Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > CompTIA > CompTIA CySA+ > CS0-003

CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Question and Answers

Question # 4

An attacker recently gained unauthorized access to a financial institution ' s database, which contains confidential information. The attacker exfiltrated a large amount of data before being detected and blocked. A security analyst needs to complete a root cause analysis to determine how the attacker was able to gain access. Which of the following should the analyst perform first?

A.

Document the incident and any findings related to the attack for future reference.

B.

Interview employees responsible for managing the affected systems.

C.

Review the log files that record all events related to client applications and user access.

D.

Identify the immediate actions that need to be taken to contain the incident and minimize damage.

Full Access
Question # 5

Which of the following is the most important factor to ensure accurate incident response reporting?

A.

A well-defined timeline of the events

B.

A guideline for regulatory reporting

C.

Logs from the impacted system

D.

A well-developed executive summary

Full Access
Question # 6

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Full Access
Question # 7

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:

Which of the following vulnerability types is the security analyst validating?

A.

Directory traversal

B.

XSS

C.

XXE

D.

SSRF

Full Access
Question # 8

A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters. Which of the following is the best way for the administrator to find more messages that were not reported?

A.

Search email logs for a regular expression

B.

Open a support ticket with the email hosting provider

C.

Send a memo to all staff asking them to report suspicious emails

D.

Query firewall logs for any traffic with a suspicious website

Full Access
Question # 9

Which of the following best describes the key elements of a successful information security program?

A.

Business impact analysis, asset and change management, and security communication plan

B.

Security policy implementation, assignment of roles and responsibilities, and information asset classification

C.

Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D.

Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

Full Access
Question # 10

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Full Access
Question # 11

A security analyst has identified outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and target domain servers. The traffic is then routed to a geographic location to which the company has no association. Which of the following best describes this type of threat?

A.

Hacktivist

B.

Zombie

C.

Insider threat

D.

Nation-state actor

Full Access
Question # 12

An organization has noticed large amounts of data are being sent out of its network. An

analyst is identifying the cause of the data exfiltration.

INSTRUCTIONS

Select the command that generated the output in tabs 1 and 2.

Review the output text in all tabs and identify the file responsible for the malicious

behavior.

If at any time you would like to bring back the initial state of the simulation, please click

the Reset All button.

Full Access
Question # 13

A Chief Information Security Officer wants to lock down the users ' ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?

A.

HIPS

B.

GPO

C.

Registry

D.

DLP

Full Access
Question # 14

Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer ' s customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A.

Isolate Joe ' s PC from the network

B.

Reimage the PC based on standard operating procedures

C.

Initiate a remote wipe of Joe ' s PC using mobile device management

D.

Perform no action until HR or legal counsel advises on next steps

Full Access
Question # 15

An MSSP received several alerts from customer 1, which caused a missed incident response deadline for customer 2. Which of the following best describes the document that was violated?

A.

KPI

B.

SLO

C.

SLA

D.

MOU

Full Access
Question # 16

A security analyst has found a moderate-risk item in an organization ' s point-of-sale application. The organization is currently in a change freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does this scenario illustrate?

A.

Service-level agreement

B.

Business process interruption

C.

Degrading functionality

D.

Proprietary system

Full Access
Question # 17

An organization is planning to adopt a zero-trust architecture. Which of the following is most aligned with this approach?

A.

Network segmentation to separate sensitive systems from the rest of the network.

B.

Whitelisting specific IP addresses that are allowed to access the network.

C.

Trusting users who successfully authenticate once with multifactor authentication.

D.

Automatically trusting internal network communications over external traffic.

Full Access
Question # 18

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Full Access
Question # 19

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Full Access
Question # 20

Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Which of the following best supports this approach?

A.

Threat modeling

B.

Penetration testing

C.

Bug bounty

D.

SDLC training

Full Access
Question # 21

A company ' s internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Select two).

A.

Deploying a WAF

B.

Performing a forensic analysis

C.

Contracting a penetration test

D.

Holding a tabletop exercise

E.

Creating a bug bounty program

F.

Implementing threat modeling

Full Access
Question # 22

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A.

RADIUS

B.

SDN

C.

ZTNA

D.

SWG

Full Access
Question # 23

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve

this issue?

A.

Credentialed scan

B.

External scan

C.

Differential scan

D.

Network scan

Full Access
Question # 24

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be best to mitigate the vulnerability at the application level?

