CS0-002 Topic 3
Q201.A security analyst is looking at the headers of a few emails that appear to be targeting all users at an organization:
Which of the following technologies would MOST likely be used to prevent this phishing attempt?
A. DNSSEC
B. DMARC
C. STP
D. S/IMAP
Hint answer: B
Q202.An information security analyst on a threat-hunting team is working with administrators to create a hypothesis related to an internally developed web application.
The working hypothesis is as follows:
✑ Due to the nature of the industry, the application hosts sensitive data associated with many clients and is a significant target.
✑ The platform is most likely vulnerable to poor patching and inadequate server hardening, which expose vulnerable services.
✑ The application is likely to be targeted with SQL injection attacks due to the large number of reporting capabilities within the application.
As a result, the systems administrator upgrades outdated service applications and validates the endpoint configuration against an industry benchmark. The analyst suggests developers receive additional training on implementing identity and access management, and also implements a WAF to protect against SQL injection attacks. Which of the following BEST represents the technique in use?
A. Improving detection capabilities
B. Bundling critical assets
C. Profiling threat actors and activities
D. Reducing the attack surface area
Hint answer: D
Q203.The inability to do remote updates of certificates, keys, software, and firmware is a security issue commonly associated with:
A. web servers on private networks
B. HVAC control systems
C. smartphones
D. firewalls and UTM devices
Hint answer: B
Q204.A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities.
Which of the following would be BEST to implement to alleviate the CISO’s concern?
A. DLP
B. Encryption
C. Test data
D. NDA
Hint answer: C
Q205.A SIEM analyst receives an alert containing the following URL: http://companywebsite.com/displayPicture?filename=../../../../etc/passwd
Which of the following BEST describes the attack?
A. Password spraying
B. Buffer overflow
C. Insecure object access
D. Directory traversal
Hint answer: D
Q206.A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment. Which of the following is the BEST solution?
A. Virtualize the system and decommission the physical machine.
B. Remove it from the network and require air gapping.
C. Implement privileged access management for identity access.
D. Implement MFA on the specific system.
Hint answer: B
Q207.After a series of Group Policy Object updates, multiple services stopped functioning. The systems administrator believes the issue resulted from a Group Policy Object update but cannot validate which update caused the issue. Which of the following security solutions would resolve this issue?
A. Privilege management
B. Group Policy Object management
C. Change management
D. Asset management
Hint answer: C
Q208.A team of network security analysts is examining network traffic to determine if sensitive data was exfiltrated. Upon further investigation, the analysts believe confidential data was compromised. Which of the following capabilities would BEST defend against this type of sensitive data exfiltration?
A. Deploy an edge firewall.
B. Implement DLP.
C. Deploy EDR.
D. Encrypt the hard drives.
Hint answer: B
Q209.During a review of SIEM alerts, a security analyst discovers the SIEM is receiving many alerts per day from the file-integrity monitoring tool about files from a newly deployed application that should not change. Which of the following steps should the analyst complete FIRST to respond to the issue?
A. Warn the incident response team that the server can be compromised.
B. Open a ticket informing the development team about the alerts.
C. Check if temporary files are being monitored.
D. Dismiss the alert, as the new application is still being adapted to the environment.
Hint answer: C
Q210.Which of the following are reasons why consumer IoT devices should be avoided in an enterprise environment? (Choose two.)
A. Message queuing telemetry transport does not support encryption.
B. The devices may have weak or known passwords.
C. The devices may cause a dramatic increase in wireless network traffic.
D. The devices may utilize unsecure network protocols.
E. Multiple devices may interfere with the functions of other IoT devices.
F. The devices are not compatible with TLS 1.2.
Hint answer: BD
Q211.An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related weaknesses open to compromise.
Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability management programs?
A. Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B. Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C. Sign up for vendor emails and create firmware update change plans for affected devices.
D. Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.
Hint answer: A
Q212.Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?
A. Moving to a cloud-based environment
B. Migrating to locally hosted virtual servers
C. Implementing non-repudiation controls
D. Encrypting local database queries
Hint answer: A
Q213.A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to accomplish by adding these sources?
A. Data enrichment
B. Continuous integration
C. Machine learning
D. Workflow orchestration
Hint answer: A
Q214.While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?
A. Hacktivist
B. Nation-state
C. Insider threat
D. Organized crime
Hint answer: A
Q215.A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types of testing does this describe?
