Understanding Cisco Cybersecurity Operations Fundamentals (CBROPS): 200-201

200-201 FAQs

Question # 1   

How is attacking a vulnerability categorized?

A. action on objectives

B. delivery

C. exploitation

D. installation

Correct Answer: C

Question # 2  

One of the objectives of information security is to protect the CIA of information and systems.

What does CIA mean in this context?

A. confidentiality, identity, and authorization

B. confidentiality, integrity, and authorization

C. confidentiality, identity, and availability

D. confidentiality, integrity, and availability

Correct Answer: D

Question # 3  

Which process is used when IPS events are removed to improve data integrity?

A. data availability

B. data normalization

C. data signature

D. data protection

Correct Answer: B

Question # 4   

What is the difference between mandatory access control (MAC) and discretionary access control (DAC)?

A. MAC is controlled by the discretion of the owner and DAC is controlled by an administrator

B. MAC is the strictest of all levels of control and DAC is object-based access

C. DAC is controlled by the operating system and MAC is controlled by an administrator

D. DAC is the strictest of all levels of control and MAC is object-based access

Correct Answer: B

Question # 5  

What is the function of a command and control server?

A. It enumerates open ports on a network device

B. It drops secondary payload into malware

C. It is used to regain control of the network after a compromise

D. It sends instruction to a compromised system

Correct Answer: D

Question # 6  

Refer to the exhibit. Which two elements in the table are parts of the 5-tuple? (Choose two.)

A. First Packet

B. Initiator User

C. Ingress Security Zone

D. Source Port

E. Initiator IP

Correct Answer: DE

Question # 7   

DRAG DROP –

Drag and drop the security concept on the left onto the example of that concept on the right.

Select and Place:

Question # 8  

A network engineer discovers that a foreign government hacked one of the defense contractors in their home country and stole intellectual property. What is the threat agent in this situation?

A. the intellectual property that was stolen

B. the defense contractor who stored the intellectual property

C. the method used to conduct the attack

D. the foreign government that conducted the attack

Correct Answer: C

Question # 9   

Which metric in CVSS indicates an attack that takes a destination bank account number and replaces it with a different bank account number?

A. integrity

B. confidentiality

C. availability

D. scope

Correct Answer: A

Question # 10  

Why is encryption challenging to security monitoring?

A. Encryption analysis is used by attackers to monitor VPN tunnels.

B. Encryption is used by threat actors as a method of evasion and obfuscation.

C. Encryption introduces additional processing requirements by the CPU.

D. Encryption introduces larger packet sizes to analyze and store.

Correct Answer: B

Question # 11   

What is the principle of defense-in-depth?

A. Agentless and agent-based protection for security are used.

B. Several distinct protective layers are involved.

C. Access control models are involved.

D. Authentication, authorization, and accounting mechanisms are used.

Correct Answer: B

Question # 12   

A security incident occurred with the potential of impacting business services. Who performs the attack?

A. threat actor

B. malware author

C. direct competitor

D. bug bounty hunter

Correct Answer: A

Question # 13   

Which event is a vishing attack?

A. obtaining disposed documents from an organization

B. using a vulnerability scanner on a corporate network

C. impersonating a tech support agent during a phone call

D. setting up a rogue access point near a public hotspot

Correct Answer: C

Question # 14   

What is a difference between SIEM and SOAR?

A. SIEM predicts and prevents security alerts, while SOAR checks attack patterns and applies the mitigation.

B. SIEM’s primary function is to collect and detect anomalies, while SOAR is more focused on security operations automation and response.

C. SOAR’s primary function is to collect and detect anomalies, while SIEM is more focused on security operations automation and response.

D. SOAR predicts and prevents security alerts, while SIEM checks attack patterns and applies the mitigation.

Correct Answer: B

Question # 15   

When communicating via TLS, the client initiates the handshake to the server and the server responds back with its certificate for identification.

Which information is available on the server certificate?

A. server name, trusted subordinate CA, and private key

B. trusted subordinate CA, public key, and cipher suites

C. trusted CA name, cipher suites, and private key

D. server name, trusted CA, and public key

Correct Answer: D

Question # 16   

Refer to the exhibit. Which type of log is displayed?

A. IDS

B. proxy

C. NetFlow

D. sys

Correct Answer: A

Question # 17   

An engineer receives a security alert that traffic with a known TOR exit node has occurred on the network.

What is the impact of this traffic?

A. ransomware communicating after infection

B. users downloading copyrighted content

C. data exfiltration

D. user circumvention of the firewall

Correct Answer: D

Question # 18   

Refer to the exhibit. What is occurring in this network?

A. ARP cache poisoning

B. DNS cache poisoning

C. MAC address table overflow

D. MAC flooding attack

Correct Answer: A

Question # 19   

Refer to the exhibit. What should be interpreted from this packet capture?

A. 81.179.179.69 is sending a packet from port 80 to port 50272 of IP address 192.168.122.100 using UDP protocol.

B. 192.168.122.100 is sending a packet from port 50272 to port 80 of IP address 81.179.179.69 using TCP protocol.

C. 192.168.122.100 is sending a packet from port 80 to port 50272 of IP address 81.179.179.69 using UDP protocol.

D. 81.179.179.69 is sending a packet from port 50272 to port 80 of IP address 192.168.122.100 using TCP protocol.

Correct Answer: B

Question # 20   

Refer to the exhibit. Which event is occurring?

A. A binary named “submit” is running on VM cuckoo1.

B. A binary is being submitted to run on VM cuckoo1

C. A binary on VM cuckoo1 is being submitted for evaluation

D. A URL is being evaluated to see if it has a malicious binary

Correct Answer: B

Question # 21   

Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?

A. A policy violation is active for host 10.10.101.24.

B. A host on the network is sending a DDoS attack to another inside host.

C. There are three active data exfiltration alerts.

D. A policy violation is active for host 10.201.3.149.

Correct Answer: C

Question # 22   

An analyst is investigating a host in the network that appears to be communicating to a command and control server on the Internet. After collecting this packet capture, the analyst cannot determine the technique and payload used for the communication.

Which obfuscation technique is the attacker using?

A. Base64 encoding

B. transport layer security encryption

C. SHA-256 hashing

D. ROT13 encryption

Correct Answer: B

Question # 23   

During which phase of the forensic process is data that is related to a specific event labeled and recorded to preserve its integrity?

A. examination

B. investigation

C. collection

D. reporting

Correct Answer: C

Question # 24   

A malicious file has been identified in a sandbox analysis tool.

Which piece of information is needed to search for additional downloads of this file by other hosts?

A. file type

B. file size

C. file name

D. file hash value

Correct Answer: D

Question # 25   

Refer to the exhibit. What is the potential threat identified in this Stealthwatch dashboard?

A. A policy violation is active for host 10.10.101.24.

B. A host on the network is sending a DDoS attack to another inside host.

C. There are two active data exfiltration alerts.

D. A policy violation is active for host 10.201.3.149.

Correct Answer: C

Question # 26   

An organization’s security team has detected network spikes coming from the internal network. An investigation has concluded that the spike in traffic was from intensive network scanning. How should the analyst collect the traffic to isolate the suspicious host?

A. based on the most used applications

B. by most active source IP

C. by most used ports

D. based on the protocols used

Correct Answer: B

Question # 27   

Refer to the exhibit. Which type of attack is being executed?

A. cross-site request forgery

B. command injection

C. SQL injection

D. cross-site scripting

Correct Answer: C

Question # 28  

Which technology should be used to implement a solution that makes routing decisions based on HTTP header, uniform resource identifier, and SSL session ID attributes?

A. AWS

B. IIS

C. Load balancer

D. Proxy server

Correct Answer: C

Question # 29   

Which utility blocks a host portscan?

A. HIDS

B. sandboxing

C. host-based firewall

D. antimalware

Correct Answer: C

Question # 30   

Refer to the exhibit. What is the expected result when the “Allow subdissector to reassemble TCP streams” feature is enabled?

A. insert TCP subdissectors

B. extract a file from a packet capture

C. disable TCP streams

D. unfragment TCP

Correct Answer: B

Question # 31   

An analyst discovers that a legitimate security alert has been dismissed.

Which signature caused this impact on network traffic?

A. true negative

B. false negative

C. false positive

D. true positive

Correct Answer: B

Question # 32   

At which layer is deep packet inspection investigated on a firewall?

A. internet

B. transport

C. application

D. data link

Correct Answer: C

Question # 33   

What is a difference between data obtained from Tap and SPAN ports?

A. SPAN passively splits traffic between a network device and the network without altering it, while Tap alters response times.

B. Tap mirrors existing traffic from specified ports, while SPAN presents more structured data for deeper analysis.

C. SPAN improves the detection of media errors, while Tap provides direct access to traffic with lowered data visibility.

D. Tap sends traffic from physical layers to the monitoring device, while SPAN provides a copy of network traffic from switch to destination.

Correct Answer: D

Question # 34   

What is a difference between an inline and a tap mode traffic monitoring?

A. Tap mode monitors packets and their content with the highest speed, while the inline mode draws a packet path for analysis.

B. Inline monitors traffic without examining other devices, while a tap mode tags traffic and examines the data from monitoring devices.

C. Inline mode monitors traffic path, examining any traffic at a wire speed, while a tap mode monitors traffic as it crosses the network.

D. Tap mode monitors traffic direction, while inline mode keeps packet data as it passes through the monitoring devices.

Correct Answer: C

Question # 35   

Which regular expression is needed to capture the IP address 192.168.20.232?

A. ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}

B. ^(?:[0-9]{1,3}\.)*

C. ^)?:[0-9]{1,3}\.){1,4}

D. ^([0-9].{3})

Correct Answer: A

Question # 36   

Which category relates to improper use or disclosure of PII data?

A. legal

B. compliance

C. regulated

D. contractual

Correct Answer: C

Question # 37   

Which metric should be used when evaluating the effectiveness and scope of a Security Operations Center?