A.

Perform OS hardening.

B.

Implement input validation.

C.

Update third-party dependencies.

D.

Configure address space layout randomization.

Full Access
Question # 25

An analyst is conducting monitoring against an authorized team that win perform adversarial techniques. The analyst interacts with the team twice per day to set the stage for the techniques to be used. Which of the following teams is the analyst a member of?

A.

Orange team

B.

Blue team

C.

Red team

D.

Purple team

Full Access
Question # 26

A security analyst performs a vulnerability scan on the corporate assets and finds the following vulnerabilities:

System | Vulnerability | CVSS Severity Score

System A | Buffer overflow | 9.5

System B | Remote code execution | 9.8

System C | DDoS | 8.2

System D | XSS | 8.6

The vulnerability manager reviews the analyst’s recommendations and asks the analyst to add more information in order to confirm prioritization. Which of the following best explains the reason the manager requests more information?

A.

Host criticality is unknown.

B.

SLA information is missing.

C.

Existing KPIs were not measured.

D.

Zero-day vulnerabilities were excluded.

Full Access
Question # 27

An incident response team found indicators of compromise on a critical server. The team needs to isolate the server and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A.

Hard disk

B.

Primary boot partition

C.

Malicious files

D.

Routing table

E.

Static IP address

Full Access
Question # 28

The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled. Which of the following should the organization utilize to best centralize the workload for the internal security team? (Select two).

A.

SOAR

B.

SIEM

C.

MSP

D.

NGFW

E.

XDR

F.

DLP

Full Access
Question # 29

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Full Access
Question # 30

A security analyst needs to identify the devices in a critical infrastructure network that handles an oil and gas pipeline. The network has devices connected over IPv4 using either HTTP or Modbus protocols running on the standard ports. Which of the following approaches should the analyst use to achieve the objective?

A.

Employ the IT vulnerability scanner to target ports 80 and 502.

B.

Use banner grabbing with Netcat on TCP ports 80 and 502.

C.

Perform an Nmap -sS -A -p 80,502 scan.

D.

Scan the ICS network using Masscan --open-only -p80,502.

Full Access
Question # 31

A security analyst performs a vulnerability scan. Given the following findings:

Which of the following machines should the analyst address first? (Select two).

A.

Server1

B.

Server2

C.

server3

D.

Server4

E.

Server5

F.

Server 6

Full Access
Question # 32

A company ' s user accounts have been compromised. Users are also reporting that the company ' s internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

A.

There is an issue with the SSL certificate causinq port 443 to become unavailable for HTTPS access

B.

An on-path attack is being performed by someone with internal access that forces users into port 80

C.

The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80

D.

An error was caused by BGP due to new rules applied over the company ' s internal routers

Full Access
Question # 33

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A.

Firewall logs

B.

Indicators of compromise

C.

Risk assessment

D.

Access control lists

Full Access
Question # 34

Which of the following items should be included in a vulnerability scan report? (Choose two.)

A.

Lessons learned

B.

Service-level agreement

C.

Playbook

D.

Affected hosts

E.

Risk score

F.

Education plan

Full Access
Question # 35

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

A.

SQL01

B.

WK10-Sales07

C.

WK7-Plant01

D.

DCEast01

E.

HQAdmin9

Full Access
Question # 36

An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the first step for the security team to take to ensure compliance with the request?

A.

Disclose the request to other vendors.

B.

Notify the departments involved to preserve potentially relevant information.

C.

Establish a chain of custody, starting with the attorney’s request.

D.

Back up the mailboxes on the server and provide the attorney with a copy.

Full Access
Question # 37

During an internal code review, software called " ACE " was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the ACE software. ACE is used worldwide and is essential for many businesses in this industry. Developers informed the Chief Information Security Officer that removal of the vulnerability will take time. Which of the following is the first action to take?

A.

Look for potential loCs in the company.

B.

Inform customers of the vulnerability.

C.

Remove the affected vendor resource from the ACE software.

D.

Develop a compensating control until the issue can be fixed permanently.

Full Access
Question # 38

An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization ' s MTTD?

A.

140

B.

150

C.

160

D.

180

Full Access
Question # 39

Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A.

Implement step-up authentication for administrators.

B.

Improve employee training and awareness.

C.

Increase password complexity standards.

D.

Deploy mobile device management.

Full Access
Question # 40

An analyst is examining events in multiple systems but is having difficulty correlating data points. Which of the following is most likely the issue with the system?

