Chapter 5
Practice Test 1

  1. While reviewing network flow logs, John sees that network flow on a particular segment suddenly dropped to zero. What is the most likely cause of this?
    1. A denial-of-service attack
    2. A link failure
    3. High bandwidth consumption
    4. Beaconing
  2. Saanvi is conducting the recovery process after his organization experienced a security incident. During that process, he plans to apply patches to all of the systems in his environment. Which one of the following should be his highest priority for patching?
    1. Windows systems
    2. Systems involved in the incident
    3. Linux systems
    4. Web servers
  3. Susan's organization suffered from a major breach that was attributed to an advanced persistent threat (APT) that used exploits of zero-day vulnerabilities to gain control of systems on her company's network. Which of the following is the least appropriate solution for Susan to recommend to help prevent future attacks of this type?
    1. Heuristic attack detection methods
    2. Signature-based attack detection methods
    3. Segmentation
    4. Leverage threat intelligence
  4. During his investigation of a Windows system, Eric discovered that files were deleted and he wants to determine whether a specific file previously existed on the computer. Which of the following is the least likely to be a potential location to discover evidence supporting that theory?
    1. Windows registry
    2. Master File Table
    3. INDX files
    4. Event logs
  5. As part of her SOC analyst duties, Emily is tasked with monitoring intrusion detection systems that cover her employer's corporate headquarters network. During her shift, Emily's IDS alarms report that a network scan has occurred from a system with IP address 10.0.11.19 on the organization's WPA3 Enterprise wireless network aimed at systems in the finance division. What data source should she check first?
    1. Host firewall logs
    2. AD authentication logs
    3. Wireless authentication logs
    4. WAF logs
  6. Casey's incident response process leads her to a production server that must stay online for her company's business to remain operational. What method should she use to capture the data she needs?
    1. Live image to an external drive.
    2. Live image to the system's primary drive.
    3. Take the system offline and image to an external drive.
    4. Take the system offline, install a write blocker on the system's primary drive, and then image it to an external drive.
  7. What does the Nmap response “filtered” mean in port scan results?
    1. Nmap cannot tell whether the port is open or closed.
    2. A firewall was detected.
    3. An IPS was detected.
    4. There is no application listening, but there may be one at any time.
  8. During her review of incident logs, Deepa discovers the initial entry via SSH on a front-facing bastion host (A) at 8:02 a.m. If the network that Deepa is responsible for is designed as shown here, what is the most likely diagnosis if the second intrusion shows up on host B at 7:15 a.m.?
    A system architecture. It involves internet, firewall, SSH bastion host, statefull firewall ruleset, and internal management system.
    1. Internal host B was previously compromised.
    2. Host A was compromised; then host B was compromised.
    3. Neither host B nor host A are synchronized to NTP properly.
    4. An internal threat compromised host B and then host A.
  9. Matt recently ran a vulnerability scan of his organization's network and received the results shown here. He would like to remediate the server with the highest number of the most serious vulnerabilities first. Which one of the following servers should be on his highest priority list?
    A set of 2 illustrations. The results of the 4 servers were exposed on the left. A doughnut chart depicts the vulnerabilities (right).
    1. Server A
    2. Server B
    3. Server C
    4. Server D
  10. Saanvi has been tasked with conducting a risk assessment for the midsize bank that he works at because of a recent compromise of their online banking web application. Saanvi has chosen to use the NIST 800-30 risk assessment framework shown here. What likelihood of occurrence should he assign to breaches of the web application?
    An illustration depicts 4 steps of a model. Step 1: Prepare for assessment. Step 2: Conduct assessment. Step 3: Communicate results. Step 4: Maintain assessment.
    1. Low
    2. Medium
    3. High
    4. Cannot be determined from the information given
  11. Hank's boss recently came back from a CEO summit event where he learned about the importance of cybersecurity and the role of vulnerability scanning. He asked Hank about the vulnerability scans conducted by the organization and suggested that instead of running weekly scans that they simply configure the scanner to start a new scan immediately after the prior scan completes. How should Hank react to this request?
