CS0-001 Practice Exam Free


CS0-001 Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the CS0-001 certification? Take your preparation to the next level with our CS0-001 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a CS0-001 practice exam free is one of the best ways to:

  • Experience the format and difficulty of the real exam
  • Identify your strengths and focus on weak areas
  • Improve your test-taking speed and accuracy

Below, you will find 50 realistic CS0-001 practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.

Question 1

A reverse engineer was analyzing malware found on a retailer's network and found code extracting track data in memory. Which of the following threats did the engineer MOST likely uncover?

A. POS malware

B. Rootkit

C. Key logger

D. Ransomware

Suggested Answer: A

Question 2

A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the service to become unavailable. Which of the following can be implemented to maintain the availability of the website?

A. VPN

B. Honeypot

C. Whitelisting

D. DMZ

E. MAC filtering

Suggested Answer: C

Question 3

An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would ONLY identify the known vulnerability?

A. Perform an unauthenticated vulnerability scan on all servers in the environment.

B. Perform a scan for the specific vulnerability on all web servers.

C. Perform a web vulnerability scan on all servers in the environment.

D. Perform an authenticated scan on all web servers in the environment.

Suggested Answer: B

Question 4

A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, despite the fact that no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this?

A. Advanced persistent threat

B. Zero day

C. Trojan

D. Logic bomb

Suggested Answer: B

Question 5

A technician recently fixed a computer with several viruses and spyware programs on it and notices the Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as which of the following?

A. Phishing

B. Social engineering

C. Man-in-the-middle

D. Shoulder surfing

Suggested Answer: C

Question 6

After reading about data breaches at a competing company, senior leaders in an organization have grown increasingly concerned about social engineering attacks. They want to increase awareness among staff regarding this threat, but do not want to use traditional training methods because they regard these methods as ineffective. Which of the following approaches would BEST meet the requirements?

A. Classroom training on the dangers of social media followed by a test and gift certificates for any employee getting a perfect score.

B. Simulated phishing emails asking employees to reply to the email with their updated phone number and office location

C. A poster contest to raise awareness of PII and asking employees to provide examples of data breaches and consequences

D. USB drives randomly placed inside and outside the organization that contain a pop-up warning to any users who plug the drive into their computer

Suggested Answer: A

Question 7

An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic?

A. Log review

B. Service discovery

C. Packet capture

D. DNS harvesting

Suggested Answer: C

Question 8

The service desk has received several calls from the remote workforce group stating they have experienced degradation in services. The security analyst discovers all the remote laptops have become infected with a known virus that was introduced by a known application weakness. Which of the following is the BEST course of action to ensure the remote workers do not experience this issue in the future?

A. Communicate to the remote workers that company laptops are for work purposes only.

B. Configure the devices to access the Internet through the corporate network only.

C. Ensure devices receive software updates and definitions upon connecting to the internal network.

D. Develop and configure a whitelist on each laptop for authored, business-related websites only.

Suggested Answer: C

Question 9

A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network. Which of the following protocols needs to be denied?

A. TCP

B. SMTP

C. ICMP

D. ARP

Suggested Answer: C

Question 10

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website.
During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine.
Which of the following describes the type of attack the proxy has been legitimately programmed to perform?

A. Transitive access

B. Spoofing

C. Man-in-the-middle

D. Replay

Suggested Answer: C

Question 11

A security incident has been created after noticing unusual behavior from a Windows domain controller. The server administrator has discovered that a user logged in to the server with elevated permissions, but the user's account does not follow the standard corporate naming scheme. There are also several other accounts in the administrators group that do not follow this naming scheme. Which of the following is the possible cause for this behavior and the BEST remediation step?

A. The Windows Active Directory domain controller has not completed synchronization, and should force the domain controller to sync.

B. The server has been compromised and should be removed from the network and cleaned before reintroducing it to the network.

C. The server administrator created user accounts cloning the wrong user ID, and the accounts should be removed from administrators and placed in an employee group.

D. The naming scheme allows for too many variations, and the account naming convention should be updated to enforce organizational policies.

Suggested Answer: D

Question 12

During a tabletop exercise, it is determined that a security analyst is required to ensure patching and scan reports are available during an incident, as well as documentation of all critical systems. To which of the following stakeholders should the analyst provide the reports?

A. Management

B. Affected vendors

C. Security operations

D. Legal

Suggested Answer: A

Question 13

A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Choose two.)

