CS0-002 Online Training

1. A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

2. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

3. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer datA. Developers use personal workstations, giving the company little to no visibility into the development activities.

Which of the following would be BEST to implement to alleviate the CISO's concern?

4. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

5. The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:

✑ Reduce the number of potential findings by the auditors.

✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.

✑ Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

6. A security analyst is investigating malicious traffic from an internal system that attempted to download proxy avoidance software as identified from the firewall logs but the destination IP is blocked and not captured .

Which of the following should the analyst do?

7. A security analyst working in the SOC recently discovered Balances m which hosts visited a specific set of domains and IPs and became infected with malware .

Which of the following is the MOST appropriate action to take in the situation?

8. An executive assistant wants to onboard a new cloud based product to help with business analytics and dashboarding.

When of the following would be the BEST integration option for the service?

9. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately .

Which of the following would be the BEST method of communication?

10. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

11. A security administrator needs to create an IDS rule to alert on FTP login attempts by root .

Which of the following rules is the BEST solution?

12. Which of the following are components of the intelligence cycle? (Select TWO.)

13. A security analyst receives an alert that highly sensitive information has left the company's network Upon investigation, the analyst discovers an outside IP range has had connections from three servers more than 100 times m the past month. The affected servers are virtual machines.

Which of the following is the BEST course of action?

14. A network attack that is exploiting a vulnerability in the SNMP is detected.

Which of the following should the cybersecurity analyst do FIRST?

15. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

16. An organization has not had an incident for several month. The Chief information Security Officer (CISO) wants to move to proactive stance for security investigations .

Which of the following would BEST meet that goal?

17. An analyst is investigating an anomalous event reported by the SOC. After reviewing the system logs the analyst identifies an unexpected addition of a user with root-level privileges on the endpoint .

Which of the following data sources will BEST help the analyst to determine whether this event constitutes an incident?

18. A security architect is reviewing the options for performing input validation on incoming web form submissions .

Which of the following should the architect as the MOST secure and manageable option?

19. A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings .

Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

20. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization To BEST resolve the issue, the organization should implement

21. Which of the following should be found within an organization's acceptable use policy?

22. An analyst has been asked to provide feedback regarding the control required by a revised regulatory framework. At this time, the analyst only needs to focus on the technical controls .

Which of the following should the analyst provide an assessment of?

23. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.



INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

24. As part of a merger with another organization, a Chief Information Security Officer (CISO) is working with an assessor to perform a risk assessment focused on data privacy compliance. The CISO is primarily concerned with the potential legal liability and fines associated with data privacy.

Based on the CISO's concerns, the assessor will MOST likely focus on:

25. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:





Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

26. A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future.

Which of the following would be the BEST solution to recommend to the director?

27. A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic.

Which of the following would BEST accomplish this goal?

28. A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.

Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?

29. A security analyst is investigating a compromised Linux server.

The analyst issues the ps command and receives the following output.





Which of the following commands should the administrator run NEXT to further analyze the compromised system?

30. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

31. Which of the following technologies can be used to house the entropy keys for task encryption on desktops and laptops?

32. An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.

Which of the following can be inferred from this activity?

33. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

34. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

35. An organization developed a comprehensive incident response policy. Executive management approved the policy and its associated procedures .

Which of the following activities would be MOST beneficial to evaluate personnel’s familiarity with incident response procedures?

36. Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective?

37. A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

38. A cybersecurity analyst needs to rearchitect the network using a firewall and a VPN server to achieve the highest level of security.

To BEST complete this task, the analyst should place the:

39. A team of security analysis has been alerted to potential malware activity. The initial examination indicates one of the affected workstations on beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445 .

Which of the following should be the team's NEXT step during the detection phase of this response process?

40. Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

41. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability.

Which of the following UEFI settings is the MOST likely cause of the infections?

42. A cybersecurity analyst is supposing an incident response effort via threat intelligence .

Which of the following is the analyst MOST likely executing?

43. A small organization has proprietary software that is used internally. The system has not been well maintained and cannot be updated with the rest of the environment.

Which of the following is the BEST solution?

44. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

45. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

46. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

47. A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain .

Which of the following should be performed NEXT to investigate the availability issue?

48. The inability to do remote updates of certificates. keys software and firmware is a security issue commonly associated with:

49. A security analyst has discovered trial developers have installed browsers on all development servers in the company's cloud infrastructure and are using them to browse the Internet .

Which of the following changes should the security analyst make to BEST protect the environment?

50. A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-m-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

51. Which of the following will allow different cloud instances to share various types of data with a minimal amount of complexity?

