Chapter 4 Flashcards

(49 cards)

1
Q

During a security test, a security analyst found a critical application with a buffer overflow vulnerability. Which of the following would be the best way to mitigate the vulnerability at the application level?

A

Implement input validation

2
Q

During a training exercise, a security analyst must determine which vulnerabilities to prioritize. The analyst reviews the following vulnerability scan output. Which of the following issues should the analyst address first?

A

Allows anonymous read access to /etc/passwd

3
Q

During security scanning, a security analyst repeatedly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phases?

A

Use application security scanning as part of the pipeline for the CI/CD flow

4
Q

An analyst suspects that cleartext passwords are being sent over the network. Which of the following tools would best support the analyst's investigation?

A

Wireshark

5
Q

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

A

Identify any improvements or changes to the incident response plan or procedures

6
Q

Which of the following best explains the importance of communicating with staff regarding the official public communication plan for incidents impacting the organization?

A

To establish what information is allowed to be released, and by which designated employees

7
Q

A security analyst has found the following suspicious DNS traffic while analyzing a packet capture: DNS queries are sent while a session is active, the mean time between queries is less than one second, and the average query length exceeds 100 characters. Which of the following attacks most likely occurred?

A

DNS exfiltration

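The three signals on this card (queries during an active session, sub-second spacing, names over 100 characters) can be checked mechanically over a DNS query log. The following is an added example, not part of the original flashcards and not from any vendor tool. The log format ("ISO timestamp, client IP, queried name") and the sample lines are constructed for the example; the thresholds are the card's own and are parameters so they can be tuned.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log for this example (not from the original page).
# Format per line: "<ISO timestamp> <client IP> <queried name>".
# 10.0.0.5 sends hex-looking 140-character names under one parent domain less than a
# second apart (the pattern on the card); 10.0.0.9 performs ordinary lookups.
_CHUNK = "4d5a9000" * 7 + "cafe"          # 60 hex chars: fits in one 63-byte DNS label
SAMPLE_LOG = f"""\
2024-05-01T10:00:00.000 10.0.0.9 www.example.com
2024-05-01T10:00:00.100 10.0.0.5 {_CHUNK}.{_CHUNK}.tunnel.example.net
2024-05-01T10:00:00.600 10.0.0.5 {_CHUNK[::-1]}.{_CHUNK}.tunnel.example.net
2024-05-01T10:00:01.050 10.0.0.5 {_CHUNK}.{_CHUNK[::-1]}.tunnel.example.net
2024-05-01T10:00:01.400 10.0.0.5 {_CHUNK[::-1]}.{_CHUNK[::-1]}.tunnel.example.net
2024-05-01T10:00:07.000 10.0.0.9 mail.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return a list of (timestamp, client, qname); lines not matching the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3).lower()))
    return records


def parent_domain(qname, labels=3):
    """Collapse a query name to its last `labels` labels so one tunnel domain groups together."""
    return ".".join(qname.rstrip(".").split(".")[-labels:])


def average_qname_length(text):
    """Average queried-name length per client (the card's '>100 characters' signal)."""
    totals = defaultdict(lambda: [0, 0])
    for _, client, qname in parse_log(text):
        totals[client][0] += len(qname)
        totals[client][1] += 1
    return {c: t[0] / t[1] for c, t in totals.items()}


def find_dns_exfil(text, max_gap_s=1.0, min_len=100, min_burst=3):
    """Return {(client, parent_domain): burst_length} for clients that issued at least
    `min_burst` consecutive long queries (> min_len chars) less than max_gap_s apart."""
    by_key = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if len(qname) > min_len:
            by_key[(client, parent_domain(qname))].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        burst = longest = 1
        for prev, cur in zip(times, times[1:]):
            burst = burst + 1 if (cur - prev).total_seconds() < max_gap_s else 1
            longest = max(longest, burst)
        if longest >= min_burst:
            hits[key] = longest
    return hits


if __name__ == "__main__":
    print(average_qname_length(SAMPLE_LOG))
    print(find_dns_exfil(SAMPLE_LOG))
```

Grouping by parent domain matters in practice: a tunnel rotates the leading labels on every query, so counting distinct full names hides the burst, while the last two or three labels stay constant and expose it.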
8
Q

An organization needs to bring in data collected and aggregated from various endpoints. Which of the following is the best tool to deploy to help analysts gather the data?

A

EDR

9
Q

A SOC manager is establishing a reporting process to manage vulnerabilities. Which of the following would be the best solution to identify the potential loss incurred by an issue?

A

Risk score

10
Q

An analyst reviewed the following web server log entries, in which a request path built from repeated ../ sequences reaches /etc/passwd. No other attack or malicious attempts have been discovered. Which of the following most likely describes what took place?

A

Directory traversal was performed to obtain a sensitive file for further reconnaissance

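Spotting the traversal on this card in a real access log is harder than matching the literal string "../": attackers URL-encode or double-encode the dots and slashes, and a legitimate file name such as logo..png also contains two dots. The following is an added example, not from the original flashcards or any product; the Apache-style log lines and the addresses in them are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines (not from the original page).
# 203.0.113.7 tries plain, URL-encoded and double-encoded traversal sequences;
# 198.51.100.4 requests a file whose name merely contains two dots.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.7 - - [01/May/2024:10:00:02 +0000] "GET /download?file=../../../etc/passwd HTTP/1.1" 200 2891
203.0.113.7 - - [01/May/2024:10:00:03 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0
203.0.113.7 - - [01/May/2024:10:00:04 +0000] "GET /download?file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 2891
198.51.100.4 - - [01/May/2024:10:00:05 +0000] "GET /images/logo..png HTTP/1.1" 200 512
"""

# Captures: source address, method, request target, status code.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_fully(target, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e (double-encoded '.') is seen."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def is_traversal(target):
    """True if the request path or any query value contains a whole '..' path segment.
    Backslashes are normalised so Windows-style ..\\ sequences are caught as well."""
    decoded = decode_fully(target).replace("\\", "/")
    path, _, query = decoded.partition("?")
    candidates = [path] + [kv.partition("=")[2] for kv in query.split("&") if query]
    return any(".." in c.split("/") for c in candidates)


def traversal_events(log):
    """Return (source, decoded target, status) for every traversal attempt in the log.
    A status below 400 means the server answered the request and needs follow-up."""
    events = []
    for line in log.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        if is_traversal(target):
            events.append((src, decode_fully(target), int(status)))
    return events


if __name__ == "__main__":
    for src, target, status in traversal_events(SAMPLE_ACCESS_LOG):
        print(f"{src} {status} {target}")
```

The status code is kept on purpose: a 403 shows the server refused the request, while a 200 with a body size matching a real file is the case the card describes and is what turns a scan into an incident.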
11
Q

A SOC receives several alerts indicating that user accounts are connecting to the company's identity provider over non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following should the SOC use when determining malicious intent?

A

IDS

12
Q

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

A

API

13
Q

Which of the following actions would an analyst most likely perform after an incident has been investigated?

A

Root cause analysis

14
Q

A security analyst scans a host and generates the following output: an open HTTP service whose default page reads "It works!". Which of the following does the output most likely indicate?

A

The host is vulnerable to web-based exploits

15
Q

A list of IOCs released by a government entity contains the SHA-256 hash of svchost.exe, a legitimate Microsoft-signed binary. Which of the following best describes the result if security teams add this indicator to their detection signatures?

A

This indicator would fire on the majority of Windows devices

16
Q

A finance officer receives an email from someone who is possibly impersonating the company's chief executive officer and requesting a financial operation. Which of the following should the analyst use to verify whether the email is an impersonation attempt?

A

DKIM

17
Q

An organization has activated its CSIRT. A security analyst believes a single virtual server was compromised, and it was immediately isolated from the network. Which of the following should the CSIRT conduct next?

A

Take a snapshot of the compromised server and verify its integrity

18
Q

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

A

GeoIP lookup

19
Q

Which of the following best describes the key elements of a successful information security program?

A

Security policy implementation, assignment of roles and responsibilities, and information asset classification

20
Q

Based on an internal assessment, a vulnerability management team wants to proactively identify risks to the infrastructure prior to production deployments. Which of the following best supports this approach?

A

Threat modeling

21
Q

The chief information security officer is directing a new program to reduce attack surface risks and threats as part of a zero-trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

A

Reduce the number of administrator and privileged access accounts

22
Q

An IDS is triggered during after-hours operations. The indicator records an abnormal number of SYN requests being sent to port 21 from numerous external systems. A security analyst reports this information to the IR team for further investigation. Which of the following best describes this incident?

A

DDoS attack through the FTP port

23
Q

Which of the following is a benefit of the Diamond Model of Intrusion Analysis?

A

It provides analytic pivoting and identifies knowledge gaps

24
Q

A security analyst identified the following suspicious entry in host-based IDS logs. Which of the following shell scripts should the analyst use to most accurately confirm what activity is going on?

A

netstat -antp | grep 8080 >/dev/null && echo "malicious activity" || echo "ok"

25
Q

An organization's email account was compromised by a bad actor. At 8:45, recipients of the email started alerting the organization's help desk about it. At 9:10, the IRT was assembled, a call bridge was established, and the chief information security officer declared an incident. Which of the following is the length of time it took for the team to detect the threat?

A

25 minutes

26
Q

A systems administrator needs to gather security events with repeatable patterns from Linux log files. Which of the following would the administrator most likely use for the task?

A

Regular expressions and Bash

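The card's answer is regular expressions driven from a shell; the same patterns are shown here in Python so the matching logic is explicit and testable. This is an added example, not part of the original flashcards. The /var/log/auth.log excerpt is constructed (hostnames, PIDs and addresses are made up) and follows the OpenSSH and sudo message formats; the three patterns are failed password attempts per source, a success that follows failures from the same source, and sudo invocations.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt of a Linux /var/log/auth.log (not from the original page).
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
May  1 10:00:02 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May  1 10:00:03 web01 sshd[2314]: Failed password for root from 203.0.113.7 port 51024 ssh2
May  1 10:00:09 web01 sshd[2320]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2
May  1 10:00:15 web01 sshd[2325]: Failed password for root from 198.51.100.9 port 40555 ssh2
May  1 10:00:20 web01 sshd[2326]: Accepted password for root from 198.51.100.9 port 40556 ssh2
May  1 10:01:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "invalid user" is optional: OpenSSH adds it only when the account does not exist.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from " + IPV4)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from " + IPV4)
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def failed_logins_by_source(log, threshold=3):
    """Source IPs with at least `threshold` failed SSH password attempts."""
    counts = Counter()
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def suspicious_successes(log):
    """(ip, user, method) for logins accepted after earlier failures from the same IP:
    the brute-force-then-success pattern that deserves immediate review."""
    failed_from = defaultdict(int)
    hits = []
    for line in log.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_from[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failed_from[m.group(3)]:
            hits.append((m.group(3), m.group(2), m.group(1)))
    return hits


def sudo_commands(log):
    """(invoking user, target user, command) for every sudo invocation in the log."""
    return [m.groups() for m in (SUDO_RE.search(l) for l in log.splitlines()) if m]


if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE_AUTH_LOG))
    print(suspicious_successes(SAMPLE_AUTH_LOG))
    print(sudo_commands(SAMPLE_AUTH_LOG))
```

The failed-then-accepted check is the one that matters: a count of failures alone is noise on any Internet-facing host, while a success from an address that was just failing is the event to act on.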
27
Q

A virtual web server in a server pool was infected with malware after an analyst used the Internet to research a system issue. After the server was rebuilt and added back to the server pool, users reported issues with the website indicating that the site could not be trusted. Which of the following is the most likely cause of the server issue?

A

The digital certificate on the web server was self-signed

28
Q

A security analyst identifies a device on which different malware was detected multiple times, even after the system was scanned and cleaned several times. Which of the following actions would be most effective to ensure the device does not have residual malware?

A

Replace the hard drive and reimage the device

29
Q

A security analyst is reviewing the findings of the latest vulnerability report for a company's web application. The web application accepts files for a Bash script to process if the file matches a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst adjust to mitigate the vulnerability with few changes to the current script and infrastructure?

A

Replace the current MD5 with SHA-256

30
Q

A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

A

Upload the binaries to an air-gapped sandbox for analysis

31
Q

Which of the following documents should link the recovery point objectives and recovery time objectives of critical services?

A

Disaster recovery plan

32
Q

A security analyst has found a moderate-risk item in an organization's point-of-sale application. The organization is currently in a freeze window and has decided that the risk is not high enough to correct at this time. Which of the following inhibitors to remediation does the scenario illustrate?

A

Business process interruption

33
Q

A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?

A

Performing input validation before allowing submission

34
Q

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

A

Credentialed scan

35
Q

A threat hunter seeks to identify new persistence mechanisms installed in an organization's environment and collects scheduled tasks from all enterprise workstations. The following host details are aggregated. Which of the following should the hunter perform first, based on the details above?

A

Collect a copy of taskhw.exe from an impacted host

36
Q

An attacker has just gained access to the syslog server on a LAN. Reviewing the log entries has allowed the attacker to prioritize possible targets. Which of the following is this an example of?

A

Passive network footprinting

37
Q

An analyst is remediating a vulnerability associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

A

Eradication

38
Q

Following a recent security incident, the chief information security officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

A

Mean time to detect

39
Q

Which of the following attack methodology frameworks should a cybersecurity analyst use to identify similar TTPs utilized by nation-state actors?

A

MITRE ATT&CK matrix

40
Q

An incident response team found IOCs on a critical server. The team needs to isolate the server and collect technical evidence for further investigation. Which of the following pieces of data should be collected first to preserve sensitive information before isolating the server?

A

Routing table

41
Q

The security team is concerned about a recent DoS attack against the company website. Which of the following controls would best mitigate the attacks?

A

Roll out a CDN

42
Q

An incident response team receives an alert to start an investigation of an Internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following should the team review first?

A

DNS

43
Q

A security analyst is trying to identify possible network addresses from different source networks that belong to the same company and region. Which of the following shell script functions would help the analyst achieve the goal?

A

A function that queries each address with dig and greps the answer returned by origin.asn.cymru.com (the Team Cymru service that maps an IP address to its originating AS)

44
Q

A newly hired security manager in a SOC wants to improve efficiency by automating routine tasks. Which of the following SOC tasks is most suitable for automation?

A

Generating incident reports and notifying the appropriate stakeholders

45
Q

A weekly WAF report shows that a daily spike occurred from the same subnet, and open-source review indicates the IP addresses belong to a legitimate Internet service provider but have been flagged for DDoS and reconnaissance scanning in the past year. Which of the following actions should a SOC analyst take first in response to this traffic uptick?

A

Review the network logs to identify the context of the traffic and what action was taken

46
Q

An organization discovered a data breach that resulted in PII being released to the public. During the lessons-learned review, the team identified discrepancies regarding who is responsible for external reporting, as well as timing requirements. Which of the following actions would best address the reporting issue?

A

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

47
Q

A third-party assessment of a recent incident determined that the incident response team spent too long trying to establish the scope needed for the incident timeline, and too much time was spent searching through false positives. Which of the following should the team work on first?

A

Detection tuning

48
Q

A security analyst reviews the latest vulnerability scan and observes that several vulnerabilities have similar CVSS v3 scores but different base-score metrics. Which of the following attack vectors should the analyst remediate first?

A

AV:N (network)

49
Q

To minimize the impact of security incidents, a cybersecurity analyst has configured audit settings for the organization's cloud services. Which of the following security controls has the analyst configured?

A

Detective