    1. Hank should inform the CEO that this would have a negative impact on system performance and is not recommended.
    2. Hank should immediately implement the CEO's suggestion.
    3. Hank should consider the request and work with networking and engineering teams on possible implementation.
    4. Hank should inform the CEO that there is no incremental security benefit from this approach and that he does not recommend it.
  12. Selah's organization suffers an outage of its point-to-point encrypted VPN because of a system compromise at its ISP. What type of issue is this?
    1. Confidentiality
    2. Availability
    3. Integrity
    4. Accountability
  13. Garrett is working with a database administrator to correct security issues on several servers managed by the database team. He would like to extract a report for the DBA that will provide useful information to assist in the remediation effort. Of the report templates shown here, which would be most useful to the DBA team?
    A window page depicts the title, type, and vulnerability data.
    1. Qualys Top 20 Report
    2. Payment Card Industry (PCI) Technical Report
    3. Executive Report
    4. Technical Report
  14. Jiang's SolarWinds network monitoring tools provide data about a system hosted in Amazon's AWS environment. When Jiang checks his server's average response time, he sees the results shown here.
    A window page depicts a graph that presents the minimum or maximum or average response time and packet loss.

    What action should Jiang take based on this information?

    1. He should increase the speed of his network link.
    2. He should check for scheduled tasks at the times he sees spikes.
    3. He should ensure that his network card has the proper latency settings.
    4. He should perform additional diagnostics to determine the cause of the latency.
  15. Alex notices the traffic shown here during a Wireshark packet capture. What is the host with IP address 10.0.2.11 most likely doing?
    A window page presents the number, time, source, destination, protocol, length, and information data.
    1. UDP-based port scanning
    2. Network discovery via TCP
    3. SYN-based port scanning
    4. DNS-based discovery
  16. Jake is building a forensic image of a compromised drive using the dd command with its default settings. He finds that the imaging is going very slowly. What parameter should he adjust first?
    1. if
    2. bs
    3. of
    4. count
  17. What purpose does a honeypot system serve when placed on a network as shown here?
    A system architecture. It involves internet, border router, honeypot, firewall or unified security device, and internal trusted zone.
    1. It prevents attackers from targeting production servers.
    2. It provides information about the techniques attackers are using.
    3. It slows down attackers like sticky honey.
    4. It provides real-time input to IDSs and IPSs.
  18. Munju's security team has found consistent evidence of system compromise over a period of weeks, with additional evidence pointing to the systems they are investigating being compromised for years. Despite her team's best efforts, Munju has found that her team cannot seem to track down and completely remove the compromise. What type of attack is Munju likely dealing with?
    1. A Trojan horse
    2. An APT
    3. A rootkit
    4. A zero-day attack
  19. Which one of the following metrics would be most useful in determining the effectiveness of a vulnerability remediation program?
    1. Number of critical vulnerabilities resolved
    2. Time to resolve critical vulnerabilities
    3. Number of new critical vulnerabilities per month
    4. Time to complete vulnerability scans
  20. Mike's Nmap scan of a system using the command nmap 192.168.1.100 does not return any results. What does Mike know about the system if he is sure of its IP address, and why?
    1. The system is not running any open services.
    2. All services are firewalled.
    3. There are no TCP services reachable on Nmap's default 1000 TCP ports.
    4. There are no TCP services reachable on Nmap's default 65535 TCP ports.
  21. What is the purpose of creating a hash value for a drive during the forensic imaging process?
    1. To prove that the drive's contents were not altered
    2. To prove that no data was deleted from the drive
    3. To prove that no files were placed on the drive
    4. All of the above
  22. After completing his unsuccessful forensic analysis of the hard drive from a workstation that was compromised by malware, Ben sends it to be re-imaged and patched by his company's desktop support team. Shortly after the system returns to service, the device once again connects to the same botnet. What action should Ben take as part of his next forensic review if this is the only system showing symptoms like this?
    1. Verify that all patches are installed.
    2. Destroy the system.
    3. Validate the BIOS hash against a known good version.
    4. Check for a system with a duplicate MAC address.
  23. Part of the forensic data that Susan was provided for her investigation was a Wireshark packet capture. The investigation is aimed at determining what type of media an employee was consuming during work. What is the more detailed analysis that Susan can do if she is provided with the data shown here?
