251-300 Flashcards

1
Q

A company’s Chief Information Officer (CIO) is meeting with the Chief Information Security Officer
(CISO) to plan some activities to enhance the skill levels of the company’s developers.
Which of the following would be MOST suitable for training the developers?

A
A. A capture-the-flag competition
B. A phishing simulation
C. Physical security training
D. Basic awareness training
Answer: B
2
Q

A security administrator suspects there may be unnecessary services running on a server.
Which of the following tools will the administrator MOST likely use to confirm the suspicions?

A
A. Nmap
B. Wireshark
C. Autopsy
D. DNSEnum
Answer: A
3
Q

A security engineer has enabled two-factor authentication on all workstations.
Which of the following approaches are the MOST secure? (Select TWO).

A
A. Password and security question
B. Password and CAPTCHA
C. Password and smart card
D. Password and fingerprint
E. Password and one-time token
F. Password and voice
Answer: C,D
4
Q

A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must
tolerate a two-drive failure for better fault tolerance.
Which of the following RAID levels should the administrator select?

A
A. 0
B. 1
C. 5
D. 6
Answer: B
5
Q

A company was recently breached. Part of the company’s new cybersecurity strategy is to centralize
the logs from all security devices.
Which of the following components forwards the logs to a central source?

A
A. Log enrichment
B. Log aggregation
C. Log parser
D. Log collector
Answer: D
6
Q

A security engineer needs to implement an MDM solution that complies with the corporate mobile
device policy.
The policy states that in order for mobile users to access corporate resources on their devices, the
following requirements must be met:
• Mobile device OSs must be patched up to the latest release
• A screen lock must be enabled (passcode or biometric)
• Corporate data must be removed if the device is reported lost or stolen
Which of the following controls should the security engineer configure? (Select TWO)

A
A. Containerization
B. Storage segmentation
C. Posturing
D. Remote wipe
E. Full-device encryption
F. Geofencing
Answer: D,E
7
Q

A user contacts the help desk to report the following:
✑ Two days ago, a pop-up browser window prompted the user for a name and password after connecting
to the corporate wireless SSID. This had never happened before, but the user entered the information as
requested.
✑ The user was able to access the Internet but had trouble accessing the department share until the next
day.
✑ The user is now getting notifications from the bank about unauthorized transactions.
Which of the following attack vectors was MOST likely used in this scenario?

A
A. Rogue access point
B. Evil twin
C. DNS poisoning
D. ARP poisoning
Answer: A
8
Q

A company has limited storage available and an online presence that cannot be offline for more than four hours.
Which of the following backup methodologies should the company implement to allow for the FASTEST
database restore time in the event of a failure, while being mindful of the limited available storage
space?

A

A. Implement full tape backups every Sunday at 8:00 p.m. and perform nightly tape rotations.
B. Implement differential backups every Sunday at 8:00 and nightly incremental backups at 8:00 p.m.
C. Implement nightly full backups every Sunday at 8:00 p.m.
D. Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00
Answer: B

9
Q

Which of the following often operates in a client-server architecture to act as a service repository,
providing enterprise consumers access to structured threat intelligence data?

A
A. STIX
B. CIRT
C. OSINT
D. TAXII
Answer: B
10
Q

A forensics investigator is examining a number of unauthorized payments that were reported on the
company’s website. Some unusual log entries show users received an email for an unwanted mailing list
and clicked on a link to attempt to unsubscribe. One of the users reported the email to the phishing team,
and the forwarded email revealed the link to be:
Which of the following will the forensics investigator MOST likely determine has occurred?

A
A. SQL injection
B. CSRF
C. XSS
D. XSRF
Answer: B
11
Q

A smart retail business has a local store and a newly established and growing online storefront. A
recent storm caused a power outage to the business and the local ISP, resulting in several hours of lost
sales and delayed order processing.
The business owner now needs to ensure two things:
* Protection from power outages
* Always-available connectivity in case of an outage
The owner has decided to implement battery backups for the computer equipment.
Which of the following would BEST fulfill the owner’s second need?

A

A. Lease a point-to-point circuit to provide dedicated access.
B. Connect the business router to its own dedicated UPS.
C. Purchase services from a cloud provider for high availability
D. Replace the business’s wired network with a wireless network.
Answer: C

12
Q

An organization’s RPO for a critical system is two hours. The system is used Monday through Friday,
from 9:00 am to 5:00 pm. Currently, the organization performs a full backup every Saturday that takes four
hours to complete.
Which of the following additional backup implementations would be the BEST way for the analyst to meet
the business requirements?

