985 questions total · 14 pages · All types, answers revealed
Page 14 of 14
Which compliance standard specifically applies to organizations that handle credit card information?
PCI DSS governs credit card data security.
Why this answer
PCI DSS is the Payment Card Industry Data Security Standard for credit card data.
An analyst observes an alert triggered by a single SYN packet to a closed port. The packet did not complete a TCP handshake. What type of attack does this most likely indicate?
SYN scan sends SYN and expects SYN-ACK for open ports; RST indicates closed.
Why this answer
A SYN scan (half-open scan) sends a SYN to each target port. A SYN/ACK reply means the port is open, an RST means it is closed, and no reply usually means it is filtered. The scanner never sends the final ACK, so no handshake completes; that incomplete handshake is what distinguishes a SYN scan from a full TCP connect scan, and a single packet to a single port is not a DoS attack.
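The following is an added example, not part of the original question set: it labels each probe in a constructed packet list by what came back and whether the scanner ever completed the handshake, so the single-SYN-to-closed-port case in the question shows up as `syn-scan/closed` and a legitimate connection shows up as `connect/open`. The `Pkt` record, the addresses and the captures are assumptions made for the example.

```python
"""Classify TCP probe outcomes from observed packets (added example, constructed sample data)."""
from collections import defaultdict
from dataclasses import dataclass

# TCP flag bits as they appear in the header
SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def classify_probes(packets, scanner):
    """Group packets by (target, target_port) for one scanner host and label each probe.

    Labels:
      'syn-scan/closed' - SYN out, RST(/ACK) back (the single-SYN-to-closed-port alert)
      'syn-scan/open'   - SYN out, SYN/ACK back, scanner tears down with RST, never sends ACK
      'connect/open'    - SYN out, SYN/ACK back, scanner completes the handshake with ACK
      'filtered'        - SYN out, no reply at all
    """
    by_port = defaultdict(list)
    for p in packets:
        if p.src == scanner:
            by_port[(p.dst, p.dport)].append(p)
        elif p.dst == scanner:
            by_port[(p.src, p.sport)].append(p)

    labels = {}
    for key, pkts in by_port.items():
        sent = [p.flags for p in pkts if p.src == scanner]
        recv = [p.flags for p in pkts if p.dst == scanner]
        # Only classify flows the scanner opened with a bare SYN
        if not sent or sent[0] != SYN:
            continue
        if not recv:
            labels[key] = 'filtered'
        elif recv[0] & RST:
            labels[key] = 'syn-scan/closed'
        elif recv[0] & SYN and recv[0] & ACK:
            # A bare ACK from the scanner completes the handshake; an RST aborts it
            if any(f == ACK for f in sent[1:]):
                labels[key] = 'connect/open'
            else:
                labels[key] = 'syn-scan/open'
    return labels


def looks_like_syn_scan(labels, min_ports=3):
    """Heuristic: several ports probed, none of them completed a handshake."""
    half_open = sum(1 for v in labels.values() if v.startswith('syn-scan/'))
    completed = any(v == 'connect/open' for v in labels.values())
    return half_open >= min_ports and not completed


SCANNER, TARGET = '10.0.0.5', '10.0.0.20'

# Constructed capture: SYN scan of four ports (22 open, 23 and 445 closed, 8080 filtered)
SAMPLE_SYN_SCAN = [
    Pkt(SCANNER, 40001, TARGET, 22, SYN),
    Pkt(TARGET, 22, SCANNER, 40001, SYN | ACK),
    Pkt(SCANNER, 40001, TARGET, 22, RST),
    Pkt(SCANNER, 40002, TARGET, 23, SYN),
    Pkt(TARGET, 23, SCANNER, 40002, RST | ACK),
    Pkt(SCANNER, 40003, TARGET, 445, SYN),
    Pkt(TARGET, 445, SCANNER, 40003, RST | ACK),
    Pkt(SCANNER, 40004, TARGET, 8080, SYN),
]

# Constructed capture: one legitimate full connection to port 80
SAMPLE_CONNECT = [
    Pkt(SCANNER, 40010, TARGET, 80, SYN),
    Pkt(TARGET, 80, SCANNER, 40010, SYN | ACK),
    Pkt(SCANNER, 40010, TARGET, 80, ACK),
]

if __name__ == '__main__':
    for name, cap in (('syn scan', SAMPLE_SYN_SCAN), ('connect', SAMPLE_CONNECT)):
        labels = classify_probes(cap, SCANNER)
        print(name, labels, 'SYN scan?', looks_like_syn_scan(labels))
```

The `filtered` label is deliberately left out of the scan heuristic: a single unanswered SYN is indistinguishable from a dropped packet, so only probes that got an answer without a completed handshake count toward the verdict.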
A security engineer is analyzing a recent data breach. Which TWO are examples of active reconnaissance techniques? (Select two.)
Port scanning and ping sweeps; both send packets directly to the target system.
Why this answer
Active reconnaissance involves direct interaction with the target. Port scanning and ping sweeps are active; WHOIS and Google searches are passive.
During an incident response, an analyst identifies a PCAP containing an HTTP POST request to a suspicious external IP with a large payload. The response is not typical for web applications. What type of activity is most likely occurring?
Data exfiltration. A large HTTP POST body sent to a suspicious external IP, answered with a response unlike a normal web application's, indicates data being pushed out of the network rather than ordinary browsing.
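As an added example (not part of the original question set), the check below runs over a constructed web-proxy log and flags exactly the pattern described: a POST to a host outside our address space that carries a large request body and receives almost nothing back. The log format, the thresholds and the `INTERNAL_NETS` list are assumptions; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for Internet hosts.

```python
"""Flag large HTTP POSTs to external hosts in a constructed proxy log (added example)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: ts src_ip method dst_ip uri status req_bytes resp_bytes
SAMPLE_LOG = """\
2024-05-01T10:02:11Z 10.1.4.22 GET 10.1.0.9 /intranet/index.html 200 412 18220
2024-05-01T10:02:40Z 10.1.4.22 POST 203.0.113.45 /api/u 200 5242880 12
2024-05-01T10:03:05Z 10.1.4.31 POST 198.51.100.7 /login 302 611 0
2024-05-01T10:03:09Z 10.1.4.22 POST 10.1.0.9 /share/upload 200 4100000 90
2024-05-01T10:04:00Z 10.1.4.40 POST 203.0.113.45 /api/u 200 1048576 12
2024-05-01T10:04:30Z 10.1.4.22 POST 203.0.113.45 /api/u 200 3145728 12
"""

LINE_RE = re.compile(r'(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\S+) (\d{3}) (\d+) (\d+)')

# Assumed internal address space; anything else is treated as external
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')]


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    uri: str
    req_bytes: int
    resp_bytes: int


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exfil(log, min_bytes=1_000_000, max_resp_ratio=0.01):
    """Return POSTs that push >= min_bytes to an external host and get almost nothing back.

    A real web application replies to a large upload with a page or a JSON body; a
    drop point used for exfiltration typically answers with a tiny acknowledgement.
    """
    hits = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line)
        if not m:
            continue
        ts, src, method, dst, uri, _status, req, resp = m.groups()
        req, resp = int(req), int(resp)
        if method != 'POST' or not is_external(dst) or req < min_bytes:
            continue
        if resp / req > max_resp_ratio:
            continue
        hits.append(Hit(ts, src, dst, uri, req, resp))
    return hits


def bytes_out_by_source(hits):
    """Total suspicious bytes per internal host, to decide which endpoint to triage first."""
    totals = defaultdict(int)
    for h in hits:
        totals[h.src] += h.req_bytes
    return dict(totals)


if __name__ == '__main__':
    hits = find_exfil(SAMPLE_LOG)
    for h in hits:
        print(f'{h.ts} {h.src} -> {h.dst}{h.uri} sent={h.req_bytes} got={h.resp_bytes}')
    print(bytes_out_by_source(hits))
```

The internal upload on the fourth line is just as large but goes to 10.1.0.9, so it is ignored; the login POST is external but tiny. Only the three uploads to 203.0.113.45 survive, and the per-source total singles out 10.1.4.22 as the host to look at first.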
A SOC analyst receives an alert from the SIEM indicating a high number of outbound DNS queries from an internal host to a domain known for malicious activity. The analyst reviews the logs and finds that the host is a DNS server. What should be the analyst's first action?
Immediate containment to prevent further compromise.
Why this answer
The correct first action is to isolate the DNS server from the network and escalate to incident response. A DNS server generating outbound DNS queries to a known malicious domain indicates a likely compromise (e.g., DNS tunneling or malware command-and-control), not normal recursive resolution. Immediate containment prevents further data exfiltration or lateral movement, aligning with incident response best practices.
Exam trap
Cisco often tests the misconception that a DNS server's outbound queries are always benign recursive lookups, leading candidates to choose baseline checking or simple blocking instead of recognizing the need for immediate containment and escalation.
How to eliminate wrong answers
Option B is wrong because checking a baseline assumes the activity might be normal, but a DNS server should not be making outbound queries to a known malicious domain; this wastes critical time during an active compromise. Option C is wrong because blocking the domain at the firewall without investigation may stop the immediate symptom but does not address the root cause (e.g., a backdoor or persistent threat), and closing the alert prematurely violates proper incident handling procedures. Option D is wrong because restarting the DNS service could destroy volatile evidence (e.g., in-memory artifacts, active connections) and does not remediate the underlying compromise, potentially allowing the threat to persist.
A security policy requires that all endpoints have host-based firewalls enabled. A user reports that an application stopped working after a recent update. What should the analyst do?
Create a firewall exception for the application; this keeps the host-based firewall policy in force while restoring the application.
Why this answer
Option B is correct because creating an exception maintains firewall policy while allowing the app. Option A violates policy. Option C may revert security patches.
Options D and E are less direct.
A security analyst notices repeated failed login attempts from a single IP address against multiple user accounts. What is the best immediate action to take?
Blocking the IP address stops the brute-force attempt immediately.
Why this answer
Blocking the source IP address on the firewall is the best immediate action because it stops the ongoing brute-force attack at the network perimeter, preventing further authentication attempts from that IP without disrupting legitimate users. This aligns with the principle of containment before investigation, as the firewall ACL can be updated quickly to deny traffic from the offending source.
Exam trap
Cisco often tests the candidate's ability to prioritize containment over investigation or remediation; the trap here is that candidates may choose to increase logging (Option A) to gather evidence, but the immediate action must stop the active attack first.
How to eliminate wrong answers
Option A is wrong because increasing logging verbosity does not stop the attack; it only generates more log data, which could overwhelm storage and delay response. Option B is wrong because changing all user passwords is disruptive, time-consuming, and does not address the source of the attack—the attacker can simply continue trying new passwords against the same accounts. Option C is wrong because disabling affected user accounts would deny service to legitimate users and does not prevent the attacker from targeting other accounts from the same IP.
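The following added example (not part of the original question set) shows the detection that would raise this alert and the containment action the answer calls for. It runs over constructed sshd log lines, counts failed logins per source IP inside a sliding time window, and only reports sources that fail against several distinct accounts, so a user mistyping their own password is not blocked. The log format, the thresholds and the ACL statement format are assumptions made for the example.

```python
"""Detect one source failing logins against many accounts in constructed sshd logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source (198.51.100.7) and one user mistyping their own password
SAMPLE_LOG = """\
2024-05-01T10:00:01Z vpn01 sshd[1203]: Failed password for alice from 198.51.100.7 port 51234 ssh2
2024-05-01T10:00:03Z vpn01 sshd[1204]: Failed password for bob from 198.51.100.7 port 51235 ssh2
2024-05-01T10:00:04Z vpn01 sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
2024-05-01T10:00:06Z vpn01 sshd[1206]: Failed password for carol from 198.51.100.7 port 51237 ssh2
2024-05-01T10:00:08Z vpn01 sshd[1207]: Failed password for dave from 198.51.100.7 port 51238 ssh2
2024-05-01T10:00:09Z vpn01 sshd[1208]: Failed password for erin from 198.51.100.7 port 51239 ssh2
2024-05-01T10:01:10Z vpn01 sshd[1220]: Failed password for frank from 10.1.4.22 port 40000 ssh2
2024-05-01T10:01:15Z vpn01 sshd[1221]: Failed password for frank from 10.1.4.22 port 40001 ssh2
2024-05-01T10:01:22Z vpn01 sshd[1222]: Accepted password for frank from 10.1.4.22 port 40002 ssh2
"""

FAIL_RE = re.compile(
    r'^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+')


def parse_failures(log):
    """Map source IP -> list of (timestamp, account) for each failed login."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts, user, src = m.groups()
        events[src].append((datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ'), user))
    return events


def find_brute_force(log, window=timedelta(minutes=5), min_failures=5, min_accounts=3):
    """Return {src_ip: (failures, distinct_accounts)} for sources that, within any sliding
    window, fail at least min_failures times across at least min_accounts accounts.

    Requiring several distinct accounts separates a spray or brute force from one user
    fumbling their own password, whose source should not be blocked.
    """
    offenders = {}
    for src, evs in parse_failures(log).items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            seg = evs[lo:hi + 1]
            accounts = {u for _, u in seg}
            if len(seg) >= min_failures and len(accounts) >= min_accounts:
                offenders[src] = max(offenders.get(src, (0, 0)), (len(seg), len(accounts)))
    return offenders


def acl_entries(offenders):
    """Illustrative Cisco IOS extended-ACL statements denying each offender (assumed format, not from the page)."""
    return [f'deny ip host {src} any' for src in sorted(offenders)]


if __name__ == '__main__':
    found = find_brute_force(SAMPLE_LOG)
    print(found)
    print('\n'.join(acl_entries(found)))
```

Emitting the ACL entry from the detection keeps the containment step mechanical and fast, which is the point of the answer: the block goes in first, and the log review for the eliminated options follows once the attempts have stopped.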
During memory analysis with Volatility, the 'cmdline' plugin shows a process with no command-line arguments. Which plugin could help recover the original command line if it was truncated or hidden?
cmdscan searches for command-line history in memory.
Why this answer
The 'cmdline' plugin reads the command line stored in each process's PEB, which an attacker can blank or overwrite. The 'cmdscan' plugin instead scans the memory of csrss.exe (Windows XP through 2008) or conhost.exe (Windows 7 and later) for COMMAND_HISTORY structures, recovering the commands typed into console sessions even when the process's own record has been tampered with.
A company is implementing a new data classification policy. The policy defines three levels: Public, Internal, and Confidential. An employee accidentally emails a spreadsheet marked 'Confidential' to an external partner. The email system automatically encrypts all outbound emails containing 'Confidential' classification. Which security control is being demonstrated?
DLP controls can automatically encrypt outbound emails containing sensitive data based on classification.
Why this answer
Option D is correct because the email system is automatically encrypting outbound emails based on classification, which is a type of data loss prevention (DLP). Option A is wrong because access control restricts who can access data, not how it is transmitted. Option B is wrong because encryption at rest occurs when data is stored.
Option C is wrong because auditing records events but does not prevent data loss.
An ICMP port unreachable reply to a UDP probe indicates a closed port.
Practice 200-201 by domain
Target a specific domain to shore up weak areas.