52. An organization needs to limit its exposure to accidental disclosure when employees send emails that contain personal information to recipients outside the company.

Which of the following technical controls would BEST accomplish this goal?

53. During an incident, a cybersecurity analyst found several entries in the web server logs that are related to an IP with a bad reputation.

Which of the following would cause the analyst to further review the incident?

A)





B)





C)





D)





E)

54. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

55. An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.

Which of the following is MOST likely to be a false positive?

56. Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

Which of the following controls would have MOST likely prevented this incident?

57. A company just chose a global software company based in Europe to implement a new supply chain management solution .

Which of the following would be the MAIN concern of the company?

58. A security analyst discovers a vulnerability on an unpatched web server that is used for testing machine learning on Bing Data sets. Exploitation of the vulnerability could cost the organization $1.5 million in lost productivity. The server is located on an isolated network segment that has a 5% chance of being compromised .

Which of the following is the value of this risk?

59. Which of the following technologies can be used to store digital certificates and is typically used in high-security implementations where integrity is paramount?

60. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations.

The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst's goal?

61. A cybersecurity analyst is responding to an incident. The company’s leadership team wants to attribute the incident to an attack group .

Which of the following models would BEST apply to the situation?

62. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

63. A security analyst needs to reduce the overall attack surface.

Which of the following infrastructure changes should the analyst recommend?

64. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

65. A security analyst needs to assess the web server versions on a list of hosts to determine which are running a vulnerable version of the software and output that list into an XML file named webserverlist.xml. The host list is provided in a file named webserverlist.txt .

Which of the following Nmap commands would BEST accomplish this goal?

66. A security analyst is reviewing the logs from an internal chat server.

The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:





Which of the following commands would work BEST to achieve the desired result?

67. Which of the following MOST accurately describes an HSM?

68. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

69. An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.

Which of the following should the analyst do NEXT?

70. A security analyst is reviewing the following log from an email security service.





Which of the following BEST describes the reason why the email was blocked?

71. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.

Which of the following is the FIRST step the analyst should take?

72. An organization has not had an incident for several months. The Chief Information Security Officer (CISO) wants to move to a more proactive stance for security investigations .

Which of the following would BEST meet that goal?

73. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

74. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful .

Which of the following should the security analyst perform NEXT?

75. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

76. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

77. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

Which of the following is the MOST likely cause of this issue?

78. A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

79. A security analyst, who is working for a company that utilizes Linux servers, receives the following results from a vulnerability scan:





Which of the following is MOST likely a false positive?

80. An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures .

Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

81. For machine learning to be applied effectively toward security analysis automation, it requires.

82. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the.

83. An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.

Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

84. A security analyst has been alerted to several emails that snow evidence an employee is planning malicious activities that involve employee Pll on the network before leaving the organization.

The security analysis BEST response would be to coordinate with the legal department and:

85. During a cyber incident, which of the following is the BEST course of action?

86. A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied.

When conducting the scan, the analyst received the following code snippet of results:





Which of the following describes the output of this scan?

87. A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

88. After receiving reports latency, a security analyst performs an Nmap scan and observes the following output:





Which of the following suggests the system that produced output was compromised?

89. An organization was alerted to a possible compromise after its proprietary data was found for sale on the Internet. An analyst is reviewing the logs from the next-generation UTM in an attempt to find evidence of this breach.

Given the following output:





Which of the following should be the focus of the investigation?

90. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

91. A large software company wants to move «s source control and deployment pipelines into a cloud-computing environment. Due to the nature of the business management determines the recovery time objective needs to be within one hour .

Which of the following strategies would put the company in the BEST position to achieve the desired recovery time?

92. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

93. Which of the following is the MOST important objective of a post-incident review?

94. A security analyst wants to identify which vulnerabilities a potential attacker might initially exploit if the network is compromised.

Which of the following would provide the BEST results?

95. Which of the following attacks can be prevented by using output encoding?

96. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

97. During an investigation, an incident responder intends to recover multiple pieces of digital media.

Before removing the media, the responder should initiate:

98. A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual machines and pivoting to other networks.

To BEST mitigate this risk, the analyst should use.

99. A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process .

Which of the following remediation actions should the analyst take to implement a vulnerability management process?

100. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise .

Which of the following describes the type of vulnerability that was MOST likely expiated?

101. An analyst is performing penetration testing and vulnerability assessment activities against a new vehicle automation platform.

Which of the following is MOST likely an attack vector that is being utilized as part of the testing and assessment?

102. An information security analyst observes anomalous behavior on the SCADA devices in a power plant. This behavior results in the industrial generators overheating and destabilizing the power supply.

Which of the following would BEST identify potential indicators of compromise?

103. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

104. An analyst is working with a network engineer to resolve a vulnerability that was found in a piece of legacy hardware, which is critical to the operation of the organization's production line. The legacy hardware does not have third-party support, and the OEM manufacturer of the controller is no longer in operation. The analyst documents the activities and verifies these actions prevent remote exploitation of the vulnerability.

Which of the following would be the MOST appropriate to remediate the controller?

105. A small electronics company decides to use a contractor to assist with the development of a new FPGA-based device. Several of the development phases will occur off-site at the contractor's labs.

Which of the following is the main concern a security analyst should have with this arrangement?

106. A security analyst is trying to determine if a host is active on a network.

The analyst first attempts the following:





The analyst runs the following command next:





Which of the following would explain the difference in results?

107. A cybersecurity analyst is contributing to a team hunt on an organization's endpoints.

Which of the following should the analyst do FIRST?

108. A security analyst received a SIEM alert regarding high levels of memory consumption for a critical system. After several attempts to remediate the issue, the system went down. A root cause analysis revealed a bad actor forced the application to not reclaim memory. This caused the system to be depleted of resources.

Which of the following BEST describes this attack?

109. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

110. A cyber-incident response analyst is investigating a suspected cryptocurrency miner on a company's server.

Which of the following is the FIRST step the analyst should take?

111. An information security analyst is compiling data from a recent penetration test and reviews the following output:





The analyst wants to obtain more information about the web-based services that are running on the target.

Which of the following commands would MOST likely provide the needed information?

112. A compliance officer of a large organization has reviewed the firm's vendor management program but has discovered there are no controls defined to evaluate third-party risk or hardware source authenticity. The compliance officer wants to gain some level of assurance on a recurring basis regarding the implementation of controls by third parties.

Which of the following would BEST satisfy the objectives defined by the compliance officer? (Choose two.)

113. An audit has revealed an organization is utilizing a large number of servers that are running unsupported operating systems.

As part of the management response phase of the audit, which of the following would BEST demonstrate senior management is appropriately aware of and addressing the issue?

114. A security analyst is reviewing packet captures from a system that was compromised. The system was already isolated from the network, but it did have network access for a few hours after being compromised.

When viewing the capture in a packet analyzer, the analyst sees the following:





Which of the following can the analyst conclude?

115. It is important to parameterize queries to prevent:

116. A security analyst reviews the following aggregated output from an Nmap scan and the border firewall ACL:





Which of the following should the analyst reconfigure to BEST reduce organizational risk while maintaining current functionality?

117. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

118. A security analyst has received reports of very slow, intermittent access to a public-facing corporate server.

Suspecting the system may be compromised, the analyst runs the following commands:





Based on the output from the above commands, which of the following should the analyst do NEXT to further the investigation?

119. A Chief Information Security Officer (CISO) wants to upgrade an organization's security posture by improving proactive activities associated with attacks from internal and external threats.

Which of the following is the MOST proactive tool or technique that feeds incident response capabilities?

120. While planning segmentation for an ICS environment, a security engineer determines IT resources will need access to devices within the ICS environment without compromising security.

To provide the MOST secure access model in this scenario, the jumpbox should be.

121. A development team uses open-source software and follows an Agile methodology with two-week sprints. Last month, the security team filed a bug for an insecure version of a common library. The DevOps team updated the library on the server, and then the security team rescanned the server to verify it was no longer vulnerable. This month, the security team found the same vulnerability on the server.

Which of the following should be done to correct the cause of the vulnerability?

122. A security analyst is reviewing the logs from an internal chat server. The chat.log file is too large to review manually, so the analyst wants to create a shorter log file that only includes lines associated with a user demonstrating anomalous activity.

Below is a snippet of the log:





Which of the following commands would work BEST to achieve the desired result?

123. An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.

Which of the following is the BEST approach for supply chain assessment when selecting a vendor?

124. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?

125. A security analyst on the threat-hunting team has developed a list of unneeded, benign services that are currently running as part of the standard OS deployment for workstations. The analyst will provide this list to the operations team to create a policy that will automatically disable the services for all workstations in the organization.

Which of the following BEST describes the security analyst's goal?

126. Which of the following roles is ultimately responsible for determining the classification levels assigned to specific data sets?

127. A security analyst suspects a malware infection was caused by a user who downloaded malware after clicking http://<malwaresource>/A.php in a phishing email.

To prevent other computers from being infected by the same malware variation, the analyst should create a rule on the.

128. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

129. A security analyst is evaluating two vulnerability management tools for possible use in an organization. The analyst set up each of the tools according to the respective vendor's instructions and generated a report of vulnerabilities that ran against the same target server.

