Pg10 Flashcards
(17 cards)
Topic 1
While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?
A. If appropriate logging levels are set
B. NTP configuration on each system
C. Behavioral correlation settings
D. Data normalization rules
NTP configuration on each system
During a scan of a web server in the perimeter network, a vulnerability was identified that could be exploited over port 3389. The web server is protected by a WAF. Which of the following best represents the change to overall risk associated with this vulnerability?
A. The risk would not change because network firewalls are in use
B. The risk would decrease because RDP is blocked by the firewall
C. The risk would decrease because a web application firewall is in place
D. The risk would increase because the host is external facing
The risk would increase because the host is external facing
Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Choose two.)
A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS
Debugging the code
Reviewing the code
A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls and two-factor authentication. Which of the following does this most likely describe?
A. System hardening
B. Hybrid network architecture
C. Continuous authorization
D. Secure access service edge
System hardening
A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?
A. Offline storage
B. Evidence collection
C. Integrity validation
D. Legal hold
Integrity validation
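Added example, not part of the flashcard deck: one way to implement integrity validation for collected evidence. It hashes each file, records the hashes in a manifest protected by a keyed MAC, and re-verifies later so that a change to either the data or the manifest is detected. File names, contents and the key are constructed; the HMAC stands in for the digital signature or timestamping service a real evidence workflow would use so that a third party can verify it.

```python
"""Hash collected evidence, record the hashes in a keyed manifest, and
re-verify later so that any change to the data or the manifest is detected.

Added example, not part of the original flashcards. File names, contents
and the signing key are constructed; an HMAC is used for the manifest
here for self-containment, where a real evidence workflow would use a
digital signature or a timestamping service.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so that multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def _canonical(body):
    # Stable serialisation so the MAC covers exactly what was recorded.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, signing_key, collected_by):
    body = {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collected_by": collected_by,
        "files": {
            os.path.basename(p): {"sha256": sha256_file(p), "bytes": os.path.getsize(p)}
            for p in paths
        },
    }
    mac = hmac.new(signing_key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac_sha256": mac}


def verify_manifest(manifest, paths, signing_key):
    """Check the manifest itself first, then every listed file."""
    expected = hmac.new(signing_key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac_sha256"]):
        return {"manifest_tampered": True, "mismatched": [], "missing": []}
    files = manifest["body"]["files"]
    present = {os.path.basename(p): p for p in paths}
    mismatched = [name for name, p in present.items()
                  if name in files and sha256_file(p) != files[name]["sha256"]]
    missing = sorted(set(files) - set(present))
    return {"manifest_tampered": False, "mismatched": mismatched, "missing": missing}


def demo():
    """Collect, verify, alter the evidence, then alter the manifest; return the three verdicts."""
    key = b"constructed-demo-key-not-for-real-use"  # constructed key
    with tempfile.TemporaryDirectory() as d:
        dump = os.path.join(d, "memory.dmp")
        with open(dump, "wb") as f:
            f.write(b"constructed evidence bytes\n" * 1000)  # constructed content
        manifest = build_manifest([dump], key, collected_by="analyst01")
        clean = verify_manifest(manifest, [dump], key)

        with open(dump, "ab") as f:  # evidence altered after collection
            f.write(b"x")
        altered = verify_manifest(manifest, [dump], key)

        # Cover-up attempt: rewrite the recorded hash to match the altered file.
        manifest["body"]["files"]["memory.dmp"]["sha256"] = sha256_file(dump)
        forged = verify_manifest(manifest, [dump], key)
    return clean, altered, forged


if __name__ == "__main__":
    print(demo())
```

The manifest is checked before the files: if the manifest has been edited, individual file results cannot be trusted anyway. Keep the key (or signing certificate) away from the system that stores the evidence, otherwise whoever can alter the data can also re-sign the manifest.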
A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?
A. The NTP server is not configured on the host
B. The cybersecurity analyst is looking at the wrong information
C. The firewall is using UTC time
D. The host with the logs is offline
The NTP server is not configured on the host
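Added example, not part of the flashcard deck, covering both this card and the earlier SIEM-correlation card: a check that measures the clock offset between a firewall and a host from events both of them logged, flags it when it exceeds a correlation tolerance, and shifts host timestamps onto the firewall's clock for triage. Both log formats, the host and firewall names, and all log lines are constructed, and the pairing of events on the ephemeral source port is an assumption.

```python
"""Detect clock skew between two log sources before correlating them.

Added example, not part of the original flashcards. It assumes the
firewall and the host both record the same connections (matched on the
ephemeral source port), so the difference between their timestamps is the
host's clock offset. Both log formats and all log lines are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs. The firewall stamps in UTC with an explicit
# offset; the host stamps local time with no zone, and its clock (no NTP)
# is 43 minutes behind.
FIREWALL_LOG = """\
2024-03-01T10:15:07+00:00 fw01 ACCEPT src=10.0.5.23:51234 dst=203.0.113.9:443
2024-03-01T10:15:09+00:00 fw01 ACCEPT src=10.0.5.23:51235 dst=203.0.113.9:443
2024-03-01T10:15:30+00:00 fw01 ACCEPT src=10.0.5.23:51240 dst=203.0.113.9:443
"""
HOST_LOG = """\
2024-03-01 09:32:07 host23 conntrack: outbound sport=51234 dport=443
2024-03-01 09:32:09 host23 conntrack: outbound sport=51235 dport=443
2024-03-01 09:32:31 host23 conntrack: outbound sport=51240 dport=443
"""

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ \S+ src=\S+:(?P<sport>\d+)")
HOST_RE = re.compile(r"^(?P<ts>\S+ \S+) .*sport=(?P<sport>\d+)")


def parse_firewall(text):
    """Map source port -> timezone-aware timestamp from firewall lines."""
    events = {}
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events[m["sport"]] = datetime.fromisoformat(m["ts"])
    return events


def parse_host(text, assumed_tz=timezone.utc):
    """Map source port -> timestamp; naive host stamps are assumed to be in assumed_tz."""
    events = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            naive = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events[m["sport"]] = naive.replace(tzinfo=assumed_tz)
    return events


def clock_offset_seconds(fw_events, host_events):
    """Median of (host - firewall) over events both sources saw.

    The median tolerates a few mismatched pairs or log-write jitter better
    than the mean does.
    """
    common = fw_events.keys() & host_events.keys()
    if not common:
        raise ValueError("no common events to compare")
    diffs = sorted((host_events[k] - fw_events[k]).total_seconds() for k in common)
    return diffs[len(diffs) // 2]


def skew_report(fw_text, host_text, tolerance_s=60):
    """Return the measured offset and whether it exceeds the correlation tolerance."""
    offset = clock_offset_seconds(parse_firewall(fw_text), parse_host(host_text))
    return {
        "offset_seconds": offset,
        "offset_minutes": round(offset / 60, 1),
        "skewed": abs(offset) > tolerance_s,
    }


def correct_host_time(ts, offset_seconds):
    """Shift a host timestamp onto the firewall's clock for triage.

    This is a stopgap for logs already collected; the fix is to point the
    host at the NTP server.
    """
    return ts - timedelta(seconds=offset_seconds)


if __name__ == "__main__":
    print(skew_report(FIREWALL_LOG, HOST_LOG))
```

A large, constant offset like the 43 minutes here points at a host with no time source; an offset that drifts across the day points at a host that syncs but has a bad source. Either way, correcting timestamps at the SIEM is only a workaround while NTP is fixed on the host.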
A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
A. Scan the employee’s computer with virus and malware tools
B. Review the actions taken by the employee and the email related to the event
C. Contact human resources and recommend the termination of the employee
D. Assign security awareness training to the employee involved in the incident
Review the actions taken by the employee and the email related to the event
A security analyst has found the following suspicious DNS traffic while analyzing a packet capture:
- DNS traffic while a tunneling session is active.
- The mean time between queries is less than one second.
- The average query length exceeds 100 characters.
Which of the following attacks most likely occurred?
A. DNS exfiltration
B. DNS spoofing
C. DNS zone transfer
D. DNS poisoning
DNS exfiltration
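Added example, not part of the flashcard deck: detection logic that scores DNS query logs for the two indicators the card lists (mean inter-query time under one second, average query name over 100 characters), with label entropy as a supporting signal. The log format, the client address, the zone names and the "zone = last two labels" grouping rule are assumptions; the log lines are constructed, with hex digests standing in for encoded data chunks.

```python
"""Score DNS query logs for tunnelling indicators: sub-second query cadence
and very long query names, plus label entropy as a supporting signal.

Added example, not part of the original flashcards. Log format, hosts and
the "zone = last two labels" grouping rule are assumptions; the log lines
are constructed, with hex digests standing in for encoded data chunks.
"""
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime


def _chunk(i):
    """Deterministic 64-hex label standing in for one encoded data chunk (constructed)."""
    return hashlib.sha256(bytes([i])).hexdigest()


# Constructed sample log: "<UTC timestamp> <client> <qtype> <qname>".
DNS_LOG = "\n".join([
    f"2024-03-01T10:00:00.100Z 10.0.5.23 TXT {_chunk(1)}.{_chunk(2)}.exfil.example",
    f"2024-03-01T10:00:00.400Z 10.0.5.23 TXT {_chunk(3)}.{_chunk(4)}.exfil.example",
    f"2024-03-01T10:00:00.650Z 10.0.5.23 TXT {_chunk(5)}.{_chunk(6)}.exfil.example",
    f"2024-03-01T10:00:01.000Z 10.0.5.23 TXT {_chunk(7)}.{_chunk(8)}.exfil.example",
    "2024-03-01T10:00:03.000Z 10.0.5.23 A www.example.org",
    "2024-03-01T10:00:15.000Z 10.0.5.23 A mail.example.org",
    "2024-03-01T10:00:40.000Z 10.0.5.23 A www.example.org",
]) + "\n"


def shannon_entropy(s):
    """Bits per character; hex/base32 payload labels score well above hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S.%fZ")
        rows.append((ts, parts[1], parts[2], parts[3].rstrip(".")))
    return rows


def dns_exfil_candidates(text, max_mean_gap_s=1.0, min_avg_qname_len=100):
    """Group queries by zone and flag zones matching both thresholds."""
    by_zone = defaultdict(list)
    for ts, _src, _qtype, qname in parse_dns_log(text):
        labels = qname.split(".")
        zone = ".".join(labels[-2:])  # assumption: registrable domain = last two labels
        by_zone[zone].append((ts, qname))

    report = {}
    for zone, rows in by_zone.items():
        rows.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else math.inf
        avg_len = sum(len(q) for _, q in rows) / len(rows)
        avg_entropy = sum(shannon_entropy(q.split(".")[0]) for _, q in rows) / len(rows)
        report[zone] = {
            "queries": len(rows),
            "mean_gap_s": mean_gap,
            "avg_qname_len": avg_len,
            "avg_first_label_entropy": round(avg_entropy, 2),
            "flagged": mean_gap < max_mean_gap_s and avg_len > min_avg_qname_len,
        }
    return report


if __name__ == "__main__":
    for zone, stats in dns_exfil_candidates(DNS_LOG).items():
        print(zone, stats)
```

Grouping by zone rather than by full query name is what makes the cadence visible: every tunnelled query name is unique, so per-name counting sees nothing. On real resolver logs, CDN and anti-malware vendors also produce long, high-entropy names, so the thresholds are a triage filter, not a verdict.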
A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?
A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls
Compensating controls
An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?
A. DKIM
B. SPF
C. SMTP
D. DMARC
SPF
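Added example, not part of the flashcard deck: an SPF evaluator run against a constructed record, showing that mail from the new data center's range fails until an ip4 mechanism for it is published, and counting the lookup-causing terms that are limited to 10. DNS is replaced by a dict of constructed TXT records; the domain names and address ranges are assumptions, and only ip4, ip6, include and all are evaluated (a, mx, ptr and exists, which need further DNS lookups, are treated as non-matching here).

```python
"""Evaluate an SPF record against a sending IP and show why a new data
center's addresses fail until the record is updated.

Added example, not part of the original flashcards. DNS is replaced by a
constructed dict of TXT records; the domain names and address ranges are
assumptions. Only ip4, ip6, include and all are evaluated; a, mx, ptr and
exists (which need further DNS lookups) are treated as non-matching here.
"""
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_MECHANISMS = 10  # RFC 7208 limit on lookup-causing terms

# Constructed TXT records standing in for DNS.
TXT_RECORDS = {
    "mail.example.net": "v=spf1 ip4:198.51.100.0/24 include:_dc1.mail.example.net -all",
    "_dc1.mail.example.net": "v=spf1 ip4:203.0.113.0/26 ip6:2001:db8:1::/48 -all",
}


def _terms(record):
    return record.split()[1:]  # drop the "v=spf1" version tag


def spf_check(ip, domain, records, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for ip sending as domain."""
    if depth > MAX_DNS_MECHANISMS:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in _terms(record):
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled in this example
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIER_RESULT[qualifier]
        elif mech == "include":
            if spf_check(ip, arg, records, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif mech in ("a", "mx", "ptr", "exists"):
            continue  # assumption for this example: not resolved, so no match
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # no term matched and no "all" present


def dns_lookup_terms(domain, records, depth=0):
    """Count lookup-causing terms recursively; more than 10 makes the record permerror."""
    record = records.get(domain, "")
    count = 0
    for term in _terms(record):
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "include":
            count += 1 + dns_lookup_terms(arg, records, depth + 1)
        elif mech in ("a", "mx", "ptr", "exists"):
            count += 1
    return count


def add_ip4_range(record, cidr):
    """Return the record with an ip4 mechanism inserted ahead of the final 'all' term.

    Assumes the record ends with an 'all' term, as both constructed records do.
    """
    ipaddress.ip_network(cidr, strict=True)  # validate before publishing
    terms = record.split()
    terms.insert(len(terms) - 1, f"ip4:{cidr}")
    return " ".join(terms)


if __name__ == "__main__":
    new_dc_ip = "192.0.2.10"
    print("before:", spf_check(new_dc_ip, "mail.example.net", TXT_RECORDS))
    updated = dict(TXT_RECORDS)
    updated["mail.example.net"] = add_ip4_range(TXT_RECORDS["mail.example.net"], "192.0.2.0/24")
    print("after: ", spf_check(new_dc_ip, "mail.example.net", updated))
```

The new range must be added ahead of the terminating `-all`, since evaluation stops at the first matching term. Adding the range as another `include:` instead of `ip4:` also works but spends one of the 10 lookups; providers with many data centers run out of that budget quickly.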
A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?
A. XDR logs
B. Firewall logs
C. IDS logs
D. MFA logs
XDR logs
Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?
A. To provide metrics and test continuity controls
B. To verify the roles of the incident response team
C. To provide recommendations for handling vulnerabilities
D. To perform tests against implemented security controls
To provide metrics and test continuity controls
A security analyst has prepared a vulnerability scan that contains all of the company’s functional subnets. During the initial scan, users reported that network printers began to print pages that contained unreadable text and icons. Which of the following should the analyst do to ensure this behavior does not occur during subsequent vulnerability scans?
A. Perform non-credentialed scans
B. Ignore embedded web server ports
C. Create a tailored scan for the printer subnet
D. Increase the threshold length of the scan timeout
Create a tailored scan for the printer subnet
A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:
- Must use minimal network bandwidth
- Must use minimal host resources
- Must provide accurate, near real-time updates
- Must not have any stored credentials in configuration on the scanner
Which of the following vulnerability scanning methods should be used to best meet these requirements?
A. Internal
B. Agent
C. Active
D. Uncredentialed
Agent
An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?
A. RFI
B. LFI
C. CSRF
D. XSS
CSRF
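Added example, not part of the flashcard deck: a state-changing handler that trusts the session cookie alone, beside a hardened version that also requires a session-bound CSRF token and an allowed Origin, both exercised with a legitimate request and a forged one submitted from another tab. Requests are modelled as dicts rather than a real web framework; the origin, cookie, session and email values are constructed.

```python
"""A state-changing handler that trusts the session cookie alone, beside a
hardened version that also requires a session-bound CSRF token and an
allowed Origin, exercised with a legitimate and a cross-site request.

Added example, not part of the original flashcards. Requests are modelled
as dicts rather than a real web framework; the origin, cookie and session
values are constructed.
"""
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)        # assumption: per-deployment secret
ALLOWED_ORIGINS = {"https://app.example.com"}  # assumption: the app's own origin


def csrf_token(session_id):
    """Token bound to the session, so one harvested from another user is useless."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def session_cookie_header(session_id):
    """SameSite=Lax stops the browser attaching the cookie to cross-site POSTs."""
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def vulnerable_change_email(req, sessions):
    """Vulnerable: a cross-site form POST carries the cookie automatically, so this succeeds."""
    user = sessions.get(req["cookies"].get("sid"))
    if user is None:
        return 401, "not logged in"
    user["email"] = req["form"]["email"]
    return 200, "updated"


def hardened_change_email(req, sessions):
    sid = req["cookies"].get("sid")
    user = sessions.get(sid)
    if user is None:
        return 401, "not logged in"
    # Browsers send Origin on cross-origin POSTs; a missing Origin is rejected, not trusted.
    if req["headers"].get("Origin") not in ALLOWED_ORIGINS:
        return 403, "cross-site request rejected"
    supplied = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(sid)):
        return 403, "missing or invalid CSRF token"
    user["email"] = req["form"]["email"]
    return 200, "updated"


def simulate():
    """Run both handlers against a legitimate request and a forged one from another tab."""
    sessions = {"s3ss10n": {"user": "payroll01", "email": "payroll01@example.com"}}
    legit = {
        "headers": {"Origin": "https://app.example.com"},
        "cookies": {"sid": "s3ss10n"},
        "form": {"email": "payroll01@example.com", "csrf_token": csrf_token("s3ss10n")},
    }
    # Submitted by the victim's browser from a page on evil.example; the cookie rides along.
    forged = {
        "headers": {"Origin": "https://evil.example"},
        "cookies": {"sid": "s3ss10n"},
        "form": {"email": "attacker@evil.example"},
    }
    results = {}
    for name, handler in (("vulnerable", vulnerable_change_email),
                          ("hardened", hardened_change_email)):
        state = {k: dict(v) for k, v in sessions.items()}  # fresh copy per handler
        results[name] = {
            "legit": handler(legit, state)[0],
            "forged": handler(forged, state)[0],
            "email_after": state["s3ss10n"]["email"],
        }
    return results


if __name__ == "__main__":
    print(simulate())
```

The three defences are independent: the Origin check and the SameSite cookie stop the forged request before the handler runs, and the session-bound token catches it even when those headers are absent or misconfigured. Binding the token to the session with an HMAC avoids storing a token per form.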
Which of the following does “federation” most likely refer to within the context of identity and access management?
A. Facilitating groups of users in a similar function or profile to system access that requires elevated or conditional access
B. An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
C. Utilizing a combination of what you know, who you are, and what you have to grant authentication to a user
D. Correlating one’s identity with the attributes and associated applications the user has access to
An authentication mechanism that allows a user to utilize one set of credentials to access multiple domains
The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled. Which of the following should the organization utilize to best centralize the workload for the internal security team? (Choose two.)
A. SOAR
B. SIEM
C. MSP
D. NGFW
E. XDR
F. DLP
SOAR
SIEM