CS0-002 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CS0-002 certification exam? Kickstart your success with our CS0-002 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with CS0-002 practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CS0-002 practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review. You can click on each Question to explore the details.
A security analyst for a large pharmaceutical company was given credentials by a threat intelligence resources organization for internal users; the data set contains usernames and valid passwords for company accounts. Which of the following is the FIRST action the analyst should take as part of security operations monitoring?
A. Run scheduled antivirus scans on all employees’ machines to look for malicious processes.
B. Reimage the machines of all users within the group in case of a malware infection.
C. Change all the user passwords to ensure the malicious actors cannot use them.
D. Search the event logs for event identifiers that indicate Mimikatz was used.
A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes should the analyst recommend?
A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture.
Legacy medical equipment, which contains sensitive data, cannot be patched. Which of the following is the BEST solution to improve the equipment’s security posture?
A. Move the legacy systems behind a WAF
B. Implement an air gap for the legacy systems
C. Place the legacy systems in the perimeter network
D. Implement a VPN between the legacy systems and the local network
An information security analyst discovered a virtual machine server was compromised by an attacker. Which of the following should be the FIRST steps to confirm and respond to the incident? (Choose two.)
A. Pause the virtual machine.
B. Shut down the virtual machine.
C. Take a snapshot of the virtual machine.
D. Remove the NIC from the virtual machine.
E. Review host hypervisor log of the virtual machine.
F. Execute a migration of the virtual machine.
While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two.)
A. On a private VLAN
B. Full disk encrypted
C. Powered off
D. Backed up hourly
E. VPN accessible only
F. Air gapped
A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only, and the server cannot be connected to the internet. Which of the following solutions would meet this requirement?
A. Establish a hosted SSO
B. Implement a CASB
C. Virtualize the server
D. Air gap the server
Which of the following describes the difference between intentional and unintentional insider threats?
A. Their access levels will be different.
B. The risk factor will be the same.
C. Their behavior will be different.
D. The rate of occurrence will be the same.
While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?
A. Block the sender in the email gateway.
B. Delete the email from the company’s email servers.
C. Ask the sender to stop sending messages.
D. Review the message in a secure environment.
A digital forensics investigator works from duplicate images to preserve the integrity of the original evidence. Which of the following types of media are MOST volatile and should be preserved? (Choose two.)
A. Memory cache
B. Registry file
C. SSD storage
D. Temporary filesystems
E. Packet decoding
F. Swap volume
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal?
A. To create a system baseline
B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection
During a routine review of service restarts, a security analyst observes the following in a server log:
Which of the following is the GREATEST security concern?
A. The daemon’s binary was changed.
B. Four consecutive days of monitoring are skipped in the log.
C. The process identifiers for the running service change.
D. The PIDs are continuously changing.
A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?
A. dcfldd if=/dev/one of=/mnt/usb/evidence.bin hash=md5,sha1 hashlog=/mnt/usb/evidence.bin.hashlog
B. dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin > /mnt/usb/evidence.bin.hash
C. tar -zcf /mnt/usb/evidence.tar.gz / -except /mnt; sha256sum /mnt/usb/evidence.tar.gz > /mnt/usb/evidence.tar.gz.hash
D. find / -type f -exec cp {} /mnt/usb/evidence/ ; sha1sum /mnt/usb/evidence/* > /mnt/usb/evidence/evidence.hash
Which of the following sources would a security analyst rely on to provide relevant and timely threat information concerning the financial services industry?
A. Real-time and automated firewall rules subscriptions
B. Open-source intelligence, such as social media and blogs
C. Information sharing and analysis membership
D. Common vulnerability and exposure bulletins
A proposed network architecture requires systems to be separated from each other logically based on defined risk levels. Which of the following explains the reason why an architect would set up the network this way?