A. Validate the folder and file directory listings on both.

B. Check the hash value between the image and the original.

C. Boot up the image and the original systems to compare.

D. Connect a write blocker to the imaging device.

E. Copy the data to a disk of the same size and manufacturer.

Suggested Answer: BC

Question 14

An analyst is reviewing the following log from the company web server:
 Image
Which of the following is this an example of?

A. Online rainbow table attack

B. Offline brute force attack

C. Offline dictionary attack

D. Online hybrid attack

Suggested Answer: B

Question 15

A company has been a victim of multiple volumetric DoS attacks. Packet analysis of the offending traffic shows the following:
 Image
Which of the following mitigation techniques is MOST effective against the above attack?

A. The company should contact the upstream ISP and ask that RFC1918 traffic be dropped.

B. The company should implement a network-based sinkhole to drop all traffic coming from 192.168.1.1 at their gateway router.

C. The company should implement the following ACL at their gateway firewall: DENY IP HOST 192.168.1.1 170.43.30.0/24.

D. The company should enable the DoS resource starvation protection feature of the gateway NIPS.

Suggested Answer: A

Question 16

An organization is conducting penetration testing to identify possible network vulnerabilities. The penetration tester has received the following output from the latest scan:
 Image
The penetration tester knows the organization does not use Timbuktu servers and wants to have Nmap interrogate the ports on the target in more detail. Which of the following commands should the penetration tester use NEXT?

A. nmap -sV 192.168.1.13 -p1417

B. nmap -sS 192.168.1.13 -p1417

C. sudo nmap -sS 192.168.1.13

D. nmap 192.168.1.13 -v

Suggested Answer: A

Question 17

A cybersecurity analyst develops a regular expression to find data within traffic that will alarm on a hit.
 Image
The SIEM alarms on seeing this data in cleartext between the web server and the database server.
 Image
Which of the following types of data would the analyst MOST likely to be concerned with, and to which type of data classification does it belong?

A. Credit card numbers that are PCI

B. Social security numbers that are PHI

C. Credit card numbers that are PII

D. Social security numbers that are PII

Suggested Answer: A

Question 18

Joe, an analyst, has received notice that a vendor who is coming in for a presentation will require access to a server outside the network. Currently, users are only able to access remote sites through a VPN connection. Which of the following should Joe use to BEST accommodate the vendor?

A. Allow incoming IPSec traffic into the vendor’s IP address.

B. Set up a VPN account for the vendor, allowing access to the remote site.

C. Turn off the firewall while the vendor is in the office, allowing access to the remote site.

D. Write a firewall rule to allow the vendor to have access to the remote site.

Suggested Answer: B

Question 19

An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive?

A. Reports show the scanner compliance plug-in is out-of-date.

B. Any items labeled 'low' are considered informational only.

C. The scan result version is different from the automated asset inventory.

D. 'HTTPS' entries indicate the web page is encrypted securely.

Suggested Answer: B

Question 20

A security analyst is reviewing the following log after enabling key-based authentication.
 Image
Given the above information, which of the following steps should be performed NEXT to secure the system?

A. Disable anonymous SSH logins.

B. Disable password authentication for SSH.

C. Disable SSHv1.

D. Disable remote root SSH logins.

Suggested Answer: B

Question 21

A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST?

A. Contact the Office of Civil Rights (OCR) to report the breach

B. Notify the Chief Privacy Officer (CPO)

C. Activate the incident response plan

D. Put an ACL on the gateway router

Suggested Answer: D

Question 22

Which of the following principles describes how a security analyst should communicate during an incident?

A. The communication should be limited to trusted parties only.

B. The communication should be limited to security staff only.

C. The communication should come from law enforcement.

D. The communication should be limited to management only.

Suggested Answer: A

Question 23

A manufacturing company has decided to participate in direct sales of its products to consumers. The company decides to use a subdomain of its main site with its existing cloud service provider as the portal for e-commerce. After launch, the site is stable and functions properly, but after a robust day of sales, the site begins to redirect to a competitor's landing page. Which of the following actions should the company's security team take to determine the cause of the issue and minimize the scope of impact?

A. Engage a third party to provide penetration testing services to see if an exploit can be found

B. Check DNS records to ensure Cname or alias records are in place for the subdomain

C. Query the cloud provider to determine the nature of the DNS attack and find out which other clients are affected

D. Check the DNS records to ensure a correct MX record is established for the subdomain

Suggested Answer: B

Question 24

Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client's company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise. Which of the following techniques were used in this scenario?

