Cisco (350-201-CBRCOR) Exam Questions And Answers page 5
A patient views information that is not theirs when they sign in to the hospital's online portal. The patient calls the support center at the hospital but continues to be put on hold because other patients are experiencing the same issue. An incident has been declared, and an engineer is now on the incident bridge as the CyberOps Tier 3 Analyst. There is a concern that disclosure of PII is occurring in real time. What is the first step the analyst should take to address this incident?
Contact the third-party handling provider to respond to the incident as critical
Turn off all access to the patient portal to secure patient records
Review system and application logs to identify errors in the portal code
Security Concepts
Threat Intelligence and Incident Response
A threat actor has crafted and sent a spear-phishing email with what appears to be a trustworthy link to the site of a conference that an employee recently attended. The employee clicked the link and was redirected to a malicious site through which the employee downloaded a PDF attachment infected with ransomware. The employee opened the attachment, which exploited vulnerabilities on the desktop. The ransomware is now installed and is calling back to its command and control server. Which security solution is needed at this stage to mitigate the attack?
web security solution
email security solution
endpoint security solution
network security solution
Network Security
Endpoint Security
An engineer notices that every Sunday night there is a two-hour period with a large load of network activity. Upon further investigation, the engineer finds that the activity is from locations around the globe outside the organization's service area. What are the next steps the engineer must take?
Assign the issue to the incident handling provider because no suspicious activity has been observed during business hours.
Review the SIEM and Firepower logs, block all traffic, and document the results of calling the call center.
Define the access points using Stealthwatch or SIEM logs, understand the services being offered during the hours in question, and cross-correlate other source events.
Treat it as a false positive, and accept the SIEM issue as valid to avoid alerts from triggering on weekends.
Network Security
Threat Intelligence and Incident Response
The incident response team was notified of detected malware. The team identified the infected hosts, removed the malware, restored the functionality and data of infected systems, and planned a company meeting to improve the incident handling capability. Which step was missed according to the NIST incident handling guide?
Contain the malware
Install IPS software
Determine the escalation path
Perform vulnerability assessment
Threat Intelligence and Incident Response
Security Operations and Technology
How does Wireshark decrypt TLS network traffic?
with a key log file using per-session secrets
using an RSA public key
by observing DH key exchange
by defining a user-specified decode-as
Network Security
Threat Intelligence and Incident Response
What is a principle of Infrastructure as Code?
System maintenance is delegated to software systems
Comprehensive initial designs support robust systems
Scripts and manual configurations work together to ensure repeatable routines
System downtime is grouped and scheduled across the infrastructure
Security Concepts
Cloud Security
A company recently started accepting credit card payments in their local warehouses and is undergoing a PCI audit. Based on business requirements, the company needs to store sensitive authentication data for 45 days. How must data be stored for compliance?
post-authorization by non-issuing entities if there is a documented business justification
by entities that issue the payment cards or that perform support issuing services
post-authorization by non-issuing entities if the data is encrypted and securely stored
by issuers and issuer processors if there is a legitimate reason
Security Concepts
Network Security
The SIEM tool informs a SOC team of a suspicious file. The team initializes the analysis with an automated sandbox tool, sets up a controlled laboratory to examine the malware specimen, and proceeds with behavioral analysis. What is the next step in the malware analysis process?
Perform static and dynamic code analysis of the specimen.
Unpack the specimen and perform memory forensics.
Contain the subnet in which the suspicious file was found.
Document findings and clean up the laboratory.
Network Security
Threat Intelligence and Incident Response
Refer to the exhibit. An engineer is analyzing this Vlan0392-int12-239.pcap file in Wireshark after detecting suspicious network activity. The origin header for the direct IP connections in the packets was initiated by a Google Chrome extension over the WebSocket protocol. The engineer checked message payloads to determine what information was being sent off-site, but the payloads are obfuscated and unreadable. What does this STIX indicate?
The extension is not performing as intended because of restrictions since ports 80 and 443 should be accessible
The traffic is legitimate, as the Google Chrome extension is reaching out to check for updates and fetches this information
There is a possible data leak because payloads should be encoded as UTF-8 text
There is malware that is communicating via encrypted channels to the command and control server
Network Security
Security Operations and Technology
The physical security department received a report that an unauthorized person followed an authorized individual to enter secured premises. The incident was documented and given to a security specialist to analyze. Which step should be taken at this stage?
Determine the assets to which the attacker has access
Identify assets the attacker handled or acquired
Change access controls to high-risk assets in the enterprise
Identify movement of the attacker in the enterprise
Security Concepts
Endpoint Security