Pg14 Flashcards
(18 cards)
A cybersecurity analyst is recommending a solution to ensure emails that contain links or attachments are tested before they reach a mail server. Which of the following will the analyst most likely recommend?
A. Sandboxing
B. MFA
C. DKIM
D. Vulnerability scan
Sandboxing
An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R
Which of the following represents the exploit code maturity of this critical vulnerability?
A. E:U
B. S:C
C. RC:R
D. AV:N
E. AC:L
E:U
A security analyst detects an email server that had been compromised in the internal network. Users have been reporting strange messages in their email inboxes and unusual network traffic. Which of the following incident response steps should be performed next?
A. Preparation
B. Validation
C. Containment
D. Eradication
Containment
When investigating a potentially compromised host, an analyst observes that the process BGInfo.exe (PID 1024), a Sysinternals tool used to create desktop backgrounds containing host details, has been running for over two days. Which of the following activities will provide the best insight into this potentially malicious process, based on the anomalous behavior?
A. Changes to system environment variables
B. SMB network traffic related to the system process
C. Recent browser history of the primary user
D. Activities taken by PID 1024
Activities taken by PID 1024
Which of the following evidence collection methods is most likely to be acceptable in court cases?
A. Copying all access files at the time of the incident
B. Creating a file-level archive of all files
C. Providing a full system backup inventory
D. Providing a bit-level image of the hard drive
Providing a bit-level image of the hard drive
A cybersecurity analyst has recovered a recently compromised server to its previous state. Which of the following should the analyst perform next?
A. Eradication
B. Isolation
C. Reporting
D. Forensic analysis
Forensic analysis
A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?
A. Bots
B. IoCs
C. TTPs
D. Signatures
TTPs
Which of the following would eliminate the need for different passwords for a variety of internal applications?
A. CASB
B. SSO
C. PAM
D. MFA
SSO
Which of the following best explains the importance of communicating with staff regarding the official public communication plan related to incidents impacting the organization?
A. To establish what information is allowed to be released by designated employees
B. To designate an external public relations firm to represent the organization
C. To ensure that all news media outlets are informed at the same time
D. To define how each employee will be contacted after an event occurs
To establish what information is allowed to be released by designated employees
Which of the following would most likely be used to update a dashboard that integrates with multiple vendor tools?
A. Webhooks
B. Extensible Markup Language
C. Threat feed combination
D. JavaScript Object Notation
Webhooks
An organization has a critical financial application hosted online that does not allow event logging to send to the corporate SIEM. Which of the following is the best option for the security analyst to configure to improve the efficiency of security operations?
A. Configure a new SIEM specific to the management of the hosted environment.
B. Subscribe to a threat feed related to the vendor’s application.
C. Use a vendor-provided API to automate pulling the logs in real time.
D. Download and manually import the logs outside of business hours.
Use a vendor-provided API to automate pulling the logs in real time.
After an incident, a security analyst needs to perform a forensic analysis to report complete information to a company stakeholder. Which of the following is most likely the goal of the forensic analysis in this case?
A. Provide a full picture of the existing risks.
B. Notify law enforcement of the incident.
C. Further contain the incident.
D. Determine root cause information.
Determine root cause information.
Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
A. To require that an incident be reported through the proper channels
B. To identify and document staff who have the authority to declare an incident
C. To allow for public disclosure of a security event impacting the organization
D. To establish the department that is responsible for responding to an incident
To require that an incident be reported through the proper channels
An organization has established a formal change management process after experiencing several critical system failures over the past year. Which of the following are key factors that the change management process will include in order to reduce the impact of system failures? (Choose two.)
A. Ensure users document the system recovery plan prior to deployment.
B. Perform a full system-level backup following the change.
C. Leverage an audit tool to identify changes that are being made.
D. Identify assets with dependencies that could be impacted by the change.
E. Require diagrams to be completed for all critical systems.
F. Ensure that all assets are properly listed in the inventory management system.
Ensure users document the system recovery plan prior to deployment.
Identify assets with dependencies that could be impacted by the change.
An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?
A. The firewall service account was locked out.
B. The firewall was using a paid feed.
C. The firewall certificate expired.
D. The firewall failed open.
The firewall certificate expired.
A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?
A. SMB share
B. API endpoint
C. SMTP notification
D. SNMP trap
API endpoint
An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?
A. Chain of custody was not maintained for the evidence drive.
B. Legal authorization was not obtained prior to seizing the evidence drive.
C. Data integrity of the imaged drive could not be verified.
D. Evidence drive imaging was performed without a write blocker.
Evidence drive imaging was performed without a write blocker.
A development team is preparing to roll out a beta version of a web application and wants to quickly test for vulnerabilities, including SQL injection, path traversal, and cross-site scripting. Which of the following tools would the security team most likely recommend to perform this test?
A. Hashcat
B. OpenVAS
C. OWASP ZAP
D. Nmap
OWASP ZAP