A. Acceptance testing
B. Stress testing
C. Regression testing
D. Penetration testing
Hint answer: A
Q216.A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.
Which of the following is the MOST appropriate threat classification for these incidents?
A. Known threat
B. Zero day
C. Unknown threat
D. Advanced persistent threat
Hint answer: A
Q217.An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization’s production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.
Which of the following would be the MOST appropriate to remediate the controller?
A. Segment the network to constrain access to administrative interfaces.
B. Replace the equipment that has third-party support.
C. Remove the legacy hardware from the network.
D. Install an IDS on the network between the switch and the legacy equipment.
Hint answer: A
Q218.A pharmaceutical company’s marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.
Which of the following data privacy standards does this violate?
A. Purpose limitation
B. Sovereignty
C. Data minimization
D. Retention
Hint answer: C
Q219.Which of the following secure coding techniques can be used to prevent cross-site request forgery attacks?
A. Input validation
B. Output encoding
C. Parameterized queries
D. Tokenization
Hint answer: A
Q220.The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization’s security posture?
A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
Hint answer: C
Q221.A hybrid control is one that:
A. is implemented differently on individual systems
B. is implemented at the enterprise and system levels
C. has operational and technical components
D. authenticates using passwords and hardware tokens
Hint answer: B
Q222.An organization’s Chief Information Security Officer (CISO) has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers. Which of the following is a benefit of having these communication plans?
A. They can help to prevent the inadvertent release of damaging information outside the organization.
B. They can help to limit the spread of worms by coordinating with help desk personnel earlier in the recovery phase.
C. They can quickly inform the public relations team to begin coordinating with the media as soon as a breach is detected.
D. They can help to keep the organization’s senior leadership informed about the status of patching during the recovery phase.
Hint answer: A
Q223.A security analyst is responding to an incident on a web server on the company network that is making a large number of outbound requests over DNS. Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of compromise?
A. Run an anti-malware scan on the system to detect and eradicate the current threat
B. Start a network capture on the system to look into the DNS requests to validate command and control traffic
C. Shut down the system to prevent further degradation of the company network
D. Reimage the machine to remove the threat completely and get back to a normal running state
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is underway
Hint answer: D
Q224.Portions of a legacy application are being refactored to discontinue the use of dynamic SQL. Which of the following would be BEST to implement in the legacy application?
A. Input validation
B. SQL injection
C. Parameterized queries
D. Web-application firewall
E. Multifactor authentication
Hint answer: C
Q225.A company has contracted with a software development vendor to design a web portal for customers to access a medical records database. Which of the following should the security analyst recommend to BEST control the unauthorized disclosure of sensitive data when sharing the development database with the vendor?
A. Establish an NDA with the vendor.
B. Enable data masking of sensitive data tables in the database.
C. Set all database tables to read only.
D. Use a de-identified data process for the development database.
Hint answer: B
Q226.A host is spamming the network unintentionally. Which of the following control types should be used to address this situation?
A. Managerial
B. Technical
C. Operational
D. Corrective
Hint answer: D
Q227.While preparing for an audit of information security controls in the environment, an analyst outlines a framework control that has the following requirements:
✑ All sensitive data must be classified.
✑ All sensitive data must be purged on a quarterly basis.
✑ Certificates of disposal must remain on file for at least three years.
This framework control is MOST likely classified as:
A. prescriptive
B. risk-based
C. preventive
D. corrective
Hint answer: C
Q228.A developer wrote a script to make names and other PII data unidentifiable before loading a database export into the testing system. Which of the following describes the type of control that is being used?
A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification
Hint answer: B
Q229.A company’s security administrator needs to automate several security processes related to testing for the existence of changes within the environment.
Conditionally, other processes will need to be created based on input from prior processes. Which of the following is the BEST method for accomplishing this task?
A. Machine learning and process monitoring
B. Continuous integration and configuration management
C. API integration and data enrichment
D. Workflow orchestration and scripting
Hint answer: D
Q230.SIMULATION
You are a penetration tester who is reviewing the system hardening guidelines for a company’s distribution center. The company’s hardening guidelines indicate the following:
✑ There must be one primary server or service per device.
✑ Only default ports should be used.
✑ Non-secure protocols should be disabled.
✑ The corporate Internet presence should be placed in a protected subnet.
INSTRUCTIONS
Using the tools available, discover devices on the corporate network and the services that are running on these devices.