    A window page presents the number, time, source, destination, protocol, length, and information data.
    1. She can determine that the user was viewing a GIF.
    2. She can manually review the TCP stream to see what data was sent.
    3. She can export and view the GIF.
    4. She cannot determine what media was accessed using this data set.
  24. Which one of the following models traces the steps that an attacker would commonly perform during an intrusion?
    1. MITRE ATT&CK
    2. Diamond
    3. Cyber Kill Chain
    4. STIX
  25. Mika wants to run an Nmap scan that includes all TCP ports and uses service detection. Which of the following nmap commands should she execute?
    1. nmap -p0 -all -SC
    2. nmap -p 1-32768 -sVS
    3. nmap -p 1-65535 -sV -sS
    4. nmap -all -sVS
  26. Which one of the following cloud service models relies on the cloud service provider to implement the greatest number of security controls?
    1. SaaS
    2. PaaS
    3. FaaS
    4. IaaS
  27. Dan is a cybersecurity analyst for a healthcare organization. He ran a vulnerability scan of the VPN server used by his organization. His scan ran from inside the datacenter against a VPN server also located in the datacenter. The complete vulnerability report is shown here. What action should Dan take next?
    A window page presents the first detected, last detected, time detected, and last fixed data.
    1. Dan should immediately remediate this vulnerability.
    2. Dan should schedule the vulnerability for remediation within the next 30 days.
    3. Dan should rerun the scan because this is likely a false positive report.
    4. Dan should take no action.
  28. Kwame received an alert from his organization's SIEM that it detected a potential attack against a web server on his network. However, he is unsure whether the traffic generating the alert actually entered the network from an external source or whether it came from inside the network. The NAT policy at the network perimeter firewall rewrites public IP addresses, making it difficult to assess this information based on IP addresses. Kwame would like to perform a manual log review to locate the source of the traffic. Where should he turn for the best information?
    1. Application server logs
    2. Database server logs
    3. Firewall logs
    4. Antimalware logs
  29. Which one of the following types of vulnerability scans would provide the least information about the security configuration of a system?
    1. Agent-based scan
    2. Credentialed scan
    3. Uncredentialed internal scan
    4. Uncredentialed external scan
  30. After finishing a forensic case, Sam needs to wipe a magnetic hard drive (HDD) that he is using to prepare it for the next case. Which of the following methods is best suited to preparing the hard drive that he will use if he wants to be in compliance with NIST SP 800-88?
    1. Degauss the drive.
    2. Zero-write the drive.
    3. Seven rounds: all ones, all zeros, and five rounds of random values.
    4. Use the ATA Secure Erase command.
  31. After reading the NIST standards for incident response, Mateo spends time configuring the NTP service on each of his servers, workstations, and appliances throughout his network. What phase of the incident response process is he working to improve?
    1. Preparation
    2. Detection and analysis
    3. Containment, eradication, and recovery
    4. Post-incident activity
  32. Latisha is the ISO for her company and is notified that a zero-day exploit has been released that can result in remote code execution on all Windows workstations on her network because of an attack against Windows domain services. She wants to limit her exposure to this exploit but needs the systems to continue to be able to access the Internet. Which of the following approaches is best for her response?
    1. Firewalling
    2. Patching
    3. Isolation
    4. Segmentation
  33. When Saanvi was called in to help with an incident recovery effort, he discovered that the network administrator had configured the network as shown here. What type of incident response action best describes what Saanvi has encountered?
    A system architecture. It involves border router, data center, business office, containment, and firewall ruleset.
    1. Segmentation
    2. Isolation
    3. Removal
    4. Network locking
  34. As part of the forensic investigation of a Linux workstation, Alex needs to determine what commands may have been issued on the system. If no anti-forensic activities have taken place, what is the best location for Alex to check for a history of commands issued on the system?
    1. /var/log/commands.log
    2. $HOME/.bash_history
    3. $HOME/.commands.sqlite
    4. /var/log/authactions.log
  35. Ben recently completed a risk analysis and determined that he should implement a new set of firewall rules to filter traffic from known suspect IP addresses. What type of risk management activity is he performing?
