Annoying Questions Flashcards
(23 cards)
A cybersecurity analyst noticed a significant decrease in system performance across the organization. After investigating the issue, they discovered that the IT department did not follow patch management best practices. Which of the following signs could indicate that the lack of patch management is causing the performance issues?
Unusually high memory consumption could result from unpatched software vulnerabilities causing memory leaks or exploitation, making it a sign that the lack of patch management is causing the performance issues.
An organization is reviewing its incident response plan and wants to improve its overall security posture by streamlining the authentication process for its employees during a security incident. Which of the following approaches can help achieve this goal without compromising security?
Federation allows using a single set of credentials across multiple systems to streamline the authentication process during an incident without compromising security.
A security analyst is looking to improve the company’s vulnerability scanning methods. They are considering different options that will achieve better results. What is the most effective option for the security analyst to perform vulnerability scanning across the organization’s infrastructure?
Cloud-based vulnerability scanning provides a scalable and efficient method for the security analyst to perform vulnerability scanning across the organization’s infrastructure, making it the most effective option.
A security analyst wants to create a dashboard that highlights potential problems or focuses on important activities, trends, or environmental changes. Which of the following is an example of a top 10 list to use in a dashboard?
Traffic volume by device is an example of a top 10 list that the analyst can use in a dashboard to highlight potential problems or focus on important activities, trends, or environmental changes.
A company’s online ordering system uses cookies to match users to their accounts. As a result, an attacker can easily steal browser cookies and gain access to sensitive information. What type of vulnerability does this situation describe?
Identification and authentication failures are security vulnerabilities where systems or applications fail to properly verify user identity, allowing unauthorized access. This failure can result from weak or easily guessable passwords, lack of multifactor authentication, or insufficient verification of credentials.
The Chief Information Security Officer (CISO) has informed a security analyst that an attacker has compromised a critical system. Upon investigation, the analyst determines that the attacker gained access through an unpatched vulnerability. The analyst recommends implementing compensating controls and isolating the system to prevent further damage. How can the security analyst use compensating controls in this scenario?
The analyst can use compensating controls to isolate the compromised system and prevent the attacker from exploiting the unpatched vulnerability again.
A desk resurfacing company uses a default username and password for their web proxy, and the login page is accessible from the Internet. An attacker can guess the default credentials and access the router. What does this situation describe?
Security misconfiguration refers to configuring a system insecurely, such as using default passwords or leaving unnecessary ports open.
A security administrator uses Maltego for an investigation and wants to identify relationships among different entities. What feature of Maltego would the administrator use?
Maltego uses transforms that automatically collect and apply intelligence data to an investigation, helping investigators quickly identify relationships among entities of many types.
A security administrator is investigating a potential security incident reported by a user. First, the administrator needs to gather information to determine the scope and severity of the incident. Which of the following “5 Ws” should the security administrator use to begin the investigation?
“Where” refers to the location where the incident occurred. This information can provide a starting point for the investigation by helping the security administrator identify the affected and compromised items, such as data, systems, or devices.
A company’s security team wants to receive real-time alerts from its Intrusion Detection System (IDS) whenever a potential threat is detected. Which solution should the team consider to achieve this goal?
Webhooks send real-time alerts by design. They are messages sent automatically from applications to other applications containing information about the event, including the time the event occurred and the associated data.
A security team is analyzing their system and network architecture to improve their security posture. In the context of a potential security incident, which aspect should the team prioritize to effectively detect and respond to various types of unauthorized access to critical systems?
Monitoring network traffic and identifying anomalies can provide insights into unauthorized access or other potential security breaches, making it a more effective method to detect and respond to critical system incidents.
A security analyst identified a critical security incident on the company’s network. The analyst believes the incident could impact the company’s systems and data confidentiality, integrity, and availability. What should be the immediate next step for the security analyst?
Incident declaration and escalation involve notifying the appropriate parties about the incident, including executive management, so they can make informed decisions about how to respond.
