CompTIA Flashcards

1
Q

A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator
finds the following output:
Time: 12/25 0300
From Zone: Untrusted
To Zone: DMZ
Attacker: externalip.com
Victim: 172.16.0.20
To Port: 80
Action: Alert
Severity: Critical
Upon examining the PCAP associated with the event, the security administrator finds the following
information:

alert("Click here for important information regarding your account: http://externalip.com/account.php");

Which of the following actions should the security administrator take?

A. Upload the PCAP to the IDS in order to generate a blocking signature to block the traffic
B. Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block
the traffic for future events
C. Implement a host-based firewall rule to block future events of this type from occurring
D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts
A

D. Submit a change request to modify the XSS vulnerability signature to TCP reset on future attempts

2
Q

An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested
site, the browser opens a completely different site. Which of the following types of attacks have MOST likely
occurred? (Select TWO)
A. DNS hijacking
B. Cross-site scripting
C. Domain hijacking
D. Man-in-the-browser
E. Session hijacking

A

A. DNS hijacking
D. Man-in-the-browser

3
Q

After discovering a security incident and removing the affected files, an administrator disabled an unneeded
service that led to the breach. Which of the following steps in the incident response process has the
administrator just completed?

A. Containment
B. Eradication
C. Recovery
D. Identification

A

B. Eradication

4
Q

The president of a company that specializes in military contracts receives a request for an interview. During
the interview, the reporter seems more interested in discussing the president’s family life and personal history
than the details of a recent company success. Of which of the following security concerns is this MOST likely
an example?
A. Insider threat
B. Social engineering
C. Passive reconnaissance
D. Phishing

A

B. Social engineering

5
Q

A company is deploying MFDs in its office to improve employee productivity when dealing with paperwork.
Which of the following concerns is MOST likely to be raised as a possible security issue in relation to these
devices?

A. Sensitive scanned materials being saved on the local hard drive
B. Faulty printer drivers causing PC performance degradation
C. Improperly configured NIC settings interfering with network security
D. Excessive disk space consumption due to storing large documents

A

A. Sensitive scanned materials being saved on the local hard drive

6
Q

A coding error has been discovered on a customer-facing website. The error causes each request to return
confidential PHI data for the incorrect organization. The IT department is unable to identify the specific
customers who are affected. As a result, all customers must be notified of the potential breach. Which of the
following would allow the team to determine the scope of future incidents?

A. Intrusion detection system
B. Database access monitoring
C. Application fuzzing
D. Monthly vulnerability scans

A

B. Database access monitoring

7
Q

A systems developer needs to provide a machine-to-machine interface between an application and a database
server in the production environment. This interface will exchange data once per day. Which of the following
access control account practices would BEST be used in this situation?

A. Establish a privileged interface group and apply read-write permission to the members of the group.
B. Submit a request for account privilege escalation when the data needs to be transferred.
C. Install the application and database on the same server and add the interface to the local administrator
group.
D. Use a service account and prohibit users from accessing this account for development work.

A

D. Use a service account and prohibit users from accessing this account for development work.

8
Q

An authorized user is conducting a penetration scan of a system for an organization. The tester has a set of
network diagrams, source code, version number of applications, and other information about the system,
including hostnames and network addresses. Which of the following BEST describes this type of penetration
test?

A. Gray-box testing
B. Black-box testing
C. White-box testing
D. Blue team exercise
E. Red team exercise

A

C. White-box testing

9
Q

Which of the following should a technician use to protect a cellular phone that is needed for an investigation,
to ensure the data will not be removed remotely?

A. Air gap
B. Secure cabinet
C. Faraday cage
D. Safe

A

C. Faraday cage

10
Q

A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC
refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the
purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the
following MOST accurately describes the security risk presented in this situation?

A. Hardware root of trust
B. UEFI
C. Supply chain
D. TPM
E. Crypto-malware
F. ARP poisoning

A

C. Supply chain

11
Q

A company wants to provide centralized authentication for its wireless system. The wireless authentication
system must integrate with the directory back end. Which of the following is a AAA solution that will provide
the required wireless authentication?

A. TACACS+
B. MSCHAPv2
C. RADIUS
D. LDAP

A

C. RADIUS

12
Q

In a lessons learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated
group of attackers may have been responsible for a breach at a nuclear facility. Which of the following
describes the type of actors that may have been implicated?

A. Nation-state
B. Hacktivist
C. Insider
D. Competitor

A

A. Nation-state

13
Q

A contracting company recently completed its period of performance on a government contract and would like
to destroy all information associated with contract performance. Which of the following is the best NEXT step
for the company to take?

A. Consult data disposition policies in the contract
B. Use a pulper or pulverizer for data destruction
C. Retain the data for a period of no more than one year
D. Burn hard copies containing PII or PHI

A

A. Consult data disposition policies in the contract

14
Q

When accessing a popular website, a user receives a warning that the certificate for the website is not valid.
Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other
users. Which of the following is the MOST likely cause for this?

A. The certificate is corrupted on the server
B. The certificate was deleted from the local cache
C. The user needs to restart the machine
D. The system date on the user’s device is out of sync

A

D. The system date on the user’s device is out of sync

15
Q

A user is unable to obtain an IP address from the corporate DHCP server. Which of the following is MOST
likely the cause?