A. The average time the SOC takes to register and assign the incident.

B. The total incident escalations per week.

C. The average time the SOC takes to detect and resolve the incident.

D. The total incident escalations per month.

Correct Answer: C

Question # 38   

The SOC team has confirmed a potential indicator of compromise on an endpoint. The team has narrowed the executable file’s type to a new Trojan family.

According to the NIST Computer Security Incident Handling Guide, what is the next step in handling this event?

A. Perform forensics analysis on the infected endpoint

B. Isolate the infected endpoint from the network

C. Prioritize incident handling based on the impact

D. Collect public information on the malware behavior

Correct Answer: B

Question # 39   

What is the difference between deep packet inspection and stateful inspection?

A. Stateful inspection is more secure due to its complex signatures, and deep packet inspection requires less human intervention.

B. Deep packet inspection is more secure due to its complex signatures, and stateful inspection requires less human intervention.

C. Deep packet inspection gives insights up to Layer 7, and stateful inspection gives insights only up to Layer 4.

D. Stateful inspection verifies data at the transport layer, and deep packet inspection verifies data at the application layer.

Correct Answer: C

Question # 40   

The security team has detected an ongoing spam campaign targeting the organization. The team’s approach is to push back the cyber kill chain and mitigate ongoing incidents. At which phase of the cyber kill chain should the security team mitigate this type of attack?

A. installation

B. reconnaissance

C. actions

D. delivery

Correct Answer: D

Question # 41  

What is obtained using NetFlow?

A. full packet capture

B. session data

C. application logs

D. network downtime report

Correct Answer: B

Question # 42   

How does agentless monitoring differ from agent-based monitoring?

A. Agentless can access the data via API, while agent-based uses a less efficient method and accesses log data through WMI.

B. Agent-based monitoring has a lower initial cost for deployment, while agentless requires resource-intensive deployment.

C. Agent-based monitoring is less intrusive in gathering log data, while agentless requires open ports to fetch the logs.

D. Agent-based has a possibility to locally filter and transmit only valuable data, while agentless has much higher network utilization.

Correct Answer: D

Question # 43   

According to the September 2020 threat intelligence feeds, a new malware called Egregor was introduced and used in many attacks. Distribution of Egregor is primarily through a Cobalt Strike that has been installed on victims’ workstations using RDP exploits. The malware exfiltrates the victim’s data to a command and control server. The data is used to force victims to pay or lose it through public release. Which type of attack is described?

A. malware attack

B. insider threat

C. ransomware attack

D. whale-phishing

Correct Answer: C

Question # 44   

What is the difference between discretionary access control (DAC) and role-based access control (RBAC)?

A. DAC administrators pass privileges to users and groups, and in RBAC, permissions are applied to specific groups.

B. DAC requires explicit authorization for a given user on a given object, RBAC requires specific conditions.

C. RBAC is an extended version of DAC where you can add an extra level of authorization based on time.

D. RBAC access is granted when a user meets specific conditions, and in DAC, permissions are applied on user and group levels.

Correct Answer: A

Question # 45   

Refer to the exhibit. Which stakeholders must be involved when a company workstation is compromised?

A. Employee 1, Employee 2, Employee 3, Employee 4, Employee 5, Employee 7

B. Employee 4, Employee 6, Employee 7

C. Employee 1, Employee 2, Employee 4, Employee 5

D. Employee 2, Employee 3, Employee 4, Employee 5

Correct Answer: D

Question # 46   

Which information must an organization use to understand the threats currently targeting the organization?

A. vendor suggestions

B. threat intelligence

C. risk scores

D. vulnerability exposure

Correct Answer: B

Question # 47   

An organization is cooperating with several third-party companies. Data exchange is on an unsecured channel using port 80. Internal employees use the FTP service to upload and download sensitive data. An engineer must ensure confidentiality while preserving the integrity of the communication. Which technology must the engineer implement in this scenario?

A. RADIUS server

B. web application firewall

C. X.509 certificates

D. CA server

Correct Answer: C

Question # 48   

What describes a buffer overflow attack?

A. suppressing the buffers in a process

B. injecting new commands into existing buffers

C. overloading a predefined amount of memory

D. fetching data from memory buffer registers

Correct Answer: C

Question # 49  

Which security model assumes an attacker within and outside of the network and enforces strict verification before connecting to any system or resource within the organization?

A. Take-Grant

B. Object-capability

C. Zero Trust

D. Biba

Correct Answer: C

Question # 50  

Refer to the exhibit. An engineer is reviewing a Cuckoo report of a file. What must the engineer interpret from the report?

A. The file will monitor user activity and send the information to an outside source.

B. The file will insert itself into an application and execute when the application is run.

C. The file will appear legitimate by evading signature-based detection.

D. The file will not execute its behavior in a sandbox environment to avoid detection.

Correct Answer: D

Question # 51   

What is the functionality of an IDS?

A. forensic tool used to perform an in-depth analysis and debugging

B. software or device which monitors and identifies malicious network activity

C. device or software that detects and blocks suspicious files

D. endpoint protection software that prevents viruses and malware

Correct Answer: B

Question # 52   

Which CVSS metric group identifies other components that are affected by a successful security attack?

A. scope

B. privileges required

C. integrity

D. attack vector

Correct Answer: A
