Architecture and Design Flashcards
1
Q
A company has limited storage space available and an online presence that cannot be down for more than four hours. Which of the following backup methodologies should the company implement to allow for the FASTEST database restore time in the event of a failure, while being mindful of the limited available storage space?
A
Implement full backups every Sunday at 8:00 p.m. and nightly differential backups at 8:00 p.m
2
Q
An organization has a growing workforce that is mostly driven by additions to the sales department. Each newly hired salesperson relies on a mobile device to conduct business. The Chief Information Officer (CIO) is wondering if the organization may need to scale down just as quickly as it scaled up. The CIO is also concerned about the organization’s security and customer privacy. Which of the following would be BEST to address the CIO’s concerns?
A
Implement BYOD for the sales department while leveraging the MDM
3
Q
Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of vulnerable code in a software company’s final software releases? (Choose two.)
A
Included third-party libraries
Vendors/supply chain
4
Q
A customer service representative reported an unusual text message that was sent to the help desk. The message contained an unrecognized invoice number with a large balance due and a link to click for more details. Which of the following BEST describes this technique?
A
Smishing
5
Q
A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following should the analyst monitor?
A
Tor
6
Q
Which of the following should be monitored by threat intelligence researchers who search for leaked credentials?
A
Dark web
7
Q
An employee installed a new service on the domain controller without consent or approval from the IT department and change management. What specifically describes this type of threat?
A
Shadow IT
8
Q
Which of the following threat actors is most likely to be motivated by ideology?
A
Hacktivist
9
Q
After a security assessment is concluded, what benefit does the CVSS score provide to a company on the list of discovered vulnerabilities?
A
Prioritize remediation of vulnerabilities based on the possible impact
CVSS (Common Vulnerability Scoring System) is used to assign severity scores (zero to ten) to vulnerabilities which allows responders to prioritize the responses and better manage resources. Scores are calculated by a formula that uses several metrics, including complexity and severity.
10
Q
An attacker tricks a user into providing confidential information. Which of the following describes this form of malicious reconnaissance?
A
Social engineering
11
Q
A company recently experienced a major breach. An investigation concludes that customer credit card data was stolen and exfiltrated through a dedicated business partner connection to a vendor, who is not held to the same security control standards. Which of the following is the most likely source of the breach?
A
Supply chain
12
Q
A user is having problems accessing network shares. An admin investigates and finds the following on the user’s computer:
What attack has been performed on this computer?
A
ARP poisoning
Two different devices shouldn’t have the same MAC addresses. Since these are dynamically learned ARP entries, it is reasonable to believe this was an ARP poisoning. Device .1 is probably the default gateway and then device .11 is the MitM
13
Q
A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO’s report?
A
Organized crime
14
Q
Which of the following can be used to identify potential attacker activities without affecting production servers?
A
Honeypot
15
Q
A security analyst notices an unusual amount of traffic hitting the edge of the network. Upon examining the logs, the analyst identifies a source IP address and blocks that address from communicating with the network. Even though the analyst is blocking this address, the attack is still ongoing and coming from a large number of different source IP addresses. Which of the following describes this type of attack?
A
DDoS
16
Q
A company is expanding its threat surface program and allowing individuals to security test the company’s internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up?
A
Bug bounty
17
Q
A company has installed badge readers for building access but is finding unauthorized individuals roaming the hallways. Which of the following is the most likely cause?
A
Tailgating
18
Q
A company’s Chief Information Security Officer (CISO) recently warned the security manager that the company’s Chief Executive Officer (CEO) is planning to publish a controversial opinion article in a national newspaper, which may result in new cyberattacks. Which of the following would be best for the security manager to use in a threat model?
A
Hacktivists
19
Q
A security analyst reports a company policy violation in a case in which a large amount of sensitive data is being downloaded after hours from various mobile devices to an external site. Upon further investigation, the analyst notices that successful login attempts are being conducted with impossible travel times during the same time periods when the unauthorized downloads are occurring. The analyst also discovers a couple of WAPs are using the same SSID, but they have non-standard DHCP configurations and an overlapping channel. Which of the following attacks is being conducted?
