cysa+3

54 questions • 1 year ago
  • lopkeda

    Question list

  • 1

    QUESTION 200 A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

    tcpdump -n -r packets.pcap host [IP address]
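The answer's filter, `host [IP address]`, matches a packet when the address is either the source or the destination. As an added example that is not part of the original quiz, the following standard-library script reads a classic pcap file the same way and applies that rule, so you can see exactly what the filter keeps. The capture is constructed in memory and the 203.0.113.7 indicator is an assumed value.

```python
"""Offline equivalent of `tcpdump -n -r packets.pcap host <ip>`.

Added example, not part of the original quiz. It parses the classic libpcap
file format (24-byte global header, then 16-byte record headers) with the
standard library only and reports every IPv4 packet whose source OR
destination is the host of interest, which is what the BPF `host` primitive
matches. The capture below is constructed in memory so the script runs
without a real pcap; the 203.0.113.7 indicator is an assumed value.
"""
import ipaddress
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4  # microsecond-resolution classic pcap


def _ipv4_frame(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 header + payload (constructed test data, checksum left 0)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip_hdr + payload


def build_pcap(frames, endian: str = "<") -> bytes:
    """Serialize (timestamp, frame) pairs as a pcap file; linktype 1 = Ethernet."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack(endian + "IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap: bytes):
    """Yield (timestamp, frame) records, detecting the writer's byte order from the magic."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap header")
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng/nanosecond variants unsupported)")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def ipv4_endpoints(frame: bytes):
    """(src, dst) for an Ethernet/IPv4 frame, or None for anything else (ARP, IPv6, runts)."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if (frame[14] >> 4) != 4 or (frame[14] & 0x0F) < 5:
        return None
    return (str(ipaddress.IPv4Address(frame[26:30])),
            str(ipaddress.IPv4Address(frame[30:34])))


def filter_host(pcap: bytes, host: str):
    """BPF `host X` semantics: keep packets where X is the source or the destination."""
    hits = []
    for ts, frame in iter_packets(pcap):
        ends = ipv4_endpoints(frame)
        if ends is not None and host in ends:
            hits.append((ts, ends[0], ends[1]))
    return hits


SUSPICIOUS = "203.0.113.7"  # assumed indicator from the SIEM alert
SAMPLE_FRAMES = [  # constructed traffic, not a real capture
    (1700000000, _ipv4_frame("10.0.0.5", "198.51.100.20", 6, b"GET / HTTP/1.1\r\n")),
    (1700000001, _ipv4_frame("10.0.0.5", SUSPICIOUS, 6, b"\x16\x03\x01\x00\x10")),
    (1700000002, _ipv4_frame(SUSPICIOUS, "10.0.0.5", 6, b"\x16\x03\x03\x00\x10")),
    (1700000003, _ipv4_frame("10.0.0.9", "10.0.0.1", 17, b"\x12\x34\x01\x00")),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    for ts, src, dst in filter_host(SAMPLE_PCAP, SUSPICIOUS):
        print(f"{ts} IP {src} > {dst}")
```

Two practitioner notes on the real command: `-r` reads from the saved file instead of sniffing, and `-n` suppresses reverse DNS lookups, which matters during an investigation because resolving the suspicious address would send a PTR query to infrastructure the adversary may control.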

  • 2

    QUESTION 201 A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?

    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

  • 3

    QUESTION 202 A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)

    Review the headers from the forwarded email, Examine the SPF, DKIM, and DMARC fields from the original email

  • 4

    QUESTION 203 A vulnerability analyst received a list of system vulnerabilities and needs to evaluate the relevant impact of the exploits on the business. Given the constraints of the current sprint, only three can be remediated. Which of the following represents the least impactful risk, given the CVSS v3.1 base scores?

    AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L - Base Score 6.0

  • 5

    QUESTION 204 A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

    Integrate an IT service delivery ticketing system to track remediation and closure

  • 6

    QUESTION 205 Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?

    Add data enrichment for IPs in the ingestion pipeline

  • 7

    QUESTION 206 An organization was compromised, and the usernames and passwords of all employees were leaked online. Which of the following best describes the remediation that could reduce the impact of this situation?

    Multifactor authentication

  • 8

    QUESTION 207 A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

    Deploy a scanner sensor on every segment and perform credentialed scans

  • 9

    QUESTION 208 (question shown only as an image on the original page)

    Watermarking

  • 10

    QUESTION 209 A security administrator needs to import PII data records from the production environment to the test environment for testing purposes. Which of the following would best protect data confidentiality?

    Data masking
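Data masking only protects confidentiality if the substitutes are irreversible from the test side while still behaving like the real values for the code under test. As an added example that is not from the original quiz, the script below performs static masking on constructed customer records before they leave production: keyed HMAC tokens replace direct identifiers (the same customer id maps to the same token in every table, so joins still work), SSN and phone get format-preserving substitutes, names are replaced outright and dates of birth are coarsened to the year. The key, field names and records are assumptions for the example.

```python
"""Static data masking for copying PII records from production into test (question 209).

Added example, not from the original quiz; the records and key are constructed.
The masking key must exist only in production: anyone holding it could
confirm guesses against the tokens, so it never ships with the test data.
"""
import hashlib
import hmac
import itertools

MASKING_KEY = b"replace-me-with-a-production-only-secret"  # assumption: kept out of test


def token(value: str, length: int = 12) -> str:
    """Deterministic, keyed, non-reversible token for a direct identifier."""
    return hmac.new(MASKING_KEY, value.encode(), hashlib.sha256).hexdigest()[:length]


def digits_like(value: str, field: str) -> str:
    """Replace each digit with one derived from HMAC(field:value), keeping separators.

    The result has the same shape ('123-45-6789' -> 'ddd-dd-dddd') so format
    validation in the test environment still passes. Fields here are short, so
    cycling the 32-byte digest is enough (assumption)."""
    stream = hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()
    byte = itertools.cycle(stream)
    return "".join(str(next(byte) % 10) if ch.isdigit() else ch for ch in value)


def mask_record(rec: dict) -> dict:
    """Mask the PII fields of one customer record; non-PII columns pass through."""
    masked = dict(rec)
    masked["customer_id"] = "cust_" + token(rec["customer_id"])
    masked["full_name"] = "Customer " + token(rec["customer_id"], 6).upper()
    masked["email"] = f"user-{token(rec['email'], 10)}@example.invalid"  # .invalid never delivers
    masked["ssn"] = digits_like(rec["ssn"], "ssn")
    masked["phone"] = digits_like(rec["phone"], "phone")
    masked["dob"] = rec["dob"][:4] + "-01-01"  # keep birth year only
    return masked


def mask_dataset(customers, orders):
    """Mask customers and re-key dependent rows with the same token to preserve joins."""
    masked_customers = [mask_record(r) for r in customers]
    masked_orders = [dict(o, customer_id="cust_" + token(o["customer_id"])) for o in orders]
    return masked_customers, masked_orders


PROD_CUSTOMERS = [  # constructed records, not real people
    {"customer_id": "C-10001", "full_name": "Ada Example", "email": "ada@example.com",
     "ssn": "123-45-6789", "phone": "(555) 010-2233", "dob": "1984-07-19", "plan": "gold"},
    {"customer_id": "C-10002", "full_name": "Ben Sample", "email": "ben@example.org",
     "ssn": "987-65-4321", "phone": "(555) 010-9911", "dob": "1991-02-03", "plan": "basic"},
]
PROD_ORDERS = [{"order_id": 1, "customer_id": "C-10001", "total": 42.0}]

if __name__ == "__main__":
    customers, orders = mask_dataset(PROD_CUSTOMERS, PROD_ORDERS)
    for row in customers + orders:
        print(row)
```

Format-preserving substitutes can by chance coincide with a real person's number; if the test environment must never contain a valid SSN or phone, constrain the generator to a reserved range instead of accepting any digit.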

  • 11

    QUESTION 210 The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?

    The message fails a DMARC check

  • 12

    QUESTION 211 During an incident involving phishing, a security analyst needs to find the source of the malicious email. Which of the following techniques would provide the analyst with this information?

    Header analysis
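Questions 202, 210 and 211 all come down to two reads of the original message's headers: the Authentication-Results line the receiving MTA stamped (the SPF, DKIM and DMARC verdicts), and the Received chain walked from the bottom up to find where the message first entered. As an added example that is not from the original quiz, the script below does both with the standard library on a constructed message; the hosts, addresses and verdicts in it are invented. It assumes you have the original message (for example as an .eml attachment), since an inline forward carries only the forwarder's headers.

```python
"""Header analysis for a suspicious email (questions 202, 210 and 211).

Added example, not code from the original quiz. The message below is
constructed; its Authentication-Results header is in the RFC 8601 style an
inbound MTA writes after evaluating SPF, DKIM and DMARC.
"""
import email
import re
from email.utils import parseaddr

RAW_MESSAGE = """\
Received: from mx.example.com (mx.example.com [198.51.100.10])
 by mail.example.com with ESMTPS id abc123
 for <bob@example.com>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from example.com (unknown [203.0.113.5])
 by mx.example.com with ESMTP id xyz789;
 Mon, 1 Jan 2024 09:59:58 +0000
Authentication-Results: mx.example.com; spf=fail (sender IP is 203.0.113.5)
 smtp.mailfrom=example.com; dkim=none (message not signed);
 dmarc=fail (p=reject) header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: bob@example.com
Subject: Action required: password reset

Your password expires today. Open the attachment to keep access.
"""


def _unfold(value: str) -> str:
    """Collapse RFC 5322 header folding into a single line."""
    return " ".join(value.split())


def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts recorded by the receiving MTA (first occurrence wins)."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", _unfold(hdr)):
            verdicts.setdefault(method, result)
    return verdicts


def received_chain(msg) -> list:
    """Hops newest-first as (from-host, from-ip, by-host); MTAs prepend, so the
    first header is the last hop and the last header is the first hop."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = re.search(r"from (\S+) \(([^)]*)\) by (\S+)", _unfold(hdr))
        if not m:
            continue
        ip = re.search(r"\[([0-9a-fA-F.:]+)\]", m.group(2))
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3)))
    return hops


def origin_hop(msg):
    """Where the message entered: the bottom-most Received header (question 211).
    Only hops added by your own MTAs are trustworthy; anything below them can be forged."""
    chain = received_chain(msg)
    return chain[-1] if chain else None


def is_spoofed_internal(msg, org_domain: str) -> bool:
    """Question 210: From: claims our domain but the message did not pass DMARC."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    return from_domain == org_domain.lower() and auth_results(msg).get("dmarc") != "pass"


def analyze(raw: str, org_domain: str) -> dict:
    msg = email.message_from_string(raw)
    return {"auth": auth_results(msg),
            "origin": origin_hop(msg),
            "spoofed_internal": is_spoofed_internal(msg, org_domain)}


if __name__ == "__main__":
    print(analyze(RAW_MESSAGE, "example.com"))
```

The code reads the verdicts rather than recomputing them: SPF and DKIM can only be evaluated meaningfully at the MTA that received the message from the outside, and DMARC alignment is judged there too. What the analyst verifies is that the Authentication-Results header was written by their own mail gateway and not supplied by the sender.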

  • 13

    QUESTION 212 An analyst wants to ensure that users only leverage web-based software that has been pre-approved by the organization. Which of the following should be deployed?

    Allowlisting

  • 14

    QUESTION 213 During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?

    Quarantine the server.

  • 15

    QUESTION 214 An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?

    Perform a tabletop drill based on previously identified incident scenarios.

  • 16

    QUESTION 215 Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?

    Configure the servers to forward logs to a SIEM

  • 17

    QUESTION 216 Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?

    Mean time to detect

  • 18

    QUESTION 217 After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?

    Mitigate

  • 19

    QUESTION 218 A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?

    Search for other mail users who have received the same file

  • 20

    QUESTION 219 The security analyst received the monthly vulnerability report. The following findings were included in the report: - Five of the systems only required a reboot to finalize the patch application - Two of the servers are running outdated operating systems and cannot be patched. The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?

    Compensating controls

  • 21

    QUESTION 220 (question shown only as an image on the original page)

    Vulnerability B

  • 22

    QUESTION 221 An incident response analyst is taking over an investigation from another analyst. The investigation has been going on for the past few days. Which of the following steps is most important during the transition between the two analysts?

    Review the steps that the previous analyst followed.

  • 23

    QUESTION 222 (question shown only as an image on the original page)

    great.skills

  • 24

    QUESTION 223 A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

    Increasing training and awareness for all staff

  • 25

    QUESTION 224 (question shown only as an image on the original page)

    Exfiltration

  • 26

    QUESTION 225 A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

    Credentialed scan

  • 27

    QUESTION 226 An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

    False negative
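The rule in question 226 misses a nine-attempt attack because the threshold is a hard cut-off; question 257 asks about the same knob from the other direction, since lowering it too far drowns analysts in alerts. As an added example that is not part of the original quiz, the detector below runs the rule over constructed failed-login lines with a sliding window per source (fixed one-minute buckets would also miss a burst that straddles a minute boundary), reproduces the false negative, and shows how the same traffic is caught when the threshold or window is tuned. The log format is an assumed sshd-style line.

```python
"""Threshold rule for failed logins over constructed log lines (questions 226 and 257).

Added example, not part of the original quiz; log lines are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines):
    """Yield (timestamp, src_ip, user) for failed-login lines; ignore everything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("user")


def detect(lines, threshold=10, window=timedelta(minutes=1)):
    """Alert once per source when `threshold` failures fall inside a sliding `window`.

    Returns [(alert_time, src_ip, failures_in_window)]. The deque holds the
    timestamps of recent failures for each source; entries older than the
    window are dropped before the count is compared with the threshold.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, src, _user in sorted(parse_failures(lines)):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((ts, src, len(q)))
            alerted.add(src)
    return alerts


def _burst(src, start, n, step_seconds):
    """n failures from one source, step_seconds apart (constructed data)."""
    return [
        f"{(start + timedelta(seconds=i * step_seconds)).isoformat()} sshd[2211]: "
        f"Failed password for invalid user admin from {src} port 5{i:04d} ssh2"
        for i in range(n)
    ]


T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_LOG = (
    _burst("203.0.113.9", T0, 9, 5)                            # nine in 40 s: under the rule
    + _burst("198.51.100.23", T0 + timedelta(minutes=5), 12, 15)  # twelve spread over ~3 min
    + [f"{(T0 + timedelta(minutes=2)).isoformat()} sshd[2300]: "
       f"Failed password for alice from 10.0.0.8 port 50123 ssh2"]  # one typo, benign
)

if __name__ == "__main__":
    print("as deployed (10 per minute):", detect(SAMPLE_LOG))
    print("threshold 9:", detect(SAMPLE_LOG, threshold=9))
    print("10 per 5 minutes:", detect(SAMPLE_LOG, window=timedelta(minutes=5)))
    print("5 per minute:", detect(SAMPLE_LOG, threshold=5))
```

With the deployed rule nothing fires: the first source stops at nine, and the slow source never has more than five failures in any one minute. Widening the window to five minutes catches the slow attacker without touching the benign single failure; that trade-off between window, threshold and noise is the tuning question 257 points at.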

  • 28

    QUESTION 227 A cybersecurity analyst is tasked with scanning a web application to understand where the scan will go and whether there are URIs that should be denied access prior to more in-depth scanning. Which of the following best fits the type of scanning activity requested?

    Discovery scan

  • 29

    QUESTION 228 Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

    SLA

  • 30

    QUESTION 229 Which of the following risk management principles is accomplished by purchasing cyber insurance?

    Transfer

  • 31

    QUESTION 230 A recent audit of the vulnerability management program outlined the finding for increased awareness of secure coding practices. Which of the following would be best to address the finding?

    Establish quarterly SDLC training on the top vulnerabilities for developers

  • 32

    QUESTION 231 An organization has deployed a cloud-based storage system for shared data that is in phase two of the data life cycle. Which of the following controls should the security team ensure are addressed? (Choose two.)

    Encryption, Access controls

  • 33

    QUESTION 232 An analyst is conducting routine vulnerability assessments on the company infrastructure. When performing these scans, a business-critical server crashes, and the cause is traced back to the vulnerability scanner. Which of the following is the cause of this issue?

    The scanner is running in active mode.

  • 34

    QUESTION 233 An organization's threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

    Implement controls to block execution of untrusted applications

  • 35

    QUESTION 234 (question shown only as an image on the original page)

    Group A

  • 36

    QUESTION 235 A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

    MITRE ATT&CK

  • 37

    QUESTION 236 Which of the following actions would an analyst most likely perform after an incident has been investigated?

    Root cause analysis

  • 38

    QUESTION 237 After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?

    Data exfiltration

  • 39

    QUESTION 238 (refer to the scan results image on the original page) The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?

    Redis Server

  • 40

    QUESTION 239 A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

    Identify the IP/hostname for the requests and look at the related activity

  • 41

    QUESTION 245 A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output (shown only as an image on the original page):

    host03

  • 42

    QUESTION 246 A security analyst receives an alert for suspicious activity on a company laptop. An excerpt of the log is shown below (only as an image on the original page):

    An Office document with a malicious macro was opened.

  • 43

    QUESTION 247 During an incident, a security analyst discovers a large amount of PII has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?

    Place a legal hold on the employee's mailbox.

  • 44

    QUESTION 248 An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

    Passive network footprinting

  • 45

    QUESTION 249 After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?

    The MTTR decreases by 20%.

  • 46

    QUESTION 250 A security analyst has found the following suspicious DNS traffic while analyzing a packet capture: - DNS traffic while a tunneling session is active. The mean time between queries is less than one second. - The average query length exceeds 100 characters. Which of the following attacks most likely occurred?

    DNS exfiltration
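The two indicators the question gives, queries less than a second apart and names averaging over 100 characters, are exactly the signals a detection would compute per client and per registered domain. As an added example that is not part of the original quiz, the script below does that over constructed query records and adds one more signal an analyst would normally stack on top, the Shannon entropy of the leftmost label (encoded data looks random, real hostnames do not); that third check, the thresholds, and the two-label approximation of the registered domain are assumptions of the example.

```python
"""DNS exfiltration heuristics from question 250 over constructed query records.

Added example, not part of the original quiz. Records are (seconds, client_ip, qname);
the tunnel traffic is synthetic and the registered-domain logic is deliberately naive.
"""
import math
from collections import Counter, defaultdict
from statistics import mean


def registered_domain(qname: str) -> str:
    """Last two labels. Adequate for the sample; production code should use the
    public suffix list so that e.g. 'x.co.uk' is not split wrongly (assumption)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def score_clients(records, max_gap=1.0, min_len=100, min_entropy=3.0, min_queries=5):
    """Group by (client, registered domain) and compute the question's two signals
    plus entropy. Returns {(client, domain): stats} with a 'suspicious' verdict."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        groups[(client, registered_domain(qname))].append((ts, qname))
    report = {}
    for key, items in groups.items():
        items.sort()
        times = [t for t, _ in items]
        names = [q for _, q in items]
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats = {
            "n": len(items),
            "mean_gap": mean(gaps) if gaps else float("inf"),
            "mean_len": mean(len(q) for q in names),
            "mean_entropy": mean(label_entropy(q.split(".")[0]) for q in names),
        }
        stats["suspicious"] = (
            stats["n"] >= min_queries
            and stats["mean_gap"] < max_gap
            and stats["mean_len"] > min_len
            and stats["mean_entropy"] >= min_entropy
        )
        report[key] = stats
    return report


def suspicious_pairs(records, **thresholds):
    return sorted(k for k, s in score_clients(records, **thresholds).items() if s["suspicious"])


def _encoded_chunk(i: int) -> str:
    """Synthetic stand-in for a hex-encoded data chunk: 96 chars split into 4 labels.
    Real tunnels carry base32/base64 of the stolen bytes; this is constructed."""
    hexstr = "".join(f"{(i * 7 + j * 11) % 16:x}" for j in range(96))
    return ".".join(hexstr[k:k + 24] for k in range(0, 96, 24))


SAMPLE_QUERIES = (
    [(0.2 * i, "10.0.0.42", f"{_encoded_chunk(i)}.t.example.net") for i in range(20)]
    + [(3.0, "10.0.0.7", "www.example.com"), (18.0, "10.0.0.7", "mail.example.com"),
       (40.0, "10.0.0.7", "cdn.example.com"), (61.0, "10.0.0.7", "www.example.com"),
       (95.0, "10.0.0.7", "login.example.com")]
)

if __name__ == "__main__":
    for key, stats in sorted(score_clients(SAMPLE_QUERIES).items()):
        print(key, {k: (round(v, 2) if isinstance(v, float) else v) for k, v in stats.items()})
```

Query length alone is a weak signal (CDNs and some cloud services use long names), which is why the verdict requires all three measures together and a minimum number of queries before it fires.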

  • 47

    QUESTION 251 Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

    SLA

  • 48

    QUESTION 252 (question shown only as an image on the original page)

    RCE

  • 49

    QUESTION 253 An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

    CIS Benchmarks

  • 50

    QUESTION 254 A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?

    Follow the company's incident response plan.

  • 51

    QUESTION 255 A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?

    Conduct regular code reviews using OWASP best practices.

  • 52

    QUESTION 256 (question shown only as an image on the original page)

    23, 636

  • 53

    QUESTION 257 Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?

    Threshold value

  • 54

    QUESTION 258 Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?

    CASB

