CySA+ 231 More Questions with 100% Correct Answers, 100% Accurate , Rated A+. 2022/2023

Document Content and Description Below

CySA+ 231 More Questions with 100% Correct Answers An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insi... der. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations will BEST prevent the same attack from occurring in the future? A. Remove and replace the managed switch with an unmanaged one. B. Implement a separate logical network segment for management interfaces. C. Install and configure NAC services to allow only authorized devices to connect to the network. D. Analyze normal behavior on the network and configure the IDS to alert on deviations from normal. -Answer- B A cybersecurity analyst is reviewing the current BYOD security posture. The users must be able to synchronize their calendars, email, and contacts to a smartphone or other personal device. The recommendation must provide the most flexibility to users. Which of the following recommendations would meet both the mobile data protection efforts and the business requirements described in this scenario? A. Develop a minimum security baseline while restricting the type of data that can be accessed. B. Implement a single computer configured with USB access and monitored by sensors. C. Deploy a kiosk for synchronizing while using an access list of approved users. D. Implement a wireless network configured for mobile device access and monitored by sensors. -Answer- D A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis? A. Make a copy of the hard drive. B. Use write blockers. C. Run rm -R command to create a hash. D. Install it on a different machine and explore the content. -Answer- B File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made: chmod 777 -Rv /usr Which of the following may be occurring? A. The ownership pf /usr has been changed to the current user. B. Administrative functions have been locked from users.C. Administrative commands have been made world readable/ -Answer- C A security analyst has created an image of a drive from an incident. Which of the following describes what the analyst should do NEXT? A. The analyst should create a backup of the drive and then hash the drive. B. The analyst should begin analyzing the image and begin to report findings. C. The analyst should create a hash of the image and compare it to the original drive's hash. D. The analyst should create a chain of custody document and notify stakeholders. - Answer- C A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the username: 0xbfff601a. Which of the following attacks may be occurring? A. Buffer overflow attack B. Man-in-the-middle attack C. Smurf attack D. Format string attack -Answer- D External users are reporting that a web application is slow and frequently times out when attempting to submit information. Which of the following software development best practices would have helped prevent this issue? A. Stress testing B. Regression testing C. Input validation D. Fuzzing -Answer- A An analyst has initiated an assessment of an organization's security posture. As a part of this review, the analyst would like to determine how much information about the organization is exposed externally. Which of the following techniques would BEST help the analyst accomplish this goal? (Select two.) A. Fingerprinting B. DNS query log reviews C. Banner grabbing D. Internet searches E. Intranet portal reviews F. Sourcing social network sites G. Technical control audits -Answer- DF A cybersecurity professional typed in a URL and discovered the admin panel for the ecommerce application is accessible over the open web with the default password. Which of the following is the MOST secure solution to remediate this vulnerability? A. Rename the URL to a more obscure name, whitelist all corporate IP blocks, and require two-factor authentication.B. Change the default password, whitelist specific source IP addresses, and require two-factor authentication. C. Whitelist all corporate IP blocks, require an alphanumeric passphrase for the default password, and require two-factor authentication. D. Change the username and default password, whitelist specific source IP addresses, and require two-factor authentication. -Answer- D An organization is requesting the development of a disaster recovery plan. The organization has grown and so has its infrastructure. Documentation, policies, and procedures do not exist. Which of the following steps should be taken to assist in the development of the disaster recovery plan? A. Conduct a risk assessment. B. Develop a data retention policy. C. Execute vulnerability scanning. D. Identify assets. -Answer- D A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP? A. Sponsored guest passwords must be at least ten characters in length and contain a symbol. B. The corporate network should have a wireless infrastructure that uses open authentication standards. C. Guests using the wireless network should provide valid identification when registering their wireless devices. D. The network should authenticate all guest users using 802.1x backed by a RADIUS or LDAP server. -Answer- C An analyst was tasked with providing recommendations of technologies that are PKI X.509 compliant for a variety of secure functions. Which of the following technologies meet the compatibility requirement? (Select three.) A. 3DES B. AES C. IDEA D. PKCS E. PGP F. SSL/TLS G. TEMPEST -Answer- BDF After completing a vulnerability scan, the following output was noted: Which of the following vulnerabilities has been identified? A. PKI transfer vulnerability. B. Active Directory encryption vulnerability. C. Web application cryptography vulnerability. D. VPN tunnel vulnerability. -Answer- CA security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer? A. The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody. B. Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance. C. An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a noncompromised recourse. D. The HR department should have information security personnel who are involved in the investigation of the incident sign non-disclosure agreements so the company cannot be held liable for customer data that might be viewed during an investigation. -Answer- A A company has recently launched a new billing invoice website for a few key vendors. The cybersecurity analyst is receiving calls that the website is performing slowly and the pages sometimes time out. The analyst notices the website is receiving millions of requests, causing the service to become unavailable. Which of the following can be implemented to maintain the availability of the website? A. VPN B. Honeypot C. Whitelisting D. DMZ E. MAC filtering -Answer- C A security audit revealed that port 389 has been used instead of 636 when connecting to LDAP for the authentication of users. The remediation recommended by the audit was to switch the port to 636 wherever technically possible. Which of the following is the BEST response? A. Correct the audit. This finding is a well-known false positive; the services that typically run on 389 and 636 are identical. B. Change all devices and servers that support it to 636, as encrypted services run by default on 636. C. Change all devices and servers that support it to 636, as 389 is a reserved port that requires root access and can expose the server to privilege escalation attacks. D. Correct the audit. This finding is accurate, but the correct remediation is to update encryption keys on each of the servers to match port 636. -Answer- B A company that is hiring a penetration tester wants to exclude social engineering from the list of authorized activities. Which of the following documents should include these details?A. Acceptable use policy B. Service level agreement C. Rules of engagement D. Memorandum of understanding E. Master service agreement -Answer- C A reverse engineer was analyzing malware found on a retailer's network and found code extracting track data in memory. Which of the following threats did the engineer MOST likely uncover? A. POS malware B. Rootkit C. Key logger D. Ransomware -Answer- A Due to new regulations, a company has decided to institute an organizational vulnerability management program and assign the function to the security team. Which of the following frameworks would BEST support the program? (Select two.) A. COBIT B. NIST C. ISO 27000 series D. ITIL E. OWASP -Answer- BD A system administrator recently deployed and verified the installation of a critical patch issued by the company's primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from over the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this? A. The administrator entered the wrong IP range for the assessment. B. The administrator did not wait long enough after applying the patch to run the assessment. C. The patch did not remediate the vulnerability. D. The vulnerability assessment returned false positives. -Answer- C A security analyst is creating baseline system images to remediate vulnerabilities found in different operating systems. Each image needs to be scanned before it is deployed. The security analyst must ensure the configurations match industry standard benchmarks and the process can be repeated frequently. Which of the following vulnerability options would BEST create the process requirements? A. Utilizing an operating system SCAP plugin B. Utilizing an authorized credential scan C. Utilizing a non-credential scan D. Utilizing a known malware plugin -Answer- AA cybersecurity analyst is retained by a firm for an open investigation. Upon arrival, the cybersecurity analyst reviews several security logs. Given the following snippet of code: Which of the following combinations BEST describes the situation and recommendations to be made for this situation? A. The cybersecurity analyst has discovered host 192.168.0.101 using Windows Task Scheduler at 13:30 to runnc.exe; recommend proceeding with the next step of removing the host from the network. B. The cybersecurity analyst has discovered host 192.168.0.101 to be running thenc.exe file at 13:30 using the auto cron job remotely, there are no recommendations since this is not a threat currently. C. The cybersecurity analyst has discovered host 192.168.0.101 is beaconing every day at 13:30 using thenc.exe file; recommend proceeding with the next step of removing the host from the network. D. The security analyst has discovered host 192.168.0.101 is a rogue device on the network, recommend proceeding with the next step of removing the host from the network. -Answer- A An analyst wants to use a command line tool to identify open ports and running services on a host along with the application that is associated with those services and port. Which of the following should the analyst use? A. Wireshark B. Qualys C. netstat D. nmap E. ping -Answer- nmap In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed? A. Attempt to identify all false positives and exceptions, and then resolve all remaining items. B. Hold off on additional scanning until the current list of vulnerabilities have been resolved. C. Place assets that handle PHI in a sandbox environment, and then resolve all vulnerabilities. D. Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first. -Answer- D An administrator has been investigating the way in which an actor had been exfiltrating confidential data from a web server to a foreign host. After a thorough forensic review, the administrator determined the server's BIOS had been modified by rootkit installation. After removing the rootkit and flashing the BIOS to a known goodstate, which of the following would BEST protect against future adversary access to the BIOS, in case another rootkit is installed? A. Anti-malware application B. Host-based IDS C. TPM data sealing D. File integrity monitoring -Answer- C A security analyst is reviewing the following log after enabling key-based authentication. Given the above information, which of the following steps should be performed NEXT to secure the system? A. Disable anonymous SSH logins. B. Disable password authentication for SSH. C. Disable SSHv1. D. Disable remote root SSH logins. -Answer- B A cybersecurity analyst has received a report that multiple systems are experiencing slowness as a result of a DDoS attack. Which of the following would be the BEST action for the cybersecurity analyst to perform? A. Continue monitoring critical systems. B. Shut down all server interfaces. C. Inform management of the incident. D. Inform users regarding the affected systems. -Answer- C A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT? A. Start the change control process. B. Rescan to ensure the vulnerability still exists. C. Implement continuous monitoring. D. Begin the incident response process. -Answer- A A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Select two.) A. Fuzzing B. Behavior modeling C. Static code analysis D. Prototyping phase E. Requirements phase F. Planning phase -Answer- AD Law enforcement has contacted a corporation's legal counsel because correlated data from a breach shows the organization as the common denominator from allindicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach. Which of the following steps should be taken to prevent further disclosure of information about the breach? A. Perform security awareness training about incident communication. B. Request all employees verbally commit to an NDA about the breach. C. Temporarily disable employee access to social media D. Have law enforcement meet with employees. -Answer- A A recent vulnerability scan found four vulnerabilities on an organization's public Internetfacing IP addresses. Prioritizing in order to reduce the risk of a breach to the organization, which of the following should be remediated FIRST? A. A cipher that is known to be cryptographically weak. B. A website using a self-signed SSL certificate. C. A buffer overflow that allows remote code execution. D. An HTTP response that reveals an internal IP address. -Answer- C A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform? A. Use the IP addresses to search through the event logs. B. Analyze the trends of the events while manually reviewing to see if any of the indicators match. C. Create an advanced query that includes all of the indicators, and review any of the matches. D. Scan for vulnerabilities with exploits known to have been used by an APT. -AnswerB A system administrator has reviewed the following output: Which of the following can a system administrator infer from the above output? A. The company email server is running a non-standard port. B. The company email server has been compromised. C. The company is running a vulnerable SSH server. D. The company web server has been compromised. -Answer- A An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures. Management directed the security team to have personnel update the scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome is unchanged. Which of the following is the BEST logical control to address the failure? A. Configure a script to automatically update the scanning tool. B. Manually validate that the existing update is being performed. C. Test vulnerability remediation in a sandbox before deploying. D. Configure vulnerability scans to run in credentialed mode. -Answer- AA cybersecurity analyst has received an alert that well-known "call home" messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause? A. Attackers are running reconnaissance on company resources. B. An outside command and control system is attempting to reach an infected system. C. An insider is trying to exfiltrate information to a remote network. D. Malware is running on a company system. -Answer- B After scanning the main company's website with the OWASP ZAP tool, a cybersecurity analyst is reviewing the following warning: The analyst reviews a snippet of the offending code: Which of the following is the BEST course of action based on the above warning and code snippet? A. The analyst should implement a scanner exception for the false positive. B. The system administrator should disable SSL and implement TLS. C. The developer should review the code and implement a code fix. D. The organization should update the browser GPO to resolve the issue. -Answer- D An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would ONLY identify the known vulnerability? A. Perform an unauthenticated vulnerability scan on all servers in the environment. B. Perform a scan for the specific vulnerability on all web servers. C. Perform a web vulnerability scan on all servers in the environment. D. Perform an authenticated scan on all web servers in the environment. -Answer- B As part of an upcoming engagement for a client, an analyst is configuring a penetration testing