301-350 Flashcards

1
Q

A cloud administrator is configuring five compute instances under the same subnet in a VPC. Three
instances are required to communicate with one another, and the other two must be logically isolated from
all other instances in the VPC.
Which of the following must the administrator configure to meet this requirement?

A
A. One security group
B. Two security groups
C. Three security groups
D. Five security groups
Answer: B
2
Q

A security analyst is reviewing the following command-line output:
Which of the following is the analyst observing?

A
A. IGMP spoofing
B. URL redirection
C. MAC address cloning
D. DNS poisoning
Answer: C
3
Q

Which of the following represents a biometric FRR?

A

A. Authorized users being denied access
B. Users failing to enter the correct PIN
C. The denied and authorized numbers being equal
D. The number of unauthorized users being granted access
Answer: A

4
Q

A security analyst sees the following log output while reviewing web logs:
Which of the following mitigation strategies would be BEST to prevent this attack from being successful?

A
A. Secure cookies
B. Input validation
C. Code signing
D. Stored procedures
Answer: B
5
Q

A security analyst is reviewing the following output from a system:
Which of the following is MOST likely being observed?

A
A. ARP poisoning
B. Man in the middle
C. Denial of service
D. DNS poisoning
Answer: C
6
Q

A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure
and build out a customer-facing web application.

Which of the following solutions would be BEST to provide security, manageability, and visibility into the
platforms?

A
A. SIEM
B. DLP
C. CASB
D. SWG
Answer: C
7
Q

To further secure a company’s email system, an administrator is adding public keys to DNS records in
the company’s domain.
Which of the following is being used?

A
A. PFS
B. SPF
C. DMARC
D. DNSSEC
Answer: D
8
Q

A hospital’s administration is concerned about a potential loss of patient data that is stored on tablets.
A security administrator needs to implement controls to alert the SOC any time the devices are near exits.
Which of the following would BEST achieve this objective?

A
A. Geotargeting
B. Geolocation
C. Geotagging
D. Geofencing
Answer: D
9
Q

An organization with a low tolerance for user inconvenience wants to protect laptop hard drives
against loss or data theft.
Which of the following would be the MOST acceptable?

A
A. SED
B. HSM
C. DLP
D. TPM
Answer: A
10
Q

An organization has hired a security analyst to perform a penetration test. The analyst captures 1Gb
worth of inbound network traffic to the server and transfers the pcap back to the machine for analysis.
Which of the following tools should the analyst use to further review the pcap?

A
A. Nmap
B. cURL
C. Netcat
D. Wireshark
Answer: D
11
Q

An external forensics investigator has been hired to investigate a data breach at a large enterprise with
numerous assets. It is known that the breach started in the DMZ and moved to the sensitive information,
generating multiple logs as the attacker traversed the network.
Which of the following will BEST assist with this investigation?

A

A. Perform a vulnerability scan to identify the weak spots.
B. Use a packet analyzer to investigate the NetFlow traffic.
C. Check the SIEM to review the correlated logs.
D. Require access to the routers to view current sessions.
Answer: C

12
Q

Which of the following refers to applications and systems that are used within an organization without
consent or approval?

A
A. Shadow IT
B. OSINT
C. Dark web
D. Insider threats
Answer: A
13
Q

A company needs to centralize its logs to create a baseline and have visibility on its security events.
Which of the following technologies will accomplish this objective?

A
A. Security information and event management
B. A web application firewall
C. A vulnerability scanner
D. A next-generation firewall
Answer: A
14
Q

An incident response technician collected a mobile device during an investigation.
Which of the following should the technician do to maintain chain of custody?

A

A. Document the collection and require a sign-off when possession changes.
B. Lock the device in a safe or other secure location to prevent theft or alteration.
C. Place the device in a Faraday cage to prevent corruption of the data.
D. Record the collection in a blockchain-protected public ledger.
Answer: A

15
Q

A network administrator has been asked to install an IDS to improve the security posture of an
organization.
Which of the following control types is an IDS?

A
A. Corrective
B. Physical
C. Detective
D. Administrative
Answer: C
16
Q

A security analyst is logged into a Windows file server and needs to see who is accessing files and from which computers.
Which of the following tools should the analyst use?

