CompTIA Security+ Flashcards
An engineer needs to find a solution that creates an added layer of security by preventing unauthorized access to internal company resources. Which of the following would be the best solution?
* RDP server
* Jump server
* Proxy server
* Hypervisor
Answer: JUMP SERVER | Secure gateway requiring authentication before accessing internal systems
RDP server: While RDP can be used for remote access, it doesn’t provide the same level of security as a jump server, as it directly connects users to internal systems.
Proxy server: Proxy servers are primarily used for caching and filtering network traffic, not for preventing unauthorized access.
Hypervisor: Hypervisors are used for virtualization and don’t directly address security concerns related to unauthorized access.
Which of the following vulnerabilities is associated with installing software outside of a manufacturer’s approved software repository?
* Jailbreaking
* Memory injection
* Resource reuse
* Side loading
Side Loading | Process of installing software onto a device from sources other than official app store
Jailbreaking: This refers to the process of modifying a device’s operating system to allow for more customization, but it doesn’t directly relate to the risk of installing malicious software.
Memory injection: This is a type of attack that involves injecting malicious code into a running process, but it’s not directly related to the source of the software.
Resource reuse: This is a type of vulnerability that can occur in certain programming languages or frameworks, but it’s not specifically associated with installing software from unofficial sources.
A security analyst is reviewing alerts in the SIEM related to potential malicious network traffic coming from an employee’s corporate laptop. The security analyst has determined that additional data about the executable running on the machine is necessary to continue the investigation. Which of the following logs should the analyst use as a data source?
* Application
* IPS/IDS
* Network
* Endpoint
Endpoint logs capture information about activities and processes running on individual devices
Application logs: While application logs can provide information about specific applications, they may not capture the necessary details about the executable running on the device.
IPS/IDS logs: IPS/IDS logs primarily record network-level traffic and intrusion attempts, which might not provide the specific details about the executable running on the endpoint.
Network logs: Network logs can provide information about network traffic, but they may not capture detailed information about the specific executable running on the device.
A cyber operations team informs a security analyst about a new tactic malicious actors are using to compromise networks. SIEM alerts have not yet been configured. Which of the following best describes what the security analyst should do to identify this behavior?
* Digital Forensics
* E Discovery
* Incident Response
* Threat Hunting
Threat Hunting | Proactively searching for malicious activity within a network
Digital forensics: Digital forensics is typically used to investigate a specific incident or breach after it has occurred. In this case, there is no specific incident to investigate yet.
E-discovery: E-discovery is a legal process for identifying, preserving, retrieving, and producing electronically stored information. It’s not directly relevant to the task of proactively identifying malicious activity.
Incident response: Incident response involves responding to a specific security incident after it has occurred. Since there is no known incident yet, incident response would not be appropriate.
A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?
* Accept
* Transfer
* Mitigate
* Avoid
Transfer | Company is transferring financial risk associated with cyberattacks to insurance provider
A security administrator would like to protect data on employees’ laptops. Which of the following encryption techniques should the security administrator use?
* Partition
* Asymmetric
* Full Disk
* Database
Full Disk Encryption | Encrypts the entire contents of a hard drive - ensuring all data is protected even if the laptop is stolen or lost
Partition: Partitioning divides a hard drive into multiple logical sections, but it doesn’t provide encryption for the data stored on those partitions.
Asymmetric: Asymmetric encryption is a type of encryption that uses a pair of keys (public and private). While it can be used for data encryption, it’s not as suitable for protecting the entire contents of a hard drive.
Database: Database encryption specifically protects data within a database, but it doesn’t protect the entire contents of the laptop.
Which of the following security control types does an acceptable use policy best represent?
* Detective
* Compensating
* Corrective
* Preventive
Preventive -> An AUP is preventive because it outlines rules and guidelines
Which of the following is the most likely to be used to document risks, responsible parties, and thresholds?
* Risk tolerance
* Risk transfer
* Risk register
* Risk analysis
Risk register is the most likely tool to document risks, thresholds, etc.
