Q&A Flashcards

(33 cards)

1
Q

Which of the following is the software development process by which function, usability, and scenarios are tested against a known set of base
requirements?
A.
Security regression testing
B.
Code review
C.
User acceptance testing
D.
Stress testing

A

C.
User acceptance testing

2
Q

A security analyst discovers the following firewall log entries during an incident:

Which of the following is MOST likely occurring?
A.
Banner grabbing
B.
Port scanning
C.
Beaconing
D.
Data exfiltration

A

B.
Port scanning

3
Q

A security analyst is revising a company’s MFA policy to prohibit the use of short message service (SMS) tokens. The Chief Information Officer has
questioned this decision and asked for justification. Which of the following should the analyst provide as justification for the new policy?
A.
SMS relies on untrusted, third-party carrier networks.
B.
SMS tokens are limited to eight numerical characters.
C.
SMS is not supported on all handheld devices in use.
D.
SMS is a cleartext protocol and does not support encryption.

A

D.
SMS is a cleartext protocol and does not support encryption.

4
Q

During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap
partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the
partition?
A.
strings
B.
head
C.
fsstat
D.
dd

A

A.
strings

5
Q

A consultant is evaluating multiple threat intelligence feeds to assess potential risks for a client. Which of the following is the BEST approach for
the consultant to consider when modeling the client’s attack surface?
A.
Ask for external scans from industry peers, look at the open ports, and compare information with the client.
B.
Discuss potential tools the client can purchase to reduce the likelihood of an attack.
C.
Look at attacks against similar industry peers and assess the probability of the same attacks happening.
D.
Meet with the senior management team to determine if funding is available for recommended solutions.

A

C.
Look at attacks against similar industry peers and assess the probability of the same attacks happening.

6
Q

A development team has asked users to conduct testing to ensure an application meets the needs of the business. Which of the following types
of testing does this describe?
A.
Acceptance testing
B.
Stress testing
C.
Regression testing
D.
Penetration testing

A

A.
Acceptance testing

7
Q

An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the
following points of the Diamond Model of Intrusion Analysis does this intelligence represent?
A.
Infrastructure
B.
Capabilities
C.
Adversary
D.
Victims

A

A.
Infrastructure

8
Q

While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a
desk. The analyst sees the following on the laptop’s screen:
[*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORP\jsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7…
[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORP\progers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A…
Which of the following is the BEST action for the security analyst to take?
A.
Force all users in the domain to change their passwords at the next login.
B.
Disconnect the laptop and ask the users jsmith and progers to log out.
C.
Take the FILE-SHARE-A server offline and scan it for viruses.
D.
Initiate a scan of devices on the network to find password-cracking tools.

A

B.
Disconnect the laptop and ask the users jsmith and progers to log out.

(community vote B 56%, C 19% and A 25%)

9
Q

A Chief Executive Officer (CEO) is concerned the company will be exposed to data sovereignty issues as a result of some new privacy regulations.
To help mitigate this risk, the Chief Information Security Officer (CISO) wants to implement an appropriate technical control. Which of the
following would meet the requirement?
A.
Data masking procedures
B.
Enhanced encryption functions
C.
Regular business impact analysis functions
D.
Geographic access requirements

A

D.
Geographic access requirements

10
Q

Which of the following is a difference between SOAR and SCAP?
A.
SOAR can be executed faster and with fewer false positives than SCAP because of advanced heuristics.
B.
SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.
C.
SOAR is less expensive because process and vulnerability remediation is more automated than what SCAP does.
D.
SOAR eliminates the need for people to perform remediation, while SCAP relies heavily on security analysts.

A

B.
SOAR has a wider breadth of capability using orchestration and automation, while SCAP is more limited in scope.

11
Q

An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following
output from an Nmap scan of a web server:
Which of the following ports should be closed?
A.
21
B.
80
C.
443
D.
1433

A

D.
1433

12
Q

An organization is upgrading its network and all of its workstations. The project will occur in phases, with infrastructure upgrades each month and
workstation installs every other week. The schedule should accommodate the enterprise-wide changes, while minimizing the impact to the
network. Which of the following schedules BEST addresses these requirements?
A.
Monthly vulnerability scans, biweekly topology scans, daily host discovery scans
B.
Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans
C.
Monthly host discovery scans, biweekly vulnerability scans, monthly topology scans
D.
Monthly topology scans, biweekly host discovery scans, weekly vulnerability scans

A

B.
Monthly topology scans, biweekly host discovery scans, monthly vulnerability scans

13
Q

While reviewing incident reports from the previous night, a security analyst notices the corporate websites were defaced with political propaganda. Which of the following BEST describes this type of actor?
A. Hacktivist
B. Nation-state
C. Insider threat
D. Organized crime

A

A. Hacktivist

14
Q

A security analyst is performing a Diamond Model analysis of an incident the company had last quarter. A potential benefit of this activity is that it
can identify:
A.
detection and prevention capabilities to improve.
B.
which systems were exploited more frequently.
C.
possible evidence that is missing during forensic analysis.
D.
which analysts require more training.
E.
the time spent by analysts on each of the incidents.