A
A. netstat
B. net share
C. netcat
D. nbtstat
E. net session
Answer: A
17
Q

A security analyst discovers that a company username and password database was posted on an
internet forum. The usernames and passwords are stored in plain text.
Which of the following would mitigate the damage done by this type of data exfiltration in the future?

A

A. Create DLP controls that prevent documents from leaving the network.
B. Implement salting and hashing.
C. Configure the web content filter to block access to the forum.
D. Increase password complexity requirements.
Answer: A

18
Q

An attacker is exploiting a vulnerability that does not have a patch available.
Which of the following is the attacker exploiting?

A
A. Zero-day
B. Default permissions
C. Weak encryption
D. Unsecure root accounts
Answer: A
19
Q

A security analyst is reviewing the output of a web server log and notices a particular account is
attempting to transfer large amounts of money:
Which of the following types of attack is MOST likely being conducted?

A
A. SQLi
B. CSRF
C. Session replay
D. API
Answer: C
20
Q

An organization has decided to host its web application and database in the cloud.
Which of the following BEST describes the security concerns for this decision?

A

A. Access to the organization’s servers could be exposed to other cloud-provider clients.
B. The cloud vendor is a new attack vector within the supply chain.
C. Outsourcing the code development adds risk to the cloud provider.
D. Vendor support will cease when the hosting platforms reach EOL.
Answer: B

21
Q

An organization’s help desk is flooded with phone calls from users stating they can no longer access
certain websites. The help desk escalates the issue to the security team, as these websites were
accessible the previous day. The security analysts run the following command: ipconfig /flushdns, but the
issue persists. Finally, an analyst changes the DNS server for an impacted machine, and the issue goes
away.
Which of the following attacks MOST likely occurred on the original DNS server?

A
A. DNS cache poisoning
B. Domain hijacking
C. Distributed denial-of-service
D. DNS tunneling
Answer: B
22
Q

After a ransomware attack, a forensics company needs to review a cryptocurrency transaction
between the victim and the attacker.
Which of the following will the company MOST likely review to trace this transaction?

A
A. The public ledger
B. The NetFlow data
C. A checksum
D. The event log
Answer: A
23
Q

The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the
company’s Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email
states Ann is on vacation and has lost her purse, containing cash and credit cards.
Which of the following social-engineering techniques is the attacker using?

A
A. Phishing
B. Whaling
C. Typo squatting
D. Pharming
Answer: B
24
Q

An organization plans to transition the intrusion detection and prevention techniques on a critical
subnet to an anomaly-based system.
Which of the following does the organization need to determine for this to be successful?

A
A. The baseline
B. The endpoint configurations
C. The adversary behavior profiles
D. The IPS signatures
Answer: C
25
Q

An organization is developing a plan in the event of a complete loss of critical systems and data.
Which of the following plans is the organization MOST likely developing?

A
A. Incident response
B. Communications
C. Disaster recovery
D. Data retention
Answer: C
26
Q

A security analyst is preparing a threat model for an upcoming internal penetration test. The analyst needs
to identify a method for determining the tactics, techniques, and procedures of a threat against the
organization’s network.
Which of the following will the analyst MOST likely use to accomplish the objective?

A
A. A tabletop exercise
B. NIST CSF
C. MITRE ATT&CK
D. OWASP
Answer: C
27
Q

In which of the following risk management strategies would cybersecurity insurance be used?

A
A. Transference
B. Avoidance
C. Acceptance
D. Mitigation
Answer: A
28
Q

A company’s bank has reported that multiple corporate credit cards have been stolen over the past
several weeks. The bank has provided the names of the affected cardholders to the company’s forensics
team to assist in the cyber-incident investigation.
An incident responder learns the following information:
✑ The timeline of stolen card numbers corresponds closely with affected users making Internet-based
purchases from diverse websites via enterprise desktop PCs.
✑ All purchase connections were encrypted, and the company uses an SSL inspection proxy for the
inspection of encrypted traffic of the hardwired network.
✑ Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection
occurs, were unaffected.
Which of the following is the MOST likely root cause?