A. Enumeration and OS fingerprinting

B. Email harvesting and host scanning

C. Social media profiling and phishing

D. Network and host scanning

Suggested Answer: C

Community Answer: C

Question 25

An executive tasked a security analyst to aggregate past logs, traffic, and alerts on a particular attack vector. The analyst was then tasked with analyzing the data and making predictions on future complications regarding this attack vector. Which of the following types of analysis is the security analyst MOST likely conducting?

A. Trend analysis

B. Behavior analysis

C. Availability analysis

D. Business analysis

Suggested Answer: A

Question 26

A cybersecurity analyst wants to use ICMP ECHO_REQUEST on a machine while using Nmap. Which of the following is the correct command to accomplish this?

A. $ nmap -PE 192.168.1.7

B. $ ping -PE 192.168.1.7

C. $ nmap --traceroute 192.168.1.7

D. $ nmap -PO 192.168.1.7

Suggested Answer: A

Question 27

Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company A's conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B's network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports. Which of the following can be employed to allow this?

A. ACL

B. SIEM

C. MAC

D. NAC

E. SAML

Suggested Answer: D

Question 28

During a review of security controls, an analyst was able to connect to an external, unsecured FTP server from a workstation. The analyst was troubleshooting and reviewed the ACLs of the segment firewall the workstation is connected to:
 Image
Based on the ACLs above, which of the following explains why the analyst was able to connect to the FTP server?

A. FTP was explicitly allowed in Seq 8 of the ACL.

B. FTP was allowed in Seq 10 of the ACL.

C. FTP was allowed as being included in Seq 3 and Seq 4 of the ACL.

D. FTP was allowed as being outbound from Seq 9 of the ACL.

Suggested Answer: A

Question 29

During a routine review of firewall logs, an analyst identified that an IP address from the organization's server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident's impact assessment?

A. PII of company employees and customers was exfiltrated.

B. Raw financial information about the company was accessed.

C. Forensic review of the server required fall-back on a less efficient service.

D. IP addresses and other network-related configurations were exfiltrated.

E. The local root password for the affected server was compromised.

Suggested Answer: A

Question 30

While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation?

A. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to.

B. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network.

C. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not.

D. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.

Suggested Answer: C

Question 31

Given the following log snippet:
 Image
Which of the following describes the events that have occurred?

A. An attempt to make an SSH connection from “superman” was done using a password.

B. An attempt to make an SSH connection from 192.168.1.166 was done using PKI.

C. An attempt to make an SSH connection from outside the network was done using PKI.

D. An attempt to make an SSH connection from an unknown IP address was done using a password.

Suggested Answer: B

Question 32

After implementing and running an automated patching tool, a security administrator ran a vulnerability scan that reported no missing patches found. Which of the following BEST describes why this tool was used?

A. To create a chain of evidence to demonstrate when the servers were patched.

B. To harden the servers against new attacks.

C. To provide validation that the remediation was active.

D. To generate log data for unreleased patches.

Suggested Answer: B

Question 33

A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer?

A. The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody.

B. Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance.

C. An externally hosted website should be prepared in advance to ensure that when an incident occurs, victims have timely access to notifications from a non-compromised resource.

D. The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that might be viewed during an investigation.

Suggested Answer: A

Question 34

An HR employee began having issues with a device becoming unresponsive after attempting to open an email attachment. When informed, the security analyst became suspicious of the situation, even though there was not any unusual behavior on the IDS or any alerts from the antivirus software. Which of the following BEST describes the type of threat in this situation?

A. Packet of death

B. Zero-day malware

C. PII exfiltration

D. Known virus

Suggested Answer: B

Question 35

While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine. Which of the following MOST likely happened in this situation?

A. The analyst is not using the standard approved browser.

B. The analyst accidentally clicked a link related to the indicator.

C. The analyst has prefetch enabled on the browser in use.

D. The alert is unrelated to the analyst's search.

Suggested Answer: C

Community Answer: B

Question 36

A cybersecurity analyst is hired to review the security measures implemented within the domain controllers of a company. Upon review, the cybersecurity analyst notices a brute force attack can be launched against domain controllers that run on a Windows platform. The first remediation step implemented by the cybersecurity analyst is to make the account passwords more complex. Which of the following is the NEXT remediation step the cybersecurity analyst needs to implement?

