QUESTION 101
What is the role of indicator of attack in an investigation?
A. It identifies unusual activity on a system or network.
B. It helps answer the questions of what is happening and why.
C. It is a proactive approach to detect issues at an early stage.
D. It focuses only on forensic analysis.
Correct Answer: B
QUESTION 102
What is a difference between authorization and authentication from an access control perspective?
A. Authorization tracks if a certain user is authenticated within the system, and authentication is responsible for identifying the authorization method.
B. Authorization defines the author of a specific resource, and authentication gives access to the resource itself.
C. Authentication is when the system validates if the user is valid, and authorization enforces and provides resources assigned and required.
D. Authentication is responsible for accounting access on system resources, and the authorization process defines if a user is allowed to author the resource,
Correct Answer: C
QUESTION 103
A security team received a ticket regarding a potentially malicious file found on a company server. A security team confirmed that the file is malicious and identified it as a new trojan. According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this type of incident?
A. Isolate the infected endpoint from the network.
B. Collect public information on the malware behavior.
C. Perform forensics analysis on the infected endpoint.
D. Prioritize incident handling based on the impact.
Correct Answer: A
QUESTION 104
What is a difference between antivirus and antimalware security systems?
A. Antivirus deals with well-known threats, such as Trojans and viruses, and antimalware typically focuses on newer threats, such as polymorphic malware and malware delivered by zero-day exploits.
B. Antimalware protects users from lingering, predictable yet dangerous malware, and antivirus protects users from the latest, currently in the wild exploits.
C. Antimalware offers the minimum layer of protection against classic viruses like keyloggers, and antivirus utilizes heuristic-based detection to proactively find source codes that indicate a threat.
D. Antivirus updates rules faster, hence having the best protection against new malware, and antimalware is best for trojans and crypto-malware types of threats.
Correct Answer: A
QUESTION 105
A security engineer must implement IPS inside a DMZ organization. One of the requirements is to be able to block suspicious traffic based on a triggered signature in real life. IPS will be connected behind DMZ firewalls directly to core switches. Which traffic integration must be done to complete this project?
A. mirroring
B. inline
C. tap
D. passive
Correct Answer: B
QUESTION 106
Which type of attack is used to eavesdrop on a conversation between two victims?
A. Replay
B. man-in-the-middle
C. dictionary
D. known-plaintext
Correct Answer: B
QUESTION 107
What is the difference between an exploit and a vulnerability?
A. An exploit is a function that takes advantage of risks to steal or damage assets, and a vulnerability is a threat.
B. A vulnerability is a flaw in a system, and an exploit is a way to use this flaw.
C. An exploit is a potential for loss or disruption of an asset, and a vulnerability is an attack that threat actors use.
D. A vulnerability is a gap in a rule that intruders use, and an exploit is a weakness in the system.
Correct Answer: B
QUESTION 108
An engineer must analyze a security event from last month. The engineer has access to a PCAP file collected from traffic mirroring and NetFlow data. The engineer must perform checks quickly on a busy network segment without knowing details. Which source of data must be used for analysis?
A. NetFlow because it has all needed data
B. both sources, first NetFlow because collection is easy, then PCAP
C. PCAP file because it is easy to track all activity for the last month
D. both sources, first PCAP based on a simple query, then NetFlow
Correct Answer: B
QUESTION 109
For which items is an end-point application greylist used?
A. items that have been installed with a baseline
B. items before being established as harmful or malicious
C. items that have been established as authorized
D. items that have been established as malicious
Correct Answer: B
QUESTION 110
To facilitate a reliable public key exchange in a system with participants, which protocol should be employed?
A. Direct Secure Messaging
B. Blockchain-Based Key Distribution
C. Public Key Infrastructure
D. Dynamic Key Generation
Correct Answer: C
QUESTION 111
What is a difference between mandatory access control (MAC) and discretionary access control (DAC)?
A. DAC provides non-discretionary access required by any user within the organization, and MAC filters by job and operational roles.
B. DAC grants required access only to administrative users, and MAC affects the whole organization without exceptions.
C. MAC grants access based on data confidentiality levels, and DAC grants access based on identity.
D. MAC provides access by mandatory operational requirements, and DAC grants access based on authorization.
Correct Answer: C
QUESTION 112
What is the purpose of SOC metrics?
A. SOC metrics measure the confidentiality, integrity, and availability of the organization.
B. SOC metrics are threat level indicators of a given cyberattack and its vector.
C. SOC metrics are assurance indicators of how secure each component is from cyberattacks.
D. SOC metrics measure the performance of the Security Operations Center.
Correct Answer: D
QUESTION 113
A compliance team is identifying protected data flowing from the network for an organization that works with multiple healthcare facilities to hire medical specialists worldwide. The organization stores intellectual property for external hires, encypts the data, and provides on-demand access through a formal approval process. Which type of protected data should be identified by the compliance team?
A. Personally Identifiable Information
B. Personal Health Information
C. Copyright Data
D. Patent Data
Correct Answer: A
QUESTION 114
What is the impact of a ransomware infection?
A. User must pay ransom to decrypt data.
B. Data on infected endpoints is encrypted.
C. Encrypted data cannot be restored from backup.
D. Multiple connections are made to external C&C servers.
Correct Answer: B
QUESTION 115
An engineer is sharing folders and files with different departments and got this error: ” No such file or directory”. What must the engineer verify next?
A. permission
B. symlinks
C. disk space
D. memory allocation
Correct Answer: B
QUESTION 116
A user reported that a mobile application is working very slowly. The DDOS tool reports high volume traffic. During which phase will CSIRT ensure that the incident does not continue and confirm that the organization took the required action?
A. preparation
B. recovery
C. containment
D. eradication
Correct Answer: C
QUESTION 117
A security team received a ticket to investigate suspicious emails to company employees sent from a list of malicious domains. Further analysis showed that a targeted phishing attempt was successfully blocked by the company’s email antivirus. At which step of the Cyber Kill Chain did the security team mitigate this attack?
A. Actions on Objectives
B. Command and Control
C. Weaponization
D. Delivery
Correct Answer: D
QUESTION 118
What describes the use of certificates on asymmetric encryption?
A. Certificates are being used instead of public and private keys to encrypt of decrypt communication.
B. Certificates contain the private key used to encrypt or decrypt communication.
C. Certificates contain the public key used to encrypt or decrypt communication.
D. Certificates contain private and public keys used to encrypt or decrypt communication.
Correct Answer: C
QUESTION 119
What is a description of the vulnerability management process?
A. attempting to exploit weaknesses on discovered assets
B. evaluating and reporting weaknesses in systems
C. nonsignature engine for finding weaknesses
D. real-time mechanism for zero-day weaknesses
Correct Answer: B
QUESTION 120
What is the functionality of systems-based sandboxing?
A. Identify spikes in traffic to detect abnormal behaviors within the network.
B. Deny unknown and unapproved code to be processed within controlled applications.
C. Execute and analyze the code behavior in an isolated environment.
D. Reverse connection to avoid firewall limitations on open ports.
Correct Answer: C
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.