application to ensure the scan complies with information defined in the SOW. Which of the following types of information should be considered based on information traditionally found in the SOW? (Select two.) A. Timing of the scan B. Contents of the executive summary report C. Excluded hosts D. Maintenance windows E. IPS configuration F. Incident response policies -Answer- AC An organization wants to remediate vulnerabilities associated with its web servers. An initial vulnerability scan has been performed, and analysts are reviewing the results. Before starting any remediation, the analysts want to remove false positives to avoid spending time on issues that are not actual vulnerabilities. Which of the following would be an indicator of a likely false positive? A. Reports show the scanner compliance plug-in is out-of-date. B. Any items labeled 'low' are considered informational only.C. The scan result version is different from the automated asset inventory. D. 'HTTPS' entries indicate the web page is encrypted securely. -Answer- B Company A permits visiting business partners from Company B to utilize Ethernet ports available in Company A's conference rooms. This access is provided to allow partners the ability to establish VPNs back to Company B's network. The security architect for Company A wants to ensure partners from Company B are able to gain direct Internet access from available ports only, while Company A employees can gain access to the Company A internal network from those same ports. Which of the following can be employed to allow this? A. ACL B. SIEM C. MAC D. NAC E. SAML -Answer- D After reviewing the following packet, a cybersecurity analyst has discovered an unauthorized service is running on a company's computer. Which of the following ACLs, if implemented, will prevent further access ONLY to the unauthorized service and will not impact other services? A. DENY TCP ANY HOST 10.38.219.20 EQ 3389 B. DENY IP HOST 10.38.219.20 ANY EQ 25 C. DENY IP HOST192.168.1.10 HOST 10.38.219.20 EQ 3389 D. DENY TCP ANY HOST 192.168.1.10 EQ 25 -Answer- A The new Chief Technology Officer (CTO) is seeking recommendations for network monitoring services for the local intranet. The CTO would like the capability to monitor all traffic to and from the gateway, as well as the capability to block certain content. Which of the following recommendations would meet the needs of the organization? A. Recommend setup of IP filtering on both the internal and external interfaces of the gateway router. B. Recommend installation of an IDS on the internal interface and a firewall on the external interface of the gateway router. C. Recommend installation of a firewall on the internal interface and a NIDS on the external interface of the gateway router. D. Recommend installation of an IPS on both the internal and external interfaces of the gateway router. -Answer- C While a threat intelligence analyst was researching an indicator of compromise on a search engine, the web proxy generated an alert regarding the same indicator. The threat intelligence analyst states that related sites were not visited but were searched for in a search engine. Which of the following MOST likely happened in this situation? A. The analyst is not using the standard approved browser. B. The analyst accidently clicked a link related to the indicator.C. The analyst has prefetch enabled on the browser in use. D. The alert in unrelated to the analyst's search. -Answer- C Which of the following remediation strategies are MOST effective in reducing the risk of a network-based compromise of embedded ICS? (Select two.) A. Patching B. NIDS C. Segmentation D. Disabling unused services E. Firewalling -Answer- CD A university wants to increase the security posture of its network by implementing vulnerability scans of both centrally managed and student/employee laptops. The solution should be able to scale, provide minimum false positives and high accuracy of results, and be centrally managed through an enterprise console. Which of the following scanning topologies is BEST suited for this environment? A. A passive scanning engine located at the core of the network infrastructure B. A combination of cloud-based and server-based scanning engines C. A combination of server-based and agent-based scanning engines D. An active scanning engine installed on the enterprise console -Answer- D A cybersecurity analyst is completing an organization's vulnerability report and wants it to reflect assets accurately. Which of the following items should be in the report? A. Processor utilization B. Virtual hosts C. Organizational governance D. Log disposition E. Asset isolation -Answer- B A threat intelligence feed has posted an alert stating there is a critical vulnerability in the kernel. Unfortunately, the company's asset inventory is not current. Which of the following techniques would a cybersecurity analyst perform to find all affected servers within an organization? A. A manual log review from data sent to syslog B. An OS fingerprinting scan across all hosts C. A packet capture of data traversing the server network D. A service discovery scan on the network -Answer- B A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted? A. Syslog B. Network mapping C. Firewall logsD. NIDS -Answer- A A software patch has been released to remove vulnerabilities from company's software. A security analyst has been tasked with testing the software to ensure the vulnerabilities have been remediated and the application is still functioning properly. Which of the following tests should be performed NEXT? A. Fuzzing