A

A. HTTPS sessions are being downgraded to insecure cipher suites.
B. The SSL inspection proxy is feeding events to a compromised SIEM.
C. The payment providers are insecurely processing credit card charges.
D. The adversary has not yet established a presence on the guest WiFi network.
Answer: C

29
Q

A consultant is configuring a vulnerability scanner for a large, global organization in multiple countries.
The consultant will be using a service account to scan systems with administrative privileges on a weekly
basis, but there is a concern that hackers could gain access to the account and pivot through the global network.
Which of the following would be BEST to help mitigate this concern?

A

A. Create consultant accounts for each region, each configured with push MFA notifications.
B. Create one global administrator account and enforce Kerberos authentication.
C. Create different accounts for each region, limit their logon times, and alert on risky logins.
D. Create a guest account for each region, remember the last ten passwords, and block password reuse.
Answer: C

30
Q

A development team employs a practice of bringing all the code changes from multiple team
members into the same development project through automation. A tool is utilized to validate the code
and track source code through version control.
Which of the following BEST describes this process?

A
A. Continuous delivery
B. Continuous integration
C. Continuous validation
D. Continuous monitoring
Answer: B
31
Q

A small business just recovered from a ransomware attack against its file servers by purchasing the
decryption keys from the attackers. The issue was triggered by a phishing email, and the IT administrator
wants to ensure it does not happen again.
Which of the following should the IT administrator do FIRST after recovery?

A

A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a
frequent basis.
B. Restrict administrative privileges and patch all systems and applications.
C. Rebuild all workstations and install new antivirus software.
D. Implement application whitelisting and perform user application hardening.
Answer: A

32
Q

An organization recently acquired an ISO 27001 certification.
Which of the following would MOST likely be considered a benefit of this certification?

A

A. It allows for the sharing of digital forensics data across organizations.
B. It provides insurance in case of a data breach.
C. It provides complimentary training and certification resources to IT security staff.
D. It certifies the organization can work with foreign entities that require a security clearance.
E. It assures customers that the organization meets security standards.
Answer: E

33
Q

A company has decided to move its operations to the cloud. It wants to utilize technology that will
prevent users from downloading company applications for personal use, restrict data that is uploaded,
and have visibility into which applications are being used across the company.
Which of the following solutions will BEST meet these requirements?

A
A. An NGFW
B. A CASB
C. Application whitelisting
D. An NG-SWG
Answer: B
34
Q

The website http://companywebsite.com requires users to provide personal information, including
security question responses, for registration.
Which of the following would MOST likely cause a data breach?

A
A. Lack of input validation
B. Open permissions
C. Unsecure protocol
D. Missing patches
Answer: C
35
Q

CORRECT TEXT
A company recently added a DR site and is redesigning the network. Users at the DR site are having
issues browsing websites.
INSTRUCTIONS
Click on each firewall to do the following:
✑ Deny cleartext web traffic.
✑ Ensure secure management protocols are used.
✑ Resolve issues at the DR site.
The ruleset order cannot be modified due to outside constraints.
If at any time you would like to bring back the initial state of the simulation, please click the Reset All button.

A

{{ PIC }}

36
Q

A host was infected with malware. During the incident response, Joe, a user, reported that he did not
receive any emails with links, but he had been browsing the Internet all day.
Which of the following would MOST likely show where the malware originated?

A
A. The DNS logs
B. The web server logs
C. The SIP traffic logs
D. The SNMP logs
Answer: A
37
Q

Local guidelines require that all information systems meet a minimum-security baseline to be
compliant.
Which of the following can security administrators use to assess their system configurations against the
baseline?

A
A. SOAR playbook
B. Security control matrix
C. Risk management framework
D. Benchmarks
Answer: D
38
Q

Company engineers regularly participate in a public Internet forum with other engineers throughout
the industry.
Which of the following tactics would an attacker MOST likely use in this scenario?

A
A. Watering-hole attack
B. Credential harvesting
C. Hybrid warfare
D. Pharming
Answer: A
39
Q

An organization is concerned that its hosted web servers are not running the most updated version of
the software.
Which of the following would work BEST to help identify potential vulnerabilities?

