201-250 Flashcards

1
Q

Which of the following will provide the BEST physical security countermeasures to stop intruders?
(Select TWO.)

A
A. Alarms
B. Signage
C. Lighting
D. Mantraps
E. Fencing
F. Sensors
Answer: D,E
2
Q

A security analyst is reviewing a penetration-testing report from a third-party contractor. The
penetration testers used the organization’s new API to bypass a driver to perform privilege escalation on
the organization’s web servers. Upon looking at the API, the security analyst realizes the particular API
call was to a legacy system running an outdated OS.
Which of the following is the MOST likely attack type?

A
A. Request forgery
B. Session replay
C. DLL injection
D. Shimming
Answer: A
3
Q

A user enters a password to log in to a workstation and is then prompted to enter an authentication
code.
Which of the following MFA factors or attributes are being utilized in the authentication process? (Select
TWO).

A
A. Something you know
B. Something you have
C. Somewhere you are
D. Someone you are
E. Something you are
F. Something you can do
Answer: B,E
4
Q

The manager who is responsible for a data set has asked a security engineer to apply encryption to
the data on a hard disk.
The security engineer is an example of a:

A
A. data controller.
B. data owner.
C. data custodian.
D. data processor.
Answer: D
5
Q

A security incident may have occurred on the desktop PC of an organization’s Chief Executive Officer
(CEO). A duplicate copy of the CEO’s hard drive must be stored securely to ensure appropriate forensic
processes and the chain of custody are followed.

Which of the following should be performed to accomplish this task?

A

A. Install a new hard drive in the CEO’s PC, and then remove the old hard drive and place it in a
tamper-evident bag.
B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd
command in a live Linux environment to create a duplicate copy.
C. Remove the CEO’s hard drive from the PC, connect it to the forensic workstation, and copy all the
contents onto a remote file share while the CEO watches.
D. Refrain from completing a forensic analysis of the CEO’s hard drive until after the incident is confirmed;
duplicating the hard drive at this stage could destroy evidence.
Answer: D

6
Q

An organization blocks user access to command-line interpreters but hackers still managed to invoke
the interpreters using native administrative tools.

Which of the following should the security team do to prevent this from happening in the future?

A

A. Implement HIPS to block inbound and outbound SMB ports 139 and 445.
B. Trigger a SIEM alert whenever the native OS tools are executed by the user.
C. Disable the built-in OS utilities as long as they are not needed for functionality.
D. Configure the AV to quarantine the native OS tools whenever they are executed.
Answer: C

7
Q

Which of the following BEST describes the MFA attribute that requires a callback on a predefined
landline?

A
A. Something you exhibit
B. Something you can do
C. Someone you know
D. Somewhere you are
Answer: D
8
Q

A security analyst needs to implement security features across smartphones, laptops, and tablets.
Which of the following would be the MOST effective across heterogeneous platforms?

A
A. Enforcing encryption
B. Deploying GPOs
C. Removing administrative permissions
D. Applying MDM software
Answer: D
9
Q

A large industrial system’s smart generator monitors the system status and sends alerts to third-party
maintenance personnel when critical failures occur. While reviewing the network logs the company’s
security manager notices the generator’s IP is sending packets to an internal file server’s IP.
Which of the following mitigations would be BEST for the security manager to implement while
maintaining alerting capabilities?

A
A. Segmentation
B. Firewall whitelisting
C. Containment
D. Isolation
Answer: A
10
Q

Which of the following environments minimizes end-user disruption and is MOST likely to be used to
assess the impacts of any database migrations or major system changes by using the final version of the
code?

A
A. Staging
B. Test
C. Production
D. Development
Answer: B
11
Q

Which of the following is the correct order of volatility from MOST to LEAST volatile?

A

A. Memory, temporary filesystems, routing tables, disk, network storage
B. Cache, memory, temporary filesystems, disk, archival media
C. Memory, disk, temporary filesystems, cache, archival media
D. Cache, disk, temporary filesystems, network storage, archival media
Answer: B

12
Q

A recent security assessment revealed that an actor exploited a vulnerable workstation within an
organization and has persisted on the network for several months. The organization realizes the need to
reassess its security strategy for mitigating risks within the perimeter.
Which of the following solutions would BEST support the organization’s strategy?