    1. Risk avoidance
    2. Risk acceptance
    3. Risk transference
    4. Risk mitigation
  36. Crystal is attempting to determine the next task that she should take on from a list of security priorities. Her boss told her that she should focus on activities that have the most “bang for the buck.” Of the tasks shown here, which should she tackle first?
    A table represents the data on security issue, criticality, and time required to fix.
    1. Task 1
    2. Task 2
    3. Task 3
    4. Task 4
  37. During the analysis of an incident that took place on her network, Sofia discovered that the attacker used a stolen cookie to access a web application. Which one of the following attack types most likely occurred?
    1. On-path (man-in-the-middle)
    2. Privilege escalation
    3. Cross-site scripting
    4. Session hijacking
  38. Curt is conducting a forensic analysis of a Windows system and needs to determine whether a program was set to automatically run. Which of the following locations should he check for this information?
    1. NTFS INDX files
    2. The registry
    3. Event logs
    4. Prefetch files
  39. What concept measures how easy data is to lose?
    1. Order of volatility
    2. Data transience
    3. Data loss prediction
    4. The Volatility Framework
  40. Steps like those listed here are an example of what type of incident response preparation?
    1. Visit otx.alienvault.com and the suspected C&C system's IP address on the top search input field.
    2. If the IP address is associated with malware C&C activity, create a ticket in the incident response tracking system.
    1. Creating a CSIRT
    2. Creating a playbook
    3. Creating an incident response plan
    4. Creating an IR-FAQ
  41. While analyzing the vulnerability scan from her web server, Kristen discovers the issue shown here. Which one of the following solutions would best remedy the situation?
    A window page presents the first detected, last detected, time detected, and last fixed data.
    1. Move from TLS 1.0 to SSL 3.0.
    2. Require IPsec connections to the server.
    3. Disable the use of TLS.
    4. Move from TLS 1.0 to TLS 1.3.
  42. Charles is building an incident response playbook for his organization that will address command-and-control client-server traffic detection and response. Which of the following information sources is least likely to be part of his playbook?
    1. DNS query logs
    2. Threat intelligence feeds
    3. Honeypot data
    4. Notifications from internal staff about suspicious behavior
  43. Carol recently fell victim to a phishing attack. When she clicked the link in an email message that she received, she was sent to her organization's central authentication service and logged in successfully. She did verify the URL and certificate to validate that the authentication server was genuine. After authenticating, she was sent to a form that collected sensitive personal information that was sent to an attacker. What type of vulnerability did the attacker most likely exploit?
    1. Buffer overflow
    2. Session hijacking
    3. IP spoofing
    4. Open redirect
  44. As a penetration tester, Max uses Wireshark to capture all of his testing traffic. Which of the following is not a reason that Max would capture packets during penetration tests?
    1. To document the penetration test
    2. To scan for vulnerabilities
    3. To gather additional information about systems and services
    4. To troubleshoot issues encountered when connecting to targets
  45. Rich recently configured new vulnerability scans for his organization's business intelligence systems. The scans run late at night when users are not present. Rich received complaints from the business intelligence team that the performance burden imposed by the scanning is causing their overnight ETL jobs to run too slowly and they are not completing before business hours. How should Rich handle this situation?
    1. Rich should inform the team that they need to run the ETL jobs on a different schedule.
    2. Rich should reconfigure the scans to run during business hours.
    3. Rich should inform the team that they must resize the hardware to accommodate both requirements.
    4. Rich should work with the team to find a mutually acceptable solution.
  46. Javier ran a vulnerability scan of a new web application created by developers on his team and received the report shown here. The developers inspected their code carefully and do not believe that the issue exists. They do have a strong understanding of SQL injection issues and have corrected similar vulnerabilities in other applications. What is the most likely scenario in this case?
    A window page depicts the CGI generic SQL injection data.
    1. Javier misconfigured the scan.
    2. The code is deficient and requires correction.
    3. The vulnerability is in a different web application running on the same server.
    4. The result is a false positive.
  47. During an incident investigation, Mateo is able to identify the IP address of the system that was used to compromise multiple systems belonging to his company. What can Mateo determine from this information?