Risk Tolerance is the level of risk an organization is willing to accept.
Which of the following is used to add extra complexity before using a one-way data transformation algorithm?
* Key stretching
* Data masking
* Steganography
* Salting
Key Stretching - Password or passphrase from cryptographic key
Data Masking: Obscuring or hiding sensitive data
Steganography: Hiding information within other data
Salting: Adding a random value to a password
A company is expanding its threat surface program and allowing individuals to security test the company’s internet-facing application. The company will compensate researchers based on the vulnerabilities discovered. Which of the following best describes the program the company is setting up?
* Open-source intelligence
* Bug bounty - Answer
* Red team
* Penetration testing
Bug Bounty: Program where individuals or groups are rewarded for discovering and reporting vulnerabilities in a company’s systems or applications
Which of the following threat actors is the most likely to use large financial resources to attack critical systems located in other countries?
* Insider
* Unskilled attacker
* Nation-state - Answer
* Hacktivist
Nation State
Which of the following enables the use of an input field to run commands that can view or manipulate data?
* Cross-site scripting
* Side loading
* Buffer overflow
* SQL injection
SQL Injection
A company has begun labeling all laptops with asset inventory stickers and associating them with employee IDs. Which of the following security benefits do these actions provide? (Choose two.)
* If a security incident occurs on the device, the correct employee can be notified.
* The security team will be able to send user awareness training to the appropriate device.
* Users can be mapped to their devices when configuring software MFA tokens.
* User-based firewall policies can be correctly targeted to the appropriate laptops.
* When conducting penetration testing, the security team will be able to target the desired laptops.
* Company data can be accounted for when the employee leaves the organization.
If a security incident occurs on the device && company data can be accounted for when the employee leaves the organization
A technician wants to improve the situational and environmental awareness of existing users as they transition from remote to in-office work. Which of the following is the best option?
* Send out periodic security reminders.
* Update the content of new hire documentation.
* Modify the content of recurring training. -ANSWER
* Implement a phishing campaign.
Modify the content of recurring training
A systems administrator receives the following alert from a file integrity monitoring tool: The hash of the cmd.exe file has changed. The systems administrator checks the OS logs and notices that no patches were applied in the last two months. Which of the following most likely occurred?
* The end user changed the file permissions.
* A cryptographic collision was detected.
* A snapshot of the file system was taken.
* A rootkit was deployed.
Rootkit: Type of malicious software that is designed to gain unauthorized access to a computer system and maintain control
Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?
* Client
* Third-party vendor
* Cloud provider
* DBA
Client: In an Infrastructure as a Service (IaaS) model, the client takes on most of the responsibility
A client asked a security company to provide a document outlining the project, the cost, and the completion time frame. Which of the following documents should the company provide to the client?
* MSA
* SLA –Service Level Agreement
* BPA –Business plan analysis
* SOW- Statement of Work
Statement of Work
Which of the following must be considered when designing a high-availability network?
* Ease of Recovery
* Ability to Patch
* Physical Isolation
* Responsiveness
* Attack Surface
* Extensible Authentication
Ease of Recovery && Responsiveness
Which of the following is the most likely outcome if a large bank fails an internal PCI DSS compliance assessment?
* Fines
* Audit findings
* Sanctions
* Reputation damage
Audit Findings
KEY is the internal PCI DSS
A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step?
A. Capacity planning
B. Redundancy
C. Geographic dispersion
D. Tabletop exercise
Capacity Planning
Which of the following can best protect against an employee inadvertently installing malware on a company system?
A. Host-based firewall
B. System isolation
C. Least privilege
D. Application allow list
Application Allow List is a policy that restricts installation and execution on company systems to only approved applications.
Which of the following describes the reason root cause analysis should be conducted as part of incident response?
