Summer Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

CompTIA CS0-003 CompTIA CyberSecurity Analyst CySA+ Certification Exam Exam Practice Test

Demo: 146 questions
Total 487 questions

CompTIA CyberSecurity Analyst CySA+ Certification Exam Questions and Answers

Question 1

A Chief Information Security Officer (CISO) has determined through lessons learned and an associated after-action report that staff members who use legacy applications do not adequately understand how to differentiate between non-malicious emails and phishing emails. Which of the following should the CISO include in an action plan to remediate this issue?

Options:

A.

Awareness training and education

B.

Replacement of legacy applications

C.

Organizational governance

D.

Multifactor authentication on all systems

Question 2

Which of the following is the best authentication method to secure access to sensitive data?

Options:

A.

An assigned device that generates a randomized code for login

B.

Biometrics and a device with a personalized code for login

C.

Alphanumeric/special character username and passphrase for login

D.

A one-time code received by email and push authorization for login

Question 3

A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system

owners to help determine the best methodology that seeks to promote confidentiality, availability, and integrity of the data being hosted. Which of the following should the security analyst perform first to

categorize and prioritize the respective systems?

Options:

A.

Interview the users who access these systems,

B.

Scan the systems to see which vulnerabilities currently exist.

C.

Configure alerts for vendor-specific zero-day exploits.

D.

Determine the asset value of each system.

Question 4

A security analyst is reviewing a recent vulnerability scan report for a new server infrastructure. The analyst would like to make the best use of time by resolving the most critical vulnerability first. The following information is provided:

Which of the following should the analyst concentrate remediation efforts on first?

Options:

A.

SVR01

B.

SVR02

C.

SVR03

D.

SVR04

Question 5

A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to

reduce risks associated with the application development?

Options:

A.

Perform static analyses using an integrated development environment.

B.

Deploy compensating controls into the environment.

C.

Implement server-side logging and automatic updates.

D.

Conduct regular code reviews using OWASP best practices.

Question 6

Following an attack, an analyst needs to provide a summary of the event to the Chief Information Security Officer. The summary needs to include the who-what-when information and evaluate the effectiveness of the plans in place. Which of the following incident management life cycle processes

does this describe?

Options:

A.

Business continuity plan

B.

Lessons learned

C.

Forensic analysis

D.

Incident response plan

Question 7

An analyst reviews a recent government alert on new zero-day threats and finds the following CVE metrics for the most critical of the vulnerabilities:

CVSS: 3.1/AV:N/AC: L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:W/RC:R

Which of the following represents the exploit code maturity of this critical vulnerability?

Options:

A.

E:U

B.

S:C

C.

RC:R

D.

AV:N

E.

AC:L

Question 8

A security analyst needs to identify the devices in a critical infrastructure network that handles an oil and gas pipeline. The network has devices connected over IPv4 using either HTTP or Modbus protocols running on the standard ports. Which of the following approaches should the analyst use to achieve the objective?

Options:

A.

Employ the IT vulnerability scanner to target ports 80 and 502.

B.

Use banner grabbing with Netcat on TCP ports 80 and 502.

C.

Perform an Nmap -sS -A -p 80,502 scan.

D.

Scan the ICS network using Masscan --open-only -p80,502.

Question 9

A systems administrator receives several reports about emails containing phishing links. The hosting domain is always different, but the URL follows a specific pattern of characters. Which of the following is the best way for the administrator to find more messages that were not reported?

Options:

A.

Search email logs for a regular expression

B.

Open a support ticket with the email hosting provider

C.

Send a memo to all staff asking them to report suspicious emails

D.

Query firewall logs for any traffic with a suspicious website

Question 10

A security analyst would like to integrate two different SaaS-based security tools so that one tool can notify the other in the event a threat is detected. Which of the following should the analyst utilize to best accomplish this goal?

Options:

A.

SMB share

B.

API endpoint

C.

SMTP notification

D.

SNMP trap

Question 11

Which of the following would help to minimize human engagement and aid in process improvement in security operations?

Options:

A.

OSSTMM

B.

SIEM

C.

SOAR

D.

QVVASP

Question 12

You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following.

    There must be one primary server or service per device.

    Only default port should be used

    Non- secure protocols should be disabled.

    The corporate internet presence should be placed in a protected subnet

Instructions :

    Using the available tools, discover devices on the corporate network and the services running on these devices.

You must determine

    ip address of each device

    The primary server or service each device

    The protocols that should be disabled based on the hardening guidelines

Options:

Question 13

Which of the following entities should an incident manager work with to ensure correct processes are adhered to when communicating incident reporting to the general public, as a best practice? (Select two).

Options:

A.

Law enforcement

B.

Governance

C.

Legal

D.

Manager

E.

Public relations

F.

Human resources

Question 14

During a routine review, a security analyst identifies an unusual volume of traffic going to a local network workstation. The analyst extracts the traffic to a pcap file. To analyze the content, the analyst runs the command tcpdump -n -r file.pcap udp and port 53 and receives the following output:

Which of the following conclusions will the analyst reach based on the pcap analysis?

Options:

A.

The traffic captured a meterpreter payload delivery.

B.

The traffic shows data exfiltration.

C.

The traffic identified a Structured Query Language Injection attack.

D.

The traffic Is associated with Domain Name System Security Extensions.

E.

The traffic is normal on a Unix-based network.

Question 15

A company is concerned with finding sensitive file storage locations that are open to the public. The current internal cloud network is flat. Which of the following is the best solution to secure the network?

Options:

A.

Implement segmentation with ACLs.

B.

Configure logging and monitoring to the SIEM.

C.

Deploy MFA to cloud storage locations.

D.

Roll out an IDS.

Question 16

An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?

Options:

A.

Hard disk

B.

Primary boot partition

C.

Malicious tiles

D.

Routing table

E.

Static IP address

Question 17

A security analyst needs to secure digital evidence related to an incident. The security analyst must ensure that the accuracy of the data cannot be repudiated. Which of the following should be implemented?

Options:

A.