A

A. Incremental backups Monday through Friday at 6:00 p.m. and differential backups hourly
B. Full backups Monday through Friday at 6:00 p.m. and incremental backups hourly.
C. Incremental backups Monday through Friday at 6:00 p.m. and full backups hourly.
D. Full backups Monday through Friday at 6:00 p.m. and differential backups hourly.
Answer: A

13
Q

A company has drafted an insider-threat policy that prohibits the use of external storage devices.
Which of the following would BEST protect the company from data exfiltration via removable media?

A

A. Monitoring large data transfer transactions in the firewall logs
B. Developing mandatory training to educate employees about the removable media policy
C. Implementing a group policy to block user access to system files
D. Blocking removable-media devices and write capabilities using a host-based security tool
Answer: D

14
Q

A software developer needs to perform code-execution testing, black-box testing, and nonfunctional
testing on a new product before its general release.
Which of the following BEST describes the tasks the developer is conducting?

A
A. Verification
B. Validation
C. Normalization
D. Staging
Answer: A
15
Q

Which of the following would be the BEST resource for a software developer who is looking to
improve secure coding practices for web applications?

A
A. OWASP
B. Vulnerability scan results
C. NIST CSF
D. Third-party libraries
Answer: A
16
Q

A security analyst needs to perform periodic vulnerability scans on production systems.
Which of the following scan types would produce the BEST vulnerability scan report?

A
A. Port
B. Intrusive
C. Host discovery
D. Credentialed
Answer: D
17
Q

Which of the following would be BEST for a technician to review to determine the total risk an
organization can bear when assessing a “cloud-first” adoption strategy?

A
A. Risk matrix
B. Risk tolerance
C. Risk register
D. Risk appetite
Answer: B
18
Q

Following a prolonged datacenter outage that affected web-based sales, a company has decided to
move its operations to a private cloud solution.
The security team has received the following requirements:
• There must be visibility into how teams are using cloud-based services.
• The company must be able to identify when data related to payment cards is being sent to the cloud.
• Data must be available regardless of the end user’s geographic location
• Administrators need a single pane-of-glass view into traffic and trends.
Which of the following should the security analyst recommend?

A

A. Create firewall rules to restrict traffic to other cloud service providers.
B. Install a DLP solution to monitor data in transit.
C. Implement a CASB solution.
D. Configure a web-based content filter.
Answer: B

19
Q

A retail executive recently accepted a job with a major competitor. The following week, a security
analyst reviews the security logs and identifies successful logon attempts to access the departed
executive’s accounts.
Which of the following security practices would have addressed the issue?

A
A. A non-disclosure agreement
B. Least privilege
C. An acceptable use policy
D. Offboarding
Answer: D
20
Q

A security analyst discovers several .jpg photos from a cellular phone during a forensics investigation
involving a compromised system. The analyst runs a forensics tool to gather file metadata.
Which of the following would be part of the images if all the metadata is still intact?

A
A. The GPS location
B. When the file was deleted
C. The total number of print jobs
D. The number of copies made
Answer: A
21
Q

A network engineer needs to build a solution that will allow guests at the company’s headquarters to
access the Internet via WiFi. This solution should not allow access to the internal corporate network, but it
should require guests to sign off on the acceptable use policy before accessing the Internet.
Which of the following should the engineer employ to meet these requirements?

A
A. Implement open PSK on the APs
B. Deploy a WAF
C. Configure WIPS on the APs
D. Install a captive portal
Answer: D
22
Q

An employee has been charged with fraud and is suspected of using corporate assets.
As authorities collect evidence, and to preserve the admissibility of the evidence, which of the following
forensic techniques should be used?

A
A. Order of volatility
B. Data recovery
C. Chain of custody
D. Non-repudiation
Answer: C
23
Q

The lessons-learned analysis from a recent incident reveals that an administrative office worker
received a call from someone claiming to be from technical support. The caller convinced the office
worker to visit a website, and then download and install a program masquerading as an antivirus package.
The program was actually a backdoor that an attacker could later use to remote control the worker’s PC.
Which of the following would be BEST to help prevent this type of attack in the future?

A
A. Data loss prevention
B. Segmentation
C. Application whitelisting
D. Quarantine
Answer: C
24
Q

The human resources department of a large online retailer has received multiple customer
complaints about the rudeness of the automated chatbots it uses to interface with and assist online shoppers.
The system, which continuously learns and adapts, was working fine when it was installed a few months ago.
Which of the following BEST describes the method being used to exploit the system?