You must determine:
✑ The IP address of each device.
✑ The primary server or service of each device.
✑ The protocols that should be disabled based on the hardening guidelines.
Hint answer:
Q231.Which of the following BEST describes the primary role of a risk assessment as it relates to compliance with risk-based frameworks?
A. It demonstrates the organization’s mitigation of risks associated with internal threats.
B. It serves as the basis for control selection.
C. It prescribes technical control requirements.
D. It is an input to the business impact assessment.
Hint answer: B
Q232.A vulnerability scanner has identified an out-of-support database software version running on a server. The software update will take six to nine months to complete. The management team has agreed to a one-year extended support contract with the software vendor. Which of the following BEST describes the risk treatment in this scenario?
A. The extended support mitigates any risk associated with the software.
B. The extended support contract changes this vulnerability finding to a false positive.
C. The company is transferring the risk for the vulnerability to the software vendor.
D. The company is accepting the inherent risk of the vulnerability.
Hint answer: D
Q233.Which of the following BEST explains hardware root of trust?
A. It uses the processor security extensions to protect the OS from malicious software installation.
B. It prevents side-channel attacks that can take advantage of speculative execution vulnerabilities.
C. It ensures the authenticity of firmware and software during the boot process until the OS is loaded.
D. It has been implemented as a mitigation to the Spectre and Meltdown hardware vulnerabilities.
Hint answer: C
Q234.A company wants to outsource a key human-resources application service to remote employees as a SaaS-based cloud solution. The company’s GREATEST concern should be the SaaS provider’s:
A. SLA for system uptime.
B. DLP procedures.
C. logging and monitoring capabilities.
D. data protection capabilities.
Hint answer: D
Q235.A security analyst is reviewing the network security monitoring logs listed below:
Which of the following is the analyst MOST likely observing? (Choose two.)
A. 10.1.1.128 sent potential malicious traffic to the web server.
B. 10.1.1.128 sent malicious requests, and the alert is a false positive.
C. 10.1.1.129 successfully exploited a vulnerability on the web server.
D. 10.1.1.129 sent potential malicious requests to the web server.
E. 10.1.1.129 sent non-malicious requests, and the alert is a false positive.
F. 10.1.1.130 can potentially obtain information about the PHP version.
Hint answer: DF
Q236.A company’s data is still being exfiltrated to business competitors after the implementation of a DLP solution. Which of the following is the most likely reason why the data is still being compromised?
A. Printed reports from the database contain sensitive information
B. DRM must be implemented with the DLP solution
C. Users are not labeling the appropriate data sets
D. DLP solutions are only effective when they are implemented with disk encryption
Hint answer: C
Q237.A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.
Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?
A. Attack vectors
B. Adversary capability
C. Diamond Model of Intrusion Analysis
D. Kill chain
E. Total attack surface
Hint answer: B
Q238.A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk-based policy decision to review and enforce the vendor upgrade before the end of life is reached.
Which of the following risk actions has the security committee taken?
A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance
Hint answer: D
Q239.An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.
Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?
A. FaaS
B. RTOS
C. SoC
D. GPS
E. CAN bus
Hint answer: B
Q240.A cybersecurity analyst is dissecting an intrusion down to the specific techniques and wants to organize them in a logical manner. Which of the following frameworks would BEST apply in this situation?
A. Pyramid of Pain
B. MITRE ATT&CK
C. Diamond Model of Intrusion Analysis
D. CVSS v3.0
Hint answer: B
Q241.A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group. Which of the following models would BEST apply to the situation?
A. Intelligence cycle
B. Diamond Model of Intrusion Analysis
C. Kill chain
D. MITRE ATT&CK
Hint answer: D
Q242.A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication. Which of the following will remediate this software vulnerability?
A. Enforce unique session IDs for the application.
B. Deploy a WAF in front of the web application.
C. Check for and enforce the proper domain for the redirect.
D. Use a parameterized query to check the credentials.
E. Implement email filtering with anti-phishing protection.
Hint answer: C
Q243.While reviewing log files, a security analyst uncovers a brute-force attack that is being performed against an external webmail portal. Which of the following would be BEST to prevent this type of attack from being successful?
A. Create a new rule in the IDS that triggers an alert on repeated login attempts
B. Implement MFA on the email portal using out-of-band code delivery
C. Alter the lockout policy to ensure users are permanently locked out after five attempts
D. Leverage password filters to prevent weak passwords on employee accounts from being exploited
E. Configure a WAF with brute-force protection rules in block mode
Hint answer: B
Q244.A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue?