Offline storage

B.

Evidence collection

C.

Integrity validation

D.

Legal hold

Question 18

A healthcare organization must develop an action plan based on the findings from a risk assessment. The action plan must consist of risk categorization and prioritization.

INSTRUCTIONS

-

Click on the audit report and risk matrix to review their contents.

Assign a categorization to each risk and determine the order in which the findings must be prioritized for remediation according to the risk rating score.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

Options:

Question 19

Which of the following is most appropriate to use with SOAR when the security team would like to automate actions across different vendor platforms?

Options:

A.

STIX/TAXII

B.

APIs

C.

Data enrichment

D.

Threat feed

Question 20

An employee is no longer able to log in to an account after updating a browser. The employee usually has several tabs open in the browser. Which of

the following attacks was most likely performed?

Options:

A.

RFI

B.

LFI

C.

CSRF

D.

XSS

Question 21

A laptop that is company owned and managed is suspected to have malware. The company implemented centralized security logging. Which of the following log sources will confirm the malware infection?

Options:

A.

XDR logs

B.

Firewall logs

C.

IDS logs

D.

MFA logs

Question 22

A security analyst has just received an incident ticket regarding a ransomware attack. Which of the following would most likely help an analyst properly triage the ticket?

Options:

A.

Incident response plan

B.

Lessons learned

C.

Playbook

D.

Tabletop exercise

Question 23

After updating the email client to the latest patch, only about 15% of the workforce is able to use email. Windows 10 users do not experience issues, but Windows 11 users have constant issues. Which of the

following did the change management team fail to do?

Options:

A.

Implementation

B.

Testing

C.

Rollback

D.

Validation

Question 24

A security team identified several rogue Wi-Fi access points during the most recent network scan. The network scans occur once per quarter. Which of the following controls would best all ow the organization to identity rogue

devices more quickly?

Options:

A.

Implement a continuous monitoring policy.

B.

Implement a BYOD policy.

C.

Implement a portable wireless scanning policy.

D.

Change the frequency of network scans to once per month.

Question 25

A security analyst scans a host and generates the following output:

Which of the following best describes the output?

Options:

A.

The host is unresponsive to the ICMP request.

B.

The host Is running a vulnerable mall server.

C.

The host Is allowlng unsecured FTP connectlons.

D.

The host is vulnerable to web-based exploits.

Question 26

A report contains IoC and TTP information for a zero-day exploit that leverages vulnerabilities in a specific version of a web application. Which of the following actions should a SOC analyst take first after receiving the report?

Options:

A.

Implement a vulnerability scan to determine whether the environment is at risk.

B.

Block the IP addresses and domains from the report in the web proxy and firewalls.

C.

Verify whether the information is relevant to the organization.

D.

Analyze the web application logs to identify any suspicious or malicious activity.

Question 27

A security audit for unsecured network services was conducted, and the following output was generated:

Which of the following services should the security team investigate further? (Select two).

Options:

A.

21

B.

22

C.

23

D.

636

E.

1723

F.

3389

Question 28

Which of the following is the best framework for assessing how attackers use techniques over an infrastructure to exploit a target’s information assets?

Options:

A.

Structured Threat Information Expression

B.

OWASP Testing Guide

C.

Open Source Security Testing Methodology Manual

D.

Diamond Model of Intrusion Analysis

Question 29

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

Options:

A.

Beaconinq

B.

Domain Name System hijacking

C.

Social engineering attack

D.

On-path attack

E.

Obfuscated links

F.

Address Resolution Protocol poisoning

Question 30

A security analyst is reviewing the following alert that was triggered by FIM on a critical system:

Which of the following best describes the suspicious activity that is occurring?

Options:

A.

A fake antivirus program was installed by the user.

B.

A network drive was added to allow exfiltration of data

C.

A new program has been set to execute on system start

D.

The host firewall on 192.168.1.10 was disabled.

Question 31

A systems administrator is reviewing the output of a vulnerability scan.

INSTRUCTIONS

Review the information in each tab.

Based on the organization ' s environment architecture and remediation standards,

select the server to be patched within 14 days and select the appropriate technique

and mitigation.

Options:

Question 32

A company is deploying new vulnerability scanning software to assess its systems. The current network is highly segmented, and the networking team wants to minimize the number of unique firewall rules. Which of the following scanning techniques would be most efficient to achieve the objective?

Options:

A.

Deploy agents on all systems to perform the scans.

B.

Deploy a central scanner and perform non-credentialed scans.

C.

Deploy a cloud-based scanner and perform a network scan.

D.

Deploy a scanner sensor on every segment and perform credentialed scans.

Question 33

An organization ' s threat intelligence team notes a recent trend in adversary privilege escalation procedures. Multiple threat groups have been observed utilizing native Windows tools to bypass system controls and execute commands with privileged credentials. Which of the following controls would be most effective to reduce the rate of success of such attempts?

Options:

A.

Disable administrative accounts for any operations.

B.

Implement MFA requirements for all internal resources.

C.

Harden systems by disabling or removing unnecessary services.

D.

Implement controls to block execution of untrusted applications.

Question 34

During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee ' s

personal email. Which of the following should the analyst recommend be done first?

Options:

A.

Place a legal hold on the employee ' s mailbox.

B.

Enable filtering on the web proxy.

C.

Disable the public email access with CASB.

D.

Configure a deny rule on the firewall.

Question 35

Which of the following is an important aspect that should be included in the lessons-learned step after an incident?

Options:

A.

Identify any improvements or changes in the incident response plan or procedures

B.

Determine if an internal mistake was made and who did it so they do not repeat the error

C.

Present all legal evidence collected and turn it over to iaw enforcement

D.

Discuss the financial impact of the incident to determine if security controls are well spent

Question 36

A SOC receives several alerts indicating user accounts are connecting to the company’s identity provider through non-secure communications. User credentials for accessing sensitive, business-critical systems could be exposed. Which of the following logs should the SOC use when determining malicious intent?

Options:

A.

DNS

B.

tcpdump

C.

Directory

D.

IDS

Question 37

The security team at a company, which was a recent target of ransomware, compiled a list of hosts that were identified as impacted and in scope for this incident. Based on the following host list:

Which of the following systems was most pivotal to the threat actor in its distribution of the encryption binary via Group Policy?

Options:

A.

SQL01

B.

WK10-Sales07

C.

WK7-Plant01

D.

DCEast01

E.

HQAdmin9

Question 38

An analyst receives alerts that state the following traffic was identified on the perimeter network firewall:

Which of the following best describes the indicator of compromise that triggered the alerts?

Options:

A.

Anomalous activity

B.

Bandwidth saturation

C.

Cryptomining

D.

Denial of service

Question 39

A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output:

Which of the following hosts should be patched first, based on the metrics?

Options:

A.

host01

B.

host02

C.

host03

D.

host04

Question 40

A security analyst needs to identify an asset that should be remediated based on the following information:

    File ServerCVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H/

    Web ServerCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/

    Mail Server (corrected from “Mall server”)CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/

    Domain ControllerCVSS:3.1/AV:N/AC:L/PR:R/UI:R/S:U/C:H/I:H/A:H/

Which of the following assets should the analyst remediate first?

Options:

A.

Mail server

B.

Domain controller

C.

Web server

D.

File server

Question 41

An organization discovered a data breach that resulted in Pll being released to the public. During the lessons learned review, the panel identified discrepancies regarding who was responsible for external reporting, as well as the timing requirements. Which of the following actions would best address the reporting issue?

Options:

A.

Creating a playbook denoting specific SLAs and containment actions per incident type

B.

Researching federal laws, regulatory compliance requirements, and organizational policies to document specific reporting SLAs

C.

Defining which security incidents require external notifications and incident reporting in addition to internal stakeholders

D.

Designating specific roles and responsibilities within the security team and stakeholders to streamline tasks

Question 42

An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?

Options:

A.

CIS Benchmarks

B.

PCI DSS

C.

OWASP Top Ten

D.

ISO 27001

Question 43

A security analyst is trying to validate the results of a web application scan with Burp Suite. The security analyst performs the following:

Which of the following vulnerabilitles Is the securlty analyst trylng to valldate?

Options:

A.

SQL injection

B.

LFI

C.

XSS

D.

CSRF

Question 44

A company recently experienced a security incident. The security team has determined

a user clicked on a link embedded in a phishing email that was sent to the entire company. The link resulted in a malware download, which was subsequently installed and run.

INSTRUCTIONS

Part 1

Review the artifacts associated with the security incident. Identify the name of the malware, the malicious IP address, and the date and time when the malware executable entered the organization.

Part 2

Review the kill chain items and select an appropriate control for each that would improve the security posture of the organization and would have helped to prevent this incident from occurring. Each

control may only be used once, and not all controls will be used.

Firewall log:

File integrity Monitoring Report:

Malware domain list:

Vulnerability Scan Report:

Phishing Email:

Options:

Question 45

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed:

Which of the following tuning recommendations should the security analyst share?

Options:

A.

Set an HttpOnlvflaq to force communication by HTTPS

B.

Block requests without an X-Frame-Options header

C.

Configure an Access-Control-Allow-Origin header to authorized domains

D.

Disable the cross-origin resource sharing header

Question 46

K company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:

SELECT ’ From userjdata WHERE Username = 0 and userid8 1 or 1=1;—

Which of the following controls would be best to implement?

Options:

A.

Deploy a wireless application protocol.

B.

Remove the end-of-life component.

C.

Implement proper access control.

D.

Validate user input.

Question 47

After a risk assessment, a server was found hosting a vulnerable legacy system that has the following characteristics:

• There is no patch or official fix available from the vendor.

• There is no official support provided by the vendor.

• Customers consider the system mission critical.

Which of the following actions will best decrease the risk posed by the legacy system?

Options:

A.

Decommission the server immediately and find a new solution to replace the legacy system.

B.

Implement firewall rules to block inbound connections and allow outbound traffic.

C.

Install and configure a web application firewall tailored to the legacy server.

D.

Apply compensating controls, including isolation, restricted access, and continuous monitoring.

Question 48

While reviewing web server logs, a security analyst discovers the following suspicious line:

Which of the following is being attempted?

Options:

A.

Remote file inclusion

B.

Command injection

C.

Server-side request forgery

D.

Reverse shell

Question 49

The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company:

Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?

Options:

A.

Vulnerability A

B.

Vulnerability B

C.

Vulnerability C

D.

Vulnerability D

Question 50

A security analyst reviews a SIEM alert related to a suspicious email and wants to verify the authenticity of the message:

SPF = PASS

DKIM = FAIL

DMARC = FAIL

Which of the following did the analyst most likely discover?

Options:

A.

An insider threat altered email security records to mask suspicious DNS resolution traffic.

B.

The message was sent from an authorized mail server but was not signed.

C.

Log normalization corrupted the data as it was brought into the central repository.

D.

The email security software did not process all of the records correctly.

Question 51

A security analyst is identifying vulnerabilities in laptops. Users often take their laptops out of the office while traveling, and the vulnerability scan metrics are inaccurate. Which of the following changes should the analyst propose to reduce the MTTD to fewer than four days?

Options:

A.

Deploy agents to all endpoints to scan daily for vulnerabilities.

B.

Configure the network vulnerability scan job to use credentials.

C.

Change the vulnerability scanner configuration to perform network scans more than once per day.

D.

Increase the scan maximum running time to four days to wait for missing endpoints.

Question 52

Several vulnerability scan reports have indicated runtime errors as the code is executing. The dashboard that lists the errors has a command-line interface for developers to check for vulnerabilities. Which of the following will enable a developer to correct this issue? (Select two).

Options:

A.

Performing dynamic application security testing

B.

Reviewing the code

C.

Fuzzing the application

D.

Debugging the code

E.

Implementing a coding standard

F.