    1. The identity of the attacker
    2. The country of origin of the attacker
    3. The attacker's domain name
    4. None of the above
  48. After a major compromise involving what appears to be an APT, Jaime needs to conduct a forensic examination of the compromised systems. Which containment method should he recommend to ensure that he can fully investigate the systems that were involved while minimizing the risk to his organization's other production systems?
    1. Sandboxing
    2. Removal
    3. Isolation
    4. Segmentation
  49. Piper is attempting to remediate a security vulnerability and must apply a patch to a production database server. The database administration team is concerned that the patch will disrupt business operations. How should Piper proceed?
    1. She should deploy the patch immediately on the production system.
    2. She should wait 60 days to deploy the patch to determine whether bugs are reported.
    3. She should deploy the patch in a sandbox environment to test it prior to applying it in production.
    4. She should contact the vendor to determine a safe time frame for deploying the patch in production.
  50. Kent ran a vulnerability scan of an internal CRM server that is routinely used by employees, and the scan reported that no services were accessible on the server. Employees continued to use the CRM application over the Web without difficulty during the scan. What is the most likely source of Kent's result?
    1. The server requires strong authentication.
    2. The server uses encryption.
    3. The scan was run from a different network perspective than user traffic.
    4. The scanner's default settings do not check the ports used by the CRM application.
  51. Steve needs to perform an Nmap scan of a remote network and wants to be as stealthy as possible. Which of the following nmap commands will provide the stealthiest approach to his scan?
    1. nmap -P0 -sT 10.0.10.0/24
    2. nmap -sT -T0 10.0.10.0/24
    3. nmap -P0 -sS 10.0.10.0/24
    4. nmap -P0 -sS -T0 10.0.10.0/24
  52. After performing threat hunting, Lakshman determines that it would be appropriate to disable some services on his organization's database servers. What activity is Lakshman engaging in?
    1. Establishing a hypothesis
    2. Gathering evidence
    3. Reducing the attack surface
    4. Executable process analysis
  53. Jenna is configuring the scanning frequency for her organization's vulnerability scanning program. Which one of the following is the least important criteria for Jenna to consider?
    1. Sensitivity of information stored on systems
    2. Criticality of the business processes handled by systems
    3. Operating system installed on systems
    4. Exposure of the system to external networks
  54. Donna is interpreting a vulnerability scan from her organization's network, shown here. She would like to determine which vulnerability to remediate first. Donna would like to focus on the most critical vulnerability according to the potential impact if exploited. Assuming the firewall is properly configured, which one of the following vulnerabilities should Donna give the highest priority?
    A system architecture. It involves internet, firewall, internal network, workstation, file server, web server, screened subnet, and email server.
    1. Severity 5 vulnerability in the file server
    2. Severity 3 vulnerability in the file server
    3. Severity 4 vulnerability in the web server
    4. Severity 2 vulnerability in the mail server
  55. Which one of the following document categories provides the highest-level authority for an organization's cybersecurity program?
    1. Policy
    2. Standard
    3. Procedure
    4. Framework
  56. Mateo is planning a vulnerability scanning program for his organization and is scheduling weekly scans of all the servers in his environment. He was approached by a group of system administrators who asked that they be given direct access to the scan reports without going through the security team. How should Mateo respond?
    1. Mateo should provide the administrators with access.
    2. Mateo should deny the administrators access because the information may reveal critical security issues.
    3. Mateo should offer to provide the administrators with copies of the report after they go through a security review.
    4. Mateo should deny the administrators access because it would allow them to correct security issues before they are analyzed by the security team.
  57. While reviewing a report from a vulnerability scan of a web server, Paul encountered the vulnerability shown here. What is the easiest way for Paul to correct this vulnerability with minimal impact on the business?
    A window page presents the first detected, last detected, time detected, and last fixed data.
