What is a limitation of cyber security risk insurance?

A. It does not cover the costs to restore stolen identities as a result of a cyber attack

B. It does not cover the costs to hire forensics experts to analyze the cyber attack

C. It does not cover the costs of damage done by third parties as a result of a cyber attack

D. It does not cover the costs to hire a public relations company to help deal with a cyber attack

Refer to the exhibit. Based on the detected vulnerabilities, what is the next recommended mitigation step?

A. Evaluate service disruption and associated risk before prioritizing patches.

B. Perform root cause analysis for all detected vulnerabilities.

C. Remediate all vulnerabilities with descending CVSS score order.

D. Temporarily shut down unnecessary services until patch deployment ends.

Refer to the exhibit. An employee is a victim of a social engineering phone call and installs remote access software to allow an `MS Support` technician to check his machine for malware. The employee becomes suspicious after the remote technician requests payment in the form of gift cards. The employee has copies of multiple, unencrypted database files, over 400 MB each, on his system and is worried that the scammer copied the files off but has no proof of it. The remote technician was connected sometime between 2:00 pm and 3:00 pm over https. What should be determined regarding data loss between the employee's laptop and the remote technician's system?

A. No database files were disclosed

B. The database files were disclosed

C. The database files integrity was violated

D. The database files were intentionally corrupted, and encryption is possible

A security engineer discovers that a spreadsheet containing confidential information for nine of their employees was fraudulently posted on a competitor's website.
The spreadsheet contains names, salaries, and social security numbers. What is the next step the engineer should take in this investigation?

A. Determine if there is internal knowledge of this incident.

B. Check incoming and outgoing communications to identify spoofed emails.

C. Disconnect the network from Internet access to stop the phishing threats and regain control.

D. Engage the legal department to explore action against the competitor that posted the spreadsheet.

A security analyst receives an escalation regarding an unidentified connection on the Accounting A1 server within a monitored zone. The analyst pulls the logs and discovers that a Powershell process and a WMI tool process were started on the server after the connection was established and that a PE format file was created in the system directory. What is the next step the analyst should take?

A. Isolate the server and perform forensic analysis of the file to determine the type and vector of a possible attack

B. Identify the server owner through the CMDB and contact the owner to determine if these were planned and identifiable activities

C. Review the server backup and identify server content and data criticality to assess the intrusion risk

D. Perform behavioral analysis of the processes on an isolated workstation and perform cleaning procedures if the file is malicious

An organization had an incident with the network availability during which devices unexpectedly malfunctioned. An engineer is investigating the incident and found that the memory pool buffer usage reached a peak before the malfunction. Which action should the engineer take to prevent this issue from reoccurring?

A. Disable memory limit.

B. Disable CPU threshold trap toward the SNMP server.

C. Enable memory tracing notifications.

D. Enable memory threshold notifications.

A customer is using a central device to manage network devices over SNMPv2. A remote attacker caused a denial of service condition and can trigger this vulnerability by issuing a GET request for the ciscoFlashMIB OID on an affected device. Which should be disabled to resolve the issue?

A. SNMPv2

B. TCP small services

C. port UDP 161 and 162

D. UDP small services

Refer to the exhibit. An organization is using an internal application for printing documents that requires a separate registration on the website. The application allows format-free user creation, and users must match these required conditions to comply with the company's user creation policy:
✑ minimum length: 3
✑ usernames can only use letters, numbers, dots, and underscores
✑ usernames cannot begin with a number
The application administrator has to manually change and track these daily to ensure compliance. An engineer is tasked to implement a script to automate the process according to the company user creation policy. The engineer implemented this piece of code within the application, but users are still able to create format-free usernames. Which change is needed to apply the restrictions?

A. modify code to return error on restrictions def return false_user(username, minlen)

B. automate the restrictions def automate_user(username, minlen)

C. validate the restrictions, def validate_user(username, minlen)

D. modify code to force the restrictions, def force_user(username, minlen)

An employee who often travels abroad logs in from a first-seen country during non-working hours. The SIEM tool generates an alert that the user is forwarding an increased amount of emails to an external mail domain and then logs out. The investigation concludes that the external domain belongs to a competitor. Which two behaviors triggered UEBA? (Choose two.)

A. domain belongs to a competitor

B. log in during non-working hours

C. email forwarding to an external domain

D. log in from a first-seen country

E. increased number of sent mails

The incident response team was notified of detected malware. The team identified the infected hosts, removed the malware, restored the functionality and data of infected systems, and planned a company meeting to improve the incident handling capability. Which step was missed according to the NIST incident handling guide?

A. Contain the malware

B. Install IPS software

C. Determine the escalation path

D. Perform vulnerability assessment

An engineer notices that every Sunday night, there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the organization's service area. What are the next steps the engineer must take?

A. Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.

B. Review the SIEM and FirePower logs, block all traffic, and document the results of calling the call center.

C. Define the access points using StealthWatch or SIEM logs, understand services being offered during the hours in question, and cross-correlate other source events.

D. Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.

What is a benefit of key risk indicators?

A. clear perspective into the risk position of an organization

B. improved visibility on quantifiable information

C. improved mitigation techniques for unknown threats

D. clear procedures and processes for organizational risk

Employees receive an email from an executive within the organization that summarizes a recent security breach and requests that employees verify their credentials through a provided link. Several employees report the email as suspicious, and a security analyst is investigating the reports. Which two steps should the analyst take to begin this investigation? (Choose two.)

A. Evaluate the intrusion detection system alerts to determine the threat source and attack surface.

B. Communicate with employees to determine who opened the link and isolate the affected assets.

C. Examine the firewall and HIPS configuration to identify the exploited vulnerabilities and apply recommended mitigation.

D. Review the mail server and proxy logs to identify the impact of a potential breach.

E. Check the email header to identify the sender and analyze the link in an isolated environment.

A security architect is working in a processing center and must implement a DLP solution to detect and prevent any type of copy and paste attempts of sensitive data within unapproved applications and removable devices. Which technical architecture must be used?

A. DLP for data in motion

B. DLP for removable data

C. DLP for data in use

D. DLP for data at rest

An analyst is alerted for a malicious file hash. After analysis, the analyst determined that an internal workstation is communicating over port 80 with an external server and that the file hash is associated with Duqu malware. Which tactics, techniques, and procedures align with this analysis?

A. Command and Control, Application Layer Protocol, Duqu

B. Discovery, Remote Services: SMB/Windows Admin Shares, Duqu

C. Lateral Movement, Remote Services: SMB/Windows Admin Shares, Duqu

D. Discovery, System Network Configuration Discovery, Duqu

A security manager received an email from an anomaly detection service, that one of their contractors has downloaded 50 documents from the company's confidential document management folder using a company-owned asset al039-ice-4ce687TL0500. A security manager reviewed the content of downloaded documents and noticed that the data affected is from different departments. What are the actions a security manager should take?

A. Measure confidentiality level of downloaded documents.

B. Report to the incident response team.

C. Escalate to contractor’s manager.

D. Communicate with the contractor to identify the motives.

A cloud engineer needs a solution to deploy applications on a cloud without being able to manage and control the server OS. Which type of cloud environment should be used?

A. IaaS

B. PaaS

C. DaaS

D. SaaS

An engineer receives a report that indicates a possible incident of a malicious insider sending company information to outside parties. What is the first action the engineer must take to determine whether an incident has occurred?

A. Analyze environmental threats and causes

B. Inform the product security incident response team to investigate further

C. Analyze the precursors and indicators

D. Inform the computer security incident response team to investigate further

The physical security department received a report that an unauthorized person followed an authorized individual to enter a secured premise. The incident was documented and given to a security specialist to analyze. Which step should be taken at this stage?

A. Determine the assets to which the attacker has access

B. Identify assets the attacker handled or acquired

C. Change access controls to high risk assets in the enterprise

D. Identify movement of the attacker in the enterprise

A security expert is investigating a breach that resulted in a $32 million loss from customer accounts. Hackers were able to steal API keys and two-factor codes due to a vulnerability that was introduced in a new code a few weeks before the attack. Which step was missed that would have prevented this breach?

A. use of the Nmap tool to identify the vulnerability when the new code was deployed

B. implementation of a firewall and intrusion detection system

C. implementation of an endpoint protection system

D. use of SecDevOps to detect the vulnerability during development

A SOC team is informed that a UK-based user will be traveling between three countries over the next 60 days. Having the names of the 3 destination countries and the user's working hours, what must the analyst do next to detect an abnormal behavior?

A. Create a rule triggered by 3 failed VPN connection attempts in an 8-hour period

B. Create a rule triggered by 1 successful VPN connection from any nondestination country

C. Create a rule triggered by multiple successful VPN connections from the destination countries

D. Analyze the logs from all countries related to this user during the traveling period

A payroll administrator noticed unexpected changes within a piece of software and reported the incident to the incident response team. Which actions should be taken at this step in the incident response workflow?

A. Classify the criticality of the information, research the attacker’s motives, and identify missing patches

B. Determine the damage to the business, extract reports, and save evidence according to a chain of custody

C. Classify the attack vector, understand the scope of the event, and identify the vulnerabilities being exploited

D. Determine the attack surface, evaluate the risks involved, and communicate the incident according to the escalation plan

DRAG DROP -
An organization lost connectivity to critical servers, and users cannot access business applications and internal websites. An engineer checks the network devices to investigate the outage and determines that all devices are functioning. Drag and drop the steps from the left into the sequence on the right to continue investigating this issue. Not all options are used.
Select and Place:
 

An engineer detects an intrusion event inside an organization's network and becomes aware that files that contain personal data have been accessed. Which action must be taken to contain this attack?