A. Default configuration
B. Resource exhaustion
C. Memory overflow
D. Improper input handling

A

B. Resource exhaustion

16
Q

A video-game developer has received reports of players who are cheating. Each game player has five
capabilities that are ranked on a scale of 1 to 10 points, with 10 total points available for balance. Players can
move these points between capabilities at any time. The programming logic is as follows:
1. A player asks to move points from one capability to another.
2. The source capability must have enough points to allow the move.
3. The destination capability must not exceed 10 after the move.
4. The move from the source capability to the destination capability is then completed.
The time stamps of the game logs show each step of the transfer process takes about 900ms. However, the
time stamps of the cheating players show capability transfers at the exact same time. The cheating players
have 10 points in multiple capabilities. Which of the following is MOST likely being exploited to allow these
capability transfers?

A. TOC/TOU
B. CSRF
C. Memory leak
D. XSS
E. SQL injection
F. Integer overflow

A

A. TOC/TOU

17
Q

A security engineer wants to introduce key stretching techniques to the account database to make password
guessing attacks more difficult. Which of the following should be considered to achieve this? (Select TWO).

A. Digital signature
B. bcrypt
C. Perfect forward secrecy
D. SHA-256
E. P-384
F. PBKDF2
G. Record-level encryption

A

B. bcrypt
F. PBKDF2

18
Q

A security engineer is working to secure an organization’s VMs. While reviewing the workflow for creating VMs
on demand, the engineer raises a concern about the integrity of the secure boot process of the VM guest.
Which of the following would BEST address this concern?

A. Configure file integrity monitoring of the guest OS.
B. Enable the vTPM on a Type 2 hypervisor.
C. Only deploy servers that are based on a hardened image.
D. Protect the memory allocation of a Type 1 hypervisor.

A

A. Configure file integrity monitoring of the guest OS.

19
Q

The security administrator of a small firm wants to stay current on the latest security vulnerabilities and attack
vectors being used by crime syndicates and nation-states. The information must be actionable and reliable.
Which of the following would BEST meet the needs of the security administrator?

A. Software vendor threat reports
B. White papers
C. Security blogs
D. Threat data subscription

A

D. Threat data subscription

20
Q

An organization is deploying IoT locks, sensors, and cameras, which operate over 802.11, to replace legacy
building access control systems. These devices are capable of triggering physical access changes, including
locking and unlocking doors and gates. Unfortunately, the devices have known vulnerabilities for which the
vendor has yet to provide firmware updates. Which of the following would BEST mitigate this risk?

A. Direct wire the IoT devices into physical switches and place them on an exclusive VLAN.
B. Require sensors to sign all transmitted unlock control messages digitally.
C. Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS.
D. Implement an out-of-band monitoring solution to detect message injections and attempts.

A

C. Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS.

21
Q

Users have reported that an internally developed web application is acting erratically, and the response output
is inconsistent. The issue began after a web application dependency patch was applied to improve security.
Which of the following would be the MOST appropriate tool to help identify the issue?

A. Fuzzer
B. SCAP scanner
C. Vulnerability scanner
D. HTTP interceptor

A

D. HTTP interceptor

22
Q

A consultant is planning an assessment of a customer-developed system. The system consists of a custom-
engineered board with modified open-source drivers and a one-off management GUI. The system relies on
two-factor authentication for interactive sessions, employs strong certificate-based data-in-transit encryption,
and randomly switches ports for each session. Which of the following would yield the MOST useful
information?

A. Password cracker
B. Wireless network analyzer
C. Fuzzing tools
D. Reverse engineering principles

A

D. Reverse engineering principles

23
Q

An organization is facing budget constraints. The Chief Technology Officer (CTO) wants to add a new
marketing platform, but the organization does not have the resources to obtain separate servers to run the
new platform. The CTO recommends running the new marketing platform on a virtualized video-conferencing
server because video conferencing is rarely used. The Chief Information Security Officer (CISO) denies this
request. Which of the following BEST explains the reason why the CISO has not approved the request?

A. Privilege escalation attacks
B. Performance and availability
C. Weak DAR encryption
D. Disparate security requirements

A

D. Disparate security requirements

24
Q

During the incident handling process, an analyst runs the following command:
PS c:>get-filehash c:\windows\system32\cmd.exe
SHA1 cmd.exe cda52a0faca4ac7df32cfb6c8fa09acf42ad5cb7
The original file hash for cmd.exe was:
ab5d7c8faca4ac7df32cfb6c8fa09acf42ad5f12
Which of the following is MOST associated with this indicator of compromise?

A. Virus
B. Rootkit
C. Backdoor
D. Keylogger

A

B. Rootkit

25
Q

While reviewing system logs, a security analyst notices that a large number of end users are changing their
passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their
passwords to circumvent current password controls. Which of the following would provide a technical control
to prevent this activity from occurring?

A. Set password aging requirements.
B. Increase the password history from three to five.
C. Create an AUP that prohibits password reuse.
D. Implement password complexity requirements.

A

A. Set password aging requirements.

26
Q

A security administrator is enhancing the security controls in an organization with respect to the allowed
devices policy. The administrator wrote a .reg file with the code below:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR]
"Start"=dword:00000004
Which of the following BEST represents what the administrator is doing?

A. Changing the name of the USB port
B. Requiring USB device encryption
C. Upgrading the system to USB 3.0
D. Blocking the use of USB devices

A

D. Blocking the use of USB devices