Question 1

A group of doctor's offices have decided to merge into one organization. As part of the migration, the cybersecurity team is responsible for determining how systems from the different offices will be able to share information with each other until they can be formally combined into a single system. Which of the following does the cybersecurity team need to keep in mind throughout the merger as they perform the necessary tasks of combining systems that are specific to the medical field?

A) FISMA
B) PCI DSS
C) MOMA
D) HIPAA

HIPAA

Accepted Answer

HIPAA (Health Insurance Portability and Accountability Act) is the relevant regulation for the medical field, focusing on the protection and confidential handling of protected health information (PHI).

Question 2

Kiah, a cybersecurity analyst for the government, is setting up a new Linux server and needs to configure the data classification labels to be used for the new application. Which of the following are valid labels for U.S. government systems?

A) Public, secret, top secret
B) Sensitive but unclassified, classified, secret
C) Confidential, secret, top secret
D) Classified, secret, top secret

Confidential, secret, top secret

Accepted Answer

The U.S. government uses a system of classification to protect sensitive information. The valid labels for classifying information are Confidential, Secret, and Top Secret, reflecting increasing levels of sensitivity and the need for protection.

Question 3

Ramon has been hired as a consultant for a large corporation to validate its existing security controls. Which of the following would most likely be one of the first pieces of data he requests?&#10;A) Risk matrix&#10;B) Asset inventory&#10;C) Service-level agreement&#10;D) Operational-level agreement

Accepted Answer

An asset inventory is crucial for understanding what assets the corporation has, which is foundational for assessing and validating security controls. It helps in identifying what needs to be protected and is typically one of the first steps in a security assessment process.

Question 4

Nadia, a cybersecurity analyst, has installed a vulnerability scanning application called Nessus that uses modular updates she can download and install as needed. Which of the following terms may be used to describe these updates?

A) Plug-ins
B) Patches
C) Service packs
D) Updates

Accepted Answer

Nessus, a popular vulnerability scanning tool, uses "plug-ins" to update its database of vulnerabilities and functionalities. These plug-ins allow Nessus to be modular and flexible, enabling users to add new capabilities or update existing ones without needing to overhaul the entire application.

Question 5

Nikola is meeting with the executives of a large stock brokerage company. He knows that they have had a data breach recently and are extremely concerned about any further intrusions. This organization could be described as having an extremely low ________.

A) Sensitivity level
B) Fault tolerance
C) Risk appetite
D) Vulnerability stamina

Accepted Answer

Risk appetite refers to the amount of risk an organization is willing to accept in pursuit of its objectives. Given their recent data breach and heightened concern about further intrusions, the organization likely has a very low risk appetite.

Question 6

Sakura, a cybersecurity analyst, is implementing SCAP for her organization. She wants to implement best practices for the configuration of settings on various computer systems. Which of the following might she use to meet her goal?

A) CVE
B) CCE
C) CPE
D) CWE

Accepted Answer

CCE (Common Configuration Enumeration) provides unique identifiers to system configuration issues to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. Sakura would use CCE to implement best practices for the configuration of settings on various computer systems.

Question 7

Tyrese, a system administrator, is responsible for the Windows Server infrastructure at his organization. He has discovered that when it comes time to upgrade some of the servers from Windows Server 2012 R2, they will no longer be able to use the built-in vulnerability scanner. Which of the following is the vulnerability scanner that Tyrese had read about?

A) WSUS
B) VSS
C) WVSS
D) MBSA

Accepted Answer

The vulnerability scanner Tyrese had read about is the Microsoft Baseline Security Analyzer (MBSA). MBSA is a tool designed to assess the security configuration and check for vulnerabilities in Windows systems, including Windows Server versions.

Question 8

Isla is an executive at a large corporation that is currently working on merging with another corporation. Final regulatory approval is still needed, but could be more than a year away. In the meantime, the two companies have created a business partnership agreement to start working on certain projects together. They have also created an agreement that is not legally binding to define each of their roles in a new project. Which of the following is most likely the agreement they created?

