CompTIA CySA+ CS0-002 – Question 150

A security analyst needs to provide a copy of a hard drive for forensic analysis. Which of the following would allow the analyst to perform the task?

A. dcfldd if=/dev/one of=/mnt/usb/evidence.bin hash=md5,sha1 hashlog=/mnt/usb/evidence.bin.hashlog
B. dd if=/dev/sda of=/mnt/usb/evidence.bin bs=4096; sha512sum /mnt/usb/evidence.bin > /mnt/usb/evidence.bin.hash
C. tar -zcf /mnt/usb/evidence.tar.gz / -except /mnt; sha256sum /mnt/usb/evidence.tar.gz > /mnt/usb/evidence.tar.gz.hash
D. find / -type f -exec cp {} /mnt/usb/evidence/ ; sha1sum /mnt/usb/evidence/* > /mnt/usb/evidence/evidence.hash

Correct Answer: B

CompTIA CySA+ CS0-002 – Question 149

The Chief Information Officer of a large cloud software vendor reports that many employees are falling victim to phishing emails because they appear to come from other employees. Which of the following would BEST prevent this issue?

A. Include digital signatures on messages originating within the company.
B. Require users to authenticate to the SMTP server.
C. Implement DKIM to perform authentication that will prevent the issue.
D. Set up an email analysis solution that looks for known malicious links within the email.

Correct Answer: C

CompTIA CySA+ CS0-002 – Question 148

A security analyst discovers a standard user has unauthorized access to the command prompt, PowerShell, and other system utilities. Which of the following is the BEST action for the security analyst to take?

A. Disable the appropriate settings in the administrative template of the Group Policy.
B. Use AppLocker to create a set of whitelist and blacklist rules specific to group membership.
C. Modify the registry keys that correlate with the access settings for the System32 directory.
D. Remove the user's permissions from the various system executables.

Correct Answer: A

CompTIA CySA+ CS0-002 – Question 147

A threat hunting team received a new IoC from an ISAC that follows a threat actor's profile and activities. Which of the following should be updated NEXT?

A. The whitelist
B. The DNS
C. The blocklist
D. The IDS signature

Correct Answer: D

CompTIA CySA+ CS0-002 – Question 146

During a review of the vulnerability scan results on a server, an information security analyst notices the following:

The MOST appropriate action for the analyst to recommend to developers is to change the web server so:

A. it only accepts TLSv1.2.
B. it only accepts cipher suites using AES and SHA.
C. it no longer accepts the vulnerable cipher suites.
D. SSL/TLS is offloaded to a WAF and load balancer.

Correct Answer: C

CompTIA CySA+ CS0-002 – Question 145

A company experienced a security compromise due to the inappropriate disposal of one of its hardware appliances. Sensitive information stored on the hardware appliance was not removed prior to disposal. Which of the following is the BEST manner in which to dispose of the hardware appliance?

A. Ensure the hardware appliance has the ability to encrypt the data before disposing of it.
B. Dispose of all hardware appliances securely, thoroughly, and in compliance with company policies.
C. Return the hardware appliance to the vendor, as the vendor is responsible for disposal.
D. Establish guidelines for the handling of sensitive information.

Correct Answer: B

CompTIA CySA+ CS0-002 – Question 144

A company's domain has been spoofed in numerous phishing campaigns. An analyst needs to determine why the company is a victim of domain spoofing, despite having a DMARC record that should tell mailbox providers to ignore any email that fails DMARC. Upon review of the record, the analyst finds the following:
v=DMARC1; p=none; fo=0; rua=mailto:security@company.com;
ruf=mailto:security@company.com; adkim=r; rf=afrf; ri=86400;
Which of the following BEST explains the reason why the company's requirements are not being processed correctly by mailbox providers?

A. The DMARC record's DKIM alignment tag is incorrectly configured.
B. The DMARC record's policy tag is incorrectly configured.
C. The DMARC record does not have an SPF alignment tag.
D. The DMARC record's version tag is set to DMARC1 instead of the current version, which is DMARC3.

Correct Answer: B
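The DMARC record quoted in Question 144 is a monitoring-only record: p=none tells mailbox providers to report failures but still deliver the mail, so a spoofed message that fails SPF and DKIM alignment lands in the inbox anyway. The parser below is an added example (not part of the exam question or of any vendor's code) that splits a DMARC TXT record into its tags, applies the RFC 7489 defaults for the tags that are absent (sp, aspf, adkim, pct), and reports whether the record actually enforces anything. The record embedded in it is the one from the question; the function names are my own.

```python
"""Assess a DMARC TXT record: does it tell receivers to act on failures?

Added example, not part of the exam question. RECORD is the record quoted in
Question 144; function names and the findings wording are this example's own.
"""

# The record from the question, reproduced as a constant.
RECORD = ("v=DMARC1; p=none; fo=0; rua=mailto:security@company.com; "
          "ruf=mailto:security@company.com; adkim=r; rf=afrf; ri=86400;")

# What each policy value asks a receiving mailbox provider to do (RFC 7489 section 6.3).
POLICY_EFFECT = {
    "none": "monitor only: mail that fails DMARC is still delivered",
    "quarantine": "treat failing mail as suspicious (typically the spam folder)",
    "reject": "refuse failing mail at SMTP time",
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value;' into an ordered dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # trailing ';' or doubled separators
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the effective policy settings plus a list of findings."""
    tags = parse_dmarc(record)
    findings = []

    if tags.get("v") != "DMARC1":
        findings.append("version tag must be exactly v=DMARC1")

    policy = tags.get("p")
    if policy is None:
        findings.append("required policy tag p= is missing; record is invalid")
    elif policy not in POLICY_EFFECT:
        findings.append(f"unknown policy value p={policy}")
    elif policy == "none":
        findings.append("p=none: providers deliver spoofed mail that fails DMARC; "
                        "set p=quarantine or p=reject to enforce")

    # pct defaults to 100; a lower value applies the policy to only that share of mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not an integer; treating as 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    return {
        "policy": policy,
        # sp= governs subdomains and inherits p= when absent.
        "subdomain_policy": tags.get("sp", policy),
        # Alignment modes default to relaxed ('r'); 's' is strict.
        "alignment": {"dkim": tags.get("adkim", "r"), "spf": tags.get("aspf", "r")},
        "enforcing": policy in ("quarantine", "reject"),
        "findings": findings,
    }


def set_policy(record: str, policy: str) -> str:
    """Return the same record with the p= tag replaced, other tags untouched."""
    if policy not in POLICY_EFFECT:
        raise ValueError(f"not a DMARC policy: {policy!r}")
    tags = parse_dmarc(record)
    tags["p"] = policy  # dict keeps insertion order, so p= stays in place
    return "; ".join(f"{k}={v}" for k, v in tags.items()) + ";"


if __name__ == "__main__":
    for line in assess_dmarc(RECORD)["findings"]:
        print("finding:", line)
    print("enforcing record:", set_policy(RECORD, "reject"))
```

Run against the question's record, assess_dmarc reports that the DKIM alignment (adkim=r) is merely the relaxed default and is not the problem; the single finding is p=none, which is why mailbox providers keep delivering the spoofed mail. set_policy produces the record with p=reject and the reporting addresses intact, which is the change the correct answer (B) calls for.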

CompTIA CySA+ CS0-002 – Question 143

A security analyst at example.com receives a SIEM alert for an IDS signature and reviews the associated packet capture and TCP stream:
Packet capture:

TCP stream:

Which of the following actions should the security analyst take NEXT?

A. Review the known Apache vulnerabilities to determine if a compromise actually occurred.
B. Contact the application owner for connect.example.local for additional information.
C. Mark the alert as a false positive scan coming from an approved source.
D. Raise a request to the firewall team to block 203.0.113.15.

Correct Answer: B

CompTIA CySA+ CS0-002 – Question 142

An analyst is responding to an incident involving an attack on a company-owned mobile device that was being used by an employee to collect data from clients in the field. Malware was loaded on the device via the installation of a third-party software package. The analyst has baselined the device. Which of the following should the analyst do to BEST mitigate future attacks?

A. Implement MDM.
B. Update the malware catalog.
C. Patch the mobile device's OS.
D. Block third-party applications.

Correct Answer: A

CompTIA CySA+ CS0-002 – Question 141

A security analyst is reviewing the following Internet usage trend report:

Which of the following usernames should the security analyst investigate further?

A. User 1
B. User 2
C. User 3
D. User 4

Correct Answer: B