Tool A reported the following:





Tool B reported the following:





Which of the following BEST describes the method used by each tool? (Choose two.)

130. A security analyst received an alert from the SIEM indicating numerous login attempts from users outside their usual geographic zones, all of which were initiated through the web-based mail server. The logs indicate all domain accounts experienced two login attempts during the same time frame.

Which of the following is the MOST likely cause of this issue?

131. During an investigation, a security analyst identified machines that are infected with malware the antivirus was unable to detect.

Which of the following is the BEST place to acquire evidence to perform data carving?

132. A cybersecurity analyst has access to several threat feeds and wants to organize them while simultaneously comparing intelligence against network traffic.

Which of the following would BEST accomplish this goal?

133. A storage area network (SAN) was inadvertently powered off while power maintenance was being performed in a datacenter. None of the systems should have lost all power during the maintenance. Upon review, it is discovered that a SAN administrator moved a power plug when testing the SAN's fault notification features.

Which of the following should be done to prevent this issue from reoccurring?

134. A security analyst is providing a risk assessment for a medical device that will be installed on the corporate network. During the assessment, the analyst discovers the device has an embedded operating system that will be at the end of its life in two years. Due to the criticality of the device, the security committee makes a risk- based policy decision to review and enforce the vendor upgrade before the end of life is reached.

Which of the following risk actions has the security committee taken?

135. During a cyber incident, which of the following is the BEST course of action?

136. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

137. Which of the following types of policies is used to regulate data storage on the network?

138. A security team wants to make SaaS solutions accessible from only the corporate campus.

Which of the following would BEST accomplish this goal?

139. Data spillage occurred when an employee accidentally emailed a sensitive file to an external recipient.

Which of the following controls would have MOST likely prevented this incident?

140. A security analyst has received information from a third-party intelligence-sharing resource that indicates employee accounts were breached.

Which of the following is the NEXT step the analyst should take to address the issue?

141. A security analyst is building a malware analysis lab. The analyst wants to ensure malicious applications are not capable of escaping the virtual machines and pivoting to other networks.

To BEST mitigate this risk, the analyst should use.

142. A security analyst for a large financial institution is creating a threat model for a specific threat actor that is likely targeting an organization's financial assets.

Which of the following is the BEST example of the level of sophistication this threat actor is using?

143. Bootloader malware was recently discovered on several company workstations. All the workstations run Windows and are current models with UEFI capability.

Which of the following UEFI settings is the MOST likely cause of the infections?

144. The security team at a large corporation is helping the payment-processing team to prepare for a regulatory compliance audit and meet the following objectives:

✑ Reduce the number of potential findings by the auditors.

✑ Limit the scope of the audit to only devices used by the payment-processing team for activities directly impacted by the regulations.

✑ Prevent the external-facing web infrastructure used by other teams from coming into scope.

✑ Limit the amount of exposure the company will face if the systems used by the payment-processing team are compromised.

Which of the following would be the MOST effective way for the security team to meet these objectives?

145. During routine monitoring, a security analyst discovers several suspicious websites that are communicating with a local host.

The analyst queries for IP 192.168.50.2 for a 24-hour period:





To further investigate, the analyst should request PCAP for SRC 192.168.50.2 and.

146. For machine learning to be applied effectively toward security analysis automation, it requires .

147. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

148. Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a security perspective?

149. A security analyst has observed several incidents within an organization that are affecting one specific piece of hardware on the network. Further investigation reveals the equipment vendor previously released a patch.

Which of the following is the MOST appropriate threat classification for these incidents?

150. An incident responder successfully acquired application binaries off a mobile device for later forensic analysis.

Which of the following should the analyst do NEXT?

151. A security analyst needs to reduce the overall attack surface.

Which of the following infrastructure changes should the analyst recommend?

152. A security analyst is reviewing the following log from an email security service.





Which of the following BEST describes the reason why the email was blocked?

153. A user's computer has been running slowly when the user tries to access web pages.

A security analyst runs the command netstat -aon from the command line and receives the following output:





Which of the following lines indicates the computer may be compromised?

154. As part of an exercise set up by the information security officer, the IT staff must move some of the network systems to an off-site facility and redeploy them for testing. All staff members must ensure their respective systems can power back up and match their gold image. If they find any inconsistencies, they must formally document the information.

Which of the following BEST describes this test?

155. A security analyst is reviewing a web application. If an unauthenticated user tries to access a page in the application, the user is redirected to the login page. After successful authentication, the user is then redirected back to the original page. Some users have reported receiving phishing emails with a link that takes them to the application login page but then redirects to a fake login page after successful authentication.

