1. The business has been informed of a suspected breach of customer data. The internal audit team, in conjunction with the legal department, has begun working with the cybersecurity team to validate the report. To which of the following response processes should the business adhere during the investigation?

A. The security analysts should not respond to internal audit requests during an active investigation B. The security analysts should report the suspected breach to regulators when an incident occurs C. The security analysts should interview system operators and report their findings to the internal auditors D. The security analysts should limit communication to trusted parties conducting the investigation _________________________________________

2. A software development company in the manufacturing sector has just completed the alpha version of its flagship application. The application has been under development for the past three years. The SOC has seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact for the company? A. DDoS B. ICS destruction C. IP theft D. IPS evasion ________________________________________________________

3. A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company's web application, while at the same time reducing false positives? A. The vulnerability scanner should be configured to perform authenticated scans. B. The vulnerability scanner should be installed on the web server. C. The vulnerability scanner should implement OS and network service detection. D. The vulnerability scanner should scan for known and unknown vulnerabilities. _________________________________________________________________

4. An organization is experiencing degradation of critical services and availability of critical external resources. Which of the following can be used to investigate the issue? A. Netflow analysis B. Behavioral analysis C. Vulnerability analysis D. Risk analysis _____________________________________________________________________

5. A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report? A. Kali B. Splunk C. Syslog D. OSSIM ________________________________________________________________

6. There have been several exploits to critical devices within the network. However, there is currently no process to perform vulnerability analysis. Which of the following should the security analyst implement during production hours to identify critical threats and vulnerabilities? A. Asset inventory of all critical devices B. Vulnerability scanning frequency that does not interrupt workflow C. Daily automated reports of exploited devices D. Scanning of all types of data regardless of sensitivity levels ____________________________________________________________

7. An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic? A. Log review B. Service discovery C. Packet capture D. DNS harvesting ________________________________________________

8. A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a software vulnerability found within the email servers. Which of the following countermeasures needs to be implemented as soon as possible to mitigate the worm from continuing to spread? A. Implement a traffic sinkhole. B. Block all known port/services. C. Isolate impacted servers. D. Patch affected systems. _______________________________________________

9. Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual traffic patterns on a file server that contains financial information. Routine scans are not detecting the signature of any known exploits or malware. The following entry is seen in the ftp server logs: tftp -I 10.1.1.1 GET fourthquarterreport.xls Which of the following is the BEST course of action? A. Continue to monitor the situation using tools to scan for known exploits. B. Implement an ACL on the perimeter firewall to prevent data exfiltration. C. Follow the incident response procedure associate with the loss of business critical data. D. Determine if any credit card information is contained on the server containing the financials. ___________________________________________________

10. A security analyst at a small regional bank has received an alert that nation states are attempting to infiltrate financial institutions via phishing campaigns. Which of the following techniques should the analyst recommend as a proactive measure to defend against this type of threat? A. Honeypot B. Location-based NAC C. System isolation D. Mandatory access control E. Bastion host ___________________________________________________ 11.A security analyst is concerned that unauthorized users can access confidential data stored in the production server environment. All workstations on a particular network segment have full access to any server in production. Which of the following should be deployed in the production environment to prevent unauthorized access? (Choose two.) A. DLP system B. Honeypot C. Jump box _____________________________________________

12. During the forensic a phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation? A. Session hijacking; network intrusion detection sensors B. Cross-site scripting; increased encryption key sizes C. Man-in-the-middle; well-controlled storage of private keys D. Rootkit; controlled storage of public keys ____________________________________ 13. A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered? A. Timing B. Scoping C. Authorization D. Enumeration ___________________________________________________________ 14. A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Choose two.) A. A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes) B. A USB attack that turns the connected device into a rogue access point that spoofs the configured wireless SSIDs C. A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack D. A Bluetooth peering attack called "Snarfing" that allows Bluetooth connections on blocked device types if physically connected to a USB port E. A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking