All questions Flashcards

1
Q
246. An email recipient is unable to open a message encrypted through PKI that 
was sent from another organization.
Which of the following does the recipient need to decrypt the message?
• A. The sender's private key
• B. The recipient's private key
• C. The recipient's public key
• D. The CA's root certificate
• E. The sender's public key
• F. An updated CRL
A

Correct Answer: E

2
Q
245. A security administrator found the following piece of code referenced on a 
domain controller's task scheduler:
$var = GetDomainAdmins
If $var != 'fabio'
SetDomainAdmins = NULL
With which of the following types of malware is the code associated?
• A. RAT
• B. Backdoor
• C. Logic bomb
• D. Crypto-malware
A

Correct Answer: C

3
Q
244. Which of the following is the proper use of a Faraday cage?
• A. To block electronic signals sent to erase a cell phone
• B. To capture packets sent to a honeypot during an attack
• C. To protect hard disks from access during a forensics investigation
• D. To restrict access to a building allowing only one person to enter at a time
A

Correct Answer: A

4
Q
243. In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages?
• A. To provide emanation control to prevent credential harvesting
• B. To minimize signal attenuation over distances to maximize signal strength
• C. To minimize external RF interference with embedded processors
• D. To protect the integrity of audit logs from malicious alteration
A

Correct Answer: C

5
Q
242. A security professional wants to test a piece of malware that was isolated on a user’s computer to document its effect on a system.
Which of the following is the FIRST step the security professional should take?
• A. Create a sandbox on the machine.
• B. Open the file and run it.
• C. Create a secure baseline of the system state.
• D. Harden the machine.
A

Correct Answer: C

6
Q
241. The exploitation of a buffer-overrun vulnerability in an application will MOST likely lead to:
• A. arbitrary code execution.
• B. resource exhaustion.
• C. exposure of authentication credentials.
• D. dereferencing of memory pointers.
A

Correct Answer: A

7
Q
240. Using a one-time code that has been texted to a smartphone is an example 
of:
• A. something you have.
• B. something you know.
• C. something you do.
• D. something you are.
A

Correct Answer: A

8
Q
239. Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan?
• A. A credentialed scan sees devices in the network, including those behind NAT, while a non-credentialed scan sees outward-facing applications.
• B. A credentialed scan will not show up in system logs because the scan is running with the necessary authorization, while non-credentialed scan activity will appear in the logs.
• C. A credentialed scan generates significantly more false positives, while a non-credentialed scan generates fewer false positives.
• D. A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.
A

Correct Answer: D

9
Q
238. A first responder needs to collect digital evidence from a compromised headless virtual host.
Which of the following should the first responder collect FIRST?
• A. Virtual memory
• B. BIOS configuration
• C. Snapshot
• D. RAM
A

Correct Answer: C

10
Q
237. An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner.
Which of the following would be the MOST secure setup that conforms to the organization’s requirements?
• A. Enable WPA2-PSK for older clients and WPA2-Enterprise for all other clients.
• B. Enable WPA2-PSK, disable all other modes, and implement MAC filtering along with port security.
• C. Use WPA2-Enterprise with RADIUS and disable pre-shared keys.
• D. Use WPA2-PSK with a 24-character complex password and change the password monthly.
A

Correct Answer: C

11
Q
236. Which of the following serves to warn users against downloading and installing pirated software on company devices?
• A. AUP
• B. NDA
• C. ISA
• D. BPA
A

Correct Answer: A

12
Q
235. A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening. The analyst receives the following output:
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
Which of the following types of attack is the analyst seeing?
• A. Buffer overflow
• B. Domain hijacking
• C. Denial of service
• D. ARP poisoning
A

Correct Answer: C

13
Q
234. Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system?
• A. Regulatory requirements
• B. Secure configuration guide
• C. Application installation guides
• D. User manuals
A

Correct Answer: B

14
Q
233. A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach:
Given the line of code above, which of the following BEST represents the attack performed during the breach?
• A. CSRF
• B. DDoS
• C. DoS
• D. XSS
A

Correct Answer: D

15
Q
232. An organization is concerned about video emissions from users’ desktops.
Which of the following is the BEST solution to implement?
• A. Screen filters
• B. Shielded cables
• C. Spectrum analyzers
• D. Infrared detection
A

Correct Answer: A

16
Q
231. Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management?
• A. Cross-functional teams
• B. Rapid deployments
• C. Daily standups
• D. Peer review
• E. Creating user stories
A

Correct Answer: C

17
Q
230. A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following:
reset both: 70.32.200.2:3194 -> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 -> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 -> 10.4.100.4:80 Blind SQL injection attack
Which of the following should the systems administrator report back to management?
• A. The company web server was attacked by an external source, and the NIPS blocked the attack.
• B. The company web and SQL servers suffered a DoS caused by a misconfiguration of the NIPS.
• C. An external attacker was able to compromise the SQL server using a vulnerable web application.
• D. The NIPS should move from an inline mode to an out-of-band mode to reduce network latency.
A

Correct Answer: A

18
Q
229. A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance.
Which of the following is the best NEXT step for the company to take?
• A. Consult data disposition policies in the contract.
• B. Use a pulper or pulverizer for data destruction.
• C. Retain the data for a period no more than one year.
• D. Burn hard copies containing PII or PHI.
A

Correct Answer: A

19
Q
228. A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic.
Which of the following should be used for the IDS implementation?
• A. Network tap
• B. Honeypot
• C. Aggregation
• D. Port mirror
A

Correct Answer: A

20
Q
227. A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee’s position.
Which of the following practices would BEST help to prevent this situation in the future?
• A. Mandatory vacation
• B. Separation of duties
• C. Job rotation
• D. Exit interviews
A

Correct Answer: C

21
Q
226. After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach.
Which of the following steps in the incident response process has the administrator just completed?
• A. Containment
• B. Eradication
• C. Recovery
• D. Identification
A

Correct Answer: B

22
Q
225. Which of the following is the MOST likely motivation for a script kiddie threat 
actor?
• A. Financial gain
• B. Notoriety
• C. Political expression
• D. Corporate espionage
A

Correct Answer: B

23
Q
224. An administrator is disposing of media that contains sensitive information.
Which of the following will provide the MOST effective method to dispose of the media while ensuring the data will be unrecoverable?
• A. Wipe the hard drive.
• B. Shred the hard drive.
• C. Sanitize all of the data.
• D. Degauss the hard drive.
A

Correct Answer: B

24
Q
223. An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues.
Which of the following should a security engineer employ to fulfill the requirements for the manager?
• A. Install a web application firewall.
• B. Install HIPS on the team’s workstations.
• C. Implement containerization on the workstations.
• D. Configure whitelisting for the team.
A

Correct Answer: C

25
Q
222. A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates.
Which of the following should the technician implement?
• A. Snapshots
• B. Revert to known state
• C. Rollback to known configuration
• D. Shadow copy
A

Correct Answer: A

26
Q
221. While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443.
Which of the following protocols would MOST likely cause this traffic?
• A. HTTP
• B. SSH
• C. SSL
• D. DNS
A

Correct Answer: C

27
Q
220. During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol.
Which of the following protocols should be implemented?
• A. SSH2
• B. TLS1.2
• C. SSL1.3
• D. SNMPv3
A

Correct Answer: B

28
Q
219. An organization's IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization's web servers.
Given the organization's stated priorities, which of the following would be the NEXT step?
• A. Remove the affected servers from the network.
• B. Review firewall and IDS logs to identify possible source IPs.
• C. Identify and apply any missing operating system and software patches.
• D. Delete the malicious software and determine if the servers must be reimaged.
A

Correct Answer: B

29
Q
218. An attacker has obtained the user ID and password of a datacenter's backup operator and has gained access to a production system.
Which of the following would be the attacker's NEXT action?
• A. Perform a passive reconnaissance of the network.
• B. Initiate a confidential data exfiltration process.
• C. Look for known vulnerabilities to escalate privileges.
• D. Create an alternate user ID to maintain persistent access.
A

Correct Answer: B

30
Q
217. A company recently installed fingerprint scanners at all entrances to increase the facility's security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry.
Which of the following measurements do these users fall under?
• A. FRR
• B. FAR
• C. CER
• D. SLA
A

Correct Answer: A

31
Q
216. Which of the following represents a multifactor authentication system?
• A. An iris scanner coupled with a palm print reader and fingerprint scanner with liveness detection.
• B. A secret passcode that prompts the user to enter a secret key if entered correctly.
• C. A digital certificate on a physical token that is unlocked with a secret passcode.
• D. A one-time password token combined with a proximity badge.
A

Correct Answer: C

32
Q
215. An organization's policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevent users from using any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has been detected for that separate system. Account login has been detected for users who are on vacation.
Which of the following BEST describes what is happening?
• A. Some users are meeting password complexity requirements but not password length requirements.
• B. The password history enforcement is insufficient, and old passwords are still valid across many different systems.
• C. Some users are reusing passwords, and some of the compromised passwords are valid on multiple systems.
• D. The compromised password file has been brute-force hacked, and the complexity requirements are not adequate to mitigate this risk.
A

Correct Answer: D

33
Q
214. A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model.
Which of the following is the BEST solution?
• A. On-premises hosting
• B. Community cloud
• C. Hosted infrastructure
• D. Public SaaS
A

Correct Answer: D

34
Q
213. The Chief Information Officer (CIO) has determined the company's new PKI will not use OCSP. The purpose of OCSP still needs to be addressed.
Which of the following should be implemented?
• A. Build an online intermediate CA.
• B. Implement a key escrow.
• C. Implement stapling.
• D. Install a CRL.
A

Correct Answer: D

35
Q
212. Which of the following is a security consideration for IoT devices?
• A. IoT devices have built-in accounts that users rarely access.
• B. IoT devices have less processing capabilities.
• C. IoT devices are physically segmented from each other.
• D. IoT devices have purpose-built applications.
A

Correct Answer: A

36
Q
211. An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly.
Which of the following is the BEST way for the organization to integrate with the cloud application?
• A. Upload a separate list of users and passwords with a batch import.
• B. Distribute hardware tokens to the users for authentication to the cloud.
• C. Implement SAML with the organization's server acting as the identity provider.
• D. Configure a RADIUS federation between the organization and the cloud provider.
A

Correct Answer: D

37
Q
210. An attacker has gathered information about a company employee by obtaining publicly available information from the Internet and social networks.
Which of the following types of activity is the attacker performing?
• A. Pivoting
• B. Exfiltration of data
• C. Social engineering
• D. Passive reconnaissance
A

Correct Answer: D

38
Q
209. A company is examining possible locations for a hot site.
Which of the following considerations is of MOST concern if the replication technology being used is highly sensitive to network latency?
• A. Connection to multiple power substations
• B. Location proximity to the production site
• C. Ability to create separate caged space
• D. Positioning of the site across international borders
A

Correct Answer: B

39
Q
208. A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with.
Which of the following MOST accurately describes the security risk presented in this situation?
• A. Hardware root of trust
• B. UEFI
• C. Supply chain
• D. TPM
• E. Crypto-malware
• F. ARP poisoning
A

Correct Answer: C

40
Q
207. A company is experiencing an increasing number of systems that are locking up on Windows startup. The security analyst clones a machine, enters into safe mode, and discovers a file in the startup process that runs Wstart.bat.
@echo off
:asdhbawdhbasdhbawdhb
start notepad.exe
start notepad.exe
start calculator.exe
start calculator.exe
goto asdhbawdhbasdhbawdhb
Given the file contents and the system's issues, which of the following types of malware is present?
• A. Rootkit
• B. Logic bomb
• C. Worm
• D. Virus
A

Correct Answer: B

41
Q
206. A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain.
Which of the following is a secure solution that is the MOST cost effective?
• A. Create and install a self-signed certificate on each of the servers in the domain.
• B. Purchase a load balancer and install a single certificate on the load balancer.
• C. Purchase a wildcard certificate and implement it on every server.
• D. Purchase individual certificates and apply them to the individual servers.
A

Correct Answer: A

42
Q
205. The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success.
Which of the following security concerns is this MOST likely an example of?
• A. Insider threat
• B. Social engineering
• C. Passive reconnaissance
• D. Phishing
A

Correct Answer: B

43
Q
204. A company moved into a new building next to a sugar mill. Cracks have been discovered in the walls of the server room, which is located on the same side as the sugar mill loading docks. The cracks are believed to have been caused by heavy trucks. Moisture has begun to seep into the server room, causing extreme humidification problems and equipment failure.
Which of the following BEST describes the type of threat the organization faces?
• A. Foundational
• B. Man-made
• C. Environmental
• D. Natural
A

Correct Answer: A

44
Q
203. A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would.
Which of the following would BEST enable the analyst to complete the objective?
• A. Perform a non-credentialed scan.
• B. Conduct an intrusive scan.
• C. Attempt escalation of privilege.
• D. Execute a credentialed scan.
A

Correct Answer: A

45
Q
202. Which of the following is an example of federated access management?
• A. Windows passing user credentials on a peer-to-peer network
• B. Applying a new user account with a complex password
• C. Implementing a AAA framework for network access
• D. Using a popular website login to provide access to another website
A

Correct Answer: D

46
Q
201. Which of the following is unique to a stream cipher?
• A. It encrypts 128 bytes at a time.
• B. It uses AES encryption.
• C. It performs bit-level encryption.
• D. It is used in HTTPS.
A

Correct Answer: C

47
Q
200. A systems developer needs to provide a machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day.
Which of the following access control account practices would BEST be used in this situation?
• A. Establish a privileged interface group and apply read-write permission to the members of that group.
• B. Submit a request for account privilege escalation when the data needs to be transferred.
• C. Install the application and database on the same server and add the interface to the local administrator group.
• D. Use a service account and prohibit users from accessing this account for development work.
A

Correct Answer: D

48
Q
199. A security administrator needs to conduct a full inventory of all encryption protocols and cipher suites.
Which of the following tools will the security administrator use to conduct this inventory MOST efficiently?
• A. tcpdump
• B. Protocol analyzer
• C. Netstat
• D. Nmap
A

Correct Answer: D

49
Q
198. Which of the following command line tools would be BEST to identify the services running in a server?
• A. traceroute
• B. nslookup
• C. ipconfig
• D. netstat
A

Correct Answer: D

50
Q
197. A security administrator is investigating a possible account compromise. The administrator logs onto a desktop computer, executes the command notepad.exe c:\Temp\qkakforlkgfkja.log, and reviews the following:
Lee,\rI have completed the task that was assigned to me\rrespectfully\rJohn\r https://www.portal.com\rjohnuser\rilovemycat2
Given the above output, which of the following is the MOST likely cause of this compromise?
• A. Virus
• B. Worm
• C. Rootkit
• D. Keylogger
A

Correct Answer: D

51
Q
196. Which of the following is MOST likely caused by improper input handling?
• A. Loss of database tables
• B. Untrusted certificate warning
• C. Power off reboot loop
• D. Breach of firewall ACLs
A

Correct Answer: A

52
Q
195. A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener.
Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.)
• A. tcpdump
• B. nc
• C. nmap
• D. nslookup
• E. tail
• F. tracert
A

Correct Answer: B, C

53
Q
194. A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry:
#Whitelist USB\VID_13FE&PID_4127&REV_0100
Which of the following security technologies is MOST likely being configured?
• A. Application whitelisting
• B. HIDS
• C. Data execution prevention
• D. Removable media control
A

Correct Answer: D

54
Q
193. A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management.
Which of the following would be the BEST solution for the CIO to implement?
• A. HSM
• B. CA
• C. SSH
• D. SSL
A

Correct Answer: A

55
Q
192. Which of the following provides PFS?
• A. AES
• B. RC4
• C. DHE
• D. HMAC
A

Correct Answer: C

56
Q
191. A security administrator is investigating a report that a user is receiving suspicious emails. The user's machine has an old functioning modem installed.
Which of the following security concerns need to be identified and mitigated? (Choose two.)
• A. Vishing
• B. Whaling
• C. Spear phishing
• D. Pharming
• E. War dialing
• F. Hoaxing
A

Correct Answer: E, F

57
Q
190. A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components.
Which of the following should the technician use to validate this assumption? (Choose two.)
• A. PEM
• B. CER
• C. SCEP
• D. CRL
• E. OCSP
• F. PFX
A

Correct Answer: D, E (CRL and OCSP)

58
Q
189. A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access.
Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology?
• A. Rogue system detection
• B. Honeypots
• C. Next-generation firewall
• D. Penetration test
A

Correct Answer: B

59
Q
188. An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models.
Which of the following deployment models should the organization use to BEST meet these requirements?
• A. VDI environment
• B. CYOD model
• C. DAC mode
• D. BYOD model
A

Correct Answer: B (CYOD: choose your own device)

60
Q
187. Given the information below:
MD5HASH document.doc 049eab40fd36caad1fab10b3cdf4a883 [1]
Which of the following concepts are described above? (Choose two.)
• A. Salting
• B. Collision
• C. Steganography
• D. Hashing
• E. Key stretching
A

Correct Answer: B, D

61
Q
186. A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output:
Time: 12/25 0300
From Zone: Untrust
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
When examining the PCAP associated with the event, the security administrator finds the following information:
alert ("Click here for important information regarding your account! http://externalip.com/account.php"); script>
Which of the following actions should the security administrator take?
• A. Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic.
• B. Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events.
• C. Implement a host-based firewall rule to block future events of this type from occurring.
• D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts.
A

Correct Answer: B

62
Q
185. A systems administrator has installed a new UTM that is capable of inspecting SSL/TLS traffic for malicious payloads. All inbound network traffic coming from the Internet and terminating on the company's secure web servers must be inspected.
Which of the following configurations would BEST support this requirement?
• A. The web servers' CA full certificate chain must be installed on the UTM.
• B. The UTM certificate pair must be installed on the web servers.
• C. The web servers' private certificate must be installed on the UTM.
• D. The UTM and web servers must use the same certificate authority.
A

Correct Answer: A

63
Q
184. A preventive control differs from a compensating control in that a preventive control is:
• A. put in place to mitigate a weakness in a user control.
• B. deployed to supplement an existing control that is EOL.
• C. relied on to address gaps in the existing control structure.
• D. designed to specifically mitigate a risk.
A

Correct Answer: C

64
Q
183. Which of the following encryption algorithms require one encryption key? (Choose two.)
• A. MD5
• B. 3DES
• C. BCRYPT
• D. RC4
• E. DSA
A

Correct Answer: B, D

65
Q
182. A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN.
Which of the following would provide the required level of authentication?
• A. 802.1X and OTP
• B. Fingerprint scanner and voice recognition
• C. RBAC and PIN
• D. Username/Password and TOTP
A

Correct Answer: A

66
Q
181. A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM.
Which of the following is the administrator protecting against?
• A. VM sprawl: Virtualization sprawl is a phenomenon that occurs when the number of virtual machines (VMs) on a network reaches a point where administrators can no longer manage them effectively. Virtualization sprawl is also referred to as virtual machine sprawl, VM sprawl or virtual server sprawl.
• B. VM escape: Virtual machine escape is an exploit in which the attacker runs code on a VM that allows an operating system running within it to break out and interact directly with the hypervisor. Such an exploit could give the attacker access to the host operating system and all other virtual machines (VMs) running on that host.
• C. VM migration: Virtual machine migration is the task of moving a virtual machine from one physical hardware environment to another. It is part of managing hardware virtualization systems and is something that providers look at as they offer virtualization services. Virtual machine migration is also known as teleportation.
• D. VM sandboxing: When something is put in a sandbox environment, it's essentially in a virtual machine that's isolated from the rest of the endpoint.
A

Correct Answer: B

67
Q
180. Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as:
• A. pivoting.
• B. persistence.
• C. active reconnaissance.
• D. a backdoor.
A

Correct Answer: B

68
Q
179. A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used.
Which of the following network types would BEST help the administrator gather this information?
• A. DMZ
• B. Guest network
• C. Ad hoc
• D. Honeynet
A

Correct Answer: D

69
Q
178. An organization's research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department.
Which of the following should management do to improve the security and confidentiality of the research files?
• A. Implement multifactor authentication on the workstations.
• B. Configure removable media controls on the workstations.
• C. Install a web application firewall in the research department.
• D. Install HIDS on each of the research workstations.
A

Correct Answer: B

177. A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on the systems? • A. 135 • B. 137 • C. 3389 • D. 5060
B. 137
176. While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls. Which of the following would provide a technical control to prevent this activity from occurring? • A. Set password aging requirements. • B. Increase the password history from three to five. • C. Create an AUP that prohibits password reuse. • D. Implement password complexity requirements.
A. Set password aging requirements.
175. Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning? • A. One uses credentials, but the other does not. • B. One has a higher potential for disrupting system operations. • C. One allows systems to activate firewall countermeasures. • D. One returns service banners, including running versions.
B. One has a higher potential for disrupting system operations.
174. Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely? • A. Air gap • B. Secure cabinet • C. Faraday cage • D. Safe
C. Faraday cage
173. A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO's list? • A. Identify redundant and high-availability systems. • B. Identify mission-critical applications and systems. • C. Identify the single point of failure in the system. • D. Identify the impact on the safety of the property.
B. Identify mission-critical applications and systems.
172. Which of the following BEST explains how the use of configuration templates reduces organization risk? • A. It ensures consistency of configuration for initial system implementation. • B. It enables system rollback to a last known-good state if patches break functionality. • C. It facilitates fault tolerance since applications can be migrated across templates. • D. It improves vulnerability scanning efficiency across multiple systems.
A. It ensures consistency of configuration for initial system implementation.
171. A security technician has been assigned data destruction duties. The hard drives that are being disposed of contain highly sensitive information. Which of the following data destruction techniques is MOST appropriate? • A. Degaussing • B. Purging • C. Wiping • D. Shredding
D. Shredding
170. Which of the following implements a stream cipher? • A. File-level encryption • B. IKEv2 exchange • C. SFTP data transfer • D. S/MIME encryption
D. S/MIME encryption
169. A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements: ✑ Ensure confidentiality at rest. ✑ Ensure the integrity of the original email message. Which of the following controls would ensure these data security requirements are carried out? • A. Encrypt and sign the email using S/MIME. • B. Encrypt the email and send it using TLS. • C. Hash the email using SHA-1. • D. Sign the email using MD5.
A. Encrypt and sign the email using S/MIME.
168. Which of the following BEST describes the purpose of authorization? • A. Authorization provides logging to a resource and comes after authentication. • B. Authorization provides authentication to a resource and comes after identification. • C. Authorization provides identification to a resource and comes after authentication. • D. Authorization provides permissions to a resource and comes after authentication.
D. Authorization provides permissions to a resource and comes after authentication.
167. A security administrator is implementing a secure method that allows developers to place files or objects onto a Linux server. Developers are required to log in using a username, password, and asymmetric key. Which of the following protocols should be implemented? • A. SSL/TLS • B. SFTP • C. SRTP • D. IPSec
B. SFTP
166. A manager makes an unannounced visit to the marketing department and performs a walk-through of the office. The manager observes unclaimed documents on printers. A closer look at these documents reveals employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors. The manager brings this to the attention of the marketing department head. The manager believes this information to be PII, but the marketing head does not agree. Having reached a stalemate, which of the following is the MOST appropriate action to take NEXT? • A. Elevate to the Chief Executive Officer (CEO) for redress; change from the top down usually succeeds. • B. Find the privacy officer in the organization and let the officer act as the arbiter. • C. Notify employees whose names are on these files that their personal information is being compromised. • D. To maintain a working relationship with marketing, quietly record the incident in the risk register.
B. Find the privacy officer in the organization and let the officer act as the arbiter.
165. An organization wants to deliver streaming audio and video from its home office to remote locations all over the world. It wants the stream to be delivered securely and protected from intercept and replay attacks. Which of the following protocols is BEST suited for this purpose? • A. SSH • B. SIP • C. S/MIME • D. SRTP
D. SRTP - Secure Real-time Transport Protocol. Two protocols specifically designed to be used with SRTP are ZRTP and MIKEY.
164. A security administrator is investigating many recent incidents of credential theft for users accessing the company's website, despite the hosting web server requiring HTTPS for access. The server's logs show the website leverages the HTTP POST method for carrying user authentication details. Which of the following is the MOST likely reason for compromise? • A. The HTTP POST method is not protected by HTTPS. • B. The web server is running a vulnerable SSL configuration. • C. The HTTP response is susceptible to sniffing. • D. The company doesn't support DNSSEC.
A. The HTTP POST method is not protected by HTTPS.
163. A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks? • A. MD5 • B. 3DES • C. AES • D. SHA-1
D. SHA-1
162. An organization wants to ensure network access is granted only after a user or device has been authenticated. Which of the following should be used to achieve this objective for both wired and wireless networks? • A. CCMP • B. PKCS#12 • C. IEEE 802.1X • D. OCSP
C. IEEE 802.1X
161. An organization has air gapped a critical system. Which of the following BEST describes the type of attacks that are prevented by this security measure? • A. Attacks from another local network segment • B. Attacks exploiting USB drives and removable media • C. Attacks that spy on leaked emanations or signals • D. Attacks that involve physical intrusion or theft
A. Attacks from another local network segment
160. A Chief Information Security Officer (CISO) has instructed the information assurance staff to act upon a fast-spreading virus. Which of the following steps in the incident response process should be taken NEXT? • A. Identification • B. Eradication • C. Escalation • D. Containment
A. Identification
159. The Chief Information Security Officer (CISO) in a company is working to maximize protection efforts of sensitive corporate data. The CISO implements a "100% shred" policy within the organization, with the intent to destroy any documentation that is not actively in use in a way that it cannot be recovered or reassembled. Which of the following attacks is this deterrent MOST likely to mitigate? • A. Dumpster diving • B. Whaling • C. Shoulder surfing • D. Vishing
A. Dumpster diving
158. A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file? • A. Exploitation framework • B. Vulnerability scanner • C. Netcat • D. Password cracker
D. Password cracker
157. When used together, which of the following qualify as two-factor authentication? • A. Password and PIN • B. Smart card and PIN • C. Proximity card and smart card • D. Fingerprint scanner and iris scanner
B. Smart card and PIN
156. A network technician is designing a network for a small company. The network technician needs to implement an email server and web server that will be accessed by both internal employees and external customers. Which of the following would BEST secure the internal network and allow access to the needed servers? • A. Implementing a site-to-site VPN for server access. • B. Implementing a DMZ segment for the server. • C. Implementing NAT addressing for the servers. • D. Implementing a sandbox to contain the servers.
B. Implementing a DMZ segment for the server.
155. Which of the following identity access methods creates a cookie on the first login to a central authority to allow logins to subsequent applications without reentering credentials? • A. Multifactor authentication • B. Transitive trust • C. Federated access • D. Single sign-on
D. Single sign-on
154. An application developer has neglected to include input validation checks in the design of the company's new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code, to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack? • A. Cross-site scripting • B. Clickjacking • C. Buffer overflow • D. Replay
C. Buffer overflow
153. A developer has incorporated routines into the source code for controlling the length of the input passed to the program. Which of the following types of vulnerabilities is the developer protecting the code against? • A. DLL injection • B. Memory leak • C. Buffer overflow • D. Pointer dereference
C. Buffer overflow
152. An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Choose two.) • A. Mandatory access control • B. Discretionary access control • C. Rule-based access control • D. Role-based access control • E. Attribute-based access control
Correct Answer: AC - A. Mandatory access control | C. Rule-based access control
151. Joe, a user, reports to the help desk that he can no longer access any documents on his PC. He states that he saw a window appear on the screen earlier, but he closed it without reading it. Upon investigation, the technician sees high disk activity on Joe's PC. Which of the following types of malware is MOST likely indicated by these findings? • A. Keylogger • B. Trojan • C. Rootkit • D. Crypto-malware
D. Crypto-malware
150. A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company's required desktop applications. Which of the following describes the BEST deployment method to meet these requirements? • A. IaaS • B. VM sprawl • C. VDI • D. PaaS
C. VDI
149. Management wants to ensure any sensitive data on company-provided cell phones is isolated in a single location that can be remotely wiped if the phone is lost. Which of the following technologies BEST meets this need? • A. Geofencing • B. Containerization • C. Device encryption • D. Sandboxing
B. Containerization
148. A systems administrator needs to integrate multiple IoT and small embedded devices into the company's wireless network securely. Which of the following should the administrator implement to ensure low-power and legacy devices can connect to the wireless network? • A. WPS • B. WPA • C. EAP-FAST • D. 802.1X
A. WPS
147. Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on limited information obtained from service banners? • A. False positive • B. Passive reconnaissance • C. Access violation • D. Privilege escalation
A. False positive
146. A recent penetration test revealed several issues with a public-facing website used by customers. The testers were able to: ✑ Enter long lines of code and special characters ✑ Crash the system ✑ Gain unauthorized access to the internal application server ✑ Map the internal network The development team has stated they will need to rewrite a significant portion of the code used, and it will take more than a year to deliver the finished product. Which of the following would be the BEST solution to introduce in the interim? • A. Content filtering • B. WAF • C. TLS • D. IPS/IDS • E. UTM
E. UTM - Unified threat management (UTM) describes an information security (infosec) system that provides a single point of protection against threats, including viruses, worms, spyware and other malware, and network attacks. ... UTM systems combine multiple security features into a single device or software program.
145. Which of the following control types would a backup of server data provide in case of a system issue? • A. Corrective • B. Deterrent • C. Preventive • D. Detective
A. Corrective
144. The Chief Executive Officer (CEO) received an email from the Chief Financial Officer (CFO), asking the CEO to send financial details. The CEO thought it was strange that the CFO would ask for the financial details via email. The email address was correct in the "From" section of the email. The CEO clicked the form and sent the financial information as requested. Which of the following caused the incident? • A. Domain hijacking • B. SPF not enabled • C. MX records rerouted • D. Malicious insider
B. SPF not enabled - Sender Policy Framework (SPF) is a technical standard and email authentication technique that helps protect email senders and recipients from spam, spoofing, and phishing. ... It was designed to supplement SMTP, the basic protocol used to send email, because SMTP does not itself include any authentication mechanisms.
143. Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented? • A. Perfect forward secrecy • B. Ephemeral keys • C. Domain validation • D. Data in transit
D. Data in transit
142. A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO. Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Choose two.) • A. Privileged accounts • B. Password reuse restrictions • C. Password complexity requirements • D. Password recovery • E. Account disablement
Correct Answer: CE
141. A company's IT staff is given the task of securely disposing of 100 server HDDs. The security team informs the IT staff that the data must not be accessible by a third party after disposal. Which of the following is the MOST time-efficient method to achieve this goal? • A. Use a degausser to sanitize the drives. • B. Remove the platters from the HDDs and shred them. • C. Perform a quick format of the HDD drives. • D. Use software to zero fill all of the hard drives.
A. Use a degausser to sanitize the drives.
140. Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet? • A. Design weakness • B. Zero-day • C. Logic bomb • D. Trojan
B. Zero-day
139. A company has critical systems that are hosted on an end-of-life OS. To maintain operations and mitigate potential vulnerabilities, which of the following BEST accomplishes this objective? • A. Use application whitelisting. • B. Employ patch management. • C. Disable the default administrator account. • D. Implement full-disk encryption.
A. Use application whitelisting.
138. A company is performing an analysis of which corporate units are most likely to cause revenue loss in the event the unit is unable to operate. Which of the following is an element of the BIA that this action is addressing? • A. Critical system inventory • B. Single point of failure • C. Continuity of operations • D. Mission-essential functions
A. Critical system inventory
137. Which of the following attackers generally possesses minimal technical knowledge to perform advanced attacks and uses widely available tools as well as publicly available information? • A. Hacktivist • B. White hat hacker • C. Script kiddie • D. Penetration tester
C. Script kiddie
136. An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward? • A. Security configuration baseline • B. Separation of duties • C. AUP • D. NDA
C. AUP
135. A water utility company has seen a dramatic increase in the number of water pumps burning out. A malicious actor was attacking the company and is responsible for the increase. Which of the following systems has the attacker compromised? • A. DMZ • B. RTOS • C. SCADA • D. IoT
C. SCADA
134. A network technician is setting up a new branch for a company. The users at the new branch will need to access resources securely as if they were at the main location. Which of the following networking concepts would BEST accomplish this? • A. Virtual network segmentation • B. Physical network segmentation • C. Site-to-site VPN • D. Out-of-band access • E. Logical VLANs
C. Site-to-site VPN
133. A salesperson often uses a USB drive to save and move files from a corporate laptop. The corporate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop? • A. Antivirus software • B. File integrity check • C. HIPS • D. DLP
D. DLP
323. A security administrator suspects that data on a server has been exfiltrated as a result of unauthorized remote access. Which of the following would assist the administrator in confirming the suspicions? (Select TWO) • A. Network access control • B. DLP alerts • C. Log analysis • D. File integrity monitoring • E. Host firewall rules
Correct Answer: BC
324. A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated. Which of the following options will provide the best performance and availability for both the VoIP traffic, as well as the traffic on the existing data network? • A. Put the VoIP network into a different VLAN than the existing data network. • B. Upgrade the edge switches from 10/100/1000 to improve network speed. • C. Physically separate the VoIP phones from the data network. • D. Implement flood guards on the data network.
A. Put the VoIP network into a different VLAN than the existing data network.
325. A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network. Which of the following could the administrator use to access the server using RDP on a port other than the typical registered port for the RDP protocol? • A. TLS • B. MPLS • C. SCP • D. SSH
A. TLS
326. Which of the following can be used to control specific commands that can be executed on a network infrastructure device? • A. LDAP • B. Kerberos • C. SAML • D. TACACS+
D. TACACS+
327. Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate-based authentication with its users. The company uses an SSL-inspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following models prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication? • A. Use of OATH between the user and the service and attestation from the company domain • B. Use of Active Directory federation between the company and the cloud-based service • C. Use of smartcards that store X.509 keys, signed by a global CA • D. Use of a third-party, SAML-based authentication service for attestation
B. Use of active directory federation between the company and the cloud-based service
1. A company has a data system with definitions for "Private" and "Public". The company’s security policy outlines how data should be protected based on type. The company recently added the data type "Proprietary". Which of the following is the MOST likely reason the company added this data type? • A. Reduced cost • B. More searchable data • C. Better data classification • D. Expanded authority of the privacy officer
C. Better data classification
2. A systems administrator has finished configuring a firewall ACL to allow access to a new web server:
PERMIT TCP from: ANY to: 192.168.1.10:80
PERMIT TCP from: ANY to: 192.168.1.10:443
DENY TCP from: ANY to: ANY
The security administrator confirms from the following packet capture that there is network traffic from the Internet to the web server:
TCP 10.23.243.2:2000->192.168.1.10:80 POST /defaults
TCP 172.16.4.100:1934->192.168.1.10:80 GET /session.aspx?user_1_sessionid=a12ad8741d8f7e7ac723847aa8231a
The company's internal auditor issues a security finding and requests that immediate action be taken. With which of the following is the auditor MOST concerned? • A. Misconfigured firewall • B. Clear text credentials • C. Implicit deny • D. Default configuration
B. Clear text credentials
3. An organization's internal auditor discovers that large sums of money have recently been paid to a vendor that management does not recognize. The IT security department is asked to investigate the organization's ERP system to determine how the accounts payable module has been used to make these vendor payments. The IT security department finds the following security configuration for the accounts payable module: ✑ New Vendor Entry - Required Role: Accounts Payable Clerk ✑ New Vendor Approval - Required Role: Accounts Payable Clerk ✑ Vendor Payment Entry - Required Role: Accounts Payable Clerk ✑ Vendor Payment Approval - Required Role: Accounts Payable Manager Which of the following changes to the security configuration of the accounts payable module would BEST mitigate the risk? • A. Option A • B. Option B • C. Option C • D. Option D
A. Option A
4. A CSIRT has completed restoration procedures related to a breach of sensitive data and is creating documentation used to improve the organization's security posture. The team has been specifically tasked to address logical controls in their suggestions. Which of the following would be MOST beneficial to include in lessons learned documentation? (Choose two.) • A. A list of policies, which should be revised to provide better clarity to employees regarding acceptable use • B. Recommendations relating to improved log correlation and alerting tools • C. Data from the organization's IDS/IPS tools, which show the timeline of the breach and the activities executed by the attacker • D. A list of potential improvements to the organization's NAC capabilities, which would improve AAA within the environment • E. A summary of the activities performed during each phase of the incident response activity • F. A list of topics that should be added to the organization's security awareness training program based on weaknesses exploited during the attack
A. A list of policies, which should be revised to provide better clarity to employees regarding acceptable use | F. A list of topics that should be added to the organization's security awareness training program based on weaknesses exploited during the attack
5. A security analyst receives a notification from the IDS after working hours, indicating a spike in network traffic. Which of the following BEST describes this type of IDS? • A. Anomaly-based • B. Stateful • C. Host-based • D. Signature-based
A. Anomaly-based
6. An instructor is teaching a hands-on wireless security class and needs to configure a test access point to show students an attack on a weak protocol. Which of the following configurations should the instructor implement? • A. WPA2 • B. WPA • C. EAP • D. WEP
D. WEP
7. A security analyst is hardening a large-scale wireless network. The primary requirements are the following: ✑ Must use authentication through EAP-TLS certificates ✑ Must use an AAA server ✑ Must use the most secure encryption protocol Given these requirements, which of the following should the analyst implement and recommend? (Select TWO.) • A. 802.1X • B. 802.3 • C. LDAP • D. TKIP • E. CCMP • F. WPA2-PSK
A. 802.1X | F. WPA2-PSK
8. A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS? • A. Network tap • B. Network proxy • C. Honeypot • D. Port mirroring
D. Port mirroring - Port mirroring is a network switch's ability to send a copy of the network data packets being transmitted over a switch port to a network monitoring or inspection device that is itself connected to the port mirror, a dedicated port on the switch.
9. An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements? • A. NIPS - Network Intrusion Prevention System • B. HIDS - Host-based IDS • C. Web proxy • D. Elastic load balancer • E. NAC - Network Access Control
A. NIPS - Network Intrusion Prevention System
10. A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform? • A. Pass-the-hash attack • B. ARP poisoning attack • C. Birthday attack • D. Brute force attack
A. Pass-the-hash attack
11. Which of the following is the main difference between an XSS vulnerability and a CSRF vulnerability? • A. XSS needs the attacker to be authenticated to the trusted server. • B. XSS does not need the victim to be authenticated to the trusted server. • C. CSRF needs the victim to be authenticated to the trusted server. • D. CSRF does not need the victim to be authenticated to the trusted server. • E. CSRF does not need the attacker to be authenticated to the trusted server.
B. XSS does not need the victim to be authenticated to the trusted server. | C. CSRF needs the victim to be authenticated to the trusted server.
12. A group of developers is collaborating to write software for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered user-centric? • A. Time-based • B. Mandatory • C. Rule-based • D. Discretionary
D. Discretionary
13. Which of the following methods minimizes the system interaction when gathering information to conduct a vulnerability assessment of a router? • A. Download the configuration. • B. Run a credentialed scan. • C. Conduct the assessment during downtime. • D. Change the routing to bypass the router.
A. Download the configuration
14. Which of the following BEST explains why sandboxing is a best practice for testing software from an untrusted vendor prior to an enterprise deployment? • A. It allows the software to run in an unconstrained environment with full network access. • B. It eliminates the possibility of privilege escalation attacks against the local VM host. • C. It facilitates the analysis of possible malware by allowing it to run until resources are exhausted. • D. It restricts the access of the software to a contained logical space and limits possible damage.
D. It restricts the access of the software to a contained logical space and limits possible damage.
15. A small- to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost-effective way for the security analyst to prevent this? • A. Implement a DLP system • B. Apply a GPO • C. Conduct user awareness training • D. Enforce the AUP
B. Apply a GPO
16. Which of the following is the BEST way for home users to mitigate vulnerabilities associated with IoT devices on their home networks? • A. Power off the devices when they are not in use. • B. Prevent IoT devices from contacting the Internet directly. • C. Apply firmware and software updates upon availability. • D. Deploy a bastion host on the home network.
C. Apply firmware and software updates upon availability.
17. Corporations choose to exceed regulatory framework standards because of which of the following incentives? • A. It improves the legal defensibility of the company. • B. It gives a social defense that the company is not violating customer privacy laws. • C. It proves to investors that the company takes APT cyber actors seriously. • D. It results in overall industrial security standards being raised voluntarily.
A. It improves the legal defensibility of the company.
18. A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement? • A. Reduced failed logon attempts • B. Mandatory password changes • C. Increased account lockout time • D. Time-of-day restrictions
D. Time-of-day restrictions
19. A buffer overflow can result in: • A. loss of data caused by unauthorized command execution. • B. privilege escalation caused by TPN override. • C. reduced key strength due to salt manipulation. • D. repeated use of one-time keys.
B. privilege escalation caused by TPN override.
20. Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future? • A. DNSSEC • B. HTTPS • C. IPSec • D. TLS/SSL
A. DNSSEC
141
21. Which of the following is a compensating control that will BEST reduce the risk of weak passwords?
• A. Requiring the use of one-time tokens
• B. Increasing password history retention count
• C. Disabling user accounts after exceeding maximum attempts
• D. Setting expiration of user passwords to a shorter time
A. Requiring the use of one-time tokens
142
22. A consumer purchases an exploit from the dark web. The exploit targets the online shopping cart of a popular website, allowing the shopper to modify the price of an item at checkout. Which of the following BEST describes this type of user?
• A. Insider
• B. Script kiddie
• C. Competitor
• D. Hacktivist
• E. APT
B. Script kiddie
143
23. Joe, a backup administrator, wants to implement a solution that will reduce the restoration time of physical servers. Which of the following is the BEST method for Joe to use?
• A. Differential
• B. Incremental
• C. Full
• D. Snapshots
C. Full
144
24. Which of the following development models entails several iterative and incremental software development methodologies such as Scrum?
• A. Spiral
• B. Waterfall
• C. Agile
• D. Rapid
C. Agile
145
25. Which of the following are used to substantially increase the computation time required to crack a password? (Choose two.)
• A. BCRYPT
• B. Substitution cipher
• C. ECDHE
• D. PBKDF2
• E. Diffie-Hellman
A. BCRYPT | D. PBKDF2
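Why bcrypt and PBKDF2 are the right answers comes down to a tunable iteration count: every guess an attacker makes has to pay the same stretched cost as a legitimate login. The block below is an added example (not from the original flashcard set) using Python's standard-library PBKDF2-HMAC; the password, salt length, key length and iteration counts are assumed demo values, and bcrypt itself is not in the stdlib so only PBKDF2 is shown.

```python
"""Key stretching with PBKDF2-HMAC-SHA256 (added example, stdlib only).

Shows the three things a practitioner needs from a password KDF:
a per-user random salt, a stored iteration count that can be raised later,
and a constant-time comparison on verify. It also measures how the
per-guess cost scales with the iteration count.
"""
import hashlib
import hmac
import os
import time

# Assumed policy values for the demo (not from the page).
SALT_BYTES = 16
KEY_BYTES = 32
DEFAULT_ITERATIONS = 200_000


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. Cost is linear in `iterations`."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )


def register(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Store salt, iteration count and derived key; never the password itself.

    Keeping `iterations` in the record lets the count be raised for new
    users without breaking verification of existing records.
    """
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": derive_key(password, salt, iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored parameters; compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["key"])


def cost_ratio(password: str, low: int = 1_000, high: int = DEFAULT_ITERATIONS) -> float:
    """Wall-clock cost of `high` iterations relative to `low` iterations.

    This is the attacker's slowdown factor per guess: raising the count
    from 1k to 200k makes each guess roughly 200x more expensive.
    """
    salt = b"fixed-salt-for-timing-only"  # constructed; fine for timing, never for storage
    t0 = time.perf_counter()
    derive_key(password, salt, low)
    t1 = time.perf_counter()
    derive_key(password, salt, high)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)


if __name__ == "__main__":
    record = register("correct horse battery staple")
    print("verify correct password:", verify("correct horse battery staple", record))
    print("verify wrong password:  ", verify("correct horse battery stapl", record))
    print(f"cost of {DEFAULT_ITERATIONS} vs 1000 iterations: ~{cost_ratio('guess'):.0f}x")
```

A plain SHA-256 of the password would cost one hash per guess regardless of hardware; the iteration count is what turns a billion-guesses-per-second GPU rig into a few-thousand-guesses-per-second one, which is the "substantially increase the computation time" the card asks about.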
146
26. Which of the following describes the maximum amount of time a mission essential function can operate without the systems it depends on before significantly impacting the organization?
• A. MTBF
• B. MTTR
• C. RTO
• D. RPO
C. RTO
147
27. A network administrator is brute forcing accounts through a web interface. Which of the following would provide the BEST defense from an account password being discovered?
• A. Password history
• B. Account lockout
• C. Account expiration
• D. Password complexity
B. Account lockout
148
28. A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST step to implement the SSL certificate?
• A. Download the web certificate
• B. Install the intermediate certificate
• C. Generate a CSR
• D. Encrypt the private key
C. Generate a CSR
149
29. Which of the following is a major difference between XSS attacks and remote code exploits?
• A. XSS attacks use machine language, while remote exploits use interpreted language
• B. XSS attacks target servers, while remote code exploits target clients
• C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only
• D. Remote code exploits allow writing code at the client side and executing it, while XSS attacks require no code to work
C. Remote code exploits aim to escalate attackers' privileges, while XSS attacks aim to gain access only
150
30. A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites?
• A. Extended domain validation
• B. TLS host certificate
• C. OCSP stapling
• D. Wildcard certificate
B. TLS host certificate
151
31. Which of the following are considered among the BEST indicators that a received message is a hoax? (Choose two.)
• A. Minimal use of uppercase letters in the message
• B. Warnings of monetary loss to the receiver
• C. No valid digital signature from a known security organization
• D. Claims of possible damage to computer hardware
• E. Embedded URLs
B. Warnings of monetary loss to the receiver | D. Claims of possible damage to computer hardware
153
32. Management wishes to add another authentication factor in addition to fingerprints and passwords in order to have three-factor authentication. Which of the following would BEST satisfy this request?
• A. Retinal scan
• B. Passphrase
• C. Token fob
• D. Security question
C. Token fob
154
33. During a lessons learned meeting regarding a previous incident, the security team receives a follow-up action item with the following requirements:
✑ Allow authentication from within the United States anytime
✑ Allow authentication if the user is accessing email or a shared file system
✑ Do not allow authentication if the AV program is two days out of date
✑ Do not allow authentication if the location of the device is in two specific countries
Given the requirements, which of the following mobile deployment authentication types is being utilized?
• A. Geofencing authentication
• B. Two-factor authentication
• C. Context-aware authentication
• D. Biometric authentication
C. Context-aware authentication
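The four requirements only make sense as an ordered policy: the two deny conditions (blocked country, stale AV) must win over the two allow conditions, and anything that matches no rule is denied. The block below is an added example (not from the original flashcard set) that encodes that policy as a small rules engine; the country codes, the two blocked countries and the "two or more days" reading of "two days out of date" are assumptions for the demo.

```python
"""Context-aware authentication policy (added example, not from the page).

Evaluates the four action-item requirements in deny-first order:
  1. deny if the device is in one of two blocked countries
  2. deny if AV signatures are two or more days old
  3. allow if the device is in the United States
  4. allow if the resource is email or the shared file system
  5. otherwise default deny
Returns the decision together with the rule that produced it, which is what
an auditor reviewing authentication logs actually wants to see.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Tuple

# Assumed values: the action item names "two specific countries" but not which.
BLOCKED_COUNTRIES = {"XX", "YY"}
HOME_COUNTRY = "US"
ALWAYS_ALLOWED_RESOURCES = {"email", "shared_files"}
# "two days out of date" read as: age of two days or more is stale (interpretation).
MAX_AV_AGE = timedelta(days=2)


@dataclass(frozen=True)
class AuthContext:
    """Signals gathered at authentication time; values are demo data."""
    user: str
    country: str          # ISO 3166 alpha-2 code of the device location (assumed)
    resource: str         # what the user is trying to reach
    av_last_updated: date
    today: date


def av_is_stale(ctx: AuthContext) -> bool:
    return (ctx.today - ctx.av_last_updated) >= MAX_AV_AGE


def evaluate(ctx: AuthContext) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny rules are checked first and always win."""
    if ctx.country in BLOCKED_COUNTRIES:
        return False, f"deny: device located in blocked country {ctx.country}"
    if av_is_stale(ctx):
        age = (ctx.today - ctx.av_last_updated).days
        return False, f"deny: antivirus signatures {age} days old (limit {MAX_AV_AGE.days})"
    if ctx.country == HOME_COUNTRY:
        return True, "allow: authentication from the United States is permitted anytime"
    if ctx.resource in ALWAYS_ALLOWED_RESOURCES:
        return True, f"allow: {ctx.resource} is reachable from any non-blocked location"
    return False, f"deny: no allow rule matched for {ctx.resource} from {ctx.country}"


if __name__ == "__main__":
    today = date(2024, 1, 10)  # constructed
    samples = [
        AuthContext("alice", "US", "crm", date(2024, 1, 9), today),
        AuthContext("bob", "XX", "email", date(2024, 1, 10), today),
        AuthContext("carol", "US", "email", date(2024, 1, 7), today),
        AuthContext("dan", "DE", "shared_files", date(2024, 1, 9), today),
        AuthContext("eve", "DE", "crm", date(2024, 1, 9), today),
    ]
    for ctx in samples:
        allowed, reason = evaluate(ctx)
        print(f"{ctx.user:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Note what makes this context-aware rather than plain geofencing: location is only one of the signals, and the AV-age check means the same user on the same network is denied the moment the device's hygiene slips.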
155
34. A network administrator is creating a new network for an office. For security purposes, each department should have its resources isolated from every other department but be able to communicate back to central servers. Which of the following architecture concepts would BEST accomplish this?
• A. Air gapped network
• B. Load balanced network
• C. Network address translation
• D. Network segmentation
D. Network segmentation
156
35. A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure?
• A. SSH
• B. SFTP
• C. HTTPS
• D. SNMP
A. SSH
157
36. A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Choose two.)
• A. Compare configurations against platform benchmarks
• B. Confirm adherence to the company's industry-specific regulations
• C. Review the company's current security baseline
• D. Verify alignment with policy related to regulatory compliance
• E. Run an exploitation framework to confirm vulnerabilities
A. Compare configurations against platform benchmarks | C. Review the company's current security baseline
158
37. Joe recently assumed the role of data custodian for this organization. While cleaning out an unused storage safe, he discovers several hard drives that are labeled "unclassified" and awaiting destruction. The hard drives are obsolete and cannot be installed in any of his current computing equipment. Which of the following is the BEST method for disposing of the hard drives?
• A. Burning
• B. Wiping
• C. Purging
• D. Pulverizing
D. Pulverizing
159
38. Students at a residence hall are reporting Internet connectivity issues. The university's network administrator configured the residence hall's network to provide public IP addresses to all connected devices, but many student devices are receiving private IP addresses due to rogue devices. The network administrator verifies the residence hall's network is correctly configured and contacts the security administrator for help. Which of the following configurations should the security administrator suggest for implementation?
• A. Router ACLs
• B. BPDU guard
• C. Flood guard
• D. DHCP snooping
D. DHCP snooping
160
39. Which of the following is a technical preventive control?
• A. Two-factor authentication
• B. DVR-supported cameras
• C. Acceptable-use MOTD
• D. Syslog server
A. Two-factor authentication
161
40. A security administrator is performing a risk assessment on a legacy WAP with a WEP-enabled wireless infrastructure. Which of the following should be implemented to harden the infrastructure without upgrading the WAP?
• A. Implement WPA and TKIP
• B. Implement WPS and an eight-digit pin
• C. Implement WEP and RC4
• D. Implement WPA2 Enterprise
A. Implement WPA and TKIP
162
41. A systems administrator is installing a new server in a large datacenter. Which of the following BEST describes the importance of properly positioning servers in the rack to maintain availability?
• A. To allow for visibility of the servers' status indicators
• B. To adhere to cable management standards
• C. To maximize the fire suppression system's efficiency
• D. To provide consistent air flow
D. To provide consistent air flow
163
42. A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company's internal network securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO?
• A. VPN
• B. PaaS
• C. IaaS
• D. VDI
A. VPN
164
43. To get the most accurate results on the security posture of a system, which of the following actions should the security analyst do prior to scanning?
• A. Log all users out of the system
• B. Patch the scanner
• C. Reboot the target host
• D. Update the web plugins
B. Patch the scanner
165
44. While investigating a virus infection, a security analyst discovered the following on an employee laptop:
✑ Multiple folders containing a large number of newly released movies and music files
✑ Proprietary company data
✑ A large amount of PHI data
✑ Unapproved FTP software
✑ Documents that appear to belong to a competitor
Which of the following should the analyst do FIRST?
• A. Contact the legal and compliance department for guidance
• B. Delete the files, remove the FTP software, and notify management
• C. Back up the files and return the device to the user
• D. Wipe and reimage the device
A. Contact the legal and compliance department for guidance
166
45. Which of the following penetration testing concepts is an attacker MOST interested in when placing the path of a malicious file in the Windows/CurrentVersion/Run registry key?
• A. Persistence
• B. Pivoting
• C. Active reconnaissance
• D. Escalation of privilege
A. Persistence
167
46. An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners?
• A. Guest account
• B. User account
• C. Shared account
• D. Privileged user account
• E. Default account
• F. Service account
D. Privileged user account
168
47. A security analyst is implementing PKI-based functionality to a web application that has the following requirements:
✑ File contains certificate information
✑ Certificate chains
✑ Root authority certificates
✑ Private key
All of these components will be part of one file and cryptographically protected with a password. Given this scenario, which of the following certificate types should the analyst implement to BEST meet these requirements?
• A. .pfx certificate
• B. .cer certificate
• C. .der certificate
• D. .crt certificate
A. .pfx certificate
169
48. Which of the following encryption algorithms is used primarily to secure data at rest?
• A. AES
• B. SSL
• C. TLS
• D. RSA
A. AES
170
49. A security auditor is performing a vulnerability scan to find out if mobile applications used in the organization are secure. The auditor discovers that one application has been accessed remotely with no legitimate account credentials. After investigating, it seems the application has allowed some users to bypass authentication of that application. Which of the following types of malware allow such a compromise to take place? (Choose two.)
• A. RAT
• B. Ransomware
• C. Worm
• D. Trojan
• E. Backdoor
A. RAT | E. Backdoor
171
50. An organization electronically processes sensitive data within a controlled facility. The Chief Information Security Officer (CISO) wants to limit emissions from emanating from the facility. Which of the following mitigates this risk?
• A. Upgrading facility cabling to a higher standard of protected cabling to reduce the likelihood of emission spillage
• B. Hardening the facility through the use of secure cabinetry to block emissions
• C. Hardening the facility with a Faraday cage to contain emissions produced from data processing
• D. Employing security guards to ensure unauthorized personnel remain outside of the facility
C. Hardening the facility with a Faraday cage to contain emissions produced from data processing
172
51. As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the Internet in a secure manner. Which of the following protocols would BEST meet this objective? (Choose two.)
• A. LDAPS
• B. SFTP
• C. HTTPS
• D. DNSSEC
• E. SRTP
B. SFTP | C. HTTPS
173
52. A company is deploying a file-sharing protocol across a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task?
• A. Store credentials in LDAP
• B. Use NTLM authentication
• C. Implement Kerberos
• D. Use MSCHAP authentication
C. Implement Kerberos
174
53. A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is a AAA solution that will provide the required wireless authentication?
• A. TACACS+
• B. MSCHAPv2
• C. RADIUS
• D. LDAP
C. RADIUS
175
54. An incident response analyst at a large corporation is reviewing proxy data logs. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take?
• A. Call the CEO directly to ensure awareness of the event
• B. Run a malware scan on the CEO's workstation
• C. Reimage the CEO's workstation
• D. Disconnect the CEO's workstation from the network
D. Disconnect the CEO's workstation from the network
176
55. A law office has been leasing dark fiber from a local telecommunications company to connect a remote office to company headquarters. The telecommunications company has decided to discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is too expensive. Which of the following is the BEST solution for the law office?
• A. Remote access VPN
• B. VLAN
• C. VPN concentrator
• D. Site-to-site VPN
D. Site-to-site VPN
177
56. An analyst is part of a team that is investigating a potential breach of sensitive data at a large financial services organization. The organization suspects a breach occurred when proprietary data was disclosed to the public. The team finds servers were accessed using shared credentials that have been in place for some time. In addition, the team discovers undocumented firewall rules, which provided unauthorized external access to a server. Suspecting the activities of a malicious insider threat, which of the following was MOST likely to have been utilized to exfiltrate the proprietary data?
• A. Keylogger
• B. Botnet
• C. Crypto-malware
• D. Backdoor
• E. Ransomware
• F. DLP
D. Backdoor
178
57. An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employees receive?
• A. Shared account
• B. Privileged account
• C. User account
• D. Service account
C. User account
179
58. An employee in the finance department receives an email, which appears to come from the Chief Financial Officer (CFO), instructing the employee to immediately wire a large sum of money to a vendor. Which of the following BEST describes the principles of social engineering used? (Choose two.)
• A. Familiarity
• B. Scarcity
• C. Urgency
• D. Authority
• E. Consensus
C. Urgency | D. Authority
180
59. A security administrator has replaced the firewall and notices a number of dropped connections. After looking at the data, the security administrator sees the following information that was flagged as a possible issue: "SELECT * FROM" and "'1'='1'". Which of the following can the security administrator determine from this?
• A. An SQL injection attack is being attempted
• B. Legitimate connections are being dropped
• C. A network scan is being done on the system
• D. An XSS attack is being attempted
A. An SQL injection attack is being attempted
181
60. A penetration testing team deploys a specifically crafted payload to a web server, which results in opening a new session as the web server daemon. This session has full read/write access to the file system and the admin console. Which of the following BEST describes the attack?
• A. Domain hijacking
• B. Injection
• C. Buffer overflow
• D. Privilege escalation
D. Privilege escalation