A. Disable the ability to store a LAN manager hash.

B. Deploy a vulnerability scanner tool.

C. Install a different antivirus software.

D. Perform more frequent port scanning.

E. Move administrator accounts to a new security group.

Suggested Answer: E

Question 37

A security analyst is running a routine vulnerability scan against a web farm. The farm consists of a single server acting as a load-balancing reverse proxy and offloads cryptographic processes to the backend servers. The backend servers consist of four servers that process the inquiries for the front end.
 Image
A web service SSL query of each server responds with the same output:
Connected (0x000003)
depth=0 /0=farm.company.com/CN=farm.company.com/OU=Domain Control Validated
Which of the following results BEST addresses these findings?

A. Advise the application development team that the SSL certificates on the backend servers should be revoked and reissued to match their hostnames

B. Notify the application development team of the findings and advise management of the results

C. Create an exception in the vulnerability scanner, as the results are false positives and can be ignored safely

D. Require that the application development team renews the farm certificate and includes a wildcard for the 'local' domain in the certificate SAN field

Suggested Answer: C

Question 38

After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewing the following warning:
 Image
The analyst reviews a snippet of the offending code:
 Image
Which of the following is the BEST course of action based on the above warning and code snippet?

A. The analyst should implement a scanner exception for the false positive.

B. The system administrator should disable SSL and implement TLS.

C. The developer should review the code and implement a code fix.

D. The organization should update the browser GPO to resolve the issue.

Suggested Answer: D

Question 39

A cyber-incident response team is responding to a network intrusion incident on a hospital network. Which of the following must the team prepare to allow the data to be used in court as evidence?

A. Computer forensics form

B. HIPAA response form

C. Chain of custody form

D. Incident form

Suggested Answer: B

Question 40

A logistics company's vulnerability scan identifies the following vulnerabilities on Internet-facing devices in the DMZ:
✑ SQL injection on an infrequently used web server that provides files to vendors
✑ SSL/TLS not used for a website that contains promotional information
The scan also shows the following vulnerabilities on internal resources:
✑ Microsoft Office Remote Code Execution on test server for a human resources system
✑ TLS downgrade vulnerability on a server in a development network
In order of risk, which of the following should be patched FIRST?

A. Microsoft Office Remote Code Execution

B. SQL injection

C. SSL/TLS not used

D. TLS downgrade

Suggested Answer: A

Question 41

A vulnerability scan has returned the following information:
 Image
Which of the following describes the meaning of these results?

A. There is an unknown bug in a Lotus server with no Bugtraq ID.

B. Connecting to the host using a null session allows enumeration of share names.

C. Trend Micro has a known exploit that must be resolved or patched.

D. No CVE is present, so it is a false positive caused by Lotus running on a Windows server.

Suggested Answer: B

Question 42

A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops.
The solution should be able to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console.
Which of the following scanning topologies is BEST suited for this environment?

A. A passive scanning engine located at the core of the network infrastructure

B. A combination of cloud-based and server-based scanning engines

C. A combination of server-based and agent-based scanning engines

D. An active scanning engine installed on the enterprise console

Suggested Answer: D

Question 43

A security analyst is assisting with a computer crime investigation and has been asked to secure a PC and deliver it to the forensic lab. Which of the following items would be MOST helpful to secure the PC? (Choose three.)

A. Tamper-proof seals

B. Faraday cage

C. Chain of custody form

D. Drive eraser

E. Write blockers

F. Network tap

G. Multimeter

Suggested Answer: ABC

Question 44

The business has been informed of a suspected breach of customer data. The internal audit team, in conjunction with the legal department, has begun working with the cybersecurity team to validate the report. To which of the following response processes should the business adhere during the investigation?

A. The security analysts should not respond to internal audit requests during an active investigation

B. The security analysts should report the suspected breach to regulators when an incident occurs

C. The security analysts should interview system operators and report their findings to the internal auditors

D. The security analysts should limit communication to trusted parties conducting the investigation

Suggested Answer: D

Question 45

A vulnerability scan returned the following results for a web server that hosts multiple wiki sites:
Apache-HTTPD-cve-2014-023: Apache HTTPD: mod_cgid denial of service CVE-2014-0231
Due to a flaw found in mod_cgid, a server using mod_cgid to host CGI scripts could be vulnerable to a DoS attack caused by a remote attacker who is exploiting a weakness in non-standard input, causing processes to hang indefinitely.
 Image
The security analyst has confirmed the server hosts standard CGI scripts for the wiki sites, does not have mod_cgid installed, is running Apache 2.2.22, and is not behind a WAF. The server is located in the DMZ, and the purpose of the server is to allow customers to add entries into a publicly accessible database.
Which of the following would be the MOST efficient way to address this finding?