A
A. Baseline modification
B. A fileless virus
C. Tainted training data
D. Cryptographic manipulation
Answer: C
25
Q

Which of the following utilize a subset of real data and are MOST likely to be used to assess the
features and functions of a system and how it interacts or performs from an end user’s perspective
against defined test cases? (Select TWO).

A
A. Production
B. Test
C. Research and development
D. PoC
E. UAT
F. SDLC
Answer: B,E
26
Q

A web server administrator has redundant servers and needs to ensure failover to the secondary
server when the primary server goes down.
Which of the following should the administrator implement to avoid disruption?

A
A. NIC teaming
B. High availability
C. Dual power supply
D. IaaS
Answer: B
27
Q

A security manager for a retailer needs to reduce the scope of a project to comply with PCI DSS. The
PCI data is located in different offices than where credit cards are accepted. All the offices are connected
via MPLS back to the primary datacenter.
Which of the following should the security manager implement to achieve the objective?

A
A. Segmentation
B. Containment
C. Geofencing
D. Isolation
Answer: A
28
Q

Several large orders of merchandise were recently purchased on an e-commerce company’s website.
The totals for each of the transactions were negative values, resulting in credits on the customers’
accounts.
Which of the following should be implemented to prevent similar situations in the future?

A

A. Ensure input validation is in place to prevent the use of invalid characters and values.
B. Calculate all possible values to be added together and ensure the use of the proper integer in the code.
C. Configure the web application firewall to look for and block session replay attacks.
D. Make sure transactions that are submitted within very short time periods are prevented from being
processed.
Answer: A

29
Q

A security administrator needs to inspect in-transit files on the enterprise network to search for PII,
credit card data, and classification words.
Which of the following would be the BEST to use?

A
A. IDS solution
B. EDR solution
C. HIPS software solution
D. Network DLP solution
Answer: D
30
Q

A security engineer is installing a WAF to protect the company’s website from malicious web requests
over SSL.
Which of the following is needed to meet the objective?

A
A. A reverse proxy
B. A decryption certificate
C. A split-tunnel VPN
D. Load-balanced servers
Answer: B
31
Q

An organization recently recovered from a data breach. During the root cause analysis, the
organization determined the source of the breach to be a personal cell phone that had been reported lost.
Which of the following solutions should the organization implement to reduce the likelihood of future data
breaches?

A
A. MDM
B. MAM
C. VDI
D. DLP
Answer: A
32
Q

Which of the following is a reason why an organization would define an AUP?

A

A. To define the lowest level of privileges needed for access and use of the organization’s resources
B. To define the set of rules and behaviors for users of the organization’s IT systems
C. To define the intended partnership between two organizations
D. To define the availability and reliability characteristics between an IT provider and consumer
Answer: B

33
Q

An organization needs to implement more stringent controls over administrator/root credentials and
service accounts.
Requirements for the project include:
✑ Check-in/checkout of credentials
✑ The ability to use but not know the password
✑ Automated password changes
✑ Logging of access to credentials
Which of the following solutions would meet the requirements?

A
A. OAuth 2.0
B. Secure Enclave
C. A privileged access management system
D. An OpenID Connect authentication system
Answer: D
34
Q

A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created
some rules, but the network now seems to be unresponsive. All connections are being dropped by the
firewall.
Which of the following would be the BEST option to remove the rules?

A
A. # iptables -t mangle -X
B. # iptables -F
C. # iptables -Z
D. # iptables -P INPUT -j DROP
Answer: D
35
Q

A company is upgrading its wireless infrastructure to WPA2-Enterprise using EAP-TLS.
Which of the following must be part of the security architecture to achieve AAA? (Select TWO)

A
A. DNSSEC
B. Reverse proxy
C. VPN concentrator
D. PKI
E. Active Directory
F. RADIUS
Answer: E,F
36
Q

A security analyst must determine if either SSH or Telnet is being used to log in to servers.
Which of the following should the analyst use?

A
A. logger
B. Metasploit
C. tcpdump
D. netstat
Answer: D
37
Q

A Chief Security Officer (CSO) is concerned about the volume and integrity of sensitive information
that is exchanged between the organization and a third party through email. The CSO is particularly
concerned about an unauthorized party who is intercepting information that is in transit between the two
organizations.
Which of the following would address the CSO’s concerns?