A.

Access rights

B.

Network segmentation

C.

Time synchronization

D.

Invalid playbook

Full Access
Question # 41

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Full Access
Question # 42

An organization ' s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Full Access
Question # 43

An analyst is reviewing a dashboard from the company ' s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

A.

MITRE ATT & CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Full Access
Question # 44

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS: 3.1/AV:N/AC: L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

A.

E:U

B.

S:C

C.

RC:R

D.

AV:N

E.

AC:L

Full Access
Question # 45

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

A.

Implementing multifactor authentication on the server OS

B.

Hashing user passwords on the web application

C.

Performing input validation before allowing submission

D.

Segmenting the network between the users and the web server

Full Access
Question # 46

Which of the following makes STIX and OpenloC information readable by both humans and machines?

A.

XML

B.

URL

C.

OVAL

D.

TAXII

Full Access
Question # 47

During a routine review, a security analyst identifies an unusual volume of traffic going to a local network workstation. The analyst extracts the traffic to a pcap file. To analyze the content, the analyst runs the command tcpdump -n -r file.pcap udp and port 53 and receives the following output:

Which of the following conclusions will the analyst reach based on the pcap analysis?

A.

The traffic captured a meterpreter payload delivery.

B.

The traffic shows data exfiltration.

C.

The traffic identified a Structured Query Language Injection attack.

D.

The traffic Is associated with Domain Name System Security Extensions.

E.

The traffic is normal on a Unix-based network.

Full Access
Question # 48

Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:

Which of the following should the security analyst prioritize for remediation?

A.

rogers

B.

brady

C.

brees

D.

manning

Full Access
Question # 49

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

Which of the following should be remediated first?

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Full Access
Question # 50

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

A.

Instruct the firewall engineer that a rule needs to be added to block this external server.

B.

Escalate the event to an incident and notify the SOC manager of the activity.

C.

Notify the incident response team that a DDoS attack is occurring.

D.

Identify the IP/hostname for the requests and look at the related activity.

Full Access
Question # 51

Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).

A.

Minimize security attacks

B.

Itemize tasks for approval

C.

Reduce repetitive tasks

D.

Minimize setup complexity

E.

Define a security strategy

F.

Generate reports and metrics

Full Access
Question # 52

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A.

Clone the virtual server for forensic analysis

B.

Log in to the affected server and begin analysis of the logs

C.

Restore from the last known-good backup to confirm there was no loss of connectivity

D.

Shut down the affected server immediately

Full Access
Question # 53

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

A.

It provides analytical pivoting and identifies knowledge gaps.

B.

It guarantees that the discovered vulnerability will not be exploited again in the future.

C.

It provides concise evidence that can be used in court

D.

It allows for proactive detection and analysis of attack events

Full Access
Question # 54

A security manager has decided to form a special group of analysts who participate in both penetration testing and defending the company ' s network infrastructure during exercises. Which of the following teams should the group form in order to achieve this goal?

A.

Blue team

B.

Purple team

C.

Red team

D.

Green team

Full Access
Question # 55

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

A.

OSSTMM

B.

SIEM

C.

SOAR

D.

QVVASP

Full Access
Question # 56

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

A.

STIX/TAXII

B.

APIs

C.

Data enrichment

D.

Threat feed

Full Access
Question # 57

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A.

Change the display filter to f cp. accive. pore

B.

Change the display filter to tcg.port=20

C.

Change the display filter to f cp-daca and follow the TCP streams

D.

Navigate to the File menu and select FTP from the Export objects option

Full Access
Question # 58

A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

A.

function x() { info=$(geoiplookup $1) & & echo " $1 | $info " }

B.

function x() { info=$(ping -c 1 $1 | awk -F " / " ’END{print $5}’) & & echo " $1 | $info " }

C.

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F " .in-addr " ’{print $1} ' ).origin.asn.cymru.com TXT +short) & & echo " $1 | $info " }

D.

function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) & & echo " $1 | $info " }

Full Access
Question # 59

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

A.

Address space layout randomization

B.

Data execution prevention

C.

Stack canary

D.

Code obfuscation

Full Access
Question # 60

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would

most likely lead the team to this conclusion?

.

A.

High GPU utilization

B.

Bandwidth consumption

C.

Unauthorized changes

D.