A. To complicate the network and frustrate a potential malicious attacker
B. To create a design that simplifies the supporting network
C. To reduce the attack surface of those systems by segmenting the network based on risk
D. To reduce the number of IP addresses that are used on the network
A company's application development has been outsourced to a third-party development team. Based on the SLA, the development team must follow industry best practices for secure coding. Which of the following is the BEST way to verify this agreement?
A. Input validation
B. Security regression testing
C. Application fuzzing
D. User acceptance testing
E. Stress testing
Ensuring that all areas of security have the proper controls is a primary reason why organizations use:
A. frameworks.
B. directors and officers.
C. incident response plans.
D. engineering rigor.
A security analyst discovers suspicious host activity while performing monitoring activities. The analyst pulls a packet capture for the activity and sees the following:
Follow TCP stream:
Which of the following describes what has occurred?
A. The host attempted to download an application from utoftor.com.
B. The host downloaded an application from utoftor.com.
C. The host attempted to make a secure connection to utoftor.com.
D. The host rejected the connection from utoftor.com.
An organization has a policy that requires servers to be dedicated to one function and unneeded services to be disabled. Given the following output from an Nmap scan of a web server:
Which of the following ports should be closed?
A. 21
B. 80
C. 443
D. 1433
A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin. The network rules for the instance are the following:
Which of the following is the BEST way to isolate and triage the host?
A. Remove rules 1, 2, and 3.
B. Remove rules 1, 2, 4, and 5.
C. Remove rules 1, 2, 3, 4, and 5.
D. Remove rules 1, 2, and 5.
E. Remove rules 1, 4, and 5.
F. Remove rules 4 and 5.
An organization is experiencing issues with emails that are being sent to external recipients. Incoming emails to the organization are working fine. A security analyst receives the following screenshot of an email error from the help desk:
The analyst then checks the email server and sees many of the following messages in the logs:
Which of the following is MOST likely the issue?
A. SPF is failing.
B. The DMARC queue is full.
C. The DKIM private key has expired.
D. Port 25 is not open.
A security analyst was transferred to an organization's threat-hunting team to track specific activity throughout the enterprise environment. The analyst must observe and assess the number of times this activity occurs and aggregate the results. Which of the following is the BEST threat-hunting method for the analyst to use?
A. Stack counting
B. Searching
C. Clustering
D. Grouping
A security analyst is supporting an embedded software team. Which of the following is the best recommendation to ensure proper error handling at runtime?
A. Perform static code analysis.
B. Require application fuzzing.
C. Enforce input validation.
D. Perform a code review.
A software developer is correcting the error-handling capabilities of an application following the initial coding of the fix. Which of the following would the software developer MOST likely perform to validate the code prior to pushing it to production?
A. Web-application vulnerability scan
B. Static analysis
C. Packet inspection
D. Penetration test
A Chief Information Security Officer (CISO) is concerned developers have too much visibility into customer data. Which of the following controls should be implemented to BEST address these concerns?
A. Data masking
B. Data loss prevention
C. Data minimization
D. Data sovereignty
A new prototype for a company’s flagship product was leaked on the internet. As a result, the management team has locked out all USB drives. Optical drive writers are not present on company computers. The sales team has been granted an exception to share sales presentation files with third parties. Which of the following would allow the IT team to determine which devices are USB enabled?
A. Asset tagging
B. Device encryption
C. Data loss prevention
D. SIEM logs
A security analyst is reviewing the event logs on an air-gapped workstation. The analyst knows the system is used regularly for classified work. Additionally, the analyst knows multiple users locked themselves out and required a password reset. When reviewing the logs, the security analyst is surprised to see that these incidents were not recorded in the logs. Which of the following is the best remediation for this issue?
A. Modify the local group policy to use advanced logging.
B. Install third-party software to log the events remotely.
C. Require users to log a trouble ticket when failures occur.
D. Ensure the analyst has the correct permissions to view the logs.
A company creates digitally signed packages for its devices. Which of the following BEST describes the method by which the security packages are delivered to the company’s customers?
