A security analyst is researching ways to improve the security of a company's email system to mitigate emails that are impersonating company executives. Which of the following would be BEST for the analyst to configure to achieve this objective?

A. A TXT record on the name server for SPF

B. DNSSEC keys to secure replication

C. Domain Keys Identified Mail

D. A sandbox to check incoming mail

A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the following is the analyst MOST likely executing?

A. Requirements analysis and collection planning

B. Containment and eradication

C. Recovery and post-incident review

D. Indicator enrichment and research pivoting

A security analyst has discovered malware is spreading across multiple critical systems and is originating from a single workstation, which belongs to a member of the cyberinfrastructure team who has legitimate administrator credentials. An analysis of the traffic indicates the workstation swept the network looking for vulnerable hosts to infect. Which of the following would have worked BEST to prevent the spread of this infection?

A. Vulnerability scans of the network and proper patching

B. A properly configured and updated EDR solution

C. A honeynet used to catalog the anomalous behavior and update the IPS

D. Logical network segmentation and the use of jump boxes

A development team signed a contract that requires access to an on-premises physical server Access must be restricted to authorized users only and cannot be connected to the internet Which of the following solutions would meet this requirement?

A. Establish a hosted SSO

B. Implement a CASB

C. Virtualize the server

D. Air gap the server

A security analyst found the following entry in a server log:
 
The analyst executed netstat and received the following output:
 
Which of the following lines in the output confirms this was successfully executed by the server?

A. 1

B. 2

C. 3

D. 4

E. 5

F. 6

G. 7

An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company. Which of the following technical controls would BEST accomplish this goal?

A. DLP

B. Encryption

C. Data masking

D. SPF

A user reports a malware alert to the help desk. A technician verifies the alert, determines the workstation is classified as a low-severity device, and uses network controls to block access. The technician then assigns the ticket to a security analyst who will complete the eradication and recovery processes. Which of the following should the security analyst do NEXT?

A. Document the procedures and walkthrough the incident training guide

B. Reverse engineer the malware to determine its purpose and risk to the organization

C. Sanitize the workstation and verify countermeasures are restored

D. Isolate the workstation and issue a new computer to the user

A security analyst is supporting an embedded software team. Which of the following is the best recommendation to ensure proper error handling at runtime?

A. Perform static code analysis.

B. Require application fuzzing.

C. Enforce input validation.

D. Perform a code review.

During an incident response procedure, a security analyst acquired the needed evidence from the hard drive of a compromised machine. Which of the following actions should the analyst perform NEXT to ensure the data integrity of the evidence?

A. Generate hashes for each file from the hard drive.

B. Create a chain of custody document.

C. Determine a timeline of events using correct time synchronization.

D. Keep the cloned hard drive in a safe place.

A company recently hired a new SOC provider and implemented new incident response procedures. Which of the following conjoined approaches would MOST likely be used to evaluate the new implementations for monitoring and incident response at the same time? (Choose two.)

A. Blue-team exercise

B. Disaster recovery exercise

C. Red-team exercise

D. Gray-box penetration test

E. Tabletop exercise

F. Risk assessment

Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

A. Reverse engineering

B. Application log collectors

C. Workflow orchestration

D. API integration

E. Scripting

Which of the following SCAP standards provides standardization for measuring and describing the severity of security-related software flaws?

A. OVAL

B. CVSS

C. CVE

D. CCE

A security officer needs to find a solution to the current data privacy and protection gap found in the last security assessment. Which of the following is the most cost-effective solution?

A. Require users to sign NDAs.

B. Create a data minimization plan.

C. Add access control requirements.

D. Implement a data loss prevention solution.

A small marketing firm uses many SaaS applications that hold sensitive information. The firm has discovered terminated employees are retaining access to systems for many weeks after their end date. Which of the following would BEST resolve the issue of lingering access?

A. Perform weekly manual reviews on system access to uncover any issues.

B. Set up a privileged access management tool that can fully manage privileged account access.

C. Implement MFA on cloud-based systems.

D. Configure federated authentication with SSO on cloud provider systems.

An analyst is responding to an incident within a cloud infrastructure. Based on the logs and traffic analysis, the analyst thinks a container has been compromised.
Which of the following should the analyst do FIRST?

