226-250 Flashcards

1
Q

A recent phishing campaign resulted in several compromised user accounts. The security incident response team has been tasked with reducing the manual labor of filtering through all the phishing emails as they arrive and blocking the sender’s email address, along with other time-consuming mitigation actions. Which of the following can be configured to streamline those tasks?

A. SOAR playbook
B. MDM policy
C. Firewall rules
D. URL filter
E. SIEM data collection

A

A. SOAR playbook

2
Q

A user reports constant lag and performance issues with the wireless network when working at a local coffee shop. A security analyst walks the user through an installation of Wireshark and gets a five-minute pcap to analyze. The analyst observes the following output:

Which of the following attacks does the analyst MOST likely see in this packet capture?

A. Session replay
B. Evil twin
C. Bluejacking
D. ARP poisoning

A

B. Evil twin

3
Q

A security analyst is reviewing the following output from a system:

TCP 192.168.10.10:80 192.168.1.2.60101 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2.60102 TIME_WAIT
TCP 192.168.10.10:80 192.168.1.2.60103 TIME_WAIT

Which of the following is MOST likely being observed?

A. ARP poisoning
B. Man in the middle
C. Denial of service
D. DNS poisoning

A

C. Denial of service

4
Q

Which of the following concepts BEST describes tracking and documenting changes to software and managing access to files and systems?

A. Version control
B. Continuous monitoring
C. Stored procedures
D. Automation

A

A. Version control

5
Q

A penetration tester is brought on site to conduct a full attack simulation at a hospital. The penetration tester notices a WAP that is hanging from the drop ceiling by its cabling and is reachable. Which of the following recommendations would the penetration tester MOST likely make given this observation?

A. Employ a general contractor to replace the drop-ceiling tiles.
B. Place the network cabling inside a secure conduit.
C. Secure the access point and cabling inside the drop ceiling.
D. Utilize only access points that have internal antennas.

A

C. Secure the access point and cabling inside the drop ceiling.

6
Q

Which of the following techniques eliminates the use of rainbow tables for password cracking?

A. Hashing
B. Tokenization
C. Asymmetric encryption
D. Salting

A

D. Salting

7
Q

During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?

A. ls
B. chflags
C. chmod
D. lsof
E. setuid

A

C. chmod

8
Q

A network administrator is concerned about users being exposed to malicious content when accessing company cloud applications. The administrator wants to be able to block access to sites based on the AUP. The users must also be protected because many of them work from home or at remote locations, providing on-site customer support. Which of the following should the administrator employ to meet these criteria?

A. Implement NAC.
B. Implement an SWG.
C. Implement a URL filter.
D. Implement an MDM.

A

B. Implement an SWG.

9
Q

A website developer is working on a new e-commerce website and has asked an information security expert for the most appropriate way to store credit card numbers to create an easy reordering process. Which of the following methods would BEST accomplish this goal?

A. Salting the magnetic strip information
B. Encrypting the credit card information in transit
C. Hashing the credit card numbers upon entry
D. Tokenizing the credit cards in the database

A

D. Tokenizing the credit cards in the database

10
Q

Which of the following supplies non-repudiation during a forensics investigation?

A. Dumping volatile memory contents first
B. Duplicating a drive with dd
C. Using a SHA-2 signature of a drive image
D. Logging everyone in contact with evidence
E. Encrypting sensitive data

A

C. Using a SHA-2 signature of a drive image

11
Q

A security analyst is tasked with classifying data to be stored on company servers. Which of the following should be classified as proprietary?

A. Customers’ dates of birth
B. Customers’ email addresses
C. Marketing strategies
D. Employee salaries

A

C. Marketing strategies

12
Q

Which of the following holds staff accountable while escorting unauthorized personnel?

A. Locks
B. Badges
C. Cameras
D. Visitor logs

A

D. Visitor logs

13
Q

An organization’s Chief Security Officer (CSO) wants to validate the business’s involvement in the incident response plan to ensure its validity and thoroughness. Which of the following will the CSO MOST likely use?