A. Anti-tamper mechanism
B. SELinux
C. Trusted firmware updates
D. eFuse
During the threat modeling process for a new application that a company is launching, a security analyst needs to define methods and items to take into consideration. Which of the following are part of a known threat modeling method?
A. Threat profile, infrastructure and application vulnerabilities, security strategy and plans
B. Purpose, objective, scope, team management, cost, roles and responsibilities
C. Spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege
D. Human impact, adversary’s motivation, adversary’s resources, adversary’s methods
While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk. The analyst sees the following on the laptop's screen:
[*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORP\jsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...
[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORP\progers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A...
Which of the following is the BEST action for the security analyst to take?
A. Force all users in the domain to change their passwords at the next login.
B. Disconnect the laptop and ask the users jsmith and progers to log out.
C. Take the FILE-SHARE-A server offline and scan it for viruses.
D. Initiate a scan of devices on the network to find password-cracking tools.
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?
A. Requirements analysis and collection planning
B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting
The help desk is having difficulty keeping up with all onboarding and offboarding requests. Managers often submit requests for new users at the last minute, causing the help desk to scramble to create accounts across many different interconnected systems. Which of the following solutions would work BEST to assist the help desk with the onboarding and offboarding process while protecting the company's assets?
A. MFA
B. CASB
C. SSO
D. RBAC
Which of the following attack techniques has the GREATEST likelihood of quick success against Modbus assets?
A. Remote code execution
B. Buffer overflow
C. Unauthenticated commands
D. Certificate spoofing
A development team recently released a new version of a public-facing website for testing prior to production. The development team is soliciting the help of various teams to validate the functionality of the website due to its high visibility. Which of the following activities best describes the process the development team is initiating?
A. Static analysis
B. Stress testing
C. Code review
D. User acceptance testing
An analyst performs a routine scan of a host using Nmap and receives the following output:
Which of the following should the analyst investigate FIRST?
A. Port 21
B. Port 22
C. Port 23
D. Port 80
A company employee downloads an application from the internet. After the installation, the employee begins experiencing noticeable performance issues, and files are appearing on the desktop:
Which of the following processes will the security analyst identify as the MOST likely indicator of system compromise given the processes running in Task Manager?
A. Chrome.exe
B. Word.exe
C. Explorer.exe
D. mstsc.exe
E. taskmgr.exe
Which of the following solutions is the BEST method to prevent unauthorized use of an API?
A. HTTPS
B. Geofencing
C. Rate limiting
D. Authentication
A security analyst is probing a company’s public-facing servers for vulnerabilities and obtains the following output:
Which of the following changes should the analyst recommend FIRST?
A. Implement File Transfer Protocol Secure on the upload server.
B. Disable anonymous login on the web server.
C. Configure firewall changes to close port 445 on 124.45.23.112.
D. Apply a firewall rule to filter the number of requests per second on port 80 on 124.45.23.108.
An organization prohibits users from logging in to the administrator account. If a user requires elevated permissions, the user's account should be part of an administrator group, and the user should escalate permission only as needed and on a temporary basis. The organization has the following reporting priorities when reviewing system activity:
- Successful administrator login: reporting priority high
- Failed administrator login: reporting priority medium
- Failed temporary elevated permissions: reporting priority low
- Successful temporary elevated permissions: non-reportable
A security analyst is reviewing server syslogs and sees the following:
Which of the following events is the HIGHEST reporting priority?
A. 2 2020-01-10T20:36:01.010Z financeserver sudo 201 32001 – BOM ‘sudo vi users.txt’ success
B. 2 2020-01-10T21:18:34.002Z adminserver sudo 201 32001 – BOM ‘sudo more /etc/passwords’ success
C. 2 2020-01-10T19:33:48.002Z webserver su 201 32001 – BOM ‘su’ success
D. 2 2020-01-10T21:53:11.002Z financeserver su 201 32001 – BOM ‘su vi syslog.conf’ failed for joe
Given the Nmap request below:
Which of the following actions will an attacker be able to initiate directly against this host?