A

A.
detection and prevention capabilities to improve.

15
Q

An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which
of the following attack vectors is the vulnerability MOST likely targeting?
A.
SCADA
B.
CAN bus
C.
Modbus
D.
IoT

A
16
Q

An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which
of the following attack vectors is the vulnerability MOST likely targeting?
A.
SCADA
B.
CAN bus
C.
Modbus
D.
IoT

A

B.
CAN bus
(more than likely D, see below explanation:
“Some of the most critical IoT deployments are those found on vehicles and drones. These systems have a dramatic impact on the safety
of human life and should be carefully monitored for security issues.” CySA+ Study Guide Mike Chapple, David Seidl
IoT includes CAN bus and Modbus.)

17
Q

An internally developed file-monitoring system identified the following excerpt as causing a program to crash often:
char filedata[100];
fp = fopen("access.log", "r");
strcpy(filedata, fp);
printf("%s\n", filedata);
Which of the following should a security analyst recommend to fix the issue?
A.
Open the access.log file in read/write mode.
B.
Replace the strcpy function.
C.
Perform input sanitization.
D.
Increase the size of the file data buffer.

A

A.
Open the access.log file in read/write mode.

(not confident in this answer, do your own due diligence)

18
Q

A company’s legal and accounting teams have decided it would be more cost-effective to offload the risks of data storage to a third party. The IT
management team has decided to implement a cloud model and has asked the security team for recommendations. Which of the following will
allow all data to be kept on the third-party network?
A.
VDI
B.
SaaS
C.
CASB
D.
FaaS

19
Q

A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and
sees the following:
Which of the following describes what has occurred?
A.
The host attempted to download an application from utoftor.com.
B.
The host downloaded an application from utoftor.com.
C.
The host attempted to make a secure connection to utoftor.com.
D.
The host rejected the connection from utoftor.com.

A

B.
The host downloaded an application from utoftor.com.

20
Q

A security team implemented a SIEM as part of its security-monitoring program. There is a requirement to integrate a number of sources into the
SIEM to provide better context relative to the events being processed. Which of the following BEST describes the result the security team hopes to
accomplish by adding these sources?
A.
Data enrichment
B.
Continuous integration
C.
Machine learning
D.
Workflow orchestration

A

A.
Data enrichment

21
Q

Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?
A.
Moving to a cloud-based environment
B.
Migrating to locally hosted virtual servers
C.
Implementing non-repudiation controls
D.
Encrypting local database queries

A

A.
Moving to a cloud-based environment

22
Q

A help desk technician inadvertently sent the credentials of the company’s CRM in cleartext to an employee’s personal email account. The
technician then reset the employee’s account using the appropriate process and the employee’s corporate email, and notified the security team of
the incident. According to the incident response procedure, which of the following should the security team do NEXT?
A.
Contact the CRM vendor.
B.
Prepare an incident summary report.
C.
Perform postmortem data correlation.
D.
Update the incident response plan.

A

B.
Prepare an incident summary report.

23
Q

Which of the following is MOST dangerous to the client environment during a vulnerability assessment/penetration test?
A.
There is a longer period of time to assess the environment.
B.
The testing is outside the contractual scope.
C.
There is a shorter period of time to assess the environment.
D.
No status reports are included with the assessment.

A

B.
The testing is outside the contractual scope.

24
Q

An organization is adopting IoT devices at an increasing rate and will need to account for firmware updates in its vulnerability management
programs. Despite the number of devices being deployed, the organization has only focused on software patches so far, leaving hardware-related
weaknesses open to compromise.
Which of the following best practices will help the organization to track and deploy trusted firmware updates as part of its vulnerability
management programs?
A.
Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.
B.
Apply all firmware updates as soon as they are released to mitigate the risk of compromise.
C.
Sign up for vendor emails and create firmware update change plans for affected devices.
D.
Implement an automated solution that detects when vendors release firmware updates and immediately deploy updates to production.