A. The malware is fileless and exists only in physical memory
B. The malware detects and prevents its own execution in a virtual environment
C. The antivirus does not have the malware’s signature
D. The malware is being executed with administrative privileges
Hint answer: A
Q245.During a routine log review, a security analyst has found the following commands that cannot be identified from the Bash history log on the root user:
Which of the following commands should the analyst investigate FIRST?
A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6
Hint answer: E
Q246.A remote code execution vulnerability was discovered in the RDP. An organization currently uses RDP for remote access to a portion of its VDI environment. The analyst verified network-level authentication is enabled. Which of the following is the BEST remediation for this vulnerability?
A. Verify the threat intelligence feed is updated with the latest solutions.
B. Verify the system logs do not contain indicators of compromise.
C. Verify the latest endpoint-protection signature is in place.
D. Verify the corresponding patch for the vulnerability is installed.
Hint answer: D
Q247.A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:
A. enables remote code execution that is being exploited in the wild
B. enables data leakage but is not known to be in the environment
C. enables lateral movement and was reported as a proof of concept
D. affected the organization in the past but was probably contained and eradicated
Hint answer: A
Q248.A security analyst wants to capture large amounts of network data that will be analyzed at a later time. The packet capture does not need to be in a format that is readable by humans, since it will be put into a binary file called `packetCapture`. The capture must be as efficient as possible, and the analyst wants to minimize the likelihood that packets will be missed. Which of the following commands will BEST accomplish the analyst’s objectives?
A. tcpdump -w packetCapture
B. tcpdump -a packetCapture
C. tcpdump -n packetCapture
D. nmap -v > packetCapture
E. nmap -oA > packetCapture
Hint answer: A
Q249.An incident response team is responding to a breach of multiple systems that contain PII and PHI. Disclosing the incident to external entities should be based on:
A. the responder’s discretion
B. the public relations policy
C. the communication plan
D. senior management’s guidance
Hint answer: C
Q250.When investigating a compromised system, a security analyst finds the following script in the /tmp directory:
Which of the following attacks is this script attempting, and how can it be mitigated?
A. This is a password-hijacking attack, and it can be mitigated by using strong encryption protocols.
B. This is a password-spraying attack, and it can be mitigated by using multifactor authentication.
C. This is a password-dictionary attack, and it can be mitigated by forcing password changes every 30 days.
D. This is a credential-stuffing attack, and it can be mitigated by using multistep authentication.
Hint answer: B
Q251.An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST step to confirm and respond to the incident?
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
E. Review host hypervisor log of the virtual machine.
F. Execute a migration of the virtual machine.
Hint answer: A
Q252.A critical server was compromised by malware, and all functionality was lost. Backups of this server were taken; however, management believes a logic bomb may have been injected by a rootkit. Which of the following should a security analyst perform to restore functionality quickly?
A. Work backward, restoring each backup until the server is clean
B. Restore the previous backup and scan with a live boot anti-malware scanner
C. Stand up a new server and restore critical data from backups
D. Offload the critical data to a new server and continue operations
Hint answer: B
Q253.A security manager has asked an analyst to provide feedback on the results of a penetration test. After reviewing the results, the manager requests information regarding the possible exploitation of vulnerabilities. Which of the following information data points would be MOST useful for the analyst to provide to the security manager, who would then communicate the risk factors to senior management? (Choose two.)
A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of compromise
Hint answer: AD
Q254.An analyst performs a routine scan of a host using Nmap and receives the following output:
Which of the following should the analyst investigate FIRST?
A. Port 21
B. Port 22
C. Port 23
D. Port 80
Hint answer: C
Q255.A forensic analyst took an image of a workstation that was involved in an incident. To BEST ensure the image is not tampered with, the analyst should use:
A. hashing
B. backup tapes
C. a legal hold
D. chain of custody
Hint answer: A
Q256.An organization is experiencing issues with emails that are being sent to external recipients. Incoming emails to the organization are working fine. A security analyst receives the following screenshot of an email error from the help desk:
The analyst then checks the email server and sees many of the following messages in the logs:
Error 550 - Message rejected
Which of the following is MOST likely the issue?
