91. A security analyst has determined that the user interface on an embedded device is vulnerable to common SQL injections. The device is unable to be replaced, and the software cannot be upgraded. Which of the following should the security analyst recommend to add additional security to this device? A. The security analyst should recommend this device be placed behind a WAF. B. The security analyst should recommend an IDS be placed on the network segment. C. The security analyst should recommend this device regularly export the web logs to a SIEM system. D. The security analyst should recommend this device be included in regular vulnerability scans My guess: B Others answer: A __________________________________________________ 92. A security analyst is performing a review of Active Directory and discovers two new user accounts in the accounting department. Neither of the users has elevated permissions, but accounts in the group are given access to the company's sensitive financial management application by default. Which of the following is the BEST course of action? A. Follow the incident response plan for the introduction of new accounts B. Disable the user accounts C. Remove the accounts' access privileges to the sensitive application D. Monitor the outbound traffic from the application for signs of data exfiltration E. Confirm the accounts are valid and ensure role-based permissions are appropriate My guess: B Others answer: E __________________________________________________ Which of the following principles describes how a security analyst should communicate during an incident? A. The communication should be limited to trusted parties only. B. The communication should be limited to security staff only. C. The communication should come from law enforcement. D. The communication should be limited to management only. My guess: A Others answer: A __________________________________________________ 94. A computer has been infected with a virus and is sending out a beacon to command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server and still be able to identify the infected host through firewall logs? A. Sinkhole B. Block ports and services C. Patches D. Endpoint security My guess: B Others answer: A __________________________________________________ 96. A cybersecurity analyst has been asked to follow a corporate process that will be used to manage vulnerabilities for an organization. The analyst notices the policy has not been updated in three years. Which of the following should the analyst check to ensure the policy is still accurate? A. Threat intelligence reports B. Technical constraints C. Corporate minutes D. Governing regulations My guess: D Others answer: A __________________________________________________ 99. A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID of Admin with a password of "password" grants elevated access to the application over the Internet. Which of the following is the BEST method to discover the vulnerability before a production deployment? A. Manual peer review B. User acceptance testing C. Input validation D. Stress test the application My guess: D Others answer: C __________________________________________________ 100. Which of the following represent the reasoning behind careful selection of the timelines and time-of-day boundaries for an authorized penetration test? (Select TWO). A. To schedule personnel resources required for test activities B. To determine frequency of team communication and reporting C. To mitigate unintended impacts to operations D. To avoid conflicts with real intrusions that may occur E. To ensure tests have measurable impact to operations My guess: C & D Others answer: A & C