200-300 Flashcards

1
Q

Which of the following prevents an employee from seeing a colleague who is visiting an inappropriate website?

A. Job rotation policy
B. NDA
C. AUP
D. Separation of duties policy

A

C. AUP (Acceptable Use Policy).

An Acceptable Use Policy outlines acceptable and unacceptable behavior concerning the use of company resources, including guidelines for internet usage.

2
Q

A user reports falling for a phishing email to an analyst. Which of the following system logs would the analyst check FIRST?

A. DNS
B. Message gateway
C. Network
D. Authentication

A

B. Message gateway

3
Q

An attacker has determined the best way to impact operations is to infiltrate third-party software vendors. Which of the following vectors is being exploited?

A. Social media
B. Cloud
C. Supply chain
D. Social Engineering

A

C. Supply chain

4
Q

An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?

A. VDI
B. MDM
C. COPE
D. UTM

A

A. VDI

5
Q

Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?

A. Chain of custody
B. Legal hold
C. Event log
D. Artifacts

A

A. Chain of custody

6
Q

The Chief Information Security Officer (CISO) of a bank recently updated the incident response policy. The CISO is concerned that members of the incident response team do not understand their roles. The bank wants to test the policy but with the least amount of resources or impact. Which of the following BEST meets the requirements?

A. Warm site failover
B. Tabletop walk-through
C. Parallel path testing
D. Full outage simulation

A

B. Tabletop walk-through

7
Q

Which of the following control types fixes a previously identified issue and mitigates a risk?

A. Detective
B. Corrective
C. Preventative
D. Finalized

A

B. Corrective

8
Q

An analyst is reviewing logs associated with an attack. The logs indicate an attacker downloaded a malicious file that was quarantined by the AV solution. The attacker utilized a local non-administrative account to restore the malicious file to a new location. The file was then used by another process to execute a payload.
Which of the following attacks did the analyst observe?

A. Privilege escalation
B. Request forgeries
C. Injection
D. Replay attack

A

C. Injection

9
Q

A security engineer must deploy two wireless routers in an office suite. Other tenants in the office building should not be able to connect to this wireless network.
Which of the following protocols should the engineer implement to ensure the STRONGEST encryption?

A. WPS
B. WPA2
C. WAP
D. HTTPS

A

B. WPA2

10
Q

An attacker browses a company’s online job board attempting to find any relevant information regarding the technologies the company uses. Which of the following BEST describes this social engineering technique?

A. Hoax
B. Reconnaissance
C. Impersonation
D. Pretexting

A

B. Reconnaissance

11
Q

An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? (Choose three.)

A. SFTP, FTPS
B. SNMPv2, SNMPv3
C. HTTP, HTTPS
D. TFTP, FTP
E. SNMPv1, SNMPv2
F. Telnet, SSH
G. TLS, SSL
H. POP, IMAP
I. Login, rlogin

A

C. HTTP, HTTPS
F. Telnet, SSH
E. SNMPv1, SNMPv2

11
Q

During an incident response process involving a laptop, a host was identified as the entry point for malware. The management team would like to have the laptop restored and given back to the user. The cybersecurity analyst would like to continue investigating the intrusion on the host. Which of the following would allow the analyst to continue the investigation and also return the laptop to the user as soon as possible?

A. dd
B. memdump
C. tcpdump
D. head

A

B. memdump (Memory Dump).

A memory dump captures the contents of a computer’s RAM.

11
Q

A security analyst needs to produce a document that details how a security incident occurred, the steps that were taken for recovery, and how future incidents can be avoided. During which of the following stages of the response process will this activity take place?

A. Recovery
B. Identification
C. Lessons learned
D. Preparation

A

C. Lessons learned

11
Q

An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?