B. User acceptance testing C. Regression testing D. Penetration testing -Answer- C During a routine review of firewall logs, an analyst identified that an IP address from the organization's server subnet had been connecting during nighttime hours to a foreign IP address, and had been sending between 150 and 500 megabytes of data each time. This had been going on for approximately one week, and the affected server was taken offline for forensic review. Which of the following is MOST likely to drive up the incident's impact assessment? A. PII of company employees and customers was exfiltrated. B. Raw financial information about the company was accessed. C. Forensic review of the server required fall-back on a less efficient service. D. IP addresses and other network-related configurations were exfiltrated. E. The local root password for the affected server was compromised. -Answer- A A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered? A. DDoS B. APT C. Ransomware D. Software vulnerability -Answer- B A threat intelligence analyst who works for a technology firm received this report from a vendor. "There has been an intellectual property theft campaign executed against organizations in the technology industry. Indicators for this activity are unique to each intrusion. The information that appears to be targeted is R&D data. The data exfiltration appears to occur over months via uniform TTPs. Please execute a defensive operation regarding this attack vector." Which of the following combinations suggests how the threat should MOST likely be classified and the type of analysis that would be MOST helpful in protecting against this activity? A. Polymorphic malware and secure code analysis B. Insider threat and indicator analysis C. APT and behavioral analysisD. Ransomware and encryption -Answer- C The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files: Locky.js xerty.ini xerty.lib Further analysis indicates that when the .zip file is opened, it is installing a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices? A. Disable access to the company VPN. B. Email employees instructing them not to open the invoice attachment. C. Set permissions on file shares to read-only. D. Add the URL included in the .js file to the company's web proxy filter. -Answer- B After running a packet analyzer on the network, a security analyst has noticed the following output: Which of the following is occurring? A. A ping sweep B. A port scan C. A network map D. A service discover -Answer- B A network technician is concerned that an attacker is attempting to penetrate the network, and wants to set a rule on the firewall to prevent the attacker from learning which IP addresses are valid on the network. Which of the following protocols needs to be denied? A. TCP B. SMTP C. ICMP D. ARP -Answer- C A database administrator contacts a security administrator to request firewall changes for a connection to a new internal application. The security administrator notices that the new application uses a port typically monopolized by a virus. The security administrator denies the request and suggests a new port or service be used to complete the application's task. Which of the following is the security administrator practicing in this example? A. Explicit deny B. Port security C. Access control lists D. Implicit deny -Answer- CA network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the type of attack the proxy has been legitimately programmed to perform? A. Transitive access B. Spoofing C. Man-in-the-middle D. Replay -Answer- C A company discovers an unauthorized device accessing network resources through one of many network drops in a common area used by visitors. The company decides that it wants to quickly prevent unauthorized devices from accessing the network but policy prevents the company from making changes on every connecting client. Which of the following should the company implement? A. Port security B. WPA2 C. Mandatory Access Control D. Network Intrusion Prevention -Answer- A Which of the following is a control that allows a mobile application to access and manipulate information which should only be available by another application on the same mobile device (e.g. a music application posting the name of the current song playing on the device on a social media site)? A. Co-hosted application B. Transitive trust C. Mutually exclusive access D. Dual authentication -Answer- B A technician receives a report that a user's workstation is experiencing no network connectivity. The technician investigates and notices the patch cable running the back of the user's VoIP phone is routed directly under the rolling chair and has been smashed flat over time. Which of the following is the most likely cause of this issue? A. Cross-talk B. Electromagnetic interference C. Excessive collisions D. Split pairs -Answer- C A project lead is reviewing the statement of work for an upcoming project that is focused on identifying potential weaknesses in the organization's internal andexternal network infrastructure. As part of the project, a team of external contractors will attempt to employ various attacks against the organization. The statement of work specifically addresses the utilization of an automated tool to probe network resources in an attempt to develop logical diagrams indication weaknesses in the infrastructure. The scope of activity as described in the statement of work is an example of: A. session hijacking B. vulnerability scanning C. social engineering D. penetration testing E. friendly DoS -Answer- D A technician recently fixed a computer with