CS0-001 Exam Questions - Online Test


CS0-001 Premium VCE File

Learn More 100% Pass Guarantee - Dumps Verified - Instant Download
150 Lectures, 20 Hours

Cause all that matters here is passing the CompTIA CS0-001 exam. Cause all that you need is a high score of CS0-001 CompTIA CSA+ Certification Exam exam. The only one thing you need to do is downloading Ucertify CS0-001 exam study guides now. We will not let you down with our money-back guarantee.

Free demo questions for CompTIA CS0-001 Exam Dumps Below:

NEW QUESTION 1

Using a heuristic system to detect an anomaly in a computer's baseline, a system administrator was able to detect an attack even though the company's signature-based IDS and antivirus did not detect it. Further analysis revealed that the attacker had downloaded an executable file onto the company PC from the USB port and executed it to trigger a privilege escalation flaw. Which of the following attacks has MOST likely occurred?

  • A. Cookie stealing
  • B. Zero-day
  • C. Directory traversal
  • D. XML injection

Answer: B

NEW QUESTION 2

Several accounting department users are reporting unusual Internet traffic in the browsing history of their workstations after returning to work and logging in. The building security team informs the IT security team that the cleaning staff was caught using the systems after the accounting department users left for the day. Which of the following steps should the IT security team take to help prevent this from happening again? (Select TWO)

  • A. Install a web monitoring application to track Internet usage after hours
  • B. Configure a policy for workstation account timeout at three minutes
  • C. Configure NAC to set time-based restrictions on the accounting group to normal business hours
  • D. Configure mandatory access controls to allow only accounting department users to access the workstations
  • E. Set up a camera to monitor the workstations for unauthorized use

Answer: BC

NEW QUESTION 3

A technician is running an intensive vulnerability scan to detect which ports are open to exploit. During the scan, several network services are disabled and production is affected. Which of the following sources would be used to evaluate which network service was interrupted?

  • A. Syslog
  • B. Network mapping
  • C. Firewall logs
  • D. NIDS

Answer: A

NEW QUESTION 4

A technician recently fixed a computer with several viruses and spyware programs on it and notices the Internet settings were set to redirect all traffic through an unknown proxy. This type of attack is known as which of the following?

  • A. Phishing
  • B. Social engineering
  • C. Man-in-the-middle
  • D. Shoulder surfing

Answer: C

NEW QUESTION 5

An analyst was testing the latest version of an internally developed CRM system. The analyst created a basic user account. Using a few tools in Kali’s latest distribution, the analyst was able to access configuration files, change permissions on folders and groups, and delete and create new system objects. Which of the following techniques did the analyst use to perform these unauthorized activities?

  • A. Impersonation
  • B. Privilege escalation
  • C. Directory traversal
  • D. Input injection

Answer: C

NEW QUESTION 6

A security analyst begins to notice the CPU utilization from a sinkhole has begun to spike. Which of the following describes what may be occurring?

  • A. Someone has logged on to the sinkhole and is using the device
  • B. The sinkhole has begun blocking suspect or malicious traffic
  • C. The sinkhole has begun rerouting unauthorized traffic
  • D. Something is controlling the sinkhole and causing CPU spikes due to malicious utilization

Answer: C

NEW QUESTION 7

A security professional is analyzing the results of a network utilization report. The report includes the following information:
[Exhibit: network utilization report; image not reproduced]
Which of the following servers needs further investigation?

  • A. hr.dbprod.01
  • B. R&D.file.srvr.01
  • C. mrktg.file.srvr.02
  • D. web.srvr.03

Answer: A

NEW QUESTION 8

Given the following log snippet:
[Exhibit: log snippet; image not reproduced]
Which of the following describes the events that have occurred?

  • A. An attempt to make an SSH connection from 'superman' was done using a password.
  • B. An attempt to make an SSH connection from 192.168.1.166 was done using PKI.
  • C. An attempt to make an SSH connection from outside the network was done using PKI.
  • D. An attempt to make an SSH connection from an unknown IP address was done using a password.