Unusual traffic spikes

Full Access
Question # 61

A security analyst is reviewing events that occurred during a possible compromise. The analyst obtains the following log:

Which of the following is most likely occurring, based on the events in the log?

A.

An adversary is attempting to find the shortest path of compromise.

B.

An adversary is performing a vulnerability scan.

C.

An adversary is escalating privileges.

D.

An adversary is performing a password stuffing attack..

Full Access
Question # 62

While a security analyst for an organization was reviewing logs from web servers. the analyst found several successful attempts to downgrade HTTPS sessions to use cipher modes of operation susceptible to padding oracle attacks. Which of the following combinations of configuration changes should the organization make to remediate this issue? (Select two).

A.

Configure the server to prefer TLS 1.3.

B.

Remove cipher suites that use CBC.

C.

Configure the server to prefer ephemeral modes for key exchange.

D.

Require client browsers to present a user certificate for mutual authentication.

E.

Configure the server to require HSTS.

F.

Remove cipher suites that use GCM.

Full Access
Question # 63

The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS.

If the venerability is not valid, the analyst must take the proper steps to get the scan clean.

If the venerability is valid, the analyst must remediate the finding.

After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options.

INTRUCTIONS:

The simulation includes 2 steps.

Step1:Review the information provided in the network diagram and then move to the STEP 2 tab.

STEP 2: Given the Scenario, determine which remediation action is required to address the vulnerability.

Full Access
Question # 64

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team?

A.

Increases the product price by using the implementation as a piece of marketing

B.

Decreases the risks of the software usage and complies with regulatory requirements

C.

Improves the agile process and decreases the amount of tests before the final deployment

D.

Transfers the responsibility for security flaws to the vulnerability management team

Full Access
Question # 65

After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?

A.

DNS poisoning

B.

Pharming

C.

Phishing

D.

Cross-site scripting

Full Access
Question # 66

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

A.

SOAR

B.

SIEM

C.

SLA

D.

IoC

Full Access
Question # 67

A security analyst performs forensic analysis of a user’s computer. The analyst immediately orders the user to leave the computer powered on and not interact with it until further notice. Which of the following best describes the reason for the analyst’s orders?

A.

To prevent loss of sensitive data due to misuse

B.

To preserve artifacts related to the incident

C.

To validate that the security tools are installed and up to date

D.

To ensure there is a legal hold on the computer

Full Access
Question # 68

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

    There must be one primary server or service per device.

    Only default port should be used

    Non- secure protocols should be disabled.

    The corporate internet presence should be placed in a protected subnet

Instructions :

    Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

    ip address of each device

    The primary server or service each device

    The protocols that should be disabled based on the hardening guidelines

Full Access
Question # 69

An organization ' s email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Full Access
Question # 70

When starting an investigation, which of the following must be done first?

A.

Notify law enforcement

B.

Secure the scene

C.

Seize all related evidence

D.

Interview the witnesses

Full Access
Question # 71

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A.

Impact

B.

Vulnerability score

C.

Mean time to detect

D.

Isolation

Full Access
Question # 72

A network analyst notices a long spike in traffic on port 1433 between two IP addresses on opposite sides of a WAN connection. Which of the following is the most likely cause?

A.

A local red team member is enumerating the local RFC1918 segment to enumerate hosts.

B.

A threat actor has a foothold on the network and is sending out control beacons.

C.

An administrator executed a new database replication process without notifying the SOC.

D.

An insider threat actor is running Responder on the local segment, creating traffic replication.

Full Access
Question # 73

Which of the following are the most relevant factors related to vulnerability management reporting and communication within an organization?

A.

Risk assessment, asset inventory, business impact analysis, and business continuity plans

B.

Patch availability, mean time to remediate, dependencies, and disaster recovery plans

C.

False-positive rates, alert volume and characteristics, mean time to detect, and skills inventory

D.

Risk severity levels, timelines, dependencies, and remediation ownership

Full Access
Question # 74

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Full Access
Question # 75

Which of the following is a circumstance in which a security operations manager would most likely consider using automation?

A.

The generation of NIDS rules based on received STIX messages

B.

The fulfillment of privileged access requests to enterprise domain controllers

C.

The verification of employee identities prior to initial PKI enrollment

D.

The analysis of suspected malware binaries captured by an email gateway

Full Access
Question # 76

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Full Access
Question # 77

A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization ' s environment. An analyst views the details of these events below:

Which of the following statements best describes the intent of the attacker, based on this one-liner?