A. Disconnect the affected server from the network.

B. Analyze the source.

C. Access the affected server to confirm compromised files are encrypted.

D. Determine the attack surface.

Refer to the exhibit. Where is the MIME type that should be followed indicated?

A. x-test-debug

B. strict-transport-security

C. x-xss-protection

D. x-content-type-options

Refer to the exhibit. How must these advisories be prioritized for handling?

A. The highest priority for handling depends on the type of institution deploying the devices

B. Vulnerability #2 is the highest priority for every type of institution

C. Vulnerability #1 and vulnerability #2 have the same priority

D. Vulnerability #1 is the highest priority for every type of institution

Engineers are working to document, list, and discover all used applications within an organization. During the regular assessment of applications from the HR backup server, an engineer discovered an unknown application. The analysis showed that the application is communicating with external addresses on a non- secure, unencrypted channel. Information gathering revealed that the unknown application does not have an owner and is not being used by a business unit. What are the next two steps the engineers should take in this investigation? (Choose two.)

A. Determine the type of data stored on the affected asset, document the access logs, and engage the incident response team.

B. Identify who installed the application by reviewing the logs and gather a user access log from the HR department.

C. Verify user credentials on the affected asset, modify passwords, and confirm available patches and updates are installed.

D. Initiate a triage meeting with department leads to determine if the application is owned internally or used by any business unit and document the asset owner.

An organization installed a new application server for IP phones. An automated process fetched user credentials from the Active Directory server, and the application will have access to on-premises and cloud services. Which security threat should be mitigated first?

A. aligning access control policies

B. exfiltration during data transfer

C. attack using default accounts

D. data exposure from backups

Refer to the exhibit. Two types of clients are accessing the front ends and the core database that manages transactions, access control, and atomicity. What is the threat model for the SQL database?

A. An attacker can initiate a DoS attack.

B. An attacker can read or change data.

C. An attacker can transfer data to an external server.

D. An attacker can modify the access logs.

The incident response team receives information about the abnormal behavior of a host. A malicious file is found being executed from an external USB flash drive.
The team collects and documents all the necessary evidence from the computing resource. What is the next step?

A. Conduct a risk assessment of systems and applications

B. Isolate the infected host from the rest of the subnet

C. Install malware prevention software on the host

D. Analyze network traffic on the host’s subnet

After a recent malware incident, the forensic investigator is gathering details to identify the breach and causes. The investigator has isolated the affected workstation. What is the next step that should be taken in this investigation?

A. Analyze the applications and services running on the affected workstation.

B. Compare workstation configuration and asset configuration policy to identify gaps.

C. Inspect registry entries for recently executed files.

D. Review audit logs for privilege escalation events.

Where do threat intelligence tools search for data to identify potential malicious IP addresses, domain names, and URLs?

A. customer data

B. internal database

C. internal cloud

D. Internet

A SOC team receives multiple alerts by a rule that detects requests to malicious URLs and informs the incident response team to block the malicious URLs requested on the firewall. Which action will improve the effectiveness of the process?

A. Block local to remote HTTP/HTTPS requests on the firewall for users who triggered the rule.

B. Inform the user by enabling an automated email response when the rule is triggered.

C. Inform the incident response team by enabling an automated email response when the rule is triggered.

D. Create an automation script for blocking URLs on the firewall when the rule is triggered.

The network operations center has identified malware, created a ticket within their ticketing system, and assigned the case to the SOC with high-level information.
A SOC analyst was able to stop the malware from spreading and identified the attacking host. What is the next step in the incident response workflow?

A. eradication and recovery

B. post-incident activity

C. containment

D. detection and analysis

Refer to the exhibit. An engineer is analyzing this Vlan0392-int12-239.pcap file in Wireshark after detecting a suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a google chrome extension on a WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site but the payloads are obfuscated and unreadable. What does this STIX indicate?

A. The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible

B. The traffic is legitimate as the google chrome extension is reaching out to check for updates and fetches this information

C. There is a possible data leak because payloads should be encoded as UTF-8 text

D. There is a malware that is communicating via encrypted channels to the command and control server

DRAG DROP -
Drag and drop the telemetry-related considerations from the left onto their cloud service models on the right.
Select and Place:
 

A SIEM tool fires an alert about a VPN connection attempt from an unusual location. The incident response team validates that an attacker has installed a remote access tool on a user's laptop while traveling. The attacker has the user's credentials and is attempting to connect to the network.
What is the next step in handling the incident?