Implementing IDS

Question 53

A disgruntled open-source developer has decided to sabotage a code repository with a logic bomb that will act as a wiper. Which of the following parts of the Cyber Kill Chain does this act exhibit?

Options:

A.

Reconnaissance

B.

Weaponization

C.

Exploitation

D.

Installation

Question 54

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Options:

A.

The current scanners should be migrated to the cloud

B.

Cloud-specific misconfigurations may not be detected by the current scanners

C.

Existing vulnerability scanners cannot scan laaS systems

D.

Vulnerability scans on cloud environments should be performed from the cloud

Question 55

To minimize the impact of a security incident in a heavily regulated company, a cybersecurity analyst has configured audit settings in the organization ' s cloud services. Which of the following security controls has the analyst configured?

Options:

A.

Preventive

B.

Corrective

C.

Directive

D.

Detective

Question 56

A cybersecurity analyst has been assigned to the threat-hunting team to create a dynamic detection strategy based on behavioral analysis and attack patterns. Which of the following best describes what the analyst will be creating?

Options:

A.

Bots

B.

loCs

C.

TTPs

D.

Signatures

Question 57

Which of the following risk management principles is accomplished by purchasing cyber insurance?

Options:

A.

Accept

B.

Avoid

C.

Mitigate

D.

Transfer

Question 58

A recent vulnerability scan resulted in an abnormally large number of critical and high findings that require patching. The SLA requires that the findings be remediated within a specific amount of time. Which of the following is the best approach to ensure all vulnerabilities are patched in accordance with the SLA?

Options:

A.

Integrate an IT service delivery ticketing system to track remediation and closure.

B.

Create a compensating control item until the system can be fully patched.

C.

Accept the risk and decommission current assets as end of life.

D.

Request an exception and manually patch each system.

Question 59

A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server

logs for evidence of exploitation of that particular vulnerability?

Options:

A.

/etc/ shadow

B.

curl localhost

C.

; printenv

D.

cat /proc/self/

Question 60

Which of the following best describes the key elements of a successful information security program?

Options:

A.

Business impact analysis, asset and change management, and security communication plan

B.

Security policy implementation, assignment of roles and responsibilities, and information asset classification

C.

Disaster recovery and business continuity planning, and the definition of access control requirements and human resource policies

D.

Senior management organizational structure, message distribution standards, and procedures for the operation of security management systems

Question 61

Given the following CVSS string-

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H

Which of the following attributes correctly describes this vulnerability?

Options:

A.

A user is required to exploit this vulnerability.

B.

The vulnerability is network based.

C.

The vulnerability does not affect confidentiality.

D.

The complexity to exploit the vulnerability is high.

Question 62

Executives at an organization email sensitive financial information to external business partners when negotiating valuable contracts. To ensure the legal validity of these messages, the cybersecurity team recommends a digital signature be added to emails sent by the executives. Which of the following are the primary goals of this recommendation? (Select two).

Options:

A.

Confidentiality

B.

Integrity

C.

Privacy

D.

Anonymity

E.

Non-repudiation

F.

Authorization

Question 63

A high volume of failed RDP authentication attempts was logged on a critical server within a one-hour period. All of the attempts originated from the same remote IP address and made use of a single valid domain user account. Which of the following would be the most effective mitigating control to reduce the rate of success of this brute-force attack?

Options:

A.

Enabling a user account lockout after a limited number of failed attempts

B.

Installing a third-party remote access tool and disabling RDP on all devices

C.

Implementing a firewall block for the remote system ' s IP address

D.

Increasing the verbosity of log-on event auditing on all devices

Question 64

A security analyst found the following vulnerability on the company’s website:

< INPUT TYPE=“IMAGE” SRC=“javascript:alert(‘test’);” >

Which of the following should be implemented to prevent this type of attack in the future?

Options:

A.

Input sanitization

B.

Output encoding

C.

Code obfuscation

D.

Prepared statements

Question 65

An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?

Options:

A.

Scope

B.

Weaponization

C.

CVSS

D.

Asset value

Question 66

Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?

Options:

A.

SLA

B.

LOI

C.

MOU

D.

KPI

Question 67

Which of the following would eliminate the need for different passwords for a variety or internal application?

Options:

A.

CASB

B.

SSO

C.

PAM

D.

MFA

Question 68

Which of the following is the most appropriate action a security analyst to take to effectively identify the most security risks associated with a locally hosted server?

Options:

A.

Run the operating system update tool to apply patches that are missing.

B.

Contract an external penetration tester to attempt a brute-force attack.

C.

Download a vendor support agent to validate drivers that are installed.

D.

Execute a vulnerability scan against the target host.

Question 69

An analyst needs to provide recommendations based on a recent vulnerability scan:

Which of the following should the analyst recommend addressing to ensure potential vulnerabilities are identified?

Options:

A.

SMB use domain SID to enumerate users

B.

SYN scanner

C.

SSL certificate cannot be trusted

D.

Scan not performed with admin privileges

Question 70

A security analyst is viewing a recorded session that captured suspicious activity:

scanning 192.168.10.10...

scan timing: about 10% done...

...

scan completed (4 host up); scanned 4 hosts in 1348 sec.

HOSt Port State Service

192.168.10.10 1 closed unknown

192.168.10.20 1 closed unknown

192.168.10.30 1 closed unknown

192.168.10.40 1 closed unknown

Which of the following best describes the activity shown?

Options:

A.

UDP scan

B.

SYN scan

C.

XMAS tree scan

D.

Half-open scan

Question 71

During a security incident at a healthcare facility, an unauthorized user downloads multiple patients’ PHI records. Which of the following is the best reason for the healthcare facility to communicate with the affected patients regarding the incident?

Options:

A.

To meet regulatory requirements

B.

To appease the stakeholders

C.

To avoid legal liability

D.

To get support from law enforcement

Question 72

The analyst reviews the following endpoint log entry:

Which of the following has occurred?

Options:

A.

Registry change

B.

Rename computer

C.

New account introduced

D.

Privilege escalation

Question 73

An organization wants to establish a disaster recovery plan for critical applications that are hosted on premises. Which of the following is the first step to prepare for supporting this new requirement?