A
A. SPF
B. DMARC
C. SSL
D. DKIM
E. TLS
Answer: E
38
Q

An analyst needs to set up a method for securely transferring files between systems. One of the
requirements is to authenticate the IP header and the payload.
Which of the following services would BEST meet the criteria?

A
A. TLS
B. PFS
C. ESP
D. AH
Answer: A
39
Q

A user recently attended an exposition and received some digital promotional materials. The user
later noticed blue boxes popping up and disappearing on the computer, and reported receiving several
spam emails, which the user did not open.
Which of the following is MOST likely the cause of the reported issue?

A

A. There was a drive-by download of malware
B. The user installed a cryptominer
C. The OS was corrupted
D. There was malicious code on the USB drive
Answer: D

40
Q

A company recently transitioned to a strictly BYOD culture due to the cost of replacing lost or
damaged corporate-owned mobile devices.
Which of the following technologies would be BEST to balance the BYOD culture while also protecting the
company’s data?

A
A. Containerization
B. Geofencing
C. Full-disk encryption
D. Remote wipe
Answer: C
41
Q

A university is opening a facility in a location where there is an elevated risk of theft. The university
wants to protect the desktops in its classrooms and labs.
Which of the following should the university use to BEST protect these assets deployed in the facility?

A
A. Visitor logs
B. Cable locks
C. Guards
D. Disk encryption
E. Motion detection
Answer: B
42
Q

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any
external networks.
Which of the following methods would BEST prevent the exfiltration of data? (Select TWO).

A
A. VPN
B. Drive encryption
C. Network firewall
D. File level encryption
E. USB blocker
F. MFA
Answer: B,E
43
Q

A Chief Executive Officer’s (CEO) personal information was stolen in a social engineering attack.
Which of the following sources would reveal if the CEO’s personal information is for sale?

A
A. Automated information sharing
B. Open-source intelligence
C. The dark web
D. Vulnerability databases
Answer: C
44
Q

A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote
systems. Several users also reported that the new company flash drives they picked up in the
break room only have 512KB of storage.
Which of the following is MOST likely the cause?

A

A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the
drives to only 512KB of storage.
B. The new flash drives need a driver that is being blocked by the AV software because the flash drives
are not on the application’s allow list, temporarily restricting the drives to 512KB of storage.
C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an
unapproved application to repartition the drives.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to
harvest plaintext credentials from memory.
Answer: D

45
Q

A security analyst is hardening a Linux workstation and must ensure it has public keys forwarded to
remote systems for secure login.
Which of the following steps should the analyst perform to meet these requirements? (Select TWO).

A
A. Forward the keys using ssh-copy-id.
B. Forward the keys using scp.
C. Forward the keys using ssh -i.
D. Forward the keys using openssl -s.
E. Forward the keys using ssh-keygen.
Answer: A,D
46
Q

Under GDPR, which of the following is MOST responsible for the protection of privacy and website
user rights?

A
A. The data protection officer
B. The data processor
C. The data owner
D. The data controller
Answer: C
47
Q

A company recently set up an e-commerce portal to sell its product online. The company wants to
start accepting credit cards for payment, which requires compliance with a security standard.
Which of the following standards must the company comply with before accepting credit cards on its
e-commerce platform?

A
A. PCI DSS
B. ISO 22301
C. ISO 27001
D. NIST CSF
Answer: A
48
Q

A security analyst needs to determine how an attacker was able to use User3 to gain a foothold within
a company’s network. The company’s lockout policy requires that an account be locked out for a minimum
of 15 minutes after three unsuccessful attempts.
While reviewing the log files, the analyst discovers the following:
Which of the following attacks MOST likely occurred?

A
A. Dictionary
B. Credential-stuffing
C. Password-spraying
D. Brute-force
Answer: D
49
Q

Which of the following would BEST identify and remediate a data-loss event in an enterprise using
third-party, web-based services and file-sharing platforms?

A
A. SIEM
B. CASB
C. UTM
D. DLP
Answer: D
50
Q

The cost of removable media and the security risks of transporting data have become too great for a
laboratory. The laboratory has decided to interconnect with partner laboratories to make data transfers
easier and more secure. The Chief Security Officer

A

A. VLAN zoning with a file-transfer server in an external-facing zone
B. DLP running on hosts to prevent file transfers between networks
C. NAC that permits only data-transfer agents to move data between networks
D. VPN with full tunneling and NAS authenticating through the Active Directory
Answer: B