A. [Permission Source Destination Port]
Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 67 -
Allow: Any Any 68 -
Allow: Any Any 22 -
Deny: Any Any 21 -
Deny: Any Any

B. [Permission Source Destination Port]
Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 67 -
Allow: Any Any 68 -
Deny: Any Any 22 -
Allow: Any Any 21 -
Deny: Any Any

C. [Permission Source Destination Port]
Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 22 -
Deny: Any Any 67 -
Deny: Any Any 68 -
Deny: Any Any 21 -
Allow: Any Any

D. [Permission Source Destination Port]
Allow: Any Any 80 -
Allow: Any Any 443 -
Deny: Any Any 67 -
Allow: Any Any 68 -
Allow: Any Any 22 -
Allow: Any Any 21 -
Allow: Any Any

A

A. [Permission Source Destination Port]
Allow: Any Any 80 -
Allow: Any Any 443 -
Allow: Any Any 67 -
Allow: Any Any 68 -
Allow: Any Any 22 -
Deny: Any Any 21 -
Deny: Any Any

11
Q

A company recently decided to allow its employees to use their personally owned devices for tasks like checking email and messaging via mobile applications. The company would like to use MDM, but employees are concerned about the loss of personal data. Which of the following should the IT department implement to BEST protect the company against company data loss while still addressing the employees’ concerns?

A. Enable the remote-wiping option in the MDM software in case the phone is stolen.
B. Configure the MDM software to enforce the use of PINs to access the phone.
C. Configure MDM for FDE without enabling the lock screen.
D. Perform a factory reset on the phone before installing the company’s applications.

A

B. Configure the MDM software to enforce the use of PINs to access the phone.

11
Q

A company is working on mobile device security after a report revealed that users granted non-verified software access to corporate data. Which of the following is the MOST effective security control to mitigate this risk?

A. Block access to application stores
B. Implement OTA updates
C. Update the BYOD policy
D. Deploy a uniform firmware

A

A. Block access to application stores

11
Q

A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case?

A. SPIM
B. Vishing
C. Spear phishing
D. Smishing

A

D. Smishing

11
Q

While investigating a recent security incident, a security analyst decides to view all network connections on a particular server. Which of the following would provide the desired information?

A. arp
B. nslookup
C. netstat
D. nmap

A

C. netstat

11
Q

The concept of connecting a user account across the systems of multiple enterprises is BEST known as:

A. federation.
B. a remote access policy.
C. multifactor authentication.
D. single sign-on.

A

A. federation.

11
Q

A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogeneous platforms?

A. Enforcing encryption
B. Deploying GPOs
C. Removing administrative permissions
D. Applying MDM software

A

D. Applying MDM software

12
Q

The new Chief Information Security Officer at a company has asked the security team to implement stronger user account policies. The new policies require:

  • Users to choose a password unique to their last ten passwords
  • Users to not log in from certain high-risk countries

Which of the following should the security team implement? (Choose two.)

A. Password complexity
B. Password history
C. Geolocation
D. Geofencing
E. Geotagging
F. Password reuse

A

B. Password history
D. Geofencing

12
Q

Which of the following is MOST likely to contain ranked and ordered information on the likelihood and potential impact of catastrophic events that may affect business processes and systems, while also highlighting the residual risks that need to be managed after mitigating controls have been implemented?

A. An RTO report
B. A risk register
C. A business impact analysis
D. An asset value register
E. A disaster recovery plan

A

B. A risk register

A risk register is a tool used in risk management to capture and document identified risks, their potential impact, the likelihood of occurrence, mitigating controls, and residual risks after controls have been applied. It helps prioritize risks and assists in developing strategies to manage and mitigate them effectively.

12
Q

Which of the following is MOST likely to outline the roles and responsibilities of data controllers and data processors?

A. SSAE SOC 2
B. PCI DSS
C. GDPR
D. ISO 31000

A

C. GDPR

13
Q

A worldwide manufacturing company has been experiencing email account compromises. In one incident, a user logged in from the corporate office in France, but then seconds later, the same user account attempted a login from Brazil. Which of the following account policies would BEST prevent this type of attack?

A. Network location
B. Impossible travel time
C. Geolocation
D. Geofencing

A

B. Impossible travel time

This policy sets restrictions based on the physical impossibility of a user travelling between distant locations in a short amount of time.

14
Q

A new vulnerability in the SMB protocol on the Windows systems was recently discovered, but no patches are currently available to resolve the issue. The security administrator is concerned that servers in the company’s DMZ will be vulnerable to external attack; however, the administrator cannot disable the service on the servers, as SMB is used by a number of internal systems and applications on the LAN. Which of the following TCP ports should be blocked for all external inbound connections to the DMZ as a workaround to protect the servers? (Choose two.)

A. 135
B. 139
C. 143
D. 161
E. 443
F. 445

A

B. 139
F. 445

Ports 139 and 445 are associated with the SMB protocol and are commonly used for file and printer sharing.