A
Evil twin
20
Q
A security analyst is reviewing the following logs:
Which of the following attacks is most likely occurring?
A
Password spraying
21
Q
A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity?
A
Red
22
Q
A large financial services firm recently released information regarding a security breach within its corporate network that began several years before. During the time frame in which the breach occurred, indicators show an attacker gained administrative access to the network through a file downloaded from a social media site and subsequently installed it without the user’s knowledge. Since the compromise, the attacker was able to take command and control of the computer systems anonymously while obtaining sensitive corporate and personal employee information. Which of the following methods did the attacker most likely use to gain access?
A
A RAT
23
Q
A junior security analyst is reviewing web server logs and identifies the following pattern in the log file:
http://comptia.org/../../../etc/passwd
Which of the following types of attacks is being attempted and how can it be mitigated?
A
XSS; implement a SIEM
24
Q
A security assessment found that several embedded systems are running unsecure protocols. These systems were purchased two years ago, and the company that developed them is no longer in business. Which of the following constraints best describes the reason the findings cannot be remediated?
A
Unavailable patch
25
A user downloaded an extension for a browser, and the user device later became infected. The analyst who is investigating the incident saw various logs where the attacker was hiding activity by deleting data. The following was observed running:
Which of the following is the malware using to execute the attack?
PowerShell
26
A user's login credentials were recently compromised. During the investigation, the security analyst determined the user input credentials into a pop-up window when prompted to confirm the username and password. However, the trusted website does not use a pop-up for entering user credentials. Which of the following attacks occurred?
DNS poisoning
27
A systems administrator set up an automated process that checks for vulnerabilities across the entire environment every morning. Which of the following activities is the systems administrator conducting?
Scanning
28
An engineer is setting up a VDI environment for a factory location, and the business wants to deploy a low-cost solution to enable users on the shop floor to log in to the VDI environment directly. Which of the following should the engineer select to meet these requirements?
Thin clients
29
A systems administrator receives the following alert from a file integrity monitoring tool:
The hash of the cmd.exe file has changed.
The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
A rootkit was deployed
When a file integrity monitoring tool detects a change in the hash of a critical system file like "cmd.exe," it could indicate that a rootkit has been deployed. Rootkits are malicious software designed to hide their presence on a system by modifying critical files and processes, including system utilities like "cmd.exe."
30
A security analyst was asked to evaluate a potential attack that occurred on a publicly accessible section of the company's website. The malicious actor posted an entry in an attempt to trick users into clicking the following:
https://www.c0mpt1a.com/contact-us/%3Fname%3D%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E
Which of the following was most likely observed?
XSS
31
An analyst is concerned about data leaks and wants to restrict access to internet services to authorized users only. The analyst also wants to control the actions each user can perform on each service. Which of the following would be the best technology for the analyst to consider implementing?
CASB
CASB is a security solution that provides visibility and control over the use of cloud services by employees within an organization. It helps enforce security policies and ensures that access to internet services is restricted to authorized users only. CASB allows the organization to define granular policies to control the actions each user can perform on each cloud service.
32
A security engineer needs to recommend a solution to defend against malicious actors misusing protocols and being allowed through network defenses. Which of the following will the engineer most likely recommend?
A next-generation firewall
33
A company's legal department drafted sensitive documents in a SaaS application and wants to ensure the documents cannot be accessed by individuals in high-risk countries. Which of the following is the most effective way to limit this access?
Geolocation policy
34
Several users have opened tickets with the help desk. The help desk has reassigned the tickets to a security analyst for further review. The security analyst reviews the following metrics:
Which of the following is MOST likely the result of the security analyst's review?
Corporate PCs have been turned into a botnet
35
An organization suffered numerous multiday power outages at its current location. The Chief Executive Officer wants to create a disaster recovery strategy to resolve this issue. Which of the following options offer low-cost solutions? (Choose two.)