A
A. FIM
B. DLP
C. EDR
D. UTM
Answer: C
13
Q

A network administrator has been alerted that web pages are experiencing long load times.
After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command,
and receives the following output:

Which of the following is the router experiencing?

A
A. DDoS attack
B. Memory leak
C. Buffer overflow
D. Resource exhaustion
Answer: D
14
Q

A user must introduce a password and a USB key to authenticate against a secure computer, and
authentication is limited to the state in which the company resides.
Which of the following authentication concepts are in use?

A

A. Something you know, something you have, and somewhere you are
B. Something you know, something you can do, and somewhere you are
C. Something you are, something you know, and something you can exhibit
D. Something you have, somewhere you are, and someone you know
Answer: A

15
Q

A security analyst is concerned about traffic initiated to the dark web from the corporate LAN.
Which of the following networks should the analyst monitor?

A
A. SFTP
B. AS
C. Tor
D. IoC
Answer: C
16
Q

A root cause analysis reveals that a web application outage was caused by one of the company’s
developers uploading a newer version of the third-party libraries that were shared among several
applications.
Which of the following implementations would be BEST to prevent the issue from reoccurring?

A
A. CASB
B. SWG
C. Containerization
D. Automated failover
Answer: C
17
Q

A security analyst is reviewing logs on a server and observes the following output:
Which of the following is the security analyst observing?

A
A. A rainbow table attack
B. A password-spraying attack
C. A dictionary attack
D. A keylogger attack
Answer: C
18
Q

HOTSPOT
Select the appropriate attack and remediation from each drop-down list to label the corresponding attack
with its remediation.

A

{{ PIC }}

19
Q

Employees are having issues accessing the company’s website. Some employees report very slow
performance, while others cannot access the website at all. The web and security administrators search the logs
and find millions of half-open connections to port 443 on the web server. Further analysis reveals
thousands of different source IPs initiating this traffic.

Which of the following attacks is MOST likely occurring?

A
A. DDoS
B. Man-in-the-middle
C. MAC flooding
D. Domain hijacking
Answer: A
20
Q

A nuclear plant was the victim of a recent attack, and all the networks were air gapped. A subsequent
investigation revealed a worm as the source of the issue.
Which of the following BEST explains what happened?

A

A. A malicious USB was introduced by an unsuspecting employee.
B. The ICS firmware was outdated.
C. A local machine has a RAT installed.
D. The HVAC was connected to the maintenance vendor.
Answer: A

21
Q

Which of the following would be the BEST resource for a software developer who is looking to
improve secure coding practices for web applications?

A
A. OWASP
B. Vulnerability scan results
C. NIST CSF
D. Third-party libraries
Answer: A
22
Q

DRAG DROP

A security engineer is setting up passwordless authentication for the first time.

A

{{ PIC }}

23
Q

Which of the following BEST describes a security exploit for which a vendor patch is not readily
available?

A
A. Integer overflow
B. Zero-day
C. End of life
D. Race condition
Answer: B
24
Q

A security analyst is looking for a solution to help communicate to the leadership team the severity
levels of the organization’s vulnerabilities.

Which of the following would BEST meet this need?

A
A. CVE
B. SIEM
C. SOAR
D. CVSS
Answer: D
25
Q

A major political party experienced a server breach. The hacker then publicly posted stolen internal
communications concerning campaign strategies to give the opposition party an advantage.

Which of the following BEST describes these threat actors?

A
A. Semi-authorized hackers
B. State actors
C. Script kiddies
D. Advanced persistent threats
Answer: B
26
Q

A security analyst receives a SIEM alert that someone logged in to the appadmin test account, which
is only used for the early detection of attacks.
The security analyst then reviews the following application log:
Which of the following can the security analyst conclude?

A

A. A replay attack is being conducted against the application.
B. An injection attack is being conducted against a user authentication system.
C. A service account password may have been changed, resulting in continuous failed logins within the
application.
D. A credentialed vulnerability scanner attack is testing several CVEs against the application.
Answer: C

27
Q

During a security assessment, a security analyst finds a file with overly permissive permissions.
Which of the following tools will allow the analyst to reduce the permissions for the existing users and
groups and remove the set-user-ID bit from the file?

