CySA+ (CS0-002)2021/2022 100%correct

An analyst needs to forensically examine a Windows machine that was compromised by a threat actor. Intelligence reports state this specific threat actor is characterized by hiding malicious artifacts, especially with alternate data streams. Based on this intelligence, which of the following BEST explains alternate data streams? A. A different way data can be streamlined if the user wants to use less memory on a Windows system for forking resources B. A way to store data on an external drive attached to a Windows machine that is not readily accessible to users C. A windows attribute that provides for forking resources and is potentially used to hide the presence of secret or malicious files inside the file records of a benign file D. A Windows attribute that can be used by attackers to hide malicious files within system memory Correct answer- D. A Windows attribute that can be used by attackers to hide malicious files within system memory An executive assistant wants to onboard a new cloud-based product to help with business analytics and dashboarding. Which of the following would be the BEST integration option for this service? A. Manually log in to the service and upload data files on a regular basis. B. Have the internal development team script connectivity and file transfers to the new service. C. Create a dedicated SFTP site and schedule transfers to ensure file transport security. D. Utilize the cloud product's API for supported and ongoing integrations. Correct answer- D. Utilize the cloud product's API for supported and ongoing integrations Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient. Which of the following controls would have MOST likely prevented this incident? A. SSO B. DLP C. WAF D. VDI Correct answer- B. DLP A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality. Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing? A. Deidentification B. Encoding C. Encryption D. Watermarking Correct answer- A. Deidentification Which of the following are components of the intelligence cycle? (Select TWO). A. Collection B. Normalization C. Response D. Analysis E. Correction F. Dissension Correct answer- A. Collection D. Analysis During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect. Which of the following is the BEST place to acquire evidence to perform data carving? A. The system memory B. The hard drive C. Network packets D. The Windows Registry Correct answer- A. The system memory A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach. Which of the following is the BEST mitigation to prevent unauthorized access? A. Single sign-on B. Mandatory access control C. Multifactor authentication D. Federation E. Privileged access management Correct answer- C. Multifactor authentication An organization wants to move non-essential services into a cloud computing Environment. Management has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following cloud recovery strategies would work BEST to attain the desired outcome? A. Duplicate all services in another instance and load balance between the instances. B. Establish a hot site with active replication to another region within the same cloud provider C. Set up a warm disaster recovery site with the same cloud provider in a different region. D. Configure the systems with a cold site at another cloud provider that can be used for failover. Correct answer- C. Set up a warm disaster recovery site with the same cloud provider in a different region. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is . The testing is successful, and the security technician is prepared to fully implement the solution. Which of the following actions should the technician take to accomplish this task? A. Add TXT @ "v=spfl mx include:_ -all" to the DNS record. B. Add TXT @ "v=spfl mx include:_ -all" to the email server. C. Add TXT @ "v=spfl mx include:_ -all" to the domain controller. D. Add TXT @ "v=spfl mx include:_ -all" to the web server. Correct answer- A. Add TXT @ "v=spfl mx include:_ -all" to the DNS record. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities. Which of the following would be BEST to implement to alleviate the CISO's concern? A. DLP B. Encryption C. Test data D. NDA Correct answer- C. Test data A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the following should be done to correct the cause of the vulnerability? A. Deploy a WAF in front of the application. B. Implement a software repository management tool. C. Install a HIPS on the server. D. Instruct the developers to use input validation in the code. Correct answer- B. Implement a software repository management tool. Which of the following BEST describes the primary role of a risk assessment as it relates to compliance with risk-based frameworks? A. It demonstrates the organization's mitigation of risks associated with internal threats. B. It serves as the basis for control selection. C. It prescribes technical control requirements D. It is an input to the business impact assessment Correct answer- B. It serves as the basis for control selection. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization. To BEST resolve the issue, the organization should implement: A. federated authentication. B. role-based access control. C. manual account reviews D. multifactor authentication. Correct answer- A. federated authentication A security analyst had received information from a third-party intelligence-sharing resource that indicates employee accounts were breached. Which of the following is the NEXT step the analyst should take to address the issue? A. Audit access permissions for all employees to ensure least privilege B. Force a password reset for the impacted employees and revoke any tokens. C. Configure SSO to prevent passwords from going outside the local network. D. Set up prevailed access management to ensure auditing is enabled Correct answer- B. Force a password reset for the impacted employees and revoke any tokens. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST likely cause of the infections? A. Compatibility mode B. Secure boot mode C. Native mode D. Fast boot mode Correct answer- A. Compatibility mode A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs. Which of the following is the main concern a security analyst should have with this arrangement? A. Making multiple trips between development sites increases the chance of physical damage to the FPGAs. B. Moving the FPGAs between development sites will less the time that is available for security testing. C. Development phases occurring at multiple sites may produce change management issues. D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft. Correct answer- D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft. During routing monitoring, a security analyst discovers several suspicious websites that are communicating with a local host. The analyst queries IP 192.168.50.2 for a 24-hour period: Time SRC DST Domain Bytes 6/26/19 10:01 192.168.50.2 138.10.2.5 50 6/26/19 11:05 192.168.50.2 138.10.2.5 1000 6/26/19 13:09 192.168.50.2 138.10.25.5 1000 6/26/19 15:13 192.168.50.2 172.10.2.5 1000 6/26/19 17:17 192.168.50.2 138.10.45.5 1000 6/26/19 23:45 192.168.50.2 172.10.3.5 50000 6/27/19 10:21 192.168.50.2 138.35.2.5 25 6/27/19 11:25 192.168.50.2 138.35.2.5 25 To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and: A. DST 138.10.2.5 B. DST 138.10.25.5 C. DST 172.10.3.5 D. DST 172.10.45.5 E. DST 175.35.20.5 Correct answer- C. DST 172.10.3.5 During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website. Which of the following would be the MOST appropriate recommendation to prevent he activity from happening in the future? A. An IPS signature modification for the specific IP addresses B. An IDS signature modification for the specific IP addresses C. A firewall rule that will block port 80 traffic D. A firewall rule that will block traffic from the specific IP address Correct answer- D. A firewall rule that will block traffic from the specific IP address Because some clients have reported unauthorized activity of their accounts, a security analyst is reviewing network packet captures from the company's API server. A portion of a capture file is shown below: POST / services/v1_0/Public/M http://schemas.s/soap/envelope/ .,s:Body GetIPLocation+xmlns= request+xmlns:a=+xmlns:i= chema-instance/ s:Body /s:Envelope 192.168.1. 0 192.168.1.22 POST / services/v1_0/Public/M s:PasswordPassword123/a:Password a:ResetPasswordToken+i:nil="true"/a:ShouldImpersonatedAuthenticationBepopulat ed+i:nil="true"/ a:Username/a:Username/request/Login/s:B ody/s:Envelope 192.168.5.66 - - 192.168.4.89 POST / services/v1_0/Public/M s:Envelop+xmlns:s= a:BodyGetIPLocation+xmlns= PAddress 192.168.1.22 POST / services/v1_0/Public/M s:Envelop+xmlns:s= envelope/" a:BodyIsLoggedIn+xmlns+http:/// Request+xmlns:a= p:// XMLSchemasinstance"a:Authenticationa:ApiTokenkmL4Krg2CwwWBan5BReGv 5Djb7syxXTNKcWFuS jd/a:ApiToken a:ImpersonateUserID0/a:ImpersonateUserIDa:LocationID/a:LocationId a:NetworkId4/ a:NetworkId a:ProviderId:' ' 1=1/a:ProviderIda:UserId/aUserId/a:Authentication/request/ IsLoggedIn /s:Body/s: Envelope 192.168.5. 48 192.168.4.89 Which of the following MOST likely explains how the clients' accounts were compromised? A. The clients' authentication tokens were impersonated and replayed. B. The clients' usernames and passwords were transmitted in cleartext. C. An XSS scripting attack was carried out on the server. D. A SQL injection attack was carried out on the server. Correct answer- B. The clients' usernames and passwords were transmitted in cleartext. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features. Which of the following should be done to prevent this issue from reoccurring? A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes down, the other remains powered. B. Install additional batteries in the SAM power supplies with enough capacity to keep the system powered on during maintenance. C. Ensure power configuration is covered in the data center change management policy and have the SAN administrator review this policy D. Install a third power supply in the SAN so loss of any power input does not result in the SAN completely powering off. Correct answer- C. Ensure power configuration is covered in the data center change management policy and have the SAN administrator review this policy A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures. The analyst observes the following plugin output: Antivirus is installed on the remote host: Installation path: C:Program FilesAVProductWin32 Product Engine: 14.12.101 Engine Version: 3.5.71 Scanner does not currently have information about AVProduct version 3.5.71. It may no Longer be supported. The analyst uses the vendor's website to confirm the oldest supported version is correct. Which of the following BEST describes the situation? A. This is a false positive, and the scanning plugin needs to be updated by the vendor. B. This is a true negative, and the new computers have the correct version of the software. C. This is a true positive, and the new computers were imaged with an old version of the software. D. This is a false negative, and the new computers need to be updated by the desktop team. Correct answer- A. This is a false positive, and the scanning plugin needs to be updated by the vendor. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security. To provide the MOST secure access model in this scenario, the jumpbox should be: A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network. B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate. C. bridged between the IT and operational technology networks to allow authenticated access. D. Placed on the IT side of the network, authenticated, and tunneled into the ICS environment. Correct answer- A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS network. An analyst is participating in the solution analysis process for a cloud hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC. Which of the following is the BEST approach for supply chain assessment when selecting a vendor? A. Gather information from providers, including datacenter specifications and copies of the audit reports. B. Identify SLA requirements for monitoring and logging. C. Consult with senior management for recommendations. D. Perform a proof of concept to identify possible solutions. Correct answer- A. Gather information from providers, including datacenter specifications and copies of the audit reports. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication. Which of the following will remediate this software vulnerability? A. Enforce unique session IDs for the application. B. Deploy a WAF in front of the web application. C. Check for and enforce the proper domain for the redirect. D. Use a parameterized query to check the credentials. E. Implement email filtering with anti-phishing protection. Correct answer- C. Check for and enforce the proper domain for the redirect. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII? A. Human resources B. Public relations C. Marketing D. Internal network operations center Correct answer- B. Public relations When attempting to do a stealth scan against a system that does not respond to ping, which of the following Nmap commands BEST accomplishes that goal? A. nmap -sA -o system -noping B. nmap -sT -o system -po C. nmap -sS -o system -po D. nmap -sQ -o system -po Correct answer- C. nmap -sS -o system -po An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets. Which of the following should be considered FIRST prior to disposing of the electronic data? A. Sanitization policy B. Data sovereignty C. Encryption policy D. Retention standards Correct answer- D. Retention standards A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet. Which of the following solutions would meet this requirements? A. Establish a hosted SSO. B. Implement a CASB. C. Virtualize the server. D. Air gap the server. Correct answer- D. Air gap the server A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://malwaresource/ in a phishing email. To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the: A. email server that automatically deletes attached executables. B. IDS to match the malware sample. C. proxy to block all connections to malwaresource D. firewall to block connection attempts to dynamic DNS hosts. Correct answer- C. proxy to block all connections to malwaresource Which of the following assessment methods should be used to analyze how specialized software performs during heavy loads? A. Stress test B. API compatibility test C. Code review D. User acceptance test E. Input validation Correct answer- A. Stress test A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database. Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Select TWO). A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. B. Remove the servers reported to have high and medium vulnerabilities. C. Tag the computers with critical findings as a business risk acceptance. D. Manually patch the computers on the network, as recommended on the CVE website. E. Harden the hosts on the network, as recommended by the NIST framework. F. Resolve the monthly job issues and test them before applying them to the production network. Correct answer- A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities. F. Resolve the monthly job issues and test them before applying them to the production network. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization. Which of the following BEST describes the security analyst's goal? A. To create a system baseline B. To reduce the attack surface C. To optimize system performance D. To improve malware detection Correct answer- B. To reduce the attack surface A company recently experienced a break-in, whereby a number of hardware assets were stolen through unauthorized access at the back of the building. Which of the following would BEST prevent this type of theft from occurring in the future? A. Motion detection B. Perimeter fencing C. Monitored security cameras D. Badged entry Correct answer- D. Badged entry An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environment have interdependencies but must remain relatively segmented. Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain? A. Create three separate cloud accounts for each environment. Configure account peering and security rules to allow access to and from each environment. B. Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create granular security rules. C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to the from each environment. D. Create three separate cloud accounts for each environment and a single core account for network services. Route all traffic through the core account. Correct answer- C. Create one cloud account and three separate VPCs for each environment. Create security rules to allow access to the from each environment. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform. Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment? A. FaaS B. RTOS C. SoC D. GPS E. CAN bus Correct answer- E. CAN bus A Controller Area Network (CAN bus) is a robust vehicle bus standard designed to allow microcontrollers and devices to communicate with each other's applications without a host computer. It is a message-based protocol, designed originally for multiplex electrical wiring within automobiles to save on copper, but can also be used in many other contexts. For each device the data in a frame is transmitted sequentially but in such a way that if more than one device transmits at the same time the highest priority device is able to continue while the others back off. Frames are received by all devices, including by the transmitting device. A user's computer has been running slowly when the user tries to access web pages. A security analyst runs the command netstat -aon from the command line and receives the following output: LINE PROTOCOL LOCAL ADDRESS FOREIGN ADDRESS STATE 1 TCP 127.0.0.1:.0.0.1:16374 ESTABLISHED 2 TCP 127.0.0.1:8193 127.0.0.1:8192 ESTABLISHED 3 TCP 192.168.0.23:443 185.23.17.119:17207 ESTABLISHED 4 TCP 192.168.0.23:.217.0.14:443 ESTABLISHED 5 TCP 192.168.0.23:6023 185.23.17.120:443 ESTABLISHED 6 TCP 192.168.0.23:7264 10.23.63.217:445 ESTABLISHED Which of the following lines indicates the computer may be compromised? A. Line 1 B. Line 2 C. Line 3 D. Line 4 E. Line 5 F. Liine 6 Correct answer- C. Line 3 Line 3: It is suspicious that that client has established a connection from TCP 443, vice to TCP port 443 on the Web server. An information security analyst is compiling data from a recent penetration test and reviews the following output: Starting Nmap 7.70 ( ) at :06 UTC Nmap scan report for (10.79.95.173) Host is up (0.026s latency) . Not shown : 994 filtered ports PORT STATE SERVICE VERSION 21/tcp open ftp Microsoft ftpd 22/tcp open ssh SilverSHielD sshd (protocol 2.0) 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP / UPnP) 443/tcp open https? 691/tcp open resvc? 