500-600 Flashcards

1
Q

A government organization is developing an advanced AI defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected progress of the AI learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system?

A. Improper algorithms security
B. Tainted training data
C. Fileless virus
D. Cryptomalware

A

B. Tainted training data

2
Q

A company’s help desk has received calls about the wireless network being down and users being unable to connect to it. The network administrator says all access points are up and running. One of the help desk technicians notices the affected users are working in a building near the parking lot. Which of the following is the most likely reason for the outage?

A. Someone near the building is jamming the signal.
B. A user has set up a rogue access point near the building.
C. Someone set up an evil twin access point in the affected area.
D. The APs in the affected area have been unplugged from the network.

A

A. Someone near the building is jamming the signal.

3
Q

Which of the following can best protect against an employee inadvertently installing malware on a company system?

A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list

A

D. Application allow list

4
Q

An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls? (Choose two.)

A. ISO
B. PCI DSS
C. SOC
D. GDPR
E. CSA
F. NIST

A

D. GDPR
B. PCI DSS

5
Q

A customer called a company’s security team to report that all invoices the customer has received over the last five days from the company appear to have fraudulent banking details. An investigation into the matter reveals the following:

  • The manager of the accounts payable department is using the same password across multiple external websites and the corporate account.
  • One of the websites the manager used recently experienced a data breach.
  • The manager’s corporate email account was successfully accessed in the last five days by an IP address located in a foreign country.

Which of the following attacks has most likely been used to compromise the manager’s corporate account?

A. Remote access Trojan
B. Brute-force
C. Dictionary
D. Credential stuffing
E. Password spraying

A

D. Credential stuffing
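Added example (not part of the original card set): a small Python classifier that tells the three password attacks in the options apart from a constructed authentication log. The log format and every address and account name in it are invented for this example, and the rules are heuristics rather than a standard: one account hammered from one source is brute force (a dictionary attack looks the same in the log); many accounts tried about once each with a noticeable share succeeding is credential stuffing, the pattern behind the card (leaked user:password pairs replayed against the corporate account); many accounts tried once each, slowly, all failing is password spraying.

```python
from collections import Counter, defaultdict

# Constructed sample of an IdP/SSO authentication log in a made-up
# "timestamp ip user result" format. Every address and name is invented.
SAMPLE_AUTH_LOG = """\
2024-05-01T02:10:01Z 203.0.113.7 amanda.lee FAIL
2024-05-01T02:10:02Z 203.0.113.7 brian.ortiz FAIL
2024-05-01T02:10:02Z 203.0.113.7 c.nguyen FAIL
2024-05-01T02:10:03Z 203.0.113.7 d.patel OK
2024-05-01T02:10:03Z 203.0.113.7 e.wright FAIL
2024-05-01T02:10:04Z 203.0.113.7 f.kim FAIL
2024-05-01T02:10:04Z 203.0.113.7 g.lopez FAIL
2024-05-01T02:10:05Z 203.0.113.7 h.brown OK
2024-05-01T03:00:00Z 198.51.100.9 j.smith FAIL
2024-05-01T03:00:01Z 198.51.100.9 j.smith FAIL
2024-05-01T03:00:01Z 198.51.100.9 j.smith FAIL
2024-05-01T03:00:02Z 198.51.100.9 j.smith FAIL
2024-05-01T03:00:02Z 198.51.100.9 j.smith FAIL
2024-05-01T03:00:03Z 198.51.100.9 j.smith FAIL
2024-05-01T04:00:00Z 192.0.2.44 amanda.lee FAIL
2024-05-01T04:30:00Z 192.0.2.44 brian.ortiz FAIL
2024-05-01T05:00:00Z 192.0.2.44 c.nguyen FAIL
2024-05-01T05:30:00Z 192.0.2.44 d.patel FAIL
2024-05-01T06:00:00Z 192.0.2.44 e.wright FAIL
2024-05-01T06:30:00Z 192.0.2.44 f.kim FAIL
2024-05-01T08:02:11Z 10.20.30.40 amanda.lee OK
"""


def parse_events(log_text: str) -> dict:
    """Group (user, succeeded) tuples by source IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        by_ip[ip].append((user, result == "OK"))
    return by_ip


def classify_sources(log_text: str, min_events: int = 5) -> dict:
    """Label each source IP with the attack pattern its attempts resemble.

    Heuristics (rules of thumb, not a standard):
      brute-force          one account, many attempts from the same source
      credential-stuffing  many accounts, ~1 attempt each, some succeed
                           (breached user:password pairs reused on the IdP)
      password-spraying    many accounts, ~1 attempt each, essentially all fail
                           (one guessed password across accounts to dodge lockout)
    """
    verdicts = {}
    for ip, events in parse_events(log_text).items():
        if len(events) < min_events:
            continue  # too little activity to label; ordinary users land here
        distinct_users = len(Counter(user for user, _ in events))
        attempts_per_user = len(events) / distinct_users
        success_rate = sum(1 for _, ok in events if ok) / len(events)
        if distinct_users == 1:
            verdicts[ip] = "brute-force"
        elif attempts_per_user <= 2 and success_rate >= 0.05:
            verdicts[ip] = "credential-stuffing"
        elif attempts_per_user <= 2:
            verdicts[ip] = "password-spraying"
        else:
            verdicts[ip] = "unclassified"
    return verdicts


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip:15} {label}")
```

The success-rate split is what separates stuffing from spraying in practice: stuffed pairs come from a real breach, so a meaningful fraction works on the first try, which is exactly how the manager's reused password let the attacker straight into the corporate mailbox.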

6
Q

An organization’s corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space. Which of the following will the organization most likely consult?

A. The business continuity plan
B. The risk management plan
C. The communication plan
D. The incident response plan

A

A. The business continuity plan

7
Q

Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing packet capture logs, the analysts notice the following:

username: ……smJA…..
password: 83249823948BCA234AE

Which of the following occurred?

A. A buffer overflow was exploited to gain unauthorized access.
B. The user’s account was compromised, and an attacker changed the login credentials.
C. An attacker used a pass-the-hash attack to gain access.
D. An insider threat with username smithJA logged in to the account.

A

C. An attacker used a pass-the-hash attack to gain access.

8
Q

A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team’s process. Which of the following is the analyst most likely participating in?

A. MITRE ATT&CK
B. Walk-through
C. Red team
D. Purple team
E. TAXII

A

A. MITRE ATT&CK

MITRE ATT&CK is a framework; you cannot participate in a framework. You can follow a framework and work by its guidelines, but you cannot participate in one.

9
Q

A network manager wants to protect the company’s VPN by multifactor authentication that uses:

  • Something you know
  • Something you have
  • Somewhere you are

Which of the following would accomplish the manager’s goal?

A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, partner site
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address

A

C. Password, authentication token, thumbprint

Note: a thumbprint is a biometric, i.e. "something you are", not "somewhere you are", so the keyed answer does not actually supply all three factors the manager listed. Of the options, only a GeoIP lookup (option A) is a location factor; expect this item to be disputed.

10
Q

Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor?

A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company’s AV
D. A data-breach clause requiring disclosure of significant data loss

A

A. A right-to-audit clause allowing for annual security audits

11
Q

Which of the following cloud models provides clients with servers, storage, and networks but nothing else?

A. SaaS
B. PaaS
C. IaaS
D. DaaS

A

C. IaaS

12
Q

A marketing coordinator is trying to access a social media application on a company laptop but is getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the following documents should a security analyst review to determine whether accessing social media applications on a company device is permitted?

A. Incident response policy
B. Business continuity policy
C. Change management policy
D. Acceptable use policy

A

D. Acceptable use policy

13
Q

Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process?

A. Data breach notification
B. Accountability
C. Legal hold
D. Chain of custody

A

C. Legal hold

14
Q

A company wants to deploy decoy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following best describes these systems?

A. DNS sinkholes
B. Honeypots
C. Virtual machines
D. Neural networks

A

B. Honeypots

15
Q

A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?

A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage.

B. The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application’s allow list, temporarily restricting the drives to 512KB of storage.

C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives.

D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

A

D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

16
Q

A company has installed badge readers for building access but is finding unauthorized individuals roaming the hallways. Which of the following is the most likely cause?

A. Shoulder surfing
B. Phishing
C. Tailgating
D. Identity fraud

A

C. Tailgating

17
Q

An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?

A. The DLP appliance should be integrated into a NGFW.
B. Split-tunnel connections can negatively impact the DLP appliance’s performance.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
D. Adding two hops in the VPN tunnel may slow down remote connections.

A

C. Encrypted VPN traffic will not be inspected when entering or leaving the network.

18
Q

Which of the following is the best method for ensuring non-repudiation?

A. SSO
B. Digital certificate
C. Token
D. SSH key

A

B. Digital certificate

19
Q

Which of the following methods is the most effective for reducing vulnerabilities?

A. Joining an information-sharing organization
B. Using a scan-patch-scan process
C. Implementing a bug bounty program
D. Patching low-scoring vulnerabilities first

A

B. Using a scan-patch-scan process

20
Q

An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic. Which of the following will help achieve these objectives?

A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators

A

A. Deploying a SASE solution to remote employees

SASE (Secure Access Service Edge) is a comprehensive networking and security approach that combines wide-area networking (WAN) capabilities with security features.

21
Q

Which of the following is the best reason to complete an audit in a banking environment?

A. Regulatory requirement
B. Organizational change
C. Self-assessment requirement
D. Service-level requirement

A

A. Regulatory requirement

22
Q

After a recent ransomware attack on a company’s system, an administrator reviewed the log files. Which of the following control types did the administrator use?

A. Compensating
B. Detective
C. Preventive
D. Corrective

A

B. Detective

23
Q

A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first?

A. Air gap the system.
B. Move the system to a different network segment.
C. Create a change control request.
D. Apply the patch to the system.

A

C. Create a change control request.

24
Q

A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?

A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS

A

A. Evil twin

25
Q

An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise. Which of the following will accomplish this goal?

A. Antivirus
B. IPS
C. FTP
D. FIM

A

D. FIM

File Integrity Monitoring (FIM) compares files and directories against a known-good baseline of hashes (and often permissions and ownership) and alerts on any unauthorized change, so tampering is identified as soon as it happens and can be reversed before it spreads.

26
Q

Which of the following mitigation techniques places devices in physically or logically separated networks and leverages policies to limit the types of communications that are allowed?

A. Host-based firewalls
B. Access control list
C. Port security
D. Least privilege

A

B. Access control list

27
Q

All security analysts’ workstations at a company have network access to a critical server VLAN. The information security manager wants to further enhance the controls by requiring that all access to the secure VLAN be authorized only from a given single location. Which of the following will the information security manager most likely implement?

A. A forward proxy server
B. A jump server
C. A reverse proxy server
D. A stateful firewall server

A

B. A jump server

28
Q

Which of the following best describes why a company would erase a newly purchased device and install its own image with an operating system and applications?

A. Installing a new operating system thoroughly tests the equipment
B. Removing unneeded applications reduces the system’s attack surface
C. Reimaging a system creates an updated baseline of the computer image
D. Wiping the device allows the company to evaluate its performance

A

B. Removing unneeded applications reduces the system’s attack surface

29
Q

A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the best solution to prevent this type of incident from occurring again?

A. Enforce the use of a controlled trusted source of container images.
B. Deploy an IPS solution capable of detecting signatures of attacks targeting containers.
C. Define a vulnerability scan to assess container images before being introduced on the environment.
D. Create a dedicated VPC for the containerized environment.

A

A. Enforce the use of a controlled trusted source of container images.

The image came from a public registry, so the root cause is image provenance: pulling only from a controlled, trusted registry of vetted (ideally signed) images prevents a recurrence. A vulnerability scan (C) or IPS signatures (B) cannot catch a zero-day, because no CVE or signature exists for it yet, and a dedicated VPC (D) only limits the blast radius after the fact.

30
Q

An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the perimeter network and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will best assist with this investigation?

A. Perform a vulnerability scan to identify the weak spots.
B. Use a packet analyzer to investigate the NetFlow traffic.
C. Check the SIEM to review the correlated logs.
D. Require access to the routers to view current sessions.

A

C. Check the SIEM to review the correlated logs.

31
Q

A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?

A. PCI DSS
B. GDPR
C. NIST
D. ISO 31000

A

B. GDPR

32
Q

During an internal penetration test, a security analyst identified a network device that had accepted cleartext authentication and was configured with a default credential. Which of the following recommendations should the security analyst make to secure this device?

A. Configure SNMPv1.
B. Configure SNMPv2c.
C. Configure SNMPv3.
D. Configure the default community string.

A

C. Configure SNMPv3.

32
Q

Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this best represent?

A. Functional testing
B. Stored procedures
C. Elasticity
D. Continuous integration

A

D. Continuous integration

33
Q

A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the user’s knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker most likely use to gain access?

A. A bot
B. A fileless virus
C. A logic bomb
D. A RAT (Remote Access Trojan)

A

D. A RAT (Remote Access Trojan)

34
Q

Recent changes to a company’s BYOD policy require all personal mobile devices to use a two-factor authentication method that is not something you know or have. Which of the following will meet this requirement?

A. Facial recognition
B. Six-digit PIN
C. PKI certificate
D. Smart card

A

A. Facial recognition

35
Q

A critical file server is being upgraded, and the systems administrator must determine which RAID level the new server will need to achieve parity and handle two simultaneous disk failures. Which of the following RAID levels meets this requirement?

A. RAID 0+1
B. RAID 2
C. RAID 5
D. RAID 6

A

D. RAID 6

RAID 6 is a fault-tolerant RAID level that provides dual parity, which means it can withstand the failure of two disks simultaneously without data loss. It is achieved by distributing two sets of parity information across the disks. This level of fault tolerance makes RAID 6 suitable for critical systems where data integrity and high availability are crucial.

36
Q

A company must ensure sensitive data at rest is rendered unreadable. Which of the following will the company most likely use?

A. Hashing
B. Tokenization
C. Encryption
D. Segmentation

A

C. Encryption

37
Q

A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago, and the company that developed them is no longer in business. Which of the following constraints best describes the reason the findings cannot be remediated?

A. Inability to authenticate
B. Implied trust
C. Lack of computing power
D. Unavailable patch

A

D. Unavailable patch

38
Q

A security engineer is concerned about using an agent on devices that relies completely on defined known-bad signatures. The security engineer wants to implement a tool with multiple components including the ability to track, analyze, and monitor devices without reliance on definitions alone. Which of the following solutions best fits this use case?

A. EDR
B. DLP
C. NGFW
D. HIPS

A

A. EDR

Endpoint Detection and Response (EDR) is a solution that provides continuous monitoring, analysis, and response capabilities on endpoints (devices) in an organization’s network. Unlike traditional antivirus solutions that rely on known-bad signatures, EDR solutions use behavior-based analysis and heuristics to detect and respond to potential threats.

39
Q

A user’s login credentials were recently compromised. During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However, the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?

A. Cross-site scripting
B. SQL injection
C. DNS poisoning
D. Certificate forgery

A

A. Cross-site scripting

40
Q

To reduce costs and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time, no other services will be moving. Which of the following cloud models would best meet the needs of the organization?

A. MaaS
B. IaaS
C. SaaS
D. PaaS

A

C. SaaS

41
Q

A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate?

A. Testing input validation on the user input fields
B. Performing code signing on company-developed software
C. Performing static code analysis on the software
D. Ensuring secure cookies are used

A

B. Performing code signing on company-developed software

42
Q

An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG, WAF, MDM, HIPS, and CASB systems. Which of the following is the best way to improve the situation?

A. Remove expensive systems that generate few alerts.
B. Modify the systems to alert only on critical issues.
C. Utilize a SIEM to centralize logs and dashboards.
D. Implement a new syslog/NetFlow appliance.

A

C. Utilize a SIEM to centralize logs and dashboards.

43
Q

A company’s end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS servers, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server. Which of the following best describes what the security analyst is seeing?

A. Concurrent session usage
B. Secure DNS cryptographic downgrade
C. On-path resource consumption
D. Reflected denial of service

A

D. Reflected denial of service

44
Q

An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to best satisfy both the CPO’s and the development team’s requirements?

A. Data purge
B. Data encryption
C. Data masking
D. Data tokenization

A

C. Data masking

45
Q

A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be best for the analyst to use on the syslog server to search for recent traffic to the command-and-control website?

A. head -500 www.comptia.com | grep /logfiles/messages
B. cat /logfiles/messages | tail -500 www.comptia.com
C. tail -500 /logfiles/messages | grep www.comptia.com
D. grep -500 /logfiles/messages | cat www.comptia.com

A

C. tail -500 /logfiles/messages | grep www.comptia.com

46
Q

A systems administrator set up an automated process that checks for vulnerabilities across the entire environment every morning. Which of the following activities is the systems administrator conducting?

A. Scanning
B. Alerting
C. Reporting
D. Archiving

A

A. Scanning

47
Q

An engineer is setting up a VDI environment for a factory location, and the business wants to deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment directly. Which of the following should the engineer select to meet these requirements?

A. Laptops
B. Containers
C. Thin clients
D. Workstations

A

C. Thin clients

48
Q

A systems administrator receives the following alert from a file integrity monitoring tool:

The hash of the cmd.exe file has changed.

The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?

A. The end user changed the file permissions.
B. A cryptographic collision was detected.
C. A snapshot of the file system was taken.
D. A rootkit was deployed.

A

D. A rootkit was deployed.
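Added example (not part of the original card set) covering the FIM card (25) and this one: a minimal file integrity monitor in Python that records a SHA-256 baseline of a directory tree, then reports modified, added and deleted files, replayed on a scratch directory where a stand-in "cmd.exe" is silently replaced. The directory layout, file contents and the dropper file name are constructed for the example; a real FIM agent would also record permissions and ownership and keep its baseline off-host.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative, POSIX-style path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Report what changed since the baseline was taken."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k, h in baseline.items() if k in current and current[k] != h),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Replay the card's alert: a stand-in cmd.exe is swapped and a dropper appears, no patch involved."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32 = root / "Windows" / "System32"
        sys32.mkdir(parents=True)
        (sys32 / "cmd.exe").write_bytes(b"constructed stand-in for the real binary")
        (sys32 / "notepad.exe").write_bytes(b"constructed stand-in, left untouched")
        # A real agent keeps the baseline off-host or in a protected store; here it is plain JSON.
        baseline_json = json.dumps(build_baseline(root), sort_keys=True)

        # Unauthorized change with no patch or change record behind it (the card's scenario).
        (sys32 / "cmd.exe").write_bytes(b"constructed stand-in for the real binary + backdoor")
        (sys32 / "drvhost.tmp").write_bytes(b"constructed dropper artefact")  # invented name

        return compare_to_baseline(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: first, as the card does, correlate the alert with the patch and change records before dismissing it, since a legitimate update is the only benign reason a system binary's hash changes; second, a kernel-mode rootkit can lie to an agent running on the same host (hide files, serve the original bytes on read), so a serious FIM check runs from trusted media or an offline boot and does not trust the suspect OS to report on itself.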

49
Q

A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company’s website. The malicious actor posted an entry in an attempt to trick users into clicking the following:

https://www.c0mpt1a.com/contact-us/%3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E

Which of the following was most likely observed?

A. DLL injection
B. Session replay
C. SQLi
D. XSS

A

D. XSS
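Added example (not part of the original card set): Python that percent-decodes the posted link to recover the real query string, triages the parameter for a script payload, and shows the reflected-XSS bug beside its fix. The URL is the one from the card; the marker list and the two render functions are constructed for the example, not taken from any real site.

```python
import html
from urllib.parse import parse_qs, unquote, urlsplit

# The link from the card, copied as posted.
CARD_URL = ("https://www.c0mpt1a.com/contact-us/"
            "%3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E")

# Short constructed triage list, not a complete XSS grammar.
SUSPICIOUS_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def decode_link(url: str) -> dict:
    """Return the query parameters a server sees once the link is percent-decoded.

    The posted link hides '?', '=', '<', '>' and '/' behind %XX so it looks
    harmless in a comment; one round of decoding exposes the real query string.
    """
    decoded = unquote(url)
    return parse_qs(urlsplit(decoded).query, keep_blank_values=True)


def looks_like_xss(value: str) -> bool:
    """Cheap triage check; decode first, since payloads are often encoded more than once."""
    lowered = unquote(value).lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def render_vulnerable(name: str) -> str:
    """The bug the payload needs: untrusted input concatenated straight into HTML."""
    return f"<p>Thanks for contacting us, {name}!</p>"


def render_safe(name: str) -> str:
    """Output encoding for the HTML-body context: the browser shows the text instead of running it."""
    return f"<p>Thanks for contacting us, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    params = decode_link(CARD_URL)
    payload = params["name"][0]
    print("decoded parameter :", payload)
    print("flagged as XSS    :", looks_like_xss(payload))
    print("vulnerable output :", render_vulnerable(payload))
    print("encoded output    :", render_safe(payload))
```

The payload reads document.cookie, which is why this is a session-theft probe and not just a pop-up. Output encoding is the root fix; marking the session cookie HttpOnly (so script cannot read it) and a Content Security Policy that forbids inline script are the defence-in-depth layers that limit the damage when an encoding bug slips through.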

50
Q

A company’s Chief Information Security Officer (CISO) recently warned the security manager that the company’s Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be best for the security manager to use in a threat model?

A. Hacktivists
B. White-hat hackers
C. Script kiddies
D. Insider threats

A

A. Hacktivists

51
Q

Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?

A. GDPR
B. PCI DSS
C. ISO 27000
D. NIST 800-53

A

D. NIST 800-53

52
Q

An analyst is concerned about data leaks and wants to restrict access to internet services to authorized users only. The analyst also wants to control the actions each user can perform on each service. Which of the following would be the best technology for the analyst to consider implementing?

A. DLP
B. VPC
C. CASB
D. Content filtering

A

C. CASB

A CASB (cloud access security broker) is a security solution that provides visibility and control over the use of cloud services by employees within an organization, including per-user, per-action policies on each service.

53
Q

A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices. Which of the following is a cost-effective approach to address these concerns?

A. Enhance resiliency by adding a hardware RAID.
B. Move data to a tape library and store the tapes off-site.
C. Install a local network-attached storage.
D. Migrate to a cloud backup solution.

A

D. Migrate to a cloud backup solution.

54
Q

A security engineer needs to recommend a solution to defend against malicious actors misusing protocols and being allowed through network defenses. Which of the following will the engineer most likely recommend?

A. A content filter
B. A WAF
C. A next-generation firewall
D. An IDS

A

C. A next-generation firewall

55
Q

A company’s legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access?

A. Data masking
B. Encryption
C. Geolocation policy
D. Data sovereignty regulation

A

C. Geolocation policy

56
Q

An organization suffered numerous multiday power outages at its current location. The Chief Executive Officer wants to create a disaster recovery strategy to resolve this issue. Which of the following options offer low-cost solutions? (Choose two.)

A. Warm site
B. Generator
C. Hot site
D. Cold site
E. Cloud backups
F. UPS

A

D. Cold site
E. Cloud backups

57
Q

A security analyst discovers that one of the web APIs is being abused by an unknown third party. Logs indicate that the third party is attempting to manipulate the parameters being passed to the API endpoint. Which of the following solutions would best help to protect against the attack?

A. DLP
B. SIEM
C. NIDS
D. WAF (Web Application Firewall)

A

D. WAF (Web Application Firewall)

A Web Application Firewall (WAF) is a security solution specifically designed to protect web applications and APIs from various attacks, including those that attempt to manipulate parameters and exploit vulnerabilities in the application layer. It sits between the clients (users or third parties) and the web server, inspecting the HTTP/HTTPS traffic and filtering out malicious requests.

58
Q

An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:

  • Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
  • Internal users in question were changing their passwords frequently during that time period.
  • A jump box that several domain administrator users use to connect to remote devices was recently compromised.
  • The authentication method used in the environment is NTLM.

Which of the following types of attacks is most likely being used to gain unauthorized access?

A. Pass-the-hash
B. Brute-force
C. Directory traversal
D. Replay

A

A. Pass-the-hash

59
Q

During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will best assist the analyst?

A. A vulnerability scanner
B. A NGFW
C. The Windows Event Viewer
D. A SIEM

A

D. A SIEM

60
Q

A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?

A. Implement S/MIME to encrypt the emails at rest.
B. Enable full disk encryption on the mail servers.
C. Use digital certificates when accessing email via the web.
D. Configure web traffic to only use TLS-enabled channels.

A

A. Implement S/MIME to encrypt the emails at rest.

61
Q

A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity?

A. White
B. Purple
C. Blue
D. Red

A

D. Red

62
Q

Which of the following exercises should an organization use to improve its incident response process?

A. Tabletop
B. Replication
C. Failover
D. Recovery

A

A. Tabletop

63
Q

An attacker is attempting to harvest user credentials on a client’s website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:

The username you entered does not exist.

Which of the following should the analyst recommend be enabled?

A. Input validation
B. Obfuscation
C. Error handling
D. Username lockout

A

C. Error handling
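
The message in the question lets the attacker sort guessed usernames into "exists" and "does not exist" before any password is tried, which is why the fix is error handling rather than lockout (locking on the username hands the attacker a denial-of-service lever). What the recommendation looks like in code, as an added example that is not from the deck: the leaky login beside a hardened one that returns a single generic message and does the same amount of password-hashing work whether or not the account exists, so the timing does not leak what the text no longer does. The user store, salts and passwords are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a placeholder, tune it for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store (not from the page): username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so an unknown username costs the same PBKDF2 work as a known one;
# without it, response time would reveal account existence even with a generic message.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy-never-valid", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username: str, password: str):
    """Before: two different messages let an attacker enumerate valid usernames."""
    if username not in USERS:
        return False, "The username you entered does not exist."
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "The password you entered is incorrect."
    return True, "OK"


def login_hardened(username: str, password: str):
    """After: one generic message, and the same hashing work on every path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    digest_ok = hmac.compare_digest(_hash(password, salt), stored)
    if digest_ok and username in USERS:
        return True, "OK"
    return False, GENERIC_ERROR
```

The detailed reason for the failure still belongs in the server-side log, where the analyst can see it; only the response to the client is made uniform.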

64
Q

An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?

A. Exception
B. Segmentation
C. Risk transfer
D. Compensating controls

A

D. Compensating controls

65
Q

Which of the following describes the ability of code to target a hypervisor from inside a guest OS?

A. Fog computing
B. VM escape
C. Software-defined networking
D. Image forgery
E. Container breakout

A

B. VM escape

65
Q

A local server recently crashed and the team is attempting to restore the server from a backup. During the restore process, the team notices the file size of each daily backup is large and will run out of space at the current rate. The current solution appears to do a full backup every night.

Which of the following would use the least amount of storage space for backups?

A. A weekly, incremental backup with daily differential backups
B. A weekly, full backup with daily snapshot backups
C. A weekly, full backup with daily differential backups
D. A weekly, full backup with daily incremental backups

A

D. A weekly, full backup with daily incremental backups

66
Q

A security analyst discovers several jpg photos from a cellular phone during a forensics investigation involving a compromised system. The analyst runs a forensics tool to gather file metadata. Which of the following would be part of the images if all the metadata is still intact?

A. The GPS location
B. When the file was deleted
C. The total number of print jobs
D. The number of copies made

A

A. The GPS location

67
Q

A financial analyst is expecting an email containing sensitive information from a client. When the email arrives, the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?

A. The S/MIME plug-in is not enabled
B. The SSL certificate has expired
C. Secure IMAP was not implemented
D. POP3S is not supported

A

A. The S/MIME plug-in is not enabled

68
Q

A company develops a complex platform that is composed of a single application. After several issues with upgrades, the systems administrator recommends breaking down the application into unique, independent modules. Which of the following best identifies the systems administrator’s recommendation?

A. Virtualization
B. Serverless
C. Microservices
D. API gateway

A

C. Microservices

69
Q

A company is planning to install a guest wireless network so visitors will be able to access the internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would best protect the company’s internal wireless network against visitors accessing company resources?

A. Configure the guest wireless network to be on a separate VLAN from the company’s internal wireless network.
B. Change the password for the guest wireless network every month.
C. Decrease the power levels of the access points for the guest wireless network.
D. Enable WPA2 using 802.1X for logging on to the guest wireless network.

A

A. Configure the guest wireless network to be on a separate VLAN from the company’s internal wireless network.

70
Q

Which of the following would be the best way to block unknown programs from executing?

A. Access control list
B. Application allow list
C. Host-based firewall
D. DLP solution

A

B. Application allow list

71
Q

An organization relies on third-party videoconferencing to conduct daily business. Recent security changes now require all remote workers to utilize a VPN to corporate resources. Which of the following would best maintain high-quality videoconferencing while minimizing latency when connected to the VPN?

A. Using geographic diversity to have VPN terminators closer to end users
B. Utilizing split tunneling so only traffic for corporate resources is encrypted
C. Purchasing higher bandwidth connections to meet the increased demand
D. Configuring QoS properly on the VPN accelerators

A

B. Utilizing split tunneling so only traffic for corporate resources is encrypted

(The videoconferencing service is third-party, so forcing it through the VPN only adds a detour and latency; split tunneling sends that traffic directly to the internet while traffic for corporate resources still goes through the encrypted tunnel.)

71
Q

A security analyst is scanning a company’s public network and discovers a host is running a remote desktop that can be used to access the production network. Which of the following changes should the security analyst recommend?

A. Changing the remote desktop port to a non-standard number
B. Setting up a VPN and placing the jump server inside the firewall
C. Using a proxy for web connections from the remote desktop server
D. Connecting the remote server to the domain and increasing the password length

A

B. Setting up a VPN and placing the jump server inside the firewall

72
Q

A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security control standards. Which of the following is the most likely source of the breach?

A. Side channel
B. Supply chain
C. Cryptographic downgrade
D. Malware

A

B. Supply chain

73
Q

A company would like to provide flexibility for employees on device preference. However, the company is concerned about supporting too many different types of hardware. Which of the following deployment models will provide the needed flexibility with the greatest amount of control and security over company data and infrastructure?

A. BYOD
B. VDI
C. COPE
D. CYOD

A

D. CYOD

74
Q

Which of the following threat actors is most likely to be motivated by ideology?

A. Business competitor
B. Hacktivist
C. Criminal syndicate
D. Script kiddie
E. Disgruntled employee

A

B. Hacktivist

75
Q

A user would like to install software and features that are not available with a mobile device’s default software. Which of the following would allow the user to install unauthorized software and enable new features?

A. SQLi
B. Cross-site scripting
C. Jailbreaking
D. Side loading

A

C. Jailbreaking

76
Q

A user downloaded an extension for a browser and the user’s device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:

New-Partition -DiskNumber 2 -UseMaximumSize -DriveLetter C | Format-Volume -DriveLetter C -FileSystemLabel "New" -FileSystem NTFS -Full -Force -Confirm:$false

Which of the following is the malware using to execute the attack?

A. PowerShell
B. Python
C. Bash
D. Macros

A

A. PowerShell

77
Q

An organization recently acquired an ISO 27001 certification. Which of the following would most likely be considered a benefit of this certification?

A. It allows for the sharing of digital forensics data across organizations.
B. It provides insurance in case of a data breach
C. It provides complimentary training and certification resources to IT security staff
D. It certifies the organization can work with foreign entities that require a security clearance
E. It assures customers that the organization meets security standards

A

E. It assures customers that the organization meets security standards

78
Q

A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:

http://comptia.org/../../../etc/passwd

Which of the following types of attacks is being attempted and how can it be mitigated?

A. XSS; implement a SIEM
B. CSRF; implement an IPS
C. Directory traversal; implement a WAF
D. SQL injection; implement an IDS

A

C. Directory traversal; implement a WAF

(The repeated ../ sequences climb out of the web root toward /etc/passwd, which is directory traversal, not SQL injection; a WAF inspects request paths and can block traversal sequences, including URL-encoded ones, before they reach the server.)
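
Two sides of this card are worth seeing in code, as an added example that is not part of the original deck: the detection a WAF or log-review rule performs, which has to decode percent-encoding (including double-encoding) before it looks for `..` segments, and the server-side fix, which resolves the requested path under the document root and refuses anything that escapes it. The sample log lines are constructed; the third one carries the page's own pattern.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the page); the third carries the
# page's own pattern, the last two hide it behind single and double URL-encoding.
SAMPLE_LOG = [
    "GET /images/logo.png HTTP/1.1 200",
    "GET /static/css/site.css HTTP/1.1 200",
    "GET /../../../etc/passwd HTTP/1.1 404",
    "GET /download?file=..%2F..%2Fetc%2Fshadow HTTP/1.1 200",
    "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1 200",
]


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(request_target: str) -> bool:
    """True if the path or any query value contains a '..' segment after decoding."""
    parts = urlsplit(request_target)
    candidates = [parts.path]
    for pair in parts.query.split("&"):
        if pair:
            candidates.append(pair.partition("=")[2] or pair)
    for c in candidates:
        segments = fully_decode(c).replace("\\", "/").split("/")
        if ".." in segments:
            return True
    return False


def flag_traversal(log_lines):
    """Indices of log lines whose request target attempts traversal (a WAF-style rule)."""
    return [i for i, line in enumerate(log_lines) if is_traversal(line.split()[1])]


def safe_join(base_dir: str, user_path: str) -> str:
    """Server-side fix: resolve user_path under base_dir and refuse anything that escapes."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, fully_decode(user_path).lstrip("/")))
    if target != base and not target.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {user_path!r}")
    return target


if __name__ == "__main__":
    print(flag_traversal(SAMPLE_LOG))
```

A 404 on the bare `../../../etc/passwd` request (most servers normalise it away) does not mean the encoded variants against the download handler also failed, which is why the rule decodes query values too.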

79
Q

A security professional wants to enhance the protection of a critical environment that is used to store and manage a company’s encryption keys. The selected technology should be tamper resistant. Which of the following should the security professional implement to achieve the goal?

A. DLP
B. HSM
C. CA
D. FIM

A

B. HSM

80
Q

Which of the following is the correct order of volatility from most to least volatile?

A. Memory, temporary filesystems, routing tables, disk, network storage
B. Cache memory, temporary filesystems, disk, archival media
C. Memory, disk temporary filesystems, cache, archival media
D. Cache, disk, temporary filesystems, network storage, archival media

A

B. Cache memory, temporary filesystems, disk, archival media

81
Q

A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO’s report?

A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime

A

D. Organized crime

82
Q

Which of the following agreements defines response time, escalation points, and performance metrics?

A. BPA
B. MOA
C. NDA
D. SLA

A

D. SLA

83
Q

A bakery has a secret recipe that it wants to protect. Which of the following objectives should be added to the company’s security awareness training?

A. Insider threat detection
B. Risk analysis
C. Phishing awareness
D. Business continuity planning

A

A. Insider threat detection

84
Q

Which of the following must be considered when designing a high-availability network? (Choose two.)

A. Ease of recovery
B. Ability to patch
C. Physical isolation
D. Responsiveness
E. Attack surface
F. Extensible authentication

A

A. Ease of recovery
D. Responsiveness

85
Q

Which of the following strategies shifts risks that are not covered in an organization’s risk strategy?

A. Risk transference
B. Risk avoidance
C. Risk mitigation
D. Risk acceptance

A

A. Risk transference

86
Q

A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the best remediation to prevent this vulnerability?

A. Implement input validations
B. Deploy MFA
C. Utilize a WAF
D. Configure HIPS

A

A. Implement input validations
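
Input validation beats a WAF or HIPS here because it removes the flaw instead of filtering around it. What that looks like for a web form that takes a host to ping, as an added example that is not from the deck: the "before" splices the raw field into a shell line, so a value such as `8.8.8.8; cat /etc/passwd` runs a second command; the "after" accepts only an IP address or a well-formed hostname and builds an argv list so no shell ever parses the value. The hostname grammar follows the usual DNS label rules; the function and field names are chosen for the example.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(?:\.{_LABEL})*$")


def validate_host(value: str) -> str:
    """Allowlist validation: the form field must be an IP address or a hostname.
    Anything else (shell metacharacters, spaces, a leading '-') is rejected."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"rejected host input: {value!r}")


def is_valid_host(value: str) -> bool:
    """Boolean wrapper around validate_host for callers that prefer a flag."""
    try:
        validate_host(value)
        return True
    except ValueError:
        return False


def ping_command_vulnerable(host: str):
    """Before: the raw field becomes part of a shell command line, so the shell
    will happily execute whatever follows a ';' or lives inside $( )."""
    return ["/bin/sh", "-c", f"ping -c 1 {host}"]


def ping_command_hardened(host: str):
    """After: validate first, then pass argv so no shell interprets the value.
    The regex also rejects a leading '-', so the value cannot become a ping option."""
    return ["ping", "-c", "1", validate_host(host)]
```

Pass the hardened list to `subprocess.run(...)` without `shell=True`; the validation and the argv form are a pair, and either one alone leaves a gap (argv without validation still allows option injection, validation without argv still trusts a shell).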

87
Q

A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes. Which of the following should the administrator set up to achieve this goal?

A. SPF
B. GPO
C. NAC
D. FIM

A

D. FIM

88
Q

An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the best course of action for the analyst to take?

A. Apply a DLP solution
B. Implement network segmentation
C. Utilize email content filtering.
D. Isolate the infected attachment

A

B. Implement network segmentation

89
Q

Sales team members have been receiving threatening voicemail messages and have reported these incidents to the IT security team. Which of the following would be MOST appropriate for the IT security team to analyze?

A. Access control
B. Syslog
C. Session Initiation Protocol traffic logs
D. Application logs

A

C. Session Initiation Protocol traffic logs

90
Q

A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of the following solutions should the engineer implement FIRST? (Choose two.)

A. Auto-update
B. HTTP headers
C. Secure cookies
D. Third-party updates
E. Full disk encryption
F. Sandboxing
G. Hardware encryption

A

B. HTTP headers
C. Secure cookies
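
Both chosen items are checked in the same place, the HTTP response. A small audit of that response, as an added example that is not part of the original deck: it lists the hardening headers that are missing or weak and every `Set-Cookie` that lacks `Secure`, `HttpOnly` or `SameSite`. The two sample responses and the set of headers treated as required are constructed for the example; a real baseline would be taken from the organization's own standard.

```python
# Headers a hardened web response should carry, with a minimal sanity check on each value.
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: "default-src" in v.lower(),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}
REQUIRED_COOKIE_FLAGS = ("secure", "httponly", "samesite")

# Constructed sample responses (not from the page) as (name, value) pairs,
# a list rather than a dict because Set-Cookie may appear more than once.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]


def audit_response(headers):
    """Return a list of findings for the given response headers; empty means clean."""
    findings = []
    plain = {name.lower(): value for name, value in headers if name.lower() != "set-cookie"}
    for name, check in REQUIRED_HEADERS.items():
        value = plain.get(name.lower())
        if value is None:
            findings.append(f"missing header: {name}")
        elif not check(value):
            findings.append(f"weak header: {name}: {value}")

    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive; keep only their names.
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for flag in REQUIRED_COOKIE_FLAGS:
            if flag not in attrs:
                findings.append(f"cookie {cookie_name} lacks {flag}")
    return findings


if __name__ == "__main__":
    for line in audit_response(WEAK_RESPONSE):
        print(line)
```

Run against a captured response from a proxy or `curl -I`, the output is the hardening backlog for that endpoint, which is why these two items come first: they are cheap, visible, and verifiable from the outside.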

91
Q

Which of the following authentication methods is considered to be the LEAST secure?

A. TOTP
B. SMS
C. HOTP
D. Token key

A

B. SMS

92
Q

Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day-to-day work activities?

A. Encrypted
B. Intellectual property
C. Critical
D. Data in transit

A

B. Intellectual property

93
Q

An audit report indicates multiple suspicious attempts to access company resources were made. These attempts were not detected by the company. Which of the following would be the best solution to implement on the company’s network?

A. Intrusion prevention system
B. Proxy server
C. Jump server
D. Security zones

A

A. Intrusion prevention system

94
Q

An administrator identifies some locations on the third floor of the building that have a poor wireless signal. Multiple users confirm the incident and report it is not an isolated event. Which of the following should the administrator use to find the areas with a poor or non-existent wireless signal?

A. Heat map
B. Input validation
C. Site survey
D. Embedded systems

A

C. Site survey