10. A security analyst received a compromised workstation. The workstation's hard drive may contain evidence of criminal activities. Which of the following is the FIRST thing the analyst must do to ensure the integrity of the hard drive while performing the analysis? A. Make a copy of the hard drive. B. Use write blockers. C. Run rm -R command to create a hash. D. Install it on a different machine and explore the content. My guess: C Others answer: B __________________________________________________ 20. A company wants to update its acceptable use policy (AUP) to ensure it relates to the newly implemented password standard, which requires sponsored authentication of guest wireless devices. Which of the following is MOST likely to be incorporated in the AUP? A. Sponsored guest passwords must be at least ten characters in length and contain a symbol. B. The corporate network should have a wireless infrastructure that uses open authentication standards. C. Guests using the wireless network should provide valid identification when registering their wireless devices. D. The network should authenticate all guest users using 802.1x backed by a RADIUS or LDAP server. My guess: B Others answer: C __________________________________________________ 23. A security analyst is adding input to the incident response communication plan. A company officer has suggested that if a data breach occurs, only affected parties should be notified to keep an incident from becoming a media headline. Which of the following should the analyst recommend to the company officer? A. The first responder should contact law enforcement upon confirmation of a security incident in order for a forensics team to preserve chain of custody. B. Guidance from laws and regulations should be considered when deciding who must be notified in order to avoid fines and judgements from non-compliance. C. An externally hosted website should be prepared in advance to ensure that when an incident occurs victims have timely access to notifications from a noncompromised recourse. D. The HR department should have information security personnel who are involved in the investing My guess: B Others answer: A __________________________________________________ 41. A security analyst has been asked to remediate a server vulnerability. Once the analyst has located a patch for the vulnerability, which of the following should happen NEXT? A. Start the change control process. B. Rescan to ensure the vulnerability still exists. C. Implement continuous monitoring. D. Begin the incident response process. My guess: B Others answer: A __________________________________________________ 43. Law enforcement has contacted a corporation's legal counsel because correlated data from a breach shows the organization as the common denominator from all indicators of compromise. An employee overhears the conversation between legal counsel and law enforcement, and then posts a comment about it on social media. The media then starts contacting other employees about the breach. Which of the following steps should be taken to prevent further disclosure of information about the breach? A. Perform security awareness training about incident communication. B. Request all employees verbally commit to an NDA about the breach. C. Temporarily disable employee access to social media D. Have law enforcement meet with employees. My guess: B Others answer: A __________________________________________________ 44. A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform? A. Use the IP addresses to search through the event logs. B. Analyze the trends of the events while manually reviewing to see if any of the indicators match. C. Create an advanced query that includes all of the indicators, and review any of the matches. D. Scan for vulnerabilities with exploits known to have been used by an APT. My guess: C Others answer: B __________________________________________________ An analyst finds that unpatched servers have undetected vulnerabilities because the vulnerability scanner does not have the latest set of signatures. Management directed the security team to have personnel update the scanners with the latest signatures at least 24 hours before conducting any scans, but the outcome is unchanged. Which of the following is the BEST logical control to address the failure? A. Configure a script to automatically update the scanning tool. B. Manually validate that the existing update is being performed. C. Test vulnerability remediation in a sandbox before deploying. D. Configure vulnerability scans to run in credentialed mode. My guess: D Others answer: A __________________________________________________