QUESTION 81
During a security incident at a healthcare facility, an unauthorized user downloads multiple patients’ PHI records. Which of the following is the best reason for the healthcare facility to communicate with the affected patients regarding the incident?
A. To meet regulatory requirements
B. To appease the stakeholders
C. To avoid legal liability
D. To get support from law enforcement
Correct Answer: A
QUESTION 82
Which of the following explains why a company might reprioritize a vulnerability score? (Select two).
A. System criticality
B. Alert volume
C. Unexpected outage
D. Threat intelligence
E. Patch availability
F. Public relations
Correct Answer: AD
QUESTION 83
A user receives an email requesting that they resolve several high-priority system issues. After addressing the issues, the user realizes that the email and attachments came from outside the organization. Which of the following would the SOC likely detect first?
A. Beaconing to the home site
B. Data exfiltration
C. Execution of unauthorized software
D. Repeated launch of an antivirus
Correct Answer: C
QUESTION 84
An organization’s SOC team notices suspicious behavior in the network. The team finds that an attacker has accessed and modified a human resources file. The incident report indicates a remote service session hijacking attack. Which of the following is the best mitigation?
A. Use the methodologies for OSSTMM.
B. Validate the security of the file server by using a vulnerability scanning tool.
C. Configure the remote desktop service to disable drive redirection.
D. Enable firewall rules to block unnecessary traffic between network security zones.
Correct Answer: C
QUESTION 85
Several users are trying to access a publicly accessible application and report performance issues. A security analyst investigates and finds the following:
1. The application recently received a major upgrade.
2. The vulnerability server started performing nightly scans last week.
3. Unusual internal traffic spikes to an unknown external site have occurred.
4. Bandwidth consumption levels are above average.
5. There are no related DLP alerts.
6. No new administrative accounts have been created or modified recently.
Which of the following is most likely the reason for the issues?
A. Rogue devices
B. DDoS attack
C. Unauthorized upgrade
D. Data exfiltration
Correct Answer: B
QUESTION 86
Which of the following is the most important reason for an incident response team to develop a formal incident declaration?
A. To check that an incident be reported through the proper channels
B. To identify and document staff who have the authority to declare an incident
C. To allow for public disclosure of a security event impacting the organization
D. To establish the department that is responsible for responding to an incident
Correct Answer: B
QUESTION 87
A sales application was remediated to address a critical vulnerability. The process took five business hours and was ultimately successful. However, the change advisory board informed the company’s leadership team that the process resulted in a considerable financial loss. Which of the following best explains the reason for the financial loss?
A. The loss is a normal cost of operations that relies on IT.
B. The Chief Information Officer did not notify the board members.
C. The IT team should have hired a penetration test assessment before patching.
D. The maintenance window was not properly communicated or scheduled.
Correct Answer: D
QUESTION 88
A company has recently experienced a security breach via a public-facing service. Analysis of the event on the server was traced back to the following piece of code:
SELECT * From user_data WHERE Username = 0 and userid= 1 or 1=1;–
Which of the following controls would be best to implement?
A. Deploy a wireless application protocol.
B. Remove the end-of-life component.
C. Implement proper access control.
D. Validate user input.
Correct Answer: D
QUESTION 89
An organization establishes an IR plan that prioritizes containment and isolation when the operations center confirms a breach. The organization’s plan requires that evidence be collected and preserved before any eradication or analysis is done. The organization has had false positives in the past and, therefore, does not allow automatic response to detected intrusions. The network operations center sees indications of data exfiltration on one of the internal servers. Users outside the organization have not accessed the server, and the event is occurring in the morning before anyone else is at work. Which of the following actions should the operations center take next?
A. Migrate the server to a sandbox environment.
B. Notify the response learn.
C. Immediately take an image of the server.
D. Take the offending server offline.
E. Update the IPS rules.
Correct Answer: B
QUESTION 90
Negotiations for a merger fail when one company was found to be using incorrect data. Numerous emails related to the merger had content that had been maliciously changed in transit. which of the following technologies should the company implement to mitigate this issue from occurring in the future?
A. DKIM
B. SPF
C. DMARC
D. FIM
Correct Answer: A
QUESTION 91
A systems administrator receives reports from customers that they cannot access a banking website from their home networks. Which of the following will determine if the home networks are blocked?