Generator
UPS
36
A security analyst discovers that one of the web APIs is being abused by an unknown third party. Logs indicate that the third party is attempting to manipulate the parameters being passed to the API endpoint. Which of the following solutions would best help to protect against the attack?
WAF
A Web Application Firewall (WAF) is a security solution designed to protect web applications and APIs from various attacks, including those that attempt to manipulate parameters and exploit vulnerabilities in the application layer. It sits between the clients (users or third parties) and the web server, inspecting the HTTP/HTTPS traffic and filtering out malicious requests.
37
An application owner reports suspicious activity on an internal financial application from various internal users within the past 14 days. A security analyst notices the following:
-Financial transactions were occurring during irregular time frames and outside of business hours by unauthorized users.
-Internal users in question were changing their passwords frequently during that time period.
-A jump box that several domain administrator users use to connect to remote devices was recently compromised.
-The authentication method used in the environment is NTLM.
Which of the following types of attacks is MOST likely being used to gain unauthorized access?
Pass-the-hash
38
A government organization is developing an advanced Al defense system. Developers are using information collected from third-party providers. Analysts are noticing inconsistencies in the expected progress of the Al learning and attribute the outcome to a recent attack on one of the suppliers. Which of the following is the most likely reason for the inaccuracy of the system?
Tainted training data
39
During an incident, an EDR system detects an increase in the number of encrypted outbound connections from multiple hosts. A firewall is also reporting an increase in outbound connections that use random high ports. An analyst plans to review the correlated logs to find the source of the incident. Which of the following tools will best assist the analyst?
A SIEM
40
A company recently suffered a breach in which an attacker was able to access the internal mail servers and directly access several user inboxes. A large number of email messages were later posted online. Which of the following would best prevent email contents from being released should another breach occur?
Implement S/MIME to encrypt the emails at rest
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a technology used to encrypt email messages, ensuring that the contents of the messages are protected both during transmission and at rest. When S/MIME is implemented, the email messages are encrypted using the recipient's public key, and only the recipient with the corresponding private key can decrypt and read the message.
41
Which of the following exercises should an organization use to improve its incident response process?
Tabletop
42
An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message:
“The username you entered does not exist.”
Which of the following should the analyst recommend be enabled?
Error handling
The error message is too specific; attackers know the username they guessed is wrong so they can try and guess another until they find one that sticks; so proper error handling should be less specific such as "Invalid credentials"
43
An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?
Compensating controls
Compensating controls are alternative security measures put in place when standard controls cannot be implemented or are not sufficient to meet security requirements.
44
Which of the following describes the ability of code to target a hypervisor from inside a guest OS?
VM escape
45
A grocery store is expressing security and reliability concerns regarding the on-site backup strategy currently being performed by locally attached disks. The main concerns are the physical security of the backup media and the durability of the data stored on these devices. Which of the following is a cost-effective approach to address these concerns?
Migrate to a cloud backup solution
46
A local server recently crashed and the team is attempting to restore the server from a backup. During the restore process, the team notices the file size of each daily backup is large and will run out of space at the current rate. The current solution appears to do a full backup every night.
Which of the following would use the least amount of storage space for backups?
A weekly, full backup with daily incremental backups
47
A security analyst discovers several jpg photos from a cellular phone during a forensics investigation involving a compromised system. The analyst runs a forensics tool to gather file metadata. Which of the following would be part of the images if all the metadata is still intact?
The GPS location
48
A financial analyst is expecting an email containing sensitive information from a client. When the email arrives the analyst receives an error and is unable to open the encrypted message. Which of the following is the most likely cause of the issue?
The S/MIME plug-in is not enabled
49
A company develops a complex platform that is composed of a single application. After several issues with upgrades, the systems administrator recommends breaking down the application into unique, independent modules. Which of the following best identifies the systems administrator's recommendation?
Microservices
50
Which of the following would be the best way to block unknown programs from executing?