A. To gather IoCs for the investigation
B. To discover which systems have been affected
C. To eradicate any trace of malware on the network
D. To prevent future incidents of the same nature
Prevent future incidents of the same nature
Which of the following is the phase in the incident response process when a security analyst reviews roles and responsibilities?
A. Preparation
B. Recovery
C. Lessons learned
D. Analysis
Preparation
The management team notices that new accounts that are set up manually do not always have correct access or permissions. Which of the following automation techniques should a systems administrator use to streamline account creation?
A. Guard rail script
B. Ticketing workflow
C. Escalation script
D. User provisioning script
User Provisioning Script
A company is planning to set up a SIEM system and assign an analyst to review the logs on a weekly basis. Which of the following types of controls is the company setting up?
A. Corrective
B. Preventive
C. Detective
D. Deterrent
A technician is opening ports on a firewall for a new system being deployed and supported by a SaaS provider. Which of the following is a risk in the new system?
* Default credentials
* Non-segmented network-Answer
* Supply chain vendor
* Vulnerable software
Vulnerable Software: Outdated or Unpatched Software
A systems administrator is working on a solution with the following requirements: * Provide a secure zone. * Enforce a company-wide access control policy. * Reduce the scope of threats. Which of the following is the systems administrator setting up?
* Zero Trust
* AAA
* Non-repudiation
* CIA
Zero Trust
Which of the following involves an attempt to take advantage of database misconfigurations?
A. Buffer overflow
B. SQL injection
C. VM escape
D. Memory injection
SQL Injection
Which of the following is used to validate a certificate when it is presented to a user?
A. OCSP- Online Certificate Status Protocol
B. CSR - Certificate Signing Request
C. CA – Cert Authority
D. CRC- Cyclic Redundancy Check
OCSP
Which of the following actions could a security engineer take to ensure workstations and servers are properly monitored for unauthorized changes and software?
A. Configure all systems to log scheduled tasks.
B. Collect and monitor all traffic exiting the network.
C. Block traffic based on known malicious signatures.
D. Install endpoint management software on all systems
Install endpoint management software on all systems
One of a company’s vendors sent an analyst a security bulletin that recommends a BIOS update. Which of the following vulnerability types is being addressed by the patch?
A. Virtualization
B. Firmware
C. Application
D. Operating system
Firmware
Which of the following is used to quantitatively measure the criticality of a vulnerability?
A. CVE- Common Vulnerabilities and Exposures
B. CVSS - Common Vulnerability Scoring System
C. CIA- Confidentiality, Integrity, and Availability
D. CERT- Computer Emergency Response Team
CVSS - Common Vulnerability Scoring System
Which of the following would the security analyst conclude for this reported vulnerability?
A. It is a false positive.
B. A rescan is required.
C. It is considered noise.
D. Compensating controls exist.
It is a false positive.
An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting?
A. Data in use
B. Data in transit
C. Geographic restrictions
D. Data sovereignty
Data in transit
Which of the following should a systems administrator use to ensure an easy deployment of resources within the cloud provider?
* Software as a service
* Infrastructure as code
* Internet of Things
* Software-defined networking
Infrastructure as code
An organization disabled unneeded services and placed a firewall in front of a business-critical legacy system. Which of the following best describes the actions taken by the organization?
* Exception
* Segmentation
* Risk transfer
* Compensating controls
Compensating Controls
After a security awareness training session, a user called the IT help desk and reported a suspicious call. The suspicious caller stated that the Chief Financial Officer wanted credit card information in order to close an invoice. Which of the following topics did the user recognize from the training?
* Insider threat
* Email phishing
* Social engineering
* Executive whaling
Social Engineering
A security consultant needs secure, remote access to a client environment. Which of the following should the security consultant most likely use to gain access?
* EAP- Extensible Authentication Protocol
* DHCP - Dynamic Host Configuration Protocol
* IPSec- Internet Protocol Security
* NAT- Network Address Translation
IPSec - Internet Protocol Security
Which of the following is a hardware-specific vulnerability?
