CS0-002 Topic 4
Q301.An organization supports a large number of remote users. Which of the following is the BEST option to protect the data on the remote users’ laptops?
A. Require the use of VPNs.
B. Require employees to sign an NDA.
C. Implement a DLP solution.
D. Use whole disk encryption.
Hint answer: D
Q302.A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale for integrating intelligence into hunt operations?
A. It enables the team to prioritize the focus areas and tactics within the company’s environment
B. It provides criticality analyses for key enterprise servers and services
C. It allows analysts to receive routine updates on newly discovered software vulnerabilities
D. It supports rapid response and recovery during and following an incident
Hint answer: A
Q303.A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement:
A. federated authentication
B. role-based access control
C. manual account reviews
D. multifactor authentication
Hint answer: A
Q304.A custom script currently monitors real-time logs of a SAML authentication server to mitigate brute-force attacks. Which of the following is a concern when moving authentication to a cloud service?
A. Logs may contain incorrect information.
B. SAML logging is not supported for cloud-based authentication.
C. Access to logs may be delayed for some time.
D. Log data may be visible to other customers.
Hint answer: C
Q305.A company that uses email for all internal and external communications received a legal notice from a vendor that was disputing a contract award. The company needs to implement a legal hold on the email of users who were involved in the vendor selection process and the awarding of the contract. Which of the following describes the appropriate steps that should be taken to comply with the legal notice?
A. Notify the security team of the legal hold and remove user access to the email accounts.
B. Coordinate with legal counsel and then notify the security team to ensure the appropriate email accounts are frozen.
C. Disable the user accounts that are associated with the legal hold and create new user accounts so they can continue doing business.
D. Encrypt messages that are associated with the legal hold and initiate a chain of custody to ensure admissibility in future legal proceedings.
Hint answer: B
Q306.A security analyst recently discovered two unauthorized hosts on the campus’s wireless network segment from a man-in-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices. Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?
A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network
B. Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router
C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network
D. Conduct a wireless survey to determine if the wireless strength needs to be reduced
Hint answer: A
Q307.During a cyber incident, which of the following is the BEST course of action?
A. Switch to using a pre-approved, secure, third-party communication system.
B. Keep the entire company informed to ensure transparency and integrity during the incident.
C. Restrict customer communication until the severity of the breach is confirmed.
D. Limit communications to pre-authorized parties to ensure response efforts remain confidential.
Hint answer: D
Q308.A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company’s server.
Which of the following is the FIRST step the analyst should take?
A. Create a full disk image of the server’s hard drive to look for the file containing the malware.
B. Run a manual antivirus scan on the machine to look for known malicious software.
C. Take a memory snapshot of the machine to capture volatile information stored in memory.
D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.
Hint answer: D
Q309.A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity. Below is a snippet of the log:
Which of the following commands would work BEST to achieve the desired result?
A. grep -v chatter14 chat.log
B. grep -i pythonfun chat.log
C. grep -i javashark chat.log
D. grep -v javashark chat.log
E. grep -v pythonfun chat.log
F. grep -i chatter14 chat.log
Hint answer: F
Q310.A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.
Which of the following should be done to correct the cause of the vulnerability?
A. Deploy a WAF in front of the application.
B. Implement a software repository management tool.
C. Install a HIPS on the server.
D. Instruct the developers to use input validation in the code.
Hint answer: B
Q311.An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.
As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?
A. Copies of prior audits that did not identify the servers as an issue
B. Project plans relating to the replacement of the servers that were approved by management
C. Minutes from meetings in which risk assessment activities addressing the servers were discussed
D. ACLs from perimeter firewalls showing blocked access to the servers
E. Copies of change orders relating to the vulnerable servers
Hint answer: B
Q312.A company’s legal department is concerned that its incident response plan does not cover the countless ways security incidents can occur. They have asked a security analyst to help tailor the response plan to provide broad coverage for many situations. Which of the following is the BEST way to achieve this goal?
A. Focus on incidents that have a high chance of reputation harm.
B. Focus on common attack vectors first.
C. Focus on incidents that affect critical systems.
D. Focus on incidents that may require law enforcement support.
Hint answer: B
Q313.An analyst needs to provide a recommendation that will allow a custom-developed application to have full access to the system’s processors and peripherals but still be contained securely from other applications that will be developed. Which of the following is the BEST technology for the analyst to recommend?
A. Software-based drive encryption
B. Trusted execution environment
C. Unified Extensible Firmware Interface
D. Hardware security module
Hint answer: B
Q314.A cybersecurity analyst is contributing to a team hunt on an organization’s endpoints.
Which of the following should the analyst do FIRST?
A. Write detection logic.
B. Establish a hypothesis.
C. Profile the threat actors and activities.
D. Perform a process analysis.
Hint answer: D
Q315.A security analyst is trying to determine if a host is active on a network. The analyst first attempts the following:
The analyst runs the following command next:
Which of the following would explain the difference in results?
A. ICMP is being blocked by a firewall.
B. The routing tables for ping and hping3 were different.
C. The original ping command needed root permission to execute.
D. hping3 is returning a false positive.
Hint answer: A
Q316.A security analyst is supporting an embedded software team. Which of the following is the BEST recommendation to ensure proper error handling at runtime?
A. Perform static code analysis
B. Require application fuzzing
C. Enforce input validation
D. Perform a code review
Hint answer: B
Q317.A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful. Which of the following should the security analyst perform NEXT?
A. Begin blocking all IP addresses within that subnet
B. Determine the attack vector and total attack surface
C. Begin a kill chain analysis to determine the impact
D. Conduct threat research on the IP addresses
Hint answer: D
Q318.A compliance officer of a large organization has reviewed the firm’s vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.
Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)
A. Executing vendor compliance assessments against the organization’s security controls
B. Executing NDAs prior to sharing critical data with third parties
C. Soliciting third-party audit reports on an annual basis
D. Maintaining and reviewing the organizational risk assessment on a quarterly basis
E. Completing a business impact assessment for all critical service providers
F. Utilizing DLP capabilities at both the endpoint and perimeter levels
Hint answer: A, C
Q319.Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company’s API server. A portion of a capture file is shown below:
Which of the following MOST likely explains how the clients’ accounts were compromised?
A. The clients’ authentication tokens were impersonated and replayed.
B. The clients’ usernames and passwords were transmitted in cleartext.
C. An XSS scripting attack was carried out on the server.
D. A SQL injection attack was carried out on the server.
Hint answer: A
Q320.An organization that uses SPF has been notified emails sent via its authorized third-party partner are getting rejected. A security analyst reviews the DNS entry and sees the following: v=spf1 ip4:180.10.6.5 ip4:180.10.6.10 include:robustmail.com -all
The organization’s primary mail server IP is 180.10.6.6, and the secondary mail server IP is 180.10.6.5. The organization’s third-party mail provider is "Robust Mail" with the domain name robustmail.com. Which of the following is the MOST likely reason for the rejected emails?
A. SPF version 1 does not support third-party providers.
B. The primary and secondary email server IP addresses are out of sequence.
C. An incorrect IP version is being used.
D. The wrong domain name is in the SPF record.
Hint answer: B
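As an added example (not part of the exam page), the following Python evaluates a sender IP against the record quoted in Q320 the way a receiving mail server does, walking the ip4, include and all mechanisms left to right and stopping at the first match. The TXT record for robustmail.com is a constructed stand-in, since the include: mechanism needs a DNS lookup that cannot happen offline. Run against the addresses named in the question, the secondary server 180.10.6.5 and 180.10.6.10 pass, while the primary server 180.10.6.6 hits -all and fails because it does not appear in the record at all; a partner host that is not covered by robustmail.com's own record fails the same way.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The real robustmail.com record is not
# on the page; this one is an assumption so the include: mechanism can be followed offline.
DNS_TXT = {
    "robustmail.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

# The record from the question, qualifier read as "-all" (hard fail).
COMPANY_SPF = "v=spf1 ip4:180.10.6.5 ip4:180.10.6.10 include:robustmail.com -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip, depth=0):
    """Evaluate sender_ip against an SPF record (ip4/ip6/include/all subset of RFC 7208).

    Mechanisms are tested left to right and the first one that matches decides
    the result via its qualifier; if none matches the result is neutral.
    """
    if depth > 10:                              # RFC 7208 caps DNS-dependent terms
        return "permerror"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A bare address is a /32 (or /128); an address-family mismatch simply does not match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            included = DNS_TXT.get(arg.lower())
            if included is None:
                return "permerror"              # include of a domain with no SPF record
            sub = evaluate_spf(included, sender_ip, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("permerror", "temperror"):
                return sub
        else:
            return "permerror"                  # mechanism outside this subset (a, mx, ...)
    return "neutral"


def authorized_senders(record, candidates):
    """Map each candidate sender IP to its SPF result under record."""
    return {ip: evaluate_spf(record, ip) for ip in candidates}


if __name__ == "__main__":
    for ip, result in authorized_senders(
        COMPANY_SPF, ["180.10.6.5", "180.10.6.6", "180.10.6.10", "203.0.113.7"]
    ).items():
        print(f"{ip:>14}  {result}")
```

The practical check this enables: list every host that actually hands mail to the Internet on the organization's behalf (primary, secondary, and the partner's outbound addresses) and confirm each one evaluates to pass before publishing -all; anything that evaluates to fail will be rejected by receivers that enforce SPF.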
Q321.A company’s security officer needs to implement geographical IP blocks for nation-state actors from a foreign country. On which of the following should the blocks be implemented?
A. Data loss prevention
B. Network access control
C. Access control list
D. Web content filter
Hint answer: C
Q322.While reviewing a cyber-risk assessment, an analyst notes there are concerns related to FPGA usage. Which of the following statements would BEST convince the analyst’s supervisor to use additional controls?
A. FPGAs are expensive and can only be programmed once. Code deployment safeguards are needed.
B. FPGAs have an inflexible architecture. Additional training for developers is needed.
C. FPGAs are vulnerable to malware installation and require additional protections for their codebase.
D. FPGAs are expensive to produce. Anti-counterfeiting safeguards are needed.
Hint answer: D
Q323.A security analyst is monitoring a company’s network traffic and finds ping requests going to accounting and human resources servers from a SQL server. Upon investigation, the analyst discovers a technician responded to potential network connectivity issues. Which of the following is the BEST way for the security analyst to respond?
A. Report this activity as a false positive, as the activity is legitimate.
B. Isolate the system and begin a forensic investigation to determine what was compromised.
C. Recommend network segmentation to management as a way to secure the various environments.
D. Implement host-based firewalls on all systems to prevent ping sweeps in the future.
Hint answer: A
Q324.Management would like to make changes to the company’s infrastructure following a recent incident in which a malicious insider was able to pivot to another workstation that had access to the server environment. Which of the following controls would work BEST to prevent this type of event from reoccurring?
A. EDR
B. DLP
C. NAC
D. IPS
Hint answer: A
Q325.A company uses self-signed certificates when sending emails to recipients within the company. Users are calling the help desk because they are getting warnings when attempting to open emails sent by internal users. A security analyst checks the certificates and sees the following:
Issued to: user@company.com
Issued by: certServer.company.com
Valid from: 1/1/2020 to 1/1/2030
Which of the following should the security analyst conclude?
A. user@company.com is a malicious insider.
B. The valid dates are too far apart and are generating the alerts.
C. certServer has been compromised.
D. The root certificate was not installed in the trusted store.
Hint answer: D
Q326.A company recently hired a new SOC provider and implemented new incident response procedures. Which of the following conjoined approaches would MOST likely be used to evaluate the new implementations for monitoring and incident response at the same time? (Choose two.)
A. Blue-team exercise
B. Disaster recovery exercise
C. Red-team exercise
D. Gray-box penetration test
E. Tabletop exercise
F. Risk assessment
Hint answer: A, C
Q327.A managed security service provider (MSSP) has alerted a user that an account was added to the local administrator group for the servers named EC2AMAZ-HG87B4 and EC2AMAZ-B643M2. A security analyst logs in to the cloud provider’s graphical user interface to determine the IP addresses of the servers and sees the following data:
Which of the following changes to the current architecture would work BEST to help the analyst to troubleshoot future alerts?
A. Rename all hosts to the value listed in the instance ID field.
B. Create a standard naming convention for all hostnames.
C. Create an asset tag that identifies each instance by hostname.
D. Instruct the MSSP to add the platform name from the cloud console to all alerts.
Hint answer: B
Q328.A company recently experienced similar network attacks. To determine whether the attacks were identical, the company should gather a list of IPs domains, and files and use:
A. behavior data.
B. the Diamond Model of Intrusion Analysis.
C. the attack kill chain.
D. the reputational data.
Hint answer: A
Q329.A small marketing firm uses many SaaS applications that hold sensitive information. The firm has discovered terminated employees are retaining access to systems for many weeks after their end date. Which of the following would BEST resolve the issue of lingering access?
A. Perform weekly manual reviews on system access to uncover any issues.
B. Set up a privileged access management tool that can fully manage privileged account access.
C. Implement MFA on cloud-based systems.
D. Configure federated authentication with SSO on cloud provider systems.
Hint answer: D
Q340.A security analyst needs to obtain the footprint of the network. The footprint must identify the following information:
✑ TCP and UDP services running on a targeted system
✑ Types of operating systems and versions
✑ Specific applications and versions
Which of the following tools should the analyst use to obtain the data?
A. Prowler
B. Nmap
C. Reaver
D. ZAP
Hint answer: B
Q341.A penetration tester physically enters a datacenter and attaches a small device to a switch. As part of the tester’s effort to evaluate which nodes are present on the network, the tester places the network adapter in promiscuous mode and logs traffic for later analysis. Which of the following is the tester performing?
A. Credentialed scanning
B. Passive scanning
C. Protocol analysis
D. SCAP scanning
E. Network segmentation
Hint answer: B
Q342.An organization recently discovered a malware sample on an internal server. IoCs showed the malware sample was running on port 27573. The incident response team successfully removed the malware from the server, but the organization is now concerned about other instances of the malware being installed on another server. The following network traffic was captured after the known malware was assumed to be eradicated:
Which of the following can the organization conclude?
A. The malware was installed on servers 192.168.1.102, 192.168.1.103, and 192.168.1.104.
B. Only the server at 192.168.1.103 has an indication of a possible compromise.
C. Only the server at 192.168.1.104 has an indication of a possible compromise.
D. Both servers 192.168.1.101 and 192.168.1.134 indicate a possible compromise.
E. The server at 192.168.1.134 is exfiltrating data in 25KB files to servers throughout the organization.
Hint answer: D
Q343.A proposed network architecture requires systems to be separated from each other logically based on defined risk levels. Which of the following explains the reason why an architect would set up the network this way?
A. To complicate the network and frustrate a potential malicious attacker
B. To create a design that simplifies the supporting network
C. To reduce the attack surface of those systems by segmenting the network based on risk
D. To reduce the number of IP addresses that are used on the network
Hint answer: C
Q344.A security analyst receives a CVE bulletin, which lists several products that are used in the enterprise. The analyst immediately deploys a critical security patch.
Which of the following BEST describes the reason for the analyst’s immediate action?
A. Nation-state hackers are targeting the region.
B. A new vulnerability was discovered by a vendor.
C. A known exploit was discovered.
D. A new zero-day threat needs to be addressed.
E. There is an insider threat.
Hint answer: C
Q345.To prioritize the morning’s work, an analyst is reviewing security alerts that have not yet been investigated. Which of the following assets should be investigated FIRST?
A. The workstation of a developer who is installing software on a web server.
B. A new test web server that is in the process of initial installation.
C. An accounting supervisor’s laptop that is connected to the VPN
D. The laptop of the vice president that is on the corporate LAN
Hint answer: D
Q346.In response to a potentially malicious email that was sent to the Chief Financial Officer (CFO), an analyst reviews the logs and identifies a questionable attachment using a hash comparison. The logs also indicate the attachment was already opened. Which of the following should the analyst do NEXT?
A. Create a sinkhole to block the originating server.
B. Utilize the EDR platform to isolate the CFO’s machine.
C. Perform malware analysis on the attachment.
D. Reimage the CFO’s laptop.
Hint answer: B
Q347.A security team identified some specific known tactics and techniques to help mitigate repeated credential access threats, such as account manipulation and brute forcing. Which of the following frameworks or models did the security team MOST likely use to identify the tactics and techniques?
A. MITRE ATT&CK
B. ITIL
C. Kill chain
D. Diamond Model of Intrusion Analysis
Hint answer: A
Q348.The development team has created a new employee application to allow the 35,000 staff members to communicate via video, chat rooms, and microblogs from anywhere in the world. The application was tested by a small user group, and the code reviews were completed. Which of the following is the best NEXT step the development team should take?
A. Run the application through a web-application vulnerability scanner.
B. Complete an additional round of code reviews to maintain project integrity.
C. Stress test the application to ensure its ability to support the employee population.
D. Isolate the application servers on premises to protect the communication methods.
Hint answer: C
Q349.The Chief Information Officer (CIO) of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue?
A. Include digital signatures on messages originating within the company.
B. Require users to authenticate to the SMTP server.
C. Implement DKIM to perform authentication that will prevent this issue.
D. Set up an email analysis solution that looks for known malicious links within the email.
Hint answer: C
Q350.A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do NEXT?
A. Document the procedures and walk through the incident training guide.
B. Reverse engineer the malware to determine its purpose and risk to the organization.
C. Sanitize the workstation and verify countermeasures are restored.
D. Isolate the workstation and issue a new computer to the user.
Hint answer: C
Q351.A company’s Chief Information Security Officer (CISO) published an Internet usage policy that prohibits employees from accessing unauthorized websites. The IT department whitelisted websites used for business needs. The CISO wants the security analyst to recommend a solution that would improve security and support employee morale. Which of the following security recommendations would allow employees to browse non-business-related websites?
A. Implement a virtual machine alternative.
B. Develop a new secured browser.
C. Configure a personal business VLAN.
D. Install kiosks throughout the building.
Hint answer: C
Q352.A security analyst is concerned that a third-party application may have access to user passwords during authentication. Which of the following protocols should the application use to alleviate the analyst’s concern?
A. LDAPS
B. MFA
C. SAML
D. SHA-1
Hint answer: C
Q353.An organization’s network administrator uncovered a rogue device on the network that is emulating the characteristics of a switch. The device is trunking protocols and inserting tagging values to control the flow of traffic at the data link layer. Which of the following BEST describes the attack?
A. DNS pharming
B. VLAN hopping
C. Spoofing
D. Injection attack
Hint answer: B
Q354.Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the BEST solution to improve the equipment’s security posture?
A. Move the legacy systems behind a WAF.
B. Implement an air gap for the legacy systems.
C. Place the legacy systems in the DMZ.
D. Implement a VPN between the legacy systems and the local network.
Hint answer: B
Q355.A security analyst discovers the accounting department is hosting an accounts receivable form on a public document service. Anyone with the link can access it.
Which of the following threats applies to this situation?
A. Potential data loss to external users
B. Loss of public/private key management
C. Cloud-based authentication attack
D. Insufficient access logging
Hint answer: A
Q356.To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies?
A. SCAP
B. SAST
C. DAST
D. DACS
Hint answer: A
Q357.A security analyst needs to perform a search for connections with a suspicious IP on the network traffic. The company collects full packet captures at the Internet gateway and retains them for one week. Which of the following will enable the analyst to obtain the BEST results?
A. tcpdump -n -r internet.pcap host
B. strings internet.pcap | grep
C. grep -a
D. npcapd internet.pcap | grep
Hint answer: A
Q358.A Chief Executive Officer (CEO) is concerned about the company’s intellectual property being leaked to competitors. The security team performed an extensive review but did not find any indication of an outside breach. The data sets are currently encrypted using the Triple Data Encryption Algorithm. Which of the following courses of action is appropriate?
A. Limit all access to the sensitive data based on geographic access requirements with strict role-based access controls.
B. Enable data masking and reencrypt the data sets using AES-256.
C. Ensure the data is correctly classified and labeled, and that DLP rules are appropriate to prevent disclosure.
D. Use data tokenization on sensitive fields, reencrypt the data sets using AES-256, and then create an MD5 hash.
Hint answer: C
Q359.A company recently experienced financial fraud, which included shared passwords being compromised and improper levels of access being granted. The company has asked a security analyst to help improve its controls. Which of the following will MOST likely help the security analyst develop better controls?
A. An evidence summarization
B. An incident response plan
C. A lessons-learned report
D. An indicator of compromise
Hint answer:
Q360.While reviewing network security events within a company, a security engineer notices a number of machines:
✑ Do not have minimum security requirements, such as AV updates
✑ Have different configurations that deviate from the corporate standard
✑ Are missing several critical security patches
Which of the following is the BEST solution to ensure machines that are introduced to the company’s network meet the above security requirements?
A. Port security
B. Network access control
C. MAC filtering
D. Access control list
Hint answer: B
Q361.Which of the following is a best practice when sending a file/data to another individual in an organization?
A. When encrypting, split the file, and then compress each file.
B. Encrypt and then compress the file.
C. Encrypt the file but do not compress it.
D. Compress and then encrypt the file.
Hint answer: D
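Added example, not from the exam page: the following Python shows why Q361's order matters by measuring both. Compression works by removing redundancy, and good ciphertext has none left, so compressing after encryption gains nothing. The cipher here is a SHA-256 counter-mode keystream built from the standard library so the block runs anywhere; it is an illustration of a stream cipher, not something to ship (the key and nonce values are fixed test constants and the construction has no integrity protection). In practice use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
import hashlib
import zlib


def keystream(key, nonce, length):
    """SHA-256 in counter mode: hash(key || nonce || counter) blocks, truncated to length.

    Stand-in for a real cipher so the example needs only the standard library.
    Reusing a (key, nonce) pair leaks the XOR of two plaintexts, exactly as with
    any stream cipher; a vetted AEAD cipher should be used for real data.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_encrypt(key, nonce, data):
    """XOR with the keystream; applying it twice restores the data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def compress_then_encrypt(key, nonce, data):
    """The recommended order: squeeze redundancy out first, then hide it."""
    return xor_encrypt(key, nonce, zlib.compress(data, 9))


def decrypt_then_decompress(key, nonce, blob):
    """Inverse of compress_then_encrypt."""
    return zlib.decompress(xor_encrypt(key, nonce, blob))


def encrypt_then_compress(key, nonce, data):
    """The wrong order: ciphertext looks random, so zlib has nothing to remove
    and falls back to stored blocks, which add a few bytes of framing."""
    return zlib.compress(xor_encrypt(key, nonce, data), 9)


def size_report(data, key=b"\x11" * 32, nonce=b"\x22" * 16):
    """Byte counts for both orders; key and nonce are fixed test values, not for reuse."""
    return {
        "plaintext": len(data),
        "compress_then_encrypt": len(compress_then_encrypt(key, nonce, data)),
        "encrypt_then_compress": len(encrypt_then_compress(key, nonce, data)),
    }


# Constructed sample: a repetitive log excerpt, the kind of file that compresses well.
SAMPLE = b"2020-01-31 10:02:31 user=alice action=login result=ok\n" * 200

if __name__ == "__main__":
    for name, size in size_report(SAMPLE).items():
        print(f"{name:<24}{size:>7} bytes")
```

One caveat a practitioner should keep in mind: compress-then-encrypt is right for a file handed to a colleague, but when attacker-influenced data is compressed together with a secret before encryption (HTTP responses, TLS records), the ciphertext length leaks information about the secret, which is what the CRIME and BREACH attacks exploit. The rule is about file transfer, not a license to enable compression inside encrypted protocols.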
Q362.An analyst has received a notification about potential malicious activity against a web server. The analyst logs in to a central log collection server and runs the following command: cat access.log.1 | grep union. The output shown below appears:
68.71.54.117 - - [31/Jan/2020:10:02:31 -0400] "GET /cgi-bin/backend1.sh?id=%20union%20select%20192.168.60.50 HTTP/1.1"
Which of the following attacks has occurred on the server?
A. Cross-site request forgery
B. SQL injection
C. Cross-site scripting
D. Directory traversal
Hint answer: B
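The grep in Q362 finds the one line the analyst already suspects; the following Python is an added example (not from the exam page) of doing the same check properly over a whole access log: parse each line, URL-decode the query parameters, and match SQL-injection signatures against the decoded values rather than the raw URL. Decoding matters because a second pass catches double-encoded payloads (%2520 becomes %20 becomes a space), a common way to slip past naive filters. The sample log is constructed; its first line is the one quoted in the question, left truncated exactly as the page shows it, and the parser tolerates the missing status and size fields.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Common Log Format request line; status and size are optional because the line
# quoted in the question is cut off after the request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)"'
    r'(?: (?P<status>\d{3}) (?P<size>\S+))?'
)

# Signatures applied to the *decoded* parameter value. Deliberately narrow: widen
# them only with the false-positive rate of your own traffic in view.
SQLI_PATTERNS = {
    "union_select": re.compile(r"\bunion\b.+?\bselect\b", re.I | re.S),
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?", re.I),
    "comment_terminator": re.compile(r"'\s*(?:--|#|/\*)"),
}

# Constructed sample log: line 1 is the page's own line, the rest are made up.
SAMPLE_ACCESS_LOG = [
    '68.71.54.117 - - [31/Jan/2020:10:02:31 -0400] "GET /cgi-bin/backend1.sh?id=%20union%20select%20192.168.60.50 HTTP/1.1"',
    '10.0.0.12 - - [31/Jan/2020:10:02:40 -0400] "GET /cgi-bin/backend1.sh?id=42 HTTP/1.1" 200 1024',
    '68.71.54.117 - - [31/Jan/2020:10:03:05 -0400] "GET /search?q=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048',
    '10.0.0.12 - - [31/Jan/2020:10:03:10 -0400] "GET /search?q=reunion+selection HTTP/1.1" 200 512',
    '68.71.54.117 - - [31/Jan/2020:10:03:20 -0400] "GET /item?id=1%2520UNION%2520SELECT%2520user%252Cpass%2520FROM%2520users HTTP/1.1" 500 0',
    '10.0.0.15 - - [31/Jan/2020:10:04:00 -0400] "POST /login HTTP/1.1" 302 0',
]


def parse_line(line):
    """Split one access-log line into fields plus its (once-decoded) query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def classify_value(value):
    """Return (signature name, decoded value) for the first match, or None.
    The second candidate is the value decoded once more, to catch double encoding."""
    for candidate in (value, unquote_plus(value)):
        for name, pat in SQLI_PATTERNS.items():
            if pat.search(candidate):
                return name, candidate
    return None


def find_sqli(line):
    """One finding per line that has at least one matching parameter, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    hits = []
    for key, value in rec["params"]:
        hit = classify_value(value)
        if hit:
            hits.append({"param": key, "signature": hit[0], "decoded": hit[1]})
    if not hits:
        return None
    return {"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "hits": hits}


def scan(lines):
    """All findings, in log order."""
    return [f for f in (find_sqli(line) for line in lines) if f]


def sources(findings):
    """Flagged requests per client IP, most active first."""
    return Counter(f["ip"] for f in findings).most_common()


if __name__ == "__main__":
    for f in scan(SAMPLE_ACCESS_LOG):
        print(f["ip"], f["path"], f["hits"])
    print(sources(scan(SAMPLE_ACCESS_LOG)))
```

Note what the plain grep misses: the double-encoded UNION request on /item never contains the literal string "union" in the raw log, and "reunion selection" would be a false hit for a case-insensitive grep but is not one here because the signature requires word boundaries.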
Q363.A company’s change management team has asked a security analyst to review a potential change to the email server before it is released into production. The analyst reviews the following change request:
Which of the following is the MOST likely reason for the change?
A. To reject email from servers that are not listed in the SPF record
B. To reject email from email addresses that are not digitally signed.
C. To accept email to the company’s domain.
D. To reject email from users who are not authenticated to the network.
Hint answer: A
Q364.An organization has been seeing increased levels of malicious traffic. A security analyst wants to take a more proactive approach to identify the threats that are acting against the organization’s network. Which of the following approaches should the security analyst recommend?
A. Use the MITRE ATT&CK framework to develop threat models.
B. Conduct internal threat research and establish indicators of compromise.
C. Review the perimeter firewall rules to ensure rule-set accuracy.
D. Use SCAP scans to monitor for configuration changes on the network.
Hint answer: B
Q365.While investigating an incident in a company’s SIEM console, a security analyst found hundreds of failed SSH login attempts, which all occurred in rapid succession. The failed attempts were followed by a successful login on the root user. Company policy allows systems administrators to manage their systems only from the company’s internal network using their assigned corporate logins. Which of the following are the BEST actions the analyst can take to stop any further compromise? (Choose two.)
A. Add a rule on the affected system to block access to port TCP/22.
B. Reset the passwords for all accounts on the affected system.
C. Add a rule on the perimeter firewall to block the source IP address.
D. Configure /etc/sshd_config to deny root logins and restart the SSHD service.
E. Configure /etc/passwd to deny root logins and restart the SSHD service.
F. Add a rule on the network IPS to block SSH user sessions
Hint answer: B, D
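Added example, not from the exam page: the pattern in Q365 (a burst of failures, then a successful root login from outside the corporate network) is easy to detect in the OpenSSH auth log, and the same script can check the sshd_config settings that the recommended fix touches. The log lines and config excerpt are constructed; the corporate address ranges, the failure threshold, the window and the log year are assumptions stated in the code. One detail the exam option glosses over: on a stock OpenSSH install the file is /etc/ssh/sshd_config, and sshd honours the first value it sees for each keyword, so a hardening line appended at the bottom is silently ignored if the keyword already appears above it.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumptions for this example: the corporate network ranges, how many failures
# within the window count as brute forcing, and the log year (syslog omits it).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
THRESHOLD = 5
WINDOW_SECONDS = 60
LOG_YEAR = 2020

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed auth.log excerpt in OpenSSH's syslog format.
SAMPLE_AUTH_LOG = [
    "Jan 31 10:02:31 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51212 ssh2",
    "Jan 31 10:02:32 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51214 ssh2",
    "Jan 31 10:02:32 web01 sshd[2235]: Failed password for root from 203.0.113.9 port 51216 ssh2",
    "Jan 31 10:02:33 web01 sshd[2237]: Failed password for root from 203.0.113.9 port 51218 ssh2",
    "Jan 31 10:02:34 web01 sshd[2239]: Failed password for root from 203.0.113.9 port 51220 ssh2",
    "Jan 31 10:02:35 web01 sshd[2241]: Failed password for root from 203.0.113.9 port 51222 ssh2",
    "Jan 31 10:02:36 web01 sshd[2243]: Accepted password for root from 203.0.113.9 port 51224 ssh2",
    "Jan 31 10:05:00 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2",
    "Jan 31 10:06:10 web01 sshd[2310]: Failed password for bob from 10.0.0.7 port 50200 ssh2",
    "Jan 31 10:06:15 web01 sshd[2312]: Accepted password for bob from 10.0.0.7 port 50202 ssh2",
]

# Constructed sshd_config excerpt with the settings that made the attack possible.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze_auth_log(lines):
    """Findings for brute-force bursts and for successful logins that break policy."""
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps inside the window
    findings = []
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        window = recent_failures[ip]
        while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if m["result"] == "Failed":
            window.append(ts)
            if len(window) == THRESHOLD:          # report once per burst
                findings.append({"type": "brute_force", "ip": ip, "user": user, "ts": ts})
            continue
        reasons = []
        if len(window) >= THRESHOLD:
            reasons.append("success_after_brute_force")
        if user == "root":
            reasons.append("root_login")          # policy: named admin accounts only
        if not is_internal(ip):
            reasons.append("external_source")     # policy: internal network only
        if reasons:
            findings.append({"type": "suspicious_login", "ip": ip, "user": user,
                             "ts": ts, "reasons": tuple(reasons)})
    return findings


def sshd_config_issues(text):
    """Settings in an sshd_config that leave the server open to this attack.

    sshd uses the first value it sees for a keyword; Match blocks are not modelled.
    Defaults are those of OpenSSH 7.0 and later.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)
    issues = []
    if settings.get("permitrootlogin", "prohibit-password") != "no":
        issues.append("PermitRootLogin is not 'no'")
    if settings.get("passwordauthentication", "yes") != "no":
        issues.append("PasswordAuthentication allows online guessing; use keys")
    if not ({"allowusers", "allowgroups"} & settings.keys()):
        issues.append("no AllowUsers/AllowGroups restriction to admin accounts")
    return issues


if __name__ == "__main__":
    for f in analyze_auth_log(SAMPLE_AUTH_LOG):
        print(f)
    print(sshd_config_issues(SAMPLE_SSHD_CONFIG))
```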
Q366.A company creates digitally signed packages for its devices. Which of the following BEST describes the method by which the security packages are delivered to the company’s customers?
A. Anti-tamper mechanism
B. SELinux
C. Trusted firmware updates
D. eFuse
Hint answer: C
Q367.Employees of a large financial company are continuously being infected by strands of malware that are not detected by EDR tools. Which of the following is the BEST security control to implement to reduce corporate risk while allowing employees to exchange files at client sites?
A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation
Hint answer: C
Q368.A security analyst is reviewing the following DNS logs as part of security-monitoring activities:
Which of the following MOST likely occurred?
A. The attack used an algorithm to generate command and control information dynamically
B. The attack attempted to contact www.google.com to verify Internet connectivity
C. The attack used encryption to obfuscate the payload and bypass detection by an IDS
D. The attack caused an internal host to connect to a command and control server
Hint answer: A
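The DNS exhibit for Q368 is not reproduced on the page, so the following Python is an added example (not the page's own material) of the detection logic an analyst would apply to such logs: score each looked-up name on the traits that distinguish algorithmically generated labels from real ones (few vowels, digits mixed in, near-maximal character entropy, long consonant runs), then group by client and look for the burst of NXDOMAIN answers that a domain generation algorithm produces while it cycles through candidates until one resolves. The log lines, the thresholds and the log format are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")
FLAG_SCORE = 0.6         # per-domain threshold (assumption)
CLIENT_MIN_FLAGGED = 3   # flagged lookups before a client is reported (assumption)

# Constructed DNS log in the form "<time> <client> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
10:01:02 10.0.0.21 www.google.com NOERROR
10:01:05 10.0.0.21 mail.company.com NOERROR
10:01:10 10.0.0.33 kq7x2lv9pbzw.com NXDOMAIN
10:01:10 10.0.0.33 r8tzqm4vhj3n.net NXDOMAIN
10:01:11 10.0.0.33 wq9k2xpl7sdv.org NXDOMAIN
10:01:11 10.0.0.33 zx4vt9qmn8lp.com NXDOMAIN
10:01:12 10.0.0.33 jm3pq8xzk2vw.info NXDOMAIN
10:01:12 10.0.0.33 vbx7lq2mzp9k.com NOERROR
10:01:20 10.0.0.21 update.microsoft.com NOERROR
"""


def shannon_entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_label(qname):
    """Second-level label of a name. Naive: 'example.co.uk' needs a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def features(label):
    letters = [c for c in label if c.isalpha()]
    run = longest = 0
    for c in label:                      # digits and vowels both break a consonant run
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0
        longest = max(longest, run)
    n = len(label)
    return {
        "len": n,
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / n if n else 0.0,
        "entropy_ratio": shannon_entropy(label) / math.log2(n) if n > 1 else 0.0,
        "consonant_run": longest,
    }


def dga_score(label):
    """Heuristic in [0, 1]. Generated labels tend to be long, vowel-poor, digit-rich
    and near-maximal entropy; short vowel-free brand names are the usual false
    positives, which is why no single feature is allowed to decide alone."""
    f = features(label.lower())
    score = 0.0
    if f["vowel_ratio"] < 0.15:
        score += 0.35
    if f["digit_ratio"] > 0.15:
        score += 0.25
    if f["len"] >= 10 and f["entropy_ratio"] > 0.9:
        score += 0.2
    if f["consonant_run"] >= 3:
        score += 0.2
    return round(score, 2)


def analyze_dns_log(text):
    """Per client: lookups, how many look generated, how many came back NXDOMAIN,
    and which suspicious names did resolve (the likely live C2 domain)."""
    per_client = defaultdict(lambda: {"total": 0, "flagged": 0, "nxdomain": 0, "resolved": []})
    for line in text.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = line.split()
        stats = per_client[client]
        stats["total"] += 1
        if dga_score(registered_label(qname)) >= FLAG_SCORE:
            stats["flagged"] += 1
            if rcode == "NXDOMAIN":
                stats["nxdomain"] += 1
            else:
                stats["resolved"].append(qname)
    return {c: s for c, s in per_client.items() if s["flagged"] >= CLIENT_MIN_FLAGGED}


if __name__ == "__main__":
    for client, stats in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, stats)
```

The "resolved" list is the item to act on: the names that came back NXDOMAIN were the algorithm's misses, while the one that resolved is where the host will connect next, so it belongs in the block list and in the packet-capture filter.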
Q369.The threat intelligence department recently learned of an advanced persistent threat that is leveraging a new strain of malware, exploiting a system router. The company currently uses the same device mentioned in the threat report. Which of the following configuration changes would BEST improve the organization’s security posture?
A. Implement an IPS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
B. Implement an IDS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
C. Implement an IPS rule that contains the IP addresses from the advanced persistent threat and patch the routers to protect against the vulnerability
D. Implement an IDS rule that contains content for the malware variant and patch the routers to protect against the vulnerability
Hint answer: A
Q370.A financial institution’s business unit plans to deploy a new technology in a manner that violates existing information security standards. Which of the following actions should the Chief Information Security Officer (CISO) take to manage any type of violation?
A. Enforce the existing security standards and controls
B. Perform a risk analysis and qualify the risk with legal
C. Perform research and propose a better technology
D. Enforce the standard permits
Hint answer: B
Q371.Which of the following are components of the intelligence cycle? (Choose two.)
A. Collection
B. Normalization
C. Response
D. Analysis
E. Correction
F. Dissension
Hint answer: A, D
Q372.A cybersecurity analyst is investigating a potential incident affecting multiple systems on a company’s internal network. Although there is a negligible impact to performance, the following symptoms are present on each of the affected systems:
✑ Existence of a new and unexpected svchost.exe process
✑ Persistent, outbound TCP/IP connections to an unknown external host with routine keep-alives transferred
✑ DNS query logs showing successful name resolution for an Internet-resident dynamic DNS domain
If this situation remains unresolved, which of the following will MOST likely occur?
A. The affected hosts may participate in a coordinated DDoS attack upon command
B. An adversary may leverage the affected hosts to reconfigure the company’s router ACLs
C. Key files on the affected hosts may become encrypted and require ransom payment for unlock
D. The adversary may attempt to perform a man-in-the-middle attack
Hint answer: A
Q373.A company is moving from the use of web servers hosted in an internal datacenter to a containerized cloud platform. An analyst has been asked to identify indicators of compromise in the containerized environment. Which of the following would BEST indicate a running container has been compromised?
A. A container from an approved software image has drifted
B. An approved software orchestration container is running with root privileges
C. A container from an approved software image has stopped responding
D. A container from an approved software image fails to start
Hint answer: A
Q374.Which of the following MOST accurately describes an HSM?
A. An HSM is a low-cost solution for encryption
B. An HSM can be network-based or a removable USB device
C. An HSM is slower at encrypting than software
D. An HSM is explicitly used for MFA
Hint answer: B
Q375.An organization is assessing risks so it can prioritize its mitigation actions. Following are the risks and their probability and impact:
Which of the following is the order of priority for risk mitigation from highest to lowest?
A. A, B, C, D
B. A, D, B, C
C. B, C, A, D
D. C, B, D, A
E. D, A, C, B
Hint answer: B
Q376.A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance as identified from the firewall logs, but the destination IP is blocked and not captured. Which of the following should the analyst do?
A. Shut down the computer
B. Capture live data using Wireshark
C. Take a snapshot
D. Determine if DNS logging is enabled
E. Review the network logs
Hint answer: D
Q377.An organization wants to mitigate against risks associated with network reconnaissance. ICMP is already blocked at the firewall; however, a penetration testing team has been able to perform reconnaissance against the organization’s network and identify active hosts. An analyst sees the following output from a packet capture:
Which of the following phrases from the output provides information on how the testing team is successfully getting around the ICMP firewall rule?
A. flags=RA indicates the testing team is using a Christmas tree attack
B. ttl=64 indicates the testing team is setting the time to live below the firewall’s threshold
C. 0 data bytes indicates the testing team is crafting empty ICMP packets
D. NO FLAGS are set indicates the testing team is using hping
Hint answer: D
Q378.Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?
A. Data deidentification
B. Data encryption
C. Data masking
D. Data minimization
Hint answer: B
Q379.The help desk notified a security analyst that emails from a new email server are not being sent out. The new email server was recently added to the existing ones. The analyst runs the following command on the new server:
Given the output, which of the following should the security analyst check NEXT?
A. The DNS name of the new email server
B. The version of SPF that is being used
C. The IP address of the new email server
D. The DMARC policy
Hint answer: C
Q380.A security analyst working in the SOC recently discovered instances in which hosts visited a specific set of domains and IPs and became infected with malware.
Which of the following is the MOST appropriate action to take in this situation?
A. Implement an IPS signature for the malware and update the blacklisting for the associated domains and IPs
B. Implement an IPS signature for the malware and another signature request to block all the associated domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow traffic to and from the origin IPs subnets and second-level domains
Hint answer: D
Q381.A bad actor bypasses authentication and reveals all records in a database through an SQL injection. Implementation of which of the following would work BEST to prevent similar attacks in the future?
A. Strict input validation
B. Blacklisting
C. SQL patching
D. Content filtering
E. Output encoding
Hint answer: A
Q382.As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack scenarios derived from the available threat intelligence information. After forming the basis of the scenario, which of the following may the threat hunter construct to establish a framework for threat assessment?
A. Critical asset list
B. Threat vector
C. Attack profile
D. Hypothesis
Hint answer: D
Q383.A security analyst is required to stay current with the most recent threat data and intelligence reports. When gathering data, it is MOST important for the data to be:
A. proprietary and timely
B. proprietary and accurate
C. relevant and deep
D. relevant and accurate
Hint answer: D
Q384.A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization?
A. Establish a recovery time objective and a recovery point objective for the systems being moved
B. Calculate the resource requirements for moving the systems to the cloud
C. Determine recovery priorities for the assets being moved to the cloud-based systems
D. Identify the business processes that will be migrated and the criticality of each one
E. Perform an inventory of the servers that will be moving and assign priority to each one
Hint answer: D
Q385.A security engineer is reviewing security products that identify malicious actions by users as part of a company’s insider threat program. Which of the following is the MOST appropriate product category for this purpose?
A. SCAP
B. SOAR
C. UEBA
D. WAF
Hint answer: C
Q386.A security analyst is probing a company’s public-facing servers for vulnerabilities and obtains the following output:
Which of the following changes should the analyst recommend FIRST?
A. Implement File Transfer Protocol Secure on the upload server
B. Disable anonymous login on the web server
C. Configure firewall changes to close port 445 on 124.45.23.112
D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108
Hint answer: C
Q387.A threat intelligence analyst has received multiple reports that are suspected to be about the same advanced persistent threat. To which of the following steps in the intelligence cycle would this map?
A. Dissemination
B. Analysis
C. Feedback
D. Requirements
E. Collection
Hint answer: E
Q388.A security analyst is attempting to utilize the following threat intelligence for developing detection capabilities:
APT X’s approach to a target would be sending a phishing email to the target after conducting active and passive reconnaissance. Upon successful compromise, APT X conducts internal reconnaissance and attempts to move laterally by utilizing existing resources. When APT X finds data that aligns to its objectives, it stages and then exfiltrates data sets in sizes that can range from 1GB to 5GB. APT X also establishes several backdoors to maintain a C2 presence in the environment.
In which of the following phases is this APT MOST likely to leave discoverable artifacts?
A. Data collection/exfiltration
B. Defensive evasion
C. Lateral movement
D. Reconnaissance
Hint answer: A
Q389.A security analyst is reviewing the following requirements for new time clocks that will be installed in a shipping warehouse:
✑ The clocks must be configured so they do not respond to ARP broadcasts.
✑ The server must be configured with static ARP entries for each clock.
Which of the following types of attacks will this configuration mitigate?
A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing
Hint answer: A
Q390.During an incident investigation, a security analyst acquired a malicious file that was used as a backdoor but was not detected by the antivirus application. After performing a reverse-engineering procedure, the analyst found that part of the code was obfuscated to avoid signature detection. Which of the following types of instructions should the analyst use to understand how the malware was obfuscated and to help deobfuscate it?
A. MOV
B. ADD
C. XOR
D. SUB
E. MOVL
Hint answer: C
Q391.An organization wants to move non-essential services into a cloud computing environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome?
A. Duplicate all services in another instance and load balance between the instances
B. Establish a hot site with active replication to another region within the same cloud provider
C. Set up a warm disaster recovery site with the same cloud provider in a different region
D. Configure the systems with a cold site at another cloud provider that can be used for failover
Hint answer: C
Q392.A company’s senior human resources administrator left for another position, and the assistant administrator was promoted into the senior position. On the official start day, the new senior administrator planned to ask for extended access permissions but noticed the permissions were automatically granted on that day. Which of the following describes the access management policy in place at the company?
A. Mandatory-based
B. Host-based
C. Federated access
D. Role-based
Hint answer: D
Q393.An analyst is searching a log for potential credit card leaks. The log stores all data encoded in hexadecimal. Which of the following commands will allow the security analyst to confirm the incident?
A. cat log | xxd -r -p | egrep -v '[0-9]{16}'
B. egrep '(3[0-9]){16}' log
C. cat log | xxd -r -p | egrep '[0-9]{16}'
D. egrep '[0-9]{16}' log | xxd
Hint answer: C
Q394.An analyst is reviewing the following code output of a vulnerability scan:
Which of the following types of vulnerabilities does this MOST likely represent?
A. A XSS vulnerability
B. An HTTP response split vulnerability
C. A credential bypass vulnerability
D. A carriage-return, line-feed vulnerability
Hint answer: A
Q395.The Chief Information Officer (CIO) for a large manufacturing organization has noticed a significant number of unknown devices with possible malware infections are on the organization’s corporate network. Which of the following would work BEST to prevent the issue?
A. Reconfigure the NAC solution to prevent access based on a full device profile and ensure antivirus is installed.
B. Segment the network to isolate all systems that contain highly sensitive information, such as intellectual property.
C. Implement certificate validation on the VPN to ensure only employees with the certificate can access the company network.
D. Update the antivirus configuration to enable behavioral and real-time analysis on all systems within the network.
Hint answer: A
Q396.Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?
A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis membership
D. Common vulnerability and exposure bulletins
Hint answer: C
Q397.The Chief Executive Officer (CEO) of a large insurance company has reported phishing emails that contain malicious links are targeting the entire organization.
Which of the following actions would work BEST to prevent against this type of attack?
A. Turn on full behavioral analysis to avert an infection.
B. Implement an EDR mail module that will rewrite and analyze email links.
C. Reconfigure the EDR solution to perform real-time scanning of all files.
D. Ensure EDR signatures are updated every day to avert infection.
E. Modify the EDR solution to use heuristic analysis techniques for malware.
Hint answer: B
Q398.Which of the following session management techniques will help to prevent a session identifier from being stolen via an XSS attack?
A. Ensuring the session identifier length is sufficient
B. Creating proper session identifier entropy
C. Applying a secure attribute on session cookies
D. Utilizing transport layer encryption on all requests
E. Implementing session cookies with the HttpOnly flag
Hint answer: E
Q399.A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?
A. nmap -iL webserverlist.txt -sC -p 443 -oX webserverlist.xml
B. nmap -iL webserverlist.txt -sV -p 443 -oX webserverlist.xml
C. nmap -iL webserverlist.txt -F -p 443 -oX webserverlist.xml
D. nmap --takefile webserverlist.txt --outputfileasXML webserverlist.xml --scanports 443
Hint answer: B
Q400.An analyst wants to identify hosts that are connecting to the external FTP servers and what, if any, passwords are being used. Which of the following commands should the analyst use?
A. tcpdump -X dst port 21
B. ftp ftp.server -p 21
C. nmap -o ftp.server -p 21
D. telnet ftp.server 21
Hint answer: A