Answer: B

NEW QUESTION 9

Which of the following utilities could be used to resolve an IP address to a domain name, assuming the address has a PTR record?

  • A. ifconfig
  • B. ping
  • C. arp
  • D. nbtstat

Answer: B

NEW QUESTION 10

A new policy requires the security team to perform web application and OS vulnerability scans. All of the company’s web applications use federated authentication and are accessible via a central portal. Which of the following should be implemented to ensure a more thorough scan of the company’s web application, while at the same time reducing false positives?

  • A. The vulnerability scanner should be configured to perform authenticated scans.
  • B. The vulnerability scanner should be installed on the web server.
  • C. The vulnerability scanner should implement OS and network service detection.
  • D. The vulnerability scanner should scan for known and unknown vulnerabilities.

Answer: A

NEW QUESTION 11

A systems administrator is trying to secure a critical system. The administrator has placed the system behind a firewall, enabled strong authentication, and required all administrators of this system to attend mandatory training.
Which of the following BEST describes the control being implemented?

  • A. Audit remediation
  • B. Defense in depth
  • C. Access control
  • D. Multifactor authentication

Answer: B

NEW QUESTION 12

A technician receives a report that a user's workstation is experiencing no network connectivity. The technician investigates and notices the patch cable running to the back of the user's VoIP phone is routed directly under the rolling chair and has been smashed flat over time.
Which of the following is the MOST likely cause of this issue?

  • A. Cross-talk
  • B. Electromagnetic interference
  • C. Excessive collisions
  • D. Split pairs

Answer: C

NEW QUESTION 13

A security analyst is reviewing a report from the networking department that describes an increase in network utilization, which is causing network performance issues on some systems. A top talkers report over a five-minute sample is included.
[Exhibit: top talkers report; image not reproduced]
Given the above output of the sample, which of the following should the security analyst accomplish FIRST to help track down the performance issues?

  • A. Perform reverse lookups on each of the IP addresses listed to help determine if the traffic is necessary
  • B. Recommend that networking block the unneeded protocols such as QuickTime to clear up some of the congestion
  • C. Put ACLs in place to restrict traffic destined for random or non-default application ports
  • D. Quarantine the top talker on the network and begin to investigate any potential threats caused by the excessive traffic

Answer: A

NEW QUESTION 14

A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID of Admin with a password of “password” grants elevated access to the application over the Internet. Which of the following is the BEST method to discover the vulnerability before a production deployment?

  • A. Manual peer review
  • B. User acceptance testing
  • C. Input validation
  • D. Stress test the application

Answer: C

NEW QUESTION 15

A security analyst has noticed that a particular server has consumed over 1TB of bandwidth over the course of the month. It has port 3333 open; however, there have not been any alerts or notices regarding the server or its activities. Which of the following did the analyst discover?

  • A. APT
  • B. DDoS
  • C. Zero day
  • D. False positive

Answer: C

NEW QUESTION 16

File integrity monitoring states the following files have been changed without a written request or approved change. The following change has been made:
chmod 777 -Rv /usr
Which of the following may be occurring?

  • A. The ownership of /usr has been changed to the current user.
  • B. Administrative functions have been locked from users.
  • C. Administrative commands have been made world readable/writable.
  • D. The ownership of /usr has been changed to the root user.

Answer: C

NEW QUESTION 17

A cybersecurity analyst has received an alert that well-known “call home” messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause?

  • A. Attackers are running reconnaissance on company resources.
  • B. An outside command and control system is attempting to reach an infected system.
  • C. An insider is trying to exfiltrate information to a remote network.
  • D. Malware is running on a company system.

Answer: B

NEW QUESTION 18

Which of the following represent the reasoning behind careful selection of the timelines and time-of-day boundaries for an authorized penetration test? (Select TWO).