A. Firmware version - Answer
B. Buffer overflow
C. SQL injection
D. Cross-site scripting
Firmware Version
Which of the following would be the best way to block unknown programs from executing?
A. Access control list
B. Application allow list
C. Host-based firewall
D. DLP solution
Application Allow List
A company hired a consultant to perform an offensive security assessment covering penetration testing and social engineering. Which of the following teams will conduct this assessment activity?
* White
* Purple
* Blue
* Red
Red
Malware spread across a company’s network after an employee visited a compromised industry blog. Which of the following best describes this type of attack?
* Impersonation
* Disinformation
* Watering-hole
* Smishing
Watering Hole: attack targets a specific group of people by compromising websites or blogs they frequently visit
Which of the following tools can assist with detecting an employee who has accidentally emailed a file containing a customer’s PII?
A. SCAP
B. NetFlow
C. Antivirus
D. DLP
Data Loss Prevention: Solutions that are specifically designed to identify, monitor, and protect sensitive data, including PII
A company purchased cyber insurance to address items listed on the risk register. Which of the following strategies does this represent?
A. Accept
B. Transfer
C. Mitigate
D. Avoid
Transfer
Which of the following allows for the attribution of messages to individuals?
A. Adaptive identity
B. Non-repudiation
C. Authentication
D. Access logs
Non-repudiation
A company’s marketing department collects, modifies, and stores sensitive customer data. The infrastructure team is responsible for securing the data while in transit and at rest. Which of the following data roles describes the customer?
* Processor
* Custodian
* Subject
* Owner
Subject
A software development manager wants to ensure the authenticity of the code created by the company. Which of the following options is the most appropriate?
A. Testing input validation on the user input fields
B. Performing code signing on company-developed software - Answer
C. Performing static code analysis on the software
D. Ensuring secure cookies are used
Performing code signing on company-developed software
A security administrator is deploying a DLP solution to prevent the exfiltration of sensitive customer data. Which of the following should the administrator do first?
* Block access to cloud storage websites.
* Create a rule to block outgoing email attachments.
* Apply classifications to the data.
* Remove all user permissions from shares on the file server.
Apply classifications to the data
Which of the following security concepts is the best reason for permissions on a human resources fileshare to follow the principle of least privilege?
A. Integrity
B. Availability
C. Confidentiality
D. Non-repudiation
Confidentiality
Rules of Engagement
A security administrator needs a method to secure data in an environment that includes some form of checks to track any changes. Which of the following should the administrator set up to achieve this goal?
* SPF – Sender Policy Framework
* GPO – Group Policy Object
* NAC – Network Equipment Center
* FIM – File Integrity Monitoring
File Integrity Monitor (FIM)
An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to evaluate? TRICKY QUESTION
* Secured zones
* Subject role
* Adaptive identity
* Threat scope reduction
Subject to the Role
Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?
A. Hacktivist
B. Whistleblower
C. Organized crime-Answer
D. Unskilled attacker
Organized Crime
Which of the following threat actors is the most likely to use large financial resources to attack critical systems located in other countries?
A. Insider
B. Unskilled attacker
C. Nation-state - Answer
D. Hacktivist
Nation State
An IT manager informs the entire help desk staff that only the IT manager and the help desk lead will have access to the administrator console of the help desk software. Which of the following security techniques is the IT manager setting up?
A. Hardening
B. Employee monitoring
C. Configuration enforcement
D. Least privilege
Least privilege
An organization is struggling with scaling issues on its VPN concentrator and internet circuit due to remote work. The organization is looking for a software solution that will allow it to reduce traffic on the VPN and internet circuit, while still providing encrypted tunnel access to the data center and monitoring of remote employee internet traffic. Which of the following will help achieve these objectives?
A. Deploying a SASE (secure access service edge) solution to remote employees
B. Building a load-balanced VPN solution with redundant internet
C. Purchasing a low-cost SD-WAN solution for VPN traffic
D. Using a cloud provider to create additional VPN concentrators
Deploying a SASE (secure access service edge) solution to remote employees
Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?