A. SPF is failing.
B. The DMARC queue is full.
C. The DKIM private key has expired.
D. Port 25 is not open.
Hint answer: A
Q256.A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.
Which of the following solutions would meet this requirement?
A. Establish a hosted SSO.
B. Implement a CASB.
C. Virtualize the server.
D. Air gap the server.
Hint answer: D
Q257.When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?
A. nmap -sA -O
B. nmap -sT -O
C. nmap -sS -O
D. nmap -sQ -O
Hint answer: C
Q258.A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser.
The product manager suggests using a PaaS provider to host the application.
Which of the following is a security concern when using a PaaS solution?
A. The use of infrastructure-as-code capabilities leads to an increased attack surface.
B. Patching the underlying application server becomes the responsibility of the client.
C. The application is unable to use encryption at the database level.
D. Insecure application programming interfaces can lead to data compromise.
Hint answer: D
Q259.A SIEM solution alerts a security analyst of a high number of login attempts against the company’s webmail portal. The analyst determines the login attempts used credentials from a past data breach.
Which of the following is the BEST mitigation to prevent unauthorized access?
A. Single sign-on
B. Mandatory access control
C. Multifactor authentication
D. Federation
E. Privileged access management
Hint answer: C
Q260.A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output:
Antivirus is installed on the remote host:
Installation path: C:\Program Files\AVProduct\Win32\
Product Engine: 14.12.101
Engine Version: 3.5.71
Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.
The engine version is out of date. The oldest supported version from the vendor is 4.2.11.
The analyst uses the vendor’s website to confirm the oldest supported version is correct.
Which of the following BEST describes the situation?
A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
B. This is a true negative, and the new computers have the correct version of the software.
C. This is a true positive, and the new computers were imaged with an old version of the software.
D. This is a false negative, and the new computers need to be updated by the desktop team.
Hint answer: C
Q261.As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information.
Which of the following BEST describes this test?
A. Walk through
B. Full interruption
C. Simulation
D. Parallel
Hint answer: C
Q262.A user’s computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output:
Which of the following lines indicates the computer may be compromised?
A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6
Hint answer: C
Q263.A security analyst is reviewing the following log from an email security service.
Which of the following BEST describes the reason why the email was blocked?
A. The To address is invalid.
B. The email originated from the www.spamfilter.org URL.
C. The IP address and the remote server name are the same.
D. The IP address was blacklisted.
E. The From address is invalid.
Hint answer: D
Q264.An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.
Which of the following should the analyst do NEXT?
A. Decompile each binary to derive the source code.
B. Perform a factory reset on the affected mobile device.
C. Compute SHA-256 hashes for each binary.
D. Encrypt the binaries using an authenticated AES-256 mode of operation.
E. Inspect the permissions manifests within each application.
Hint answer: C
Q265.Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective?
A. Unauthorized, unintentional, benign
B. Unauthorized, intentional, malicious
C. Authorized, intentional, malicious
D. Authorized
Hint answer: C
Q266.A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.
Which of the following should be used to identify the traffic?
A. Carving
B. Disk imaging
C. Packet analysis
D. Memory dump
E. Hashing
Hint answer: C
Q267.During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries for IP 192.168.50.2 for a 24-hour period:
To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and __________.
A. DST 138.10.2.5.
B. DST 138.10.25.5.
C. DST 172.10.3.5.
D. DST 172.10.45.5.
E. DST 175.35.20.5.
Hint answer: C
Q268.For machine learning to be applied effectively toward security analysis automation, it requires __________.
A. relevant training data.
B. a threat feed API.
C. a multicore, multiprocessor system.
D. anomalous traffic signatures.
Hint answer: A
Q269.During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?
A. BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023
B. BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044
C. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056
D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
E. BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/icons" 200 19064
Hint answer: D
Q270.A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains. Management at an organization wants to know if it is a victim. Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?
A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested.
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried
C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443
D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information
Hint answer: D
Q271.An application server runs slowly and then triggers a high CPU alert. After investigating, a security analyst finds an unauthorized program is running on the server.
The analyst reviews the application log below.
Which of the following conclusions is supported by the application log?
A. An attacker was attempting to perform a DoS attack against the server
B. An attacker was attempting to download files via a remote command execution vulnerability
C. An attacker was attempting to perform a buffer overflow attack to execute a payload in memory
D. An attacker was attempting to perform an XSS attack via a vulnerable third-party library
Hint answer: B
Q272.A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.
Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?
A. Deidentification
B. Encoding
C. Encryption
D. Watermarking
Hint answer: A
Q273.A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account to perform queries and look up data in a database. A security analyst discovers employees are accessing data sets they have not been authorized to use. Which of the following will fix the cause of the issue?
A. Change the security model to force the users to access the database as themselves
B. Parameterize queries to prevent unauthorized SQL queries against the database
C. Configure database security logging using syslog or a SIEM
D. Enforce unique session IDs so users do not get a reused session ID
Hint answer: A
Q274.SIMULATION
Malware is suspected on a server in the environment.
The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.
INSTRUCTIONS
Servers 1, 2, and 4 are clickable. Select the server and the process that hosts the malware.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hint answer: Server 4, svchost.exe
Q275.An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.
Which of the following would BEST identify potential indicators of compromise?
A. Use Burp Suite to capture packets to the SCADA device’s IP.
B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.
Hint answer: C
Q276.A general contractor has a list of contract documents containing critical business data that are stored at a public cloud provider. The organization’s security analyst recently reviewed some of the storage containers and discovered most of the containers are not encrypted. Which of the following configurations will provide the MOST security to resolve the vulnerability?
A. Upgrading TLS 1.2 connections to TLS 1.3
B. Implementing AES-256 encryption on the containers
C. Enabling SHA-256 hashing on the containers
D. Implementing the Triple Data Encryption Algorithm at the file level
Hint answer: B
Q277.Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?
A. Data custodian
B. Data owner
C. Data processor
D. Senior management
Hint answer: B
Q278.A security analyst receives an alert from the SIEM about a possible attack happening on the network. The analyst opens the alert and sees the IP address of the suspected server as 192.168.54.66, which is part of the network 192.168.54.0/24. The analyst then pulls all the command history logs from that server and sees the following:
Which of the following activities is MOST likely happening on the server?
A. A vulnerability scan
B. Enumeration
C. Fuzzing
D. A MITM attack
Hint answer: B
Q279.During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?
A. An IPS signature modification for the specific IP addresses
B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. A firewall rule that will block traffic from the specific IP addresses
Hint answer: D
Q280.A security analyst is auditing firewall rules with the goal of scanning some known ports to check the firewall’s behavior and responses. The analyst executes the following commands:
The analyst then compares the following results for port 22:
✑ nmap returns `Closed`
✑ hping3 returns `flags=RA`
Which of the following BEST describes the firewall rule?
A. DNAT --to-destination 1.1.1.1:3000
B. REJECT with --tcp-reset
C. LOG --log-tcp-sequence
D. DROP
Hint answer: B
Q281.A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN’s fault notification features.
Which of the following should be done to prevent this issue from reoccurring?
A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered.
B. Install additional batteries in the SAN power supplies with enough capacity to keep the system powered on during maintenance operations.
C. Ensure power configuration is covered in the datacenter change management policy and have the SAN administrator review this policy.
D. Install a third power supply in the SAN so loss of any power input does not result in the SAN completely powering off.
Hint answer: C
Q282.SIMULATION
Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the help desk ticket queue.
INSTRUCTIONS
Click on the ticket to see the ticket details. Additional content is available on tabs within the ticket.
First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from the second drop-down menu.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hint answer: Issue: High memory utilization
Caused by: wuaucit.exe
Q283.As part of a review of incident response plans, which of the following is MOST important for an organization to understand when establishing the breach notification period?
A. Organizational policies
B. Vendor requirements and contracts
C. Service-level agreements
D. Legal requirements
Hint answer: D
Q284.A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:
Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?
A. PC1
B. PC2
C. Server1
D. Server2
E. Firewall
Hint answer: E
Q285.An organization used a third party to conduct a security audit and discovered several deficiencies in the cybersecurity program. The findings noted many external vulnerabilities that were not caught by the vulnerability scanning software, numerous weaknesses that allowed lateral movement, and gaps in monitoring that did not detect the activity of the auditors. Based on these findings, which of the following would be the BEST long-term enhancement to the security program?