A. SPF
B. Browser cookie
C. WHOIS
D. AbuselPDB
Correct Answer: D
QUESTION 92
A recent security audit found that RCE was possible for a specific application server that requires public access for HTTP and HTTPS traffic. Which of the following controls should a security analyst recommend?
A. Modifying the rules on the WAF to sanitize user input
B. Only allowing one application server to be publicly accessible
C. Creating an IAM policy so that only administrators can access the server
D. Configuring a firewall rule to deny all inbound external traffic
Correct Answer: A
QUESTION 93
A systems administrator needs to grant access to corporate systems to a contractor. Which of the following documents should be signed before any access is provided?
A. BC
B. MOU
C. NDA
D. SLA
Correct Answer: C
QUESTION 94
A SOC analyst responds to a security incident and discovers the threat actor’s IP address. The analyst uses this information to correlate the attack and affected assets. Which of the following best describes what the Soc analyst is using?
A. APT
B. IoC
C. TTP
D. CSIRT
Correct Answer: B
QUESTION 95
Which of the following describes the importance of an organization understanding SLOs when outsourcing IR to a third party?
A. To track the performance of specific KPIs
B. To understand the hidden costs of an SLA
C. To ensure that an objective risk score can be calculated
D. To quantify the risk appetite in an MOU
Correct Answer: A
QUESTION 96
An employee submits a ticket that contains the following information to a cybersecurity analyst:
Ticket Body: Please review this file received via email as it is coming from an unknown sender and let me know if it is safe to open.
Ticket Attachment: Invoice-0489293348.pdf
Which of the following is the best way to help the analyst determine the impact of opening the attachment if the file has been customized for the specific recipient?
A. Execute cuckoo submit Invoice-0489293348.pdf.
B. Run strings Invoice-0489293348.pdf.
C. Submit the sender IP address to AbuselPDB and review the report.
D. Send the IP address found on the email header to VirusTotal.
Correct Answer: A
QUESTION 97
An analyst wants to track how quickly vulnerabilities are identified. Which of the following would be the best metric?
A. KPI
B. MTTD
C. SLO
D. Alert volume
Correct Answer: B
QUESTION 98
An incident responder requests a specialized team to evaluate a hard drive during an investigation. A security analyst needs to retrieve information from the hard drive. Which of the following tools will best meet the requirements given the organization’s limited budget?
A. Nessus
B. MSF
C. FTK
D. EnCase
Correct Answer: C
QUESTION 99
A security analyst is analyzing two vulnerabilities on a critical router. The analyst must choose only one to patch during this maintenance window. Given the following information:
Vulnerability 1 has not received a CVSS score. The vulnerability has the following characteristics:
1. Must be logged in to the router, but elevated privileges are not required
2. Trivial to exploit, but user interaction is needed
3. Low impact to availability, but high impact to confidentiality and integrity
Vulnerability 2 has a CVSS score of AV:N/AC:L/PR:L/UI:N /S:U/C:L/I:L/A:H. Which of the following conclusions should the analyst reach?
A. Patch Vulnerability 1 because it has a higher overall Impact when looking at confidentiality, integrity, and availability, and ‘t requires lower privileges.
B. Patch Vulnerability 1 because it is easier to exploit and has a higher impact on confidentiality.
C. Patch vulnerability 2 because it has a higher overall impact when looking at confidentiality integrity, and availability, and it can be explored by a privileged user.
D. Patch Vulnerability 2 because it is easier to exploit, has a high impact on availability, and it is more likely to be exploited remotely.
Correct Answer: D
QUESTION 100
Which of the following is the best strategy for prioritizing vulnerabilities for remediation?
A. Remediate from the beginning to the end of the report.
B. Remediate the findings based on the description of the vulnerabilities.
C. Remediate the vulnerabilities based on the CVE score only.
D. Remediate based on the organization’s timeframe in the procedures.
Correct Answer: D
We use cookies to improve your experience, including essential cookies required for the website to function. By continuing, you agree to our use of cookies. Learn more.
We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.
Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.
Advertisement cookies are used to provide visitors with customised advertisements based on the pages you visited previously and to analyse the effectiveness of the ad campaigns.
Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.