A.

Attacker is escalating privileges via JavaScript.

B.

Attacker is utilizing custom malware to download an additional script.

C.

Attacker is executing PowerShell script " AccessToken.psr.

D.

Attacker is attempting to install persistence mechanisms on the target machine.

Full Access
Question # 78

A web application has a function to retrieve content from an internal URL to identify CSRF attacks in the logs. The security analyst is building a regular expression that will filter out the correctly formatted requests. The target URL is https://10.1.2.3/api, and the receiving API only accepts GET requests and uses a single integer argument named " id. " Which of the following regular expressions should the analyst use to achieve the objective?

A.

(?!https://10\.1\.2\.3/api\?id=[0-9]+)

B.

" https://10\.1\.2\.3/api\?id=\d+

C.

(?: " https://10\.1\.2\.3/api\?id-[0-9]+)

D.

https://10\.1\.2\.3/api\?id«[0-9J$

Full Access
Question # 79

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Full Access
Question # 80

A network security analyst for a large company noticed unusual network activity on a critical system. Which of the following tools should the analyst use to analyze network traffic to search for malicious activity?

A.

WAF

B.

Wireshark

C.

EDR

D.

Nmap

Full Access
Question # 81

After a risk assessment, a server was found hosting a vulnerable legacy system that has the following characteristics:

• There is no patch or official fix available from the vendor.

• There is no official support provided by the vendor.

• Customers consider the system mission critical.

Which of the following actions will best decrease the risk posed by the legacy system?

A.

Decommission the server immediately and find a new solution to replace the legacy system.

B.

Implement firewall rules to block inbound connections and allow outbound traffic.

C.

Install and configure a web application firewall tailored to the legacy server.

D.

Apply compensating controls, including isolation, restricted access, and continuous monitoring.

Full Access
Question # 82

Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?

A.

To establish what information is allowed to be released by designated employees

B.

To designate an external public relations firm to represent the organization

C.

To ensure that all news media outlets are informed at the same time

D.

To define how each employee will be contacted after an event occurs

Full Access
Question # 83

Which of the following best describes the importance of KPIs in an incident response exercise?

A.

To identify the personal performance of each analyst

B.

To describe how incidents were resolved

C.

To reveal what the team needs to prioritize

D.

To expose which tools should be used

Full Access
Question # 84

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

A.

Review Of security requirements

B.

Compliance checks

C.

Decomposing the application

D.

Security by design

Full Access
Question # 85

A security analyst needs to provide evidence of regular vulnerability scanning on the company ' s network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A.

OpenVAS

B.

Burp Suite

C.

Nmap

D.

Wireshark

Full Access
Question # 86

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?

A.

Choose a vendor to utilize for the disaster recovery location.

B.

Establish prioritization of continuity from data and business owners.

C.

Negotiate vendor agreements to support disaster recovery capabilities.

D.

Advise the leadership team that a geographical area for recovery must be defined.

Full Access
Question # 87

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A.

MITRE ATTACK

B.

Cyber Kill Cham

C.

OWASP

D.

STIXTAXII

Full Access
Question # 88

Which of the following explains the importance of a timeline when providing an incident response report?

A.

The timeline contains a real-time record of an incident and provides information that helps to simplify a postmortem analysis.

B.

An incident timeline provides the necessary information to understand the actions taken to mitigate the threat or risk.

C.

The timeline provides all the information, in the form of a timetable, of the whole incident response process including actions taken.

D.

An incident timeline presents the list of commands executed by an attacker when the system was compromised, in the form of a timetable.

Full Access
Question # 89

Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal validity of these messages, the cybersecurity team recommends a digital signature be added to emails sent by the executives. Which of the following are the primary goals of this recommendation? (Select two).

A.

Confidentiality

B.

Integrity

C.

Privacy

D.

Anonymity

E.

Non-repudiation

F.

Authorization

Full Access
Question # 90

During an incident, analysts need to rapidly investigate by the investigation and leadership teams. Which of the following best describes how PII should be safeguarded during an incident?

A.

Implement data encryption and close the data so only the company has access.

B.

Ensure permissions are limited in the investigation team and encrypt the data.

C.

Implement data encryption and create a standardized procedure for deleting data that is no longer needed.

D.

Ensure that permissions are open only to the company.

Full Access
Question # 91

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

A.

C2 beaconing activity

B.

