Chapter 3 Flashcards

(104 cards)

1
Q

A chief information security officer wants to disable a functionality on a business-critical web application that is vulnerable to RCE in order to maintain the minimum risk level with minimal increased cost. Which of the following risk treatments best describes what the CISO is looking for?

A

Mitigate

2
Q

A security analyst can review the Windows registry on endpoints to get insights into

A

System-critical configuration items

3
Q

An analyst is trying to capture anomalous traffic from a compromised host. Which of the following are the best tools for achieving the objective?

A

tcpdump, Wireshark

4
Q

A security analyst detects an email server that has been compromised in the internal network. Users have been reporting messages in their inbox and unusual network activity. Which of the following incident response steps should be performed next?

A

Containment

5
Q

Which of the following can be used to learn more about TTPs used by cyber criminals?

A

MITRE ATT&CK

6
Q

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

A

Business continuity plan

7
Q

A cybersecurity analyst is doing triage in a SIEM and notices that the timestamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the timestamps?

A

The NTP server is not configured on the host

8
Q

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A

Impact

9
Q

A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the cyber kill chain that the actor is currently operating in?

A

Exploitation

10
Q

A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below. Security Policy 1006: Vulnerability Management. The company shall use CVSS v3.1 base score metrics (exploitability and impact) to prioritize the remediation of security vulnerabilities. In situations where a choice must be made between confidentiality and availability, the company shall prioritize confidentiality of data over availability of systems and data. The company shall prioritize patching of publicly available systems and services over patching of internally available systems. According to the security policy, which of the vulnerabilities should be the highest priority to patch?

A

Name.shield, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, external system

11
Q

A company is in the middle of an incident, and customer data has been breached. Which of the following should the company contact first?

A

Legal. In the event of a data breach involving customer information, the legal team should be contacted first.

12
Q

During an incident in which a user machine was compromised, an analyst recovered a binary file that potentially causes exploitation. Which of the following techniques could be used for its analysis?

A

Static analysis

13
Q

During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

A

Quarantine the server

14
Q

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner, and the server was up to date and configured with appropriate auditing and logging. The chief information security officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

A

Clone the virtual server for forensic analysis

15
Q

A chief information security officer has requested a dashboard to share critical vulnerability management goals with the company leadership. Which of the following would be best to include in the dashboard?

A

KPI. A key performance indicator is the most appropriate element to include in the dashboard; KPIs are measurable values that help track progress toward achieving specific business or security goals.

16
Q

Given the following CVSS string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

A

The vulnerability is network-based

17
Q

When starting an investigation, which of the following must be done first?

A

Secure the scene

18
Q

A security analyst received the monthly vulnerability report. The following findings were included in the report. A: Five of the systems only required a reboot to finalize the patch application. B: Two of the servers are running outdated operating systems and cannot be patched. The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the servers being compromised?

A

Compensating controls

19
Q

A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?

A

A potential precursor to an attack

20
Q

A laptop that is company-owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?

A

XDR logs

21
Q

During an incident, some IoCs of possible ransomware contamination were found in a group of servers in a segment of the network. Which of the following steps should be taken next?

A

Isolation

22
Q

A user is flagged for consistently consuming a high volume of network bandwidth over the past week. During the investigation, the security analyst finds the following websites: gmail.com, bytes out 525984. Which of the following data flows should the analyst investigate first?

A

gmail.com

23
Q

An analyst investigated a website and produced the following output. Which of the following syntaxes did the analyst use to discover the application versions and their vulnerabilities?

A

nmap -sV -T4 -F insecure.org

24
Q

While reviewing web server logs, an analyst notices several entries with the same timestamps that all contain odd characters in the request line. Which of the following steps should be taken next?

A

Determine what attack the odd characters are indicative of

25
Q

A company runs a website that allows public posts. Recently, some users reported that when visiting the website, pop-ups appear asking the users for credentials. Which of the following most likely caused the issue?

A

XSS. Cross-site scripting allows an attacker to inject malicious scripts into web pages read by others. In this case, a pop-up asking for credentials is likely the result of a script injected into a public post, a classic sign of XSS.

26
Q

During an internal code review, software called "ACE" was discovered to have a vulnerability that allows the execution of arbitrary code. The vulnerability is in a legacy, third-party vendor resource that is used by the software. ACE is used worldwide and is central to many businesses in this industry. Developers informed the chief information security officer that removing the vulnerability will take time. Which of the following is the first action to take?

A

Develop a compensating control until the issue can be fixed permanently

27
Q

A chief financial officer receives an email from someone who is possibly impersonating the company's chief executive officer and requesting a financial operation. Which of the following should an analyst use to verify whether the email is an impersonation attempt?

