Question # 4

During a company's most recent incident, a vulnerability in custom software was exploited on an externally facing server by an APT. The lessons-learned report noted the following:

• The development team used a new software language that was not supported by the security team's automated assessment tools.

• During the deployment, the security assessment team was unfamiliar with the new language and struggled to evaluate the software during advanced testing. Therefore, the vulnerability was not detected.

• The current IPS did not have effective signatures and policies in place to detect and prevent runtime attacks on the new application.

To allow this new technology to be deployed securely going forward, which of the following will BEST address these findings? (Choose two.)

A. Train the security assessment team to evaluate the new language and verify that best practices for secure coding have been followed
B. Work with the automated assessment-tool vendor to add support for the new language so these vulnerabilities are discovered automatically
C. Contact the human resources department to hire new security team members who are already familiar with the new language
D. Run the software on isolated systems so when they are compromised, the attacker cannot pivot to adjacent systems
E. Instruct only the development team to document the remediation steps for this vulnerability
F. Outsource development and hosting of the applications in the new language to a third-party vendor so the risk is transferred to that provider

Question # 5

An organization wants to consolidate a number of security technologies throughout the organization and standardize a workflow for identifying security issues, prioritizing the severity, and automating a response. Which of the following would best meet the organization's needs?

A. MaaS
B. SIEM
C. SOAR
D. CI/CD

Question # 6

During a risk assessment, a senior manager inquires about what the cost would be if a unique occurrence would impact the availability of a critical service. The service generates $1,000 in revenue for the organization. The impact of the attack would affect 20% of the server's capacity to perform jobs. The organization expects that five out of twenty attacks would succeed during the year. Which of the following is the calculated single loss expectancy?

A. $200
B. $800
C. $5,000
D. $20,000

Question # 7

An organization is performing a risk assessment to prioritize resources for mitigation and remediation based on impact. Which of the following metrics, in addition to the CVSS for each CVE, would best enable the organization to prioritize its efforts?

A. OS type
B. OS or application versions
C. Patch availability
D. System architecture
E. Mission criticality

Question # 8

Which of the following BEST describes an HSM?

A. A computing device that manages cryptography, decrypts traffic, and maintains library calls
B. A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions
C. A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions
D. A computing device that manages algorithms, performs entropy functions, and maintains digital signatures

Question # 9

An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosure of the incident to external entities should be based on:

A. the responder's discretion.
B. the public relations policy.
C. the communication plan.
D. the senior management team's guidance.

Question # 10

A company wants to run a leaner team and needs to deploy a threat management system with minimal human interaction. Which of the following is the server component of the threat management system that can accomplish this goal?

A. STIX
B. OpenIOC
C. CVSS
D. TAXII

Question # 11

When investigating a compromised system, a security analyst finds the following script in the /tmp directory:

Which of the following attacks is this script attempting, and how can it be mitigated?

A. This is a password-hijacking attack, and it can be mitigated by using strong encryption protocols.
B. This is a password-spraying attack, and it can be mitigated by using multifactor authentication.
C. This is a password-dictionary attack, and it can be mitigated by forcing password changes every 30 days.
D. This is a credential-stuffing attack, and it can be mitigated by using multistep authentication.

Question # 12

An analyst needs to understand how an attacker compromised a server. Which of the following procedures will best deliver the information that is necessary to reconstruct the steps taken by the attacker?

A. Scan the affected system with an anti-malware tool and check for vulnerabilities with a vulnerability scanner.
B. Extract the server's system timeline, verifying hashes and network connections during a certain time frame.
C. Clone the entire system and deploy it in a network segment built for tests and investigations while monitoring the system during a certain time frame.
D. Clone the server's hard disk and extract all the binary files, comparing hash signatures with malware databases.

Question # 13

A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do next?

A. Document the procedures and walk through the incident training guide.
B. Reverse engineer the malware to determine its purpose and risk to the organization.
C. Sanitize the workstation and verify countermeasures are restored.
D. Isolate the workstation and issue a new computer to the user.

Question # 14

An employee observes degraded system performance on a Windows workstation. While attempting to access documents, the employee notices the file icons appear abnormal and the file extensions have been changed. The employee instantly shuts down the machine and alerts a supervisor.

Which of the following forensic evidence will be lost as a result of these actions?

A. All user actions prior to shutting down the machine
B. All information stored in the machine's local database
C. All cached items that are queued to be written to the registry
D. Volatile artifacts in the system's memory

Question # 15

Which of the following are important reasons for performing proactive threat-hunting activities? (Select two).

A. To ensure all alerts are fully investigated
B. To test incident response capabilities
C. To uncover unknown threats
D. To allow alerting rules to be more specific
E. To create a new security baseline
F. To improve user awareness about security threats

Question # 16

An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise. Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?

A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Determine an annual patch cadence to ensure all patching occurs at the same time.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

Question # 17

A systems administrator believes a user's workstation has been compromised. The workstation's performance has been lagging significantly for the past several hours. The administrator runs the tasklist /v command and receives the following output:

Which of the following should a security analyst recognize as an indicator of compromise?

A. dwm.exe being executed under the user context
B. The high usage of vscode.exe *32
C. The abnormal behavior of paint.exe
D. svchost.exe being executed as SYSTEM

Question # 18

While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?

A. Block the sender in the email gateway.
B. Delete the email from the company's email servers.
C. Ask the sender to stop sending messages.
D. Review the message in a secure environment.

Question # 19

An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised. Which of the following should the analyst do FIRST?

A. Perform threat hunting in other areas of the cloud infrastructure
B. Contact law enforcement to report the incident
C. Perform a root cause analysis on the container and the service logs
D. Isolate the container from production using a predefined policy template

Question # 20

A company wants to configure the environment to allow passive network monitoring. To avoid disrupting the sensitive network, which of the following must be supported by the scanner's NIC to assist with the company's request?

A. Port bridging
B. Tunnel all mode
C. Full-duplex mode
D. Port mirroring
E. Promiscuous mode

Question # 21

An analyst is performing a BIA and needs to consider measures and metrics. Which of the following would help the analyst achieve this objective? (Select two).

A. Time to reimage the server
B. Minimum data backup volume
C. Disaster recovery plan for non-critical services
D. Maximum downtime before impact is unacceptable
E. Time required to inform stakeholders about outage
F. Total time accepted for business process outage

Question # 22

Industry partners from critical infrastructure organizations were victims of attacks on their SCADA devices. The attacker was able to gain access to the SCADA by logging in to an account with weak credentials. Which of the following identity and access management solutions would help to mitigate this risk?

A. Multifactor authentication
B. Manual access reviews
C. Endpoint detection and response
D. Role-based access control

Question # 23

Ensuring that all areas of security have the proper controls is a primary reason why organizations use:

A. frameworks.
B. directors and officers.
C. incident response plans.
D. engineering rigor.

Question # 24

A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security review guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes?

A. Internal management review
B. Control assessment
C. Tabletop exercise
D. Peer review

Question # 25

A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?

A. CASB
B. VPC
C. Federation
D. VPN

Question # 26

A security analyst recently observed evidence of an attack against a company's web server. The analyst investigated the issue but was unable to find an exploit that adequately explained the observations.

Which of the following is the MOST likely cause of this issue?

A. The security analyst needs updated forensic analysis tools.
B. The security analyst needs more training on threat hunting and research.
C. The security analyst has potentially found a zero-day vulnerability that has been exploited.
D. The security analyst has encountered a polymorphic piece of malware.

Question # 27

Members of the sales team are using email to send sensitive client lists with contact information to their personal accounts. The company's AUP and code of conduct prohibit this practice. Which of the following configuration changes would improve security and help prevent this from occurring?

A. Configure the DLP transport rules to provide deep content analysis.
B. Put employees' personal email accounts on the mail server on a blocklist.
C. Set up IPS to scan for outbound emails containing names and contact information.
D. Use Group Policy to prevent users from copying and pasting information into emails.
E. Move outbound emails containing names and contact information to a sandbox for further examination.

Question # 28

Which of the following is an advantage of continuous monitoring as a way to help protect an enterprise?

A. Continuous monitoring leverages open-source tools, thereby reducing cost to the organization.
B. Continuous monitoring responds to active intrusions without requiring human assistance.
C. Continuous monitoring blocks malicious activity by connecting to real-time threat feeds.
D. Continuous monitoring uses automation to identify threats and alerts in real time.

Question # 29

An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?

A. Implement MDM
B. Update the malware catalog
C. Patch the mobile device's OS
D. Block third-party applications

Question # 30

An organization completed an internal assessment of its policies and procedures. The audit team identified a deficiency in the policies and procedures for PII. Which of the following should be the first step to secure the organization's PII?

A. Complete PII training within the organization.
B. Contact all PII data owners within the organization.
C. Identify what type of PII is on the network.
D. Formalize current PII documentation.

Question # 31

An analyst reviews the most recent vulnerability management report and notices a firewall with 99.98% required uptime is reporting different firmware versions on scans than were reported in previous scans. The vendor released new firewall firmware a few months ago. Which of the following will the analyst most likely do next given the requirements?

A. Request to route traffic through a secondary firewall.
B. Check for change tickets.
C. Perform a credentialed scan.
D. Request an exception to the uptime policy.

Question # 32

A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements:

• The partners' PCs must not connect directly to the laboratory network.

• The tools the partners need to access while on the laboratory network must be available to all partners.

• The partners must be able to run analyses on the laboratory network, which may take hours to complete.

Which of the following capabilities will MOST likely meet the security objectives of the request?

A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
D. Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis

Question # 33

A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop.

Which of the following processes will the security analyst identify as the MOST likely indicator of system compromise given the processes running in Task Manager?

A. Chrome.exe
B. Word.exe
C. Explorer.exe
D. mstsc.exe
E. taskmgr.exe

Question # 34

Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

A. vulnerability scanning.
B. threat hunting.
C. red teaming.
D. penetration testing.

Question # 35

Given the output below:

#nmap 7.70 scan initiated Tues, Feb 8 12:34:56 2022 as: nmap -v -Pn -p 80,8000,443 --script http-* -oA server.out 192.168.220.42

Which of the following is being performed?

A. Cross-site scripting
B. Local file inclusion attack
C. Log4j check
D. Web server enumeration

Question # 36

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:

Which of the following ports should be closed?

A. 22
B. 80
C. 443
D. 1433

Question # 37

An application has been updated to fix a vulnerability. Which of the following would ensure that previously patched vulnerabilities have not been reintroduced?

A. Stress testing
B. Regression testing
C. Code review
D. Peer review

Question # 38

A security engineer is reviewing security products that identify malicious actions by users as part of a company's insider threat program. Which of the following is the most appropriate product category for this purpose?

A. SCAP
B. SOAR
C. UEBA
D. WAF

Question # 39

A security analyst scans the company's external IP range and receives the following results from one of the hosts:

Which of the following best represents the security concern?

A. A remote communications port is exposed.
B. The FTP port should be using TCP only.
C. Microsoft RDP is accepting connections on TCP.
D. The company's DNS server is exposed to everyone.

Question # 40

A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?

A. IDS signatures
B. Data loss prevention
C. Port security
D. Sinkholing

Question # 41

An organization has a strict policy that if elevated permissions are needed, users should always run commands under their own account, with temporary administrator privileges if necessary. A security analyst is reviewing syslog entries and sees the following:

Which of the following entries should cause the analyst the MOST concern?

A. <100>2 2020-01-10T19:33:41.002z webserver su 201 32001 = BOM ' su vi httpd.conf' failed for joe
B. <100>2 2020-01-10T20:36:36.0010z financeserver su 201 32001 = BOM ' sudo vi users.txt success
C. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi syslog.conf failed for jos
D. <100> 2020-01-10T19:34..002z financeserver su 201 32001 = BOM ' su vi success
E. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi httpd.conf' success

Question # 42

A routine vulnerability scan detected a known vulnerability in a critical enterprise web application. Which of the following would be the BEST next step?

A. Submit a change request to have the system patched.
B. Evaluate the risk and criticality to determine if further action is necessary.
C. Notify a manager of the breach and initiate emergency procedures.
D. Remove the application from production and inform the users.

Question # 43

An organization is required to be able to consume multiple threat feeds simultaneously and to provide actionable intelligence to various teams. The organization would also like to be able to leverage the intelligence to enrich security event data. Which of the following functions would most likely help the security analyst meet the organization's requirements?

A. Vulnerability management
B. Risk management
C. Detection and monitoring
D. Incident response

Question # 44

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:

A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.

Question # 45

Which of the following is the BEST option to protect a web application against CSRF attacks?

A. Update the web application to the latest version.
B. Set a server-side rate limit for CSRF token generation.
C. Avoid the transmission of CSRF tokens using cookies.
D. Configure the web application to only use HTTPS and TLS 1.3.

Question # 46

A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

Which of the following describes what has occurred?

A. The host attempted to download an application from utoftor.com.
B. The host downloaded an application from utoftor.com.
C. The host attempted to make a secure connection to utoftor.com.
D. The host rejected the connection from utoftor.com.

Question # 47

Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?

A. Remote code execution
B. Buffer overflow
C. Unauthenticated commands
D. Certificate spoofing

Question # 48

Which of the following APT adversary archetypes represent non-nation-state threat actors? (Select TWO)

A. Kitten
B. Panda
C. Tiger
D. Jackal
E. Bear
F. Spider

Question # 49

A security analyst performed a targeted system vulnerability scan to obtain critical information. After the output result, the analyst used the OVAL XML language to review and calculate the discovered risk. Which of the following types of scans did the security analyst perform?

A. Active
B. Network map
C. Passive
D. External

Question # 50

During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the best way to locate this issue?

A. Reduce the session timeout threshold.
B. Deploy MFA for access to the web server.
C. Implement input validation.
D. Run a dynamic code analysis.

Question # 51

Due to a rise in cyberattackers seeking PHI, a healthcare company that collects highly sensitive data from millions of customers is deploying a solution that will ensure the customers' data is protected by the organization internally and externally. Which of the following countermeasures can BEST prevent the loss of customers' sensitive data?

A. Implement privileged access management
B. Implement a risk management process
C. Implement multifactor authentication
D. Add more security resources to the environment

Question # 52

A forensic examiner is investigating possible malware compromise on an active endpoint device. Which of the following steps should the examiner perform first?

A. Verify the hash value of the image with the value of the copy.
B. Use a write blocker to create an image of the hard drive.
C. Create a memory dump from RAM.
D. Download and apply the latest AV signature.
E. Reimage the hard drive and apply the latest updates.

Question # 53

Which of the following is the best method to review and assess the security of the cloud service models used by a company on multiple CSPs?

A. Unifying and migrating all services in a single CSP
B. Executing an API hardening process on the CSPs' endpoints
C. Integrating the security benchmarks of the CSPs with a CASB
D. Deploying cloud instances using Nikto and OpenVAS

Question # 54

A security analyst is reviewing the network security monitoring logs listed below:

Which of the following is the analyst most likely observing? (Select two).

A. 10.1.1.128 sent potential malicious traffic to the web server.
B. 10.1.1.128 sent malicious requests, and the alert is a false positive.
C. 10.1.1.129 successfully exploited a vulnerability on the web server.
D. 10.1.1.129 sent potential malicious requests to the web server.
E. 10.1.1.129 can determine that port 443 is being used.
F. 10.1.1.130 can potentially obtain information about the PHP version.

Question # 55

A security analyst is reviewing a new Internet portal that will be used for corporate employees to obtain their pay statements. Corporate policy classifies pay statement information as confidential, and it must be protected by MFA. Which of the following would best fulfill the MFA requirement while keeping the portal accessible from the internet?

A. Obtaining home public IP addresses of corporate employees to implement source IP restrictions and requiring a username and password
B. Requiring the internet portal to be accessible from only the corporate SSO internet endpoint and requiring a smart card and PIN
C. Moving the internet portal server to a DMZ that is only accessible from the corporate VPN and requiring a username and password
D. Distributing a shared password that must be provided before the internet portal loads and requiring a username and password

Question # 56

During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?

A. Warn the incident response team that the server can be compromised
B. Open a ticket informing the development team about the alerts
C. Check if temporary files are being monitored
D. Dismiss the alert, as the new application is still being adapted to the environment

Question # 57

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

A. SMB use domain SID to enumerate users
B. SYN scanner
C. SSL certificate cannot be trusted
D. Scan not performed with admin privileges

Question # 58

During an audit, several customer order forms were found to contain inconsistencies between the actual price of an item and the amount charged to the customer. Further investigation narrowed the cause of the issue to manipulation of the public-facing web form used by customers to order products. Which of the following would be the BEST way to locate this issue?

A. Reduce the session timeout threshold
B. Deploy MFA for access to the web server
C. Implement input validation
D. Run a static code scan

Question # 59

A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?

A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.
B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist.
D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs.

Question # 60

Which of the following is a difference between SOAR and SCAP?

A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope
C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does
D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts

Question # 61

After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?

A. Privilege management
B. Group Policy Object management
C. Change management
D. Asset management

Question # 62

Which of the following is the best method to ensure secure boot UEFI features are enabled to prevent boot malware?

A. Enable secure boot in the hardware and reload the operating system.
B. Reconfigure the system's MBR and enable NTFS.
C. Set UEFI to legacy mode and enable security features.
D. Convert the legacy partition table to UEFI and repair the operating system.

Question # 63

During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?

A. Share details of the security incident with the organization's human resources management team
B. Note the security incident so other analysts are aware the traffic is malicious
C. Communicate the security incident to the threat team for further review and analysis
D. Report the security incident to a manager for inclusion in the daily report

Question # 64

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.

Which of the following actions should the security analyst take?

A. Release the email for delivery due to its importance.
B. Immediately contact a purchasing agent to expedite.
C. Delete the email and block the sender.
D. Purchase the gift cards and submit an expense report.

Question # 65

Several operator workstations are exhibiting unusual behavior, including applications loading slowly, temporary files being overwritten, and reboot notifications to apply antivirus signatures. During an investigation, an analyst finds evidence of Bitcoin mining. Which of the following is the first step the analyst should take to prevent further spread of the mining operation?

A.

Reboot each host that is exhibiting the behaviors.

B.

Enable the host-based firewalls to prevent further activity.

C.

Quarantine all the impacted hosts for forensic analysis.

D.

Notify users to turn off all affected devices.

Question # 66

Which of the following would best protect sensitive data if a device is stolen?

A.

Remote wipe of drive

B.

Self-encrypting drive

C.

Password-protected hard drive

D.

Bus encryption

Question # 67

Which of the following BEST explains the function of a managerial control?

A.

To help design and implement the security planning, program development, and maintenance of the security life cycle

B.

To guide the development of training, education, security awareness programs, and system maintenance

C.

To create data classification, risk assessments, security control reviews, and contingency planning

D.

To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails

Question # 68

A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment. Which of the following is the BEST solution?

A.

Virtualize the system and decommission the physical machine.

B.

Remove it from the network and require air gapping.

C.

Implement privileged access management for identity access.

D.

Implement MFA on the specific system.

Question # 69

Which of the following best explains why it is important for companies to implement both privacy and security policies?

A.

Private data is insecure by design, so different programs ensure both policies are addressed.

B.

Security policies will automatically ensure the data complies with privacy regulations.

C.

Privacy policies will satisfy all regulations to secure consumer and sensitive company data.

D.

Both policies have some overlap, but the differences can have regulatory consequences.

Question # 70

To prioritize the morning's work, an analyst is reviewing security alerts that have not yet been investigated. Which of the following assets should be investigated FIRST?

A.

The workstation of a developer who is installing software on a web server

B.

A new test web server that is in the process of initial installation

C.

An accounting supervisor's laptop that is connected to the VPN

D.

The laptop of the vice president that is on the corporate LAN

Question # 71

Which of the following BEST explains the function of a TPM?

A.

To provide hardware-based security features using unique keys

B.

To ensure platform confidentiality by storing security measurements

C.

To improve management of the OS installation.

D.

To implement encryption algorithms for hard drives

Question # 72

A security analyst is reviewing WAF alerts and sees the following request:

Which of the following BEST describes the attack?

A.

SQL injection

B.

LDAP injection

C.

Command injection

D.

Denial of service

Question # 73

A Chief Information Security Officer has asked for a list of hosts that have critical and high-severity findings as referenced in the CVE database. Which of the following tools would produce the assessment output needed to satisfy this request?

A.

Nessus

B.

Nikto

C.

Fuzzer

D.

Wireshark

E.

Prowler

Question # 74

A vulnerability assessment solution is hosted in the cloud. This solution will be used as an accurate inventory data source for both the configuration management database and the governance, risk, and compliance tool. An analyst has been asked to automate the data acquisition. Which of the following would be the BEST way to acquire the data?

A.

CSV export

B.

SOAR

C.

API

D.

Machine learning

Question # 75

An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions, the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:

• Successful administrator login reporting priority - high

• Failed administrator login reporting priority - medium

• Failed temporary elevated permissions - low

• Successful temporary elevated permissions - non-reportable

A security analyst is reviewing server syslogs and sees the following:

Which of the following events is the HIGHEST reporting priority?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

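The page does not reproduce the syslog excerpt this question refers to, so the following is an added example (not from the original page) that implements the four reporting rules above against constructed Linux auth-log lines. The account names in ADMIN_ACCOUNTS and the log lines themselves are assumptions made for the example; the sudo and sshd message formats are the standard ones.

```python
"""Rank authentication events by the organization's reporting priority.
Added example; SAMPLE_SYSLOG is constructed in Linux auth.log style and is
not the log excerpt the original question refers to."""
import re

ADMIN_ACCOUNTS = {"administrator", "root"}   # assumed names of the accounts users must not log in to directly
RANK = {"high": 3, "medium": 2, "low": 1}    # 'non-reportable' events never get a rank

SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
SUDO_FAIL = re.compile(r"sudo:\s+(\S+) : \d+ incorrect password attempts? ;")
SUDO_OK = re.compile(r"sudo:\s+(\S+) : TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)")

# Constructed sample lines (not real host data).
SAMPLE_SYSLOG = [
    "Mar  3 08:12:01 srv1 sshd[1234]: Accepted password for administrator from 10.0.0.5 port 51022 ssh2",
    "Mar  3 08:13:44 srv1 sshd[1240]: Failed password for administrator from 10.0.0.9 port 51100 ssh2",
    "Mar  3 08:15:02 srv1 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  3 08:16:10 srv1 sudo:   bjones : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bjones ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 08:17:30 srv1 sshd[1250]: Accepted publickey for jsmith from 10.0.0.5 port 51200 ssh2",
]


def classify(line):
    """Return (priority, description) for a reportable event, else None."""
    m = SSH_ACCEPT.search(line)
    if m:
        user, src = m.groups()
        if user in ADMIN_ACCOUNTS:
            return "high", f"successful administrator login as {user} from {src}"
        return None                      # ordinary user login: outside the policy
    m = SSH_FAIL.search(line)
    if m:
        user, src = m.groups()
        if user in ADMIN_ACCOUNTS:
            return "medium", f"failed administrator login as {user} from {src}"
        return None
    m = SUDO_FAIL.search(line)
    if m:
        return "low", f"failed temporary elevation by {m.group(1)}"
    if SUDO_OK.search(line):
        return None                      # successful temporary elevation: non-reportable
    return None


def report(lines):
    """Reportable events, highest priority first: [(priority, description, line)]."""
    hits = [(*hit, line) for line in lines if (hit := classify(line))]
    return sorted(hits, key=lambda h: RANK[h[0]], reverse=True)


def highest_priority(lines):
    """The single event an analyst should look at first, or None."""
    ranked = report(lines)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for prio, desc, _ in report(SAMPLE_SYSLOG):
        print(f"{prio:<7} {desc}")
```

Note that a direct login to an administrator account and a sudo elevation by an ordinary user produce very different log lines; the regexes key on that difference rather than on the word "root" alone, which appears in both the successful and the failed sudo entries.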
Question # 76

A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:

Which of the following is the MOST likely solution to the listed vulnerability?

A.

Enable the browser's XSS filter.

B.

Enable Windows XSS protection

C.

Enable the browser's protected pages mode

D.

Enable server-side XSS protection

Question # 77

A security analyst works for a biotechnology lab that is planning to release details about a new cancer treatment. The analyst has been instructed to tune the SIEM software and IPS in preparation for the announcement. For which of the following concerns will the analyst most likely be monitoring?

A.

Intellectual property loss

B.

PII loss

C.

Financial information loss

D.

PHI loss

Question # 78

A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the BEST recommendation?

A.

Require users to sign NDAs

B.

Create a data minimization plan.

C.

Add access control requirements.

D.

Implement a data loss prevention solution.

Question # 79

Which of the following is a vulnerability associated with the Modbus protocol?

A.

Weak encryption

B.

Denial of service

C.

Unchecked user input

D.

Lack of authentication

Question # 80

Which of the following factors would determine the regulations placed on data under data sovereignty laws?

A.

What the company intends to do with the data it owns

B.

The company's data security policy

C.

The type of data the company stores

D.

The data laws of the country in which the company is located

Question # 81

A network appliance manufacturer is building a new generation of devices and would like to include chipset security improvements. The management team wants the security team to implement a method to prevent security weaknesses that could be reintroduced by downgrading the firmware version on the chipset. Which of the following would meet this objective?

A.

UEFI

B.

A hardware security module

C.

eFUSE

D.

Certificate signed updates

Question # 82

At which of the following phases of the SDLC should security FIRST be involved?

A.

Design

B.

Maintenance

C.

Implementation

D.

Analysis

E.

Planning

F.

Testing

Question # 83

A security analyst notices the following proxy log entries:

Which of the following is the user attempting to do based on the log entries?

A.

Use a DoS attack on external hosts.

B.

Exfiltrate data.

C.

Scan the network.

D.

Relay email.

Question # 84

While reviewing system logs, a network administrator discovers the following entry:

Which of the following occurred?

A.

An attempt was made to access a remote workstation.

B.

The PsExec services failed to execute.

C.

A remote shell failed to open.

D.

A user was trying to download a password file from a remote system.

Question # 85

An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?

A.

Infrastructure

B.

Capabilities

C.

Adversary

D.

Victims

Question # 86

During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideration. Which of the following are part of a known threat modeling method?

A.

Threat profile, infrastructure and application vulnerabilities, security strategy and plans

B.

Purpose, objective, scope, team management, cost, roles and responsibilities

C.

Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege

D.

Human impact, adversary's motivation, adversary's resources, adversary's methods

Question # 87

A security officer needs to find the most cost-effective solution to the current data privacy and protection gap found in the last security assessment Which of the following is the BEST recommendation?

A.

Require users to sign NDAs

B.

Create a data minimization plan.

C.

Add access control requirements

D.

Implement a data loss prevention solution

Full Access
Question # 88

After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time?

A.

Make a backup of the server and update the JBoss server that is running on it.

B.

Contact the vendor for the legacy application and request an updated version.

C.

Create a proper DMZ for outdated components and segregate the JBoss server.

D.

Apply virtualization over the server, using the new platform to provide the JBoss service for the legacy application as an external service.

Question # 89

A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?

A.

A TXT record on the name server for SPF

B.

DNSSEC keys to secure replication

C.

DomainKeys Identified Mail (DKIM)

D.

A sandbox to check incoming mail

Question # 90

Which of the following types of controls defines placing an ACL on a file folder?

A.

Technical control

B.

Confidentiality control

C.

Managerial control

D.

Operational control

Question # 91

A company wants to ensure confidential data from its storage media files is sanitized so the drives cannot be reused. Which of the following is the BEST approach?

A.

Degaussing

B.

Shredding

C.

Formatting

D.

Encrypting

Question # 92

A cybersecurity analyst is researching operational data to develop a script that will detect the presence of a threat on corporate assets. Which of the following contains the most useful information to produce this script?

A.

API documentation

B.

Protocol analysis captures

C.

MITRE ATT&CK reports

D.

OpenIOC files

Question # 93

A computer hardware manufacturer is developing a new SoC that will be used by mobile devices. The SoC should not allow users or the process to downgrade from a newer firmware to an older one. Which of the following can the hardware manufacturer implement to prevent firmware downgrades?

A.

Encryption

B.

eFuse

C.

Secure Enclave

D.

Trusted execution

Question # 94

A security analyst is reviewing a vulnerability scan report and notes the following finding:

As part of the detection and analysis procedures, which of the following should the analyst do NEXT?

A.

Patch or reimage the device to complete the recovery

B.

Restart the antivirus's running processes

C.

Isolate the host from the network to prevent exposure

D.

Confirm the workstation's signatures against the most current signatures.

Question # 95

An organization has the following risk mitigation policies

• Risks without compensating controls will be mitigated first if the risk value is greater than $50,000

• Other risk mitigation will be prioritized based on risk value.

The following risks have been identified:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A.

A, C, D, B

B.

B, C, D, A

C.

C, B, A, D

D.

C, D, A, B

E.

D, C, B, A

Question # 96

The Chief Information Security Officer (CISO) of a large financial institution is seeking a solution that will block a predetermined set of data points from being transferred or downloaded by employees. The CISO also wants to track the data assets by name, type, content, or data profile.

Which of the following BEST describes what the CISO wants to purchase?

A.

Asset tagging

B.

SIEM

C.

File integrity monitor

D.

DLP

Question # 97

During an incident investigation, a security analyst discovers the web server is generating an unusually high volume of logs The analyst observes the following response codes:

• 20% of the logs are 403

• 20% of the logs are 404

• 50% of the logs are 200

• 10% of the logs are other codes

The server generates 2MB of logs on a daily basis, and the current day log is over 200MB. Which of the following commands should the analyst use to identify the source of the activity?

A.

cat access_log | grep " 403 "

B.

cat access_log | grep " 200 "

C.

cat access_log | grep " 100 "

D.

cat access_log | grep " 404 "

E.

cat access_log | grep " 204 "

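The grep in each option isolates one status code; the spaces around the number matter because a bare `403` would also match byte counts and paths. As an added example (not from the original page), the following script does the same job positionally: it parses combined-format access log lines, breaks down the status codes, and lists which client addresses produced a given status. SAMPLE_ACCESS_LOG is constructed for the example and uses documentation address ranges, not real traffic.

```python
"""Parse a web server access log, break down response codes and find the
source behind a burst of a given status.  Added example; SAMPLE_ACCESS_LOG
is constructed in Apache/Nginx combined-log format."""
import re
from collections import Counter

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample (not real traffic): one host probing for admin pages.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Mar/2024:08:01:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "GET /.env HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:08:01:04 +0000] "GET /backup.zip HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:08:01:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '198.51.100.20 - - [10/Mar/2024:08:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [10/Mar/2024:08:02:11 +0000] "GET /static/app.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Mar/2024:08:03:00 +0000] "POST /api/login HTTP/1.1" 403 87 "-" "curl/8.4.0"',
    '198.51.100.20 - - [10/Mar/2024:08:03:30 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:08:03:45 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Dict of fields for one line, or None if it is not in combined format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def parsed(lines):
    return [r for r in map(parse_line, lines) if r]


def status_breakdown(lines):
    """Counter of status code -> number of requests."""
    return Counter(r["status"] for r in parsed(lines))


def top_sources(lines, status=None, n=3):
    """Most frequent client IPs, optionally restricted to one status code.
    This is the positional equivalent of `grep " 403 "` piped into
    `awk '{print $1}' | sort | uniq -c | sort -rn`."""
    hits = (r["ip"] for r in parsed(lines) if status is None or r["status"] == status)
    return Counter(hits).most_common(n)


def paths_for(lines, ip):
    """What a given client asked for, in order: the probing pattern is
    usually obvious from the path list alone."""
    return [r["path"] for r in parsed(lines) if r["ip"] == ip]


if __name__ == "__main__":
    print(status_breakdown(SAMPLE_ACCESS_LOG))
    for ip, count in top_sources(SAMPLE_ACCESS_LOG, status="403"):
        print(ip, count, paths_for(SAMPLE_ACCESS_LOG, ip))
```

Starting from the 403s is the right first cut: a 200 is what every legitimate visitor produces, while a run of 403s and 404s from one address against paths like /.env and /phpmyadmin/ is a scanner looking for exposed files.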
Question # 98

The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?

A.

MFA

B.

CASB

C.

SSO

D.

RBAC

Question # 99

A technician working at company.com received the following email:

After looking at the above communication, which of the following should the technician recommend to the security team to prevent exposure of sensitive information and reduce the risk of corporate data being stored on non-corporate assets?

A.

Forwarding of corporate email should be disallowed by the company.

B.

A VPN should be used to allow technicians to troubleshoot computer issues securely.

C.

An email banner should be implemented to identify emails coming from external sources.

D.

A rule should be placed on the DLP to flag employee IDs and serial numbers.

Question # 100

During a review of the vulnerability scan results on a server, an information security analyst notices the following:

The MOST appropriate action for the analyst to recommend to developers is to change the web server so:

A.

It only accepts TLSv1.2

B.

It only accepts cipher suites using AES and SHA

C.

It no longer accepts the vulnerable cipher suites

D.

SSL/TLS is offloaded to a WAF and load balancer

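Raising the minimum protocol version and removing vulnerable cipher suites are separate settings, which is the distinction the question turns on: a server can speak TLS 1.2 only and still offer RC4, 3DES or non-forward-secret RSA key exchange. As an added example (not the page's own configuration), the following uses the standard-library ssl module to build a server context that does both, and to list what remains so the result can be checked against a scanner's findings. The cipher string is one reasonable choice, not a requirement from the page.

```python
"""Server TLS context that removes the cipher suites a vulnerability scanner
flags, rather than only forcing TLS 1.2.  Added example using the standard
library; the cipher string is an assumption, not the page's configuration."""
import ssl

# Substrings identifying suites typically reported as vulnerable:
# RC4 keystream biases, 3DES (Sweet32), MD5 MACs, NULL/export/anonymous suites.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # option A on its own
    # Option C: forward-secret AEAD suites only.  The '!' entries remove the
    # weak families explicitly so a library default cannot reintroduce them.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:"
                    "!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXPORT:!kRSA")
    ctx.options |= ssl.OP_NO_COMPRESSION              # TLS compression (CRIME)
    return ctx


def allowed_suites(ctx):
    """Names of the suites the context will negotiate (TLS 1.3 suites are
    always listed by OpenSSL; they are all AEAD and forward secret)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx):
    """Any remaining suite that a scanner would still flag."""
    return [n for n in allowed_suites(ctx) if any(m in n for m in WEAK_MARKERS)]


def protocols_offered(ctx):
    return sorted({c["protocol"] for c in ctx.get_ciphers()})


if __name__ == "__main__":
    ctx = hardened_server_context()
    print(protocols_offered(ctx))
    print(allowed_suites(ctx))
    print("weak suites remaining:", weak_suites(ctx))
```

Re-scan after the change: the goal stated in the finding is that the vulnerable suites are gone, and the suite list reported by the server is the evidence, not the protocol version alone.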
Question # 101

A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?

A.

Stack counting

B.

Searching

C.

Clustering

D.

Grouping

Question # 102

A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution?

A.

The use of infrastructure-as-code capabilities leads to an increased attack surface.

B.

Patching the underlying application server becomes the responsibility of the client.

C.

The application is unable to use encryption at the database level.

D.

Insecure application programming interfaces can lead to data compromise.

Question # 103

An analyst is reviewing email headers to determine if an email has been sent from a legitimate sender. The organization uses SPF to validate email origination. Which of the following most likely indicates an invalid originator?

A.

Received-SPF: neutral

B.

Received-SPF: none

C.

Received-SPF: softfail

D.

Received-SPF: error

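The SPF questions above cover both ends of the mechanism: the domain publishes a policy in a TXT record (Question 89) and the receiver records its verdict in a Received-SPF header (Question 103). The following is an added example, not code from the original page, that evaluates a sending IP against a policy and then maps a Received-SPF result to a handling action. DNS lookups are replaced by FAKE_DNS, a constructed dictionary with hypothetical names, so it runs offline; only the ip4, ip6, a, include and all mechanisms are modelled.

```python
"""SPF from both ends: evaluating a sender IP against a published policy and
triaging the Received-SPF header a receiver stamps on a message.  Added
example; FAKE_DNS below is a constructed stand-in for real DNS."""
import ipaddress
import re

# Constructed DNS data (hypothetical names, not real records).
FAKE_DNS = {
    "txt": {
        "example.com": "v=spf1 ip4:203.0.113.0/24 a:mail.example.com "
                       "include:_spf.partner.example -all",
        "_spf.partner.example": "v=spf1 ip4:198.51.100.32/27 ~all",
    },
    "a": {"mail.example.com": ["192.0.2.25"]},
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:                  # modifiers (redirect=, exp=) are not evaluated here
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip, domain, dns=FAKE_DNS, depth=0):
    """Result for a sending IP under the domain's policy (RFC 7208 subset):
    the qualifier of the first matching term, 'neutral' if nothing matches
    and no 'all' is present, 'none' if the domain publishes no record."""
    if depth > 10:
        return "permerror"               # include loops are a permanent error
    record = dns["txt"].get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for qualifier, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(addr) in dns["a"].get(arg or domain, [])
        elif mech == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False              # mx, exists, ptr: not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


RECEIVED_SPF = re.compile(r"^Received-SPF:\s*([A-Za-z]+)")

# Receiver-side handling.  'fail' and 'softfail' are the two results that say
# the domain does NOT authorize this source; 'neutral' and 'none' make no claim.
SPF_ACTION = {
    "pass": "deliver",
    "fail": "reject",
    "softfail": "quarantine",
    "neutral": "treat-as-unauthenticated",
    "none": "treat-as-unauthenticated",
    "temperror": "retry-later",
    "permerror": "investigate-record",
}


def triage_received_spf(header):
    """Map a Received-SPF header to (result, action)."""
    m = RECEIVED_SPF.match(header.strip())
    if not m:
        raise ValueError("not a Received-SPF header")
    result = m.group(1).lower()
    return result, SPF_ACTION.get(result, "unknown")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.25", "198.51.100.40", "198.51.100.70"):
        print(ip, check_host(ip, "example.com"))
    print(triage_received_spf(
        "Received-SPF: softfail (example.com: transitioning domain does not "
        "designate 198.51.100.70 as permitted sender) client-ip=198.51.100.70"))
```

SPF alone does not stop display-name impersonation of an executive from an unrelated domain; it only lets receivers reject mail that claims to come from your domain but from an unlisted source, which is why it is normally deployed together with DKIM and a DMARC policy.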
Question # 104

A security analyst is supporting an embedded software team. Which of the following is the best recommendation to ensure proper error handling at runtime?

A.

Perform static code analysis.

B.

Require application fuzzing.

C.

Enforce input validation.

D.

Perform a code review.

Question # 105

A threat feed disclosed a list of files to be used as an IoC for a zero-day vulnerability. A cybersecurity analyst decided to include a custom lookup for these files on the endpoint's log-in script as a mechanism to:

A.

automate malware signature creation.

B.

close the threat intelligence cycle loop.

C.

generate a STIX object for the TAXII server

D.

improve existing detection capabilities.

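Questions 92 and 105 both concern turning indicators from a feed (the file names and hashes an OpenIOC or STIX bundle carries) into a check that runs on the endpoint. The following is an added example, not code from the original page, of such a lookup: it walks a directory tree and flags files whose name or SHA-256 appears in the indicator sets. The indicator values and the files demo() writes to a temporary directory are constructed for the example and are not real indicators.

```python
"""Endpoint-side IoC lookup: walk a directory tree and flag files whose name
or SHA-256 appears in a threat-feed list.  Added example; the indicators and
the files created by demo() are constructed, not real."""
import hashlib
import os
import pathlib
import tempfile

# Constructed indicators (the file-name and hash fields of an OpenIOC/STIX
# indicator, not real malware data).
IOC_FILENAMES = {"dropper.dll", "update_helper.exe"}
IOC_SHA256 = {hashlib.sha256(b"constructed malicious payload").hexdigest()}


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, names=IOC_FILENAMES, hashes=IOC_SHA256):
    """Return [(relative_path, reason, sha256)] for every match, sorted by
    path.  A name match is cheap but easily evaded by renaming; the hash
    match catches the renamed copy, so both are checked."""
    root = pathlib.Path(root)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = pathlib.Path(dirpath) / name
            try:
                digest = sha256_file(p)
            except OSError:              # unreadable/locked file: skip, do not abort the run
                continue
            if name.lower() in names:
                reason = "filename"
            elif digest in hashes:
                reason = "sha256"
            else:
                continue
            hits.append((p.relative_to(root).as_posix(), reason, digest))
    return sorted(hits)


def demo():
    """Build a small constructed tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp)
        (root / "cache").mkdir()
        (root / "tools").mkdir()
        (root / "readme.txt").write_text("nothing to see here")
        (root / "tools" / "dropper.dll").write_bytes(b"benign bytes, but the name is on the list")
        (root / "cache" / "x.bin").write_bytes(b"constructed malicious payload")
        return scan_tree(root)


if __name__ == "__main__":
    for path, reason, digest in demo():
        print(f"{reason:<9} {path}  {digest[:16]}...")
```

Running this from a log-in script adds coverage for the specific files the feed named; it does not create a signature (that is the AV vendor's job) and it does not feed anything back to the intelligence source, which is why the lookup is best described as improving existing detection.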
Question # 106

Which of the following provides an automated approach to checking a system configuration?

A.

SCAP

B.

CI/CD

C.

OVAL

D.

Scripting

E.

SOAR

Question # 107

Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the best solution to improve the equipment's security posture?

A.

Move the legacy systems behind a WAF

B.

Implement an air gap for the legacy systems.

C.

Place the legacy systems in the perimeter network.

D.

Implement a VPN between the legacy systems and the local network.

Question # 108

A company notices unknown devices connecting to the internal network and would like to implement a solution to block all non-corporate managed machines. Which of the following solutions would be best to accomplish this goal?

A.

WPA2 for Wi-Fi networks

B.

NAC with 802.1X implementation

C.

Extensible Authentication Protocol

D.

RADIUS with challenge/response

Question # 109

A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?

A.

Deploy an edge firewall.

B.

Implement DLP

C.

Deploy EDR.

D.

Encrypt the hard drives

Question # 110

A security analyst needs to automate the incident response process for malware infections. When the following logs are generated, an alert email should automatically be sent within 30 minutes:

Which of the following is the best way for the analyst to automate alert generation?

A.

Deploy a signature-based IDS

B.

Install a UEBA-capable antivirus

C.

Implement email protection with SPF

D.

Create a custom rule on a SIEM

Question # 111

Which of the following is the best reason why organizations need operational security controls?

A.

To supplement areas that other controls cannot address

B.

To limit physical access to areas that contain sensitive data

C.

To assess compliance automatically against a secure baseline

D.

To prevent disclosure by potential insider threats
