1) Which of the following best describes integrated intelligence?
a) Same teams; already integrated
b) Threat intel feeds hunters; hunters feed back accuracy
c) Hunters feed intel sources; sources feed back accuracy
d) Separate efforts; no engagement

2) Your organization has suffered a data breach of over 2,000 protected health information records. Which of the following stakeholders should you ensure are involved for compliance and regulatory reporting of the incident?
a) Computer forensics team
b) Public relations
c) Legal counsel
d) Human resources

3) Which of the following are viable options for containment during the incident response lifecycle?
a) Segmentation, sanitization, and reconstruction
b) Segmentation, isolation, and restoration
c) Segmentation, isolation, and removal
d) Elimination, isolation, and sanitization

4) Which of the following is an example of an external agency your organization may be required to communicate with during an incident?
a) Regulatory agency
b) Incident response team
c) Legal department
d) IT department

5) Which of the following is a characteristic of the Lockheed Martin Cyber Kill Chain framework?
a) During the Weaponization stage, the attacker delivers organized malware to the victim via various methods.
b) The Command and Control stage is used for remote manipulation of the victim.
c) The Exploitation stage involves installing malware on a victim's assets.
d) During the Actions on Objectives stage, the attacker performs reconnaissance on the victim, such as harvesting e-mail addresses.

6) Which of the following are three elements in the preparation phase of the incident response cycle?
a) Training, testing, and documentation
b) Determining the scope of impact, estimating maximum tolerable downtime, and checking for data integrity
c) Segmentation, isolation, and removal
d) Data collection, data correlation, and reverse engineering

7) As part of a proactive threat-hunting methodology, which of the following is generated from observations and must be testable?
a) Fact
b) Hypothesis
c) Principle
d) Theory

8) Which of the following is performed to examine the effectiveness, currency, and level of risk mitigation of implemented security measures?
a) Control review
b) Qualitative analysis
c) Risk assessment
d) Quantitative analysis

9) Which of the following indicators of compromise is best described by periodic outbound connections between a compromised computer and an external controller?
a) Irregular peer-to-peer communications
b) Beaconing
c) Use of unusual ports or protocols
d) Bandwidth utilization

10) Which of the following best describes reverse engineering?
a) Reverse engineering involves disassembling or decompiling binary code into either assembly language or a higher-level language to determine all possible functions of the software.
b) Reverse engineering involves submitting a variety of unconventional inputs to a running program to determine how it behaves under those conditions.
c) Reverse engineering involves an automated static code review.
d) Reverse engineering involves running an unknown binary in a sandbox environment to determine its behavior.

11) Which of the following functions do network scanners perform to identify the operating system running on a discovered host?
a) Vulnerability scanning
b) Port scanning
c) OS fingerprinting
d) Service discovery

12) Which of the following tools is an open-source web application security tool?
a) Metasploit Framework
b) Zed Attack Proxy (ZAP)
c) Nessus
d) Burp Suite

13) Which of the following should you do with any indicators of compromise (IoCs) generated as part of the response effort?
a) Report them to law enforcement or regulatory agencies.
b) Incorporate the new IoCs into your network monitoring plan.
c) Disregard them as not relevant to the next response, since you have mitigated those vulnerabilities.
d) Pass them on to upper management and other stakeholders for informational purposes only.

14) Which of the following methods of responding to risk involves the organization simply understanding and working with the residual risk that remains after it has taken all other risk response steps?
a) Risk acceptance
b) Risk transfer
c) Risk avoidance
d) Risk mitigation

15) Which of the following terms describes a type of cloud-computing service that abstracts away the infrastructure requirements for running code?
a) Infrastructure as Code
b) Infrastructure as a Service
c) Function as a Service
d) Platform as a Service

16) Which of the following terms describes the formal determination of whether an event is enough of a deviation from normal operations to be called an incident, and the degree to which services have been affected?
a) Level of risk
b) Incident category
c) Scope of impact
d) Threat level

17) Which of the following is the most important factor in vulnerability prioritization?
a) Cost to remediate
b) Sensitivity
c) Criticality
d) Severity

18) Which of the following phases in the threat-hunting process follows generating a hypothesis?
a) Informing operations
b) Investigating via tools
c) Developing a theory
d) Discovering patterns

19) When an organization is sharing incident information with outside entities, such as contractors, which of the following is a necessity to protect sensitive information?
a) Third-party provider contract
b) Nondisclosure agreement
c) Service level agreement
d) Memorandum of understanding

20) Which of the following CIS controls covers vulnerability management?
a) Control 9
b) Control 7
c) Control 1
d) Control 2

21) Which of the following is not a goal of a risk assessment?
a) Determining probability of exploitation
b) Determining business impact
c) Implementing risk mitigation strategies
d) Identifying vulnerabilities

22) Which of the following involves a threat actor modifying timestamps to hide the true timeline of their actions?
a) Timeframing
b) Timestomping
c) Timeshifting
d) Timeouts

23) Which of the following should you communicate to management regarding any variations from the baselines used to remediate vulnerabilities?
a) Corrective controls
b) Detective controls
c) Managerial controls
d) Compensating controls

24) Which of the following terms describes a network architecture in which software applications are responsible for deciding how best to route data (control layer) and then for actually moving those packets (data layer)?
a) Bus network
b) Software-defined networking
c) Routed network
d) Logical network

25) Which of the following terms describes a known-good, hardened image that can be used to facilitate the process of rebuilding a compromised host?
a) Gold master
b) Factory image
c) Forensic image
d) Complete backup

26) Which of the following CVSS Report Confidence (RC) metric values indicates that significant details regarding a vulnerability have been researched and published?
a) Reasonable (R)
b) Confirmed (C)
c) Unknown (U)
d) Not Defined (X)

27) Which of the following types of scan is used to limit network traffic during the scan?
a) Server-based scan
b) Agent-based scan
c) Credentialed scan
d) Noncredentialed scan

28) Which of the following would be a host-related indicator of potential compromise?
a) Persistence mechanisms related to services
b) Beaconing
c) Unauthorized application modifications
d) Malicious plug-ins or extensions

29) Which of the following is an example of a break in the chain of custody?
a) An individual signs for receipt of evidence when it is being transferred from one investigator to another.
b) An investigator removes evidence from an evidence locker, but does not remove it from the evidence room, in order to write down some additional information about it.
c) An investigator places evidence in a locked container in a locked evidence room and notes that action on the chain of custody form.
d) An investigator returns evidence to its owner after an investigation has concluded and has the owner sign a receipt for it.

30) Refer to the exhibit. Based on the vulnerabilities reported by the scanning tool, which of the following deprecated security protocols is host 192.168.189.130 running?
a) Secure Sockets Layer
b) Transport Layer Security
c) IP Security
d) Secure Shell

31) Which of the following is not a factor in the decision to remove a host from the network and either leave it powered on, shut it down, preserve it, or rebuild it?
a) Threat intelligence value
b) Cost
c) Ability to restore
d) Crime scene evidence

32) Which of the following is a major security challenge to using a Software as a Service (SaaS) solution?
a) Data leakage
b) Identity and access management
c) User provisioning
d) Perimeter security

33) Which of the following architectures consists of a smart client that requires specific functions provided by a Function as a Service (FaaS) model?
a) Client/server architecture
b) Serverless architecture
c) Virtual desktop infrastructure
d) Software-defined networking

34) Which of the following is the name given to the process of adding content and context to a piece of data?
a) Data management
b) Data aggregation
c) Data enrichment
d) Data correlation

35) When looking through the log files of your DNS server, you discover that an unknown host has received unauthorized transfers of your entire DNS zone file. What was the most likely cause?
a) A client made a recursive query to the DNS server.
b) The DNS server initiated an unauthorized zone transfer to an arbitrary client.
c) Improper permissions were set on the DNS server for authorized zone transfers.
d) A client made an iterative query to the DNS server.

36) system from the applications running above it, enabling security separation from both the operating system and hardware?
a) Containerization
b) Virtualization
c) Hypervisor
d) Segmentation

37) Which of the following best describes an orchestration playbook rule that must be triggered to begin the steps within the rest of the playbook?
a) Initiating condition
b) Termination point
c) Process step
d) Decision gate

38) Which of the following is a measurement that conveys the length of time from the beginning of an incident to the time the organization becomes aware of it?
a) Mean time to detect
b) Mean time to respond
c) Mean time to remediate
d) Alert volume

39) Refer to the exhibit. Which of the following high-risk vulnerabilities is the focus of the tool output in the exhibit?
a) XML injection
b) Session hijacking
c) Cross-site scripting
d) SQL injection

40) Which of the following should a threat hunter assume prior to beginning the hunt for a particular threat on the network?
a) The threat has no knowledge of the network
b) The threat is footprinting the network
c) The threat has already breached the network
d) The threat is targeting the network

41) Which of the following should be your focus when performing vulnerability scans on critical assets in the organization?
a) Thoroughness of each scan and frequency of scans
b) Possibility of damage during the scan
c) Time assets must be offline during scanning
d) Cost in labor hours and downtime

42) Which of the following is a command-line tool that allows you to capture and analyze network traffic on a host in real time?
a) AbuseIPDB
b) Wireshark
c) tcpdump
d) WHOIS

43) Which of the following types of threat research gives insight into a threat based on what others have observed about the threat?
a) Anomaly based
b) Behavioral based
c) Reputational based
d) Heuristic based

44) Which of the following types of threat research gives insight into a threat based on what others have observed about the threat?
a) Reputational based
b) Anomaly based
c) Heuristic based
d) Behavioral based

45) Which of the following CVSS metrics describes how exploitation of a given vulnerability could happen?
a) Scope
b) Attack Complexity
c) Exploit Code Maturity
d) Attack Vector

46) Which of the following terms best describes the effort to integrate multiple tools, processes, and activities into a unified solution using a single management layer?
a) User and entity behavioral analytics
b) Workflow orchestration
c) Security information and event management
d) Integrated intelligence

47) Which of the following is a significant issue with legacy industrial control system (ICS) devices, causing them to be frequently targeted and exploited?
a) Use of older encryption schemes
b) Use of vendor passwords that are not changed when the device is installed
c) Lack of vendor security patches for the device
d) Lack of firewall rules preventing those devices from being attacked

48) Which of the following groups of stakeholders would internal organizational management escalate an incident response to, if needed?
a) Contractors, law enforcement, and government regulatory agencies
b) The internal incident response team, law enforcement, and government regulatory agencies
c) Customers, business partners, and government regulatory agencies
d) The in-house incident response team, customers, and business partners

49) Which of the following best describe the difference between an attack surface and attack vectors? (Choose two.)
a) The attack surface is the logical and physical space that can be targeted by an attacker.
b) An attack surface is the critical path a malicious actor may use to compromise the target.
c) The attack vector is the logical and physical space that can be targeted by an attacker.
d) An attack vector is the critical path a malicious actor may use to compromise the target.

50) Which of the following influences the level of technical detail you would include in a vulnerability report to stakeholders?
a) Sensitivity of technical details
b) Organizational policy
c) Audience
d) Regulatory requirements

51) You work as a cybersecurity analyst for an engineering company. Several engineers will be working from home because of limited onsite workspace, and they require VPN access. You need a solution that will ensure that any client connecting to the corporate VPN has the appropriate patches and antimalware signatures installed. Which of the following would be an appropriate solution?
a) Configuration management database
b) Network access control
c) Endpoint detection and response
d) Intrusion detection/prevention system

52) Which type of attack is characterized by a brute-force technique in which an attacker tries a single password against a system and then iterates through multiple systems on a network using the same password?
a) Credential stuffing
b) Man-in-the-middle
c) Password spraying
d) Session hijacking

53) Which of the following is not one of the National Institute of Justice's three recommended principles that should guide every investigation?
a) Only evidence relevant to proving the guilt of the suspect must be collected, analyzed, and presented.
b) Actions taken to secure and collect digital evidence should not affect the integrity of that evidence.
c) Activity relating to the seizure, examination, storage, or transfer of digital evidence should be documented, preserved, and available for review.
d) Persons conducting an examination of digital evidence should be trained for that purpose.

54) Which of the following enables users of the MITRE ATT&CK framework to profile threat actors and their activities?
a) Techniques used
b) Originating locations
c) Organizations targeted
d) Social media profiles

55) Which of the following influences the level of technical detail you would include in a vulnerability report to stakeholders?
a) Sensitivity of technical details
b) Regulatory requirements
c) Organizational policy
d) Audience

56) You work as a cybersecurity analyst for an engineering company. Several engineers will be working from home because of limited onsite workspace, and they require VPN access. You need a solution that will ensure that any client connecting to the corporate VPN has the appropriate patches and antimalware signatures installed. Which of the following would be an appropriate solution?
a) Endpoint detection and response
b) Intrusion detection/prevention system
c) Configuration management database
d) Network access control

57) Which of the following methods is the most effective for automating a few simple tasks at the operating system level?
a) Data enrichment
b) Workflow orchestration
c) Scripting
d) Data transformation

58) Which of the following cloud deployment models would likely be the most secure, given an organization's desire to protect its data and limit interactions with other organizations in the cloud?
a) Hybrid
b) Public
c) Private
d) Community

59) Which of the following forms of logical network segmentation is useful during a response to help contain an incident?
a) Serverless architecture
b) Jump box
c) Honeypot
d) Virtual LAN

60) Which of the following is a technique used to gather potential vulnerability information about the external portions of the organization's network?
a) Bug bounty
b) Attack surface management
c) Session management
d) Edge and passive discovery

61) Which of the following is not a factor in prioritizing vulnerability remediation?
a) Severity
b) Asset criticality
c) Information sensitivity
d) System functionality

62) Which of the following types of exercise tests everything from the participants' detailed understanding of the organization's IR process to specific individual and team tasks?
a) Parallel exercise
b) Documentation review exercise
c) Tabletop exercise
d) Full-scale exercise

63) Which of the following is not necessarily included in a vulnerability report?
a) Affected hosts
b) Mitigations
c) Prioritization
d) Threat intelligence

64) All of the following are network-related potential indicators of compromise except which one?
a) Unusual system or application crashes
b) Unexpected protocol usage
c) Geographically improbable access
d) Suspicious DNS requests

65) Which of the following describes a dereferencing flaw that allows a potential attack?
a) A dereferencing vulnerability is a defect in code that creates an unstable quality in the operation of a program arising from timing variances produced by programming logic.
b) A dereferencing vulnerability, or null pointer dereference, is a common flaw that occurs when software attempts to access a value stored in memory that does not exist.
c) A dereferencing vulnerability is when a function is invoked by a program that introduces a weakness into a system based on its implementation or inherent qualities.
d) A dereferencing vulnerability occurs when the object identifiers in requests are used in a way that reveals a format or pattern in underlying or back-end technologies, such as files, directories, database records, or URLs.

66) Which of the following best describes the four characteristics, or pillars, of a cloud access security broker (CASB)?
a) Visibility, threat protection, compliance, and data security
b) Identify, protect, detect, and respond
c) Identification, authentication, authorization, and accountability
d) Authentication, authorization, auditing, and accountability

67) Which of the following tools would you use to check for cross-site scripting vulnerabilities?
a) Nmap
b) OWASP Zed Attack Proxy
c) OpenVAS
d) Nessus

68) Which of the following would make it necessary to report a breach and loss of information that is protected by laws and regulations?
a) The threat actor involved in the breach
b) The number of records and type of data involved in the breach
c) The security controls that failed, allowing the breach
d) The number of vulnerabilities affecting the breach

69) Which of the following HTTP status codes indicates that a user is not allowed to perform the requested operation and could indicate a security issue?
a) HTTP code 401, Unauthorized
b) HTTP code 403, Forbidden
c) HTTP code 409, Conflict
d) HTTP code 400, Bad Request
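Question 9 describes beaconing as periodic outbound connections from a compromised host to an external controller. The following is an added worked example, not part of the quiz, showing how that periodicity is actually detected: for each (source, destination) pair the gaps between successive connections are computed, and a pair whose gaps are nearly constant (low coefficient of variation) is flagged. The proxy-log format, the sample lines, the hostnames and the thresholds are all constructed for the example.

```python
"""Beaconing detection over constructed proxy-log lines (added example, not
part of the quiz; the log format, hosts and thresholds are assumptions)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from any real system). Assumed format:
# "<ISO timestamp> <src_ip> -> <destination>"
# 10.0.0.5 talks to one host every ~300 s; 10.0.0.7's mail traffic is irregular.
PROXY_LOG = """\
2024-03-01T10:00:00 10.0.0.5 -> updates.example-cdn.net
2024-03-01T10:00:10 10.0.0.7 -> mail.example.com
2024-03-01T10:03:40 10.0.0.7 -> mail.example.com
2024-03-01T10:05:01 10.0.0.5 -> updates.example-cdn.net
2024-03-01T10:10:00 10.0.0.5 -> updates.example-cdn.net
2024-03-01T10:14:59 10.0.0.5 -> updates.example-cdn.net
2024-03-01T10:20:01 10.0.0.5 -> updates.example-cdn.net
2024-03-01T10:22:40 10.0.0.7 -> mail.example.com
2024-03-01T10:24:05 10.0.0.7 -> mail.example.com
2024-03-01T10:25:00 10.0.0.5 -> updates.example-cdn.net
2024-03-01T10:48:12 10.0.0.7 -> mail.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")


def parse_proxy_log(text):
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, src, dst = m.groups()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(times, min_intervals=4):
    """Mean gap between connections and its coefficient of variation (CV).

    Returns None when there are too few gaps to judge periodicity; a pair
    seen only two or three times cannot be called a beacon.
    """
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < min_intervals:
        return None
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def find_beacons(text, max_cv=0.1, min_intervals=4):
    """Flag pairs whose connection gaps are nearly constant (CV <= max_cv)."""
    hits = []
    for (src, dst), times in parse_proxy_log(text).items():
        stats = interval_stats(times, min_intervals)
        if stats is None:
            continue
        mean, cv = stats
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst,
                         "period_s": round(mean), "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(PROXY_LOG):
        print(f"{hit['src']} -> {hit['dst']}: every ~{hit['period_s']}s "
              f"(cv={hit['cv']})")
```

On the sample data only the 10.0.0.5 flow is reported (period about 300 s, CV near zero); the mail traffic has a CV above 0.8 and is ignored. Real implants commonly add random jitter to their sleep interval, which raises the CV, so in practice the threshold is loosened and combined with other signals such as uniform request sizes or a destination nobody else on the network talks to.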
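Question 52 describes password spraying as one password tried against one system and then repeated across many others. The following added example, not part of the quiz, shows the detection logic that follows from that description: a single source touching many distinct targets with only one or two attempts each inside a short window, which is the opposite shape from an ordinary brute-force attempt against one account. The authentication-log format, the sample lines, the host and user names and the thresholds are constructed for the example.

```python
"""Password-spraying detection over constructed authentication-log lines
(added example, not part of the quiz; log format and thresholds are assumed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from any real system). Assumed format:
# "<ISO timestamp> src=<ip> host=<target host> user=<account> result=FAIL|OK"
# 203.0.113.9 tries alice's account once on five hosts (a spray, with one
# success); 10.0.0.22 retries bob on one host (not a spray).
AUTH_LOG = """\
2024-03-01T09:00:01 src=203.0.113.9 host=srv01 user=alice result=FAIL
2024-03-01T09:00:03 src=203.0.113.9 host=srv02 user=alice result=FAIL
2024-03-01T09:00:05 src=203.0.113.9 host=srv03 user=alice result=FAIL
2024-03-01T09:00:07 src=203.0.113.9 host=srv04 user=alice result=FAIL
2024-03-01T09:00:09 src=203.0.113.9 host=srv05 user=alice result=OK
2024-03-01T09:01:00 src=10.0.0.22 host=srv01 user=bob result=FAIL
2024-03-01T09:01:04 src=10.0.0.22 host=srv01 user=bob result=FAIL
2024-03-01T09:01:08 src=10.0.0.22 host=srv01 user=bob result=FAIL
2024-03-01T09:01:12 src=10.0.0.22 host=srv01 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Group events by source IP as (timestamp, (host, user), succeeded)."""
    by_src = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts = datetime.fromisoformat(m["ts"])
        target = (m["host"], m["user"])
        by_src[m["src"]].append((ts, target, m["result"] == "OK"))
    return by_src


def find_sprays(text, window=timedelta(minutes=10), min_targets=4,
                max_per_target=2):
    """Flag sources that hit many distinct targets with few attempts each.

    A sliding window starts at each event of a source; inside the window the
    attempts per (host, user) target are counted. Many targets with at most
    max_per_target attempts each is the spray pattern. One alert per source.
    """
    hits = []
    for src, events in parse_auth_log(text).items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            per_target = defaultdict(int)
            for _, target, _ in in_window:
                per_target[target] += 1
            if (len(per_target) >= min_targets
                    and max(per_target.values()) <= max_per_target):
                hits.append({
                    "src": src,
                    "targets": sorted(per_target),
                    "succeeded": [t for _, t, ok in in_window if ok],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_sprays(AUTH_LOG):
        print(f"spray from {hit['src']} against {len(hit['targets'])} targets; "
              f"successful logons: {hit['succeeded']}")
```

The same rule fires whether the one password is tried across many accounts on a single host (the usual definition) or, as in the quiz's wording, across many hosts, because the target key is the (host, user) pair. A success inside the spray window, as with srv05 here, is the finding to escalate first: the account is now in the attacker's hands.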