A

DKIM. DomainKeys Identified Mail is an email authentication mechanism that helps verify the legitimacy of the sender by using a cryptographic signature associated with the sending domain. When enabled, DKIM adds a digital signature to outgoing emails, which recipients can use to confirm that the email has not been altered and is genuinely from the domain it claims to be from. By checking the signature, the analyst can determine whether the email is legitimately from the company or is an impersonation attempt.

28
Q

A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the display filter to ftp. The analyst can see there are several RETR requests with "226 Transfer complete" responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

A

Change the display filter to ftp-data and follow the TCP streams

29
Q

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for the task?

A

A regular expression in bash. A regular expression (regex) in bash is an ideal choice for searching and extracting patterns from log files on Linux systems. Regular expressions, which can be used with commands like grep, sed or awk to search and extract information from log files, allow the system administrator to define patterns that match specific text or events in the logs, making it easy to identify repeatable security events based on these patterns.

30
Q

The chief information security officer has outlined several requirements for a new vulnerability scanning project. It must use minimal network bandwidth, must use minimal resources, must provide accurate near-real-time updates, and must not have any stored credentials in the configuration on the scanner. Which of the following vulnerability scanning methods would be best to meet these requirements?

A

Agent

31
Q

The company security team is updating a section of the reporting policy that pertains to inappropriate use of resources, e.g. an employee who installs crypto miners on a workstation in the office. Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practice?

A

Legal department

32
Q

A vulnerability scan of a web server that is exposed to the Internet was recently completed. A security analyst is reviewing the results and vector strings. Which of the following vulnerabilities should be patched first?

A

Vulnerability one. To determine which vulnerability should be patched first, we need to assess each CVSS vector string's criticality by looking at key factors that contribute to the vulnerability's severity, such as attack vector, attack complexity, privileges required, and the impact metrics (confidentiality, integrity, and availability). Breakdown of each: vulnerability one is accessible with low complexity, no privileges required, no user interaction needed, high confidentiality impact, and low integrity and availability impact.

33
Q

An analyst is creating the final vulnerability report for one of the company's customers. The customer asks for a scanning profile with a CVSS score of seven or higher. The analyst has confirmed that there is no finding for missing database patches, even though false positives have been eliminated by manual checks. Which of the following is the most probable reason for the missing scan result?

A

The server was offline at the moment of the scan

34
Q

Which of the following attack methodology frameworks should a cybersecurity analyst use to identify similar TTPs utilized by nation-state actors?

A

MITRE ATT&CK matrix

35
Q

An organization would like to ensure its cloud infrastructure has a hardened configuration. The requirement is to create a server image that can be deployed with a template. Which of the following is the best resource to ensure a secure configuration?

A

CIS benchmarks

36
Q

Due to reports of unauthorized activity occurring on the internal network, an analyst is performing network discovery. The analyst runs a scan against the corporate network to evaluate which devices were operating in the environment. Given the output, which of the following should the analyst look at first?

A

POWP 1_aloa.lan (192.168.86.56)

37
Q

An incident response team receives an alert to start an investigation of an Internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?

A

DNS

38
Q

A security analyst needs to support an organization's legal case against a threat actor. Which of the following processes provides the best way to assist in the prosecution of the case?

A

The chain of custody

39
Q

Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

A

Threshold value

40
Q

A security analyst needs to develop a solution to protect a high-value asset from an exploit like a recent zero-day attack. Which of the following best describes the risk management strategy?

A

Mitigate

41
Q

An incident response team found IoCs on a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

A

Routing table

42
Q

A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic is not flagged for any exploit signatures. Which of the following scenarios best describes this activity?

A

An attacker is executing reconnaissance activities by mapping which ports are open and closed

43
44
Q

A chief information security officer has decided the cost of protecting an asset is greater than the cost of losing the asset. Which of the following risk management principles is the CISO following?

A

Accept

45
Q

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for the escalation?

A

Weaponization

46
Q

Which of the following choices is most likely to cause obstacles in vulnerability remediation?

A

Proprietary systems. Proprietary systems are the most likely to cause obstacles in vulnerability remediation. Proprietary systems often involve custom applications or hardware; they may not have readily available patches, or the patches may not be updated as frequently as those for widely used systems. These systems may also have unique configurations or dependencies that make applying patches more complex, and there may be limited vendor support or documentation available for remediation.

47
Q

A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to systems and data. Which of the following methods reduces access to systems while providing the most accurate vulnerability scan results?

A

Agent-based scanning

48
Q

A SIEM alert is triggered based on the execution of a suspicious one-liner on workstations in the organization. Which of the following best describes the intent of the attacker based on this line?

