251-300 Flashcards

1
Q

A security analyst is concerned about critical vulnerabilities that have been detected on some applications running inside containers. Which of the following is the BEST remediation strategy?

A Update the base container image and redeploy the environment.
B Include the containers in the regular patching schedule for servers.
C Patch each running container individually and test the application.
D Update the host in which the containers are running.

A

A. Update the base container image and redeploy the environment.

2
Q

A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. The router is set up to forward all ports to the single web-facing server so that the server is reachable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following should be done to prevent an attack like this from happening again? (Choose three.)

A Install DLP software to prevent data loss
B Use the latest version of software
C Install a SIEM device
D Implement MDM
E Implement a screened subnet for the web server
F Install an endpoint security solution
G Update the website certificate and revoke the existing ones
H Deploy additional network sensors

A

B. Use the latest version of software
E. Implement a screened subnet for the web server
F. Install an endpoint security solution

3
Q

Which of the following BEST helps to demonstrate integrity during a forensic investigation?

A Event logs
B Encryption
C Hashing
D Snapshots

A

C. Hashing

4
Q

A company is moving its retail website to a public cloud provider. The company wants to tokenize credit card data but not allow the cloud provider to see the stored credit card information. Which of the following would BEST meet these objectives?

A WAF
B CASB
C VPN
D TLS

A

B. CASB

5
Q

An organization has been experiencing outages during holiday sales and needs to ensure availability of its point-of-sale systems. The IT administrator has been asked to improve both server-data fault tolerance and site availability under high consumer load. Which of the following are the best options to accomplish this objective? (Choose two.)

A Load balancing
B Incremental backups
C UPS
D RAID
E Dual power supply
F VLAN

A

A. Load balancing
D. RAID

6
Q

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts without user interaction. The SIEM has multiple login entries with the following text:

suspicious event - user: scheduledtasks successfully authenticated on AD at abnormal time

suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\amazing-3rdparty-domain-assessment.py

suspicious event - user: scheduledtasks failed to execute c:\weekly_checkups\secureyourAD-3rdparty-compliance.sh

suspicious event - user: scheduledtasks successfully executed c:\weekly_checkups\amazing-3rdparty-domain-assessment.py

Which of the following is the MOST likely attack conducted on the environment?

A Malicious script
B Privilege escalation
C Domain hijacking
D DNS poisoning

A

B. Privilege escalation

7
Q

Users have been issued smart cards that provide physical access to a building. The cards also contain tokens that can be used to access information systems. Users can log in to any thin client located throughout the building and see the same desktop each time. Which of the following technologies are being utilized to provide these capabilities? (Choose two.)

A COPE
B VDI
C GPS
D TOTP
E RFID
F BYOD

A

B. VDI
E. RFID

8
Q

A security team has been alerted to a flood of incoming emails that have various subject lines and are addressed to multiple email inboxes. Each email contains a URL shortener link that is redirecting to a dead domain. Which of the following is the best step for the security team to take?

A Create a blocklist for all subject lines.
B Send the dead domain to a DNS sinkhole
C Quarantine all emails received and notify all employees.
D Block the URL shortener domain in the web proxy.

A

D. Block the URL shortener domain in the web proxy.

9
Q

Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset?

A EF x asset value
B ALE / SLE
C MTBF x impact
D SLE x ARO

A

D. SLE x ARO

10
Q

A security analyst is reviewing packet capture data from a compromised host on the network. In the packet capture, the analyst locates packets that contain large amounts of text. Which of the following is most likely installed on the compromised host?

A Keylogger
B Spyware
C Trojan
D Ransomware

A

A. Keylogger

11
Q

An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?

A The DLP appliance should be integrated into a NGFW.
B Split-tunnel connections can negatively impact the DLP appliance’s performance
C Encrypted VPN traffic will not be inspected when entering or leaving the network.
D Adding two hops in the VPN tunnel may slow down remote connections

A

C. Encrypted VPN traffic will not be inspected when entering or leaving the network.

12
Q

The Chief Compliance Officer from a bank has approved a background check policy for all new hires. Which of the following is the policy MOST likely protecting against?

A Preventing any current employees’ siblings from working at the bank to prevent nepotism
B Hiring an employee who has been convicted of theft to adhere to industry compliance
C Filtering applicants who have added false information to resumes so they appear better qualified
D Ensuring no new hires have worked at other banks that may be trying to steal customer information

A

B. Hiring an employee who has been convicted of theft to adhere to industry compliance

13
Q

A company recently set up an e-commerce portal to sell its products online. The company wants to start accepting credit cards for payment, which requires compliance with a security standard. Which of the following standards must the company comply with before accepting credit cards on its e-commerce platform?

A PCI DSS
B ISO 22301
C ISO 27001
D NIST CSF

A

A. PCI DSS

14
Q

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:

A validate the vulnerability exists in the organization’s network through penetration testing
B research the appropriate mitigation techniques in a vulnerability database.
C find the software patches that are required to mitigate a vulnerability.
D prioritize remediation of vulnerabilities based on the possible impact.

A

D. prioritize remediation of vulnerabilities based on the possible impact.

15
Q

A network administrator has been alerted that web pages are experiencing long load times. After determining it is not a routing or DNS issue, the administrator logs in to the router, runs a command, and receives the following output:

CPU 0 percent busy, from 300 sec ago
1 sec ave: 99 percent busy
5 sec ave: 97 percent busy
1 min ave: 83 percent busy

Which of the following is the router experiencing?

A DDoS attack
B Memory leak
C Buffer overflow
D Resource exhaustion

A

D. Resource exhaustion

16
Q

An organization recently released a software assurance policy that requires developers to run code scans each night on the repository. After the first night, the security team alerted the developers that more than 2,000 findings were reported and need to be addressed. Which of the following is the MOST likely cause for the high number of findings?

A The vulnerability scanner was not properly configured and generated a high number of false positives
B Third-party libraries have been loaded into the repository and should be removed from the codebase
C The vulnerability scanner found several memory leaks during runtime, causing duplicate reports for the same issue
D The vulnerability scanner was not loaded with the correct benchmarks and needs to be updated.

A

A. The vulnerability scanner was not properly configured and generated a high number of false positives

17
Q

Which of the following control types is patch management classified under?

A Deterrent
B Physical
C Corrective
D Detective

A

C. Corrective

18
Q

Which of the following is a benefit of including a risk management framework into an organization’s security approach?

A It defines expected service levels from participating supply chain partners to ensure system outages are remediated in a timely manner.
B It identifies specific vendor products that have been tested and approved for use in a secure environment.
C It provides legal assurances and remedies in the event a data breach occurs
D It incorporates control, development, policy, and management activities into IT operations.

A

D. It incorporates control, development, policy, and management activities into IT operations.

19
Q

A security analyst is reviewing the following logs:

[10:00:00 AM] Login rejected - username administrator - password Spring2023
[10:00:01 AM] Login rejected - username jsmith - password Spring2023
[10:00:01 AM] Login rejected - username guest - password Spring2023
[10:00:02 AM] Login rejected - username polk - password Spring2023
[10:00:03 AM] Login rejected - username martin - password spring2023

Which of the following attacks is most likely occurring?

A Password spraying
B Account forgery
C Pass-the-hash
D Brute-force

A

A. Password spraying
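Worked example (added here, not part of the flashcard set): a small detector that parses log lines in the shape shown on this card and tells password spraying apart from brute force. Real authentication logs never record the password itself, so the classifier keys on the distribution that does survive in real logs: many distinct usernames each failing once or twice inside a short window is spraying; one username failing many times is brute force. The log lines are constructed to mirror the card; the thresholds are assumptions to tune per environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the flashcard's log format (not from any real system).
SPRAY_LOG = """\
[10:00:00 AM] Login rejected - username administrator - password Spring2023
[10:00:01 AM] Login rejected - username jsmith - password Spring2023
[10:00:01 AM] Login rejected - username guest - password Spring2023
[10:00:02 AM] Login rejected - username polk - password Spring2023
[10:00:03 AM] Login rejected - username martin - password spring2023
"""

# Constructed contrast case: one account hammered with many different guesses.
BRUTE_LOG = """\
[10:05:00 AM] Login rejected - username jsmith - password Password1
[10:05:00 AM] Login rejected - username jsmith - password Password2
[10:05:01 AM] Login rejected - username jsmith - password Welcome1
[10:05:01 AM] Login rejected - username jsmith - password Summer2023
[10:05:02 AM] Login rejected - username jsmith - password letmein
[10:05:02 AM] Login rejected - username jsmith - password qwerty123
"""

LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+Login\s+(?P<result>rejected|accepted)"
    r"\s*-\s*username\s+(?P<user>\S+)\s*-\s*password\s+(?P<pw>\S+)\s*$"
)


def parse_log(text):
    """Parse lines into dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], "%I:%M:%S %p")
        events.append(ev)
    return events


def classify_failures(events, window_seconds=60, min_users=3, max_per_user=2, min_guesses=5):
    """Label a burst of rejected logins as 'password spraying', 'brute force' or 'none'.

    Spraying: at least min_users distinct accounts, none failing more than max_per_user
    times, all inside window_seconds (one or two passwords tried against everyone).
    Brute force: a single account accumulates min_guesses or more distinct guesses.
    Returns (label, details) so the caller can see the numbers behind the verdict.
    """
    rejected = sorted((e for e in events if e["result"] == "rejected"), key=lambda e: e["time"])
    if not rejected:
        return "none", {}
    span = (rejected[-1]["time"] - rejected[0]["time"]).total_seconds()
    failures_per_user = Counter(e["user"] for e in rejected)
    guesses_per_user = defaultdict(set)
    for e in rejected:
        guesses_per_user[e["user"]].add(e["pw"])
    details = {
        "window_seconds": span,
        "distinct_users": len(failures_per_user),
        "max_failures_one_user": max(failures_per_user.values()),
        # Case-folded: the card's last line differs from the others only by case.
        "distinct_passwords": len({e["pw"].lower() for e in rejected}),
    }
    if (span <= window_seconds and len(failures_per_user) >= min_users
            and max(failures_per_user.values()) <= max_per_user):
        return "password spraying", details
    if any(len(pws) >= min_guesses for pws in guesses_per_user.values()):
        return "brute force", details
    return "none", details


if __name__ == "__main__":
    for name, log in (("spray", SPRAY_LOG), ("brute", BRUTE_LOG)):
        print(name, classify_failures(parse_log(log)))
```

Account lockout policies only see the brute-force case (one account, many failures); a spray keeps every account under the lockout threshold, which is exactly why the detection has to correlate failures across usernames rather than per account.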

20
Q

While checking logs, a security engineer notices a number of end users suddenly downloading files with the .tar.gz extension. Closer examination of the files reveals they are PE32 files. The end users state they did not initiate any of the downloads. Further investigation reveals the end users all clicked on an external email containing an infected MHT file with an href link a week prior.

Which of the following is MOST likely occurring?

A A RAT was installed and is transferring additional exploit tools
B The workstations are beaconing to a command-and-control server.
C A logic bomb was executed and is responsible for the data transfers.
D A fileless virus is spreading in the local network environment

A

B. The workstations are beaconing to a command-and-control server.

21
Q

After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall policy for a web server. Which of the following firewall policies would be MOST secure for a web server?

A

Source  Destination  Port     Action
ANY     ANY          TCP 80   DENY
ANY     ANY          TCP 443  ALLOW
ANY     ANY          ANY      ALLOW
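Worked example (added here, not part of the flashcard set): a first-match policy evaluator that shows what the rule set printed above actually does. With a trailing "ANY ANY ANY ALLOW", anything that is not TCP 80 or TCP 443 is permitted, so every other port on the web server is reachable. The hardened variant is an assumption of mine, not taken from the card: the same two explicit rules followed by a catch-all DENY, which is what a web server exposing only HTTPS needs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    source: str          # "ANY" or an address string
    destination: str     # "ANY" or an address string
    protocol: str        # "TCP", "UDP" or "ANY"
    port: Optional[int]  # None means any port
    action: str          # "ALLOW" or "DENY"


def parse_policy(text):
    """Parse 'SRC DST PROTO [PORT] ACTION' lines such as 'ANY ANY TCP 443 ALLOW'."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 5:
            src, dst, proto, port, action = parts
            rules.append(Rule(src, dst, proto.upper(), int(port), action.upper()))
        elif len(parts) == 4:
            src, dst, proto, action = parts
            rules.append(Rule(src, dst, proto.upper(), None, action.upper()))
        else:
            raise ValueError(f"unrecognised rule: {line!r}")
    return rules


def _matches(field, value):
    return field == "ANY" or field == value


def evaluate(rules, protocol, port, src="203.0.113.10", dst="198.51.100.20", default="DENY"):
    """First matching rule wins, as on most firewalls; 'default' is the implicit final rule."""
    for r in rules:
        if not (_matches(r.source, src) and _matches(r.destination, dst)):
            continue
        if not _matches(r.protocol, protocol.upper()):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return default


# The policy as printed on the card: deny 80, allow 443, then allow everything else.
WEAK_POLICY = parse_policy("""
ANY ANY TCP 80 DENY
ANY ANY TCP 443 ALLOW
ANY ANY ANY ALLOW
""")

# Assumed hardened variant (not from the card): identical except the catch-all denies.
HARDENED_POLICY = parse_policy("""
ANY ANY TCP 80 DENY
ANY ANY TCP 443 ALLOW
ANY ANY ANY DENY
""")


def compare(probe_ports=(22, 80, 443, 3389, 8080)):
    """Return {port: (weak_action, hardened_action)} for TCP probes against each policy."""
    return {p: (evaluate(WEAK_POLICY, "TCP", p), evaluate(HARDENED_POLICY, "TCP", p))
            for p in probe_ports}


if __name__ == "__main__":
    for port, (weak, hardened) in compare().items():
        print(f"TCP {port:>5}: weak={weak:<5} hardened={hardened}")
```

The explicit "TCP 80 DENY" line is not what secures the weak policy, because the rule after 443 lets everything else through; the decision that matters is the last one, and a web server policy should end in deny so that ports like 22, 3389 and 8080 stay closed unless a rule above opens them.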

22
Q

A security incident may have occurred on the desktop PC of an organization’s Chief Executive Officer (CEO). A duplicate copy of the CEO’s hard drive must be stored securely to ensure appropriate forensic processes and the chain of custody are followed. Which of the following should be performed to accomplish this task?

A Install a new hard drive in the CEO’s PC, and then remove the old hard drive and place it in a tamper-evident bag.
B Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.
C Remove the CEO’s hard drive from the PC, connect to the forensic workstation, and copy all the contents onto a remote fileshare while the CEO watches.
D Refrain from completing a forensic analysis of the CEO’s hard drive until after the incident is confirmed; duplicating the hard drive at this stage could destroy evidence.

A

B. Connect a write blocker to the hard drive. Then, leveraging a forensic workstation, utilize the dd command in a live Linux environment to create a duplicate copy.

23
Q

Which of the following is a common source of unintentional corporate credential leakage in cloud environments?

A Code repositories
B Dark web
C Threat feeds
D State actors
E Vulnerability databases

A

A. Code repositories

24
Q

Which of the following disaster recovery sites is the most cost effective to operate?

A Warm site
B Cold site
C Hot site
D Hybrid site

A

B. Cold site

25
Q

Which of the following in the incident response process is the BEST approach to improve the speed of the identification phase?

A Activate verbose logging in all critical assets.
B Tune monitoring in order to reduce false positive rates.
C Redirect all events to multiple syslog servers.
D Increase the number of sensors present on the environment.

A

B. Tune monitoring in order to reduce false positive rates.

26
Q

A security engineer is concerned about using an agent on devices that relies completely on defined known bad signatures. The security engineer wants to implement a tool with multiple components including the ability to track, analyze, and monitor devices without reliance on definitions alone. Which of the following solutions best fits this use case?

A EDR
B DLP
C NGFW
D HIPS

A

A. EDR

27
Q

Which of the following tools is effective in preventing a user from accessing unauthorized removable media?

A USB data blocker
B Faraday cage
C Proximity reader
D Cable lock

A

A. USB data blocker

28
Q

During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization's network. Which of the following fulfills this request?

A access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
B access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
C access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
D access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32

A

B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0

29
Q

Which of the following would be the best way to block unknown programs from executing?

A Access control list
B Application allow list
C Host-based firewall
D DLP solution

A

B. Application allow list

30
Q

A company is designing the layout of a new data center so it will have an optimal environmental temperature. Which of the following must be included? (Choose two.)

A An air gap
B A cold aisle
C Removable doors
D A hot aisle
E An IoT thermostat
F A humidity monitor

A

B. A cold aisle
D. A hot aisle

31
Q

Which of the following identifies the point in time when an organization will recover data in the event of an outage?

A ALE
B RPO
C MTBF
D ARO

A

B. RPO

32
Q

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?

A Intelligence fusion
B Review reports
C Log reviews
D Threat feeds

A

D. Threat feeds

33
Q

A penetration tester is brought on site to conduct a full attack simulation at a hospital. The penetration tester notices a WAP that is hanging from the drop ceiling by its cabling and is reachable. Which of the following recommendations would the penetration tester MOST likely make given this observation?

A Employ a general contractor to replace the drop-ceiling tiles.
B Place the network cabling inside a secure conduit.
C Secure the access point and cabling inside the drop ceiling.
D Utilize only access points that have internal antennas

A

C. Secure the access point and cabling inside the drop ceiling.

34
Q

Which of the following is a known security risk associated with data archives that contain financial information?

A Data can become a liability if archived longer than required by regulatory guidance
B Data must be archived off-site to avoid breaches and meet business requirements.
C Companies are prohibited from providing archived data to e-discovery requests.
D Unencrypted archives should be preserved as long as possible and encrypted.

A

A. Data can become a liability if archived longer than required by regulatory guidance

35
Q

A security analyst is reviewing SIEM logs during an ongoing attack and notices the following:

http://company.com/get.php?f=/etc/passwd
http://company.com/..%2F..%2F..%2F..%2Fetc%2Fshadow
http://company.com/../../../../etc/passwd

Which of the following best describes the type of attack?

A SQLi
B CSRF
C API attacks
D Directory traversal

A

D. Directory traversal
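Worked example (added here, not part of the flashcard set): detection logic for the three request shapes on this card. The attacker's escape can be in the URL path or in a query parameter, plain ("../"), percent-encoded ("%2F") or double-encoded ("%252e%252e"), so the check decodes until the string stops changing, then resolves every candidate under an assumed document root (/var/www/html, my assumption) and flags anything that resolves outside it. The request list is constructed to mirror the card plus a double-encoded variant and two benign requests.

```python
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/html"  # assumed document root for the illustration

# Constructed requests modelled on the card's three URLs, plus a double-encoded
# traversal and two benign requests for contrast.
SAMPLE_REQUESTS = [
    "http://company.com/get.php?f=/etc/passwd",
    "http://company.com/..%2F..%2F..%2F..%2Fetc%2Fshadow",
    "http://company.com/../../../../etc/passwd",
    "http://company.com/%252e%252e/%252e%252e/etc/passwd",
    "http://company.com/images/logo.png",
    "http://company.com/get.php?f=report.pdf",
]


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %252e%252e ('..' encoded twice)
    is seen for what it is. Bounded so a hostile input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(candidate, root=WEB_ROOT):
    """True if resolving 'candidate' under the document root lands outside it.

    posixpath.join discards the root when the candidate is absolute (the card's
    f=/etc/passwd case), and normpath collapses '..' the way the filesystem would,
    so both absolute and relative escapes are caught by the same prefix check.
    """
    resolved = posixpath.normpath(posixpath.join(root, candidate.replace("\\", "/")))
    return not (resolved == root or resolved.startswith(root.rstrip("/") + "/"))


def traversal_candidates(url):
    """Yield every part of the request that might be used as a file path: the URL
    path (taken relative to the root) and each query-string value."""
    parts = urlsplit(url)
    yield fully_decode(parts.path).lstrip("/")
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for v in values:
            yield fully_decode(v)


def is_directory_traversal(url):
    return any(escapes_root(c) for c in traversal_candidates(url))


def flag_requests(urls=SAMPLE_REQUESTS):
    """Return the requests that try to read outside the web root."""
    return [u for u in urls if is_directory_traversal(u)]


if __name__ == "__main__":
    for u in SAMPLE_REQUESTS:
        print("TRAVERSAL" if is_directory_traversal(u) else "ok       ", u)
```

Matching on the literal string "../" is not enough: the second URL on the card carries no slash at all until it is decoded, and a double-encoded request survives one round of decoding. Resolving the path and checking the prefix is also the same check the application itself should perform before opening a file.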

36
Q

Which of the following is used to ensure that evidence is admissible in legal proceedings when it is collected and provided to the authorities?

A Chain of custody
B Legal hold
C Event log
D Artifacts

A

A. Chain of custody

37
Q

A cloud service provider has created an environment where customers can connect existing local networks to the cloud for additional computing resources and block internal HR applications from reaching the cloud. Which of the following cloud models is being used?

A Public
B Community
C Hybrid
D Private

A

C. Hybrid

38
Q

When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure?

A Z-Wave compatibility
B Network range
C Zigbee configuration
D Communication protocols

A

D. Communication protocols

39
Q

Which of the following is a targeted attack aimed at compromising users within a specific industry or group?

A Watering hole
B Typosquatting
C Hoax
D Impersonation

A

A. Watering hole

40
Q

Which of the following best describes a use case for a DNS sinkhole?

A Attackers can see a DNS sinkhole as a highly valuable resource to identify a company’s domain structure.
B A DNS sinkhole can be used to draw employees away from known-good websites to malicious ones owned by the attacker.
C A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.
D A DNS sinkhole can be set up to attract potential attackers away from a company’s network resources

A

C. A DNS sinkhole can be used to capture traffic to known-malicious domains used by attackers.

41
Q

Several universities are participating in a collaborative research project and need to share compute and storage resources. Which of the following cloud deployment strategies would BEST meet this need?

A Community
B Private
C Public
D Hybrid

A

A. Community

42
Q

Which of the following describes the ability of code to target a hypervisor from inside a guest OS?

A Fog computing
B VM escape
C Software-defined networking
D Image forgery
E Container breakout

A

B. VM escape

43
Q

Following a prolonged data center outage that affected web-based sales, a company has decided to move its operations to a private cloud solution. The security team has received the following:

• There must be visibility into how teams are using cloud-based services.
• The company must be able to identify when data related to payment cards is being sent to the cloud
• Data must be available regardless of the end user’s geographic location.
• Administrators need a single pane-of-glass view into traffic and trends.

Which of the following should the security analyst recommend?

A Create firewall rules to restrict traffic to other cloud service providers.
B Install a DLP solution to monitor data in transit.
C Implement a CASB solution.
D Configure a web-based content filter.

A

C. Implement a CASB solution.

44
Q

A company has a flat network in the cloud. The company needs to implement a solution to segment its production and non-production servers without migrating servers to a new network. Which of the following solutions should the company implement?

A Intranet
B Screened subnet
C VLAN segmentation
D Zero Trust

A

C. VLAN segmentation

45
Q

During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?

A Legacy operating system
B Weak configuration
C Zero day
D Supply chain

A

C. Zero day

46
Q

A network architect wants a server to have the ability to retain network availability even if one of the network switches it is connected to goes down. Which of the following should the architect implement on the server to achieve this goal?

A RAID
B UPS
C NIC teaming
D Load balancing

A

C. NIC teaming

47
Q

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

A The Diamond Model of Intrusion Analysis
B CIS Critical Security Controls
C NIST Risk Management Framework
D ISO 27002

A

C. NIST Risk Management Framework

48
Q

An organization would like to give remote workers the ability to use applications hosted inside the corporate network. Users will be allowed to use their personal computers, or they will be provided organization assets. Either way, no data or applications will be installed locally on any user systems. Which of the following mobile solutions would accomplish these goals?

A VDI
B MDM
C COPE
D UTM

A

A. VDI

49
Q

A security administrator would like to ensure all cloud servers will have software preinstalled for facilitating vulnerability scanning and continuous monitoring. Which of the following concepts should the administrator utilize?

A Provisioning
B Staging
C Staging
D Quality assurance

A

A. Provisioning

50
Q

During a security incident investigation, an analyst consults the company's SIEM and sees an event concerning high traffic to a known, malicious command-and-control server. The analyst would like to determine the number of company workstations that may be impacted by this issue. Which of the following can provide this information?

A WAF logs
B DNS logs
C System logs
D Application logs

A

B. DNS logs