A) SLA
B) OLA
C) MOU
D) DRP

Accepted Answer

An MOU (Memorandum of Understanding) is typically used to define a "gentleman's agreement" between parties, outlining their roles and intentions in a project without creating a legally binding contract. This fits the scenario where the companies want to start collaborating on a new project while awaiting regulatory approval for their merger.

Question 9

Victoria, a cybersecurity analyst, has discovered a vulnerability within several servers that requires a configuration modification. However, company policies dictate that she needs to get approval first to make this modification. Which of the following processes does the company most likely have in place?

A) Change control
B) Regression testing
C) Modification restriction
D) Configuration control

Accepted Answer

The company most likely has a change control process in place, which requires approval before making any modifications to ensure that changes are managed and documented properly.

Question 10

Tamara is a systems administrator for a company that wants to move some of their applications to a cloud service provider. Tamara needs to ensure that data won't be lost and that the systems will maintain 99.999% uptime. Which of the following should Tamara review from the CSPs her company is considering?

A) MOUs
B) Change control documentation
C) SLAs
D) OLAs

Accepted Answer

Service Level Agreements (SLAs) are contracts between service providers and their customers that define the performance and quality metrics under which the service will be provided. For Tamara, reviewing SLAs is crucial to ensure that the cloud service provider can meet the requirements for data protection and 99.999% uptime.

Question 11

Clifford, a cybersecurity analyst, has been tasked with implementing a method of automating vulnerability management at his organization. Which of the following is the most likely solution that Clifford would choose to implement?

A) AVMP
B) SCAP
C) SCP
D) PAM

Accepted Answer

The answer of Clifford, a cybersecurity analyst, has been tasked...

Question 12

Loide is a cybersecurity analyst and is looking for a vulnerability scanner that will pull updates from a web-based feed so that it constantly has the latest information about new vulnerabilities as they're discovered. Which of the following might be a good source of data for the scanner?

A) NVLM
B) OSCVD
C) NVCDB
D) NVD

Accepted Answer

The answer of Loide is a cybersecurity analyst and is...

Question 13

The CISO of a large organization, Mikael, has just returned from a security conference. At the conference, he learned about a vulnerability scanner that he would like to implement at his company. He likes the fact that the software published under the GNU GPL. Which of the following vulnerability scanners is he most likely considering?

A) Nessus
B) Tenable
C) Nikto
D) Nexpose

Accepted Answer

The answer of The CISO of a large organization, Mikael,...

Question 14

Cece, a penetration tester, has been hired by a company to attempt to breach the company's systems and gain access to whatever she can, just as if she were a real threat actor. Which of the following might be one of the initial tests that she performs?

A) A non-credentialed vulnerability scan
B) An agent-based vulnerability scan
C) A credentialed vulnerability scan
D) A push-based vulnerability scan

Accepted Answer

The answer of Cece, a penetration tester, has been hired...

Question 15

David, an IT manager, has just returned from a security conference where he was discussing the capabilities of a vendor's products. The vendor explained that their system relied on an agent that is installed on systems within an organization in order for it to work. Which of the following is most likely the type of product offered by this vendor?

A) Flip-based vulnerability scanner
B) Pull-based vulnerability scanner
C) Slide-based vulnerability scanner
D) Push-based vulnerability scanner

Accepted Answer

The answer of David, an IT manager, has just returned...

Question 16

Alois, a cybersecurity manager,has purchased a new vulnerability scanning tool on a trial basisto determine whether it would work for the organization's systems. She meets with her team to make the announcement and get input on which systems should be part of the first phase of the trial. Which of the following is she trying to determine?

A) Sensitivity level
B) Scope
C) Vulnerability feeds
D) Workflow

Accepted Answer

The answer of Alois, a cybersecurity manager,has purchased a new...

Question 17

Jim wants to implement an active vulnerability scanner within his company. He is trying to determine the scope of systems to be scanned. Which of the following might he choose to exempt from active vulnerability scanning?

A) Linux servers
B) Distribution routers
C) Industrial control systems
D) Windows servers

Accepted Answer

The answer of Jim wants to implement an active vulnerability...

Deck 5: Scanning for Vulnerabilities