15
Q

A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender’s email address, along with other time-consuming mitigation actions. Which of the following can be configured to streamline those tasks?

A. SOAR playbook
B. MDM policy
C. Firewall rules
D. URL filter
E. SIEM data collection

A

A. SOAR playbook

16
Q

Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?

A. Version control
B. Continuous monitoring
C. Stored procedures
D. Automation

A

A. Version control

17
Q

A penetration tester is brought on site to conduct a full attack simulation at a hospital. The penetration tester notices a WAP that is hanging from the drop ceiling by its cabling and is reachable. Which of the following recommendations would the penetration tester MOST likely make given this observation?

A. Employ a general contractor to replace the drop-ceiling tiles.
B. Place the network cabling inside a secure conduit.
C. Secure the access point and cabling inside the drop ceiling.
D. Utilize only access points that have internal antennas.

A

C. Secure the access point and cabling inside the drop ceiling.

18
Q

Which of the following techniques eliminates the use of rainbow tables for password cracking?

A. Hashing
B. Tokenization
C. Asymmetric encryption
D. Salting

A

D. Salting

Salting involves adding a unique random value (salt) to each password before hashing. This process ensures that even if two users have the same password, their hashed passwords will be different due to the addition of unique salts.

19
Q

During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?

A. ls
B. chflags
C. chmod
D. lsof
E. setuid

A

C. chmod

20
Q

A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site customer support. Which of the following should the administrator employ to meet these criteria?

A. Implement NAC.
B. Implement an SWG.
C. Implement a URL filter.
D. Implement an MDM.

A

B. Implement an SWG.

21
Q

A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

A. Salting the magnetic strip information
B. Encrypting the credit card information in transit
C. Hashing the credit card numbers upon entry
D. Tokenizing the credit cards in the database

A

D. Tokenizing the credit cards in the database

Tokenization replaces sensitive data elements with randomized unique strings, known as tokens, so the real card numbers are never stored in the application database.

22
Q

Which of the following supplies non-repudiation during a forensics investigation?

A. Dumping volatile memory contents first
B. Duplicating a drive with dd
C. Using a SHA-2 signature of a drive image
D. Logging everyone in contact with evidence
E. Encrypting sensitive data

A

C. Using a SHA-2 signature of a drive image

23
Q

A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

A. Customers’ dates of birth
B. Customers’ email addresses
C. Marketing strategies
D. Employee salaries

A

C. Marketing strategies

24
Q

Which of the following holds staff accountable while escorting unauthorized personnel?

A. Locks
B. Badges
C. Cameras
D. Visitor logs

A

D. Visitor logs

25
Q

An organization’s Chief Security Officer (CSO) wants to validate the business’s involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

A. An external security assessment
B. A bug bounty program
C. A tabletop exercise
D. A red-team engagement

A

C. A tabletop exercise

Tabletop exercises are simulations or discussions designed to test an organization’s incident response plan in a relaxed environment without the pressure of a real incident.

26
Q

Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?

A. Cloud control matrix
B. Reference architecture
C. NIST RMF
D. CIS Top 20

A

B. Reference architecture

A reference architecture typically outlines recommended practices, configurations, and deployment strategies provided by the manufacturer to assist users in implementing their products or systems effectively within their infrastructure.

27
Q

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?

A. Legacy operating system
B. Weak configuration
C. Zero day
D. Supply chain

A

C. Zero day

28
Q

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?

A. Watering hole
B. Typosquatting
C. Hoax
D. Impersonation

A

A. Watering hole

A watering hole attack involves an attacker infecting websites that individuals from a particular organization or industry are known to visit frequently. The attackers use these compromised websites as a lure to exploit vulnerabilities in visitors’ systems and gain unauthorized access or deploy malware.

29
Q

A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection and prevention?

A. NIDS
B. HIPS
C. AV
D. NGFW

A

B. HIPS (Host-based Intrusion Prevention System)

HIPS is designed to monitor and analyze network traffic and system activities on individual devices. It can detect suspicious behavior or changes to critical system files, applications, and configurations, and then take action to prevent potential intrusions or attacks in real-time.

30
Q

During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

A. Check for any recent SMB CVEs.
B. Install AV on the affected server.
C. Block unneeded TCP 445 connections.
D. Deploy a NIDS in the affected subnet.