Options:

A.

Choose a vendor to utilize for the disaster recovery location.

B.

Establish prioritization of continuity from data and business owners.

C.

Negotiate vendor agreements to support disaster recovery capabilities.

D.

Advise the leadership team that a geographical area for recovery must be defined.

Question 74

A security analyst is reviewing the findings of the latest vulnerability report for a company ' s web application. The web application accepts files for a Bash script to be processed if the files match a given hash. The analyst is able to submit files to the system due to a hash collision. Which of the following should the analyst suggest to mitigate the vulnerability with the fewest changes to the current script and infrastructure?

Options:

A.

Deploy a WAF to the front of the application.

B.

Replace the current MD5 with SHA-256.

C.

Deploy an antivirus application on the hosting system.

D.

Replace the MD5 with digital signatures.

Question 75

A security analyst is investigating an unusually high volume of requests received on a web server. Based on the following command and output:

access_log - [21/May/2024 13:19:06] " GET /newyddion HTTP/1.1 " 404 -

access_log - [21/May/2024 13:19:06] " GET /1970 HTTP/1.1 " 404 -

access_log - [21/May/2024 13:19:06] " GET /dopey HTTP/1.1 " 404 -

...

Which of the following best describes the activity that the analyst will confirm?

Options:

A.

SQL injection

B.

Directory brute force

C.

Remote command execution

D.

Cross-site scripting

Question 76

Which of the following risk management decisions should be considered after evaluating all other options?

Options:

A.

Transfer

B.

Acceptance

C.

Mitigation

D.

Avoidance

Question 77

A Chief Information Security Officer wants to map all the attack vectors that the company faces each day. Which of the following recommendations should the company align their security controls around?

Options:

A.

OSSTMM

B.

Diamond Model Of Intrusion Analysis

C.

OWASP

D.

MITRE ATT & CK

Question 78

Several incidents have occurred with a legacy web application that has had little development work completed. Which of the following is the most likely cause of the incidents?

Options:

A.

Misconfigured web application firewall

B.

Data integrity failure

C.

Outdated libraries

D.

Insufficient logging

Question 79

A web application team notifies a SOC analyst that there are thousands of HTTP/404 events on the public-facing web server. Which of the following is the next step for the analyst to take?

Options:

A.

Instruct the firewall engineer that a rule needs to be added to block this external server.

B.

Escalate the event to an incident and notify the SOC manager of the activity.

C.

Notify the incident response team that a DDoS attack is occurring.

D.

Identify the IP/hostname for the requests and look at the related activity.

Question 80

Which of the following are process improvements that can be realized by implementing a SOAR solution? (Select two).

Options:

A.

Minimize security attacks

B.

Itemize tasks for approval

C.

Reduce repetitive tasks

D.

Minimize setup complexity

E.

Define a security strategy

F.

Generate reports and metrics

Question 81

An analyst suspects cleartext passwords are being sent over the network. Which of the following tools would best support the analyst ' s investigation?

Options:

A.

OpenVAS

B.

Angry IP Scanner

C.

Wireshark

D.

Maltego

Question 82

The Chief Information Security Officer (CISO) of a large management firm has selected a cybersecurity framework that will help the organization demonstrate its investment in tools and systems to protect its data. Which of the following did the CISO most likely select?

Options:

A.

PCI DSS

B.

COBIT

C.

ISO 27001

D.

ITIL

Question 83

A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below:

Which of the following has most likely occurred?

Options:

A.

An Office document with a malicious macro was opened.

B.

A credential-stealing website was visited.

C.

A phishing link in an email was clicked

D.

A web browser vulnerability was exploited.

Question 84

While performing a dynamic analysis of a malicious file, a security analyst notices the memory address changes every time the process runs. Which of the following controls is most likely preventing the analyst from finding the proper memory address of the piece of malicious code?

Options:

A.

Address space layout randomization

B.

Data execution prevention

C.

Stack canary

D.

Code obfuscation

Question 85

A security analyst needs to mitigate a known, exploited vulnerability related not

tack vector that embeds software through the USB interface. Which of the following should the analyst do first?

Options:

A.

Conduct security awareness training on the risks of using unknown and unencrypted USBs.

B.

Write a removable media policy that explains that USBs cannot be connected to a company asset.

C.

Check configurations to determine whether USB ports are enabled on company assets.

D.

Review logs to see whether this exploitable vulnerability has already impacted the company.

Question 86

A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?

Options:

A.

grep [IP address] packets.pcapB cat packets.pcap | grep [IP Address]

B.

tcpdump -n -r packets.pcap host [IP address]

C.

strings packets.pcap | grep [IP Address]

Question 87

A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script:

Which of the following scripting languages was used in the script?

Options:

A.

PowerShel

B.

Ruby

C.

Python

D.

Shell script

Question 88

Which of the following techniques can help a SOC team to reduce the number of alerts related to the internal security activities that the analysts have to triage?

Options:

A.

Enrich the SIEM-ingested data to include all data required for triage.

B.

Schedule a task to disable alerting when vulnerability scans are executing.

C.

Filter all alarms in the SIEM with low severity.

D.

Add a SOAR rule to drop irrelevant and duplicated notifications.

Question 89

A security analyst performs a vulnerability scan on corporate assets and finds the following vulnerabilities:

System A: Buffer overflow — CVSS severity score 9.6

System B: Remote code execution — CVSS severity score 9.8

System C: DDoS — CVSS severity score 8.2

System D: Cross-site scripting — CVSS severity score 8.6

The vulnerability manager reviews the analyst’s recommendations and asks the analyst to add more information in order to confirm prioritization. Which of the following best explains the reason the manager requests more information?

Options:

A.

Host criticality is unknown.

B.

SLA information is missing.

C.

Existing KPIs were not measured.

D.

Zero-day vulnerabilities were excluded.

Question 90

A security analyst reviews the following Arachni scan results for a web application that stores PII data:

Which of the following should be remediated first?

Options:

A.

