CompTIA CySA+CS0-002 – Question120

While implementing a PKI for a company, a security analyst plans to utilize a dedicated server as the certificate authority that is only used to sign intermediate certificates. Which of the following are the MOST secure states for the certificate authority server when it is not in use? (Choose two.)

A. On a private VLAN
B. Full disk encrypted
C. Powered off
D. Backed up hourly
E. VPN accessible only
F. Air gapped

Correct Answer: CF

CompTIA CySA+CS0-002 – Question119

While monitoring the information security notification mailbox, a security analyst notices several emails were reported as spam. Which of the following should the analyst do FIRST?

A. Block the sender in the email gateway.
B. Delete the email from the company's email servers.
C. Ask the sender to stop sending messages.
D. Review the message in a secure environment.

Correct Answer: D

CompTIA CySA+CS0-002 – Question118

In SIEM software, a security analyst detected some changes to hash signatures from monitored files during the night followed by SMB brute-force attacks against the file servers. Based on this behavior, which of the following actions should be taken FIRST to prevent a more serious compromise?

A. Fully segregate the affected servers physically in a network segment, apart from the production network.
B. Collect the network traffic during the day to understand if the same activity is also occurring during business hours.
C. Check the hash signatures, comparing them with malware databases to verify if the files are infected.
D. Collect all the files that have changed and compare them with the previous baseline.

Correct Answer: A

CompTIA CySA+CS0-002 – Question117

After examining a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them. Which of the following techniques is the analyst using?

A. Header analysis
B. File carving
C. Metadata analysis
D. Data recovery

Correct Answer: D

CompTIA CySA+CS0-002 – Question116

An organization has the following risk mitigation policies:
– Risks without compensating controls will be mitigated first if the risk value is greater than $50,000.
– Other risk mitigation will be prioritized based on risk value.
The following risks have been identified:

Which of the following is the order of priority for risk mitigation from highest to lowest?

A. A, C, D, B
B. B, C, D, A
C. C, B, A, D
D. C, D, A, B
E. D, C, B, A

Correct Answer: C

CompTIA CySA+CS0-002 – Question115

An organization has the following policy statements:
– All emails entering or leaving the organization will be subject to inspection for malware, policy violations, and unauthorized content.
– All network activity will be logged and monitored.
– Confidential data will be tagged and tracked.
– Confidential data must never be transmitted in an unencrypted form.
– Confidential data must never be stored on an unencrypted mobile device.
Which of the following is the organization enforcing?

A. Acceptable use policy
B. Data privacy policy
C. Encryption policy
D. Data management policy

Correct Answer: D

CompTIA CySA+CS0-002 – Question114

Which of the following BEST describes what an organization's incident response plan should cover regarding how the organization handles public or private disclosures of an incident?

A. The disclosure section should focus on how to reduce the likelihood customers will leave due to the incident.
B. The disclosure section should contain the organization's legal and regulatory requirements regarding disclosures.
C. The disclosure section should include the names and contact information of key employees who are needed for incident resolution.
D. The disclosure section should contain language explaining how the organization will reduce the likelihood of the incident from happening in the future.

Correct Answer: B

CompTIA CySA+CS0-002 – Question113

A security analyst is investigating an incident related to an alert from the threat detection platform on a host (10.0.1.25) in a staging environment that could be running a cryptomining tool because it is sending traffic to an IP address that is related to Bitcoin.
The network rules for the instance are the following:

Which of the following is the BEST way to isolate and triage the host?

A. Remove rules 1, 2, and 3.
B. Remove rules 1, 2, 4, and 5.
C. Remove rules 1, 2, 3, 4, and 5.
D. Remove rules 1, 2, and 5.
E. Remove rules 1, 4, and 5.
F. Remove rules 4 and 5.

Correct Answer: E

CompTIA CySA+CS0-002 – Question112

Which of the following BEST explains the function of TPM?

A. To provide hardware-based security features using unique keys
B. To ensure platform confidentiality by storing security measurements
C. To improve management of the OS installations
D. To implement encryption algorithms for hard drives

Correct Answer: A

CompTIA CySA+CS0-002 – Question111

The security team decides to meet informally to discuss and test their response plan for potential security breaches and emergency situations. Which of the following types of training will the security team perform?

A. Tabletop exercise
B. Red-team attack
C. System assessment implementation
D. Blue-team training
E. White-team engagement

Correct Answer: A