151-175

Question 1

A SOC operator is analyzing a log file that contains the following entries:

[06-apr-2021-18:00:06] GET /index.php/../../../../../etc/passwd
[06-apr-2021-18:01:07] GET /index.php/../../../../../etc/shadow
[06-apr-2021-18:01:26] GET /index.php/../../../../../../../../etc/passwd
[06-apr-2021-18:02:16] GET /index.php?varl=;cat /etc/passwd;&var2=7865tgydk

Which of the following explains these log entries?
A. SQL injection and improper input-handling attempts
B. Cross-site scripting and resource exhaustion attempts
C. Command injection and directory traversal attempts
D. Error handling and privilege escalation attempts

Answer 1

C. Command injection and directory traversal attempts

Question 2

A security incident has been resolved. Which of the following BEST describes the importance of the final phase of the incident response plan?

A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.
B. It returns the affected systems back into production once systems have been fully patched, data restored, and vulnerabilities addressed.
C. It identifies the incident and the scope of the breach, how it affects the production environment, and the ingress point.
D. It contains the affected systems and disconnects them from the network, preventing further spread of the attack or breach.

Answer 2

A. It examines and documents how well the team responded, discovers what caused the incident, and determines how the incident can be avoided in the future.

Question 3

HOTSPOT -
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack with its remediation.

INSTRUCTIONS -
Not all attacks and remediation actions will be used.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:

Answer 3

Botnet - enable DDOS protection
RAT - Disabl remot access service
Worm - Change default application password
Keylogger - Implement 2FA
Backdoor - Conduct Code Review

Question 4

During the onboarding process, an employee needs to create a password for an intranet account. The password must include ten characters, numbers, and letters, and two special characters. Once the password is created, the company will grant the employee access to other company-owned websites based on the intranet profile. Which of the following access management concepts is the company most likely using to safeguard intranet accounts and grant access to multiple sites based on a user’s intranet account? (Choose two.)

A. Federation
B. Identity proofing
C. Password complexity
D. Default password changes
E. Password manager
F. Open authentication

Answer 4

A. Federation
C. Password complexity

Question 5

SIMULATION -
An attack has occurred against a company.

INSTRUCTIONS -
You have been tasked to do the following:
✑ Identify the type of attack that is occurring on the network by clicking on the attacker’s tablet and reviewing the output.
✑ Identify which compensating controls a developer should implement on the assets, in order to reduce the effectiveness of future attacks by dragging them to the correct server.
All objects will be used, but not all placeholders may be filled. Objects may only be used once.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Answer 5

Word Doc

Question 6

SIMULATION -
A systems administrator needs to install a new wireless network for authenticated guest access. The wireless network should support 802.1X using the most secure encryption and protocol available.

Answer 6

Word Doc

Question 7

HOTSPOT - SIM
An incident has occurred in the production environment.

INSTRUCTIONS -
Analyze the command outputs and identify the type of compromise.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.
Hot Area:

Answer 7

Logic Bomb, Backdoor

Question 8

After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall policy for a web server. Which of the following firewall polices would be MOST secure for a web server?

A
[Source Destination Port Action]
Any Any TCP 53 Allow
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Any

B
[Source Destination Port Action]
Any Any TCP 53 Deny
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Allow

C
[Source Destination Port Action]
Any Any TCP 80 Deny
Any Any TCP 443 Allow
Any Any Any Allow

D
[Source Destination Port Action]
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Deny

Answer 8

D
[Source Destination Port Action]
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Deny

Question 9

A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional brownouts that last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the BEST solution to reduce the risk of data loss?

A. Dual supply
B. Generator
C. UPS
D. POU
E. Daily backups

Answer 9

C. UPS

Question 10

Which of the following would be the BEST way to analyze diskless malware that has infected a VDI?

A. Shut down the VDI and copy off the event logs.
B. Take a memory snapshot of the running system.
C. Use NetFlow to identify command-and-control IPs.
D. Run a full on-demand scan of the root volume.

Answer 10

B. Take a memory snapshot of the running system.

Question 11

Users are presented with a banner upon each login to a workstation. The banner mentions that users are not entitled to any reasonable expectation of privacy and access is for authorized personnel only. In order to proceed past that banner, users must click the OK button. Which of the following is this an example of?

A. AUP
B. NDA
C. SLA
D. MOU

Answer 11

A. AUP

Question 12

The Chief Information Security Officer is concerned about employees using personal email rather than company email to communicate with clients and sending sensitive business information and PII. Which of the following would be the BEST solution to install on the employees’ workstations to prevent information from leaving the company’s network?