Which of the following will remediate this software vulnerability?

156. A Chief Information Security Officer (CISO) is concerned the development team, which consists of contractors, has too much access to customer data. Developers use personal workstations, giving the company little to no visibility into the development activities.

Which of the following would be BEST to implement to alleviate the CISO's concern?

157. A company was recently awarded several large government contracts and wants to determine its current risk from one specific APT.

Which of the following threat modeling methodologies would be the MOST appropriate to use during this analysis?

158. A security analyst is reviewing vulnerability scan results and notices new workstations are being flagged as having outdated antivirus signatures.

The analyst observes the following plugin output:

Antivirus is installed on the remote host:

Installation path: C:Program FilesAVProductWin32

Product Engine: 14.12.101

Engine Version: 3.5.71

Scanner does not currently have information about AVProduct version 3.5.71. It may no longer be supported.

The engine version is out of date. The oldest supported version from the vendor is 4.2.11.

The analyst uses the vendor's website to confirm the oldest supported version is correct.

Which of the following BEST describes the situation?

159. A SIEM solution alerts a security analyst of a high number of login attempts against the company's webmail portal. The analyst determines the login attempts used credentials from a past data breach.

Which of the following is the BEST mitigation to prevent unauthorized access?

160. A product manager is working with an analyst to design a new application that will perform as a data analytics platform and will be accessible via a web browser. The product manager suggests using a PaaS provider to host the application.

Which of the following is a security concern when using a PaaS solution?

161. Because some clients have reported unauthorized activity on their accounts, a security analyst is reviewing network packet captures from the company's API server.

A portion of a capture file is shown below:

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.s/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/">

<request+xmlns:a="http://schemas.somesite.org"+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1006 1001 0 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <<a:Password>Password123</a:Password><a:ResetPasswordToken+i:nil="true"/> <a:ShouldImpersonatedAuthenticationBePopulated+i:nil="true"/><a:Username>[email protected]</a:Username></request></Login></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 11558 1712 2024 192.168.4.89

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetIPLocation+xmlns="http://tempuri.org/"> <a:IPAddress>516.7.446.605</a:IPAddress><a:ZipCode+i:nil="true"/></request></GetIPLocation></s:Body></s:Envelope> 192.168.1.22 --api.somesite.com 200 0 1003 1011 307 192.168.1.22

POST /services/v1_0/Public/Members.svc/soap <s:Envelope+xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><IsLoggedIn+xmlns="http://tempuri.org/"> <request+xmlns:a="http://schemas.datacontract.org/2004/07/somesite.web+xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:Authentication> <a:ApiToken>kmL4krg2CwwWBan5BReGv5Djb7syxXTNKcWFuSjd</a:ApiToken><a:ImpersonateUserId>0</a:ImpersonateUserId><a:LocationId>161222</a:LocationId> <a:NetworkId>4</a:NetworkId><a:ProviderId>''1=1</a:ProviderId><a:UserId>13026046</a:UserId></a:Authentication></request></IsLoggedIn></s:Body></s:Envelope> 192.168.5.66 --api.somesite.com 200 0 1378 1209 48 192.168.4.89

Which of the following MOST likely explains how the clients' accounts were compromised?

162. A monthly job to install approved vendor software updates and hot fixes recently stopped working. The security team performed a vulnerability scan, which identified several hosts as having some critical OS vulnerabilities, as referenced in the common vulnerabilities and exposures (CVE) database.

Which of the following should the security team do NEXT to resolve the critical findings in the most effective manner? (Choose two.)

163. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

164. A network attack that is exploiting a vulnerability in the SNMP is detected.

Which of the following should the cybersecurity analyst do FIRST?

165. An organization is moving its infrastructure to the cloud in an effort to meet the budget and reduce staffing requirements. The organization has three environments: development, testing, and production. These environments have interdependencies but must remain relatively segmented.

Which of the following methods would BEST secure the company's infrastructure and be the simplest to manage and maintain?

166. A pharmaceutical company's marketing team wants to send out notifications about new products to alert users of recalls and newly discovered adverse drug reactions. The team plans to use the names and mailing addresses that users have provided.

Which of the following data privacy standards does this violate?

167. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

168. A development team signed a contract that requires access to an on-premises physical server. Access must be restricted to authorized users only and cannot be connected to the Internet.

Which of the following solutions would meet this requirement?

169. SIMULATION

You are a cybersecurity analyst tasked with interpreting scan data from Company A's servers. You must verify the requirements are being met for all of the servers and recommend changes if you find they are not.

The company's hardening guidelines indicate the following:

• TLS 1.2 is the only version of TLS running.