A. Client
B. Third-party vendor
C. Cloud provider
D. DBA
Client
Which of the following is required for an organization to properly manage its restore process in the event of system failure?
* A. IRP
* B. DRP
* C. RPO
* D. SDLC
DRP
Which of the following practices would be best to prevent an insider from introducing malicious code into a company’s development process?
A. Code scanning for vulnerabilities
B. Open-source component usage
C. Quality assurance testing
D. Peer review and approval
Peer Review & Approval
A company decided to reduce the cost of its annual cyber insurance policy by removing the coverage for ransomware attacks. Which of the following analysis elements did the company most likely use in making this decision?
* MTTR
* RTO
* ARO
* MTBF
A. MTTR-mean time to repair
B. RTO-recovery time objective
C. ARO- annualized rate of occurrence - Answer
D. MTBF-Mean time between Failures
An organization is leveraging a VPN between its headquarters and a branch location. Which of the following is the VPN protecting?
A. Data in use
B. Data in transit
C. Geographic restrictions
D. Data sovereignty
Data In Transit
An administrator notices that several users are logging in from suspicious IP addresses. After speaking with the users, the administrator determines that the employees were not logging in from those IP addresses and resets the affected users’ passwords. Which of the following should the administrator implement to prevent this type of attack from succeeding in the future?
A. Multifactor authentication
B. Permissions assignment
C. Access management
D. Password complexity
Multifactor Authentication
An organization’s internet-facing website was compromised when an attacker exploited a buffer overflow. Which of the following should the organization deploy to best protect against similar attacks in the future?
A. NGFW
B. WAF - Answer
C. TLS
D. SD-WAN
Web Application Firewall (WAF)
During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization’s network. Which of the following fulfills this request?
A. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
C. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
A company is developing a business continuity strategy and needs to determine how many staff members would be required to sustain the business in the case of a disruption. Which of the following best describes this step?
A. Capacity planning- Answer
B. Redundancy
C. Geographic dispersion
D. Tabletop exercise
Capacity Planning
A company is concerned about weather events causing damage to the server room and downtime. Which of the following should the company consider?
A. Clustering servers
B. Geographic dispersion - Answer
C. Load balancers
D. Off-site backups
Geographic Dispersion
A security operations center determines that the malicious activity detected on a server is normal. Which of the following activities describes the act of ignoring detected activity in the future?
A. Tuning
B. Aggregating
C. Quarantining
D. Archiving
Tuning
Which of the following should a security administrator adhere to when setting up a new set of firewall rules?
A. Disaster recovery plan
B. Incident response procedure
C. Business continuity plan
D. Change management procedure
Change management procedure outlines the steps and approvals required for making changes to IT systems, including firewall rules
Which of the following is used to quantitatively measure the criticality of a vulnerability?
A. CVE- Common Vulnerabilities and Exposures
B. CVSS - Common Vulnerability Scoring System
C. CIA- Confidentiality, Integrity, and Availability
D. CERT- Computer Emergency Response Team
B. CVSS - Common Vulnerability Scoring System
A security team is reviewing a report. One of the findings indicated that a web application form field is vulnerable to cross-site scripting. Which of the following application security techniques should the security analyst recommend the developer implement to prevent this vulnerability?
* Secure Cookies
* Version Control
* Input Validation
* Code Signing
Input Validation
Cross-site scripting occurs when an application allows user input to be executed as code in the browser. Proper input validation ensures that any input data is sanitized and does not contain executable scripts or malicious content, which can protect the application from XSS attacks.
A security engineer is implementing FDE for all laptops in an organization. Which of the following are the most important for the engineer to consider as part of the planning process? (Choose two.)
A. Key escrow
B. TPM presence
C. Digital signatures
D. Data tokenization
E. Public key management
F. Certificate authority linking
TPM presence: A Trusted Platform Module (TPM) is a hardware component that can securely generate, store, and manage cryptographic keys. It’s essential for FDE as it provides a secure and tamper-resistant environment for key storage and management.
