
CompTIA CySA+ 2023 Questions and Answers - Part 35

Mary Smith

Tue, 21 Apr 2026


1. A security incident has been created after noticing unusual behavior from a Windows domain controller. The server administrator has discovered that a user logged in to the server with elevated permissions, but the user's account does not follow the standard corporate naming scheme. There are also several other accounts in the Administrators group that do not follow this naming scheme. Which of the following is the possible cause for this behavior and the BEST remediation step?

A) The Windows Active Directory domain controller has not completed synchronization, and should force the domain controller to sync.
B) The naming scheme allows for too many variations, and the account naming convention should be updated to enforce organizational policies.
C) The server has been compromised and should be removed from the network and cleaned before reintroducing it to the network.
D) The server administrator created user accounts by cloning the wrong user ID, and the accounts should be removed from Administrators and placed in an employee group.



2. During an investigation, a computer is being seized. Which of the following is the FIRST step the analyst should take?

A) Perform a physical hard disk image.
B) Initiate chain-of-custody documentation.
C) Unplug the network cable and take screenshots of the desktop.
D) Power off the computer and remove it from the network.



3. In order to meet regulatory compliance objectives for the storage of PHI, vulnerability scans must be conducted on a continuous basis. The last completed scan of the network returned 5,682 possible vulnerabilities. The Chief Information Officer (CIO) would like to establish a remediation plan to resolve all known issues. Which of the following is the BEST way to proceed?

A) Reduce the scan to items identified as critical in the asset inventory, and resolve these issues first.
B) Place assets that handle PHI in a sandbox environment, and then resolve all vulnerabilities.
C) Attempt to identify all false positives and exceptions, and then resolve all remaining items.
D) Hold off on additional scanning until the current list of vulnerabilities has been resolved.



4. An insurance company employs quick-response team drivers that carry corporate-issued mobile devices with the insurance company's app installed on them. Devices are configuration-hardened by an MDM and kept up to date. The employees use the app to collect insurance claim information and process payments. Recently, a number of customers have filed complaints of credit card fraud against the insurance company, which occurred shortly after their payments were processed via the mobile app. The cyber-incident response team has been asked to investigate. Which of the following is MOST likely the cause?

A) 3G and less secure cellular technologies are not restricted.
B) The app does not employ TLS.
C) The MDM server is misconfigured.
D) USB tethering is enabled.



5. A company allows employees to work remotely. The security administrator is configuring services that will allow remote help desk personnel to work securely outside the company's headquarters. Which of the following presents the BEST solution to meet this goal?

A) Open port 3389 on the firewall to the server to allow users to connect remotely.
B) Configure a VPN concentrator to terminate in the DMZ to allow help desk personnel access to resources.
C) Set up a jump box for all help desk personnel to remotely access system resources.
D) Use the company's existing web server for remote access and configure it over port 8080.



1. Right Answer: B
Explanation:

2. Right Answer: D
Explanation:

3. Right Answer: A
Explanation:

4. Right Answer: B
Explanation:

5. Right Answer: B
Explanation:
