Joe, a leading sales person at an organization, has announced on social media that he is leaving his current role to start a new company that will compete with his current employer. Joe is soliciting his current employer's customers. However, Joe has not resigned or discussed this with his current supervisor yet. Which of the following would be the best action for the incident response team to recommend?

Perform no action until HR or legal counsel advises on next steps

Isolate Joe's PC from the network

Reimage the PC based on standard operating procedures

Initiate a remote wipe of Joe's PC using mobile device management

Perform no action until HR or legal counsel advises on next steps

The Chief Information Security Officer is directing a new program to reduce attack surface risks and threats as part of a zero trust approach. The IT security team is required to come up with priorities for the program. Which of the following is the best priority based on common attack frameworks?

Reduce the administrator and privileged access accounts

Conduct thorough incident response

Enable SSO to enterprise applications

During an extended holiday break, a company suffered a security incident. This information was properly relayed to appropriate personnel in a timely manner and the server was up to date and configured with appropriate auditing and logging. The Chief Information Security Officer wants to find out precisely what happened. Which of the following actions should the analyst take first?

Clone the virtual server for forensic analysis

Log in to the affected server and begin analysis of the logs

Restore from the last known-good backup to confirm there was no loss of connectivity

Shut down the affected server immediately

A systems administrator is reviewing after-hours traffic flows from data-center servers and sees regular outgoing HTTPS connections from one of the servers to a public IP address. The server should not be making outgoing connections after hours. Looking closer, the administrator sees this traffic pattern around the clock during work hours as well. Which of the following is the most likely explanation?

Anomalous activity on unexpected ports

Network host IP address scanning

New employees in an organization have been consistently plugging in personal webcams despite the company policy prohibiting use of personal devices. The SOC manager discovers that new employees are not aware of the company policy. Which of the following will the SOC manager most likely recommend to help ensure new employees are accountable for following the company policy?

All new employees must sign a user agreement to acknowledge the company security policy

Human resources must email a copy of a user agreement to all new employees

Supervisors must get verbal confirmation from new employees indicating they have read the user agreement

All new employees must take a test about the company security policy during the cjitoardmg process

All new employees must sign a user agreement to acknowledge the company security policy

An analyst has been asked to validate the potential risk of a new ransomware campaign that the Chief Financial Officer read about in the newspaper. The company is a manufacturer of a very small spring used in the newest fighter jet and is a critical piece of the supply chain for this aircraft. Which of the following would be the best threat intelligence source to learn about this new campaign?

Information sharing organization

Cybersecuritv incident response team

An incident response team finished responding to a significant security incident. The management team has asked the lead analyst to provide an after-action report that includes lessons learned. Which of the following is the most likely reason to include lessons learned?

To identify areas of improvement in the incident response process

To satisfy regulatory requirements for incident reporting

To hold other departments accountable

To identify areas of improvement in the incident response process

To highlight the notable practices of the organization's incident response team

A vulnerability management team is unable to patch all vulnerabilities found during their weekly scans. Using the third-party scoring system described below, the team patches the most urgent vulnerabilities: Additionally, the vulnerability management team feels that the metrics Smear and Channing are less important than the others, so these will be lower in priority. Which of the following vulnerabilities should be patched first, given the above third-party scoring system?

TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No

InLoud: Cobain: Yes Grohl: No Novo: Yes Smear: Yes Channing: No

TSpirit: Cobain: Yes Grohl: Yes Novo: Yes Smear: No Channing: No

ENameless: Cobain: Yes Grohl: No Novo: Yes Smear: No Channing: No

PBleach: Cobain: Yes Grohl: No Novo: No Smear: No Channing: Yes

A recent zero-day vulnerability is being actively exploited, requires no user interaction or privilege escalation, and has a significant impact to confidentiality and integrity but not to availability. Which of the following CVE metrics would be most accurate for this zero-day threat?

CVSS: 31/AV: N/AC: L/PR: N/UI: N/S: U/C: H/1: K/A: L

CVSS:31/AV:K/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L

CVSS:31/AV:N/AC:L/PR:N/UI:H/S:U/C:L/I:N/A:H

CVSS:31/AV:L/AC:L/PR:R/UI:R/S:U/C:H/I:L/A:H

An organization conducted a web application vulnerability assessment against the corporate website, and the following output was observed: Which of the following tuning recommendations should the security analyst share?

Configure an Access-Control-Allow-Origin header to authorized domains

Set an HttpOnlvflaq to force communication by HTTPS

Block requests without an X-Frame-Options header

Configure an Access-Control-Allow-Origin header to authorized domains

Disable the cross-origin resource sharing header

The Chief Executive Officer of an organization recently heard that exploitation of new attacks in the industry was happening approximately 45 days after a patch was released. Which of the following would best protect this organization?

A mean time to remediate of 30 days

A mean time to detect of 45 days

A mean time to respond of 15 days

Third-party application testing

A company's user accounts have been compromised. Users are also reporting that the company's internal portal is sometimes only accessible through HTTP, other times; it is accessible through HTTPS. Which of the following most likely describes the observed activity?

An on-path attack is being performed by someone with internal access that forces users into port 80

There is an issue with the SSL certificate causinq port 443 to become unavailable for HTTPS access

An on-path attack is being performed by someone with internal access that forces users into port 80

The web server cannot handle an increasing amount of HTTPS requests so it forwards users to port 80

An error was caused by BGP due to new rules applied over the company's internal routers

The Chief Information Security Officer wants to eliminate and reduce shadow IT in the enterprise. Several high-risk cloud applications are used that increase the risk to the organization. Which of the following solutions will assist in reducing the risk?