Data exfiltration

C.

Anomalous activity on unexpected ports

D.

Network host IP address scanning

E.

A rogue network device

Full Access
Question # 92

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Full Access
Question # 93

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Full Access
Question # 94

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?

A.

The risk would not change because network firewalls are in use.

B.

The risk would decrease because RDP is blocked by the firewall.

C.

The risk would decrease because a web application firewall is in place.

D.

The risk would increase because the host is external facing.

Full Access
Question # 95

A company patches its servers using automation software. Remote SSH or RDP connections are allowed to the servers only from the service account used by the automation software. All servers are in an internal subnet without direct access to or from the internet. An analyst reviews the following vulnerability summary:

Which of the following vulnerability IDs should the analyst address first?

A.

1

B.

2

C.

3

D.

4

Full Access
Question # 96

Which of the following is a KPI that is used to monitor or report on the effectiveness of an incident response reporting and communication program?

A.

Incident volume

B.

Mean time to detect

C.

Average time to patch

D.

Remediated incidents

Full Access
Question # 97

Which of the following best explains the importance of network microsegmentation as part of a Zero Trust architecture?

A.

To allow policies that are easy to manage and less granular

B.

To increase the costs associated with regulatory compliance

C.

To limit how far an attack can spread

D.

To reduce hardware costs with the use of virtual appliances

Full Access
Question # 98

A security operations center receives the following alerts related to an organization ' s cloud tenant:

Which of the following should an analyst do first to identify the initial compromise?

A.

Search audit logs for all activity under project staging-01 and correlate any actions against VM edoif j34.

B.

Search audit logs for userjdoe12@myorg.com and correlate the successful API requests on project staging-oi.

C.

Review audit logs for any successful compute instance actions targeting project staging-oi during the time of the alerts.

D.

Review logs for any audit action targeting compute instance APIs during the time of the alerts on VM fd03lf .

Full Access
Question # 99

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

A.

Set an Http Only flag to force communication by HTTPS.

B.

Block requests without an X-Frame-Options header.

C.

Configure an Access-Control-Allow-Origin header to authorized domains.

D.

Disable the cross-origin resource sharing header.

Full Access
Question # 100

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

A.

To satisfy regulatory requirements for incident reporting

B.

To hold other departments accountable

C.

To identify areas of improvement in the incident response process

D.

To highlight the notable practices of the organization ' s incident response team

Full Access
Question # 101

An incident responder was able to recover a binary file through the network traffic. The binary file was also found in some machines with anomalous behavior. Which of the following processes most likely can be performed to understand the purpose of the binary file?

A.

File debugging

B.

Traffic analysis

C.

Reverse engineering

D.

Machine isolation

Full Access
Question # 102

A security analyst is responding to an indent that involves a malicious attack on a network. Data closet. Which of the following best explains how are analyst should properly document the incident?

A.

Back up the configuration file for alt network devices

B.

Record and validate each connection

C.

Create a full diagram of the network infrastructure

D.

Take photos of the impacted items

Full Access
Question # 103

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

A.

Beaconing

B.

Cross-site scripting

C.

Buffer overflow

D.

PHP traversal

Full Access
Question # 104

A company has decided to expose several systems to the internet, The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

A.

brown

B.

grey

C.

blane

D.

sullivan

Full Access
Question # 105

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Select two).

A.

Hostname

B.

Missing KPI

C.

CVE details

D.

POC availability

E.

loCs

F.

npm identifier

Full Access
Question # 106

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Full Access
Question # 107

A sales application was remediated to address a critical vulnerability. The process took five business hours and was ultimately successful. However, the change advisory board informed the company’s leadership team that the process resulted in a considerable financial loss. Which of the following best explains the reason for the financial loss?

A.

The loss is a normal cost of operations that relies on IT.

B.

The Chief Information Officer did not notify the board members.

C.

The IT team should have hired a penetration testing team before patching.

D.

The maintenance window was not properly communicated or scheduled.

Full Access
Question # 108

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Full Access
Question # 109

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

A.

STRIDE

B.

Diamond Model of Intrusion Analysis

C.

Cyber Kill Chain

D.

MITRE ATT & CK

Full Access
Question # 110

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Full Access
Question # 111

A security analyst recently used Arachni to perform a vulnerability assessment of a newly developed web application. The analyst is concerned about the following output:

[+] XSS: In form input ' txtSearch ' with action https://localhost/search.aspx

[-] XSS: Analyzing response #1...