A. Perform threat hunting in other areas of the cloud infrastructure.

B. Contact law enforcement to report the incident.

C. Perform a root cause analysis on the container and the service logs.

D. Isolate the container from production using a predefined policy template.

Which of the following types of controls defines placing an ACL on a file folder?

A. Technical control

B. Confidentiality control

C. Managerial control

D. Operational control

A financial organization has offices located globally. Per the organization's policies and procedures, all executives who conduct business overseas must have their mobile devices checked for malicious software or evidence of tampering upon their return. The information security department oversees this process, and no executive has had a device compromised. The Chief Information Security Officer wants to implement an additional safeguard to protect the organization's data.
Which of the following controls would work BEST to protect the privacy of the data if a device is stolen?

A. Implement a mobile device wiping solution for use if a device is lost or stolen.

B. Install a DLP solution to track data flow.

C. Install an encryption solution on all mobile devices.

D. Train employees to report a lost or stolen laptop to the security department immediately.

While conducting a network infrastructure review, a security analyst discovers a laptop that is plugged into a core switch and hidden behind a desk. The analyst sees the following on the laptop's screen:
[*] [NBT-NS] Poisoned answer sent to 192.169.23.115 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.115 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.115
[SMBv2] NTLMv2-SSP Username : CORPjsmith
[SMBv2] NTLMv2-SSP Hash : F5DBF769CFEA7...
[*] [NBT-NS] Poisoned answer sent to 192.169.23.24 for name FILE-SHARE-A (service: File Server)
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[*] [LLMNR] Poisoned answer sent to 192.168.23.24 for name FILE-SHARE-A
[SMBv2] NTLMv2-SSP Client : 192.168.23.24
[SMBv2] NTLMv2-SSP Username : CORPprogers
[SMBv2] NTLMv2-SSP Hash : 6D093BE2FDD70A...
Which of the following is the BEST action for the security analyst to take?

A. Force all users in the domain to change their passwords at the next login.

B. Disconnect the laptop and ask the users jsmith and progers to log out.

C. Take the FILE-SHARE-A server offline and scan it for viruses.

D. Initiate a scan of devices on the network to find password-cracking tools.

An internally developed file-monitoring system identified the following excerpt as causing a program to crash often: char filedata[100]; fp = fopen(`access.log`, `r`); srtcopy (filedata, fp); printf (`%sn`, filedata);
Which of the following should a security analyst recommend to fix the issue?

A. Open the access.log file in read/write mode.

B. Replace the strcpy function.

C. Perform input sanitization.

D. Increase the size of the file data butter.

A Chief Information Security Officer (CISO) is concerned about new privacy regulations that apply to the company. The CISO has tasked a security analyst with finding the proper control functions to verify that a user's data is not altered without the user's consent. Which of the following would be an appropriate course of action?

A. Automate the use of a hashing algorithm after verified users make changes to their data.

B. Use encryption first and then hash the data at regular, defined times.

C. Use a DLP product to monitor the data sets for unauthorized edits and changes.

D. Replicate the data sets at regular intervals and continuously compare the copies for unauthorized changes.

Which of the following BEST explains the function of trusted firmware updates as they relate to hardware assurance?

A. Trusted firmware updates provide organizations with development, compilation, remote access, and customization for embedded devices.

B. Trusted firmware updates provide organizations with security specifications, open-source libraries, and custom tools for embedded devices.

C. Trusted firmware updates provide organizations with remote code execution, distribution, maintenance, and extended warranties for embedded devices.

D. Trusted firmware updates provide organizations with secure code signing, distribution, installation, and attestation for embedded devices.

A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor’s instructions and generated a report of vulnerabilities that ran against the same target server.
Tool A reported the following:
 
Tool B reported the following:
 
Which of the following best describes the method used by each tool? (Choose two.)

A. Tool A is agent based.

B. Tool A used fuzzing logic to test vulnerabilities.

C. Tool A is unauthenticated.

D. Tool B utilized machine learning technology.

E. Tool B is agent based.

F. Tool B is unauthenticated.

An analyst receives artifacts from a recent intrusion and is able to pull a domain, IP address, email address, and software version. Which of the following points of the Diamond Model of Intrusion Analysis does this intelligence represent?