Application allow list
51
A company is planning to install a guest wireless network so visitors will be able to access the internet. The stakeholders want the network to be easy to connect to so time is not wasted during meetings. The WAPs are configured so that power levels and antennas cover only the conference rooms where visitors will attend meetings. Which of the following would best protect the company's internal wireless network against visitors accessing company resources?
Configure the guest wireless network to be on a separate VLAN from the company’s internal wireless network.
52
An organization relies on third-party videoconferencing to conduct daily business. Recent security changes now require all remote workers to utilize a VPN to corporate resources. Which of the following would best maintain high-quality videoconferencing while minimizing latency when connected to the VPN?
Configuring QoS properly on the VPN accelerators
53
A security analyst is scanning a company's public network and discovers a host is running a remote desktop that can be used to access the production network. Which of the following changes should the security analyst recommend?
Setting up a VPN and placing the jump server inside the firewall
54
A company would like to provide flexibility for employees on device preference. However, the company is concerned about supporting too many different types of hardware. Which of the following deployment models will provide the needed flexibility with the greatest amount of control and security over company data and infrastructure?
CYOD
55
A user would like to install software and features that are not available with a mobile device's default software. Which of the following would allow the user to install unauthorized software and enable new features?
Jailbreaking
56
An organization recently acquired an ISO 27001 certification. Which of the following would most likely be considered a benefit of this certification?
It assures customers that the organization meets security standards
This certification provides an independent verification that an organization meets recognized security standards and best practices. It demonstrates to its customers, partners, and stakeholders that it has implemented a comprehensive and systematic approach to managing information security.
57
A security professional wants to enhance the protection of a critical environment that is used to store and manage a company's encryption keys. The selected technology should be tamper resistant. Which of the following should the security professional implement to achieve the goal?
HSM
58
Which of the following is the correct order of volatility from most to least volatile?
Cache memory, temporary filesystems, disk, archival media
59
Which of the following agreements defines response time, escalation points, and performance metrics?
SLA
60
A bakery has a secret recipe that it wants to protect. Which of the following objectives should be added to the company’s security awareness training?
Insider threat detection
61
Which of the following must be considered when designing a high-availability network? (Choose two.)
Ease of recovery
Responsiveness
62
Which of the following strategies shifts risks that are not covered in an organization’s risk strategy?
Risk transference
63
An analyst is working on an email security incident in which the target opened an attachment containing a worm. The analyst wants to implement mitigation techniques to prevent further spread. Which of the following is the best course of action for the analyst to take?
Isolate the infected attachment
By isolating the infected attachment, the analyst can prevent the worm from spreading further within the network. This action involves removing the attachment from the compromised system and quarantining it to prevent it from being opened or executed.
64
A dynamic application vulnerability scan identified that code injection could be performed using a web form. Which of the following will be the best remediation to prevent this vulnerability?
Implement input validations
Implementing input validation is the best remediation to prevent code injection vulnerabilities. WAF will prevent attacks not vulnerability.
https://techtipbits.com/security/input-validation-in-web-applications/
65
A security administrator needs a method to secure data in an environment that includes some form of checks so that the administrator can track any changes. Which of the following should the administrator set up to achieve this goal?
FIM
66
Sales team members have been receiving threatening voicemail messages and have reported these incidents to the IT security team. Which of the following would be MOST appropriate for the IT security team to analyze?
Session Initiation Protocol traffic logs
67
Which of the following can be used to calculate the total loss expected per year due to a threat targeting an asset?
SLE x ARO
68
A security engineer is hardening existing solutions to reduce application vulnerabilities. Which of the following solutions should the engineer implement FIRST? (Choose two.)
Auto-update
Sandboxing
69
Which of the following authentication methods is considered to be the LEAST secure?
SMS
70
A company needs to centralize its logs to create a baseline and have visibility on its security events. Which of the following technologies will accomplish this objective?
Security information and event management
71
Employees in the research and development business unit receive extensive training to ensure they understand how to best protect company data. Which of the following is the type of data these employees are most likely to use in day to-day work activities?