• Apache 2.4.18 or greater should be used.

• Only default ports should be used.



INSTRUCTIONS

Using the supplied data, record the status of compliance with the company's guidelines for each server.

The question contains two parts: make sure you complete Part 1 and Part 2. Make recommendations for issues based ONLY on the hardening guidelines provided.

170. A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied.

When conducting the scan, the analyst received the following code snippet of results:





Which of the following describes the output of this scan?

171. A system’s authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthentication activities until now.

The cybersecurity group just performed a vulnerability scan with the partial set of results shown below:





Based on the scenario and the output from the vulnerability scan, which of the following should the security team do with this finding?

172. An organization suspects it has had a breach, and it is trying to determine the potential impact.

The organization knows the following:

✑ . The source of the breach is linked to an IP located in a foreign country.

✑ . The breach is isolated to the research and development servers.

✑ . The hash values of the data before and after the breach are unchanged.

✑ . The affected servers were regularly patched, and a recent scan showed no vulnerabilities.

Which of the following conclusions can be drawn with respect to the threat and impact? (Choose two.)

173. A system is experiencing noticeably slow response times, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain.

Which of the following should be performed NEXT to investigate the availability issue?

174. Ann, a user, reports to the security team that her browser began redirecting her to random sites while using her Windows laptop. Ann further reports that the OS shows the C: drive is out of space despite having plenty of space recently. Ann claims she not downloaded anything.

The security team obtains the laptop and begins to investigate, noting the following:

✑ File access auditing is turned off.

✑ When clearing up disk space to make the laptop functional, files that appear to be cached web pages are immediately created in a temporary directory, filling up the available drive space.

✑ All processes running appear to be legitimate processes for this user and machine.

✑ Network traffic spikes when the space is cleared on the laptop.

✑ No browser is open.

Which of the following initial actions and tools would provide the BEST approach to determining what is happening?

175. A security architect is reviewing the options for performing input validation on incoming web form submissions.

Which of the following should the architect as the MOST secure and manageable option?

176. A security administrator needs to create an IDS rule to alert on FTP login attempts by root.

Which of the following rules is the BEST solution?

177. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately.

Which of the following would be the BEST method of communication?

178. During an investigation, an incident responder intends to recover multiple pieces of digital media. Before removing the media, the responder should initiate:

179. A malicious hacker wants to gather guest credentials on a hotel 802.11 network.

Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

180. A security analyst received an email with the following key:

Xj3XJ3LLc

A second security analyst received an email with following key:

3XJ3xjcLLC

The security manager has informed the two analysts that the email they received is a key that allows access to the company’s financial segment for maintenance.

This is an example of:

181. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

182. A security analyst has a sample of malicious software and needs to know what the sample does?. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior.

Which of the following malware analysis approaches is this?

183. An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server.

Which of the following is MOST likely to be a false positive?

184. A security analyst, who is working for a company that utilizes Linux servers, receives the following results from a vulnerability scan:





Which of the following is MOST likely a false positive?

185. Which of the following should be found within an organization's acceptable use policy?

186. An analyst identifies multiple instances of node-to-node communication between several endpoints within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business hours with several IP addresses that have recently appeared on threat feeds.

Which of the following can be inferred from this activity?

187. A system administrator is doing network reconnaissance of a company’s external network to determine the vulnerability of various services that are running.

Sending some sample traffic to the external host, the administrator obtains the following packet capture:





Based on the output, which of the following services should be further tested for vulnerabilities?

188. Ransomware is identified on a company's network that affects both Windows and MAC hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1. Iholdbadkeys.com, which resolves to IP address 72.172.16.2.

Which of the following is the MOST effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

189. A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future.

Which of the following would be the BEST solution to recommend to the director?

190. Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet.

Which of the following would BEST provide this solution?

191. Joe, a penetration tester, used a professional directory to identify a network administrator and ID administrator for a client’s company. Joe then emailed the network administrator, identifying himself as the ID administrator, and asked for a current password as part of a security exercise.

Which of the following techniques were used in this scenario?

192. A web developer wants to create a new web part within the company website that aggregates sales from individual team sites. A cybersecurity analyst wants to ensure security measurements are implemented during this process.

Which of the following remediation actions should the analyst take to implement a vulnerability management process?

193. A security team is implementing a new vulnerability management program in an environment that has a historically poor security posture. The team is aware of issues patch management in the environment and expects a large number of findings.

Which of the following would be the MOST efficient way to increase the security posture of the organization in the shortest amount of time?

194. Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?

195. A company just chose a global software company based in Europe to implement a new supply chain management solution.

Which of the following would be the MAIN concern of the company?