A

C. Block unneeded TCP 445 connections.

31
Q

A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory. Which of the following attacks is the penetration tester planning to execute?

A. Race-condition
B. Pass-the-hash
C. Buffer overflow
D. XSS

A

C. Buffer Overflow

In a buffer overflow attack, an attacker inputs more data than the buffer was designed to handle, causing it to overflow and potentially overwrite adjacent memory, including the EIP on the stack. By identifying the location of the EIP, an attacker can potentially hijack the program’s control flow to execute arbitrary code or commands. Fuzzing is a technique used to identify vulnerabilities, including potential buffer overflow vulnerabilities, by sending unexpected or malformed data to an application.

32
Q

Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number of virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power?

A. Dynamic resource allocation
B. High availability
C. Segmentation
D. Container security

A

A. Dynamic resource allocation

Dynamic resource allocation involves the ability to adjust memory, processor usage, and other resources among virtual servers based on demand. This approach allows the system to efficiently utilize available resources by dynamically allocating them where and when they are needed most.

33
Q

A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information that should feed into a SIEM solution in order to adequately support an investigation?

A. Logs from each device type and security layer to provide correlation of events
B. Only firewall logs since that is where attackers will most likely try to breach the network
C. Email and web-browsing logs because user behavior is often the cause of security breaches
D. NetFlow because it is much more reliable to analyze than syslog and will be exportable from every device

A

A. Logs from each device type and security layer to provide correlation of events

33
Q

An organization just implemented a new security system. Local laws state that citizens must be notified prior to encountering the detection mechanism to deter malicious activities. Which of the following is being implemented?

A. Proximity cards with guards
B. Fence with electricity
C. Drones with alarms
D. Motion sensors with signage

A

D. Motion sensors with signage

34
Q

An IT security manager requests a report on company information that is publicly available. The manager’s concern is that malicious actors will be able to access the data without engaging in active reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?

A. Provide a domain parameter to theHarvester tool.
B. Check public DNS entries using dnsenum.
C. Perform a Nessus vulnerability scan targeting a public company’s IP.
D. Execute nmap using the options: scan all ports and sneaky mode.

A

A. Provide a domain parameter to theHarvester tool.

36
Q

Which of the following environments utilizes dummy data and is MOST likely to be installed locally on a system that allows code to be assessed directly and modified easily with each build?

A. Production
B. Test
C. Staging
D. Development

A

D. Development

37
Q

An analyst receives multiple alerts for beaconing activity for a host on the network. After analyzing the activity, the analyst observes the following activity:

  • A user enters comptia.org into a web browser.
  • The website that appears is not the comptia.org site.
  • The website is a malicious site from the attacker.
  • Users in a different office are not having this issue.

Which of the following types of attacks was observed?

A. On-path attack
B. DNS poisoning
C. Locator (URL) redirection
D. Domain hijacking

A

B. DNS poisoning

DNS poisoning is a type of attack where the DNS records are manipulated to redirect users from legitimate websites to malicious ones. In this case, when the user attempts to access “comptia.org,” the DNS resolution is manipulated to redirect the user to a malicious website instead of the legitimate site, indicating a DNS poisoning attack.

38
Q

Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?

A. Activate verbose logging in all critical assets.
B. Tune monitoring in order to reduce false positive rates.
C. Redirect all events to multiple syslog servers.
D. Increase the number of sensors present on the environment.

A

B. Tune monitoring to reduce false positive rates.

By optimizing and refining monitoring tools and configurations to decrease false positives, security teams can focus more on genuine threats, thereby accelerating the identification of potential incidents. This helps in differentiating actual security events from noise, enabling quicker identification and response to genuine threats.

38
Q

A security administrator is analyzing the corporate wireless network. The network only has two access points running on channels 1 and 11. While using airodump-ng, the administrator notices other access points are running with the same corporate ESSID on all available channels and with the same BSSID of one of the legitimate access points. Which of the following attacks is happening on the corporate network?

A. On-path
B. Evil twin
C. Jamming
D. Rogue access point
E. Disassociation

A

B. Evil twin

An evil twin attack involves:

  • Setting up a rogue wireless access point with an identical Service Set Identifier (SSID) as the legitimate network.
  • Broadcasting the rogue access point with the same BSSID as one of the actual access points in use.

39
Q

When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure?

A. Z-Wave compatibility
B. Network range
C. Zigbee configuration
D. Communication protocols

A

D. Communication protocols

40
Q

An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities?

A. hping3 -S comptia-org -p 80
B. nc -l -v comptia.org -p 80
C. nmap comptia.org -p 80 -sV
D. nslookup -port=80 comptia.org

A

C. nmap comptia.org -p 80 -sV.

Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection; the -sV option probes open ports to determine the service and version running, which is what is needed to spot outdated web server software.

41
Q

A company wants to build a new website to sell products online. The website will host a storefront application that will allow visitors to add products to a shopping cart and pay for the products using a credit card. Which of the following protocols would be the MOST secure to implement?

A. SSL
B. SFTP
C. SNMP
D. TLS

A

D. TLS

42
Q

An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?

A. ALE
B. ARO
C. RPO
D. SLE

A

B. ARO (Annualized Rate of Occurrence).

Explanation:

ARO represents the frequency or rate at which a loss event occurs within a year. It is used to estimate the likelihood or occurrence of a specific loss event happening in a given year.

43
Q

A Chief Executive Officer’s (CEO) personal information was stolen in a social-engineering attack. Which of the following sources would reveal if the CEO’s personal information is for sale?

A. Automated information sharing
B. Open-source intelligence
C. The dark web
D. Vulnerability databases

A

C. The dark web

44
Q

An organization is repairing the damage after an incident. Which of the following controls is being implemented?

A. Detective
B. Preventive
C. Corrective
D. Compensating

A

C. Corrective

45
Q

Which of the following typically uses a combination of human and artificial intelligence to analyze event data and take action without intervention?

A. TTP
B. OSINT
C. SOAR
D. SIEM

A

C. SOAR

46
Q

A security analyst has been tasked with creating a new WiFi network for the company. The requirements received by the analyst are as follows:

  • Must be able to differentiate between users connected to WiFi
  • The encryption keys need to change routinely without interrupting the users or forcing reauthentication
  • Must be able to integrate with RADIUS
  • Must not have any open SSIDs

Which of the following options BEST accommodates these requirements?

A. WPA2-Enterprise
B. WPA3-PSK
C. 802.11n
D. WPS

A

A. WPA2-Enterprise

Deploying WPA2-Enterprise requires a RADIUS server, which handles the task of authenticating network users' access. The actual authentication process is based on the 802.1X policy and comes in several different systems labelled

47
Q

A Chief Security Officer is looking for a solution that can reduce the occurrence of customers receiving errors from back-end infrastructure when systems go offline unexpectedly. The security architect would like the solution to help maintain session persistence. Which of the following would BEST meet the requirements?

A. Reverse proxy
B. NIC teaming
C. Load balancer
D. Forward proxy

A

C. Load balancer.

Load balancers are designed to distribute network or application traffic across multiple servers or resources to ensure efficient use of resources, improve reliability, and prevent overloading of individual servers.

Load balancers can detect when a server goes offline unexpectedly and redirect traffic to other available servers, reducing errors customers might receive due to server unavailability.

48
Q

Which of the following should an organization consider implementing in the event executives need to speak to the media after a publicized data breach?

A. Incident response plan
B. Business continuity plan
C. Communication plan
D. Disaster recovery plan

A

C. Communications Plan

49
Q

A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this scenario?

A. Configuring signature-based antivirus to update every 30 minutes
B. Enforcing S/MIME for email and automatically encrypting USB drives upon insertion
C. Implementing application execution in a sandbox for unknown software
D. Fuzzing new files for vulnerabilities if they are not digitally signed

A

C. Implementing application execution in a sandbox for unknown software.

50
Q

A company is implementing BYOD and wants to ensure all users have access to the same cloud-based services. Which of the following would BEST allow the company to meet this requirement?

A. IaaS
B. PaaS
C. MaaS
D. SaaS

A

D. SaaS

51
Q

An organization is tuning SIEM rules based off of threat intelligence reports. Which of the following phases of the incident response process does this scenario represent?

A. Lessons learned
B. Eradication
C. Recovery
D. Preparation

A

D. Preparation

52
Q

A company’s security team received notice of a critical vulnerability affecting a high-profile device within the web infrastructure. The vendor patch was just made available online but has not yet been regression tested in development environments. In the interim, firewall rules were implemented to reduce the access to the interface affected by the vulnerability. Which of the following controls does this scenario describe?

A. Deterrent
B. Compensating
C. Detective
D. Preventive

A

B. Compensating

53
Q

A company was recently breached. Part of the company’s new cybersecurity strategy is to centralize the logs from all security devices. Which of the following components forwards the logs to a central source?

A. Log enrichment
B. Log aggregation
C. Log parser
D. Log collector

A

B. Log aggregation

54
Q

Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?

A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To facilitate third-party access

A

A. To avoid data leakage

55
Q

A user forwarded a suspicious email to the security team. Upon investigation, a malicious URL was discovered. Which of the following should be done FIRST to prevent other users from accessing the malicious URL?

A. Configure the web content filter for the web address.
B. Report the website to threat intelligence partners.
C. Set the SIEM to alert for any activity to the web address.
D. Send out a corporate communication to warn all users of the malicious email.

A

A. Configure the web content filter for the web address.

56
Q

A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Choose two.)

A. The order of volatility
B. A CRC32 checksum
C. The provenance of the artifacts
D. The vendor’s name
E. The date and time
F. A warning banner

A

E. The date and time
C. The provenance of the artifacts

57
Q

An organization is migrating several SaaS applications that support SSO. The security manager wants to ensure the migration is completed securely. Which of the following application integration aspects should the organization consider before focusing on underlying implementation details? (Choose two.)

A. The back-end directory source
B. The identity federation protocol
C. The hashing method
D. The encryption method
E. The registration authority
F. The certificate authority

A

B. The identity federation protocol
F. The certificate authority

58
Q

A security analyst has been tasked with finding the maximum amount of data loss that can occur before ongoing business operations would be impacted. Which of the following terms BEST defines this metric?

A. MTTR
B. RTO
C. RPO
D. MTBF

A

C. RPO

RPO (Recovery Point Objective): the maximum acceptable amount of data loss, measured in time, that an organization is willing to tolerate.

59
Q

The IT department’s on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?

A. Limit the use of third-party libraries.
B. Prevent data exposure queries.
C. Obfuscate the source code.
D. Submit the application to QA before releasing it.

A

D. Submit the application to QA before releasing it.

60
Q

During a security incident investigation, an analyst consults the company’s SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide this information?

A. WAF logs
B. DNS logs
C. System logs
D. Application logs

A

B. DNS logs

61
Q

A company has a flat network that is deployed in the cloud. Security policy states that all production and development servers must be segmented. Which of the following should be used to design the network to meet the security requirements?

A. CASB
B. VPC
C. Perimeter network
D. WAF

A

B. VPC

62
Q

A new plug-and-play storage device was installed on a PC in the corporate environment. Which of the following safeguards will BEST help to protect the PC from malicious files on the storage device?

A. Change the default settings on the PC.
B. Define the PC firewall rules to limit access.
C. Encrypt the disk on the storage device.
D. Plug the storage device into the UPS.

A

C. Encrypt the disk on the storage device.

63
Q

A company is adopting a BYOD policy and is looking for a comprehensive solution to protect company information on user devices. Which of the following solutions would BEST support the policy?

A. Mobile device management
B. Full-device encryption
C. Remote wipe
D. Biometrics

A

A. Mobile device management

64
Q

A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy to implement?

A. Incremental backups followed by differential backups
B. Full backups followed by incremental backups
C. Delta backups followed by differential backups
D. Incremental backups followed by delta backups
E. Full backups followed by differential backups

A

E. Full backups followed by differential backups

65
Q

The compliance team requires an annual recertification of privileged and non-privileged user access. However, multiple users who left the company six months ago still have access. Which of the following would have prevented this compliance violation?

A. Account audits
B. AUP
C. Password reuse
D. SSO

A

A. Account audits

66
Q

A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach?

A. A firewall
B. A device PIN
C. A USB data blocker
D. Biometrics

A

C. A USB data blocker

67
Q

The manager who is responsible for a data set has asked a security engineer to apply encryption to the data on a hard disk. The security engineer is an example of a __________.

A. data controller.
B. data owner.
C. data custodian.
D. data processor.

A

C. data custodian.

68
Q

An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?