A
A. hping3 -S comptia.org -p 80
B. nc -l -v comptia.org -p 80
C. nmap comptia.org -p 80 -sV
D. nslookup -port=80 comptia.org
Answer: C
40
Q

An enterprise needs to store cryptographic keys securely.
Which of the following network appliances can achieve this goal?

A
A. HSM
B. CASB
C. TPM
D. DLP
Answer: A
41
Q

An organization relies on third-party video conferencing to conduct daily business. Recent security
changes now require all remote workers to utilize a VPN to corporate resources.
Which of the following would BEST maintain high-quality video conferencing while minimizing latency
when connected to the VPN?

A

A. Using geographic diversity to have VPN terminators closer to end users.
B. Utilizing split tunneling so only traffic for corporate resources is encrypted.
C. Purchasing higher-bandwidth connections to meet the increased demand.
D. Configuring QoS properly on the VPN accelerators.
Answer: D

42
Q

In which of the following situations would it be BEST to use a detective control type for mitigation?

A

A. A company implemented a network load balancer to ensure 99.999% availability of its web application.
B. A company designed a backup solution to increase the chances of restoring services in case of a
natural disaster.
C. A company purchased an application-level firewall to isolate traffic between the accounting department
and the information technology department.
D. A company purchased an IPS system, but after reviewing the requirements, the appliance was
supposed to monitor, not block, any traffic.
E. A company purchased liability insurance for flood protection on all capital assets.
Answer: D

43
Q

A security researcher is attempting to gather data on the widespread use of a zero-day exploit.
Which of the following will the researcher MOST likely use to capture this data?

A
A. A DNS sinkhole
B. A honeypot
C. A vulnerability scan
D. CVSS
Answer: B
44
Q

Which of the following types of controls is a CCTV camera that is not being monitored?

A
A. Detective
B. Deterrent
C. Physical
D. Preventive
Answer: B
45
Q

An attacker is attempting to exploit users by creating a fake website with the URL users.
Which of the following social-engineering attacks does this describe?

A
A. Information elicitation
B. Typo squatting
C. Impersonation
D. Watering-hole attack
Answer: D
46
Q

An organization has a growing workforce that is mostly driven by additions to the sales department.
Each newly hired salesperson relies on a mobile device to conduct business. The Chief Information
Officer (CIO) is wondering if the organization may need to scale down just as quickly as it scaled up. The
CIO is also concerned about the organization’s security and customer privacy.
Which of the following would be BEST to address the CIO’s concerns?

A

A. Disallow new hires from using mobile devices for six months.
B. Select four devices for the sales department to use in a CYOD model.
C. Implement BYOD for the sales department while leveraging the MDM.
D. Deploy mobile devices using the COPE methodology.
Answer: C

47
Q

A network administrator would like to configure a site-to-site VPN utilizing IPSec. The administrator
wants the tunnel to be established with data integrity, encryption, authentication, and anti-replay functions.
Which of the following should the administrator use when configuring the VPN?

A
A. AH
B. EDR
C. ESP
D. DNSSEC
Answer: C
48
Q

A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities
because the score allows the organization to better:

A

A. validate the vulnerability exists in the organization’s network through penetration testing.
B. research the appropriate mitigation techniques in a vulnerability database.
C. find the software patches that are required to mitigate a vulnerability.
D. prioritize remediation of vulnerabilities based on the possible impact.
Answer: D

49
Q

The new Chief Executive Officer (CEO) of a large company has announced a partnership with a
vendor that will provide multiple collaboration applications to make remote work easier. The company has a
geographically dispersed staff located in numerous remote offices in different countries. The company’s IT
administrators are concerned about network traffic and load if all users simultaneously download the
application.
Which of the following would work BEST to allow each geographic region to download the software
without negatively impacting the corporate network?

A
A. Update the host IDS rules.
B. Enable application whitelisting.
C. Modify the corporate firewall rules.
D. Deploy all applications simultaneously.
Answer: B
50
Q

Which of the following will MOST likely cause machine learning and AI-enabled systems to operate
with unintended consequences?

A
A. Stored procedures
B. Buffer overflows
C. Data bias
D. Code reuse
Answer: A
Explanation:
https://lionbridge.ai/articles/7-types-of-data-bias-in-machine-learning/