SQL injection

B.

RFI

C.

XSS

D.

Code injection

Question 91

While reviewing the web server logs, a security analyst notices the following snippet:

.. \ .. / .. \ .. /boot.ini

Which of the following Is belng attempted?

Options:

A.

Directory traversal

B.

Remote file inclusion

C.

Cross-site scripting

D.

Remote code execution

E.

Enumeration of /etc/passwd

Question 92

An analyst is suddenly unable to enrich data from the firewall. However, the other open intelligence feeds continue to work. Which of the following is the most likely reason the firewall feed stopped working?

Options:

A.

The firewall service account was locked out.

B.

The firewall was using a paid feed.

C.

The firewall certificate expired.

D.

The firewall failed open.

Question 93

An analyst discovers unusual outbound connections to an IP that was previously blocked at the web proxy and firewall. Upon further investigation, it appears that the proxy and firewall rules that were in place were removed by a service account that is not recognized. Which of the following parts of the Cyber Kill Chain does this describe?

Options:

A.

Delivery

B.

Command and control

C.

Reconnaissance

D.

Weaporization

Question 94

Which of the following in the digital forensics process is considered a critical activity that often includes a graphical representation of process and operating system events?

Options:

A.

Registry editing

B.

Network mapping

C.

Timeline analysis

D.

Write blocking

Question 95

Which of the following best explains the importance of utilizing an incident response playbook?

Options:

A.

It prioritizes the business-critical assets for data recovery.

B.

It establishes actions to execute when inputs trigger an event.

C.

It documents the organization asset management and configuration.

D.

It defines how many disaster recovery sites should be staged.

Question 96

A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application:

getconnection (database01, " alpha " , " AXTV. 127GdCx94GTd " ) ;

Which of the following is the most likely vulnerability in this system?

Options:

A.

Lack of input validation

B.

SQL injection

C.

Hard-coded credential

D.

Buffer overflow attacks

Question 97

A small company does no! have enough staff to effectively segregate duties to prevent error and fraud in payroll management. The Chief Information Security Officer (CISO) decides to maintain and review logs and audit trails to mitigate risk. Which of the following did the CISO implement?

Options:

A.

Corrective controls

B.

Compensating controls

C.

Operational controls

D.

Administrative controls

Question 98

Patches for two highly exploited vulnerabilities were released on the same Friday afternoon. Information about the systems and vulnerabilities is shown in the tables below:

Which of the following should the security analyst prioritize for remediation?

Options:

A.

rogers

B.

brady

C.

brees

D.

manning

Question 99

Options:

A.

Disaster recovery plan

B.

Business impact analysis

C.

Playbook

D.

Backup plan

Question 100

A security analyst needs to identify a computer based on the following requirements to be mitigated:

    The attack method is network-based with low complexity.

    No privileges or user action is needed.

    The confidentiality and availability level is high, with a low integrity level.

Given the following CVSS 3.1 output:

    Computer1: CVSS3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H

    Computer2: CVSS3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

    Computer3: CVSS3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H

    Computer4: CVSS3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

Which of the following machines should the analyst mitigate?

Options:

A.

Computer1

B.

Computer2

C.

Computer3

D.

Computer4

Question 101

A sales application was remediated to address a critical vulnerability. The process took five business hours and was ultimately successful. However, the change advisory board informed the company’s leadership team that the process resulted in a considerable financial loss. Which of the following best explains the reason for the financial loss?

Options:

A.

The loss is a normal cost of operations that relies on IT.

B.

The Chief Information Officer did not notify the board members.

C.

The IT team should have hired a penetration testing team before patching.

D.

The maintenance window was not properly communicated or scheduled.

Question 102

An organization ' s email account was compromised by a bad actor. Given the following Information:

Which of the following is the length of time the team took to detect the threat?

Options:

A.

25 minutes

B.

40 minutes

C.

45 minutes

D.

2 hours

Question 103

Which of the following describes the best reason for conducting a root cause analysis?

Options:

A.

The root cause analysis ensures that proper timelines were documented.

B.

The root cause analysis allows the incident to be properly documented for reporting.

C.

The root cause analysis develops recommendations to improve the process.

D.

The root cause analysis identifies the contributing items that facilitated the event

Question 104

An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?

Options:

A.

Beaconing

B.

Cross-site scripting

C.

Buffer overflow

D.

PHP traversal

Question 105

Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?

Options:

A.

MOU

B.

NDA

C.

BIA

D.

SLA

Question 106

A security analyst performs a vulnerability scan. Given the following findings:

Which of the following machines should the analyst address first? (Select two).

Options:

A.

Server1

B.

Server2

C.

server3

D.

Server4

E.

Server5

F.

Server 6

Question 107

Which of the following explains how MTTD can affect IR reporting and communication?

Options:

A.

Having a shorter MTTD reduces the potential impact of an incident.

B.

Improved MTTD ensures the leadership team is made aware of threats before exploitation.

C.

The MTTD defines the maximum time allowed between detection and response.

D.

MTTD is part of regulatory compliance and outlines an approved process for reporting.

Question 108

Which of the following explains how MTTD can affect incident response reporting and communication?

Options:

A.

Having a shorter MTTD reduces the potential impact of an incident.

B.

Improved MTTD ensures the leadership team is made aware of threats before exploitation.

C.

MTTD defines the maximum time allowed between detection and response.

D.

MTTD is part of regulatory compliance and outlines an approved process for reporting.

Question 109

A security analyst has received an incident case regarding malware spreading out of control on a customer ' s network. The analyst is unsure how to respond. The configured EDR has automatically obtained a sample of the malware and its signature. Which of the following should the analyst perform next to determine the type of malware, based on its telemetry?

Options:

A.

Cross-reference the signature with open-source threat intelligence.

B.

Configure the EDR to perform a full scan.

C.

Transfer the malware to a sandbox environment.

D.

Log in to the affected systems and run necstat.

Question 110

Which of the following is the best way to provide realistic training for SOC analysts?

Options:

A.

Phishing assessments

B.

