CS0-003 Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your CS0-003 certification exam? Start your preparation the smart way with our CS0-003 Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free CS0-003 mock test is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our CS0-003 Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
A leader on the vulnerability management team is trying to reduce the team's workload by automating some simple but time-consuming tasks. Which of the following activities should the team leader consider first?
A. Assigning a custom recommendation for each finding
B. Analyzing false positives
C. Rendering an additional executive report
D. Regularly checking agent communication with the central console
Which of the following best describes the actions taken by an organization after the resolution of an incident that addresses issues and reflects on the growth opportunities for future incidents?
A. Lessons learned
B. Scrum review
C. Root cause analysis
D. Regulatory compliance
Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:
Which of the following should the security analyst prioritize for remediation?
A. rogers
B. brady
C. brees
D. manning
A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following: Which of the following are most likely occurring, based on the MFA logs? (Choose two.)
A. Dictionary attack
B. Push phishing
C. Impossible geo-velocity
D. Subscriber identity module swapping
E. Rogue access point
F. Password spray
Which of the following is an important aspect that should be included in the lessons-learned step after an incident?
A. Identify any improvements or changes in the incident response plan or procedures
B. Determine if an internal mistake was made and who did it so they do not repeat the error
C. Present all legal evidence collected and turn it over to law enforcement
D. Discuss the financial impact of the incident to determine if security controls are well spent
A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?
A. Service-level agreement
B. Change management plan
C. Incident response plan
D. Memorandum of understanding
Which of the following statements best describes the MITRE ATT&CK framework?
A. It provides a comprehensive method to test the security of applications.
B. It provides threat intelligence sharing and development of action and mitigation strategies.
C. It helps identify and stop enemy activity by highlighting the areas where an attacker functions.
D. It tracks and understands threats and is an open-source project that evolves.
E. It breaks down intrusions into a clearly defined sequence of phases.
A cybersecurity analyst is recording the following details:
- ID
- Name
- Description
- Classification of information
- Responsible party
In which of the following documents is the analyst recording this information?
A. Risk register
B. Change control documentation
C. Incident response playbook
D. Incident response plan
A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below: Which of the following systems should be prioritized for patching?
A. brown
B. grey
C. blane
D. sullivan
An organization's email account was compromised by a bad actor. Given the following information: Which of the following is the length of time the team took to detect the threat?
A. Data masking
B. Hashing
C. Watermarking
D. Encoding
An analyst is reviewing system logs while threat hunting: Which of the following hosts should be investigated first?
A. PC1
B. PC2
C. PC3
D. PC4
E. PC5
Given the following CVSS string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Which of the following attributes correctly describes this vulnerability?
A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.
Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Choose two.)
A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS
A regulated organization experienced a security breach that exposed a list of customer names with corresponding PII data. Which of the following is the best reason for developing the organization's communication plans?
A. For the organization’s public relations department to have a standard notification
B. To ensure incidents are immediately reported to a regulatory agency
C. To automate the notification to customers who were impacted by the breach
D. To have approval from executive leadership on when communication should occur
The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?
A. A mean time to remediate of 30 days
B. A mean time to detect of 45 days
C. A mean time to respond of 15 days
D. Third-party application testing
A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
A. Scan the employee’s computer with virus and malware tools
B. Review the actions taken by the employee and the email related to the event
C. Contact human resources and recommend the termination of the employee
D. Assign security awareness training to the employee involved in the incident
Which of the following is a commonly used four-component framework to communicate threat actor behavior?
A. STRIDE
B. Diamond Model of Intrusion Analysis
C. Cyber Kill Chain
D. MITRE ATT&CK
To minimize the impact of a security incident, a cybersecurity analyst has configured audit settings in the organization’s cloud services. Which of the following security controls has the analyst configured?
A. Preventive
B. Corrective
C. Directive
D. Detective
The security team reviews a web server for XSS and runs the following Nmap scan: Which of the following most accurately describes the result of the scan?
A. An output of characters > and " as the parameters used in the attempt
B. The vulnerable parameter ID http://172.31.15.2/1.php?id-2 and unfiltered characters returned
C. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe
D. The vulnerable parameter and characters > and " with a reflected XSS attempt
A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?
A. Firewall logs
B. Indicators of compromise
C. Risk assessment
D. Access control lists
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list: Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?
A. SQL01
B. WK10-Sales07
C. WK7-Plant01
D. DCEast01
E. HQAdmin9
Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?
A. SLA
B. LOI
C. MOU
D. KPI
An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?