A. Infrastructure

B. Capabilities

C. Adversary

D. Victims

A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the following would BEST accomplish this goal?

A. Geotagging

B. IP restrictions

C. Reverse proxy

D. Single sign-on

A security analyst at an organization is reviewing vulnerability reports from a newly deployed vulnerability management platform. The organization is not receiving information about devices that rarely connect to the network. Which of the following will the analyst most likely do to obtain vulnerability information about these devices?

A. Add administrator credentials to mobile devices.

B. Utilize cloud-based agents.

C. Deploy a VPC in front of a NAC.

D. Implement MDM.

A manufacturing company uses a third-party service provider for Tier 1 security support. One of the requirements is that the provider must only source talent from its own country due to geopolitical and national security interests. Which of the following can the manufacturing company implement to ensure the third-party service provider meets this requirement?

A. Implement a secure supply chain program with governance.

B. Implement blacklisting for IP addresses from outside the country

C. Implement strong authentication controls for all contractors.

D. Implement user behavior analytics for key staff members.

While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?

A. Block the sender in the email gateway.

B. Delete the email from the company’s email servers.

C. Ask the sender to stop sending messages.

D. Review the message in a secure environment.

A security analyst needs to assess the web-server versions on a list of hosts to determine which are running a vulnerable version of the software and then output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt. Which of the following Nmap commands would BEST accomplish this goal?

A. nmap –iL webserverlist.txt –sC –p 443 –oX webserverlist.xml

B. nmap –iL webserverlist.txt –sV –p 443 –oX webserverlist.xml

C. nmap –iL webserverlist.txt –F –p 443 –oX weberserverlist.xml

D. nmap –takefile webserverlist.txt –outputfileasXML webserverlist.xml –scanports 443

A security analyst reviews a recent network capture and notices encrypted inbound traffic on TCP port 465 was coming into the company's network from a database server. Which of the following will the security analyst MOST likely identify as the reason for the traffic on this port?

A. The server is configured to communicate on the secure database standard listener port.

B. Someone has configured an unauthorized SMTP application over SSL.

C. A connection from the database to the web front end is communicating on the port.

D. The server is receiving a secure connection using the new TLS 1.3 standard.

An email analysis system notifies a security analyst that the following message was quarantined and requires further review.
From:
CEO@CompTIA.org

A. Release the email for delivery due to its importance.

B. Immediately contact a purchasing agent to expedite.

C. Delete the email and block the sender.

D. Purchase the gift cards and submit an expense report

While observing several host machines, a security analyst notices a program is overwriting data to a buffer. Which of the following controls will best mitigate this issue?

A. Data execution prevention

B. Output encoding

C. Prepared statements

D. Parameterized queries

The Chief Information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue?

A. Include digital signatures on messages originating within the company.

B. Require users to authenticate to the SMTP server.

C. Implement DKIM to perform authentication that will prevent the issue.

D. Set up an email analysis solution that looks for known malicious links within the email.

A security team has begun updating the risk management plan, incident response plan, and system security plan to ensure compliance with security review guidelines. Which of the following can be executed by internal managers to simulate and validate the proposed changes?

A. Internal management review

B. Control assessment

C. Tabletop exercise

D. Peer review

A security analyst inspects the header of an email that is presumed to be malicious and sees the following:
 
Which of the following is inconsistent with the rest of the header and should be treated as suspicious?

A. The use of a TLS cipher

B. The sender’s email address

C. The destination email server

D. The subject line

A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:
 
Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

A. PC1

B. PC2

C. Server1

D. Server2

E. Firewall

A security analyst reviews SIEM logs and detects a well-known malicious executable running in a Windows machine. The up-to-date antivirus cannot detect the malicious executable. Which of the following is the MOST likely cause of this issue?

A. The malware fileless and exists only in physical memory.

B. The malware detects and prevents its own execution in a virtual environment

C. The antivirus does not have the malware’s signature.

D. The malware is being executed with administrative privileges.

During an incident, an analyst works closely with specific team members. Which of the following best explains why communication is limited to specific team members?

A. To determine when information can be released

B. To provide rules and regulations on reporting requirements

C. To prevent an inadvertent release of information

D. To determine who can participate

A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future?

A. Enabling sandboxing technology

B. Purchasing cyber insurance

C. Enabling application blacklisting

D. Installing a firewall between the workstations and internet

A company uses self-signed certificates when sending emails to recipients within the company. Users are calling the help desk because they are getting warnings when attempting to open emails sent by internal users. A security analyst checks the certificates and sees the following
 
Which of the following should the security analyst conclude?

A. user@company.com is a malicious insider.

B. The valid dates are too far apart and are generating the alerts

C. certServer has been compromised

D. The root certificate was not installed in the trusted store.

A security analyst sees the following OWASP ZAP output from a scan that was performed against a modern version of Windows while testing for client-side vulnerabilities:
 
Which of the following is the MOST likely solution to the listed vulnerability?

A. Enable the browser’s XSS filter.

B. Enable Windows XSS protection.

C. Enable the private browsing mode.

D. Enable server-side XSS protection.

A company's Chief Information Officer wants to use a CASB solution to ensure policies are being met during cloud access. Due to the nature of the company's business and risk appetite, the management team elected to not store financial information in the cloud. A security analyst needs to recommend a solution to mitigate the threat of financial data leakage into the cloud. Which of the following should the analyst recommend?

A. Utilize the CASB to enforce DLP data-at-rest protection for financial information that is stored on premises.

B. Do not utilize the CASB solution for this purpose, but add DLP on premises for data in motion.

C. Utilize the CASB to enforce DLP data-in-motion protection for financial information moving to the cloud.

D. Do not utilize the CASB solution for this purpose, but add DLP on premises for data at rest.

A company's domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the analyst finds the following: v=DMARC1; p=none; fo=0; rua=mailto:
security@company.com
; ruf=mailto:
security@company.com
; adkim=r; rf=afrf; ri=86400;
Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers?

A. The DMARC record’s DKIM alignment tag is incorrectly configured.

B. The DMARC record’s policy tag is incorrectly configured.

C. The DMARC record does not have an SPF alignment tag.

D. The DMARC record’s version tag is set to DMARC1 instead of the current version, which is DMARC3.

A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security. To BEST complete this task, the analyst should place the:

A. firewall behind the VPN server.

B. VPN server parallel to the firewall

C. VPN server behind the firewall.

D. VPN on the firewall.

When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal?

A. nmap –sA –O -noping

B. nmap –sT –O -Pn

C. nmap –sS –O -Pn

D. nmap –sQ –O -Pn

A threat hunting team received a new IoC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

A. The whitelist

B. The DNS

C. The blocklist

D. The IDS signature

The security team decides to meet informally to discuss and test their response plan for potential security breaches and emergency situations. Which of the following types of training will the security team perform?

A. Tabletop exercise

B. Red-team attack

C. System assessment implementation

D. Blue-team training

E. White-team engagement

Forming a hypothesis, looking for indicators of compromise, and using the findings to proactively improve detection capabilities are examples of the value of:

A. vulnerability scanning.

B. threat hunting.

C. red teaming.

D. penetration testing.

A company has started planning the implementation of a vulnerability management procedure. However, its security maturity level is low. So there are some prerequisites to complete before risk calculation and prioritization.
Which of the following should be completed FIRST?

A. A business impact analysis

B. A system assessment

C. Communication of the risk factors

D. A risk identification process

A small business does not have enough staff in the accounting department to segregate duties. The comptroller writes the checks for the business and reconciles them against the ledger. To ensure there is no fraud occurring, the business conducts quarterly reviews in which a different officer in the business compares all the cleared checks against the ledger. Which of the following BEST describes this type of control?

A. Deterrent

B. Preventive

C. Compensating

D. Detective

Which of the following techniques can be implemented to safeguard the confidentiality of sensitive information while allowing limited access to authorized individuals?

A. Deidentification

B. Hashing

C. Masking

D. Salting