OpenVAS

C.

Attack simulation

D.

SOAR

E.

Honeypot

Question 111

A company was able to reduce triage time by focusing on historical trend analysis. The business partnered with the security team to achieve a 50% reduction in phishing attempts year over year. Which of the following action plans led to this reduced triage time?

Options:

A.

Patching

B.

Configuration management

C.

Awareness, education, and training

D.

Threat modeling

Question 112

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

Options:

A.

Business continuity plan

B.

Vulnerability management plan

C.

Disaster recovery plan

D.

Asset management plan

Question 113

Several critical bugs were identified during a vulnerability scan. The SLA risk requirement is that all critical vulnerabilities should be patched within 24 hours. After sending a notification to the asset owners, the patch cannot be deployed due to planned, routine system upgrades Which of the following is the best method to remediate the bugs?

Options:

A.

Reschedule the upgrade and deploy the patch

B.

Request an exception to exclude the patch from installation

C.

Update the risk register and request a change to the SLA

D.

Notify the incident response team and rerun the vulnerability scan

Question 114

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

Options:

A.

Mean time to detect

B.

Number of exploits by tactic

C.

Alert volume

D.

Quantity of intrusion attempts

Question 115

Which of the following security operations tasks are ideal for automation?

Options:

A.

Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder

B.

Firewall IoC block actions:Examine the firewall logs for IoCs from the most recently published zero-day exploitTake mitigating actions in the firewall to block the behavior found in the logsFollow up on any false positives that were caused by the block rules

C.

Security application user errors:Search the error logs for signs of users having trouble with the security applicationLook up the user ' s phone numberCall the user to help with any questions about using the application

D.

Email header analysis:Check the email header for a phishing confidence metric greater than or equal to fiveAdd the domain of sender to the block listMove the email to quarantine

Question 116

A company ' s internet-facing web application has been compromised several times due to identified design flaws. The company would like to minimize the risk of these incidents from reoccurring and has provided the developers with better security training. However, the company cannot allocate any more internal resources to the issue. Which of the following are the best options to help identify flaws within the system? (Select two).

Options:

A.

Deploying a WAF

B.

Performing a forensic analysis

C.

Contracting a penetration test

D.

Holding a tabletop exercise

E.

Creating a bug bounty program

F.

Implementing threat modeling

Question 117

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Options:

A.

Information sharing organization

B.

Blogs/forums

C.

Cybersecuritv incident response team

D.

Deep/dark web

Question 118

A security analyst has identified outgoing network traffic leaving the enterprise at odd times. The traffic appears to pivot across network segments and target domain servers. The traffic is then routed to a geographic location to which the company has no association. Which of the following best describes this type of threat?

Options:

A.

Hacktivist

B.

Zombie

C.

Insider threat

D.

Nation-state actor

Question 119

A vulnerability analyst is writing a report documenting the newest, most critical vulnerabilities identified in the past month. Which of the following public MITRE repositories would be best to review?

Options:

A.

Cyber Threat Intelligence

B.

Common Vulnerabilities and Exposures

C.

Cyber Analytics Repository

D.

ATT & CK

Question 120

When undertaking a cloud migration of multiple SaaS applications, an organization’s systems administrators struggled with the complexity of extending identity and access management to cloud-based assets. Which of the following service models would have reduced the complexity of this project?

Options:

A.

RADIUS

B.

SDN

C.

ZTNA

D.

SWG

Question 121

The Chief Information Security Officer for an organization recently received approval to install a new EDR solution. Following the installation, the number of alerts that require remediation by an analyst has tripled. Which of the following should the organization utilize to best centralize the workload for the internal security team? (Select two).

Options:

A.

SOAR

B.

SIEM

C.

MSP

D.

NGFW

E.

XDR

F.

DLP

Question 122

A company has decided to expose several systems to the internet, The systems are currently available internally only. A security analyst is using a subset of CVSS3.1 exploitability metrics to prioritize the vulnerabilities that would be the most exploitable when the systems are exposed to the internet. The systems and the vulnerabilities are shown below:

Which of the following systems should be prioritized for patching?

Options:

A.

brown

B.

grey

C.

blane

D.

sullivan

Question 123

ID

Source

Destination

Protocol

Service

1

172.16.1.1

172.16.1.10

ARP

AddrResolve

2

172.16.1.10

172.16.1.20

TCP 135

RPC Kerberos

3

172.16.1.10

172.16.1.30

TCP 445

SMB WindowsExplorer

4

172.16.1.30

5.29.1.5

TCP 443

HTTPS Browser.exe

5

11.4.11.28

172.16.1.1

TCP 53

DNS Unknown

6

20.109.209.108

172.16.1.1

TCP 443

HTTPS WUS

7

172.16.1.25

bank.backup.com

TCP 21

FTP FileZilla

Which of the following represents the greatest concerns with regard to potential data exfiltration? (Select two.)

Options:

A.

1

B.

2

C.

3

D.

4

E.

5

F.

6

G.

7

Question 124

An incident response analyst is investigating the root cause of a recent malware outbreak. Initial binary analysis indicates that this malware disables host security services and performs cleanup routines on it infected hosts, including deletion of initial dropper and removal of event log entries and prefetch files from the host. Which of the following data sources would most likely reveal evidence of the root cause?

(Select two).

Options:

A.

Creation time of dropper

B.

Registry artifacts

C.

EDR data

D.

Prefetch files

E.

File system metadata

F.

Sysmon event log

Question 125

A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network.

Which of the following metrics should the team lead include in the briefs?

Options:

A.

Mean time between failures

B.

Mean time to detect

C.

Mean time to remediate

D.

Mean time to contain

Question 126

A security analyst needs to provide evidence of regular vulnerability scanning on the company ' s network for an auditing process. Which of the following is an example of a tool that can produce such evidence?

Options:

A.

OpenVAS

B.

Burp Suite

C.

Nmap

D.