A

The attacker is executing the PowerShell script access token.ps1

49
Q

Which of the following best describes the external requirements that are imposed for incident management communication?

A

Compliance with regulatory requirements and framework guidelines

50
Q

A security manager needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following best protects data confidentiality?

A

Data masking

51
Q

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A

MITRE ATT&CK

52
Q

A security analyst observed the following activities in chronological order: protocol violation alerts on the external firewall, unauthorized internal scanning activity, changes in outbound network performance. Which of the following best describes the goal of the actor?

A

Data exfiltration

53
Q

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scan method that reduces network traffic. Which of the following best meets this requirement?

A

Agent-based

54
Q

An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

A

Eradication

55
Q

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered for the new hybrid environment?

A

Cloud-specific misconfigurations may not be detected by the current scanners

56
Q

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR and a ticketing system?

A

Mean time to detect

57
Q

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot, resulting in a single downtime window; however, two of the critical systems cannot be upgraded due to a vendor appliance the company does not have access to. Which of the following inhibitors to remediation do these systems and their associated vulnerabilities best represent?

A

Proprietary systems

58
Q

Which of the following would help an analyst quickly find out whether an IP address in a SIEM alert is a known malicious IP?

A

Add data enrichment for IPs in the ingestion pipeline

59
Q

A security analyst is assisting a software engineer with the development of a custom log collection and alerting tool (SIEM) for a proprietary system. The analyst is concerned that the tool will not detect known attacks and behavioral IoCs. Which of the following should be configured in order to resolve the issue?

A

Integrate with an open-source threat intelligence feed

60
Q

Which of the following best describes the action taken by an organization after the resolution of an incident that addresses issues and reflects on growth opportunities for future incidents?

A

Lessons learned

61
Q

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The emails contain a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening?

A

Social engineering attack; obfuscated links

62
Q

A security analyst needs to provide evidence of regular vulnerability scanning on the company's network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

A

OpenVAS

63
Q

During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques should provide the analyst with this information?

A

Header analysis

64
Q

Which of the following best describes the document that defines the expectation to network customers that patching will occur only between the hours of 2 AM and 4 AM?

A

SLA

65
Q

A company has the following security requirements: no public IPs, all data secured at rest, no insecure protocols. After a scan is completed, the security analyst receives reports that several configurations are putting the company at risk. Given the following cloud scanner output, which of the following should the analyst recommend be updated first to meet the security requirements and reduce risk?

A

VM_PRD_B

66
Q

A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?

A

Generate a hash value and make a backup image

67
Q

After a recent vulnerability report for a server is presented, a business must decide whether to secure the company's web-based storefront or shut it down. The developer is not able to fix the CVE vulnerability because a patch does not exist yet. Which of the following is the best option for the business?

A

Put a WAF in front of the storefront

68
Q

Executives at an organization email sensitive financial information to external business partners while negotiating valuable contracts. To ensure the legal validity of these messages, the security team recommends that a digital signature be added to the emails sent by the executives. Which of the following are the primary goals of this recommendation?

A

Integrity, authorization

69
Q

A cybersecurity analyst is setting up a security control that monitors network traffic and produces an active response to a security event. Which of the following tools is the analyst configuring?

A

IPS

70
Q

Which of the following characteristics ensures the security of an automated information system is the most effective and economical?

A

Originally designed to provide the necessary security

71
Q

A red team engineer discovered that analyzing multiple pieces of less sensitive or public information results in knowledge of a sensitive piece of confidential information. Which of the following best describes the security issue?

A

Inference. Inference occurs when an attacker deduces sensitive information by analyzing and correlating multiple pieces of less sensitive or public data. This indirect disclosure is a significant concern in security and privacy.

72
Q

A virtual web server in a server pool is infected with malware after an analyst used the Internet to research a system issue. The server was rebuilt and added back, with the website indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?

A

The digital certificate on the web server was self-signed

73
Q

During normal security monitoring activities, the following activity was discovered: cd C:\Users\Documents\HR\Employees; takeown /F *.* (Success)

A

Unauthorized privileges. takeown is a command used to take ownership of files or directories; the takeown command with the /F option specifies the file or directory to take ownership of.

74
Q

Which of the following risk management principles is accomplished by purchasing cyber insurance?

A

Transfer

75
Q

A security analyst is reviewing the findings in the latest vulnerability report for a company's application. The application accepts files for a bash script to be processed. If the file hashes match, the analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script infrastructure?

A

Replace the current MD5 with SHA-256

76
Q

A payroll department employee was the target of a phishing attack in which the attacker impersonated a department director and requested that direct deposit information be updated to a new account. After a deposit was made into the unauthorized account, which of the following is the first action the incident response team should take when they receive notification of the attack?

