Question
1. Which of the following principles describes how a security analyst should communicate during an incident? A. The communication should be limited to trusted parties only. B. The communication should be limited to security staff only. C. The communication should come from law enforcement. D. The communication should be limited to management only.
2. A computer has been infected with a virus and is sending out a beacon to command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? A. Sinkhole B. Block ports and services C. Patches D. Endpoint security
3. Given the following output from a Linux machine: file2cable -i eth0 -f file.pcap Which of the following BEST describes what a security analyst is trying to accomplish? A. The analyst is attempting to measure bandwidth utilization on interface eth0. B. The analyst is attempting to capture traffic on interface eth0. C. The analyst is attempting to replay captured data from a PCAP file. D. The analyst is attempting to capture traffic for a PCAP file. E. The analyst is attempting to use a protocol analyzer to monitor network traffic.
4. An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali's latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities? A. Impersonation B. Privilege escalation C. Directory traversal D. Input injection
5. While reviewing proxy logs, the security analyst noticed a suspicious traffic pattern. Several internal hosts were observed communicating with an external IP address over port 80 constantly. An incident was declared, and an investigation was launched. After interviewing the affected users, the analyst determined the activity started right after deploying a new graphic design suite. Based on this information, which of the following actions would be the appropriate NEXT step in the investigation? A. Update all antivirus and anti-malware products, as well as all other host-based security software on the servers the affected users authenticate to. B. Perform a network scan and identify rogue devices that may be generating the observed traffic. Remove those devices from the network. C. Identify what the destination IP address is and who owns it, and look at running processes on the affected hosts to determine if the activity is malicious or not. D. Ask desktop support personnel to reimage all affected workstations and reinstall the graphic design suite. Run a virus scan to identify if any viruses are present.
6. A SIEM analyst noticed a spike in activities from the guest wireless network to several electronic health record (EHR) systems. After further analysis, the analyst discovered that a large volume of data has been uploaded to a cloud provider in the last six months. Which of the following actions should the analyst do FIRST? A. Contact the Office of Civil Rights (OCR) to report the breach B. Notify the Chief Privacy Officer (CPO) C. Activate the incident response plan D. Put an ACL on the gateway router
7. A business-critical application is unable to support the requirements in the current password policy because it does not allow the use of special characters. Management does not want to accept the risk of a possible security incident due to weak password standards. Which of the following is an appropriate means to limit the risks related to the application? A. A compensating control B. Altering the password policy C. Creating new account management procedures D. Encrypting authentication traffic
8. A threat intelligence analyst who works for a financial services firm received this report: "There has been an effective waterhole campaign residing at www.bankfinancecompsoftware.com. This domain is delivering ransomware. This ransomware variant has been called "LockMaster" by researchers due to its ability to overwrite the MBR, but this term is not a malware signature. Please execute a defensive operation regarding this attack vector." The analyst ran a query and has assessed that this traffic has been seen on the network. Which of the following actions should the analyst do NEXT? (Select TWO). A. Advise the firewall engineer to implement a block on the domain B. Visit the domain and begin a threat assessment C. Produce a threat intelligence message to be disseminated to the company D. Advise the security architects to enable full-disk encryption to protect the MBR E. Advise the security analysts to add an alert in the SIEM on the string "LockMaster" F. Format the MBR as a precaution
9. The security operations team is conducting a mock forensics investigation. Which of the following should be the FIRST action taken after seizing a compromised workstation? A. Activate the escalation checklist B. Implement the incident response plan C. Analyze the forensic image D. Perform evidence acquisition
10. A cybersecurity analyst has identified a new mission-essential function that utilizes a public cloud-based system. The analyst needs to classify the information processed by the system with respect to CIA. Which of the following should provide the CIA classification for the information? A. The cloud provider B. The data owner C. The cybersecurity analyst D. The system administrator
11. The business has been informed of a suspected breach of customer data. The internal audit team, in conjunction with the legal department, has begun working with the cybersecurity team to validate the report. To which of the following response processes should the business adhere during the investigation? A. The security analysts should not respond to internal audit requests during an active investigation B. The security analysts should report the suspected breach to regulators when an incident occurs C. The security analysts should interview system operators and report their findings to the internal auditors D. The security analysts should limit communication to trusted parties conducting the investigation
12. A software development company in the manufacturing sector has just completed the alpha version of its flagship application. The application has been under development for the past three years. The SOC has seen intrusion attempts made by indicators associated with a particular APT. The company has a hot site location for COOP. Which of the following threats would most likely incur the BIGGEST economic impact for the company? A. DDoS B. ICS destruction C. IP theft D. IPS evasion
12. A new policy requires the security team to perform web application and OS vulnerability scans. All of the company's web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company's web application, while at the same time reducing false positives? A. The vulnerability scanner should be configured to perform authenticated scans. B. The vulnerability scanner should be installed on the web server. C. The vulnerability scanner should implement OS and network service detection. D. The vulnerability scanner should scan for known and unknown vulnerabilities.