A. HIPS
B. DLP
C. HIDS
D. EDR

Answer 12

B. DLP

Question 13

On the way into a secure building, an unknown individual strikes up a conversation with an employee. The employee scans the required badge at the door while the unknown individual holds the door open, seemingly out of courtesy, for the employee. Which of the following social engineering techniques is being utilized?

A. Shoulder surfing
B. Watering-hole attack
C. Tailgating
D. Impersonation

Answer 13

C. Tailgating

Question 14

Two hospitals merged into a single organization. The privacy officer requested a review of all records to ensure encryption was used during record storage, in compliance with regulations. During the review, the officer discovered that medical diagnosis codes and patient names were left unsecured. Which of the following types of data does this combination BEST represent?

A. Personal health information
B. Personally identifiable information
C. Tokenized data
D. Proprietary data

Answer 14

A. Personal health information

Question 15

A company discovered that terabytes of data have been exfiltrated over the past year after an employee clicked on an email link. The threat continued to evolve and remain undetected until a security analyst noticed an abnormal amount of external connections when the employee was not working. Which of the following is the MOST likely threat actor?

A. Shadow IT
B. Script kiddies
C. APT
D. Insider threat

Answer 15

C. APT

Question 16

An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed properly and is a valid wildcard. This same certificate is installed on the other company servers without issue. Which of the following is the MOST likely reason for this finding?

A. The required intermediate certificate is not loaded as part of the certificate chain.
B. The certificate is on the CRL and is no longer valid.
C. The corporate CA has expired on every server, causing the certificate to fail verification.
D. The scanner is incorrectly configured to not trust this certificate when detected on the server.

Answer 16

A. The required intermediate certificate is not loaded as part of the certificate chain.

Question 17

A company wants to improve end users’ experiences when they log in to a trusted partner website. The company does not want the users to be issued separate credentials for the partner website. Which of the following should be implemented to allow users to authenticate using their own credentials to log in to the trusted partner’s website?

A. Directory service
B. AAA server
C. Federation
D. Multifactor authentication

Answer 17

C. Federation

Question 18

A company is under investigation for possible fraud. As part of the investigation, the authorities need to review all emails and ensure data is not deleted. Which of the following should the company implement to assist in the investigation?

A. Legal hold
B. Chain of custody
C. Data loss prevention
D. Content filter

Answer 18

A. Legal hold

Question 19

A user wanted to catch up on some work over the weekend but had issues logging in to the corporate network using a VPN. On Monday, the user opened a ticket for this issue but was able to log in successfully. Which of the following BEST describes the policy that is being implemented?

A. Time-based logins
B. Geofencing
C. Network location
D. Password history

Answer 19

A. Time-based logins

Question 20

A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors?

A. Semi-authorized hackers
B. State actors
C. Script kiddies
D. Advanced persistent threats

Answer 20

B. State actors

Question 21

A company is required to continue using legacy software to support a critical service. Which of the following BEST explains a risk of this practice?

A. Default system configuration
B. Unsecure protocols
C. Lack of vendor support
D. Weak encryption

Answer 21

C. Lack of vendor support

Question 22

A security analyst has been tasked with ensuring all programs that are deployed into the enterprise have been assessed in a runtime environment. Any critical issues found in the program must be sent back to the developer for verification and remediation. Which of the following BEST describes the type of assessment taking place?

A. Input validation
B. Dynamic code analysis
C. Fuzzing
D. Manual code review

Answer 22

B. Dynamic code analysis

Question 23

Which of the following can work as an authentication method and as an alerting mechanism for unauthorized access attempts?

A. Smart card
B. Push notifications
C. Attestation service
D. HMAC-based
E. one-time password

Answer 23

B. Push notifications

Question 24

A company has a flat network in the cloud. The company needs to implement a solution to segment its production and non-production servers without migrating servers to a new network. Which of the following solutions should the company implement?

A. Intranet
B. Screened subnet
C. VLAN segmentation
D. Zero Trust

Answer 24

C. VLAN segmentation

Question 25

The president of a regional bank likes to frequently provide SOC tours to potential investors. Which of the following policies BEST reduces the risk of malicious activity occurring after a tour?

A. Password complexity
B. Acceptable use
C. Access control
D. Clean desk

Answer 25

D. Clean desk