196. HOTSPOT

Welcome to the Enterprise Help Desk System. Please work the ticket escalated to you in the desk ticket queue.



INSTRUCTIONS

Click on me ticket to see the ticket details Additional content is available on tabs within the ticket

First, select the appropriate issue from the drop-down menu. Then, select the MOST likely root cause from second drop-down menu

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button

197. An employee in the billing department accidentally sent a spreadsheet containing payment card data to a recipient outside the organization. The employee intended to send the spreadsheet to an internal staff member with a similar name and was unaware of the mistake until the recipient replied to the message In addition to retraining the employee, which of the following would prevent this from happening in the future?

198. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows





Which of the following MOST likely occurred?

199. A security analyst recently discovered two unauthorized hosts on the campus's wireless network segment from a man-m-the-middle attack. The security analyst also verified that privileges were not escalated, and the two devices did not gain access to other network devices.

Which of the following would BEST mitigate and improve the security posture of the wireless network for this type of attack?

200. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

Which of the following registry keys would MOST likely have this information?

201. A security analyst is reviewing the network security monitoring logs listed below:





Which of the following is the analyst MOST likely observing? (Select TWO).

202. In web application scanning, static analysis refers to scanning:

203. A security analyst discovered a specific series of IP addresses that are targeting an organization. None of the attacks have been successful.

Which of the following should the security analyst perform NEXT?

204. Which of the following technologies can be used to store digital certificates and is typically used in high security implementations where integrity is paramount?

205. CORRECT TEXT

SIMULATION

Malware is suspected on a server in the environment.

The analyst is provided with the output of commands from servers in the environment and needs to review all output files in order to determine which process running on one of the servers may be malware.



INSTRUCTIONS

Servers 1, 2, and 4 are clickable. Select the Server and the process that host the malware.

If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

206. An organization developed a comprehensive modern response policy Executive management approved the policy and its associated procedures.

Which of the following activities would be MOST beneficial to evaluate personnel's familiarity with incident response procedures?

207. A team of security analysts has been alerted to potential malware activity. The initial examination indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and attempting to spread across the network over port 445.

Which of the following should be the team’s NEXT step during the detection phase of this response process?

208. The SFTP server logs show thousands of failed login attempts from hundreds of IP addresses worldwide.

Which of the following controls would BEST protect the service?

209. A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of vulnerability that should be disseminated FIRST is one that:

210. Which of the following BEST describes the process by which code is developed, tested, and deployed in small batches?

211. An analyst performs a routine scan of a host using Nmap and receives the following output:





Which of the following should the analyst investigate FIRST?

212. A large amount of confidential data was leaked during a recent security breach. As part of a forensic investigation, the security team needs to identify the various types of traffic that were captured between two compromised devices.

Which of the following should be used to identify the traffic?

213. During an investigation, a security analyst determines suspicious activity occurred during the night shift over the weekend. Further investigation reveals the activity was initiated from an internal IP going to an external website.

Which of the following would be the MOST appropriate recommendation to prevent the activity from happening in the future?

214. An organization's Chief Information Security Officer (CISO) has asked department leaders to coordinate on communication plans that can be enacted in response to different cybersecurity incident triggers.

Which of the following is a benefit of having these communication plans?

215. CORRECT TEXT

While investigating an incident in a company's SIEM console, a security analyst found hundreds of failed SSH login attempts, which all occurred in rapid succession. The failed attempts were followed by a successful login on the root user Company policy allows systems administrators to manage their systems only from the company's internal network using their assigned corporate logins.

Which of the following are the BEST actions the analyst can take to stop any further compromise? (Select TWO).

A Configure /etc/sshd_config to deny root logins and restart the SSHD service.

B. Add a rule on the network IPS to block SSH user sessions

C. Configure /etc/passwd to deny root logins and restart the SSHD service.

D. Reset the passwords for all accounts on the affected system.

E. Add a rule on the perimeter firewall to block the source IP address.

F. Add a rule on the affected system to block access to port TCP/22.

216. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately.

Which of the following would be the BEST method of communication?

217. A security analyst is attempting to utilize the blowing threat intelligence for developing detection capabilities:





In which of the following phases is this APT MOST likely to leave discoverable artifacts?

218. Which of the following software security best practices would prevent an attacker from being able to run arbitrary SQL commands within a web application? (Choose two.)

219. A web-based front end for a business intelligence application uses pass-through authentication to authenticate users. The application then uses a service account, to perform queries and look up data m a database A security analyst discovers employees are accessing data sets they have not been authorized to use.

Which of the following will fix the cause of the issue?