[-] XSS: Analyzing response #2...

[-] XSS: Analyzing response #3...

[+] XSS: Response is tainted. Looking for proof of the vulnerability.

Which of the following is the most likely reason for this vulnerability?

A.

The developer set input validation protection on the specific field of search.aspx.

B.

The developer did not set proper cross-site scripting protections in the header.

C.

The developer did not implement default protections in the web application build.

D.

The developer did not set proper cross-site request forgery protections.

Full Access
Question # 112

An analyst has discovered the following suspicious command:

Which of the following would best describe the outcome of the command?

A.

Cross-site scripting

B.

Reverse shell

C.

Backdoor attempt

D.

Logic bomb

Full Access
Question # 113

An analyst receives an alert for suspicious IIS log activity and reviews the following entries:

2024-05-23 15:57:05 10.203.10.16 HEAT / - 80 - 10.203.10.17 DirBuster-1.0-RC1+(http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

...

Which of the following will the analyst infer from the logs?

A.

An attacker is performing network lateral movement.

B.

An attacker is conducting reconnaissance of the website.

C.

An attacker is exfiltrating data from the network.

D.

An attacker is cloning the website.

Full Access
Question # 114

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Full Access
Question # 115

A Chief Information Security Officer wants to implement security by design, starting …… vulnerabilities, including SQL injection, FRI, XSS, etc. Which of the following would most likely meet the requirement?

A.

Reverse engineering

B.

Known environment testing

C.

Dynamic application security testing

D.

Code debugging

Full Access
Question # 116

A security analyst is reviewing a recent vulnerability scan report for a new server infrastructure. The analyst would like to make the best use of time by resolving the most critical vulnerability first. The following information is provided:

Which of the following should the analyst concentrate remediation efforts on first?

A.

SVR01

B.

SVR02

C.

SVR03

D.

SVR04

Full Access
Question # 117

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A.

A mean time to remediate of 30 days

B.

A mean time to detect of 45 days

C.

A mean time to respond of 15 days

D.

Third-party application testing

Full Access
Question # 118

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Full Access
Question # 119

An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?

A.

DLP

B.

NAC

C.

EDR

D.

NIDS

Full Access
Question # 120

A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:

SPF = PASS

DKIM = FAIL

DMARC = FAIL

Which of the following did the analyst most likely discover?

A.

An insider threat altered email security records to mask suspicious DNS resolution traffic.

B.

The message was sent from an authorized mail server but was not signed.

C.

Log normalization corrupted the data as it was brought into the central repository.

D.

The email security software did not process all of the records correctly.

Full Access
Question # 121

A company is in the process of implementing a vulnerability management program. no-lich of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

A.

Non-credentialed scanning

B.

Passive scanning

C.

Agent-based scanning

D.

Credentialed scanning

Full Access
Question # 122

An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has:

• created the initial evidence log.

• disabled the wireless adapter on the device.

• interviewed the employee, who was unable to identify the website that was accessed

• reviewed the web proxy traffic logs.

Which of the following should the analyst do to remediate the infected device?

A.

Update the system firmware and reimage the hardware.

B.

Install an additional malware scanner that will send email alerts to the analyst.

C.

Configure the system to use a proxy server for Internet access.

D.

Delete the user profile and restore data from backup.

Full Access
Question # 123

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee ' s

personal email. Which of the following should the analyst recommend be done first?

A.

Place a legal hold on the employee ' s mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Full Access
Question # 124

During a recent site survey. an analyst discovered a rogue wireless access point on the network. Which of the following actions should be taken first to protect the network while preserving evidence?

A.

Run a packet sniffer to monitor traffic to and from the access point.

B.

Connect to the access point and examine its log files.

C.

Identify who is connected to the access point and attempt to find the attacker.

D.

Disconnect the access point from the network

Full Access
Question # 125

Which of the following explains why a company might reprioritize a vulnerability score? (Select two.)

A.

System criticality

B.

Alert volume

C.

Unexpected outage

D.

Threat intelligence

E.

Patch availability

F.

Public relations

Full Access
Question # 126

A corporation wants to implement an agent-based endpoint solution to help:

    Flag various threats

    Review vulnerability feeds

    Aggregate data

    Provide real-time metrics by using scripting languages

Which of the following tools should the corporation implement to reach this goal?

A.

DLP

B.

