a web server, a security analyst attempts to log in remotely and receives the following message:
The analyst accesses the server console, and the following console messages are displayed:
The analyst is also unable to log in on the console. While reviewing network captures for the server, the analyst sees many packets with the following signature:
Which of the following is the BEST step for the analyst to take next in this situation?
Load the network captures into a protocol analyzer to further investigate the communication with 128.30.100.23, as this may be a botnet command server.
After ensuring network captures from the server are saved, isolate the server from the network, take a memory snapshot, reboot, and log in to do further analysis.
Corporate data is being exfiltrated from the server. Reboot the server and log in to see if it contains any sensitive data.
Cryptomining malware is running on the server and utilizing all CPU and memory. Reboot the server and disable any cron jobs or startup scripts that start the mining software.

A security analyst is reviewing WAF alerts and sees the following request:
Request="GET /public/report.html?iewt=9064 AND 1=1 UNION ALL SELECT 1,NULL,table_name FROM information_schema.tables WHERE 2>1--/**/; HTTP/1.1 Host=mysite.com
Which of the following BEST describes the attack?
SQL injection
LDAP injection
Command injection
Denial of service

During a routine review of service restarts, a security analyst observes the following in a server log:
Which of the following is the GREATEST security concern?
The daemon's binary was changed.
Four consecutive days of monitoring are skipped in the log.
The process identifiers for the running service change.
The PIDs are continuously changing.

Which of the following describes the difference between intentional and unintentional insider threats?
Their access levels will be different.
The risk factor will be the same.
Their behavior will be different.
The rate of occurrence will be the same.

Which of the following are the MOST likely reasons to include reporting processes when updating an incident response plan after a breach? (Select TWO.)
To establish a clear chain of command
To meet regulatory requirements for timely reporting
To limit reputation damage caused by the breach
To remediate vulnerabilities that led to the breach
To isolate potential insider threats
To provide secure network design changes

A security analyst is reviewing port scan data that was collected over the course of several months. The following data represents the trends:
Which of the following is the BEST action for the security analyst to take after analyzing the trends?
Review the system configurations to determine if port 445 needs to be open.
Assume there are new instances of Apache in the environment.
Investigate why the number of open SSH ports varied during the six months.
Raise a concern to a supervisor regarding possible malicious use of port 8443.

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacker was able to gain access to the SCADA by logging in to an account with weak credentials. Which of the following identity and access management solutions would help to mitigate this risk?
Multifactor authentication
Manual access reviews
Endpoint detection and response
Role-based access control

A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST approach?
Degaussing
Shredding
Formatting
Encrypting

A company is aiming to test a new incident response plan. The management team has made it clear that the initial test should have no impact on the environment. The company has limited resources to support testing. Which of the following exercises would be the best approach?
Tabletop scenarios
Capture the flag
Red team vs. blue team
Unknown-environment penetration test

Which of the following lines from this output most likely indicates that attackers could quickly use brute force and determine the negotiated secret session key?
TLS_RSA_WITH_DES_CBC_SHA 56
TLS_DHE_RSA_WITH_AES_128_CBC_SHA 128 DH (1024 bits)
TLS_RSA_WITH_AES_256_CBC_SHA 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA256 DH (2048 bits)

The Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?
Nessus
Nikto
Fuzzer
Wireshark
Prowler

A risk assessment concludes that the perimeter network has the highest potential for compromise by an attacker, and it is labeled as a critical risk environment. Which of the following is a valid compensating control to reduce the volume of valuable information in the perimeter network that an attacker could gain using active reconnaissance techniques?
A control that demonstrates that all systems authenticate using the approved authentication method
A control that demonstrates that access to a system is only allowed by using SSH
A control that demonstrates that firewall rules are peer reviewed for accuracy and approved before deployment
A control that demonstrates that the network security policy is reviewed and updated yearly