Title of test:
PT003-08

Description:
Cybersecurity Practice Test

Author:
CrapTía

Creation Date:
10/01/2024

Category:
Computers

Number of questions: 25
Content:
1. Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?
- Review of security requirements.
- Compliance checks.
- Decomposing the application.
- Security by design.

2. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
- Log Retention
- Log Rotation
- Maximum Log Size
- Threshold Value

3. Which of the following best describes the key elements of a successful information security program?
- Business impact analysis, asset and change management, and security communication plan.
- Security policy implementation, assignment of roles and responsibilities, and information asset classification.
- Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies.
- Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems.

4. A software developer has been deploying web applications with common security risks, including insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?
- Perform static analyses using an integrated development environment.
- Deploy compensating controls into the environment.
- Implement server-side logging and automatic updates.
- Conduct regular code reviews using OWASP best practices.

5. While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?
- Address space layout randomization.
- Data execution prevention.
- Stack canary.
- Code obfuscation.

6. Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?
- To ensure the report is legally acceptable in case it needs to be presented in court.
- To present a lessons-learned analysis for the incident response team.
- To ensure the evidence can be used in a postmortem analysis.
- To prevent the possible loss of a data source for further root cause analysis.

7. During the log analysis phase, the following suspicious command is detected (picture not reproduced). Which of the following is being attempted?
- RCE
- ICMP Tunneling
- Smurf Attack

8. A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
- DNS traffic while a tunneling session is active.
- The mean time between queries is less than one second.
- The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?
- DNS Exfiltration
- DNS Spoofing
- DNS Zone Transfer
- DNS Poisoning

9. An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?
- CIS Benchmarks
- PCI DSS
- OWASP Top Ten
- ISO 27001

10. During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?
- Place a legal hold on the employee's mailbox.
- Enable filtering on the web proxy.
- Disable the public email access with CASB.
- Configure a deny rule on the firewall.

11. After completing a review of network activity, the threat-hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?
- Irregular peer-to-peer communication
- A rogue device on the network
- Abnormal OS process behavior
- Data exfiltration

12. A vulnerability scanner generates the following output (picture not reproduced). The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?
- Oracle JDK
- Cisco Webex
- Redis Server
- SSL Self-signed Certificate

13. A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?
- Instruct the firewall engineer that a rule needs to be added to block this external server.
- Escalate the event to an incident and notify the SOC manager of the activity.
- Notify the incident response team that there is a DDoS attack occurring.
- Identify the IP/hostname for the requests and look at the related activity.

14. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply. Which of the following would BEST identify potential indicators of compromise?
- Use Burp Suite to capture packets to the SCADA device's IP.
- Use tcpdump to capture packets from the SCADA device IP.
- Use Wireshark to capture packets between SCADA devices and the management system.
- Use Nmap to capture packets from the management system to the SCADA devices.

15. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller?
- Segment the network to constrain access to administrative interfaces.
- Replace the equipment that has third-party support.
- Remove the legacy hardware from the network.
- Install an IDS on the network between the switch and the legacy equipment.

16. A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:
    $ ping 192.168.1.4
    4 packets transmitted, 0 packets received, 100.0% packet loss
The analyst runs the following command next:
    $ sudo hping3 -c 4 -n -i 192.168.1.4
    4 packets transmitted, 4 packets received, 0% loss
Which of the following would explain the difference in results?
- A firewall is blocking ICMP.
- The routing tables for ping and hping3 were different.
- The original ping command needed root permission to execute.
- hping3 is returning a false positive.

17. A cybersecurity analyst contributes to a team hunt on an organization's endpoints. Which of the following should the analyst do FIRST?
- Write detection logic.
- Establish a hypothesis.
- Profile the threat actors and activities.
- Perform a process analysis.

18. A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application not to reclaim memory. This caused the system to be depleted of resources. Which of the following BEST describes this attack?
- Injection attack
- Memory corruption
- Denial of service
- Array attack

19. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)
- Parameterized queries
- Session management
- Input validation
- Output encoding
- Data protection
- Authentication

20. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server. Which of the following is the FIRST step the analyst should take?
- Create a full disk image of the server's hard drive to look for the file containing the malware.
- Run a manual antivirus scan on the machine to look for known malicious software.
- Take a memory snapshot of the machine to capture volatile information stored in memory.
- Start packet capturing to look for traffic that could be indicative of command and control from the miner.

21. A company brings in a consultant to make improvements to its website. After the consultant leaves, a web developer notices unusual activity on the website and submits a suspicious file containing the following code to the security team (picture not reproduced). Which of the following did the consultant do?
- Implanted a backdoor
- Implemented privilege escalation
- Implemented clickjacking
- Patched the web server

22. After a third-party consulting firm did a security assessment, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?
- SIEM ingestion logs are reduced by 20%.
- Phishing alerts drop by 20%.
- False positive rates drop to 20%.
- The MTTR decreases by 20%.

23. A security analyst has been alerted to several emails showing evidence that an employee is planning malicious activities on the network involving employee PII before leaving the organization. The security analyst's BEST response would be to coordinate with the legal department and:
- The public relations department.
- The senior leadership.
- Law enforcement.
- The human resources department.

24. During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving?
- The system memory
- The hard drive
- Network packets
- The Windows Registry

25. A security analyst is reviewing packet captures from a compromised system. The system was already isolated from the network but had access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following (picture not reproduced). Which of the following can the analyst conclude?
- Malware is attempting to beacon to 128.50.100.3.
- The system is running a DoS attack against ajgidwle.com.
- The system is scanning ajgidwle.com for PII.
- Data is being exfiltrated over DNS.