220. A security analyst needs to develop a brief that will include the latest incidents and the attack phases of the incidents. The goal is to support threat intelligence and identify whether or not the incidents are linked.

Which of the following methods would be MOST appropriate to use?

221. A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a timely manner when an employee leaves the organization.

To BEST resolve the issue, the organization should implement

222. A threat feed notes malicious actors have been infiltrating companies and exfiltration data to a specific set of domains Management at an organization wants to know if it is a victim.

Which of the following should the security analyst recommend to identity this behavior without alerting any potential malicious actors?

223. A security analyst was alerted to a tile integrity monitoring event based on a change to the vhost-paymonts .conf file.

The output of the diff command against the known-good backup reads as follows:





Which of the following MOST likely occurred?

224. Which of the following are components of the intelligence cycle? (Select TWO.)

225. A security technician is testing a solution that will prevent outside entities from spoofing the company's email domain, which is comptiA.org. The testing is successful, and the security technician is prepared to fully implement the solution.

Which of the following actions should the technician take to accomplish this task?

226. A development team is testing a new application release. The team needs to import existing client PHI data records from the production environment to the test environment to test accuracy and functionality.

Which of the following would BEST protect the sensitivity of this data while still allowing the team to perform the testing?

227. An organization is upgrading its network and all of its workstations. The project will occur in phases, with infrastructure upgrades each month and workstation installs every other week. The schedule should accommodate the enterprise-wide changes, while minimizing the impact to the network.

Which of the following schedules BEST addresses these requirements?

228. A Chief Executive Officer (CEO) is concerned about the company’s intellectual property being leaked to competitors. The security team performed an extensive review but did not find any indication of an outside breach. The data sets are currently encrypted using the Triple Data Encryption Algorithm.

Which of the following courses of action is appropriate?

229. A security analyst is investigating a malware infection that occurred on a Windows system. The system was not connected to a network and had no wireless capability Company policy prohibits using portable media or mobile storage. The security analyst is trying to determine which user caused the malware to get onto the system.

Which of the following registry keys would MOST likely have this information?

230. Which of the following should a database administrator implement to BEST protect data from an untrusted server administrator?

231. While analyzing network traffic, a security analyst discovers several computers on the network are connecting to a malicious domain that was blocked by a DNS sinkhole. A new private IP range is now visible, but no change requests were made to add it.

Which of the following is the BEST solution for the security analyst to implement?

232. A security analyst has a sample of malicious software and needs to know what the sample does. The analyst runs the sample in a carefully controlled and monitored virtual machine to observe the software behavior.

Which of the following malware analysis approaches is this?

233. A security analyst is generating a list of recommendations for the company's insecure API.

Which of the following is the BEST parameter mitigation rec?

234. The steering committee for information security management annually reviews the security incident register for the organization to look for trends and systematic issues. The steering committee wants to rank the risks based on past incidents to improve the security program for next year Below is the incident register for the organization.





Which of the following should the organization consider investing in FIRST due to the potential impact of availability?

235. Which of the following technologies can be used to house the entropy keys for disk encryption on desktops and laptops?

236. During an incident investigation, a security analyst acquired a malicious file that was used as a backdoor but was not detected by the antivirus application. After performing a reverse-engineering procedure, the analyst found that part of the code was obfuscated to avoid signature detection.

Which of the following types of instructions should the analyst use to understand how the malware was obfuscated and to help deobfuscate it?

237. A user's computer has been running slowly when the user tries to access web pages.

A security analyst runs the command netstat -aon from the command line and receives the following output:





Which of the following lines indicates the computer may be compromised?

238. An information security analyst is reviewing backup data sets as part of a project focused on eliminating archival data sets.

Which of the following should be considered FIRST prior to disposing of the electronic data?

239. A security analyst is investigating a system compromise. The analyst verities the system was up to date on OS patches at the time of the compromise.

Which of the following describes the type of vulnerability that was MOST likely expiated?

240. Which of the following would MOST likely be included in the incident response procedure after a security breach of customer PII?

241. An analyst is reviewing the following code output of a vulnerability scan:





Which of the following types of vulnerabilities does this MOST likely represent?

242. A user receives a potentially malicious email that contains spelling errors and a PDF document. A security analyst reviews the email and decides to download the attachment to a Linux sandbox for review.

Which of the following commands would MOST likely indicate if the email is malicious?

243. A security analyst is reviewing the following web server log:





Which of the following BEST describes the issue?

244. A remote code execution vulnerability was discovered in the RDP. An organization currently uses RDP for remote access to a portion of its VDI environment. The analyst verified network-level authentication is enabled.

Which of the following is the BEST remediation for this vulnerability?