Exam Winter 2023 Flashcards

(167 cards)

1
Q

920.) Which of the following control types fixes a previously identified issue and mitigates a risk?
A. Detective
B. Corrective
C. Preventative
D. Finalized

A

B. Corrective

2
Q

919.) A technician enables full disk encryption on a laptop that will be taken on a business trip. Which of the following does this process BEST protect?
A. Data in transit
B. Data in processing
C. Data at rest
D. Data tokenization

A

C. Data at rest

3
Q

918.) A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these requirements? (Select TWO).
A. Full device encryption
B. Network usage rules
C. Geofencing
D. Containerization
E. Application whitelisting
F. Remote control

A

A. Full device encryption
D. Containerization

4
Q

917.) A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which of the following is the MOST effective security control to mitigate this risk?
A. Block access to application stores
B. Implement OTA updates
C. Update the BYOD policy
D. Deploy a uniform firmware

A

C. Update the BYOD policy

5
Q

916.) While investigating a recent security incident, a security analyst decides to view all network connections on a particular server. Which of the following would provide the desired information?
A. arp
B. nslookup
C. netstat
D. nmap

A

C. netstat

6
Q

915.) A Chief Information Security Officer wants to ensure the organization is validating and checking the integrity of zone transfers. Which of the following solutions should be implemented?
A. DNSSEC
B. LDAPS
C. NGFW

A

A. DNSSEC

7
Q

914.) Which of the following is the MOST effective way to detect security flaws present on third-party libraries embedded on software before it is released into production?
A. Employ different techniques for server- and client-side validations
B. Use a different version control system for third-party libraries
C. Implement a vulnerability scan to assess dependencies earlier on SDLC
D. Increase the number of penetration tests before software release

A

C. Implement a vulnerability scan to assess dependencies earlier on SDLC

8
Q

913.) Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
A. Unsecured root accounts
B. Zero-day
C. Shared tenancy
D. Insider threat

A

C. Shared tenancy

9
Q

912.) An untrusted SSL certificate was discovered during the most recent vulnerability scan. A security analyst determines the certificate is signed properly and is a valid wildcard. This same certificate is installed on other company servers without issue. Which of the following is the MOST likely reason for this finding?
A. The required intermediate certificate is not loaded as part of the certificate chain
B. The certificate is on the CRL and is no longer valid
C. The corporate CA has expired on every server, causing the certificate to fail verification
D. The scanner is incorrectly configured to not trust this certificate when detected on the server

A

A. The required intermediate certificate is not loaded as part of the certificate chain

10
Q

911.) A security analyst is receiving several alerts per user and is trying to determine if various logins are malicious. The security analyst would like to create a baseline of normal operations and reduce noise. Which of the following actions should the security analyst perform?
A. Adjust the data flow from authentication sources to the SIEM
B. Disable email alerting and review the SIEM directly
C. Adjust the sensitivity levels of the SIEM correlation engine
D. Utilize behavioral analysis to enable the SIEM's learning mode

A

C. Adjust the sensitivity levels of the SIEM correlation engine

11
Q

910.) An organization is planning to roll out a new mobile device policy and issue each employee a new laptop. These laptops would access the users’ corporate operating system remotely and allow them to use the laptops for purposes outside of their job roles. Which of the following deployment models is being utilized?
A. MDM and application management
B. BYOD and containers
C. COPE and VDI
D. CYOD and VMs

A

C. COPE and VDI

12
Q

909.) Which of the following BEST helps to demonstrate integrity during a forensic investigation?
A. Event logs
B. Encryption
C. Hashing
D. Snapshots

A

C. Hashing

13
Q

908.) A forensic analyst needs to prove that data has not been tampered with since it was collected. Which of the following methods will the analyst MOST likely use?
A. Look for tampering on the evidence collection bag
B. Encrypt the collected data using asymmetric encryption
C. Ensure proper procedures for chain of custody are being followed
D. Calculate the checksum using a hashing algorithm

A

D. Calculate the checksum using a hashing algorithm

14
Q

907.) A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful SSH login attempts against a functional user ID have been made on each one of them in a short period of time. Which of the following BEST explains this behavior?
A. Rainbow table attack
B. Password spraying
C. Logic bomb
D. Malware bot

A

B. Password spraying

15
Q

906.) An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has only been given the documentation available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?
A. Bug bounty
B. Black-box
C. Gray-box
D. White-box

A

C. Gray-box

16
Q

905.) A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage. Which of the following BEST describes these threat actors?
A. Semi-authorized hackers
B. State actors
C. Script kiddies
D. Advanced persistent threats

A

B. State actors

17
Q

904.) Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?
A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To facilitate third-party access

