501-525 Flashcards

1
Q

A government organization is developing an advanced AI defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected progress of the AI learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system?

A. Improper algorithms security
B. Tainted training data
C. Fileless virus
D. Cryptomalware

A

B. Tainted training data

2
Q

A company’s help desk has received calls about the wireless network being down and users being unable to connect to it. The network administrator says all access points are up and running. One of the help desk technicians notices the affected users are working in a building near the parking lot. Which of the following is the most likely reason for the outage?

A. Someone near the building is jamming the signal.
B. A user has set up a rogue access point near the building.
C. Someone set up an evil twin access point in the affected area.
D. The APs in the affected area have been unplugged from the network.

A

A. Someone near the building is jamming the signal.

3
Q

Which of the following can best protect against an employee inadvertently installing malware on a company system?

A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list

A

D. Application allow list

4
Q

An information security officer at a credit card transaction company is conducting a framework-mapping exercise with the internal controls. The company recently established a new office in Europe. To which of the following frameworks should the security officer map the existing controls? (Choose two.)

A. ISO
B. PCI DSS
C. SOC
D. GDPR
E. CSA
F. NIST

A

B. PCI DSS
D. GDPR

5
Q

A customer called a company’s security team to report that all invoices the customer has received over the last five days from the company appear to have fraudulent banking details. An investigation into the matter reveals the following:

  • The manager of the accounts payable department is using the same password across multiple external websites and the corporate account.
  • One of the websites the manager used recently experienced a data breach.
  • The manager’s corporate email account was successfully accessed in the last five days by an IP address located in a foreign country.

Which of the following attacks has most likely been used to compromise the manager’s corporate account?

A. Remote access Trojan
B. Brute-force
C. Dictionary
D. Credential stuffing
E. Password spraying

A

D. Credential stuffing

6
Q

An organization’s corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space. Which of the following will the organization most likely consult?

A. The business continuity plan
B. The risk management plan
C. The communication plan
D. The incident response plan

A

A. The business continuity plan

7
Q

Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing packet capture logs, the analysts notice the following:

username: ….smithJA…..
Password: 944d3697d880ed401b5ba2c77811

Which of the following occurred?

A. A buffer overflow was exploited to gain unauthorized access.
B. The user’s account was compromised, and an attacker changed the login credentials.
C. An attacker used a pass-the-hash attack to gain access.
D. An insider threat with username smithJA logged in to the account.

A

C. An attacker used a pass-the-hash attack to gain access.

8
Q

A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team’s process. Which of the following is the analyst most likely participating in?

A. MITRE ATT&CK
B. Walk-through
C. Red team
D. Purple team
E. TAXII

A

A. MITRE ATT&CK

9
Q

A network manager wants to protect the company’s VPN by multifactor authentication that uses:

  • Something you know
  • Something you have
  • Somewhere you are

Which of the following would accomplish the manager’s goal?

A. Domain name, PKI, GeoIP lookup
B. VPN IP address, company ID, partner site
C. Password, authentication token, thumbprint
D. Company URL, TLS certificate, home address

A

C. Password, authentication token, thumbprint

10
Q

Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor?

A. A right-to-audit clause allowing for annual security audits
B. Requirements for event logs to be kept for a minimum of 30 days
C. Integration of threat intelligence in the company’s AV
D. A data-breach clause requiring disclosure of significant data loss

A

A. A right-to-audit clause allowing for annual security audits

11
Q

Which of the following cloud models provides clients with servers, storage, and networks but nothing else?

A. SaaS
B. PaaS
C. IaaS
D. DaaS

A

C. IaaS

12
Q

A marketing coordinator is trying to access a social media application on a company laptop but is getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the following documents should a security analyst review to determine whether accessing social media applications on a company device is permitted?

A. Incident response policy
B. Business continuity policy
C. Change management policy
D. Acceptable use policy

A

D. Acceptable use policy

13
Q

Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process?

A. Data breach notification
B. Accountability
C. Legal hold
D. Chain of custody

A

C. Legal hold

14
Q

A company wants to deploy decoy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following best describes these systems?

A. DNS sinkholes
B. Honeypots
C. Virtual machines
D. Neural networks

A

B. Honeypots

15
Q

A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?

A. The GPO prevents the use of flash drives, which triggers a false positive AV indication and restricts the drives to only 512KB of storage.
B. The new flash drives need a driver that is being blocked by the AV software because the flash drives are not on the application’s allow list, temporarily restricting the drives to 512KB of storage.
C. The new flash drives are incorrectly partitioned, and the systems are automatically trying to use an unapproved application to repartition the drives.
D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

A

D. The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.

16
Q

A company has installed badge readers for building access but is finding unauthorized individuals roaming the hallways. Which of the following is the most likely cause?

A. Shoulder surfing
B. Phishing
C. Tailgating
D. Identity fraud

A

C. Tailgating

17
Q

An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?

A. The DLP appliance should be integrated into a NGFW.
B. Split-tunnel connections can negatively impact the DLP appliance’s performance.
C. Encrypted VPN traffic will not be inspected when entering or leaving the network.
D. Adding two hops in the VPN tunnel may slow down remote connections.

A

C. Encrypted VPN traffic will not be inspected when entering or leaving the network.

18
Q

Which of the following is the best method for ensuring non-repudiation?

A. SSO
B. Digital certificate
C. Token
D. SSH key

A

B. Digital certificate

19
Q

Which of the following methods is the most effective for reducing vulnerabilities?

A. Joining an information-sharing organization
B. Using a scan-patch-scan process
C. Implementing a bug bounty program
D. Patching low-scoring vulnerabilities first

A

B. Using a scan-patch-scan process

20
Q

An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic. Which of the following will help achieve these objectives?

A. Deploying a SASE solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators

A

A. Deploying a SASE solution to remote employees

21
Q

Which of the following is the best reason to complete an audit in a banking environment?

A. Regulatory requirement
B. Organizational change
C. Self-assessment requirement
D. Service-level requirement

A

A. Regulatory requirement

22
Q

After a recent ransomware attack on a company’s system, an administrator reviewed the log files. Which of the following control types did the administrator use?

A. Compensating
B. Detective
C. Preventive
D. Corrective

A

B. Detective

23
Q

A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first?

A. Air gap the system.
B. Move the system to a different network segment.
C. Create a change control request.
D. Apply the patch to the system.

A

C. Create a change control request.

24
Q

A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?

A. Evil twin
B. Jamming
C. DNS poisoning
D. Bluesnarfing
E. DDoS

A

A. Evil twin

25
Q

Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review. The security analyst reviews the following metrics:

Accounting PC 22% 48% 12 66
HR-PC 35% 55% 15 57
IT-PC 78% 98% 25 92
Sales-PC 28% 50% 20 56
Manager-PC 21% 44% 18 49

Which of the following is most likely the result of the security analyst’s review?

A. The ISP is dropping outbound connections.
B. The user of the Sales-PC fell for a phishing attack.
C. Corporate PCs have been turned into a botnet.
D. An on-path attack is taking place between PCs and the router.

A

C. Corporate PCs have been turned into a botnet.