Pg21 Flashcards

(17 cards)

1
Q

Which of the following best describe the external requirements that are imposed for incident management communication? (Choose two).

A. Law enforcement involvement
B. Compliance with regulatory requirements
C. Transparency to stockholders
D. Defined SLAs regarding services
E. Industry advocacy group participation
F. Framework guidelines

A

Compliance with regulatory requirements
Framework guidelines

2
Q

A security analyst observes a high volume of SYN flags from an unexpected source toward a web application server within one hour. The traffic does not match any exploit signatures.

Which of the following scenarios best describes this activity?

A. A legitimate connection is continuously attempting to establish a connection with a downed web server.
B. A script kiddie is attempting to execute a DDoS through a ping flood attack.
C. An attacker is executing reconnaissance activities by mapping which ports are open and closed.
D. A web exploit attempt is likely occurring and the security analyst is not seeing it.

A

An attacker is executing reconnaissance activities by mapping which ports are open and closed.

3
Q

Which of the following features is a key component of Zero Trust architecture?

A. Single strong source of user identity
B. Implementation of IT governance
C. Business continuity plan
D. Quality assurance
E. Internal auditing process

A

Single strong source of user identity

4
Q

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?

A. Choose a vendor to utilize for the disaster recovery location.
B. Establish prioritization of continuity from data and business owners.
C. Negotiate vendor agreements to support disaster recovery capabilities.
D. Advise the leadership team that a geographical area for recovery must be defined.

A

Establish prioritization of continuity from data and business owners.

5
Q

A junior security analyst opened ports on the company’s firewall, and the company experienced a data breach. Which of the following most likely caused the data breach?

A. Environmental hacktivist
B. Accidental insider threat
C. Nation-state
D. Organized crime group

A

Accidental insider threat

6
Q

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

A. OpenID
B. SDN
C. ZTNA
D. SWG

A

OpenID

7
Q

An analyst produces a weekly endpoint status report for the management team. The report includes specific details for each endpoint in relation to organizational baselines. Which of the following best describes the report type?

A. Forensics
B. Mitigation
C. Vulnerability
D. Compliance

A

Compliance

8
Q

A user is suspected of violating policy by logging in to a Linux VM during non-business hours. Which of the following system files is the best way to track the user’s activities?

A. /var/log/secure
B. /etc/motd
C. /var/log/messages
D. /etc/passwd

A

/var/log/secure

9
Q

A user’s computer is performing slower than the day before, and unexpected windows continually open and close. The user did not install any new programs, and after the user restarted the desktop, the issue was not resolved. Which of the following incident response actions should be taken next?

A. Restart in safe mode and start a virus scan.
B. Disconnect from the network and leave the PC turned on.
C. Contain the device and implement a legal hold.
D. Reformat and reimage the OS.

A

Disconnect from the network and leave the PC turned on.

10
Q

Which of the following risk management decisions should be considered after evaluating all other options?

A. Transfer
B. Acceptance
C. Mitigation
D. Avoidance

A

Acceptance

11
Q

A security analyst finds an application that cannot enforce the organization’s password policy. An exception is granted. As a compensating control, all users must confirm that their passwords comply with the organization’s policy. Which of the following types of compensating controls is the organization using?

A. Corrective
B. Managerial
C. Technical
D. Detective

A

Managerial

12
Q

A company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:

SELECT * From user_data WHERE Username = 0 and userid= 1 or 1=1;--

Which of the following controls would be best to implement?

A. Deploy a wireless application protocol.
B. Remove the end-of-life component.
C. Implement proper access control.
D. Validate user input.

A

Validate user input.

13
Q

A security analyst provides the management team with an after-action report for a security incident. Which of the following is the management team most likely to review in order to correct validated issues with the incident response processes?

A. Tabletop exercise
B. Lessons learned
C. Root cause analysis
D. Forensic analysis

A

Lessons learned

14
Q

An organization performs software assurance activities and reviews some web framework code that uses exploitable jQuery modules. Which of the following tools or techniques should the organization use to help identify these issues?

A. Security Content Automation Protocol
B. Application fuzzing
C. Common weakness enumeration
D. Static analysis

A

Static analysis

15
Q

An organization has implemented code into a production environment. During a routine test, a penetration tester found that some of the code had a backdoor implemented causing a developer to make changes outside of the change management windows. Which of the following is the best way to prevent this issue?

A. SDLC training
B. Dynamic analysis
C. Debugging
D. Source code review

A

Source code review

16
Q

An analyst reviews the following web server log entries:

%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd

No attacks or malicious attempts have been discovered. Which of the following most likely describes what took place?

A. A SQL injection query took place to gather information from a sensitive file.
B. A PHP injection was leveraged to ensure that the sensitive file could be accessed.
C. Base64 was used to prevent the IPS from detecting the fully encoded string.
D. Directory traversal was performed to obtain a sensitive file for further reconnaissance.

A

Directory traversal was performed to obtain a sensitive file for further reconnaissance.

17
Q

An organization is preparing for a disaster recovery exercise. Which of the following actions should be implemented first?

A. Gather all internal stakeholders and review the actions according to the defined incident playbook.
B. Coordinate the supporting staff for the recovery process to ensure availability at the recovery site.
C. Ensure that the vendor for the disaster recovery site is scheduled to support the recovery.
D. Identify a business-critical system and test by failing over to the disaster recovery location.

A

Gather all internal stakeholders and review the actions according to the defined incident playbook.