1. A computer has been infected with a virus and is sending out a beacon to command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? A. Sinkhole B. Block ports and services C. Patches D. Endpoint security

2. Given the following output from a Linux machine: file2cable -i eth0 -f file.pcap Which of the following BEST describes what a security analyst is trying to accomplish? A. The analyst is attempting to measure bandwidth utilization on interface eth0. B. The analyst is attempting to capture traffic on interface eth0. C. The analyst is attempting to replay captured data from a PCAP file. D. The analyst is attempting to capture traffic for a PCAP file. E. The analyst is attempting to use a protocol analyzer to monitor network traffic

3. An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities? A. Impersonation B. Privilege escalation C. Directory traversal D. Input injection

4. While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation? A. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to. B. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network. C. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not. D. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.

5. A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST? A. Contact the Office of Civil Rights (OCR) to report the breach B. Notify the Chief Privacy Officer (CPO) C. Activate the incident response plan D. Put an ACL on the gateway router

6. A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters. Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application? A. A compensating control B. Altering the password policy C. Creating new account management procedures D. Encrypting authentication traffic

7. A threat intelligence analyst who works for a financial services firm received this report: "There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector." The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO). A. Advise the firewall engineer to implement a block on the domain B. Visit the domain and begin a threat assessment C. Produce a threat intelligence message to be disseminated to the company D. Advise the security architects to enable full-disk encryption to protect the MBR E. Advise the security analysts to add an alert in the SIEM on the string "LockMaster" F. Format the MBR as a precaution

8. The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after seizing a compromised workstation? A. Activate the escalation checklist B. Implement the incident response plan C. Analyze the forensic image D. Perform evidence acquisition

9. A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information? A. The cloud provider B. The data owner C. The cybersecurity analyst D. The system administrator