  • A. To schedule personnel resources required for test activities
  • B. To determine frequency of team communication and reporting
  • C. To mitigate unintended impacts to operations
  • D. To avoid conflicts with real intrusions that may occur
  • E. To ensure tests have measurable impact to operations

Answer: AC

NEW QUESTION 19

A security analyst has just completed a vulnerability scan of servers that support a business critical application that is managed by an outside vendor. The results of the scan indicate the devices are missing critical patches. Which of the following factors can inhibit remediation of these vulnerabilities? (Select TWO)

  • A. Inappropriate data classifications
  • B. SLAs with the supporting vendor
  • C. Business process interruption
  • D. Required sandbox testing
  • E. Incomplete asset inventory

Answer: CD

NEW QUESTION 20

Company A’s security policy states that only PKI authentication should be used for all SSH accounts. A security analyst from Company A is reviewing the following auth.log and configuration settings:
[Exhibit: auth.log excerpt and sshd_config settings; image not reproduced]
Which of the following changes should be made to the following sshd_config file to establish compliance with the policy?

  • A. Change PermitRootLogin no to #PermitRootLogin yes
  • B. Change ChallengeResponseAuthentication yes to ChallengeResponseAuthentication no
  • C. Change PubkeyAuthentication yes to #PubkeyAuthentication yes
  • D. Change #AuthorizedKeysFile sh/.ssh/authorized_keys to AuthorizedKeysFile sh/.ssh/authorized_keys
  • E. Change PasswordAuthentication yes to PasswordAuthentication no

Answer: E

NEW QUESTION 21

A worm was detected on multiple PCs within the remote office. The security analyst recommended that the remote office be blocked from the corporate network during the incident response. Which of the following processes BEST describes this recommendation?

  • A. Logical isolation of the remote office
  • B. Sanitization of the network environment
  • C. Segmentation of the network
  • D. Secure disposal of affected systems

Answer: A

NEW QUESTION 22

A cybersecurity analyst is currently investigating a server outage. The analyst has discovered the following value was entered for the username: 0xbfff601a. Which of the following attacks may be occurring?

  • A. Buffer overflow attack
  • B. Man-in-the-middle attack
  • C. Smurf attack
  • D. Format string attack
  • E. Denial of service attack

Answer: D

NEW QUESTION 23

A security analyst is performing a forensic analysis on a machine that was the subject of some historic SIEM alerts. The analyst noticed some network connections utilizing SSL on non-common ports, copies of svchost.exe and cmd.exe in %TEMP% folder, and RDP files that had connected to external IPs. Which of the following threats has the security analyst uncovered?

  • A. DDoS
  • B. APT
  • C. Ransomware
  • D. Software vulnerability

Answer: B

NEW QUESTION 24

A server contains baseline images that are deployed to sensitive workstations on a regular basis. The images are evaluated once per month for patching and other fixes, but do not change otherwise. Which of the following controls should be put in place to secure the file server and ensure the images are not changed?

  • A. Install and configure a file integrity monitoring tool on the server and allow updates to the images each month.
  • B. Schedule vulnerability scans of the server at least once per month before the images are updated.
  • C. Require the use of two-factor authentication for any administrator or user who needs to connect to the server.
  • D. Install a honeypot to identify any attacks before the baseline images can be compromised.

Answer: A

NEW QUESTION 25

A system administrator recently deployed and verified the installation of a critical patch issued by the company’s primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from over the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this?

  • A. The administrator entered the wrong IP range for the assessment.
  • B. The administrator did not wait long enough after applying the patch to run the assessment.
  • C. The patch did not remediate the vulnerability.
  • D. The vulnerability assessment returned false positives.

Answer: C

NEW QUESTION 26

An alert has been distributed throughout the information security community regarding a critical Apache vulnerability. Which of the following courses of action would ONLY identify the known vulnerability?

  • A. Perform an unauthenticated vulnerability scan on all servers in the environment.
  • B. Perform a scan for the specific vulnerability on all web servers.
  • C. Perform a web vulnerability scan on all servers in the environment.
  • D. Perform an authenticated scan on all web servers in the environment.

Answer: B

NEW QUESTION 27

A reverse engineer was analyzing malware found on a retailer’s network and found code extracting track data in memory. Which of the following threats did the engineer MOST likely uncover?

  • A. POS malware
  • B. Rootkit
  • C. Key logger
  • D. Ransomware

Answer: A

NEW QUESTION 28
......