Wireshark

Question 127

A company discovers that its proprietary information is being sold on the dark web. A security analyst uses threat hunting to search for signs of compromise. After running a network packet capture tool, the analyst identifies millions of packets similar to the following:

Internet Protocol Version 4, src: 192.168.1.2, dst: 104.21.75.76

Internet Control Message Protocol

Type: 8 Echo request

Code: 0

Checksum: 0x34db [correct]

Sequence number: 3362

No response seen

Data: 64 bytes

Data payload: 0e1bS8…157ea2054af44…9865b34857a05…24b45824…

The analyst does not detect or identify any other abnormalities. Which of the following is most likely the malicious activity in this scenario?

Options:

A.

An insider is using an IP command-and-control channel to sell proprietary information.

B.

A threat actor is performing exfiltration over an alternative protocol.

C.

A machine was infected with a virus that is trying to propagate.

D.

A hacktivist is conducting an ICMP DDoS attack against the company.

Question 128

An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?

Options:

A.

SOAR

B.

SIEM

C.

SLA

D.

IoC

Question 129

A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.

Instructions:

Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.

For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.

Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server to the results.

The Linux Web Server, File-Print Server and Directory Server are draggable.

If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

Options:

Question 130

An organization has tracked several incidents that are listed in the following table:

Which of the following is the organization ' s MTTD?

Options:

A.

140

B.

150

C.

160

D.

180

Question 131

During a tabletop exercise, engineers discovered that an ICS could not be updated due to hardware versioning incompatibility. Which of the following is the most likely cause of this issue?

Options:

A.

Legacy system

B.

Business process interruption

C.

Degrading functionality

D.

Configuration management

Question 132

Several reports with sensitive information are being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?

Options:

A.

Implement step-up authentication for administrators.

B.

Improve employee training and awareness.

C.

Increase password complexity standards.

D.

Deploy mobile device management.

Question 133

The SOC receives a number of complaints regarding a recent uptick in desktop error messages that are associated with workstation access to an internal web application. An analyst, identifying a recently modified XML file on the web server, retrieves a copy of this file for review, which contains the following code:

Which of The following XML schema constraints would stop these desktop error messages from appearing?

Options:

A.

A white background with black text AI-generated content may be incorrect.

B.

A white background with black text AI-generated content may be incorrect.

C.

A white background with black text AI-generated content may be incorrect.

D.

A screenshot of a computer code AI-generated content may be incorrect.

Question 134

An XSS vulnerability was reported on one of the public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 135

Which of the following best describes the importance of KPIs in an incident response exercise?

Options:

A.

To identify the personal performance of each analyst

B.

To describe how incidents were resolved

C.

To reveal what the team needs to prioritize

D.

To expose which tools should be used

Question 136

A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following

would best aid in decreasing the workload without increasing staff?

Options:

A.

SIEM

B.

XDR

C.

SOAR

D.

EDR

Question 137

While configuring a SIEM for an organization, a security analyst is having difficulty correlating incidents across different systems. Which of the following should be checked first?

Options:

A.

If appropriate logging levels are set

B.

NTP configuration on each system

C.

Behavioral correlation settings

D.

Data normalization rules

Question 138

A vulnerability scan shows the following vulnerabilities in the environment:

At the same time, the following security advisory was released:

" A zero-day vulnerability with a CVSS score of 10 may be affecting your web server. The vendor is working on a patch or workaround. "

Which of the following actions should the security analyst take first?

Options:

A.

Contact the web systems administrator and request that they shut down the asset.

B.

Monitor the patch releases for all items and escalate patching to the appropriate team.

C.

Run the vulnerability scan again to verify the presence of the critical finding and the zero-day vulnerability in the environment.

D.

Forward the advisory to the web security team and initiate the prioritization strategy for the other vulnerabilities.

Question 139

When starting an investigation, which of the following must be done first?

Options:

A.

Notify law enforcement

B.

Secure the scene

C.

Seize all related evidence

D.

Interview the witnesses

Question 140

An analyst is reviewing processes running on a Windows host. The analyst reviews the following information:

Which of the following processes should the analyst review first?

Options:

A.

533

B.

740

C.

768

D.

1100

Question 141

An analyst is reviewing a dashboard from the company ' s SIEM and finds that an IP address known to be malicious can be tracked to numerous high-priority events in the last two hours. The dashboard indicates that these events relate to TTPs. Which of the following is the analyst most likely using?

Options:

A.

MITRE ATT & CK

B.

OSSTMM

C.

Diamond Model of Intrusion Analysis

D.

OWASP

Question 142

AXSS vulnerability was reported on one of the non-sensitive/non-mission-critical public websites of a company. The security department confirmed the finding and needs to provide a recommendation to the application owner. Which of the following recommendations will best prevent this vulnerability from being exploited? (Select two).

Options:

A.

Implement an IPS in front of the web server.

B.

Enable MFA on the website.

C.

Take the website offline until it is patched.

D.

Implement a compensating control in the source code.

E.

Configure TLS v1.3 on the website.

F.

Fix the vulnerability using a virtual patch at the WAF.

Question 143

A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device ' s operating system. Which of the following best meets this

requirement?

Options:

A.

SIEM

B.

CASB

C.

SOAR

D.

EDR

Question 144

An analyst wants to detect outdated software packages on a server. Which of the following methodologies will achieve this objective?

Options:

A.

Data loss prevention

B.

Configuration management

C.

Common vulnerabilities and exposures

D.

Credentialed scanning

Question 145

An analyst is imaging a hard drive that was obtained from the system of an employee who is suspected of going rogue. The analyst notes that the initial hash of the evidence drive does not match the resultant hash of the imaged copy. Which of the following best describes the reason for the conflicting investigative findings?

Options:

A.

Chain of custody was not maintained for the evidence drive.

B.

Legal authorization was not obtained prior to seizing the evidence drive.

C.

Data integrity of the imaged drive could not be verified.

D.

Evidence drive imaging was performed without a write blocker.

Question 146

Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?

Options:

A.

Review Of security requirements

B.

Compliance checks

C.

Decomposing the application

D.

Security by design

Demo: 146 questions
Total 487 questions