A

A. To avoid data leakage

18
Q

903.) After gaining access to a dual-homed multifunction device by exploiting a vulnerability in the device’s firmware, a penetration tester then gains shell access on another networked asset. This technique is an example of:
A. privilege escalation
B. footprinting
C. persistence
D. pivoting

A

A. privilege escalation

19
Q

902.) Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?
A. Chain of custody
B. Legal hold
C. Event log
D. Artifacts

A

A. Chain of custody

20
Q

901.) The Chief Information Security Officer (CISO) of a bank recently updated the incident response policy. The CISO is concerned that members of the incident response team do not understand their roles. The bank wants to test the policy but with the least amount of resources or impact. Which of the following BEST meets the requirements?
A. Warm site failover
B. Tabletop walk-through
C. Parallel path testing
D. Full outage simulation

A

B. Tabletop walk-through

21
Q

900.) Which of the following processes will eliminate data using a method that will allow the storage device to be reused after the process is complete?
A. Pulverizing
B. Overwriting
C. Shredding
D. Degaussing

A

B. Overwriting

22
Q

899.) The database administration team is requesting guidance for a secure solution that will ensure confidentiality of cardholder data at rest only in certain fields in the database schema. The requirement is to substitute a sensitive data field with a non-sensitive field that is rendered useless if a data breach occurs. Which of the following is the BEST solution to meet the requirement?
A. Tokenization
B. Masking
C. Full disk encryption
D. Mirroring

A

A. Tokenization

23
Q

898.) Which of the following can work as an authentication method and as an alerting mechanism for unauthorized access attempts?
A. Smart card
B. Push notifications
C. Attestation service
D. HMAC-based, one-time password

A

D. HMAC-based, one-time password

24
Q

897.) A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender’s email address, along with other time-consuming mitigation actions. Which of the following can be configured to streamline those tasks?
A. SOAR playbook
B. MDM policy
C. Firewall rules
D. URL filter
E. SIEM data collection

A

A. SOAR playbook

25
Q

896.) During a security incident investigation, an analyst consults the company’s SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide this information?
A. WAF logs
B. DNS logs
C. System logs
D. Application logs

A

C. System logs

26
Q

895.) Which of the following is an effective tool to stop or prevent the exfiltration of data from a network?
A. DLP
B. NIDS
C. TPM
D. FDE

A

A. DLP

27
Q

894.) Which of the following is a security best practice that ensures the integrity of aggregated log files within a SIEM?
A. Set up hashing on the source log file servers that complies with local regulatory requirements.
B. Back up the aggregated log files at least two times a day or as stated by local regulatory requirements.
C. Write protect the aggregated log files and move them to an isolated server with limited access
D. Back up the source log files and archive them for at least six years or in accordance with local regulatory requirements

A

A. Set up hashing on the source log file servers that complies with local regulatory requirements.

28
Q

893.) Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?
A. File integrity monitoring
B. Honeynets
C. Tcpreplay
D. Data loss prevention

A

A. File integrity monitoring

29
Q

892.) Which of the following secure coding techniques makes compromised code more difficult for hackers to use?
A. Obfuscation
B. Normalization
C. Execution
D. Reuse

A

A. Obfuscation

30
Q

891.) A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would BEST allow the company to meet this requirement?
A. IaaS
B. PaaS
C. MaaS
D. SaaS

A

B. PaaS

31
Q

890.) A company was recently breached. Part of the company’s new cybersecurity strategy is to centralize the logs from all security devices. Which of the following components forwards the logs to a central source?
A. Log enrichment
B. Log aggregation
C. Log parser
D. Log collector

A

D. Log collector

32
Q

889.) After a recent external audit, the compliance team provided a list of several non-compliant, in-scope hosts that were not encrypting cardholder data at rest. Which of the following compliance frameworks would address the compliance team’s GREATEST concern?
A. PCI DSS
B. GDPR
C. ISO 27001
D. NIST CSF

A

A. PCI DSS

33
Q

888.) Which of the following actions would be recommended to improve an incident response process?
A. Train the team to identify the difference between events and incidents
B. Modify access so the IT team has full access to the compromised assets
C. Contact the authorities if a cybercrime is suspected
D. Restrict communication surrounding the response to the IT team

A

A. Train the team to identify the difference between events and incidents

34
Q

887.) A Chief Security Officer is looking for a solution that can provide increased scalability and flexibility for back-end infrastructure, allowing it to be updated and modified without disruption to services. The security architect would like the solution selected to reduce the back-end server resources and has highlighted that session persistence is not important for the applications running on the back-end servers. Which of the following would BEST meet the requirements?
A. Reverse proxy
B. Automated patch management
C. Snapshots
D. NIC teaming

A

A. Reverse proxy

35
Q

886.) A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicate a directory-traversal attack has occurred. Which of the following is the analyst MOST likely seeing?
A. http://sample.url.com/