New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?
A. Human resources must email a copy of a user agreement to all new employees
B. Supervisors must get verbal confirmation from new employees indicating they have read the user agreement
C. All new employees must take a test about the company security policy during the onboarding process
D. All new employees must sign a user agreement to acknowledge the company security policy
An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?
A. Information sharing organization
B. Blogs/forums
C. Cybersecurity incident response team
D. Deep/dark web
An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?
A. To satisfy regulatory requirements for incident reporting
B. To hold other departments accountable
C. To identify areas of improvement in the incident response process
D. To highlight the notable practices of the organization's incident response team
A cloud team received an alert that unauthorized resources were being auto-provisioned. After investigating, the team suspects that cryptomining is occurring. Which of the following indicators would most likely lead the team to this conclusion?
A. High GPU utilization
B. Bandwidth consumption
C. Unauthorized changes
D. Unusual traffic spikes
Given the following CVSS string:
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Which of the following attributes correctly describes this vulnerability?
A. A user is required to exploit this vulnerability.
B. The vulnerability is network based.
C. The vulnerability does not affect confidentiality.
D. The complexity to exploit the vulnerability is high.
The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?
A. Deploy a CASB and enable policy enforcement
B. Configure MFA with strict access
C. Deploy an API gateway
D. Enable SSO to the cloud applications
An analyst finds that an IP address outside of the company network is being used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?
A. Exploitation
B. Reconnaissance
C. Command and control
D. Actions on objectives
An organization has deployed a cloud-based storage system for shared data that is in phase two of the data life cycle. Which of the following controls should the security team ensure are addressed? (Choose two.)
A. Data classification
B. Data destruction
C. Data loss prevention
D. Encryption
E. Backups
F. Access controls
A new zero-day vulnerability was released. A security analyst is prioritizing which systems should receive compensating controls first. The systems have been grouped into the categories shown below:
Which of the following groups should be prioritized for compensating controls?
A. Group A
B. Group B
C. Group C
D. Group D
Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?
A. Develop a call tree to inform impacted users
B. Schedule a review with all teams to discuss what occurred
C. Create an executive summary to update company leadership
D. Review regulatory compliance with public relations for official notification
An incident response team found IoCs in a critical server. The team needs to isolate and collect technical evidence for further investigation. Which of the following pieces of data should be collected first in order to preserve sensitive information before isolating the server?
A. Hard disk
B. Primary boot partition
C. Malicious files
D. Routing table
E. Static IP address
An organization has experienced a breach of customer transactions. Under the terms of PCI DSS, which of the following groups should the organization report the breach to?
A. PCI Security Standards Council
B. Local law enforcement
C. Federal law enforcement
D. Card issuer
Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?
A. Mean time to detect
B. Number of exploits by tactic
C. Alert volume
D. Quantity of intrusion attempts
A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?
A. The current scanners should be migrated to the cloud
B. Cloud-specific misconfigurations may not be detected by the current scanners
C. Existing vulnerability scanners cannot scan IaaS systems
D. Vulnerability scans on cloud environments should be performed from the cloud
A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?
A. Create a timeline of events detailing the date stamps, user account, hostname, and IP information associated with the activities
B. Ensure that the case details do not reflect any user-identifiable information. Password protect the evidence and restrict access to personnel related to the investigation
C. Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identify the case as an HR-related investigation
D. Notify the SOC manager for awareness after confirmation that the activity was intentional
Which of the following is the first step that should be performed when establishing a disaster recovery plan?
A. Agree on the goals and objectives of the plan
B. Determine the site to be used during a disaster
C. Demonstrate adherence to a standard disaster recovery process
D. Identify applications to be run during a disaster
A technician identifies a vulnerability on a server and applies a software patch. Which of the following should be the next step in the remediation process?
A. Testing
B. Implementation
C. Validation
D. Rollback
A security program was able to achieve a 30% improvement in MTTR by integrating security controls into a SIEM. The analyst no longer had to jump between tools. Which of the following best describes what the security program did?
A. Data enrichment
B. Security control plane
C. Threat feed combination
D. Single pane of glass
The analyst reviews the following endpoint log entry:
Which of the following has occurred?
A. Registry change
B. Rename computer
C. New account introduced
D. Privilege escalation
Due to reports of unauthorized activity that was occurring on the internal network, an analyst is performing a network discovery. The analyst runs an Nmap scan against a corporate network to evaluate which devices were operating in the environment. Given the following output:
Which of the following choices should the analyst look at first?
A. wh4dc-748gy.lan (192.168.86.152)
B. officerckuplayer.lan (192.168.86.22)
C. imaging.lan (192.168.86.150)
D. xlaptop.lan (192.168.86.249)
E. p4wnp1_aloa.lan (192.168.86.56)
When starting an investigation, which of the following must be done first?
A. Notify law enforcement
B. Secure the scene
C. Seize all related evidence
D. Interview the witnesses
Which of the following describes how a CSIRT lead determines who should be communicated with and when during a security incident?
A. The lead should review what is documented in the incident response policy or plan
B. Management level members of the CSIRT should make that decision
C. The lead has the authority to decide who to communicate with at any time
D. Subject matter experts on the team should communicate with others within the specified area of expertise
An analyst is reviewing a vulnerability report for a server environment with the following entries:
Which of the following systems should be prioritized for patching first?
A. 10.101.27.98
B. 54.73.225.17
C. 54.74.110.26
D. 54.74.110.228
Which of the following is the best way to begin preparation for a report titled "What We Learned" regarding a recent incident involving a cybersecurity breach?
A. Determine the sophistication of the audience that the report is meant for
B. Include references and sources of information on the first page
C. Include a table of contents outlining the entire report
D. Decide on the color scheme that will effectively communicate the metrics
A security analyst is performing an investigation involving multiple targeted Windows malware binaries. The analyst wants to gather intelligence without disclosing information to the attackers. Which of the following actions would allow the analyst to achieve the objective?
A. Upload the binary to an air gapped sandbox for analysis
B. Send the binaries to the antivirus vendor
C. Execute the binaries on an environment with internet connectivity