Intellectual property
Research and development teams are responsible for developing new products, designs, technologies, and proprietary processes for an organization.
This involves generating and working with sensitive intellectual property like trade secrets, patents, formulas, schematics, and other proprietary information that provides a competitive advantage.
72
An audit report indicates multiple suspicious attempts to access company resources were made. These attempts were not detected by the company. Which of the following would be the best solution to implement on the company's network?
Intrusion prevention system
73
An administrator is reviewing a single server's security logs and discovers the following:
Which of the following best describes the action captured in this log file?
Brute-force attack
74
An administrator identifies some locations on the third floor of the building that have a poor wireless signal. Multiple users confirm the incident and report it is not an isolated event. Which of the following should the administrator use to find the areas with a poor or non-existent wireless signal?
Site survey
75
Recent changes to a company's BYOD policy require all personal mobile devices to use a two-factor authentication method that is not something you know or have. Which of the following will meet this requirement?
Facial recognition
76
A critical file server is being upgraded, and the systems administrator must determine which RAID level the new server will need to achieve parity and handle two simultaneous disk failures. Which of the following RAID levels meets this requirement?
RAID 6
77
A company must ensure sensitive data at rest is rendered unreadable. Which of the following will the company most likely use?
Encryption
78
Which of the following has been implemented when a host-based firewall on a legacy Linux system allows connections from only specific internal IP addresses?
Network segmentation
You can set up Linux servers with host firewalls that only allow connections from a defined " segment IP range”. This separates the servers from other devices.
79
A company's help desk has received calls about the wireless network being down and users being unable to connect to it. The network administrator says all access points are up and running. One of the help desk technicians notices the affected users are working in a building near the parking lot. Which of the following is the most likely reason for the outage?
Someone near the building is jamming the signal.
80
A large bank with two geographically dispersed data centers is concerned about major power disruptions at both locations. Every day each location experiences very brief outages that last for a few seconds. However, during the summer a high risk of intentional under-voltage events that could last up to an hour exists, particularly at one of the locations near an industrial smelter. Which of the following is the best solution to reduce the risk of data loss?
Generator
If you need to supply power for an hour to a datacenter then you need Generator
81
Which of the following examples would be best mitigated by input sanitization?
Email message: “Click this link to get your free gift card.”
Input sanitization is used to clean user-provided input from potential malicious content.
The link could contain malicious code that could be executed when the user clicks on it. Input sanitization would help to prevent this by validating the link and removing any malicious code. In the case of a blank input, there is no input to sanitize, so input sanitization would not have any effect.
82
An organization would like to store customer data on a separate part of the network that is not accessible to users on the main corporate network. Which of the following should the administrator use to accomplish this goal?
Segmentation
83
An organization experiences a cybersecurity incident involving a command-and-control server. Which of the following logs should be analyzed to identify the impacted host? (Choose two.)
Network
Firewall
Network logs (Option D): These logs can help identify network connections to the command-and-control server and provide information about source IP addresses (the impacted host) and destination IP addresses (the command-and-control server).
Firewall logs (Option E): Firewall logs also track network traffic and can provide valuable information about source and destination IP addresses, helping identify the impacted host and its communication with the command-and-control server.
84
A large retail store's network was breached recently, and this news was made public. The store did not lose any intellectual property, and no customer information was stolen. Although no fines were incurred as a result, the store lost revenue after the breach. Which of the following is the most likely reason for this issue?
Reputation damage
85
An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employees internet traffic. Which of the following will help achieve these objectives?
Deploying a SASE solution to remote employees
Secure access service edge (SASE) is a network architecture that combines VPN and SD-WAN capabilities with cloud-native security functions such as SWG, CASB, firewalls, and zero-trust network access.
SASE solutions can optimize traffic routing and reduce the load on the VPN and internet circuit by intelligently directing traffic to the appropriate destination, whether it's to the data center or to the internet.
86
Which of the following is the best reason to complete an audit in a banking environment?