13. An organization is experiencing degradation of critical services and availability of critical external resources. Which of the following can be used to investigate the issue? A. Netflow analysis B. Behavioral analysis C. Vulnerability analysis D. Risk analysis
14. A cybersecurity analyst has several log files to review. Instead of using grep and cat commands, the analyst decides to find a better approach to analyze the logs. Given a list of tools, which of the following would provide a more efficient way for the analyst to conduct a timeline analysis, do keyword searches, and output a report? A. Kali B. Splunk C. Syslog D. OSSIM
15. There have been several exploits to critical devices within the network. However, there is currently no process to perform vulnerability analysis. Which of the following should the security analyst implement during production hours to identify critical threats and vulnerabilities? A. Asset inventory of all critical devices B. Vulnerability scanning frequency that does not interrupt workflow C. Daily automated reports of exploited devices D. Scanning of all types of data regardless of sensitivity levels
16. An analyst has noticed unusual activities in the SIEM to a .cn domain name. Which of the following should the analyst use to identify the content of the traffic? A. Log review B. Service discovery C. Packet capture D. DNS harvesting
17. A zero-day crypto-worm is quickly spreading through the internal network on port 25 and exploiting a software vulnerability found within the email servers. Which of the following countermeasures needs to be implemented as soon as possible to mitigate the worm from continuing to spread? A. Implement a traffic sinkhole. B. Block all known port/services. C. Isolate impacted servers. D. Patch affected systems.
18. Weeks before a proposed merger is scheduled for completion, a security analyst has noticed unusual traffic patterns on a file server that contains financial information. Routine scans are not detecting the signature of any known exploits or malware. The following entry is seen in the ftp server logs: tftp -I 10.1.1.1 GET fourthquarterreport.xls Which of the following is the BEST course of action? A. Continue to monitor the situation using tools to scan for known exploits. B. Implement an ACL on the perimeter firewall to prevent data exfiltration. C. Follow the incident response procedure associated with the loss of business-critical data. D. Determine if any credit card information is contained on the server containing the financials.
19. A security analyst at a small regional bank has received an alert that nation states are attempting to infiltrate financial institutions via phishing campaigns. Which of the following techniques should the analyst recommend as a proactive measure to defend against this type of threat? A. Honeypot B. Location-based NAC C. System isolation D. Mandatory access control E. Bastion host
20. A security analyst is concerned that unauthorized users can access confidential data stored in the production server environment. All workstations on a particular network segment have full access to any server in production. Which of the following should be deployed in the production environment to prevent unauthorized access? (Choose two.) A. DLP system B. Honeypot C. Jump box
21. During the forensic phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation? A. Session hijacking; network intrusion detection sensors B. Cross-site scripting; increased encryption key sizes C. Man-in-the-middle; well-controlled storage of private keys D. Rootkit; controlled storage of public keys
22. A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered? A. Timing B. Scoping C. Authorization D. Enumeration
23. A red team actor observes it is common practice to allow cell phones to charge on company computers, but access to the memory storage is blocked. Which of the following are common attack techniques that take advantage of this practice? (Choose two.) A. A USB attack that tricks the computer into thinking the connected device is a keyboard, and then sends characters one at a time as a keyboard to launch the attack (a prerecorded series of keystrokes) B. A USB attack that turns the connected device into a rogue access point that spoofs the configured wireless SSIDs C. A Bluetooth attack that modifies the device registry (Windows PCs only) to allow the flash drive to mount, and then launches a Java applet attack D. A Bluetooth peering attack called "Snarfing" that allows Bluetooth connections on blocked device types if physically connected to a USB port E. A USB attack that tricks the system into thinking it is a network adapter, then runs a user password hash gathering utility for offline password cracking