A
A. ls
B. chflags
C. chmod
D. lsof
E. setuid
Answer: D
28
Q

A security administrator needs to create a RAID configuration that is focused on high read speeds
and fault tolerance. It is unlikely that multiple drives will fail simultaneously.

Which of the following RAID configurations should the administrator use?

A
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 10
Answer: C
29
Q

Which of the following BEST explains the reason why a server administrator would place a document
named password.txt on the desktop of an administrator account on a server?

A

A. The document is a honey file and is meant to attract the attention of a cyberintruder.
B. The document is a backup file if the system needs to be recovered.
C. The document is a standard file that the OS needs to verify the login credentials.
D. The document is a keylogger that stores all keystrokes should the account be compromised.
Answer: A

30
Q

A security analyst needs to complete an assessment. The analyst is logged into a server and must
use native tools to map services running on it to the server’s listening ports.
Which of the following tools can BEST accomplish this task?

A
A. Netcat
B. Netstat
C. Nmap
D. Nessus
Answer: B
31
Q

A company is setting up a web server on the Internet that will utilize both encrypted and unencrypted
web-browsing protocols.
A security engineer runs a port scan against the server from the Internet and sees the following output:

Which of the following steps would be best for the security engineer to take NEXT?

A
A. Allow DNS access from the Internet.
B. Block SMTP access from the Internet.
C. Block HTTPS access from the Internet.
D. Block SSH access from the Internet.
Answer: D
32
Q

A recently discovered zero-day exploit utilizes an unknown vulnerability in the SMB network protocol
to rapidly infect computers. Once infected, computers are encrypted and held for ransom.
Which of the following would BEST prevent this attack from reoccurring?

A

A. Configure the perimeter firewall to deny inbound external connections to SMB ports.
B. Ensure endpoint detection and response systems are alerting on suspicious SMB connections.
C. Deny unauthenticated users access to shared network folders.
D. Verify computers are set to install monthly operating system updates automatically.
Answer: A

33
Q

Which of the following technical controls is BEST suited for the detection and prevention of buffer
overflows on hosts?

A
A. DLP
B. HIDS
C. EDR
D. NIPS
Answer: C
34
Q

A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a
comprehensive list of devices that are authorized to be on the wireless network. The Chief Information
Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the
wireless PSK and obtain access to the internal network.
Which of the following should the company implement to BEST prevent this from occurring?

A
A. A BPDU guard
B. WPA-EAP
C. IP filtering
D. A WIDS
Answer: B
35
Q

An end user reports a computer has been acting slower than normal for a few weeks. During an
investigation, an analyst determines the system is sending the user’s email address and a ten-digit number
to an IP address once a day.
The only recent log entry regarding the user’s computer is the following:
Which of the following is the MOST likely cause of the issue?

A

A. The end user purchased and installed a PUP from a web browser.
B. A bot on the computer is brute forcing passwords against a website.
C. A hacker is attempting to exfiltrate sensitive data.
D. Ransomware is communicating with a command-and-control server.
Answer: A

36
Q

A company just developed a new web application for a government agency. The application must be
assessed and authorized prior to being deployed.
Which of the following is required to assess the vulnerabilities resident in the application?

A
A. Repository transaction logs
B. Common Vulnerabilities and Exposures
C. Static code analysis
D. Non-credentialed scans
Answer: C
37
Q

An analyst has determined that a server was not patched and an external actor exfiltrated data on
port 139.
Which of the following sources should the analyst review to BEST ascertain how the incident could have
been prevented?

A
A. The vulnerability scan output
B. The security logs
C. The baseline report
D. The correlation of events
Answer: A
38
Q

An organization has implemented a two-step verification process to protect user access to data that is
stored in the cloud. Each employee now uses an email address or mobile number to receive a code to access the
data.
Which of the following authentication methods did the organization implement?

A
A. Token key
B. Static code
C. Push notification
D. HOTP
Answer: A
39
Q

An organization that has a large number of mobile devices is exploring enhanced security controls to manage
unauthorized access if a device is lost or stolen. Specifically, if mobile devices are more than 3 mi (4.8 km)
from the building, the management team would like to have the security team alerted and server resources restricted on those devices.
Which of the following controls should the organization implement?