5060/tcp open sip Barracuda NG Firewall (Status: 200 OK) Nmap done: 1 IP address (1 host up) scanned in 158.22 seconds) The analyst wants to obtain more information about the web-based services that are running on the target. Which of the following MOST likely provide the needed information? A. ping -t B. telnet 10.79.95.173 443 C. ftpd 443 D. tracert 10.79.95.173 Correct answer- B. telnet 10.79.95.173 443 USING TELNET TO TROUBLESHOOT To use telnet to troubleshoot a network application, you need to know at least two things: - The remote server name or IP address. - The port number for the network application you want to test. - If you are only testing basic connectivity to a particular network application, that is all you need to know. - If you want to do more in-depth testing, however, you will need to know specific commands for the protocol you want to test (for example, HTTP or SMTP). A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic. Which of the following would BEST accomplish this goal? A. Continuous integration and deployment B. Automation and orchestration C. Static and dynamic analysis D. Information sharing and analysis Correct answer- B. Automation and orchestration ThreatConnect for Automation & Orchestration. Reduce workload and make better security and business decisions with ThreatConnect's intelligence-driven automation and orchestration. Achieve faster, smarter, and repeatable processes with easily accessible intelligence and customizable workflows in one platform. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices. Which of the following should be used to identify the traffic? A. Carving B. Disk imaging C. Packet analysis D. Memory dump E. Hashing Correct answer- C. Packet analysis An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems. As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue? A. Copies of prior audits that did not identify the servers as an issue B. Project plans relating to the replacement of the servers that were approved by management C. Minutes from meetings in which risk assessment activities addressing the servers were discussed D. ACLs from perimeter firewalls showing blocked access to the servers E. Copies of change orders relating to the vulnerable servers Correct answer- C. Minutes from meetings in which risk assessment activities addressing the servers were discussed An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An alalyst is review the logs from the next-generation UTM in an attempt to find evidence of this breach. Given the following output: Src IP Src DNS Dst IP Dst DNS Port Application 10.50.50.121 8.8.8.8 google... 53 DNS 10.50.50.121 77.88.55.66 443 HTTPS 172.16.52.20 131.52.88.45 -- 53 DNS 10.100.10.45 69.134.21.90 21 FTP 172.16.52.20 131.52.88.45 -- 10999 HTTPS 172.16.52.100 62.30.221.56 42991 SSH 172.16.52.20 131.52.88.45 -- 10999 HTTPS Which of the following should be the focus of the investigation? A. B. C. D. Correct answer- A. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server. Which of the following is the FIRST step the analyst should take? A. Create a full disk image of the server's hard drive to look for the file containing the malware. B. Run a manual antivirus scan on the machine to look for known malicious software. C. Take a memory snapshot of the machine to capture volatile information stored in memory. D. Start packet capturing to look for traffic that could be indicative of command and control from the miner. Correct answer- D. Start packet capturing to look for traffic that could be indicative of command and control from the miner. A large organization wants to move account registration services to the cloud to benefit from faster processing and elasticity. Which of the following should be done FIRST to determine the potential risk to the organization? A. Establish a recovery time objective and a recovery point objective for the systems being moved. B. Calculate the resource requirements for moving the systems to the cloud. C. Determine recovery priorities for the assets being moved to the cloud-based systems. D. Identify the business processes that will be migrated and the critically of each one. E. Perform an inventory of the servers that will be moving and assign priority to each one. Correct answer- D. Identify the business processes that will be migrated and the critically of each one. A security analyst is reviewing the following DNS logs as part of security-monitoring activities: FROM 192.168.1.20 A 67.43.45.22 FROM 192.168.1.20 AAAA 2006:67:AD:1FAB::102 FROM 192.168.1.43 A 193.56.221.99 FROM 192.168.1.2 A 241.23.22.11 FROM 192.168.1.211 A 32.56.32.122 FROM 192.168.1.106 A 102.45.33.53 FROM 192.168.1.93 AAAA 2002:10:976: :1 FROM 192.168.1.78 A 122.10.31.87 Which of the following MOST likely occurred? A. The attack used an algorithm to generate command and control information dynamically. B. The attack attempted to contact to verify Internet connectivity. C. The attack used encryption to obfuscate the payload and bypass detection by an IDS. D. The attack caused an internal host to connect to a command and control server. Correct answer- D. The attack caused an internal host to connect to a command and control server A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch. Which of the following is the MOST appropriate threat classification for these incidents? A. Known threat B. Zero day C. Unknown threat D. Advanced persistent threat Correct answer- C. Unknown threat A security analyst is reviewing the following log from an email security service. Rejection type: Drop Rejection Description: IP found in RBL Event time: Today at 16:06 Rejection information From address: To address: IP address 192.167.28.243 Remote server name: 192.167.28.243 Which of the following best describes the reason why the email was blocked? A. To address is invalid. B. The email originated from the URL. C. The IP address and the remote server name are the same. D. The IP address was blacklisted. E. The From address is invalid Correct answer- D. The IP address was blacklisted. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability. Which of the following would be the MOST appropriate to remediate the controller? A. Segment the network to constrain access to administrative interfaces. B. Replace the equipment that has third-party support. C. Remove the legacy hardware from the network. D. Install an IDS on the network between the switch and the legacy equipment. Correct answer- D. Install an IDS on the network between the switch and the legacy equipment. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches? A. Agile B. Waterfall C. SDLC D. Dynamic code analysis Correct answer- C. SDLC A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties. Which of the following would BEST satisfy the objectives defined by the compliance officer? (Select TWO). A. Executing vendor compliance assessments against the organization's security controls B. Executing NDAs prior to sharing critical data with third parties C. Soliciting third-party audit reports on an annual basis D. Maintaining and reviewing the organization risk assessment on a quarterly basis E. Completing a business impact assessment for all critical service providers F. Utilizing DLP capabilities at both the endpoint and perimeter levels Correct answer- A. Executing vendor compliance assessments against the organization's security controls E. Completing a business impact assessment for all critical service providers It is important to parameterize queries to prevent: A. the execution of unauthorized actions against a data base. B. a memory overflow that executes code with elevated privileges. C. the establishment of a web shell that would allow unauthorized access. D. the queries from using an outdated library with security vulnerabilities. Correct answer- A. the execution of unauthorized actions against a data base. A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications and not capable of escaping the virtual machines and pivoting to other networks. To BEST mitigate this risk, the analyst should use: A. an 802.11ac wireless bridge to create an air gap. B. a managed switch to segment the lab into a separate VLAN. C. a firewall to isolate the lab network from all other networks. D. an unmanaged switch to segment the environments from one another. Correct answer- B. a managed switch to segment the lab into a separate VLAN. A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT. Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis? A. Attack vectors B. Adversary capability C. Diamond Model of Intrusion Analysis D. Kill chain E. Total attack surface Correct answer- B. Adversary capability A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviewed the email and decides to download the attachment to be a Linux sandbox for review. Which of the following commands would MOST likely indicate if the email is malicious? A. sha256sum B. file C. strings D. cat Correct answer- A. sha256sum A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised. When viewing the capture in a packet analyzer, the analyst sees the following: 11:03:09. IP 10.1.1.10.47787 128.50.100.3.53:48202+ A? .334- 54-2343.985-334- 5643.1123- K. 11:03:09. IP 10.1.1.10.47788 128.50.100.3.53:49675+ A? R.437- 96-6523.212-635- 6538.2426- R. 11:03:09. IP 10.1.1.10.47789 128.50.100.3.53:50986+ A? nc.485- 63-5278.802-632- 5841.68951- P. 11:03:09. IP 10.1.1.10.47790 128.50.100.3.53:51567+ A? .471-96- 2354.313-654- 9254.3698- M. Which of the following can the analyst conclude? A. Malware is attempting to beacon to 128.50.100.3 B. The system is running a DoS attack against C. The system is scanning for PII. D. Data is being exfiltrated over DNS. Correct answer- C. The system is scanning for PII. A security analyst received a series of antivirus alerts from a workstation segment, and users reported ransomware messages. During lessons-learned activities, the analyst determines the antivirus was able to alert to abnormal behavior but did not stop this newest variant of ransomware. Which of the following actions should be taken to BEST mitigate the effects of this type of threat in the future? A. Enabling sandboxing technology B. Purchasing cyber-insurance C. Enabling application blacklisting D. Installing a firewall between the workstations and Internet Correct answer- A. Enabling sandboxing technology Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops? A. Self-encryption drive B. Bus encryption C. TPM D. HSM Correct answer- C. TPM An incident responder successfully acquired application binaries off a mobile device for later forensic analysis. Which of the following should the analyst do NEXT? A. Decompile each binary to derive the source code. B. Perform a factory reset on the affected mobile device. C. Compute SHA-256 hashes for each binary. D. Encrypt the binaries using an authenticated AES-256 mode of operation. E. Inspect the permissions manifests within each application. Correct answer- D. Encrypt the binaries using an authenticated AES-256 mode of operation. For machine learning to be applied effectively toward security analysis automation, it requires: A. relevant training data. B. a threat feed API. C. a multicore, multiprocessor system. D. anomalous traffic signatures. Correct answer- D. anomalous traffic signatures. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL: Server1 Server2 PC1 PC2 22/tcp open 3389/tcp open 80/tcp open 80/tcp open 80/tcp open 53/udp open 443/tcp open 1443/tcp open open Firewall ACL 10 permit tcp from:any to: 15 permit udp from:lan-net to: 16 permit udp from:any to: 20 permit tcp from:any to: 25 permit tcp from:lan-net to:any www 26 permit tcp from:lan-net to:any:ssl 27 permit tcp from:any to pc2:mssql 30 permit tcp from:any to server1:ssh 100 deny ip any any Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality? A. PC1 B. PC2 C. Server1 D. Server2 E. Firewall Correct answer- E. Firewall A cybersecurity analyst is contributing to a team hunt on an organization's endpoints. Which of the following should the analyst do FIRST? A. Write detection logic. B. Establish a hypothesis. C. Profile the threat actors and activities. D. Perform a process analysis. Correct answer- B. Establish a hypothesis. A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided. Which of the following data privacy standards does this violate? A. Purpose limitation B. Sovereignty C. Data minimization D. Retention Correct answer- A. Purpose limitation Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective? A. Unauthorized, unintentional, benign B. Unauthorized, intentional, malicious C. Authorized, intentional, malicious D. Authorized, unintentional, benign Correct answer- C. Authorized, intentional, malicious Which of the following types of policies is used to regulate data storage on the network? A. Password B. Acceptable use C. Account management D. Retention Correct answer- D. Retention Which of the following would a security engineer recommend to BEST protect sensitive system data from being accessed on mobile devices? A. Use a UEFI boot password. B. Implement a self-encrypted disk C. Configure filesystem encryption. D. Enable Secure Boot using TPM Correct answer- C. Configure filesystem encryption. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets. Which of the following is the BEST example of the level of sophistication this threat actor is using? A. Social media accounts attributed to the threat actor B. Custom malware attributed to the threat actor from prior attacks C. Email addresses and phone numbers tied to the threat actor D. Network assets used in previous attacks attributed to the threat actor E. IP addresses used by the threat actor for command and control Correct answer- B. Custom malware attributed to the threat actor from prior attacks A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application. Which of the following is a security concern when using a PaaS solution? A. The use of infrastructure-as-code capabilities leads to an increased attack surface. B. Patching the underlying application server becomes the responsibility of the client. C. The application is unable to use encryption at the database level. D. Insecure application programming interfaces can lead to data compromise. Correct answer- B. Patching the underlying application server becomes the responsibility of the client. A security analyst has discovered that developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the internet. Which of the following changes should the security analyst make to BEST protect the environment? A. Create a security rule that blocks Internet access in the development VPC. B. Place a jumpbox in between the developers' workstation and the development VPC. C. Remove the administrator's profile from the developer user group in identity and access management. D. Create an alert that is triggered when a developer installs an application on a server. Correct answer- A. Create a security rule that blocks Internet access in the development VPC. Which of the following technologies can be used to store digital certificates and is typically used in high security implementations where integrity is paramount? A. HSM B. eFuse C. UEFI D. Self-encrypting drive Correct answer- A. HSM