Heuristics

C.

SOAR

D.

NAC

Full Access
Question # 127

A security operations center analyst is reviewing a scan report and must prioritize items for remediation based on severity:

The Chief Information Security Officer requires the following:

• Encryption in transit

• Encryption at rest

• Encryption of customer data

Which of the following databases should the analyst remediate first?

A.

Databaset

B.

Database2

C.

Database3

D.

Database4

Full Access
Question # 128

During an incident, some loCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A.

Isolation

B.

Remediation

C.

Reimaging

D.

Preservation

Full Access
Question # 129

Which of the following is the most important reason a company would use APIs instead of scripts to enable communication between tools from different vendors?

A.

To reduce integration maintenance

B.

To use a tool that was built in-house

C.

To allow for more customization

D.

To secure the CI/CD pipeline

Full Access
Question # 130

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

A.

TO provide metrics and test continuity controls

B.

To verify the roles of the incident response team

C.

To provide recommendations for handling vulnerabilities

D.

To perform tests against implemented security controls

Full Access
Question # 131

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

A.

Passive network foot printing

B.

OS fingerprinting

C.

Service port identification

D.

Application versioning

Full Access
Question # 132

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user ' s workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

A.

Create a timeline of events detailinq the date stamps, user account hostname and IP information associated with the activities

B.

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

C.

Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identity the case as an HR-related investigation

D.

Notify the SOC manager for awareness after confirmation that the activity was intentional

Full Access
Question # 133

An analyst receives threat intelligence regarding potential attacks from an actor with seemingly unlimited time and resources. Which of the following best describes the threat actor attributed to the malicious activity?

A.

Insider threat

B.

Ransomware group

C.

Nation-state

D.

Organized crime

Full Access
Question # 134

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Full Access
Question # 135

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A.

DKIM

B.

SPF

C.

SMTP

D.

DMARC

Full Access
Question # 136

Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

A.

Join an information sharing and analysis center specific to the company ' s industry.

B.

Upload threat intelligence to the IPS in STIX/TAXII format.

C.

Add data enrichment for IPS in the ingestion pipleline.

D.

Review threat feeds after viewing the SIEM alert.

Full Access
Question # 137

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

A.

Information sharing organization

B.

Blogs/forums

C.

Cybersecuritv incident response team

D.

Deep/dark web

Full Access
Question # 138

Which of the following attributes is part of the Diamond Model of Intrusion Analysis?

A.

Delivery

B.

Weaponization

C.

Command and control

D.

Capability

Full Access
Question # 139

An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

A.

Configure a new SIEM specific to the management of the hosted environment.

B.

Subscribe to a threat feed related to the vendor ' s application.

C.

Use a vendor-provided API to automate pulling the logs in real time.

D.

Download and manually import the logs outside of business hours.

Full Access
Question # 140

Which Of the following techniques would be best to provide the necessary assurance for embedded software that drives centrifugal pumps at a power Plant?

A.

Containerization

B.

Manual code reviews

C.

Static and dynamic analysis

D.

Formal methods

Full Access
Question # 141

The SOC received a threat intelligence notification indicating that an employee ' s credentials were found on the dark web. The user ' s web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor

authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?

A.

Perform a forced password reset.

B.

Communicate the compromised credentials to the user.

C.

Perform an ad hoc AV scan on the user ' s laptop.

D.

Review and ensure privileges assigned to the user ' s account reflect least privilege.

E.

Lower the thresholds for SOC alerting of suspected malicious activity.

Full Access
Question # 142

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst ' s investigation?

A.

OpenVAS

B.

Angry IP Scanner

C.

Wireshark

D.

Maltego

Full Access
Question # 143

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being

used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

A.

Leave the proxy as is.

B.

Decomission the proxy.

C.

Migrate the proxy to the cloud.

D.

Patch the proxy

Full Access
Question # 144

Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?

A.

The lead should review what is documented in the incident response policy or plan

B.

Management level members of the CSIRT should make that decision

C.

The lead has the authority to decide who to communicate with at any time

D.

Subject matter experts on the team should communicate with others within the specified area of expertise

Full Access
Question # 145

Which of the following evidence collection methods is most likely to be acceptable in court cases?

A.

Copying all access files at the time of the incident

B.

Creating a file-level archive of all files

C.

Providing a full system backup inventory

D.

Providing a bit-level image of the hard drive

Full Access
Question # 146

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

Full Access