A. Place the server behind a WAF to prevent DoS attacks from occurring.

B. Document the finding as a false positive.

C. Upgrade to the newest version of Apache.

D. Disable the HTTP service and use only HTTPS to access the server.

Suggested Answer: B

Question 46

Law enforcement has contacted a corporation's legal counsel because correlated data from a breach shows the organization as the common denominator from all indicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach. Which of the following steps should be taken to prevent further disclosure of information about the breach?

A. Perform security awareness training about incident communication.

B. Request all employees verbally commit to an NDA about the breach.

C. Temporarily disable employee access to social media

D. Have law enforcement meet with employees.

Suggested Answer: A

Question 47

A security analyst is reviewing output from a CVE-based vulnerability scanner. Before conducting the scan, the analyst was careful to select only Windows-based servers in a specific datacenter. The scan revealed that the datacenter includes 27 machines running Windows 2003 Server Edition (Win2003SE). In 2015, there were 36 new vulnerabilities discovered in the Win2003SE environment. Which of the following statements are MOST likely applicable? (Choose two.)

A. Remediation is likely to require some form of compensating control.

B. Microsoft's published schedule for updates and patches for Win2003SE has continued uninterrupted.

C. Third-party vendors have addressed all of the necessary updates and patches required by Win2003SE.

D. The resulting report on the vulnerability scan should include some reference that the scan of the datacenter included 27 Win2003SE machines that should be scheduled for replacement and deactivation.

E. Remediation of all Win2003SE machines requires changes to configuration settings and compensating controls to be made through Microsoft Security Center's Win2003SE Advanced Configuration Toolkit.

Suggested Answer: D

Question 48

A company has monthly scheduled windows for patching servers and applying configuration changes. Out-of-window changes can be done, but they are discouraged unless absolutely necessary. The systems administrator is reviewing the weekly vulnerability scan report that was just released. Which of the following vulnerabilities should the administrator fix without waiting for the next scheduled change window?

A. The administrator should fix dns (53/tcp). BIND 'NAMED' is an open-source DNS server from ISC.org. The BIND-based NAMED server (or DNS servers) allow remote users to query for version and type information.

B. The administrator should fix smtp (25/tcp). The remote SMTP server is insufficiently protected against relaying. This means spammers might be able to use the company’s mail server to send their emails to the world.

C. The administrator should fix http (80/tcp). An information leak occurs on Apache web servers with the UserDir module enabled, allowing an attacker to enumerate accounts by requesting access to home directories and monitoring the response.

D. The administrator should fix http (80/tcp). The 'greeting.cgi' script is installed. This CGI has a well-known security flaw that lets anyone execute arbitrary commands with the privileges of the http daemon.

E. The administrator should fix general/tcp. The remote host does not discard TCP SYN packets that have the FIN flag set. Depending on the kind of firewall a company is using, an attacker may use this flaw to bypass its rules.

 


Suggested Answer: B

Community Answer: D

 

Question 49

An organization has recently found some of its sensitive information posted to a social media site. An investigation has identified large volumes of data leaving the network with the source traced back to host 192.168.1.13. An analyst performed a targeted Nmap scan of this host with the results shown below:
[Image: Nmap scan results for host 192.168.1.13]
Subsequent investigation has allowed the organization to conclude that all of the well-known, standard ports are secure. Which of the following services is the problem?

A. winHelper

B. ssh

C. rpcbind

D. timbuktu-serv1

E. mysql

 


Suggested Answer: D

 

Question 50

When reviewing the system logs, the cybersecurity analyst noticed a suspicious log entry: wmic /node: HRDepartment1 computersystem get username
Which of the following combinations describes what occurred, and what action should be taken in this situation?

A. A rogue user has queried for users logged in remotely. Disable local access to network shares.

B. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command.

C. A rogue user has queried for the administrator logged into the system. Disable local access to use cmd prompt.

D. A rogue user has queried for users logged in remotely. Attempt to determine who executed the command.

 


Suggested Answer: D

 

Free Access Full CS0-001 Practice Exam Free

Looking for additional practice? Click here to access a full set of CS0-001 practice exam free questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your CS0-001 certification journey!

PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.