A. Block the source IP from the firewall

B. Perform an antivirus scan on the laptop

C. Identify systems or services at risk

D. Identify lateral movement

Refer to the exhibit. Where are the browser page rendering permissions displayed?

A. x-frame-options

B. x-xss-protection

C. x-content-type-options

D. x-test-debug

Refer to the exhibit. Rapid Threat Containment using Cisco Secure Network Analytics (Stealthwatch) and ISE detects the threat of malware-infected 802.1x authenticated endpoints and places that endpoint into a quarantine VLAN using Adaptive Network Control policy. Which method was used to signal ISE to quarantine the endpoints?

A. SNMP

B. syslog

C. REST API

D. pxGrid

A company launched an e-commerce website with multiple points of sale through internal and external e-stores. Customers access the stores from the public website, and employees access the stores from the intranet with an SSO. Which action is needed to comply with PCI standards for hardening the systems?

A. Mask PAN numbers

B. Encrypt personal data

C. Encrypt access

D. Mask sales details

Which action should be taken when the HTTP response code 301 is received from a web application?

A. Update the cached header metadata.

B. Confirm the resource’s location.

C. Increase the allowed user limit.

D. Modify the session timeout setting.

DRAG DROP -
Drag and drop the mitigation steps from the left onto the vulnerabilities they mitigate on the right.
Select and Place:
 

An engineer has created a bash script to automate a complicated process. During script execution, this error occurs: permission denied. Which command must be added to execute this script?

A. chmod +x ex.sh

B. source ex.sh

C. chroot ex.sh

D. sh ex.sh

A company recently completed an internal audit and discovered that there is CSRF vulnerability in 20 of its hosted applications. Based on the audit, which recommendation should an engineer make for patching?

A. Identify the business applications running on the assets

B. Update software to patch third-party software

C. Validate CSRF by executing exploits within Metasploit

D. Fix applications according to the risk scores

An engineer returned to work and realized that payments that were received over the weekend were sent to the wrong recipient. The engineer discovered that the
SaaS tool that processes these payments was down over the weekend. Which step should the engineer take first?

A. Utilize the SaaS tool team to gather more information on the potential breach

B. Contact the incident response team to inform them of a potential breach

C. Organize a meeting to discuss the services that may be affected

D. Request that the purchasing department creates and sends the payments manually

Refer to the exhibit. An engineer must tune the Cisco IOS device to mitigate an attack that is broadcasting a large number of ICMP packets. The attack is sending the victim's spoofed source IP to a network using an IP broadcast address that causes devices in the network to respond back to the source IP address. Which action does the engineer recommend?

A. Use command ip verify reverse-path interface

B. Use global configuration command service tcp-keepalives-out

C. Use subinterface command no ip directed-broadcast

D. Use logging trap 6

A malware outbreak is detected by the SIEM and is confirmed as a true positive. The incident response team follows the playbook to mitigate the threat. What is the first action for the incident response team?

A. Assess the network for unexpected behavior

B. Isolate critical hosts from the network

C. Patch detected vulnerabilities from critical hosts

D. Perform analysis based on the established risk factors

What is the difference between process orchestration and automation?

A. Orchestration combines a set of automated tools, while automation is focused on the tools to automate process flows.

B. Orchestration arranges the tasks, while automation arranges processes.

C. Orchestration minimizes redundancies, while automation decreases the time to recover from redundancies.

D. Automation optimizes the individual tasks to execute the process, while orchestration optimizes frequent and repeatable processes.

An organization is using a PKI management server and a SOAR platform to manage the certificate lifecycle. The SOAR platform queries a certificate management tool to check all endpoints for SSL certificates that have either expired or are nearing expiration. Engineers are struggling to manage problematic certificates outside of PKI management since deploying certificates and tracking them requires searching server owners manually. Which action will improve workflow automation?

A. Implement a new workflow within SOAR to create tickets in the incident response system, assign problematic certificate update requests to server owners, and register change requests.

B. Integrate a PKI solution within SOAR to create certificates within the SOAR engines to track, update, and monitor problematic certificates.

C. Implement a new workflow for SOAR to fetch a report of assets that are outside of the PKI zone, sort assets by certification management leads and automate alerts that updates are needed.

D. Integrate a SOAR solution with Active Directory to pull server owner details from the AD and send an automated email for problematic certificates requesting updates.

An analyst received multiple alerts on the SIEM console of users that are navigating to malicious URLs. The analyst needs to automate the task of receiving alerts and processing the data for further investigations. Three variables are available from the SIEM console to include in an automation script: console_ip, api_token, and reference_set_name. What must be added to this script to receive a successful HTTP response?
#!/usr/bin/python
import sys
import requests

A. {1}, {2}

B. {1}, {3}

C. console_ip, api_token

D. console_ip, reference_set_name