A. An external security assessment
B. A bug bounty program
C. A tabletop exercise
D. A red-team engagement

A

C. A tabletop exercise

14
Q

Which of the following documents provides guidance regarding the recommended deployment of network security systems from the manufacturer?

A. Cloud control matrix
B. Reference architecture
C. NIST RMF
D. CIS Top 20

A

B. Reference architecture

15
Q

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?

A. Legacy operating system
B. Weak configuration
C. Zero day
D. Supply chain

A

C. Zero day

16
Q

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?

A. Watering hole
B. Typosquatting
C. Hoax
D. Impersonation

A

A. Watering hole

17
Q

To reduce and limit software and infrastructure costs, the Chief Information Officer has requested to move email services to the cloud. The cloud provider and the organization must have security controls to protect sensitive data. Which of the following cloud services would BEST accommodate the request?

A. IaaS
B. PaaS
C. DaaS
D. SaaS

A

D. SaaS

18
Q

A security engineer is concerned that the strategy for detection on endpoints is too heavily dependent on previously defined attacks. The engineer would like a tool to monitor for changes to key files and network traffic on the device. Which of the following tools BEST addresses both detection and prevention?

A. NIDS
B. HIPS
C. AV
D. NGFW

A

B. HIPS

19
Q

During a recent incident, an external attacker was able to exploit an SMB vulnerability over the internet. Which of the following action items should a security analyst perform FIRST to prevent this from occurring again?

A. Check for any recent SMB CVEs.
B. Install AV on the affected server.
C. Block unneeded TCP 445 connections.
D. Deploy a NIDS in the affected subnet.

A

C. Block unneeded TCP 445 connections.

20
Q

A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory. Which of the following attacks is the penetration tester planning to execute?

A. Race-condition
B. Pass-the-hash
C. Buffer overflow
D. XSS

A

C. Buffer overflow

21
Q

Server administrators want to configure a cloud solution so that computing memory and processor usage is maximized most efficiently across a number of virtual servers. They also need to avoid potential denial-of-service situations caused by availability. Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power?

A. Dynamic resource allocation
B. High availability
C. Segmentation
D. Container security

A

A. Dynamic resource allocation

22
Q

While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below:

PC1 192.168.1.20 00:1E:1B:43:21:B2 On
PC2 192.168.1.23 31:1C:3C:13:25:C4 Off
PC3 192.168.1.25 20:A2:22:45:11:D2 On
UNKNOWN 192.168.1.21 12:44:B2:FF:A1:22 Off

Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability?

A. Conduct a ping sweep.
B. Physically check each system.
C. Deny internet access to the “UNKNOWN” hostname.
D. Apply MAC filtering.

A

A. Conduct a ping sweep.

23
Q

A security analyst in a SOC has been tasked with onboarding a new network into the SIEM. Which of the following BEST describes the information that should feed into a SIEM solution in order to adequately support an investigation?

A. Logs from each device type and security layer to provide correlation of events
B. Only firewall logs since that is where attackers will most likely try to breach the network
C. Email and web-browsing logs because user behavior is often the cause of security breaches
D. NetFlow because it is much more reliable to analyze than syslog and will be exportable from every device

A

A. Logs from each device type and security layer to provide correlation of events

24
Q

An organization just implemented a new security system. Local laws state that citizens must be notified prior to encountering the detection mechanism to deter malicious activities. Which of the following is being implemented?

A. Proximity cards with guards
B. Fence with electricity
C. Drones with alarms
D. Motion sensors with signage

A

D. Motion sensors with signage

25
Q

An IT security manager requests a report on company information that is publicly available. The manager’s concern is that malicious actors will be able to access the data without engaging in active reconnaissance. Which of the following is the MOST efficient approach to perform the analysis?

A. Provide a domain parameter to theHarvester tool.
B. Check public DNS entries using dnsenum.
C. Perform a Nessus vulnerability scan targeting a public company’s IP.
D. Execute nmap using the options: scan all ports and sneaky mode.

A

A. Provide a domain parameter to the theHarvester tool.