A. Quarterly external penetration testing
B. Monthly tabletop scenarios
C. Red-team exercises
D. Audit exercises
Hint answer: C
Q286.During a review of vulnerability scan results, an analyst determines the results may be flawed because a control-baseline system, which is used to evaluate a scanning tool’s effectiveness, was reported as not vulnerable. Consequently, the analyst verifies the scope of the scan included the control-baseline host, which was available on the network during the scan. The use of a control-baseline endpoint in this scenario assists the analyst in confirming:
A. verification of mitigation.
B. false positives.
C. false negatives.
D. the criticality index.
E. hardening validation.
Hint answer: C
Q287.A Chief Security Officer (CSO) is working on the communication requirements for an organization’s incident response plan. In addition to technical response activities, which of the following is the main reason why communication must be addressed in an effective incident response program?
A. Public relations must receive information promptly in order to notify the community.
B. Improper communications can create unnecessary complexity and delay response actions.
C. Organizational personnel must only interact with trusted members of the law enforcement community.
D. Senior leadership should act as the only voice for the incident response team when working with forensics teams.
Hint answer: B
Q288.An organization that handles sensitive financial information wants to perform tokenization of data to enable the execution of recurring transactions. The organization is most interested in a secure, built-in device to support its solution. Which of the following would MOST likely be required to perform the desired function?
A. TPM
B. eFuse
C. FPGA
D. HSM
E. UEFI
Hint answer: A
Q289.A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.
Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)
A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.
B. Remove the servers reported to have high and medium vulnerabilities.
C. Tag the computers with critical findings as a business risk acceptance.
D. Manually patch the computers on the network, as recommended on the CVE website.
E. Harden the hosts on the network, as recommended by the NIST framework.
F. Resolve the monthly job issues and test them before applying them to the production network.
Hint answer: A, F
Q290.A security analyst needs to reduce the overall attack surface.
Which of the following infrastructure changes should the analyst recommend?
A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture.
Hint answer: C
Q291.Which of the following policies would state an employee should not disable security safeguards, such as host firewalls and antivirus, on company systems?
A. Code of conduct policy
B. Account management policy
C. Password policy
D. Acceptable use policy
Hint answer: D
Q292.A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.
Which of the following BEST describes this attack?
A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack
Hint answer: C
Q293.An organization has the following risk mitigation policy:
✑ Risks with a probability of 95% or greater will be addressed before all others regardless of the impact.
✑ All other prioritization will be based on risk value.
The organization has identified the following risks:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A. A, B, D, C
B. A, B, C, D
C. D, A, B, C
D. D, A, C, B
Hint answer: A
Q294.Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?
A. Human resources
B. Public relations
C. Marketing
D. Internal network operations center
Hint answer: B
Q295.A Chief Information Security Officer (CISO) wants to upgrade an organization’s security posture by improving proactive activities associated with attacks from internal and external threats.
Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?
A. Development of a hypothesis as part of threat hunting
B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans
Hint answer: A
Q296.Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices?
A. Use a UEFI boot password
B. Implement a self-encrypted disk
C. Configure filesystem encryption
D. Enable Secure Boot using TPM
Hint answer: C
Q297.An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures. Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?
A. A simulated breach scenario involving the incident response team
B. Completion of annual information security awareness training by all employees
C. Tabletop activities involving business continuity team members
D. Completion of lessons-learned documentation by the computer security incident response team
E. External and internal penetration testing by a third party
Hint answer: A
Q298.During an investigation, an analyst discovers the following rule in an executive’s email client:
IF * TO
SELECT FROM ‘sent’ THEN DELETE FROM
The executive is not aware of this rule. Which of the following should the analyst do FIRST to evaluate the potential impact of this security incident?
A. Check the server logs to evaluate which emails were sent to
B. Use the SIEM to correlate logging events from the email server and the domain server
C. Remove the rule from the email client and change the password
D. Recommend that management implement SPF and DKIM
Hint answer: A
Q299.A security analyst implemented a solution that would analyze the attacks that the organization’s firewalls failed to prevent. The analyst used the existing systems to enact the solution and executed the following command:
$ sudo nc -l -v -e maildaemon.py 25 > caplog.txt
Which of the following solutions did the analyst implement?
A. Log collector
B. Crontab mail script
C. Sinkhole
D. Honeypot
Hint answer: A
Q300.A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization’s financial assets.
Which of the following is the BEST example of the level of sophistication this threat actor is using?
A. Social media accounts attributed to the threat actor
B. Custom malware attributed to the threat actor from prior attacks
C. Email addresses and phone numbers tied to the threat actor
D. Network assets used in previous attacks attributed to the threat actor
E. IP addresses used by the threat actor for command and control
Hint answer: B