Chapter 1 Flashcards

(48 cards)

1
Q

A cyber security team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network. Which of the following metrics should the team lead include in the briefs?

A

Mean time to remediate

2
Q

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best reason for developing the organization's communications plans?

A

To ensure incidents are immediately reported to a regulatory agency

3
Q

Which of the following actions would an analyst most likely perform after an incident has been investigated?

A

Root cause analysis

4
Q

A system administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

A

A regular expression in bash

5
Q

Which of the following best describes the actions taken by an organization after the resolution of an incident that address issues and reflect on growth opportunities for future incidents?

A

Lessons learned

6
Q

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing the staff?

A

SOAR

7
Q

An organization discovered a data breach that resulted in PII being released to the public. During the lessons learned review, discrepancies were identified regarding who was responsible for external reporting as well as the timing requirements. Which of the following actions would best address the reporting issue?

A

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

8
Q

A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

A

Increased training and awareness for all staff

9
Q

Which of the following is a commonly used four-component framework to communicate threat actor behavior?

A

Diamond Model of Intrusion Analysis

10
Q

A security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

A

Single pane of glass

11
Q

The security team needs to demonstrate how prepared the team is in the event of a cyber attack. Which of the following would best demonstrate a real-world incident without impacting operations?

A

Gather all internal incident response party members and perform a simulation

12
Q

A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best reason for developing the organization's communications plans?

A

To ensure incidents are immediately reported to a regulatory agency

13
Q

A chief information security officer wants to lock down users' ability to change applications that are installed on their Windows systems. Which of the following is the best enterprise-level solution?

A

GPO

14
Q

A chief information security officer (CISO) is concerned that a specific threat actor, who is known to target the company's business type, may be able to breach the network and remain inside of it for an extended period of time. Which of the following techniques should be performed to meet the CISO's goals?

A

Adversary emulation

15
Q

A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A

OpenVAS

16
Q

A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?

A

OWASP ZAP

17
Q

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A

Deploying an additional layer of access controls to verify authorized individuals

18
Q

Which of the following is the best metric to use when reviewing and addressing findings that caused an incident?

A

Mean time to remediate (MTTR)

19
Q

While reviewing the web server logs, a security analyst notices the following snippet: boot.INI. Which of the following is being attempted?

A

Directory traversal attack. In this type of attack the attacker tries to navigate outside the web root directory by using sequences that attempt to move up directories. The goal is to access files that are normally restricted, such as boot.ini on Windows systems, which contains boot configuration information. This indicates an attempt to access sensitive files on the server through directory navigation.

20
Q

A security analyst needs to identify services in a small critical infrastructure network (ICS). Many components in this network are likely to break if they receive malformed or unusually large requests. Which of the following is the safest method to use when identifying service versions?

A

Use Nessus with restricted concurrent connections

21
Q

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

A

Common Vulnerabilities and Exposures (CVE). The CVE repository maintained by MITRE is a public list of known cyber security vulnerabilities.

22
Q

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on its infected hosts, including deletion of the initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

A

Registry artifacts, file system metadata

23
Q

Which of the following would best mitigate the effects of a new ransomware attack that was not properly stopped by the company antivirus?

A

Deploy sandboxing

24
Q

A cyber security analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?

A

To establish the value of data to the organization

25
Q

An organization is conducting a pilot deployment of an e-commerce application. The application source code is not available. Which of the following strategies should an analyst recommend to evaluate the security of the software?

A

Penetration testing

26
Q

An end user forwarded an email with a file attachment to the SOC for review. The SOC analyst thinks the file was specifically crafted for the target. Which of the following investigative actions would best determine if the attachment was malicious?

A

Review the attachment's behavior in a sandbox environment while running Wireshark

27
Q

Instituting a security policy that users must lock their systems when stepping away from their desks is an example of which of the following?

A

Administrative control

28
Q

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

A

GeoIP lookup

29
Q

A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters. Which of the following is the best way for the administrator to find more messages that were not reported?

A

Search email logs for a regular expression

30
Q

An analyst is designing a messaging system for a bank. The analyst wants to include a feature that allows the recipient of a message to prove to a third party that the message came from the sender. Which of the following information security goals is the analyst most likely trying to achieve?

A

Non-repudiation

31
Q

A chief information security officer (CISO) wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

A

Mitigate

32
Q

During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?

A

Place a legal hold on the employee's mailbox

33
Q

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly?

A

Hostname, CVE details

34
Q

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

A

Potential precursor to an attack

35
Q

Thousands of computers were compromised in a breach, but the vulnerability that caused the compromise was detected on only three computers during the latest vulnerability scan. An analyst conducts an after-action review to determine why the vulnerability was not detected on more computers. The analyst recreates the following configuration that was used to scan the network. Which of the following best explains the reason the vulnerability was only found on three computers?

A

Lack of dedicated concurrent threads. The configuration indicates that only one thread is used during the scan. This means that the scan is conducted sequentially, which greatly limits its efficiency in scanning a larger network. If thousands of computers need to be scanned, using only one thread results in a very slow process, and many devices may not be scanned within the allocated time. Increasing the number of concurrent threads allows for parallel scanning, which is essential for effectively covering large networks in a timely manner.

36
Q

Results of a SOC customer service evaluation indicate high levels of dissatisfaction with the inconsistent services provided after regular working hours. To address this, the SOC lead drafts a document establishing customer expectations regarding the SOC's performance and quality of services. Which of the following documents most likely fits this description?

A

Service level agreement

37
38
Q

A security analyst must assist the IT department with creating a phased plan for vulnerability patching that meets established SLAs. Which of the following vulnerability management elements will best assist with prioritizing a successful plan?

A

Risk score

39
Q

The company security team is updating a section of the reporting policy that pertains to inappropriate use of resources, e.g. an employee who installs crypto miners on workstations in the office. Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

A

Legal department

40
Q

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off the computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff member should take when they arrive?

A

Segment the entire department from the network and review each computer offline

41
Q

An analyst wants to detect outdated software packages on a server. Which of the following methodologies will achieve this objective?

A

Credentialed scanning

42
Q

An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures?

A

Ensure the users document a system recovery plan prior to deployment; identify assets with dependencies that could be impacted by the change

43
Q

A corporation wants to implement an agent-based endpoint solution to help flag various threats, view vulnerability feeds, aggregate data, and provide real-time metrics by using a scripting language. Which of the following tools should the corporation implement to reach this goal?

A

SOAR

44
Q

Which of the following phases of the cyber kill chain involves the adversary attempting to establish communication with a successfully exploited target?

A

Command and control

45
Q

A SOC analyst wants to improve the proactive detection of malicious emails before they are delivered to a destination inbox. Which of the following is the best approach the SOC analyst can recommend?

A

Validate and quarantine emails with invalid DKIM and SPF headers

46
Q

During an incident, some IoCs of possible ransomware contamination were found in a group of servers and a segment of the network. Which of the following steps should be taken next?

A

Isolation

47
Q

Which of the following choices is most likely to cause obstacles in vulnerability remediation?

A

Proprietary systems

48
Q

A system that provides the user interface for a critical server has potentially been corrupted by malware. Which of the following is the best recommendation to ensure business continuity?

A

System isolation