    1. Block ports 80 and 443.
    2. Adjust directory permissions.
    3. Block port 80 only to require the use of encryption.
    4. Remove CGI from the server.
  58. A log showing a successful user authentication is classified as what type of occurrence in NIST's definitions?
    1. A security incident
    2. A security event
    3. An event
    4. An adverse event
  59. Fran is trying to run a vulnerability scan of a web server from an external network, and the scanner is reporting that there are no services running on the web server. She verified the scan configuration and attempted to access the website running on that server using a web browser on a computer located on the same external network and experienced no difficulty. What is the most likely issue with the scan?
    1. A host firewall is blocking access to the server.
    2. A network firewall is blocking access to the server.
    3. An intrusion prevention system is blocking access to the server.
    4. Fran is scanning the wrong IP address.
  60. During a regulatory compliance assessment, Manish discovers that his organization has implemented a multifactor authentication requirement for systems that store and handle highly sensitive data. The system requires that users provide both a password and a four-digit PIN. What should Manish note in his findings about this system?
    1. The multifactor system provides two independent factors and provides an effective security control.
    2. The factors used are both the same type of factor, making the control less effective.
    3. The system uses only two factors and is not a true multifactor system. To qualify as multifactor, it should include at least three factors.
    4. The multifactor system's use of a four-digit PIN does not provide sufficient complexity, and additional length should be required for any PIN for secure environments.
  61. Which one of the following mechanisms may be used to enhance security in a context-based authentication system?
    1. Time of day
    2. Location
    3. Device fingerprint
    4. All of the above
  62. Latisha's organization has faced a significant increase in successful phishing attacks, resulting in compromised accounts. She knows that she needs to implement additional technical controls to prevent successful attacks. Which of the following controls will be the most effective while remaining relatively simple and inexpensive to deploy?
    1. Increased password complexity requirements
    2. Application or token-based multifactor authentication
    3. Biometric-based multifactor authentication
    4. OAuth-based single sign-on
  63. Lauren downloads a new security tool and checks its MD5. What does she know about the software she downloaded if she receives the following message? 
            root@demo:~# md5sum -c demo.md5
        demo.txt: FAILED
        md5sum: WARNING: 1 computed checksum did not match
    1. The file is corrupted.
    2. Attackers have modified the file.
    3. The files do not match.
    4. The test failed and provided no answer.
  64. Peter works for an organization that is joining a consortium of similar organizations that use a federated identity management (FIM) system. He is configuring his identity management system to participate in the federation. Specifically, he wants to ensure that users at his organization will be able to use their credentials to access federated services. What role is Peter configuring?
    1. Relying party
    2. Service provider
    3. Identity provider
    4. Consumer
  65. Mika uses a security token like the unit shown here and a password to authenticate to her PayPal account. What two types of factors is she using?
    A photograph of the security token.
    1. Something she knows and something she has.
    2. Something she knows and something she is.
    3. Something she is and something she has.
    4. Mika is using only one type of factor because she knows the token code and her password.
  66. During the account setup for her bank, Deepa is asked to answer a series of questions about her past home addresses, financial transactions, and her credit history. What type of authentication factor is Deepa being asked for?
    1. Location factor
    2. Knowledge factor
    3. Possession factor
    4. Biometric factor
  67. Charles is worried about users conducting SQL injection attacks. Which of the following solutions will best address his concerns?
    1. Using secure session management
    2. Enabling logging on the database
    3. Performing user input validation
    4. Implementing TLS
  68. Which of the following risks is most commonly associated with vulnerability scanning activities?
    1. Attackers may learn about the vulnerabilities.
    2. Services may be crashed by the scanner.
    3. The vulnerability scanner may be exploited by attackers.
    4. Too many vulnerabilities may be detected.
  69. Adam finds entries in his authentication logs for many of the systems in his network that all have logins for the same userID with a variety of passwords. What type of attack has he discovered?
    1. A session hijacking attack
    2. An on-path (man-in-the-middle) attack
    3. A credential stuffing attack
    4. A password spraying attack
  70. You are reviewing the methods that your organization uses to communicate with the media during an incident response effort. Which one of the following is not a commonly accepted practice?
