QUESTION 21
Which difficulty occurs when log messages are compared from two devices separated by a Layer 3 device that performs Network Address Translation?
A. IP addresses in the log messages do not match.
B. Timestamps of the log messages are different.
C. Log messages contain incorrect information.
D. IP addresses in the log messages match.
Correct Answer: A
QUESTION 22
A compliance analyst has received a complaint from a customer regarding personal data being held by the company unlawfully, despite the customer’s request for it to be deleted. The company, based in Europe, must adhere to the strict GDPR guidelines. The only data collected by the company in this case is the email address “[email protected]”. How should the compliance analyst act on the case?
A. Delete the data if the customer is from the EU.
B. Do not delete the data – this email is not considered PII.
C. Delete the data regardless of where customer is from.
D. Notify legal team about data compliance breach.
Correct Answer: C
QUESTION 23
Which event artifact is used to identify HTTP GET requests for a specific file?
A. HTTP status code
B. destination IP address
C. TCP ACK
D. URI
Correct Answer: D
QUESTION 24
A compliance officer at a healthcare company has received a complaint from a patient regarding sensitive health information being retained by the company, despite the patient’s request for it to be deleted. The company operates in the United States and is subject to HIPAA regulations. The only data retained by the company in this case is a medical record ID, which does not directly include the patient’s name or other identifiers. Which action should the compliance officer take?
A. Delete the data immediately, as all healthcare-related data must be purged upon request.
B. Do not delete the data, as the medical record ID alone is not classified as PHI under HIPAA.
C. Retain the data, since HIPAA requires all data to be kept indefinitely, regardless of any request.
D. Delete the data only if the medical record ID can be linked to the patient’s identity.
Correct Answer: B
QUESTION 25
An analyst interprets the output report from a malware analysis tool in a sandbox environment. The report reveals malware activities, including modification of HKLMSoftware registry keys to establish persistence, creation of encrypted outbound connections to multiple IP addresses on port 443, injection of malicious code into svchost.exe and other critical system processes, and setup of tasks in Task Scheduler to ensure execution at system startup. Which action should be prioritized for further investigation?
A. Inspect Task Scheduler tasks and decrypt outbound connections.
B. Examine code injection in svchost.exe and monitor outbound traffic.
C. Decrypt outbound connections and analyze registry key modifications.
D. Analyze svchost.exe code injection and registry key modifications.
Correct Answer: B
QUESTION 26
A small retail company wants to secure customer data by balancing security, budget, and performance. A basic security without significant latency and hardware upgrades approach must be applied. How does packet filtering compare to other technologies in this regard?
A. Packet filtering efficiently analyzes headers and payloads, and deep packet inspection focuses on payloads.
B. Packet filtering provides basic control by examining headers, and stateful firewalls rely on connection tracking.
C. Packet filtering allows packets based on rules, and intrusion detection relies heavily on threat fingerprint signatures.
D. Packet filtering offers comprehensive traffic control, and denylisting provides basic blocking of unknown threats.
Correct Answer: B
QUESTION 27
What describes the difference when comparing attack surface and vulnerability in practice?
A. The attack surface is the SQL injection targeted on the database, and the database tables are the vulnerabilities that might be exploited.
B. Patching SMB vulnerability is an attack surface reduction, and the open unused ports are the vulnerabilities within the system.
C. A SMB server that can allow remote code execution is a vulnerability, and closing port 139 is an attack surface reduction.
D. Updating the OS reduces the attack surface, and installing separate optional patches remediates and solves vulnerabilities within the system.
Correct Answer: C
QUESTION 28
A company recently encountered a breach. Critical services went through a disturbance and the integrity of the data was altered. An engineer is investigating the issue and searching through the logs in the SIEM. Which phase of the incident response is an engineer working on?
A. post-incident and lessons learned
B. recovery and restoration
C. detection and analysis
D. containment and eradication
Correct Answer: C
QUESTION 29
During a quarterly vulnerability scan, a security analyst discovered unused uncommon ports open and in a listening state. Further investigation showed that the unknown application was communicating with an external IP address on an encrypted channel. A deeper analysis revealed a command and control communication on an infected server. At which step of the Cyber Kill Chain was the attack detected?
A. Weaponization
B. Actions on Objectives
C. Exploitation
D. Delivery
Correct Answer: B
QUESTION 30
What is corroborating evidence?