A
A. Geofencing
B. Lockout
C. Near-field communication
D. GPS tagging
Answer: A
40
Q

Joe, a user at a company, clicked an email link that led to a website that infected his workstation. Joe was
connected to the network, and the virus spread to the network shares. The protective measures failed to
stop this virus, and it continues to evade detection.
Which of the following should the administrator implement to protect the environment from this malware?

A

A. Install a definition-based antivirus.
B. Implement an IDS/IPS.
C. Implement a heuristic behavior-detection solution.
D. Implement CASB to protect the network shares.
Answer: C

41
Q

A company is adopting a BYOD policy and is looking for a comprehensive solution to protect
company information on user devices.
Which of the following solutions would BEST support the policy?

A
A. Mobile device management
B. Full-device encryption
C. Remote wipe
D. Biometrics
Answer: A
42
Q

A user is concerned that a web application will not be able to handle unexpected or random input
without crashing.
Which of the following BEST describes the type of testing the user should perform?

A
A. Code signing
B. Fuzzing
C. Manual code review
D. Dynamic code analysis
Answer: D
43
Q

A network engineer has been asked to investigate why several wireless barcode scanners and
wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode
scanners and computers are all on forklift trucks and move around the warehouse during their regular
use.
Which of the following should the engineer do to determine the issue? (Choose two.)

A
A. Perform a site survey
B. Deploy an FTK Imager
C. Create a heat map
D. Scan for rogue access points
E. Upgrade the security protocols
F. Install a captive portal
Answer: A,C
44
Q

An organization’s finance department is implementing a policy to protect against collusion.
Which of the following control types and corresponding procedures should the organization implement to
fulfill this policy’s requirement? (Select TWO).

A
A. Corrective
B. Deterrent
C. Preventive
D. Mandatory vacations
E. Job rotation
F. Separation of duties
Answer: D,E
45
Q

An incident, which is affecting dozens of systems, involves malware that reaches out to an Internet
service for rules and updates. The IP addresses for the Internet host appear to be different in each case.
The organization would like to determine a common IoC to support response and recovery actions.
Which of the following sources of information would BEST support this solution?

A
A. Web log files
B. Browser cache
C. DNS query logs
D. Antivirus
Answer: C
46
Q

A remote user recently took a two-week vacation abroad and brought along a corporate-owned
laptop. Upon returning to work, the user has been unable to connect the laptop to the VPN.
Which of the following is the MOST likely reason for the user’s inability to connect the laptop to the VPN?

A

A. Due to foreign travel, the user’s laptop was isolated from the network.
B. The user’s laptop was quarantined because it missed the latest patch update.
C. The VPN client was blacklisted.
D. The user’s account was put on a legal hold.
Answer: A

47
Q

A website developer is working on a new e-commerce website and has asked an information security
expert for the most appropriate way to store credit card numbers to create an easy reordering process.
Which of the following methods would BEST accomplish this goal?

A

A. Salting the magnetic strip information.
B. Encrypting the credit card information in transit.
C. Hashing the credit card numbers upon entry.
D. Tokenizing the credit cards in the database.
Answer: C

48
Q

A client sent several inquiries to a project manager about the delinquent delivery status of some
critical reports. The project manager claimed the reports were previously sent via email but then quickly
generated and backdated the reports before submitting them via a new email message.
Which of the following actions MOST likely supports an investigation for fraudulent submission?

A
A. Establish chain of custody
B. Inspect the file metadata
C. Reference the data retention policy
D. Review the email event logs
Answer: D
49
Q

A Chief Executive Officer (CEO) is dissatisfied with the level of service from the company’s new
service provider. The service provider is preventing the CEO from sending email from a work account to
a personal account.
Which of the following types of service providers is being used?

A
A. Telecommunications service provider
B. Cloud service provider
C. Master managed service provider
D. Managed security service provider
Answer: B
50
Q

Which of the following disaster recovery tests is the LEAST time-consuming for the disaster recovery
team?

A
A. Tabletop
B. Parallel
C. Full interruption
D. Simulation
Answer: D