several viruses and spyware programs on it and notices the Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as which of the following? A. Phishing B. Social engineering C. Man-in-the-middle D. Shoulder surfing -Answer- C An application development company released a new version of its software to the public. A few days after the release, the company is notified by end users that the application is notably slower, and older security bugs have reappeared in the new release. The development team has decided to include the security analyst during their next development cycle to help address the reported issues. Which of the following should the security analyst focus on to remedy the existing reported problems? A. The security analyst should perform security regression testing during each application development cycle. B. The security analyst should perform end user acceptance security testing during each application development cycle. C. The security analyst should perform secure coding practices during each application development cycle. D. The security analyst should perform application fuzzing to locate application vulnerabilities during each application development cycle. -Answer- A A security administrator determines several months after the first instance that a local privileged user has been routinely logging into a server interactively as "root" and browsing the Internet. The administrator determines this by performing an annual review of the security logs on that server. For which of the following security architecture areas should the administrator recommend review and modification? (Select TWO). A. Log aggregation and analysis B. Software assurance C. Encryption D. Acceptable use policiesE. Password complexity F. Network isolation and separation -Answer- AD Which of the following principles describes how a security analyst should communicate during an incident? A. The communication should be limited to trusted parties only. B. The communication should be limited to security staff only. C. The communication should come from law enforcement. D. The communication should be limited to management only. -Answer- A Which of the following actions should occur to address any open issues while closing an incident involving various departments within the network? A. Incident response plan B. Lessons learned report C. Reverse engineering process D. Chain of custody documentation -Answer- B A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device is unable to be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device? A. The security analyst should recommend this device be placed behind a WAF. B. The security analyst should recommend an IDS be placed on the network segment. C. The security analyst should recommend this device regularly export the web logs to a SIEM system. D. The security analyst should recommend this device be included in regular vulnerability scans. -Answer- A A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action? A. Follow the incident response plan for the introduction of new accounts B. Disable the user accounts C. Remove the accounts' access privileges to the sensitive application D. Monitor the outbound traffic from the application for signs of data exfiltration E. Confirm the accounts are valid and ensure role-based permissions are appropriate - Answer- E Several users have reported that when attempting to save documents in team folders, the following message is received: The File Cannot Be Copied or Moved - Service Unavailable. Upon further investigation, it is found that the syslog server is not obtaining log events from the file server to which the users are attempting to copy files. Which of the following is the MOST likely scenario causing these issues?A. The network is saturated, causing network congestion B. The file server is experiencing high CPU and memory utilization C. Malicious processes are running on the file server D. All the available space on the file server is consumed -Answer- A A computer has been infected with a virus and is sending out a beacon to command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? A. Sinkhole B. Block ports and services C. Patches D. Endpoint security -Answer- A Which of the following is MOST effective for correlation analysis by log for threat management? A. PCAP B. SCAP C. IPS D. SIEM -Answer- D A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not been updated in three years. Which of the following should the analyst check to ensure the policy is still accurate? A. Threat intelligence reports B. Technical constraints C. Corporate minutes D. Governing regulations -Answer- A Creating a lessons learned report following an incident will help an analyst to communicate which of the following information? (Select TWO) A. Root cause analysis of the incident and the impact it had on the organization B. Outline of the detailed reverse engineering steps for management to review C. Performance data from the impacted servers and endpoints to report to management D. Enhancements to the policies and practices that will improve business responses E. List of IP addresses, applications, and assets -Answer- AD Which of the following policies BEST explains the purpose of a data ownership policy? A. The policy should describe the roles and responsibilities between users and managers, and the management of specific data types. B. The policy should establish the protocol for retaining information types based on regulatory or business needs. C. The policy should document practices that users m [Show More]

Last updated: 1 year ago

Preview 1 out of 54 pages