A. evidence that relies on an extrapolation to a conclusion of fact, such as fingerprints
B. evidence that can be presented in court in the original form, such as an exact copy of a hard drive
C. evidence that tends to support a theory or an assumption deduced by some initial evidence
D. evidence that can be provided to cyber police for further restrictive actions over threat actors
Correct Answer: C
QUESTION 31
A network engineer informed a security team of a large amount of traffic and suspicious activity from an unknown source to the company DMZ server. The security team reviewed the data and identified a potential DDoS attempt. According to NIST, at which phase of incident response is the security team?
A. recovery
B. preparation
C. detection and analysis
D. containment and eradication
Correct Answer: C
QUESTION 32
An engineer is examining a particular network traffic sample from multiple sources aggregated into an alert via the company SlEM. These observations are noted within said alert: an increase in outbound traffic volume at 2 AM, multiple admin account sign-ins from geographically disparate locations, a series of encrypted file uploads to a recently blacklisted domain, and alert triggers from the DLP for unauthorized file types. What is occurring?
A. An administrator is conducting system updates and testing encryption protocols during off hours.
B. A security breach is occurring that involves potential data exfiltration through unauthorized and suspicious channels.
C. Disaster recovery plans are being activated, involving data replication to an offsite location for backup purposes.
D. Employees from global offices are collaborating on a project that requires extensive file sharing activities.
Correct Answer: B
QUESTION 33
A data privacy officer at a marketing firm has received a request from a former client to delete all personally sensitive information held by the company. The firm operates globally and follows international data protection standards. The only information retained about the client is a unique customer ID which is not directly tied to the name, address, or any other identifiable details. Which action should the data privacy officer take?
A. Delete the data immediately to comply with all global privacy regulations.
B. Delete the data if the customer ID is stored alongside additional information that can identify the client.
C. Retain the data, as a customer ID by itself does not qualify as PSI under international standards.
D. Consult the legal team, as customer IDs are always considered PSI and cannot be retained.
Correct Answer: C
QUESTION 34
What is the difference between an attack vector and an attack surface?
A. The attack surface defines the number of existing vulnerabilities available, and the attack vector determines the difficulty of available exploits.
B. The attack vector targets security weaknesses, and the attack surface is where an adversary attempts to gain entry across those weaknesses.
C. Attack vectors are flaws in configuration, and the attack surface is the system or software that has such flaws.
D. The attack surface is tactics, techniques, and procedures used by the threat actor, and the attack vector is the system hardware.
Correct Answer: B
QUESTION 35
An analyst received a ticket about degraded processing capability for one of the HR department’s servers. On the same day, an engineer noticed disabled antivirus software and could not determine when or why it occurred. According to the NIST Incident Handling Guide, what is the next phase of this investigation?
A. detection
B. recovery
C. eradication
D. analysis
Correct Answer: D
QUESTION 36
An engineer wants to gather events from multiple DMZ networks and use that information for Wireshark. The engineer decides to implement span ports for the organization to collect all required traffic. What is the benefit of choosing span ports over tap devices?
A. There is no negative performance.
B. They provide full fidelity for monitoring.
C. It is difficult to oversubscribe.
D. A maintenance window is not needed.
Correct Answer: D
QUESTION 37
What is the impact of asymmetric cryptography on security?
A. increased efficiency due to one key for encrypting and decrypting the data
B. easier to decrypt due to segmented traffic
C. improved security due to two different keys
D. vulnerable due to weak communication security
Correct Answer: C
QUESTION 38
What is the purpose of port scanning?
A. identify the Internet Protocol of the target system
B. identify legitimate users of a system
C. determine if the network is up or down
D. identify which ports and services are open on the target host
Correct Answer: D
QUESTION 39
What matches the regular expression r(ege)+x?
A. rx
B. r(ege)x
C. rege+x
D. regeegex
Correct Answer: D
QUESTION 40
What is the impact of false negative alerts when compared to true negative alerts?
A. A false negative is an event that alerts for injection attack when no attack is happening, and a true negative is an attack that happens and an alert that is appropriately raised.
B. A false negative is someone trying to hack into the system and no alert is raised, and a true negative is an event that never happened and an alert was not raised.
C. A true negative is an alert for an exploit attempt when no attack was detected, and a false negative is when no attack happens and an alert is still raised.
D. A true negative is a legitimate attack that triggers a brute force alert, and a false negative is when no alert and no attack is occurring.
Correct Answer: B
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.