    1. Inform the media immediately of developments in the investigation.
    2. Conduct practice sessions for incident responders who communicate with the media.
    3. Establish media briefing procedures in advance of an incident.
    4. Maintain an incident response status document.
  71. Charles reviews the source code for a web application for vulnerabilities. What type of software assessment is this?
    1. Dynamic analysis
    2. Fuzzing
    3. Static analysis
    4. Reverse engineering
  72. Isaac sees the following entry in his web logs. What type of attack has been attempted? 
    http://example.com/../../../../../etc/shadow
    1. A buffer overflow attack
    2. An attack on the heap
    3. A session hijacking attack
    4. A directory traversal attack
  73. Precompiled SQL statements that only require variables to be input are an example of what type of application security control?
    1. Parameterized queries
    2. Encoding data
    3. Input validation
    4. Appropriate access controls
  74. Rob would like to perform a root-cause analysis in the wake of an incident. He will be including the results of that analysis in his incident report. What action should he take first?
    1. Document the analysis.
    2. Differentiate between each of the events and causal factors.
    3. Identify the problems and events that occurred.
    4. Establish a timeline.
  75. What are activities like disabling unnecessary processes, moving systems to internal IP addresses, and using firewalls and other network security devices to protect hosts known as in the context of threat hunting?
    1. Establishing a hypothesis
    2. Conducting a security lockdown
    3. Reducing the attack surface areas
    4. Bundling critical assets
  76. Bob is creating a report to management summarizing the result of a recent vulnerability scan. He would like to prioritize the results. Which one of the following tools would provide the most comprehensive assessment of the risk posed by each vulnerability?
    1. CVSS score
    2. Confidentiality rating
    3. Impact rating
    4. Likelihood rating
  77. Kelly's organization recently suffered a security incident where the attacker was present on her network for several months before the SOC identified the attack. Once they saw evidence, they quickly reacted to contain the incident. Which incident response metric would suffer most as a result of this performance?
    1. Mean time to respond
    2. Mean time to remediate
    3. Alert volume
    4. Mean time to detect
  78. Seth is trying to identify activities in his organization that might be automated to improve efficiency. Which one of the following activities is least likely to benefit from automation?
    1. Threat hunting
    2. Intrusion analysis
    3. Qualitative risk assessment
    4. Data backup
  79. Rae wants to detect forged sender addresses to decrease the amount of spam that her organization receives. Which of the following techniques or methods will most directly fit her needs?
    1. Spamhaus
    2. DKIM
    3. SPF
    4. RBL
  80. Your organization recently suffered a series of serious vulnerabilities as a result of the use of legacy software that is no longer supported by the vendor. This software is critical to your organization and can't be removed for at least six more months. What action plan would best address this risk during that six month period?
    1. Awareness, training, and education
    2. Compensating controls
    3. Patch management
    4. Changing business requirements
  81. Yolanda received a threat intelligence report and is evaluating it to determine whether her organization runs any of the software affected by the threat. What type of confidence is Yolanda attempting to gain?
    1. Timeliness
    2. Accuracy
    3. Relevancy
    4. Superficial
  82. Gabby's organization captures sensitive customer information, and salespeople and others often work with that data on local workstations and laptops. After a recent inadvertent breach where a salesperson accidentally sent a spreadsheet of customer information to another customer, her organization is seeking a technology solution that can help prevent similar problems. What should Gabby recommend?
    1. IDS
    2. FSB
    3. DLP
    4. FDE
  83. Fred is reviewing a checklist used in the automation of his security program and sees the following code:
    A window page depicts a code.

    What file type from the following list is he most likely reviewing?

    1. Plaintext
    2. JSON
    3. XML
    4. HTML
  84. Cynthia's organization receives a letter from a company they are a service provider for, notifying them of a pending legal case and telling them not to delete or discard documents related to the case. What term describes this?
    1. Legal hold
    2. Litigation priority
    3. Criminal suspension
    4. A data summons
  85. As part of his forensic investigation, Alex signs and notes in his log when the drive copy he prepared is transferred to legal counsel. What is this process known as?
    1. Handoff documentation
    2. Chain of custody tracking
    3. Asset tracking
    4. Forensic certification
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.128.94.171