A. Publicly disclose the request to other vendors
B. Notify the departments involved to preserve potentially relevant information
C. Establish a chain of custody starting with the attorney’s request
D. Back up the mailboxes on the server and provide the attorney with a copy
A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?
A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls
The management team requests monthly KPI reports on the company’s cybersecurity program. Which of the following KPIs would identify how long a security threat goes unnoticed in the environment?
A. Employee turnover
B. Intrusion attempts
C. Mean time to detect
D. Level of preparedness
An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)
A. Beaconing
B. Domain Name System hijacking
C. Social engineering attack
D. On-path attack
E. Obfuscated links
F. Address Resolution Protocol poisoning
After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?
A. DNS poisoning
B. Pharming
C. Phishing
D. Cross-site scripting
An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?
A. Take a snapshot of the compromised server and verify its integrity
B. Restore the affected server to remove any malware
C. Contact the appropriate government agency to investigate
D. Research the malware strain to perform attribution
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications
The SOC received a threat intelligence notification indicating that an employee’s credentials were found on the dark web. The user’s web and log-in activities were reviewed for malicious or anomalous connections, data uploads/downloads, and exploits. A review of the controls confirmed multifactor authentication was enabled. Which of the following should be done first to mitigate impact to the business networks and assets?
A. Perform a forced password reset.
B. Communicate the compromised credentials to the user.
C. Perform an ad hoc AV scan on the user’s laptop.
D. Review and ensure privileges assigned to the user’s account reflect least privilege.
E. Lower the thresholds for SOC alerting of suspected malicious activity.
A security analyst scans a host and generates the following output: Which of the following best describes the output?
A. The host is unresponsive to the ICMP request.
B. The host is running a vulnerable mail server.
C. The host is allowing unsecured FTP connections.
D. The host is vulnerable to web-based exploits.
A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?
A. Deploy a WAF to the front of the application.
B. Replace the current MD5 with SHA-256.
C. Deploy an antivirus application on the hosting system.
D. Replace the MD5 with digital signatures.
A threat hunter seeks to identify new persistence mechanisms installed in an organization’s environment. In collecting scheduled tasks from all enterprise workstations, the following host details are aggregated: Which of the following actions should the hunter perform first based on the details above?
A. Acquire a copy of taskhw.exe from the impacted host.
B. Scan the enterprise to identify other systems with taskhdw.exe present.
C. Perform a public search for malware reports on the taskhw.exe.
D. Change the account that runs the taskhw.exe scheduled task.
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?
A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates
A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?
A. Create a timeline of events detailing the date stamps, user account, hostname, and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password-protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional
Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
A. Log retention
B. Log rotation
C. Maximum log size
D. Threshold value
A penetration tester submitted data to a form in a web application, which enabled the penetration tester to retrieve user credentials. Which of the following should be recommended for remediation of this application vulnerability?
A. Implementing multifactor authentication on the server OS
B. Hashing user passwords on the web application
C. Performing input validation before allowing submission
D. Segmenting the network between the users and the web server
A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?
A. config.ini
B. ntds.dit
C. Master boot record
D. Registry
An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?
A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?
A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L
B. CVSS:3.1/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
C. CVSS:3.1/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H
D. CVSS:3.1/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H
An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R Which of the following represents the exploit code maturity of this critical vulnerability?
A. E:U
B. S:C
C. RC:R
D. AV:N
E. AC:L
Which of the following can be used to learn more about TTPs used by cybercriminals?
A. ZenMAP
B. MITRE ATT&CK
C. National Institute of Standards and Technology
D. theHarvester
A vulnerability scanner generates the following output: The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?
A. Oracle JDK
B. Cisco Webex
C. Redis Server
D. SSL Self-signed Certificate
An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?
A. DKIM
B. SPF
C. SMTP
D. DMARC
The email system administrator for an organization configured DKIM signing for all email legitimately sent by the organization. Which of the following would most likely indicate an email is malicious if the company's domain name is used as both the sender and the recipient?
A. The message fails a DMARC check
B. The sending IP address is the hosting provider
C. The signature does not meet corporate standards
D. The sender and reply address are different
Which of the following best describes the key elements of a successful information security program?
A. Business impact analysis, asset and change management, and security communication plan
B. Security policy implementation, assignment of roles and responsibilities, and information asset classification
C. Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies
D. Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems
A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP; at other times, it is accessible through HTTPS. Which of the following most likely describes the observed activity?
A. There is an issue with the SSL certificate causing port 443 to become unavailable for HTTPS access
B. An on-path attack is being performed by someone with internal access that forces users into port 80
C. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80
D. An error was caused by BGP due to new rules applied over the company’s internal routers
A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
A. The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud