Which of the following is the MOST important objective of a post-incident review?
A. Capture lessons learned and improve incident response processes
B. Develop a process for containment and continue improvement efforts
C. Identify new technologies and strategies to remediate
D. Identify a new management strategy
A manufacturing company has joined the information sharing and analysis center for its sector. As a benefit, the company will receive structured IoC data contributed by other members. Which of the following best describes the utility of this data?
A. Other members will have visibility into instances of positive IoC identification within the manufacturing company's corporate network.
B. The manufacturing company will have access to relevant malware samples from all other manufacturing sector members.
C. Other members will automatically adjust their security postures to defend the manufacturing company's processes.
D. The manufacturing company can ingest the data and use tools to autogenerate security configurations for all of its infrastructure.
An organization has a strict policy that if elevated permissions are needed, users should always run commands under their own account, with temporary administrator privileges if necessary. A security analyst is reviewing syslog entries and sees the following:
Which of the following entries should cause the analyst the MOST concern?
A. <100>2 2020-01-10T19:33:41.002z webserver su 201 32001 = BOM ' su vi httpd.conf' failed for joe
B. <100>2 2020-01-10T20:36:36.0010z financeserver su 201 32001 = BOM ' sudo vi users.txt success
C. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi syslog.conf failed for jos
D. <100> 2020-01-10T19:34..002z financeserver su 201 32001 = BOM ' su vi success
E. <100> 2020-01-10T19:33:48.002z webserver sudo 201 32001 = BOM ' su vi httpd.conf' success
A security analyst is reviewing a vulnerability scan report and notes the following finding:
As part of the detection and analysis procedures, which of the following should the analyst do NEXT?
A. Patch or reimage the device to complete the recovery
B. Restart the antivirus's running processes
C. Isolate the host from the network to prevent exposure
D. Confirm the workstation's signatures against the most current signatures
When investigating a report of a system compromise, a security analyst views the following /var/log/secure log file:
Which of the following can the analyst conclude from viewing the log file?
A. The comptia user knows the sudo password.
B. The comptia user executed the sudo su command.
C. The comptia user knows the root password.
D. The comptia user added himself or herself to the /etc/sudoers file.
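Added example (not part of the original question set): a small Python triage script that applies the rule behind the syslog question above (elevate with sudo under your own account, never switch accounts with su) and the distinction this /var/log/secure question turns on (sudo su authenticates with the caller's own password, a plain su with the target account's password). The log lines, hostnames and usernames are constructed for the example; the parsing targets the standard sudo "COMMAND=" record and the pam_unix su session and FAILED SU formats.

```python
import re

# Constructed /var/log/secure (auth.log) sample; NOT the exhibit from the question.
SAMPLE_LOG = """\
Jan 10 19:33:41 webserver sudo:   joe : TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/vi /etc/httpd/conf/httpd.conf
Jan 10 19:33:48 webserver su[4120]: FAILED SU (to root) joe on pts/0
Jan 10 19:34:02 financeserver su[5532]: pam_unix(su:session): session opened for user root by joe(uid=1001)
Jan 10 19:35:10 financeserver sudo:   comptia : TTY=pts/1 ; PWD=/home/comptia ; USER=root ; COMMAND=/bin/su
Jan 10 19:36:22 webserver sudo:   joe : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/home/joe ; USER=root ; COMMAND=/usr/bin/vi /etc/rsyslog.conf
"""

# Traditional syslog prefix: timestamp, host, program (su or sudo) with optional [pid].
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>su|sudo)(?:\[\d+\])?:\s*(?P<msg>.*)$")
SUDO_OK = re.compile(r"^(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SUDO_FAIL = re.compile(r"^(?P<user>\S+) : (?P<reason>[^;]+?) ; TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
SU_OK = re.compile(r"session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)")
SU_FAIL = re.compile(r"FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+)")

SHELLS = {"su", "bash", "sh", "dash", "zsh", "ksh"}


def gives_shell(cmd):
    """True when the sudo'd command is su or an interactive shell (sudo -i / -s log as COMMAND=/bin/bash)."""
    first = cmd.split()[0]
    return first.rsplit("/", 1)[-1] in SHELLS


def classify(line):
    m = HEADER.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "app": m["app"]}
    msg = m["msg"]
    if m["app"] == "sudo":
        ok = SUDO_OK.match(msg)
        if ok:
            ev.update(user=ok["user"], target=ok["target"], cmd=ok["cmd"], success=True)
            # sudo checks the CALLER's own password: compliant for one audited command,
            # but sudo su / sudo -i hands over a shell whose later commands are not logged by sudo.
            ev["verdict"] = "shell-escalation" if gives_shell(ok["cmd"]) else "ok"
            return ev
        fail = SUDO_FAIL.match(msg)
        if fail:
            ev.update(user=fail["user"], target=fail["target"], cmd=fail["cmd"], success=False)
            ev["verdict"] = "sudo-denied: " + fail["reason"]
            return ev
    else:
        ok = SU_OK.search(msg)
        if ok:
            ev.update(user=ok["user"], target=ok["target"], cmd="su", success=True)
            # A successful plain su means the caller typed the TARGET account's password:
            # a shared credential that bypasses the per-user sudo trail the policy relies on.
            ev["verdict"] = f"violation: su to {ok['target']} using {ok['target']}'s password"
            return ev
        fail = SU_FAIL.search(msg)
        if fail:
            ev.update(user=fail["user"], target=fail["target"], cmd="su", success=False)
            ev["verdict"] = "su-failed"
            return ev
    ev["verdict"] = "unparsed"  # e.g. pam_unix(sudo:session) lines, redundant with the COMMAND= record
    return ev


SEVERITY = {"violation": 3, "shell-escalation": 2, "su-failed": 1, "sudo-denied": 1, "ok": 0, "unparsed": 0}


def analyze(text):
    return [ev for ev in (classify(l) for l in text.splitlines()) if ev]


def most_concerning(events):
    return max(events, key=lambda e: SEVERITY[e["verdict"].split(":")[0]])


if __name__ == "__main__":
    events = analyze(SAMPLE_LOG)
    for ev in events:
        print(f"{ev['ts']} {ev['host']:<14} {ev.get('user', '?'):<8} {ev['app']:<5} {ev['verdict']}")
    print("MOST concerning:", most_concerning(events))
```

The ranking deliberately puts a successful su above a failed one: the failure shows an attempt to break policy, the success shows that a second account's password is in circulation, which is what turns a policy question into a credential-hygiene incident.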
A system administrator has reviewed the following output:
Which of the following can a system administrator infer from the above output?
A. The company email server is running a non-standard port.
B. The company email server has been compromised.
C. The company is running a vulnerable SSH server.
D. The company web server has been compromised.
A technician receives the following security alert from the firewall's automated system:
After reviewing the alert, which of the following is the BEST analysis?
A. This alert is a false positive because DNS is a normal network function.
B. This alert indicates a user was attempting to bypass security measures using dynamic DNS.
C. This alert was generated by the SIEM because the user attempted too many invalid login attempts.
D. This alert indicates an endpoint may be infected and is potentially contacting a suspect host.
Scan results identify critical Apache vulnerabilities on a company's web servers. A security analyst believes many of these results are false positives because the web environment mostly consists of Windows servers.
Which of the following is the BEST method of verifying the scan results?
A. Run a service discovery scan on the identified servers.
B. Refer to the identified servers in the asset inventory.
C. Perform a top-ports scan against the identified servers.
D. Review logs of each host in the SIEM.
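Added example (not from the original question set): the service discovery check in working form. The analyst's hunch mixes up operating system and web server; Apache httpd ships for Windows, so "it is a Windows box" does not by itself refute an Apache finding. What settles it is a version-detection scan (nmap -sV) compared against what the vulnerability scanner claimed. The nmap XML below is constructed to look like real nmap -sV output (the element and attribute names match nmap's XML schema), and the findings list is a made-up stand-in for the scanner's report; no real vulnerability is referenced.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -sV XML (shape follows nmap's schema; hosts and versions are invented).
NMAP_XML = """\
<nmaprun scanner="nmap" args="nmap -sV -p 80,443,8080 -oX - 10.0.0.11-13">
<host><status state="up"/><address addr="10.0.0.11" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.internal" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Microsoft IIS httpd" version="10.0" ostype="Windows" method="probed" conf="10"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.12" addrtype="ipv4"/>
<hostnames><hostname name="web02.example.internal" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="Apache httpd" version="2.4.41" extrainfo="(Win32)" ostype="Windows" method="probed" conf="10"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.13" addrtype="ipv4"/>
<hostnames><hostname name="web03.example.internal" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="80"><state state="filtered"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Apache Tomcat" version="9.0.30" method="probed" conf="10"/></port>
</ports></host>
</nmaprun>
"""

# Constructed stand-in for the vulnerability scanner's report: each finding asserts a product on a host:port.
FINDINGS = [
    {"host": "10.0.0.11", "port": 443, "claimed": "Apache httpd"},
    {"host": "10.0.0.12", "port": 443, "claimed": "Apache httpd"},
    {"host": "10.0.0.13", "port": 80, "claimed": "Apache httpd"},
    {"host": "10.0.0.13", "port": 8080, "claimed": "Apache httpd"},
]


def parse_nmap_services(xml_text):
    """Map (ipv4, port) -> fingerprint for every open port in an nmap -sV XML document."""
    services = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = next(a.get("addr") for a in host.iter("address") if a.get("addrtype") == "ipv4")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            services[(addr, int(port.get("portid")))] = {
                "product": (svc.get("product") or "") if svc is not None else "",
                "version": svc.get("version") if svc is not None else None,
                "ostype": svc.get("ostype") if svc is not None else None,
            }
    return services


def triage(findings, services):
    """Return (finding, verdict, detail) per finding, comparing the claimed product with the -sV fingerprint."""
    results = []
    for f in findings:
        svc = services.get((f["host"], f["port"]))
        if svc is None:
            results.append((f, "unverified", "port not open in the discovery scan; check asset inventory and rescan"))
        elif not svc["product"]:
            results.append((f, "inconclusive", "open port without a service fingerprint; grab the banner manually"))
        elif f["claimed"].lower() in svc["product"].lower():
            # Match on the full product name: "Apache Tomcat" must not satisfy an "Apache httpd" claim,
            # and Apache httpd on Windows is a real Apache instance, not a false positive.
            results.append((f, "true-positive", f"{svc['product']} {svc['version']} on {svc['ostype'] or 'unknown OS'}"))
        else:
            results.append((f, "false-positive", f"service fingerprinted as {svc['product']} {svc['version']}"))
    return results


if __name__ == "__main__":
    for f, verdict, detail in triage(FINDINGS, parse_nmap_services(NMAP_XML)):
        print(f"{f['host']}:{f['port']:<5} {verdict:<15} {detail}")
```

The asset inventory (option B) answers a different question, what the host is supposed to be running; only the live fingerprint says what it is running now, which is why a "false positive" verdict here still needs the banner or a host-side check before the finding is closed.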
A computer at a company was used to commit a crime. The system was seized and removed for further analysis. Which of the following is the purpose of labeling cables and connections when seizing the computer system?
A. To capture the system configuration as it was at the time it was removed
B. To maintain the chain of custody
C. To block any communication with the computer system from attack
D. To document the model, manufacturer, and type of cables connected
Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (Choose three.)
A. Multifactor authentication
B. Network segmentation
C. Single sign-on
D. Encryption
E. Complexity policy
F. Biometrics
G. Obfuscation
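Added example (not part of the original question set): the analysis step that precedes the recommendation. Before choosing controls, the analyst needs to know whether the brute force was a spray across many accounts or a hammer on one, and whether any guess succeeded, because a success after a burst means a password is already compromised and MFA is the control that would have stopped it. The sshd log lines below are constructed (RFC 5737 test addresses, invented usernames) and follow OpenSSH's standard "Failed password for ..." and "Accepted ... for ..." message formats; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd authentication log; NOT a real capture.
AUTH_LOG = """\
Jan 10 19:40:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jan 10 19:40:02 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51023 ssh2
Jan 10 19:40:02 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Jan 10 19:40:03 bastion sshd[2207]: Failed password for joe from 203.0.113.5 port 51025 ssh2
Jan 10 19:40:03 bastion sshd[2209]: Failed password for joe from 203.0.113.5 port 51026 ssh2
Jan 10 19:40:04 bastion sshd[2211]: Failed password for joe from 203.0.113.5 port 51027 ssh2
Jan 10 19:40:09 bastion sshd[2213]: Accepted password for joe from 203.0.113.5 port 51030 ssh2
Jan 10 19:41:30 bastion sshd[2220]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Jan 10 19:41:45 bastion sshd[2222]: Accepted publickey for alice from 198.51.100.7 port 40011 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse(text):
    """Yield (timestamp, accepted, method, user, source_ip) for each sshd auth result line."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for intra-day deltas.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["result"] == "Accepted", m["method"], m["user"], m["src"]))
    return events


def detect(events, threshold=5, window_s=60):
    """Sliding-window brute-force detection per source IP, plus 'guess succeeded' follow-up alerts."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    users = defaultdict(set)      # src -> usernames tried (size distinguishes spraying from targeting)
    flagged = set()
    for ts, accepted, method, user, src in sorted(events):
        if not accepted:
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute-force", "src": src, "failures": len(q),
                               "users": sorted(users[src]),
                               "pattern": "spray" if len(users[src]) > 1 else "targeted"})
        elif src in flagged and method == "password":
            # A password login from a source that was just guessing is the worst case: the guess landed.
            # MFA would have blocked this step; key-based logins are not guessable this way.
            alerts.append({"type": "success-after-burst", "src": src, "user": user})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(AUTH_LOG)):
        print(a)
```

The output of detect() is what backs the recommendation: a "spray" pattern argues for MFA and a complexity policy across all accounts rather than a fix to one, and any "success-after-burst" alert means a password reset for that user is part of the response, not just a hardening item.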