A

A.
Utilize threat intelligence to guide risk evaluation activities and implement critical updates after proper testing.

25
Q

A company's blocklist has outgrown the current technologies in place. The ACLs are at maximum, and the IPS signatures only allow a certain amount of space for domains to be added, creating the need for multiple signatures. Which of the following configuration changes to the existing controls would be the MOST appropriate to improve performance?
A.
Implement a host-file-based solution that will use a list of all domains to deny for all machines on the network.
B.
Create an IDS for the current blocklist to determine which domains are showing activity and may need to be removed.
C.
Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.
D.
Review the current blocklist to determine which domains can be removed from the list and then update the ACLs and IPS signatures.

A

C.
Review the current blocklist and prioritize it based on the level of threat severity. Add the domains with the highest severity to the blocklist and remove the lower-severity threats from it.

26
Q

A company is experiencing a malware attack within its network. A security engineer notices many of the impacted assets are connecting outbound to a number of remote destinations and exfiltrating data. The security engineer also sees that deployed, up-to-date antivirus signatures are ineffective. Which of the following is the BEST approach to prevent any impact to the company from similar attacks in the future?
A.
IDS signatures
B.
Data loss prevention
C.
Port security
D.
Sinkholing

A

B.
Data loss prevention

27
Q

The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year. Below is the incident register for the organization:
Which of the following should the organization consider investing in FIRST due to the potential impact of availability?
A.
Hire a managed service provider to help with vulnerability management
B.
Build a warm site in case of system outages
C.
Invest in a failover and redundant system, as necessary
D.
Hire additional staff for the IT department to assist with vulnerability management and log review

A

C.
Invest in a failover and redundant system, as necessary

28
Q

The IT department is concerned about the possibility of a guest device infecting machines on the corporate network or taking down the company's single Internet connection. Which of the following should a security analyst recommend to BEST meet the requirements outlined by the IT department?
A.
Require the guest machines to install the corporate-owned EDR solution
B.
Configure NAC to only allow machines on the network that are patched and have active antivirus
C.
Place a firewall in between the corporate network and the guest network
D.
Configure the IPS with rules that will detect common malware signatures traveling from the guest network

A

B.
Configure NAC to only allow machines on the network that are patched and have active antivirus

29
Q

Following a recent security breach, a company decides to investigate account usage to ensure privileged accounts are only being utilized during typical business hours. During the investigation, a security analyst determines an account was consistently utilized in the middle of the night. Which of the following actions should the analyst take NEXT?
A.
Disable the privileged account.
B.
Initiate the incident response plan.
C.
Report the discrepancy to human resources.
D.
Review the activity with the user.

A

B.
Initiate the incident response plan.

30
Q

Which of the following are reasons why consumer IoT devices should be avoided in an enterprise environment? (Choose two.)
A.
Message queuing telemetry transport does not support encryption.
B.
The devices may have weak or known passwords.
C.
The devices may cause a dramatic increase in wireless network traffic.
D.
The devices may utilize unsecure network protocols.
E.
Multiple devices may interfere with the functions of other IoT devices.
F.
The devices are not compatible with TLS 1.2.

A

B.
The devices may have weak or known passwords.
D.
The devices may utilize unsecure network protocols.

31
Q

In response to an audit finding, a company's Chief Information Officer (CIO) instructed the security department to increase the security posture of the vulnerability management program. Currently, the company's vulnerability management program has the following attributes:
✑ It is unauthenticated.
✑ It is at the minimum interval specified by the audit framework.
✑ It only scans well-known ports.
Which of the following would BEST increase the security posture of the vulnerability management program?
A.
Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.
B.
Expand the ports being scanned to include all ports. Keep the scan interval at its current level. Enable authentication and perform credentialed scans.
C.
Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Continue unauthenticated scanning.
D.
Continue scanning the well-known ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.

A

A.
Expand the ports being scanned to include all ports. Increase the scan interval to a number the business will accept without causing service interruption. Enable authentication and perform credentialed scans.

32
Q

A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data. Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?
A.
Implement a mobile device wiping solution for use if a device is lost or stolen.
B.
Install a DLP solution to track data flow.
C.
Install an encryption solution on all mobile devices.
D.
Train employees to report a lost or stolen laptop to the security department immediately.

33
Q

A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements?
A.
Legal counsel
B.
Chief Security Officer
C.
Human resources
D.
Law enforcement
(this is q 76, still need to add 33-75)

A

A.
Legal counsel