Regulatory requirement
Banks and financial institutions operate in highly regulated industries and are required by law to undergo rigorous audits and submit reports regularly. These audits ensure they comply with standards set by financial authorities.
87
After a recent ransomware attack on a company's system, an administrator reviewed the log files. Which of the following control types did the administrator use?
Detective
88
A technician needs to apply a high-priority patch to a production system. Which of the following steps should be taken first?
Create a change control request
89
An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?
Retention
90
Which of the following provides a calculated value for known vulnerabilities so organizations can prioritize mitigation steps?
CVSS
91
A security analyst has received several reports of an issue on an internal web application. Users state they are having to provide their credential twice lo log in. The analyst checks with the application team and notes this is not an expected behavior. After looking at several logs the analyst decides to run some commands on the gateway and obtains the following output:
Which of the following BEST describes the attack the company is experiencing?
ARP poisoning
92
An engineer needs to deploy a security measure to identify and prevent data tampering within the enterprise. Which of the following will accomplish this goal?
FIM
93
Which of the following mitigation techniques places devices in physically or logically separated networks and leverages policies to limit the types of communications that are allowed?
Access control list
94
All security analysts' workstations at a company have network access to a critical server VLAN. The information security manager wants to further enhance the controls by requiring that all access to the secure VLAN be authorized only from a given single location. Which of the following will the information security manager most likely implement?
A jump server
95
A company recently experienced an attack in which a malicious actor was able to exfiltrate data by cracking stolen passwords, using a rainbow table on sensitive data. Which of the following should a security engineer do to prevent such an attack in the future?
Implement password salting
96
A company wants the ability to restrict web access and monitor the websites that employees visit. Which of the following would best meet these requirements?
Internet proxy
Proxy servers include logs that record each site visited by users. These logs can be helpful to identify frequently visited sites and to monitor user web browsing activities.
97
A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the originating source. Several days later another employee opens an internal ticket stating that vulnerability scans are no longer being performed properly. The IP address the employee provides is 192.168.34.26. Which of the following describes this type of alert?
False positive
98
A customer called a company's security team to report that all invoices the customer has received over the last five days from the company appear to have fraudulent banking details. An investigation into the matter reveals the following:
-The manager of the accounts payable department is using the same password across multiple external websites and the corporate account.
-One of the websites the manager used recently experienced a data breach.
-The manager's corporate email account was successfully accessed in the last five days by an IP address located in a foreign country.
Which of the following attacks has most likely been used to compromise the manager's corporate account?
Credential stuffing
99
Two organizations are discussing a possible merger. Both organizations' Chief Financial Officers would like to safely share payroll data with each other to determine if the pay scales for different roles are similar at both organizations. Which of the following techniques would be best to protect employee data while allowing the companies to successfully share this information?
Pseudo-anonymization
Pseudo-anonymization effectively replaces direct identifiers (like names) with fictitious labels, allowing for meaningful comparison of job titles, experience, and salaries, without revealing the actual identities of employees.
100
An organization's corporate offices were destroyed due to a natural disaster, so the organization is now setting up offices in a temporary work space. Which of the following will the organization most likely consult?
The business continuity plan
101
Which of the following can best protect against an employee inadvertently installing malware on a company system?
Application allow list
102
Security analysts notice a server login from a user who has been on vacation for two weeks. The analysts confirm that the user did not log in to the system while on vacation. After reviewing packet capture logs, the analysts notice the following:
Which of the following occurred?
An attacker used a pass-the-hash attack to gain access.
103
A marketing coordinator is trying to access a social media application on a company laptop but is getting blocked. The coordinator opens a help desk ticket to report the issue. Which of the following documents should a security analyst review to determine whether accessing social media applications on a company device is permitted?
Acceptable use policy
104
A network manager wants to protect the company's VPN by multifactor authentication that uses:
* Something you know
* Something you have
* Somewhere you are (NOT something you are)
Which of the following would accomplish the manager's goal?
Domain name, PKI, GeoIP lookup
105
Which of the following terms should be included in a contract to help a company monitor the ongoing security maturity of a new vendor?