Deploy a CASB and enable policy enforcement

Configure MFA with strict access

Enable SSO to the cloud applications

An incident response analyst notices multiple emails traversing the network that target only the administrators of the company. The email contains a concealed URL that leads to an unknown website in another country. Which of the following best describes what is happening? (Choose two.)

Address Resolution Protocol poisoning

During security scanning, a security analyst regularly finds the same vulnerabilities in a critical application. Which of the following recommendations would best mitigate this problem if applied along the SDLC phase?

Use application security scanning as part of the pipeline for the CI/CDflow

Conduct regular red team exercises over the application in production

Ensure that all implemented coding libraries are regularly checked

Use application security scanning as part of the pipeline for the CI/CDflow

Implement proper input validation for any data entry form

The security team reviews a web server for XSS and runs the following Nmap scan: Which of the following most accurately describes the result of the scan?

The vulnerable parameter and characters > and ' with a reflected XSS attempt

An output of characters > and ' as the parameters used m the attempt

The vulnerable parameter ID hccp://l72.31.15.2/1.php?id-2 and unfiltered characters returned

The vulnerable parameter and unfiltered or encoded characters passed > and ' as unsafe

The vulnerable parameter and characters > and ' with a reflected XSS attempt

A security analyst is trying to identify possible network addresses from different source networks belonging to the same company and region. Which of the following shell script functions could help achieve the goal?

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ''.in-addr'' '{print $1}').origin.asn.cymru.com TXT +short }

function w() { a=$(ping -c 1 $1 | awk-F ''/'' 'END{print $1}') && echo ''$1 | $a'' }

function x() { b=traceroute -m 40 $1 | awk 'END{print $1}') && echo ''$1 | $b'' }

function y() { dig $(dig -x $1 | grep PTR | tail -n 1 | awk -F ''.in-addr'' '{print $1}').origin.asn.cymru.com TXT +short }

function z() { c=$(geoiplookup$1) && echo ''$1 | $c'' }

A security analyst is writing a shell script to identify IP addresses from the same country. Which of the following functions would help the analyst achieve the objective?

function x() { info=$(geoiplookup $1) && echo ''$1 | $info'' }

function w() { info=$(ping -c 1 $1 | awk -F ''/'' 'END{print $1}') && echo ''$1 | $info'' }

function x() { info=$(geoiplookup $1) && echo ''$1 | $info'' }

function y() { info=$(dig -x $1 | grep PTR | tail -n 1 ) && echo ''$1 | $info'' }

function z() { info=$(traceroute -m 40 $1 | awk 'END{print $1}') && echo ''$1 | $info'' }

A security analyst obtained the following table of results from a recent vulnerability assessment that was conducted against a single web server in the environment: Which of the following should be completed first to remediate the findings?

Perform proper sanitization on all fields

Ask the web development team to update the page contents

Add the IP address allow listing for control panel access

Purchase an appropriate certificate from a trusted root CA

Perform proper sanitization on all fields

A company receives a penetration test report summary from a third party. The report summary indicates a proxy has some patches that need to be applied. The proxy is sitting in a rack and is not being used, as the company has replaced it with a new one. The CVE score of the vulnerability on the proxy is a 9.8. Which of the following best practices should the company follow with this proxy?

Migrate the proxy to the cloud.

Which of the following is the best action to take after the conclusion of a security incident to improve incident response in the future?

Schedule a review with all teams to discuss what occurred

Develop a call tree to inform impacted users

Schedule a review with all teams to discuss what occurred

Create an executive summary to update company leadership

Review regulatory compliance with public relations for official notification

Which of the following security operations tasks are ideal for automation?

Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five Add the domain of sender to the block list Move the email to quarantine

Suspicious file analysis:Look for suspicious-looking graphics in a folder.Create subfolders in the original folder based on category of graphics found.Move the suspicious graphics to the appropriate subfolder

Firewall IoC block actions: Examine the firewall logs for IoCs from the most recently published zero-day exploit Take mitigating actions in the firewall to block the behavior found in the logs Follow up on any false positives that were caused by the block rules

Security application user errors: Search the error logs for signs of users having trouble with the security application Look up the user's phone number Call the user to help with any questions about using the application

Email header analysis: Check the email header for a phishing confidence metric greater than or equal to five Add the domain of sender to the block list Move the email to quarantine

A company is implementing a vulnerability management program and moving from an on-premises environment to a hybrid IaaS cloud environment. Which of the following implications should be considered on the new hybrid environment?

Cloud-specific misconfigurations may not be detected by the current scanners

The current scanners should be migrated to the cloud

Cloud-specific misconfigurations may not be detected by the current scanners

Existing vulnerability scanners cannot scan laaS systems

Vulnerability scans on cloud environments should be performed from the cloud

A security alert was triggered when an end user tried to access a website that is not allowed per organizational policy. Since the action is considered a terminable offense, the SOC analyst collects the authentication logs, web logs, and temporary files, reflecting the web searches from the user's workstation, to build the case for the investigation. Which of the following is the best way to ensure that the investigation complies with HR or privacy policies?

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

Create a timeline of events detailinq the date stamps, user account hostname and IP information associated with the activities

Ensure that the case details do not reflect any user-identifiable information Password protect the evidence and restrict access to personnel related to the investigation

Create a code name for the investigation in the ticketing system so that all personnel with access will not be able to easily identity the case as an HR-related investigation