[Q111-Q128] Easily To Pass New CS0-001 Premium Exam Updated [Oct 15, 2024]


CS0-001 Certification All-in-One Exam Guide Oct-2024

The CompTIA CS0-001 exam consists of 85 multiple-choice and performance-based questions that must be completed within 165 minutes. The exam is designed to test the candidate's ability to identify and respond to security incidents, understand the basics of threat intelligence, and perform data analysis. It is administered by CompTIA, a leading provider of IT certifications, and is recognized by several organizations worldwide. Passing the exam and obtaining the certification is a good way for cybersecurity professionals to demonstrate their expertise and dedication to the field.

The CompTIA CS0-001 certification exam covers the essential skills required of a cybersecurity analyst. It includes topics such as threat and vulnerability management, incident response, and security architecture and toolsets, as well as more advanced topics such as behavioral analytics, network security, and automation and orchestration. It is an intermediate-level certification that validates the skills required to identify and respond to security incidents and threats.


NO.111 Which of the following items represents a document that includes detailed information on when an incident was detected, how impactful the incident was, and how it was remediated, in addition to incident response effectiveness and any identified gaps needing improvement?


NO.112 A cybersecurity analyst has received an alert that well-known “call home” messages are continuously observed by network sensors at the network boundary. The proxy firewall successfully drops the messages. After determining the alert was a true positive, which of the following represents the MOST likely cause?


NO.113 A computer has been infected with a virus and is sending out a beacon to a command and control server through an unknown service. Which of the following should a security technician implement to drop the traffic going to the command and control server while still being able to identify the infected host through firewall logs?


NO.114 Given the following access log:

Which of the following accurately describes what this log displays?


NO.115 An organization has recently recovered from an incident where a managed switch had been accessed and reconfigured without authorization by an insider. The incident response team is working on developing a lessons learned report with recommendations. Which of the following recommendations will BEST prevent the same attack from occurring in the future?


NO.116 A software assurance lab is performing a dynamic assessment on an application by automatically generating and inputting different, random data sets to attempt to cause an error/failure condition. Which of the following software assessment capabilities is the lab performing AND during which phase of the SDLC should this occur? (Select two.)


NO.117 A cybersecurity analyst has several SIEM event logs to review for possible APT activity. The analyst was given several items that include lists of indicators for both IP addresses and domains. Which of the following actions is the BEST approach for the analyst to perform?


NO.118 A cybersecurity analyst is reviewing the following outputs:
Which of the following can the analyst infer from the above output?


NO.119 A software engineer has resigned and given two weeks' notice. The organization is concerned the engineer may have taken proprietary code. Which of the following will BEST help the security analyst to determine if any code has been exfiltrated?


NO.120 A web application has a newly discovered vulnerability in the authentication method used to validate known company users. The user ID of Admin with a password of “password” grants elevated access to the application over the Internet. Which of the following is the BEST method to discover the vulnerability before a production deployment?


NO.121 Which of the following is the use of tools to simulate the ability for an attacker to gain access to a specified network?


NO.122 An analyst received a forensically sound copy of an employee's hard drive. The employee's manager suspects inappropriate images may have been deleted from the hard drive. Which of the following could help the analyst recover the deleted evidence?


NO.123 The developers recently deployed new code to three web servers. A daily automated external device scan report shows server vulnerabilities that are failing items according to PCI DSS. If the vulnerability is not valid, the analyst must take the proper steps to get the scan clean. If the vulnerability is valid, the analyst must remediate the finding. After reviewing the given information, select the STEP 2 tab in order to complete the simulation by selecting the correct "Validation Result" AND "Remediation Action" for each server listed using the drop-down options.
Instructions:
If at any time you would like to bring back the initial state of the simulation, please select the Reset button.
When you have completed the simulation, please select the Done button to submit. Once the simulation is submitted, please select the Next button to continue.

NO.124 A system administrator recently deployed and verified the installation of a critical patch issued by the company’s primary OS vendor. This patch was supposed to remedy a vulnerability that would allow an adversary to remotely execute code from over the network. However, the administrator just ran a vulnerability assessment of networked systems, and each of them still reported having the same vulnerability. Which of the following is the MOST likely explanation for this?


NO.125 A security analyst is attempting to configure a vulnerability scan for a new segment on the network. Given the requirement to prevent credentials from traversing the network while still conducting a credentialed scan, which of the following is the BEST choice?


NO.126 The Chief Information Security Officer (CISO) asked for a topology discovery to be conducted and verified against the asset inventory. The discovery is failing and not providing reliable or complete data. The syslog shows the following information:

Which of the following describes the reason why the discovery is failing?


NO.127 In order to leverage the power of data correlation within Nessus, a cybersecurity analyst needs to write an SQL statement that will provide how long a vulnerability has been present on the network. Given the following output table:

Which of the following SQL statements would provide the resulting output needed for this correlation?


NO.128 After scanning the main company’s website with the OWASP ZAP tool, a cybersecurity analyst is reviewing the following warning:

The analyst reviews a snippet of the offending code:

Which of the following is the BEST course of action based on the above warning and code snippet?