A. SED
B. HSM
C. DLP
D. TPM

A

A. SED (Self-Encrypting Drive).

Self-Encrypting Drives (SEDs) offer hardware-based encryption directly on the drive itself, ensuring that all data stored on the drive is automatically encrypted and remains protected even if the drive is removed or stolen.

69
Q

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?

A. A DMZ
B. A VPN
C. A VLAN
D. An ACL

A

D. An ACL

70
Q

Which of the following BEST describes when an organization utilizes a ready-to-use application from a cloud provider?

A. IaaS
B. SaaS
C. PaaS
D. XaaS

A

B. SaaS

71
Q

Which of the following BEST helps to demonstrate integrity during a forensic investigation?

A. Event logs
B. Encryption
C. Hashing
D. Snapshots

A

C. Hashing

72
Q

Which of the following would be MOST effective to contain a rapidly spreading attack that is affecting a large number of organizations?

A. Machine learning
B. DNS sinkhole
C. Blocklist
D. Honeypot

A

B. DNS sinkhole.

A DNS sinkhole is a technique that redirects malicious traffic from its intended destination to a controlled server or IP address. It prevents infected devices from connecting to malicious domains or IPs, thereby stopping the malware from communicating with its command-and-control servers and spreading further across networks.

73
Q

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:

CPU 0 percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy

Which of the following is the router experiencing?

A. DDoS attack
B. Memory leak
C. Buffer overflow
D. Resource exhaustion

A

D. Resource exhaustion

74
Q

The Chief Executive Officer (CEO) of an organization would like staff members to have the flexibility to work from home anytime during business hours, including during a pandemic or crisis. However, the CEO is concerned that some staff members may take advantage of the flexibility and work from high-risk countries while on holiday or outsource work to a third-party organization in another country. The Chief Information Officer (CIO) believes the company can implement some basic controls to mitigate the majority of the risk. Which of the following would be BEST to mitigate the CEO’s concerns? (Choose two.)

A. Geolocation
B. Time-of-day restrictions
C. Certificates
D. Tokens
E. Geotagging
F. Role-based access controls

A

A. Geolocation
B. Time-of-day restrictions

75
Q

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior. Which of the following is MOST likely occurring?

A. A RAT was installed and is transferring additional exploit tools.
B. The workstations are beaconing to a command-and-control server.
C. A logic bomb was executed and is responsible for the data transfers.
D. A fileless virus is spreading in the local network environment.

A

A. A RAT was installed and is transferring additional exploit tools.

76
Q

A business is looking for a cloud service provider that offers a la carte services, including cloud backups, VM elasticity, and secure networking. Which of the following cloud service provider types should the business engage?

A. IaaS
B. PaaS
C. XaaS
D. SaaS

A

A. IaaS

IaaS providers offer infrastructure components such as virtual machines, storage, and networking as individual services, allowing users to select and manage the resources they require.

77
Q

A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and on the Internet using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible while causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?

A. Update the host firewalls to block outbound SMB.
B. Place the machines with the unapproved software in containment.
C. Place the unauthorized application in a blocklist.
D. Implement a content filter to block the unauthorized software communication.

A

B. Place the machines with the unapproved software in containment.

78
Q

A security analyst has been reading about a newly discovered cyberattack from a known threat actor. Which of the following would BEST support the analyst’s review of the tactics, techniques, and protocols the threat actor was observed using in previous campaigns?

A. Security research publications
B. The MITRE ATT&CK framework
C. The Diamond Model of Intrusion Analysis
D. The Cyber Kill Chain

A

B. The MITRE ATT&CK framework

79
Q
A
80
Q

A security analyst is hardening a network infrastructure. The analyst is given the following requirements:

  • Preserve the use of public IP addresses assigned to equipment on the core router.
  • Enable “in transport” encryption protection to the web server with the strongest ciphers.

Which of the following should the analyst implement to meet these requirements? (Choose two.)

A. Configure VLANs on the core router.
B. Configure NAT on the core router.
C. Configure BGP on the core router.
D. Enable AES encryption on the web server.
E. Enable 3DES encryption on the web server.
F. Enable TLSv2 encryption on the web server.

A

B. Configure NAT on the core router.
F. Enable TLSv2 encryption on the web server.

81
Q
A