A right-to-audit clause allowing for annual security audits
106
Which of the following cloud models provides clients with servers, storage, and networks but nothing else?
IaaS
107
An organization routes all of its traffic through a VPN. Most users are remote and connect into a corporate data center that houses confidential information. There is a firewall at the internet border, followed by a DLP appliance, the VPN server, and the data center itself. Which of the following is the weakest design element?
Encrypted VPN traffic will not be inspected when entering or leaving the network.
DLP won't be able to inspect data that is passing through a VPN
108
Which of the following is the best method for ensuring non-repudiation?
Digital certificate
109
An organization is having difficulty correlating events from its individual AV, EDR, DLP, SWG, WAF, MDM, HIPS, and CASB systems. Which of the following is the best way to improve the situation?
Utilize a SIEM to centralize logs and dashboards.
110
A company's end users are reporting that they are unable to reach external websites. After reviewing the performance data for the DNS servers, the analyst discovers that the CPU, disk, and memory usage are minimal, but the network interface is flooded with inbound traffic. Network logs show only a small number of DNS queries sent to this server. Which of the following best describes what the security analyst is seeing?
Reflected denial of service
In a reflected DoS attack, the attacker sends requests to a large number of public servers, spoofing the source IP address to make it appear as if the requests are coming from the target server. These public servers, acting as amplifiers, then send the responses back to the target server, overwhelming it with inbound traffic.
111
An audit identified PII being utilized in the development environment of a critical application. The Chief Privacy Officer (CPO) is adamant that this data must be removed; however, the developers are concerned that without real data they cannot perform functionality tests and search for specific data. Which of the following should a security professional implement to BEST satisfy both the CPO's and the development team's requirements?
Data masking
112
Which of the following methods is the most effective for reducing vulnerabilities?
Using a scan-patch-scan process
113
Law enforcement officials sent a company a notification that states electronically stored information and paper documents cannot be destroyed. Which of the following explains this process?
Legal hold
114
Which of the following best describes why a company would erase a newly purchased device and install its own image with an operating system and applications?
Reimaging a system creates an updated baseline of the computer image
Reimaging a system creates an updated baseline of the computer image, ensuring that it is set up with the latest updates, configurations, and software versions.
This process ensures that all devices start from a consistent and up-to-date configuration.
115
A backdoor was detected on the containerized application environment. The investigation detected that a zero-day vulnerability was introduced when the latest container image version was downloaded from a public registry. Which of the following is the best solution to prevent this type of incident from occurring again?
Enforce the use of a controlled trusted source of container images.
116
An external forensics investigator has been hired to investigate a data breach at a large enterprise with numerous assets. It is known that the breach started in the perimeter network and moved to the sensitive information, generating multiple logs as the attacker traversed through the network. Which of the following will best assist with this investigation?
Check the SIEM to review the correlated logs.
117
A Chief Information Security Officer (CISO) needs to create a policy set that meets international standards for data privacy and sharing. Which of the following should the CISO read and understand before writing the policies?
GDPR
118
During an internal penetration test, a security analyst identified a network device that had accepted cleartext authentication and was configured with a default credential. Which of the following recommendations should the security analyst make to secure this device?
Configure SNMPv3
119
Developers are writing code and merging it into shared repositories several times a day, where it is tested automatically. Which of the following concepts does this best represent?
Continuous integration
120
A company wants to deploy decoy systems alongside production systems in order to entice threat actors and to learn more about attackers. Which of the following best describes these systems?
Honeypots
121
A security engineer is concerned about using an agent on devices that rely completely on defined known-bad signatures. The security engineer wants to implement a tool with multiple components including the ability to track, analyze, and monitor devices without reliance on definitions alone. Which of the following solutions best fits this use case?
EDR
Endpoint Detection and Response (EDR) is a solution that provides continuous monitoring, analysis, and response capabilities on endpoints (devices) in an organization's network. EDR solutions use behavior-based analysis and heuristics to detect and respond to potential threats.
122