A

Review the actions taken by the employee in the email related to the event

77
Q

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the success of this brute-force attack?

A

Enabling user account lockout after a limited number of failed attempts

78
Q

Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

A

Determine the sophistication of the audience the report is meant for

79
Q

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does the scenario illustrate?

A

Business process interruption

80
Q

During an incident, a security analyst discovers that a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend first?

A

Place a legal hold on the employee's mailbox

81
Q

Which of the following is the most important factor to ensure accurate incident response reporting?

A

A well-defined timeline of the event

82
Q

Which of the following statements best describes the MITRE ATT&CK framework?

A

It helps identify and stop enemy activity by highlighting the areas where an attacker functions

83
Q

Which of the following best explains the importance of the implementation of a secure software development life cycle in a company with an internal development team?

A

Decreases the risk of the software usage and complies with regulatory requirements

84
Q

An employee received a phishing email that contained malware targeting the company. Which of the following is the best way for a security analyst to get more details about the malware and avoid disclosing information?

A

Use a local sandbox in a micro-segmented environment

85
Q

An analyst receives threat intelligence regarding a potential attack from an actor with seemingly unlimited time and resources. Which of the following best describes the actor attributed to the malicious activity?

A

Nation state

86
Q

A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP and other times it is only accessible through HTTPS. Which of the following most likely describes this observed activity?

A

An on-path attack is being performed by someone with internal access that forces users to port 80

87
Q

A chief information security officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align its security controls around?

A

MITRE ATT&CK

88
Q

A security analyst is identifying outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and targets domain services. The traffic is going to a geographical location with which the company has no association. Which of the following best describes this type of threat?

A

Nation-state actor

89
Q

Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployment. Which of the following best supports this approach?

A

Threat modeling

90
Q

A SOC analyst observes reconnaissance activity from an IP address. The activity follows a pattern of short bursts toward a low number of targets, and an open-source review shows that the IP has a bad reputation. The perimeter firewall logs indicate the inbound traffic was allowed; the destination hosts are high-value assets with EDR agents installed. Which of the following is the best action for the SOC to take to protect against any further activity from the source IP?

A

Create a SIEM signature to trigger on any activity from the source IP subnet detected by the web proxy or firewalls for immediate notification

91
Q

After a security assessment was done by a third-party consulting firm, the security program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort helps to achieve?

A

False positive rates drop to 20%

92
Q

An unusually high volume of failed RDP authentication attempts has been logged on a critical server. All the authentication attempts originate from the same IP address and made use of a single valid domain user account. Which of the following mitigating controls would be most effective to reduce the rate of success for this brute-force attack?

A

Configure user account lockout after a limited number of failed attempts and block inbound traffic to port 3389/TCP from untrusted remote IP addresses at the perimeter firewall

93
Q

A security analyst is reviewing a recent vulnerability scan report for new server infrastructure. The analyst would like to make the best use of time by resolving the most critical vulnerability. The following information is provided. Which of the following should the analyst concentrate remediation efforts on first?

A

SVR02

94
Q

Which of the following responsibilities does the legal team have during an incident management event?

A

Review and approve new contracts acquired as a result of the event, and advise the incident response team on matters related to regulatory reporting

95
Q

Which of the following threat modeling procedures is in the OWASP Web Security Testing Guide?

A

Decomposing the application

96
Q

A security analyst has received an incident case regarding malware spreading out of control on a customer's network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware based on its telemetry?

A

Cross-reference the signature with open-source threat intelligence

97
Q

Executives want to compare certain metrics from the most recent and last reporting periods to determine whether the metrics are increasing or decreasing. Which of the following would provide the necessary information to satisfy this request?

A

Trending analysis

98
Q

An e-commerce organization recently experienced a cyber attack. During the lessons-learned meeting, the cybersecurity manager requests that the RTO be prioritized. Which of the following is the greatest concern?

A

Availability

99
Q

After several tabletop exercises, the security team is underperforming against MTTR and MTTD. Which of the following would help to achieve improved performance?

A

Lessons learned

100
Q

Which of the following is the most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

A

APIs

101
Q

An organization was compromised, and the usernames and passwords of employees were released online. Which of the following best describes the remediation that could reduce the impact of the situation?

A

Password changes

102
Q

Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?

A

Unintentional insider threat

103
Q

An organization plans to use an advanced machine learning tool as a central collection server. The tool will perform data aggregation and analysis. Which of the following should the organization implement?

A

SIEM

104
Q

An associate manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify potential loss incurred by an issue?

A

Risk score