All questions Flashcards

1
Q
246. An email recipient is unable to open a message encrypted through PKI that 
was sent from another organization.
Which of the following does the recipient need to decrypt the message?
• A. The sender's private key
• B. The recipient's private key
• C. The recipient's public key
• D. The CA's root certificate
• E. The sender's public key
• F. An updated CRL
A

Correct Answer: E

2
Q
245. A security administrator found the following piece of code referenced on a
domain controller's task scheduler:
$var = GetDomainAdmins
If $var != "fabio"
SetDomainAdmins = NULL
With which of the following types of malware is the code associated?
• A. RAT
• B. Backdoor
• C. Logic bomb
• D. Crypto-malware
A

Correct Answer: C

3
Q
Which of the following is the proper use of a Faraday cage?
• A. To block electronic signals sent to erase a cell phone
• B. To capture packets sent to a honeypot during an attack
• C. To protect hard disks from access during a forensics investigation
• D. To restrict access to a building allowing only one person to enter at a time
A

Correct Answer: A

4
Q
In highly secure environments where the risk of malicious actors attempting
to steal data is high, which of the following is the BEST reason to deploy Faraday
cages?
• A. To provide emanation control to prevent credential harvesting
• B. To minimize signal attenuation over distances to maximize signal strength
• C. To minimize external RF interference with embedded processors
• D. To protect the integrity of audit logs from malicious alteration
A

Correct Answer: C

5
Q
A security professional wants to test a piece of malware that was isolated on
a user’s computer to document its effect on a system.
Which of the following is the FIRST step the security professional should take?
• A. Create a sandbox on the machine.
• B. Open the file and run it.
• C. Create a secure baseline of the system state.
• D. Harden the machine.
A

Correct Answer: C

6
Q
The exploitation of a buffer-overrun vulnerability in an application will MOST
likely lead to:
• A. arbitrary code execution.
• B. resource exhaustion.
• C. exposure of authentication credentials.
• D. dereferencing of memory pointers.
A

Correct Answer: A

7
Q
240. Using a one-time code that has been texted to a smartphone is an example 
of:
• A. something you have.
• B. something you know.
• C. something you do.
• D. something you are.
A

Correct Answer: A

8
Q
Which of the following BEST explains the difference between a credentialed
scan and a non-credentialed scan?
• A. A credentialed scan sees devices in the network, including those behind NAT, while
a non-credentialed scan sees outward-facing applications.
• B. A credentialed scan will not show up in system logs because the scan is running with
the necessary authorization, while non-credentialed scan activity will appear in the logs.
• C. A credentialed scan generates significantly more false positives, while a
non-credentialed scan generates fewer false positives.
• D. A credentialed scan sees the system the way an authorized user sees the system,
while a non-credentialed scan sees the system as a guest.
A

Correct Answer: D

9
Q
A first responder needs to collect digital evidence from a compromised
headless virtual host.
Which of the following should the first responder collect FIRST?
• A. Virtual memory
• B. BIOS configuration
• C. Snapshot
• D. RAM
A

Correct Answer: C

10
Q
An organization wants to set up a wireless network in the most secure way.
Budget is not a major consideration, and the organization is willing to accept
some complexity when clients are connecting. It is also willing to deny wireless
connectivity for clients who cannot be connected in the most secure manner.
Which of the following would be the MOST secure setup that conforms to the
organization’s requirements?
• A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients.
• B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with
port security.
• C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys.
• D. Use WPA2-PSK with a 24-character complex password and change the password
monthly.

A

Correct Answer: C

11
Q
Which of the following serves to warn users against downloading and
installing pirated software on company devices?
• A. AUP
• B. NDA
• C. ISA
• D. BPA
A

Correct Answer: A

12
Q
A security analyst is investigating a call from a user regarding one of the
websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an
command to discover if the web server is up and listening. The analyst receives
the following output:
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
Which of the following types of attack is the analyst seeing?
• A. Buffer overflow
• B. Domain hijacking
• C. Denial of service
• D. ARP poisoning
A

Correct Answer: C

13
Q
Which of the following documents would provide specific guidance
regarding ports and protocols that should be disabled on an operating system?
• A. Regulatory requirements
• B. Secure configuration guide
• C. Application installation guides
• D. User manuals
A

Correct Answer: B

14
Q
A security engineer is analyzing the following line of JavaScript code that
was found in a comment field on a web forum, which was recently involved in a
security breach:
Given the line of code above, which of the following BEST represents the attack
performed during the breach?
• A. CSRF
• B. DDoS
• C. DoS
• D. XSS
A

Correct Answer: D

15
Q
An organization is concerned about video emissions from users’ desktops.
Which of the following is the BEST solution to implement?
• A. Screen filters
• B. Shielded cables
• C. Spectrum analyzers
• D. Infrared detection
A

Correct Answer: A

16
Q
Which of the following BEST distinguishes Agile development from other
methodologies in terms of vulnerability management?
• A. Cross-functional teams
• B. Rapid deployments
• C. Daily standups
• D. Peer review
• E. Creating user stories
A

Correct Answer: C

17
Q
A systems administrator is receiving multiple alerts from the company NIPS.
A review of the NIPS logs shows the following:
reset both: 70.32.200.2:3194 -> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 -> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 -> 10.4.100.4:80 Blind SQL injection attack
Which of the following should the systems administrator report back to
management?
• A. The company web server was attacked by an external source, and the NIPS blocked
the attack.
• B. The company web and SQL servers suffered a DoS caused by a misconfiguration of
the NIPS.
• C. An external attacker was able to compromise the SQL server using a vulnerable web
application.
• D. The NIPS should move from an inline mode to an out-of-band mode to reduce
network latency.
A

Correct Answer: A

18
Q
A contracting company recently completed its period of performance on a
government contract and would like to destroy all information associated with
contract performance.
Which of the following is the best NEXT step for the company to take?
• A. Consult data disposition policies in the contract.
• B. Use a pulper or pulverizer for data destruction.
• C. Retain the data for a period no more than one year.
• D. Burn hard copies containing PII or PHI.
A

Correct Answer: A

19
Q
A security analyst is interested in setting up an IDS to monitor the company
network. The analyst has been told there can be no network downtime to
implement the solution, but the IDS must capture all of the network traffic.
Which of the following should be used for the IDS implementation?
• A. Network tap
• B. Honeypot
• C. Aggregation
• D. Port mirror
A

Correct Answer: A

20
Q
A company employee recently retired, and there was a schedule delay
because no one was capable of filling the employee’s position.
Which of the following practices would BEST help to prevent this situation in the
future?
• A. Mandatory vacation
• B. Separation of duties
• C. Job rotation
• D. Exit interviews
A

Correct Answer: C

21
Q
After discovering a security incident and removing the affected files, an
administrator disabled an unneeded service that led to the breach.
Which of the following steps in the incident response process has the
administrator just completed?
• A. Containment
• B. Eradication
• C. Recovery
• D. Identification
A

Correct Answer: B

22
Q
225. Which of the following is the MOST likely motivation for a script kiddie threat 
actor?
• A. Financial gain
• B. Notoriety
• C. Political expression
• D. Corporate espionage
A

Correct Answer: B

23
Q
An administrator is disposing of media that contains sensitive information.
Which of the following will provide the MOST effective method to dispose of the
media while ensuring the data will be unrecoverable?
• A. Wipe the hard drive.
• B. Shred the hard drive.
• C. Sanitize all of the data.
• D. Degauss the hard drive.
A

Correct Answer: B

24
Q
An organization is building a new customer services team, and the manager
needs to keep the team focused on customer issues and minimize distractions.
The users have a specific set of tools installed, which they must use to perform
their duties. Other tools are not permitted for compliance and tracking purposes.
Team members have access to the Internet for product lookups and to research
customer issues.
Which of the following should a security engineer employ to fulfill the
requirements for the manager?
• A. Install a web application firewall.
• B. Install HIPS on the team’s workstations.
• C. Implement containerization on the workstations.
• D. Configure whitelisting for the team.
A

Correct Answer: C

25
Q
A technician is required to configure updates on a guest operating system
while maintaining the ability to quickly revert the changes that were made while
testing the updates.
Which of the following should the technician implement?
• A. Snapshots
• B. Revert to known state
• C. Rollback to known configuration
• D. Shadow copy
A

Correct Answer: A

26
Q
While monitoring the SIEM, a security analyst observes traffic from an
external IP to an IP address of the business network on port 443.
Which of the following protocols would MOST likely cause this traffic?
• A. HTTP
• B. SSH
• C. SSL
• D. DNS
A

Correct Answer: C

27
Q
During a security audit of a company’s network, unsecure protocols were
found to be in use. A network administrator wants to ensure browser-based
access to company switches is using the most secure protocol.
Which of the following protocols should be implemented?
• A. SSH2
• B. TLS1.2
• C. SSL1.3
• D. SNMPv3
A

Correct Answer: B

28
Q
An organization’s IRP prioritizes containment over eradication. An incident
has been discovered where an attacker outside of the organization has installed
cryptocurrency mining software on the organization’s web servers.
Given the organization’s stated priorities, which of the following would be the
NEXT step?
• A. Remove the affected servers from the network.
• B. Review firewall and IDS logs to identify possible source IPs.
• C. Identify and apply any missing operating system and software patches.
• D. Delete the malicious software and determine if the servers must be reimaged.
A

Correct Answer: B

29
Q
An attacker has obtained the user ID and password of a datacenter’s backup
operator and has gained access to a production system.
Which of the following would be the attacker’s NEXT action?
• A. Perform a passive reconnaissance of the network.
• B. Initiate a confidential data exfiltration process.
• C. Look for known vulnerabilities to escalate privileges.
• D. Create an alternate user ID to maintain persistent access.
A

Correct Answer: B

30
Q
A company recently installed fingerprint scanners at all entrances to
increase the facility’s security. The scanners were installed on Monday morning,
and by the end of the week it was determined that 1.5% of valid users were denied
entry.
Which of the following measurements do these users fall under?
• A. FRR
• B. FAR
• C. CER
• D. SLA
A

Correct Answer: A

31
Q
Which of the following represents a multifactor authentication system?
• A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness
detection.
• B. A secret passcode that prompts the user to enter a secret key if entered correctly.
• C. A digital certificate on a physical token that is unlocked with a secret passcode.
• D. A one-time password token combined with a proximity badge.

A

Correct Answer: C

32
Q
An organization’s policy requires users to create passwords with an
uppercase letter, lowercase letter, number, and symbol. This policy is enforced
with technical controls, which also prevent users from using any of their
previous 12 passwords. The organization does not use single sign-on, nor does it
centralize storage of passwords.
The incident response team recently discovered that passwords for one system
were compromised. Passwords for a completely separate system have NOT been
compromised, but unusual login activity has been detected for that separate
system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?
• A. Some users are meeting password complexity requirements but not password length
requirements.
• B. The password history enforcement is insufficient, and old passwords are still valid
across many different systems.
• C. Some users are reusing passwords, and some of the compromised passwords are
valid on multiple systems.
• D. The compromised password file has been brute-force hacked, and the complexity
requirements are not adequate to mitigate this risk.
A

Correct Answer: D

33
Q
A healthcare company is revamping its IT strategy in light of recent
regulations. The company is concerned about compliance and wants to use a
pay-per-use model.
Which of the following is the BEST solution?
• A. On-premises hosting
• B. Community cloud
• C. Hosted infrastructure
• D. Public SaaS
A

Correct Answer: D

34
Q
The Chief Information Officer (CIO) has determined the company’s new PKI
will not use OCSP. The purpose of OCSP still needs to be addressed.
Which of the following should be implemented?
• A. Build an online intermediate CA.
• B. Implement a key escrow.
• C. Implement stapling.
• D. Install a CRL.
A

Correct Answer: D

35
Q
Which of the following is a security consideration for IoT devices?
• A. IoT devices have built-in accounts that users rarely access.
• B. IoT devices have less processing capabilities.
• C. IoT devices are physically segmented from each other.
• D. IoT devices have purpose-built applications.
A

Correct Answer: A

36
Q
An organization needs to integrate with a third-party cloud application. The
organization has 15000 users and does not want to allow the cloud provider to
query its LDAP authentication server directly.
Which of the following is the BEST way for the organization to integrate with the
cloud application?
• A. Upload a separate list of users and passwords with a batch import.
• B. Distribute hardware tokens to the users for authentication to the cloud.
• C. Implement SAML with the organization’s server acting as the identity provider.
• D. Configure a RADIUS federation between the organization and the cloud provider.
A

D. Configure a RADIUS federation between the organization and the cloud provider

37
Q
An attacker has gathered information about a company employee by
obtaining publicly available information from the Internet and social networks.
Which of the following types of activity is the attacker performing?
• A. Pivoting
• B. Exfiltration of data
• C. Social engineering
• D. Passive reconnaissance
A

D. Passive reconnaissance

38
Q
A company is examining possible locations for a hot site.
Which of the following considerations is of MOST concern if the replication
technology being used is highly sensitive to network latency?
• A. Connection to multiple power substations
• B. Location proximity to the production site
• C. Ability to create separate caged space
• D. Positioning of the site across international borders
A

Correct Answer: B

39
Q
A government organization recently contacted three different vendors to
obtain cost quotes for a desktop PC refresh. The quote from one of the vendors
was significantly lower than the other two and was selected for the purchase.
When the PCs arrived, a technician determined some NICs had been tampered
with.
Which of the following MOST accurately describes the security risk presented in
this situation?
• A. Hardware root of trust
• B. UEFI
• C. Supply chain
• D. TPM
• E. Crypto-malware
• F. ARP poisoning
A

Correct Answer: C

40
Q
A company is experiencing an increasing number of systems that are
locking up on Windows startup. The security analyst clones a machine, enters
into safe mode, and discovers a file in the startup process that runs Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system’s issues, which of the following types of
malware is present?
• A. Rootkit
• B. Logic bomb
• C. Worm
• D. Virus
A

Correct Answer: B

41
Q
A Chief Information Security Officer (CISO) for a school district wants to
enable SSL to protect all of the public-facing servers in the domain.
Which of the following is a secure solution that is the MOST cost effective?
• A. Create and install a self-signed certificate on each of the servers in the domain.
• B. Purchase a load balancer and install a single certificate on the load balancer.
• C. Purchase a wildcard certificate and implement it on every server.
• D. Purchase individual certificates and apply them to the individual servers.
A

A. Create and install a self-signed certificate on each of the servers in the domain.

42
Q
The president of a company that specializes in military contracts receives a
request for an interview. During the interview, the reporter seems more interested
in discussing the president’s family life and personal history than the details of a
recent company success.
Which of the following security concerns is this MOST likely an example of?
• A. Insider threat
• B. Social engineering
• C. Passive reconnaissance
• D. Phishing
A

Correct Answer: B

43
Q
A company moved into a new building next to a sugar mill. Cracks have been
discovered in the walls of the server room, which is located on the same side as
the sugar mill loading docks. The cracks are believed to have been caused by
heavy trucks. Moisture has begun to seep into the server room, causing extreme
humidification problems and equipment failure.
Which of the following BEST describes the type of threat the organization faces?
• A. Foundational
• B. Man-made
• C. Environmental
• D. Natural
A

Correct Answer: A

44
Q
A security analyst wishes to scan the network to view potentially vulnerable
systems the way an attacker would.
Which of the following would BEST enable the analyst to complete the objective?
• A. Perform a non-credentialed scan.
• B. Conduct an intrusive scan.
• C. Attempt escalation of privilege.
• D. Execute a credentialed scan.
A

Correct Answer: A

45
Q
Which of the following is an example of federated access management?
• A. Windows passing user credentials on a peer-to-peer network
• B. Applying a new user account with a complex password
• C. Implementing a AAA framework for network access
• D. Using a popular website login to provide access to another website
A

Correct Answer: D

46
Q
201. Which of the following is unique to a stream cipher?
• A. It encrypts 128 bytes at a time.
• B. It uses AES encryption.
• C. It performs bit-level encryption.
• D. It is used in HTTPS.
A

Correct Answer: C

47
Q
A systems developer needs to provide a machine-to-machine interface
between an application and a database server in the production environment.
This interface will exchange data once per day.
Which of the following access control account practices would BEST be used in
this situation?
• A. Establish a privileged interface group and apply read-write permission to the
members of that group.
• B. Submit a request for account privilege escalation when the data needs to be
transferred.
• C. Install the application and database on the same server and add the interface to the
local administrator group.
• D. Use a service account and prohibit users from accessing this account for
development work.
A

D. Use a service account and prohibit users from accessing this account for
development work

48
Q
199. A security administrator needs to conduct a full inventory of all encryption 
protocols and cipher suites.
Which of the following tools will the security administrator use to conduct this 
inventory MOST efficiently?
• A. tcpdump
• B. Protocol analyzer
• C. Netstat
• D. Nmap
A

D. Nmap

49
Q
198. Which of the following command line tools would be BEST to identify the 
services running in a server?
• A. traceroute
• B. nslookup
• C. ipconfig
• D. netstat
A

D. netstat

50
Q
A security administrator is investigating a possible account compromise.
The administrator logs onto a desktop computer, executes the command
notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following:
Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r
https://www.portal.com\rjohnuser\rilovemycat2
Given the above output, which of the following is the MOST likely cause of this
compromise?
• A. Virus
• B. Worm
• C. Rootkit
• D. Keylogger
A

D. Keylogger

51
Q
196. Which of the following is MOST likely caused by improper input handling?
• A. Loss of database tables
• B. Untrusted certificate warning
• C. Power off reboot loop
• D. Breach of firewall ACLs
A

A. Loss of database tables

52
Q
195. A penetration tester is checking to see if an internal system is vulnerable to 
an attack using a remote listener.
Which of the following commands should the penetration tester use to verify if 
this vulnerability exists? (Choose two.)
• A. tcpdump
• B. nc
• C. nmap
• D. nslookup
• E. tail
• F. tracert
A

Correct Answer: BC

53
Q
A company recently implemented a new security system. In the course of
configuration, the security administrator adds the following entry:
#Whitelist
USB\VID_13FE&PID_4127&REV_0100
Which of the following security technologies is MOST likely being configured?
• A. Application whitelisting
• B. HIDS
• C. Data execution prevention
• D. Removable media control
A

D. Removable media control

54
Q
A Chief Information Officer (CIO) is concerned that encryption keys might be
exfiltrated by a contractor. The CIO wants to keep control over key visibility and
management.
Which of the following would be the BEST solution for the CIO to implement?
• A. HSM
• B. CA
• C. SSH
• D. SSL
A

A. HSM

55
Q
192. Which of the following provides PFS?
• A. AES
• B. RC4
• C. DHE
• D. HMAC
A

C. DHE

56
Q
A security administrator is investigating a report that a user is receiving
suspicious emails. The user’s machine has an old functioning modem installed.
Which of the following security concerns need to be identified and mitigated?
(Choose two.)
• A. Vishing
• B. Whaling
• C. Spear phishing
• D. Pharming
• E. War dialing
• F. Hoaxing
A

Correct Answer: EF

57
Q
A technician, who is managing a secure B2B connection, noticed the
connection broke last night. All networking equipment and media are functioning
as expected, which leads the technician to question certain PKI components.
Which of the following should the technician use to validate this assumption?
(Choose two.)
• A. PEM
• B. CER
• C. SCEP
• D. CRL
• E. OCSP
• F. PFX
A

Correct Answer: DE

CRL and OCSP

58
Q
A state-sponsored threat actor has launched several successful attacks
against a corporate network. Although the target has a robust patch management
program in place, the attacks continue in depth and scope, and the security
department has no idea how the attacks are able to gain access. Given that patch
management and vulnerability scanners are being used, which of the following
would be used to analyze the attack methodology?
• A. Rogue system detection
• B. Honeypots
• C. Next-generation firewall
• D. Penetration test
A

B. Honeypots

59
Q
An organization wishes to allow its users to select devices for business use
but does not want to overwhelm the service desk with requests for too many
different device types and models.
Which of the following deployment models should the organization use to BEST
meet these requirements?
• A. VDI environment
• B. CYOD model
• C. DAC mode
• D. BYOD model
A

B. CYOD model

choose your own device

60
Q
187. Given the information below:
MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883
[1]
Which of the following concepts are described above? (Choose two.)
• A. Salting
• B. Collision
• C. Steganography
• D. Hashing
• E. Key stretching
A

B. Collision

D. Hashing

61
Q
A security administrator receives alerts from the perimeter UTM. Upon
checking the logs, the administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator
finds the following information:
<script>alert("Click here for important information regarding your account!
http://externalip.com/account.php");</script>
Which of the following actions should the security administrator take?
• A. Upload the PCAP to the IDS in order to generate a blocking signature to block the
traffic.
• B. Manually copy the data from the PCAP file and generate a blocking
signature in the HIDS to block the traffic for future events.
• C. Implement a host-based firewall rule to block future events of this type from
occurring.
• D. Submit a change request to modify the XSS vulnerability signature to TCP reset on
future attempts.
A

B. Manually copy the data from the PCAP file and generate a blocking
signature in the HIDS to block the traffic for future events.

62
Q
A systems administrator has installed a new UTM that is capable of
inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic
coming from the Internet and terminating on the company’s secure web servers
must be inspected.
Which of the following configurations would BEST support this requirement?
• A. The web servers’ CA full certificate chain must be installed on the UTM.
• B. The UTM certificate pair must be installed on the web servers.
• C. The web servers’ private certificate must be installed on the UTM.
• D. The UTM and web servers must use the same certificate authority.
A

C. The web servers’ private certificate must be installed on the UTM - to inspect inbound TLS the UTM has to decrypt sessions addressed to the company’s own servers, which requires those servers’ certificates and private keys (or the UTM terminating TLS in their place); installing only the CA chain (A) lets the UTM validate certificates, not decrypt traffic.

63
Q
  1. A preventive control differs from a compensating control in that a preventive
    control is:
    • A. put in place to mitigate a weakness in a user control.
    • B. deployed to supplement an existing control that is EOL.
    • C. relied on to address gaps in the existing control structure.
    • D. designed to specifically mitigate a risk.
A

D. designed to specifically mitigate a risk - a preventive control is put in place to stop a specific risk from being realized; a control relied on to address gaps in the existing control structure (C) is the definition of a compensating control.

64
Q
183. Which of the following encryption algorithms require one encryption key? 
(Choose two.)
• A. MD5
• B. 3DES
• C. BCRYPT
• D. RC4
• E. DSA
A

B. 3DES

D. RC4

65
Q
  1. A network administrator is implementing multifactor authentication for
    employees who travel and use company devices remotely by using the company
    VPN.
    Which of the following would provide the required level of authentication?
    • A. 802.1X and OTP
    • B. Fingerprint scanner and voice recognition
    • C. RBAC and PIN
    • D. Username/Password and TOTP
A

D. Username/Password and TOTP - something the user knows plus something the user has. 802.1X (A) is a port-based network access framework, not an authentication factor, so 802.1X and OTP is not two factors; B is two biometrics (one factor) and RBAC (C) is an authorization model.

66
Q
  1. A systems administrator is increasing the security settings on a virtual host
    to ensure users on one VM cannot access information from another VM.
    Which of the following is the administrator protecting against?
    • A. VM sprawl - Virtualization sprawl is a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where administrators can no longer manage them effectively. Virtualization sprawl is also referred to as virtual machine sprawl, VM sprawl or virtual server sprawl.

• B. VM escape - Virtual machine escape is an exploit in which the attacker runs code on a VM that allows an operating system running within it to break out and interact directly with the hypervisor. Such an exploit could give the attacker access to the host operating system and all other virtual machines (VMs) running on that host.

  • C. VM migration - Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another. It is part of managing hardware virtualization systems and is something that providers look at as they offer virtualization services. Virtual machine migration is also known as teleportation.
  • D. VM sandboxing - When something is put in a sandbox environment, it’s essentially in a virtual machine that’s isolated from the rest of the endpoint
A

B. VM escape

67
Q
  1. Moving laterally within a network once an initial exploit is used to gain
    persistent access for the purpose of establishing further control of a system is
    known as:
    • A. pivoting.
    • B. persistence.
    • C. active reconnaissance.
    • D. a backdoor.
A

A. pivoting - using an already compromised host as a foothold to move laterally and reach further systems; persistence (B) is keeping access to a host after the initial exploit, not moving from it.

68
Q
  1. A company network is currently under attack. Although security controls are
    in place to stop the attack, the security administrator needs more information
    about the types of attacks being used.
    Which of the following network types would BEST help the administrator gather
    this information?
    • A. DMZ
    • B. Guest network
    • C. Ad hoc
    • D. Honeynet
A

D. Honeynet

69
Q
  1. An organization’s research department uses workstations in an air-gapped
    network. A competitor released products based on files that originated in the
    research department.
    Which of the following should management do to improve the security and
    confidentiality of the research files?
    • A. Implement multifactor authentication on the workstations.
    • B. Configure removable media controls on the workstations.
    • C. Install a web application firewall in the research department.
    • D. Install HIDS on each of the research workstations.
A

B. Configure removable media controls on the workstations.

70
Q
  1. A security analyst is running a credential-based vulnerability scanner on a
    Windows host. The vulnerability scanner is using the protocol NetBIOS over
    TCP/IP to connect to various systems. However, the scan does not return any
    results.
    To address the issue, the analyst should ensure that which of the following
    default ports is open on systems?
    • A. 135
    • B. 137
    • C. 3389
    • D. 5060
A

B. 137 - the NetBIOS name service (137/UDP); NetBIOS session traffic uses 139/TCP, and most current credentialed Windows scans rely on SMB over 445/TCP instead, so a scanner that still returns nothing with 137 open needs 139 or 445 as well.

71
Q
  1. While reviewing system logs, a security analyst notices that a large number
    of end users are changing their passwords four times on the day the passwords
    are set to expire. The analyst suspects they are cycling their passwords to
    circumvent current password controls.
    Which of the following would provide a technical control to prevent this activity
    from occurring?
    • A. Set password aging requirements.
    • B. Increase the password history from three to five.
    • C. Create an AUP that prohibits password reuse.
    • D. Implement password complexity requirements.
A

A. Set password aging requirements - specifically a minimum password age (for example one day) so a password cannot be changed again immediately after being set; raising the history depth (B) only raises the number of cycles needed, and an AUP (C) is an administrative control, not a technical one.
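
Added worked example for card 71 (not from the original deck; the log format and entries are constructed, not a real Windows event export): counting password changes per user per day to surface the cycling behaviour the analyst noticed, then simulating the minimum-password-age control that stops it.

```python
"""Added example: spotting password cycling in change logs and showing what a
minimum-password-age control would have blocked.

Not from the original page; the log lines are constructed in a simplified
"timestamp event user" format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jsmith cycles through four changes to get back to an old
# password on expiry day; apatel changes once; jsmith changes again next day.
SAMPLE_LOG = """\
2024-03-01T08:58:02 PASSWORD_CHANGED user=jsmith
2024-03-01T08:58:40 PASSWORD_CHANGED user=jsmith
2024-03-01T08:59:15 PASSWORD_CHANGED user=jsmith
2024-03-01T08:59:51 PASSWORD_CHANGED user=jsmith
2024-03-01T09:10:00 PASSWORD_CHANGED user=apatel
2024-03-02T09:30:00 PASSWORD_CHANGED user=jsmith
"""


def parse_log(text: str):
    """Return a list of (timestamp, user) for password change events."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "PASSWORD_CHANGED":
            continue
        ts = datetime.fromisoformat(parts[0])
        user = parts[2].split("=", 1)[1]
        events.append((ts, user))
    return events


def cycling_suspects(events, threshold: int = 3):
    """Users who changed their password `threshold` or more times on one day.
    With a history depth of N, N+1 rapid changes gets back to the old password."""
    per_day = defaultdict(int)
    for ts, user in events:
        per_day[(user, ts.date())] += 1
    return sorted({user for (user, _), n in per_day.items() if n >= threshold})


def blocked_by_min_age(events, min_age: timedelta = timedelta(days=1)):
    """Simulate a minimum password age: a change is rejected if the user's
    previous *accepted* change is younger than `min_age`. Returns the rejected
    (timestamp, user) events; this is the technical control that stops cycling."""
    last_accepted = {}
    rejected = []
    for ts, user in sorted(events):
        prev = last_accepted.get(user)
        if prev is not None and ts - prev < min_age:
            rejected.append((ts, user))
        else:
            last_accepted[user] = ts
    return rejected


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("cycling suspects:", cycling_suspects(evts))
    for ts, user in blocked_by_min_age(evts):
        print(f"would be rejected by min-age policy: {user} at {ts.isoformat()}")
```

With the sample data, three of jsmith's four same-day changes are rejected and the next-day change is accepted, which is exactly the effect of setting a minimum age alongside the existing history control.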

72
Q
  1. Which of the following is the MOST significant difference between intrusive
    and non-intrusive vulnerability scanning?
    • A. One uses credentials, but the other does not.
    • B. One has a higher potential for disrupting system operations.
    • C. One allows systems to activate firewall countermeasures.
    • D. One returns service banners, including running versions.
A

B. One has a higher potential for disrupting system operations.

73
Q
  1. Which of the following should a technician use to protect a cellular phone
    that is needed for an investigation, to ensure the data will not be removed
    remotely?
    • A. Air gap
    • B. Secure cabinet
    • C. Faraday cage
    • D. Safe
A

C. Faraday cage

74
Q
  1. A Chief Information Security Officer (CISO) is performing a BIA for the
    organization in case of a natural disaster. Which of the following should be at the
    top of the CISO’s list?
    • A. Identify redundant and high-availability systems.
    • B. Identify mission-critical applications and systems.
    • C. Identify the single point of failure in the system.
    • D. Identify the impact on the safety of the property.
A

B. Identify mission-critical applications and systems.

75
Q
  1. Which of the following BEST explains how the use of configuration
    templates reduces organization risk?
    • A. It ensures consistency of configuration for initial system implementation.
    • B. It enables system rollback to a last known-good state if patches break functionality.
    • C. It facilitates fault tolerance since applications can be migrated across templates.
    • D. It improves vulnerability scanning efficiency across multiple systems.
A

A. It ensures consistency of configuration for initial system implementation.

76
Q
  1. A security technician has been assigned data destruction duties. The hard
    drives that are being disposed of contain highly sensitive information.
    Which of the following data destruction techniques is MOST appropriate?
    • A. Degaussing
    • B. Purging
    • C. Wiping
    • D. Shredding
A

D. Shredding

77
Q
170. Which of the following implements a stream cipher?
• A. File-level encryption
• B. IKEv2 exchange
• C. SFTP data transfer
• D. S/MIME encryption
A

D. S/MIME encryption

78
Q
  1. A security analyst is emailing PII in a spreadsheet file to an audit validator
    for after-actions related to a security assessment. The analyst must make sure
    the PII data is protected with the following minimum requirements:
    ✑ Ensure confidentiality at rest.
    ✑ Ensure the integrity of the original email message.
    Which of the following controls would ensure these data security requirements
    are carried out?
    • A. Encrypt and sign the email using S/MIME.
    • B. Encrypt the email and send it using TLS.
    • C. Hash the email using SHA-1.
    • D. Sign the email using MD5.
A

A. Encrypt and sign the email using S/MIME.

79
Q
  1. Which of the following BEST describes the purpose of authorization?
    • A. Authorization provides logging to a resource and comes after authentication.
    • B. Authorization provides authentication to a resource and comes after identification.
    • C. Authorization provides identification to a resource and comes after authentication.
    • D. Authorization provides permissions to a resource and comes after authentication.
A

D. Authorization provides permissions to a resource and comes after authentication.

80
Q
  1. A security administrator is implementing a secure method that allows
    developers to place files or objects onto a Linux server. Developers are required
    to log in using a username, password, and asymmetric key.
    Which of the following protocols should be implemented?
    • A. SSL/TLS
    • B. SFTP
    • C. SRTP
    • D. IPSec
A

B. SFTP

81
Q
  1. A manager makes an unannounced visit to the marketing department and
    performs a walk-through of the office. The manager observes unclaimed
    documents on printers. A closer look at these documents reveals employee
    names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice
    cream flavors. The manager brings this to the attention of the marketing
    department head. The manager believes this information to be PII, but the
    marketing head does not agree. Having reached a stalemate, which of the
    following is the MOST appropriate action to take NEXT?
    • A. Elevate to the Chief Executive Officer (CEO) for redress; change from the top down
    usually succeeds.
    • B. Find the privacy officer in the organization and let the officer act as the arbiter.
    • C. Notify employees whose names are on these files that their personal information is
    being compromised.
    • D. To maintain a working relationship with marketing, quietly record the incident in the
    risk register.
A

B. Find the privacy officer in the organization and let the officer act as the arbiter.

82
Q
  1. An organization wants to deliver streaming audio and video from its home
    office to remote locations all over the world. It wants the stream to be delivered
    securely and protected from intercept and replay attacks.
    Which of the following protocols is BEST suited for this purpose?
    • A. SSH
    • B. SIP
    • C. S/MIME
    • D. SRTP
A

D. SRTP - secure real-time transport protocol Two protocols specifically designed to be used with SRTP are ZRTP and MIKEY

83
Q
  1. A security administrator is investigating many recent incidents of credential
    theft for users accessing the company’s website, despite the hosting web server
    requiring HTTPS for access. The server’s logs show the website leverages the
    HTTP POST method for carrying user authentication details.
    Which of the following is the MOST likely reason for compromise?
    • A. The HTTP POST method is not protected by HTTPS.
    • B. The web server is running a vulnerable SSL configuration.
    • C. The HTTP response is susceptible to sniffing.
    • D. The company doesn’t support DNSSEC.
A

B. The web server is running a vulnerable SSL configuration - HTTPS protects the entire request, POST bodies included, so A is false as stated; if credentials are being stolen despite HTTPS, the likely weakness is the TLS setup itself (obsolete protocol versions or weak cipher suites that allow downgrade or decryption), which is what the administrator should check first.

84
Q
163. A security administrator is choosing an algorithm to generate password 
hashes.
Which of the following would offer the BEST protection against offline brute force 
attacks?
• A. MD5
• B. 3DES
• C. AES
• D. SHA-1
A

D. SHA-1 - the only option that is both a hash and stronger than MD5 (3DES and AES are ciphers, not hashes). In practice a password store should use a salted, deliberately slow KDF such as bcrypt, PBKDF2 or Argon2: plain SHA-1 can be brute-forced offline at billions of guesses per second.
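
Added worked example for cards 60 and 84 (not from the original deck; the documents, passwords and the PBKDF2 iteration count are assumptions): the difference between hashing a document, testing two documents for a collision, and storing passwords unsalted versus salted and stretched. It cannot produce an MD5 collision on demand (that needs a precomputed colliding pair), but it shows how the check is made and why a fast hash is the wrong tool for passwords.

```python
"""Added example: hashing vs. collisions vs. salting vs. key stretching.

Not from the original flashcard deck. All inputs are constructed; the PBKDF2
iteration count is an assumption for the demo.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumption; tune to what the login path can afford


def md5_hex(data: bytes) -> str:
    """Plain MD5 (128-bit) digest as hex: fine for spotting accidental change,
    unsuitable for integrity against an adversary because collisions are cheap."""
    return hashlib.md5(data).hexdigest()


def sha1_hex(data: bytes) -> str:
    """SHA-1 (160-bit) digest as hex; also collision-broken, but costlier to attack than MD5."""
    return hashlib.sha1(data).hexdigest()


def documents_collide(doc_a: bytes, doc_b: bytes, algo: str = "md5") -> bool:
    """A collision is two *different* inputs with the same digest (card 60)."""
    if doc_a == doc_b:
        return False
    return hashlib.new(algo, doc_a).digest() == hashlib.new(algo, doc_b).digest()


def unsalted_password_hash(password: str) -> str:
    """What storing SHA-1(password) gives you: equal passwords, equal hashes,
    so one precomputed table cracks every user who picked the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def stretched_password_hash(password: str, salt: bytes = b""):
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh 16-byte salt is drawn when
    none is given. Returns (salt, derived_key)."""
    if not salt:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison so a timing side channel does not leak the key."""
    _, key = stretched_password_hash(password, salt)
    return hmac.compare_digest(key, expected_key)


def guesses_per_second(func, *args, seconds: float = 0.2) -> int:
    """Crude guess-rate measurement to compare the two schemes on this CPU."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        func(*args)
        n += 1
    return int(n / seconds)


if __name__ == "__main__":
    doc, tampered = b"Quarterly report v1", b"Quarterly report v2"
    print("md5 :", md5_hex(doc))
    print("sha1:", sha1_hex(doc))
    print("collision between the two documents:", documents_collide(doc, tampered))

    pw = "Winter2024!"
    print("unsalted hashes equal for two users:",
          unsalted_password_hash(pw) == unsalted_password_hash(pw))
    salt_a, key_a = stretched_password_hash(pw)
    salt_b, key_b = stretched_password_hash(pw)
    print("salted+stretched hashes equal:", key_a == key_b)
    print("verify correct password:", verify_password(pw, salt_a, key_a))
    print("sha1 guesses/s  :", guesses_per_second(unsalted_password_hash, "guess"))
    print("pbkdf2 guesses/s:", guesses_per_second(stretched_password_hash, "guess", salt_a))
```

Run it and compare the two guess rates: the gap between them is the whole argument for key stretching, and the per-user salt is what makes a precomputed table useless.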

85
Q
162. An organization wants to ensure network access is granted only after a user 
or device has been authenticated.
Which of the following should be used to achieve this objective for both wired 
and wireless networks?
• A. CCMP
• B. PKCS#12
• C. IEEE 802.1X
• D. OCSP
A

C. IEEE 802.1X

86
Q
  1. An organization has air gapped a critical system.
    Which of the following BEST describes the type of attacks that are prevented by
    this security measure?
    • A. Attacks from another local network segment
    • B. Attacks exploiting USB drives and removable media
    • C. Attacks that spy on leaked emanations or signals
    • D. Attacks that involve physical intrusion or theft
A

A. Attacks from another local network segment

87
Q
  1. A Chief Information Security Officer (CISO) has instructed the information
    assurance staff to act upon a fast-spreading virus.
    Which of the following steps in the incident response process should be taken
    NEXT?
    • A. Identification
    • B. Eradication
    • C. Escalation
    • D. Containment
A

A. Identification - confirming that the event is an incident and establishing its scope; if the virus has already been identified as such, the next step is containment (D), so read the question wording carefully.

88
Q
  1. The Chief Information Security Officer (CISO) in a company is working to
    maximize protection efforts of sensitive corporate data. The CISO implements a
    “100% shred” policy within the organization, with the intent to destroy any
    documentation that is not actively in use in a way that it cannot be recovered or
    reassembled.
    Which of the following attacks is this deterrent MOST likely to mitigate?
    • A. Dumpster diving
    • B. Whaling
    • C. Shoulder surfing
    • D. Vishing
A

A. Dumpster diving

89
Q
  1. A company has a team of penetration testers. This team has located a file on
    the company file server that they believe contains cleartext usernames followed
    by a hash.
    Which of the following tools should the penetration testers use to learn more
    about the content of this file?
    • A. Exploitation framework
    • B. Vulnerability scanner
    • C. Netcat
    • D. Password cracker
A

D. Password cracker

90
Q
  1. When used together, which of the following qualify as two-factor
    authentication?
    • A. Password and PIN
    • B. Smart card and PIN
    • C. Proximity card and smart card
    • D. Fingerprint scanner and iris scanner
A

B. Smart card and PIN

91
Q
  1. A network technician is designing a network for a small company. The
    network technician needs to implement an email server and web server that will
    be accessed by both internal employees and external customers.
    Which of the following would BEST secure the internal network and allow access
    to the needed servers?
    • A. Implementing a site-to-site VPN for server access.
    • B. Implementing a DMZ segment for the server.
    • C. Implementing NAT addressing for the servers.
    • D. Implementing a sandbox to contain the servers.
A

B. Implementing a DMZ segment for the server.

92
Q
  1. Which of the following identity access methods creates a cookie on the first
    login to a central authority to allow logins to subsequent applications without reentering credentials?
    • A. Multifactor authentication
    • B. Transitive trust
    • C. Federated access
    • D. Single sign-on
A

D. Single sign-on

93
Q
  1. An application developer has neglected to include input validation checks in
    the design of the company’s new web application. An employee discovers that
    repeatedly submitting large amounts of data, including custom code, to an
    application will allow the execution of the custom code at the administrator level.
    Which of the following BEST identifies this application attack?
    • A. Cross-site scripting
    • B. Clickjacking
    • C. Buffer overflow
    • D. Replay
A

C. Buffer overflow

94
Q
  1. A developer has incorporated routines into the source code for controlling
    the length of the input passed to the program.
    Which of the following types of vulnerabilities is the developer protecting the
    code against?
    • A. DLL injection
    • B. Memory leak
    • C. Buffer overflow
    • D. Pointer dereference
A

C. Buffer overflow

95
Q
  1. An administrator is implementing a secure web server and wants to ensure
    that if the web server application is compromised, the application does not have
    access to other parts of the server or network.
    Which of the following should the administrator implement? (Choose two.)
    • A. Mandatory access control
    • B. Discretionary access control
    • C. Rule-based access control
    • D. Role-based access control
    • E. Attribute-based access control
A

Correct Answer: AC
A. Mandatory access control
C. Rule-based access control

96
Q
  1. Joe, a user, reports to the help desk that he can no longer access any
    documents on his PC. He states that he saw a window appear on the screen
    earlier, but he closed it without reading it. Upon investigation, the technician sees
    high disk activity on Joe’s PC.
    Which of the following types of malware is MOST likely indicated by these
    findings?
    • A. Keylogger
    • B. Trojan
    • C. Rootkit
    • D. Crypto-malware
A

D. Crypto-malware

97
Q
  1. A company is planning to utilize its legacy desktop systems by converting
    them into dummy terminals and moving all heavy applications and storage to a
    centralized server that hosts all of the company’s required desktop applications.
    Which of the following describes the BEST deployment method to meet these
    requirements?
    • A. IaaS
    • B. VM sprawl
    • C. VDI
    • D. PaaS
A

C. VDI

98
Q
  1. Management wants to ensure any sensitive data on company-provided cell
    phones is isolated in a single location that can be remotely wiped if the phone is
    lost.
    Which of the following technologies BEST meets this need?
    • A. Geofencing
    • B. Containerization
    • C. Device encryption
    • D. Sandboxing
A

B. Containerization

99
Q
  1. A systems administrator needs to integrate multiple IoT and small embedded
    devices into the company’s wireless network securely.
    Which of the following should the administrator implement to ensure low-power
    and legacy devices can connect to the wireless network?
    • A. WPS
    • B. WPA
    • C. EAP-FAST
    • D. 802.1X
A

A. WPS - intended for devices that cannot handle 802.1X/EAP. Note that WPS PIN authentication is vulnerable to offline brute force (the PIN is validated in two halves) and should be disabled after devices are onboarded, with IoT devices isolated on their own SSID and VLAN.

100
Q
  1. Which of the following can occur when a scanning tool cannot authenticate
    to a server and has to rely on limited information obtained from service banners?
    • A. False positive
    • B. Passive reconnaissance
    • C. Access violation
    • D. Privilege escalation
A

A. False positive

101
Q
  1. A recent penetration test revealed several issues with a public-facing
    website used by customers. The testers were able to:
    ✑ Enter long lines of code and special characters
    ✑ Crash the system
    ✑ Gain unauthorized access to the internal application server
    ✑ Map the internal network
    The development team has stated they will need to rewrite a significant portion of
    the code used, and it will take more than a year to deliver the finished product.
    Which of the following would be the BEST solution to introduce in the interim?
    • A. Content filtering
    • B. WAF
    • C. TLS
    • D. IPS/IDS
    • E. UTM
A

B. WAF - a web application firewall filters the long inputs, special characters and injection patterns at the HTTP layer in front of the application while the code is rewritten. A UTM (E) bundles many functions (anti-malware, IDS/IPS, content filtering) in one device, but it is not the targeted control for application-layer input attacks against a single public website.

102
Q
145. Which of the following control types would a backup of server data provide 
in case of a system issue?
• A. Corrective
• B. Deterrent
• C. Preventive
• D. Detective
A

A. Corrective

103
Q
  1. The Chief Executive Officer (CEO) received an email from the Chief Financial
    Officer (CFO), asking the CEO to send financial details. The CEO thought it was
    strange that the CFO would ask for the financial details via email. The email
    address was correct in the “From” section of the email. The CEO clicked the form
    and sent the financial information as requested.
    Which of the following caused the incident?
    • A. Domain hijacking
    • B. SPF not enabled
    • C. MX records rerouted
    • D. Malicious insider
A

B. SPF not enabled - Sender Policy Framework (SPF), is a technical standard and email authentication technique that helps protect email senders and recipients from spam, spoofing, and phishing. … It was designed to supplement SMTP, the basic protocol used to send email, because SMTP does not itself include any authentication mechanisms.
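
Added worked example for card 103 (not from the original deck; the records and addresses are constructed, and no DNS is consulted): how a receiving gateway evaluates the connecting IP against a domain's SPF record, and why the CFO-spoof message sails through when no record is published. Only ip4/ip6 terms and the trailing "all" are evaluated; mechanisms that need lookups (include, a, mx, exists, redirect, ptr) are reported as unresolved rather than guessed.

```python
"""Added example: checking a sending IP against an SPF record.

Not from the original page. Records and addresses are constructed; DNS-
dependent mechanisms are reported as unresolved instead of being followed.
"""
import ipaddress

# Constructed records: the company's own record, and one that delegates to a
# third-party mailer via include (which this offline evaluator cannot follow).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 -all"
SPF_RECORD_WITH_INCLUDE = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.invalid -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def parse_spf(record: str):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        if "=" in mech:  # modifier form, e.g. redirect=other.invalid
            mech, _, value = mech.partition("=")
        terms.append((qual, mech.lower(), value))
    return terms


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return pass/fail/softfail/neutral, "none" when no term matches, or
    "unresolved" when a DNS-dependent term might have matched first."""
    ip = ipaddress.ip_address(sender_ip)
    needs_dns = False
    for qual, mech, value in parse_spf(record):
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # malformed term: skip rather than trust it
            if ip in network:  # False across IPv4/IPv6 families
                return QUALIFIERS[qual]
        elif mech == "all":
            return "unresolved" if needs_dns else QUALIFIERS[qual]
        elif mech in DNS_MECHANISMS:
            needs_dns = True
    return "unresolved" if needs_dns else "none"


def gateway_decision(record, envelope_domain: str, sender_ip: str) -> str:
    """The receiving gateway's view of the CFO-spoof scenario: a message whose
    envelope sender claims the company's domain but arrives from an outside IP.
    `record` is None when the domain publishes no SPF record."""
    if record is None:
        return "no SPF record for %s: nothing to check, spoof accepted" % envelope_domain
    result = evaluate_spf(record, sender_ip)
    return "spf=%s for %s from %s" % (result, envelope_domain, sender_ip)


if __name__ == "__main__":
    print(gateway_decision(None, "corp.example", "198.51.100.7"))
    print(gateway_decision(SPF_RECORD, "corp.example", "198.51.100.7"))
    print(gateway_decision(SPF_RECORD, "corp.example", "203.0.113.25"))
    print(gateway_decision(SPF_RECORD_WITH_INCLUDE, "corp.example", "198.51.100.7"))
```

SPF checks the envelope sender and connecting host; the visible From header the CEO looked at is only tied to that check when DMARC alignment is enforced, so SPF is the first of the controls this scenario needs, not the last.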

104
Q
  1. Two companies are enabling TLS on their respective email gateways to
    secure communications over the Internet.
    Which of the following cryptography concepts is being implemented?
    • A. Perfect forward secrecy
    • B. Ephemeral keys
    • C. Domain validation
    • D. Data in transit
A

D. Data in transit

105
Q
  1. A company has migrated to two-factor authentication for accessing the
    corporate network, VPN, and SSO. Several legacy applications cannot support
    multifactor authentication and must continue to use usernames and passwords.
    Which of the following should be implemented to ensure the legacy applications
    are as secure as possible while ensuring functionality? (Choose two.)
    • A. Privileged accounts
    • B. Password reuse restrictions
    • C. Password complexity requirements
    • D. Password recovery
    • E. Account disablement
A

Correct Answer: CE

106
Q
  1. A company’s IT staff is given the task of securely disposing of 100 server
    HDDs. The security team informs the IT staff that the data must not be accessible
    by a third party after disposal.
    Which of the following is the MOST time-efficient method to achieve this goal?
    • A. Use a degausser to sanitize the drives.
    • B. Remove the platters from the HDDs and shred them.
    • C. Perform a quick format of the HDD drives.
    • D. Use software to zero fill all of the hard drives.
A

A. Use a degausser to sanitize the drives - seconds per drive, and the platters are unusable afterwards. Note that degaussing does not sanitize SSDs, which the question avoids by specifying HDDs.

107
Q
  1. Which of the following terms BEST describes an exploitable vulnerability
    that exists but has not been publicly disclosed yet?
    • A. Design weakness
    • B. Zero-day
    • C. Logic bomb
    • D. Trojan
A

B. Zero-day

108
Q
  1. A company has critical systems that are hosted on an end-of-life OS. To
    maintain operations and mitigate potential vulnerabilities, which of the following
    BEST accomplishes this objective?
    • A. Use application whitelisting.
    • B. Employ patch management.
    • C. Disable the default administrator account.
    • D. Implement full-disk encryption.
A

A. Use application whitelisting.

109
Q
  1. A company is performing an analysis of which corporate units are most
    likely to cause revenue loss in the event the unit is unable to operate.
    Which of the following is an element of the BIA that this action is addressing?
    • A. Critical system inventory
    • B. Single point of failure
    • C. Continuity of operations
    • D. Mission-essential functions
A

A. Critical system inventory - note that the question speaks of corporate units rather than systems, which is what mission-essential functions (D) describes; be ready for either wording.

110
Q
  1. Which of the following attackers generally possesses minimal technical
    knowledge to perform advanced attacks and uses widely available tools as well
    as publicly available information?
    • A. Hacktivist
    • B. White hat hacker
    • C. Script kiddie
    • D. Penetration tester
A

C. Script kiddie

111
Q
  1. An organization’s Chief Executive Officer (CEO) directs a newly hired
    computer technician to install an OS on the CEO’s personal laptop. The
    technician performs the installation, and a software audit later in the month
    indicates a violation of the EULA occurred as a result.
    Which of the following would address this violation going forward?
    • A. Security configuration baseline
    • B. Separation of duties
    • C. AUP
    • D. NDA
A

C. AUP

112
Q
  1. A water utility company has seen a dramatic increase in the number of water
    pumps burning out. A malicious actor was attacking the company and is
    responsible for the increase.
    Which of the following systems has the attacker compromised?
    • A. DMZ
    • B. RTOS
    • C. SCADA
    • D. IoT
A

C. SCADA

113
Q
  1. A network technician is setting up a new branch for a company. The users at
    the new branch will need to access resources securely as if they were at the main
    location.
    Which of the following networking concepts would BEST accomplish this?
    • A. Virtual network segmentation
    • B. Physical network segmentation
    • C. Site-to-site VPN
    • D. Out-of-band access
    • E. Logical VLANs
A

C. Site-to-site VPN

114
Q
  1. A salesperson often uses a USB drive to save and move files from a
    corporate laptop. The corporate laptop was recently updated, and now the files
    on the USB are read-only.
    Which of the following was recently added to the laptop?
    • A. Antivirus software
    • B. File integrity check
    • C. HIPS
    • D. DLP
A

D. DLP

115
Q
  1. A security administrator suspects that data on a server has been exfiltrated
    as a result of unauthorized remote access.
    Which of the following would assist the administrator in confirming the
    suspicions? (Select TWO)
    • A. Networking access control
    • B. DLP alerts
    • C. Log analysis
    • D. File integrity monitoring
    • E. Host firewall rules
A

Correct Answer: BC

116
Q
  1. A company is deploying a new VoIP phone system. They require 99.999%
    uptime for their phone service and are concerned about their existing data
    network interfering with the VoIP phone system. The core switches in the existing
    data network are almost fully saturated.
    Which of the following options will provide the best performance and availability
    for both the VoIP traffic, as well as the traffic on the existing data network?
  • A. Put the VoIP network into a different VLAN than the existing data network.
  • B. Upgrade the edge switches from 10/100/1000 to improve network speed
  • C. Physically separate the VoIP phones from the data network
  • D. Implement flood guards on the data network
A

A. Put the VoIP network into a different VLAN than the existing data network.

117
Q
  1. A server administrator needs to administer a server remotely using RDP, but
    the specified port is closed on the outbound firewall on the network.
    Which of the following protocols can the administrator use to reach the server
    over RDP on a port other than the typical registered port for RDP?
    • A. TLS
    • B. MPLS
    • C. SCP
    • D. SSH
A

D. SSH - tunnel RDP inside an SSH session (local port forwarding) to a host that is reachable on a port the firewall allows; TLS (A) is what RDP already uses for transport protection and does not by itself move the service to another port.

118
Q
  1. Which of the following can be used to control specific commands that can be
    executed on a network infrastructure device?
    • A. LDAP
    • B. Kerberos
    • C. SAML
    • D. TACACS+
A

D. TACACS+

119
Q
  1. Company XYZ has decided to make use of a cloud-based service that
    requires mutual, certificate-based authentication with its users. The company
    uses an SSL-inspecting IDS at its network boundary and is concerned about the
    confidentiality of the mutual authentication.
    Which of the following models prevents the IDS from capturing credentials used to
    authenticate users to the new service or keys to decrypt that communication?
    • A. Use of OATH between the user and the service and attestation from the company
    domain
    • B. Use of active directory federation between the company and the cloud-based service
    • C. Use of smartcards that store x.509 keys, signed by a global CA
    • D. Use of a third-party, SAML-based authentication service for attestation
A

C. Use of smartcards that store x.509 keys, signed by a global CA - the private key never leaves the card, so an inspecting device in the path cannot capture it, and mutual TLS client authentication cannot be transparently proxied without that key; federation tokens (B) would transit the inspected channel and be visible to the IDS.

120
Q
  1. A company has a data system with definitions for “Private” and “Public”. The
    company’s security policy outlines how data should be protected based on type.
    The company recently added the data type “Proprietary”.
    Which of the following is the MOST likely reason the company added this data
    type?
    • A. Reduced cost
    • B. More searchable data
    • C. Better data classification
    • D. Expanded authority of the privacy officer
A

C. Better data classification

121
Q
  1. A systems administrator has finished configuring a firewall ACL to allow access
    to a new web server:
    PERMIT TCP from: ANY to: 192.168.1.10:80
    PERMIT TCP from: ANY to: 192.168.1.10:443
    DENY TCP from: ANY to: ANY
    The security administrator confirms from the following packet capture that there
    is network traffic from the Internet to the web server:
    TCP 10.23.243.2:2000->192.168.1.10:80 POST /defaults
    TCP 172.16.4.100:1934->192.168.1.10:80 GET /session.aspx?user_1_sessionid=
    a12ad8741d8f7e7ac723847aa8231a
    The company’s internal auditor issues a security finding and requests that
    immediate action be taken. With which of the following is the auditor MOST
    concerned?
    • A. Misconfigured firewall
    • B. Clear text credentials
    • C. Implicit deny
    • D. Default configuration
A

B. Clear text credentials - the session identifier travels in a GET query string over plain HTTP (port 80), so it is readable by anyone on the path and lands in proxy and server logs; the ACL itself is sound, ending in an explicit deny.

122
Q
  1. An organization’s internal auditor discovers that large sums of money have
    recently been paid to a vendor that management does not recognize. The IT
    security department is asked to investigate the organization’s ERP system to
    determine how the accounts payable module has been used to make these vendor
    payments. The IT security department finds the following security configuration
    for the accounts payable module:
    ✑ New Vendor Entry Required Role: Accounts Payable Clerk
    ✑ New Vendor Approval Required Role: Accounts Payable Clerk
    ✑ Vendor Payment Entry Required Role: Accounts Payable Clerk
    ✑ Vendor Payment Approval Required Role: Accounts Payable Manager
    Which of the following changes to the security configuration of the accounts
    payable module would BEST mitigate the risk?
    • A. Option A
    • B. Option B
    • C. Option C
    • D. Option D
A

A. Option A

123
Q
  1. A CSIRT has completed restoration procedures related to a breach of sensitive
    data and is creating documentation used to improve the organization’s security
    posture. The team has been specifically tasked to address logical controls in its
    suggestions.
    Which of the following would be MOST beneficial to include in lessons learned
    documentation? (Choose two.)
    • A. A list of policies, which should be revised to provide better clarity to employees
    regarding acceptable use
    • B. Recommendations relating to improved log correlation and alerting tools
    • C. Data from the organization’s IDS/IPS tools, which show the timeline of the breach
    and the activities executed by the attacker
    • D. A list of potential improvements to the organization’s NAC capabilities, which would
    improve AAA within the environment
    • E. A summary of the activities performed during each phase of the incident response
    activity
    • F. A list of topics that should be added to the organization’s security awareness training
    program based on weaknesses exploited during the attack
A

B. Recommendations relating to improved log correlation and alerting tools

D. A list of potential improvements to the organization’s NAC capabilities, which would
improve AAA within the environment - the task is limited to logical (technical) controls; policy revisions (A) and awareness training (F) are administrative controls.

124
Q
  1. A security analyst receives a notification from the IDS after working hours,
    indicating a spike in network traffic.
    Which of the following BEST describes this type of IDS?
    • A. Anomaly-based
    • B. Stateful
    • C. Host-based
    • D. Signature-based
A

A. Anomaly-based

125
Q
  1. An instructor is teaching a hands-on wireless security class and needs to
    configure a test access point to show students an attack on a weak protocol.
    Which of the following configurations should the instructor implement?
    • A. WPA2
    • B. WPA
    • C. EAP
    • D. WEP
A

D. WEP

126
Q
  1. A security analyst is hardening a large-scale wireless network. The primary
    requirements are the following:
    ✑ Must use authentication through EAP-TLS certificates
    ✑ Must use an AAA server
    ✑ Must use the most secure encryption protocol
    Given these requirements, which of the following should the analyst implement
    and recommend? (Select TWO.)
    • A. 802.1X
    • B. 802.3
    • C. LDAP
    • D. TKIP
    • E. CCMP
    • F. WPA2-PSK
A

A. 802.1X

F. WPA2-PSK

127
Q
  1. A company recently experienced data exfiltration via the corporate network. In
    response to the breach, a security analyst recommends deploying an out-of-band
    IDS solution. The analyst says the solution can be implemented without
    purchasing any additional network hardware.
    Which of the following solutions will be used to deploy the IDS?
    • A. Network tap
    • B. Network proxy
    • C. Honeypot
    • D. Port mirroring
A

D. Port mirroring - Port mirroring is the ability of a network switch to send a copy of the packets transmitted over a switch port to a network monitoring or inspection device that is connected to the mirror port, a dedicated port on the switch.

128
Q
  1. An organization wants to implement a solution that allows for automated
    logical controls for network defense. An engineer plans to select an appropriate
    network security component, which automates response actions based on
    security threats to the network.
    Which of the following would be MOST appropriate based on the engineer’s
    requirements?
    • A. NIPS - Network Intrusion Prevention System
    • B. HIDS - Host-based IDS
    • C. Web proxy
    • D. Elastic load balancer
    • E. NAC - Network access control
A

A. NIPS - Network Intrusion Prevention System

129
Q
  1. A highly complex password policy has made it nearly impossible to crack
    account passwords.
    Which of the following might a hacker still be able to perform?
    • A. Pass-the-hash attack
    • B. ARP poisoning attack
    • C. Birthday attack
    • D. Brute force attack
A

A. Pass-the-hash attack

130
Q
  1. Which of the following is the main difference between an XSS vulnerability and a CSRF
    vulnerability?
    • A. XSS needs the attacker to be authenticated to the trusted server.
    • B. XSS does not need the victim to be authenticated to the trusted server.
    • C. CSRF needs the victim to be authenticated to the trusted server.
    • D. CSRF does not need the victim to be authenticated to the trusted server.
    • E. CSRF does not need the attacker to be authenticated to the trusted server.
A

B. XSS does not need the victim to be authenticated to the trusted server.
C. CSRF needs the victim to be authenticated to the trusted server.

131
Q
  1. A group of developers is collaborating to write software for a company. The
    developers need to work in subgroups and control who has access to their
    modules.
    Which of the following access control methods is considered user-centric?
    • A. Time-based
    • B. Mandatory
    • C. Rule-based
    • D. Discretionary
A

D. Discretionary

132
Q
  1. Which of the following methods minimizes the system interaction when
    gathering information to conduct a vulnerability assessment of a router?
    • A. Download the configuration
    • B. Run a credentialed scan.
    • C. Conduct the assessment during downtime
    • D. Change the routing to bypass the router.
A

A. Download the configuration

133
Q
  1. Which of the following BEST explains why sandboxing is a best practice for
    testing software from an untrusted vendor prior to an enterprise deployment?
    • A. It allows the software to run in an unconstrained environment with full network
    access.
    • B. It eliminates the possibility of privilege escalation attacks against the local VM host.
    • C. It facilitates the analysis of possible malware by allowing it to run until resources are
    exhausted.
    • D. It restricts the access of the software to a contained logical space and limits possible
    damage
A

D. It restricts the access of the software to a contained logical space and limits possible
damage

134
Q
15. A small- to medium-sized company wants to block the use of USB devices on 
its network.
Which of the following is the MOST cost-effective way for the security analyst to 
prevent this?
• A. Implement a DLP system
• B. Apply a GPO
• C. Conduct user awareness training
• D. Enforce the AUP
A

B. Apply a GPO

135
Q
  1. Which of the following is the BEST way for home users to mitigate
    vulnerabilities associated with IoT devices on their home networks?
    • A. Power off the devices when they are not in use.
    • B. Prevent IoT devices from contacting the Internet directly.
    • C. Apply firmware and software updates upon availability.
    • D. Deploy a bastion host on the home network.
A

C. Apply firmware and software updates upon availability.

136
Q
  1. Corporations choose to exceed regulatory framework standards because of
    which of the following incentives?
    • A. It improves the legal defensibility of the company.
    • B. It gives a social defense that the company is not violating customer privacy laws.
    • C. It proves to investors that the company takes APT cyber actors seriously
    • D. It results in overall industrial security standards being raised voluntarily.
A

A. It improves the legal defensibility of the company.

138
Q
  1. A call center company wants to implement a domain policy primarily for its
    shift workers. The call center has large groups with different user roles.
    Management wants to monitor group performance.
    Which of the following is the BEST solution for the company to implement?
    • A. Reduced failed logon attempts
    • B. Mandatory password changes
    • C. Increased account lockout time
    • D. Time-of-day restrictions
A

D. Time-of-day restrictions

139
Q
  1. A buffer overflow can result in:
    • A. loss of data caused by unauthorized command execution.
    • B. privilege escalation caused by TPN override.
    • C. reduced key strength due to salt manipulation.
    • D. repeated use of one-time keys.
A

B. privilege escalation caused by TPN override.

140
Q
  1. Users are attempting to access a company’s website but are transparently
    redirected to another website. The users confirm the URL is correct.
    Which of the following would BEST prevent this issue in the future?
    • A. DNSSEC
    • B. HTTPS
    • C. IPSec
    • D. TLS/SSL
A

A. DNSSEC

141
Q
  1. Which of the following is a compensating control that will BEST reduce the
    risk of weak passwords?
    • A. Requiring the use of one-time tokens
    • B. Increasing password history retention count
    • C. Disabling user accounts after exceeding maximum attempts
    • D. Setting expiration of user passwords to a shorter time
A

A. Requiring the use of one-time tokens

142
Q
  1. A consumer purchases an exploit from the dark web. The exploit targets the
    online shopping cart of a popular website, allowing the shopper to modify the
    price of an item at checkout.
    Which of the following BEST describes this type of user?
    • A. Insider
    • B. Script kiddie
    • C. Competitor
    • D. Hacktivist
    • E. APT
A

B. Script kiddie

143
Q
  1. Joe, a backup administrator, wants to implement a solution that will reduce
    the restoration time of physical servers.
    Which of the following is the BEST method for Joe to use?
    • A. Differential
    • B. Incremental
    • C. Full
    • D. Snapshots
A

C. Full

144
Q
  1. Which of the following development models entails several iterative and
    incremental software development methodologies such as Scrum?
    • A. Spiral
    • B. Waterfall
    • C. Agile
    • D. Rapid
A

A. Spiral

145
Q
  1. Which of the following are used to substantially increase the computation
    time required to crack a password? (Choose two.)
    • A. BCRYPT
    • B. Substitution cipher
    • C. ECDHE
    • D. PBKDF2
    • E. Diffie-Hellman
A

A. BCRYPT

D. PBKDF2

146
Q
  1. Which of the following describes the maximum amount of time a mission
    essential function can operate without the systems it depends on before
    significantly impacting the organization?
    • A. MTBF
    • B. MTTR
    • C. RTO
    • D. RPO
A

C. RTO

147
Q
  1. A network administrator is brute forcing accounts through a web interface.
    Which of the following would provide the BEST defense from an account
    password being discovered?
    • A. Password history
    • B. Account lockout
    • C. Account expiration
    • D. Password complexity
A

B. Account lockout

148
Q
  1. A security engineer wants to add SSL to the public web server. Which of the
    following would be the FIRST step to implement the SSL certificate?
    • A. Download the web certificate
    • B. Install the intermediate certificate
    • C. Generate a CSR
    • D. Encrypt the private key
A

C. Generate a CSR

149
Q
  1. Which of the following is a major difference between XSS attacks and remote
    code exploits?
    • A. XSS attacks use machine language, while remote exploits use interpreted language
    • B. XSS attacks target servers, while remote code exploits target clients
    • C. Remote code exploits aim to escalate attackers’ privileges, while XSS attacks aim to
    gain access only
    • D. Remote code exploits allow writing code at the client side and executing it, while XSS
    attacks require no code to work
A

C. Remote code exploits aim to escalate attackers’ privileges, while XSS attacks aim to
gain access only

150
Q
  1. A systems administrator has implemented multiple websites using host
    headers on the same server. The server hosts two websites that require
    encryption and other websites where encryption is optional.
    Which of the following should the administrator implement to encrypt web traffic
    for the required websites?
    • A. Extended domain validation
    • B. TLS host certificate
    • C. OCSP stapling
    • D. Wildcard certificate
A

B. TLS host certificate

151
Q
  1. Which of the following are considered among the BEST indicators that a
    received message is a hoax? (Choose two.)
    • A. Minimal use of uppercase letters in the message
    • B. Warnings of monetary loss to the receiver
    • C. No valid digital signature from a known security organization
    • D. Claims of possible damage to computer hardware
    • E. Embedded URLs
A

B. Warnings of monetary loss to the receiver

D. Claims of possible damage to computer hardware

153
Q
  1. Management wishes to add another authentication factor in addition to
    fingerprints and passwords in order to have three-factor authentication.
    Which of the following would BEST satisfy this request?
    • A. Retinal scan
    • B. Passphrase
    • C. Token fob
    • D. Security question
A

C. Token fob

154
Q
  1. During a lessons learned meeting regarding a previous incident, the security
    team receives a follow-up action item with the following requirements:
    ✑ Allow authentication from within the United States anytime
    ✑ Allow authentication if the user is accessing email or a shared file system
    ✑ Do not allow authentication if the AV program is two days out of date
    ✑ Do not allow authentication if the location of the device is in two specific countries
    Given the requirements, which of the following mobile deployment authentication
    types is being utilized?
    • A. Geofencing authentication
    • B. Two-factor authentication
    • C. Context-aware authentication
    • D. Biometric authentication
A

C. Context-aware authentication

155
Q
  1. A network administrator is creating a new network for an office. For security
    purposes, each department should have its resources isolated from every other
    department but be able to communicate back to central servers.
    Which of the following architecture concepts would BEST accomplish this?
    • A. Air gapped network
    • B. Load balanced network
    • C. Network address translation
    • D. Network segmentation
A

D. Network segmentation

156
Q
  1. A customer calls a technician and needs to remotely connect to a web server
    to change some code manually. The technician needs to configure the user’s
    machine with protocols to connect to the Unix web server, which is behind a
    firewall.
    Which of the following protocols does the technician MOST likely need to
    configure?
    • A. SSH
    • B. SFTP
    • C. HTTPS
    • D. SNMP
A

A. SSH

157
Q
  1. A security analyst is assessing a small company’s internal servers against
    recommended security practices.
    Which of the following should the analyst do to conduct the assessment?
    (Choose two.)
    • A. Compare configurations against platform benchmarks
    • B. Confirm adherence to the company’s industry-specific regulations
    • C. Review the company’s current security baseline
    • D. Verify alignment with policy related to regulatory compliance
    • E. Run an exploitation framework to confirm vulnerabilities
A

C. Review the company’s current security baseline

E. Run an exploitation framework to confirm vulnerabilities

158
Q
  1. Joe recently assumed the role of data custodian for this organization. While
    cleaning out an unused storage safe, he discovers several hard drives that are
    labeled “unclassified” and awaiting destruction. The hard drives are obsolete and
    cannot be installed in any of his current computing equipment.
    Which of the following is the BEST method for disposing of the hard drives?
    • A. Burning
    • B. Wiping
    • C. Purging
    • D. Pulverizing
A

D. Pulverizing

159
Q
  1. Students at a residence hall are reporting Internet connectivity issues. The
    university’s network administrator configured the residence hall’s network to
    provide public IP addresses to all connected devices, but many student devices
    are receiving private IP addresses due to rogue devices. The network
    administrator verifies the residence hall’s network is correctly configured and
    contacts the security administrator for help.
    Which of the following configurations should the security administrator suggest
    for implementation?
    • A. Router ACLs
    • B. BPDU guard
    • C. Flood guard
    • D. DHCP snooping
A

D. DHCP snooping

160
Q
39. Which of the following is a technical preventive control?
• A. Two-factor authentication
• B. DVR-supported cameras
• C. Acceptable-use MOTD
• D. Syslog server
A

A. Two-factor authentication

161
Q
  1. A security administrator is performing a risk assessment on a legacy WAP
    with a WEP-enabled wireless infrastructure.
    Which of the following should be implemented to harden the infrastructure
    without upgrading the WAP?
    • A. Implement WPA and TKIP
    • B. Implement WPS and an eight-digit pin
    • C. Implement WEP and RC4
    • D. Implement WPA2 Enterprise
A

D. Implement WPA2 Enterprise

162
Q
  1. A systems administrator is installing a new server in a large datacenter.
    Which of the following BEST describes the importance of properly positioning
    servers in the rack to maintain availability?
    • A. To allow for visibility of the servers’ status indicators
    • B. To adhere to cable management standards
    • C. To maximize the fire suppression system’s efficiency
    • D. To provide consistent air flow
A

D. To provide consistent air flow

163
Q
  1. A Chief Information Security Officer (CISO) asks the security architect to
    design a method for contractors to access the company’s internal network
    securely without allowing access to systems beyond the scope of their project.
    Which of the following methods would BEST fit the needs of the CISO?
    • A. VPN
    • B. PaaS
    • C. IaaS
    • D. VDI
A

A. VPN

164
Q
  1. To get the most accurate results on the security posture of a system, which of
    the following actions should the security analyst do prior to scanning?
    • A. Log all users out of the system
    • B. Patch the scanner
    • C. Reboot the target host
    • D. Update the web plugins
A

B. Patch the scanner

165
Q
  1. While investigating a virus infection, a security analyst discovered the
    following on an employee laptop:
    ✑ Multiple folders containing a large number of newly released movies and music files
    ✑ Proprietary company data
    ✑ A large amount of PHI data
    ✑ Unapproved FTP software
    ✑ Documents that appear to belong to a competitor
    Which of the following should the analyst do FIRST?
    • A. Contact the legal and compliance department for guidance
    • B. Delete the files, remove the FTP software, and notify management
    • C. Back up the files and return the device to the user
    • D. Wipe and reimage the device
A

A. Contact the legal and compliance department for guidance

166
Q
  1. Which of the following penetration testing concepts is an attacker MOST
    interested in when placing the path of a malicious file in the
    Windows/CurrentVersion/Run registry key?
    • A. Persistence
    • B. Pivoting
    • C. Active reconnaissance
    • D. Escalation of privilege
A

D. Escalation of privilege

167
Q
  1. An organization has an account management policy that defines parameters
    around each type of account. The policy specifies different security attributes,
    such as longevity, usage auditing, password complexity, and identity proofing.
    The goal of the account management policy is to ensure the highest level of
    security while providing the greatest availability without compromising data
    integrity for users.
    Which of the following account types should the policy specify for service
    technicians from corporate partners?
    • A. Guest account
    • B. User account
    • C. Shared account
    • D. Privileged user account
    • E. Default account
    • F. Service account
A

D. Privileged user account

168
Q
  1. A security analyst is implementing PKI-based functionality to a web
    application that has the following requirements:
    ✑ File contains certificate information
    ✑ Certificate chains
    ✑ Root authority certificates
    ✑ Private key
    All of these components will be part of one file and cryptographically protected
    with a password. Given this scenario, which of the following certificate types
    should the analyst implement to BEST meet these requirements?
    • A. .pfx certificate
    • B. .cer certificate
    • C. .der certificate
    • D. .crt certificate
A

A. .pfx certificate

169
Q
48. Which of the following encryption algorithms is used primarily to secure data 
at rest?
• A. AES
• B. SSL
• C. TLS
• D. RSA
A

A. AES

170
Q
  1. A security auditor is performing a vulnerability scan to find out if mobile
    applications used in the organization are secure. The auditor discovers that one
    application has been accessed remotely with no legitimate account credentials.
    After investigating, it seems the application has allowed some users to bypass
    authentication of that application.
    Which of the following types of malware allow such a compromise to take place?
    (Choose two.)
    • A. RAT
    • B. Ransomware
    • C. Worm
    • D. Trojan
    • E. Backdoor
A

A. RAT

E. Backdoor

171
Q
  1. An organization electronically processes sensitive data within a controlled
    facility. The Chief Information Security Officer (CISO) wants to limit emissions
    from emanating from the facility.
    Which of the following mitigates this risk?
    • A. Upgrading facility cabling to a higher standard of protected cabling to reduce the
    likelihood of emission spillage
    • B. Hardening the facility through the use of secure cabinetry to block emissions
    • C. Hardening the facility with a Faraday cage to contain emissions produced from data
    processing
    • D. Employing security guards to ensure unauthorized personnel remain outside of the
    facility
A

C. Hardening the facility with a Faraday cage to contain emissions produced from data
processing

172
Q
  1. As part of a corporate merger, two companies are combining resources. As a
    result, they must transfer files through the Internet in a secure manner.
    Which of the following protocols would BEST meet this objective? (Choose two.)
    • A. LDAPS
    • B. SFTP
    • C. HTTPS
    • D. DNSSEC
    • E. SRTP
A

B. SFTP

C. HTTPS

173
Q
  1. A company is deploying a file-sharing protocol across a network and needs to
    select a protocol for authenticating clients. Management requests that the service
    be configured in the most secure way possible. The protocol must also be
    capable of mutual authentication, and support SSO and smart card logons.
    Which of the following would BEST accomplish this task?
    • A. Store credentials in LDAP
    • B. Use NTLM authentication
    • C. Implement Kerberos
    • D. Use MSCHAP authentication
A

C. Implement Kerberos

174
Q
  1. A company wants to provide centralized authentication for its wireless
    system. The wireless authentication system must integrate with the directory
    back end.
    Which of the following is an AAA solution that will provide the required wireless
    authentication?
    • A. TACACS+
    • B. MSCHAPv2
    • C. RADIUS
    • D. LDAP
A

C. RADIUS

175
Q
  1. An incident response analyst at a large corporation is reviewing proxy log
    data. The analyst believes a malware infection may have occurred. Upon further
    review, the analyst determines the computer responsible for the suspicious
    network traffic is used by the Chief Executive Officer (CEO).
    Which of the following is the best NEXT step for the analyst to take?
    • A. Call the CEO directly to ensure awareness of the event
    • B. Run a malware scan on the CEO’s workstation
    • C. Reimage the CEO’s workstation
    • D. Disconnect the CEO’s workstation from the network
A

D. Disconnect the CEO’s workstation from the network

176
Q
  1. A law office has been leasing dark fiber from a local telecommunications
    company to connect a remote office to company headquarters. The
    telecommunications company has decided to discontinue its dark fiber product
    and is offering an MPLS connection, which the law office feels is too expensive.
    Which of the following is the BEST solution for the law office?
    • A. Remote access VPN
    • B. VLAN
    • C. VPN concentrator
    • D. Site-to-site VPN
A

D. Site-to-site VPN

177
Q
  1. An analyst is part of a team that is investigating a potential breach of sensitive
    data at a large financial services organization. The organization suspects a
    breach occurred when proprietary data was disclosed to the public. The team
    finds servers were accessed using shared credentials that have been in place for
    some time. In addition, the team discovers undocumented firewall rules, which
    provided unauthorized external access to a server. Suspecting the activities of a
    malicious insider threat, which of the following was MOST likely to have been
    utilized to exfiltrate the proprietary data?
    • A. Keylogger
    • B. Botnet
    • C. Crypto-malware
    • D. Backdoor
    • E. Ransomware
    • F. DLP
A

D. Backdoor

178
Q
  1. An organization is providing employees on the shop floor with computers that
    will log their time based on when they sign on and off the network.
    Which of the following account types should the employees receive?
    • A. Shared account
    • B. Privileged account
    • C. User account
    • D. Service account
A

C. User account

179
Q
  1. An employee in the finance department receives an email, which appears to
    come from the Chief Financial Officer (CFO), instructing the employee to
    immediately wire a large sum of money to a vendor.
    Which of the following BEST describes the principles of social engineering used?
    (Choose two.)
    • A. Familiarity
    • B. Scarcity
    • C. Urgency
    • D. Authority
    • E. Consensus
A

C. Urgency

D. Authority

180
Q
  1. A security administrator has replaced the firewall and notices a number of
    dropped connections. After looking at the data the security administrator sees
    the following information that was flagged as a possible issue: “SELECT * FROM”
    and “'1'='1'”
    Which of the following can the security administrator determine from this?
    • A. An SQL injection attack is being attempted
    • B. Legitimate connections are being dropped
    • C. A network scan is being done on the system
    • D. An XSS attack is being attempted
A

A. An SQL injection attack is being attempted

181
Q
  1. A penetration testing team deploys a specifically crafted payload to a web
    server, which results in opening a new session as the web server daemon. This
    session has full read/write access to the file system and the admin console.
    Which of the following BEST describes the attack?
    • A. Domain hijacking
    • B. Injection
    • C. Buffer overflow
    • D. Privilege escalation
A

D. Privilege escalation