A. Password sniffing
B. ARP spoofing
C. A brute-force attack
D. An SQL injection
A host is spamming the network unintentionally. Which of the following control types should be used to address this situation?
A. Managerial
B. Technical
C. Operational
D. Corrective
A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution?
A. The use of infrastructure-as-code capabilities leads to an increased attack surface.
B. Patching the underlying application server becomes the responsibility of the client.
C. The application is unable to use encryption at the database level.
D. Insecure application programming interfaces can lead to data compromise.
A company uses an FTP server to support its critical business functions. The FTP server is configured as follows:
- The FTP service is running with the data directory configured in /opt/ftp/data.
- The FTP server hosts employees' home directories in /home.
- Employees may store sensitive information in their home directories.
An IoC revealed that an FTP directory traversal attack resulted in sensitive data loss. Which of the following should a server administrator implement to reduce the risk of current and future directory traversal attacks targeted at the FTP server?
A. Implement file-level encryption of sensitive files.
B. Reconfigure the FTP server to support FTPS.
C. Run the FTP server in a chroot environment.
D. Upgrade the FTP server to the latest version.
To validate local system-hardening requirements, which of the following types of vulnerability scans would work BEST to verify the scanned device meets security policies?
A. SCAP
B. SAST
C. DAST
D. DACS
A security analyst has received reports of very slow, intermittent access to a public-facing corporate server. Suspecting the system may be compromised, the analyst runs the following commands:
Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?
A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B. Examine the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.
An organization is experiencing security incidents in which a systems administrator is creating unauthorized user accounts. A security analyst has created a script to snapshot the system configuration each day. The following is one of the scripts:
cat /etc/passwd > daily_$(date +"%m_%d_%Y")
This script has been running successfully every day. Which of the following commands would provide the analyst with additional useful information relevant to the above script?
A. diff daily_11_03_2019 daily_11_04_2019
B. ps -ef | grep admin > daily_process_$(date +"%m_%d_%Y")
C. more /etc/passwd > daily_$(date +"%m_%d_%Y_%H:%M:%S")
D. ls -lai /usr/sbin > daily_applications
A security analyst who works in the SOC receives a new requirement to monitor for indicators of compromise. Which of the following is the first action the analyst should take in this situation?
A. Develop a dashboard to track the indicators of compromise.
B. Develop a query to search for the indicators of compromise.
C. Develop a new signature to alert on the indicators of compromise.
D. Develop a new signature to block the indicators of compromise.
Which of the following organizational initiatives would be MOST impacted by data sovereignty issues?
A. Moving to a cloud-based environment
B. Migrating to locally hosted virtual servers
C. Implementing non-repudiation controls
D. Encrypting local database queries
A company recently experienced a breach of sensitive information that affects customers across multiple geographical regions. Which of the following roles would be BEST suited to determine the breach notification requirements?
A. Legal counsel
B. Chief Security Officer
C. Human resources
D. Law enforcement
A Chief Information Officer wants to implement a BYOD strategy for all company laptops and mobile phones. The Chief Information Security Officer is concerned with ensuring all devices are patched and running some sort of protection against malicious software. Which of the following existing technical controls should a security analyst recommend to BEST meet all the requirements?
A. EDR
B. Port security
C. NAC
D. Segmentation
During an incident response procedure, a security analyst collects a hard drive to analyze a possible vector of compromise. There is a Linux swap partition on the hard drive that needs to be checked. Which of the following should the analyst use to extract human-readable content from the partition?
A. strings
B. head
C. fsstat
D. dd
Free Access Full CS0-002 Practice Questions Free
Want more hands-on practice? Click here to access the full bank of CS0-002 practice questions free and reinforce your understanding of all exam objectives.
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CS0-002 certification journey!