During a security breach, a security administrator identifies the stakeholders affected by the incident. What next step should the administrator take to ensure effective communication with the stakeholders?
Developing a communication plan based on stakeholder needs and interests is essential for effective communication. Building strong relationships with stakeholders is crucial and is achieved by providing accurate and timely information, listening to feedback, and responding to requests.
A security analyst is reviewing web vulnerability assessment output and needs to identify anomalies that indicate a possible data exfiltration attempt. Which activity would be most useful for detecting this type of behavior?
Beaconing refers to a network traffic pattern involving periodic communication between an infected system and an attacker’s command and control server. This pattern can indicate data exfiltration attempts, as the compromised system might send sensitive data to the attacker regularly.
A toy unicorn production conglomerate has notified an employee of termination, effective next week. The furious employee sends a barrage of user-level queries to the company’s vulnerable database application, which services a publicly accessible web application server. The queries did not disclose any information, but the employee succeeded in making the database corrupt its data store and rendered the business application non-functional. What kind of vulnerability is the angry employee exploiting?
Software and data integrity failures refer to the compromise of software or data integrity, such as through malware or hacking. A database server experiencing data corruption is having a data integrity failure.
A security auditor reviews the compliance reports of an organization to evaluate their adherence to regulations and standards. What information can typically be in this type of report?
Compliance reports often include employee training records as evidence of compliance with regulations and standards.
A cybersecurity analyst reviews the output of a web vulnerability assessment. The analyst notices some irregularities in the system and needs to determine the cause. Which of the following indicators should they focus on?
Identifying abnormal process behavior, such as unexpected resource consumption or unauthorized network connections, can help the analyst detect potential security issues stemming from web vulnerabilities.
A record label’s web application allows aspiring artists to schedule appointments with the producer. The application runs on outdated software and represents a security risk, but the software is also critical for the label to discover new talent. Therefore, the record label company requests that the software vendor address the security risks while instructing internal IT personnel to limit the software’s access to its internal network. What kind of risk response does this represent?
Risk mitigation describes reducing exposure to risk items by implementing mitigating controls to ensure that technical business operations remain safe.
A security analyst discovered that an attacker used a spear-phishing email containing a malicious attachment. Which phase of the cyber kill chain does this action represent?
The attacker used a spear-phishing email to deliver the exploit during the delivery phase to gain access to the system.
A cyber security team is looking for a way to improve their threat intelligence usage. They have subscribed to several threat feeds, but they want to get a comprehensive view of the threats facing their organization. What technology can they use to accomplish this?
Threat feed combination aggregates threat intelligence from multiple sources to gain a more comprehensive view of the threat landscape.
A privately owned mid-size municipal solid waste landfill has experienced a severe data breach, and the IT security team is working to prevent future breaches. As the team analyzes traffic, they discover that the attacker was able to gain access through a previously unknown and publicly accessible entry point. The team decides to map out all of the devices, both public and private, on the landfill’s infrastructure. What form of discovery does this represent?
Network discovery is the process of identifying and mapping all devices connected to a network, including IP addresses and device types. Since the company is mapping both the internal and external networks, they are performing network discovery tasks.
A cybersecurity analyst who works for a large corporation has been analyzing a recent cyber attack that targeted his company’s network. The analyst is using both the Cyber Kill Chain and Open Source Security Testing Methodology Manual (OSSTMM) frameworks to analyze the attack. What is the main difference between the Cyber Kill Chain and OSSTMM frameworks in incident response and management?
The Cyber Kill Chain framework primarily identifies and analyzes the various stages of a cyber attack, whereas the OSSTMM framework evaluates the maturity level of an organization’s security practices.
A security analyst working for a large financial institution became concerned about a security incident that could compromise sensitive customer information. As part of the incident response process, their team conducted a tabletop exercise to identify areas for improvement in the incident response plan. What is the purpose of reviewing lessons learned after a security incident?
When organizations review the lessons learned after a security incident, they can identify areas for improvement in the incident response plan.