Public key management: FDE uses public key cryptography, which involves a pair of keys: a public key and a private key. The public key is used to encrypt data, while the private key is used to decrypt it. Proper public key management is crucial to ensure that data can be decrypted and accessed when needed.
What is CVSS?
Common Vulnerability Scoring System scores range from 0 to 10, with higher scores indicating more severe vulnerabilities.
A security analyst is reviewing the source code of an application in order to identify misconfigurations and vulnerabilities. Which of the following kinds of analysis best describes this review?
* Dynamic
* Static
* Gap
* Impact
Static analysis involves examining the code without actually executing it, looking for potential issues like vulnerabilities and misconfigurations.
Dynamic analysis involves running the application to observe its behavior and identify security issues.
Gap analysis is a process of comparing the current state of a system against a desired or ideal state.
Impact analysis assesses the potential consequences of a security incident.
A systems administrator deployed a monitoring solution that does not require installation on the endpoints that the solution is monitoring. Which of the following is described in this scenario?
A. Agentless solution
B. Client-based solution
C. Open port
D. File-based solution
Agentless Solution
An organization requests a third-party full-spectrum analysis of its supply chain. Which of the following would the analysis team use to meet this requirement?
A. Vulnerability scanner
B. Penetration test
C. SCAP –Security Content Automation protocol
D. Illumination tool
A company web server is initiating outbound traffic to a low-reputation, public IP on a non-standard port. The web server is used to present an unauthenticated page to clients who upload images to the company. An analyst notices a suspicious process running on the server that was not created by the company development team. Which of the following is the most likely explanation for this security incident?
A. A web shell has been deployed to the server through the page.
B. A vulnerability has been exploited to deploy a worm to the server.
C. Malicious insiders are using the server to mine cryptocurrency.
D. Attackers have deployed a rootkit Trojan to the server over an exposed RDP port.
A web shell has been deployed to the server through the page.
A malicious update was distributed to a common software platform and disabled services at many organizations. Which of the following best describes this type of vulnerability?
A. DDoS attack
B. Rogue employee
C. Insider threat
D. Supply chain
Supply Chain
A security officer is implementing a security awareness program and has placed security-themed posters around the building and assigned online user training. Which of the following will the security officer most likely implement?
A. Password policy
B. Access badges
C. Phishing campaign
D. Risk assessment
Phishing Campaign
An organization wants to improve the company’s security authentication method for remote employees. Given the following requirements:
* Must work across SaaS and internal network applications
* Must be device manufacturer agnostic
* Must have offline capabilities
Which of the following would be the most appropriate authentication method?
A. Username and password
B. Biometrics
C. SMS verification
D. Time-based tokens
Time Based Tokens
Which of the following is a common data removal option for companies that want to wipe sensitive data from hard drives in a repeatable manner but allow the hard drives to be reused?
A. Sanitization
B. Formatting
C. Degaussing
D. Defragmentation
Sanitization
A security administrator notices numerous unused, non-compliant desktops are connected to the network. Which of the following actions would the administrator most likely recommend to the management team?
A. Monitoring
B. Decommissioning
C. Patching
D. Isolating
Decommissioning
A systems administrator would like to create a point-in-time backup of a virtual machine. Which of the following should the administrator use?
A. Replication
B. Simulation
C. Snapshot
D. Containerization
Snapshot
A security analyst at an organization observed several user logins from outside the organization’s network. The analyst determined that these logins were not performed by individuals within the organization. Which of the following recommendations would reduce the likelihood of future attacks? (Choose two.)
A. Disciplinary actions for users
B. Conditional access policies
C. More regular account audits
D. Implementation of additional authentication factors
E. Enforcement of content filtering policies
F. A review of user account permissions
Conditional Access Policies and Implementation of additional authentication factors
A security team is addressing a risk associated with the attack surface of the organization’s web application over port 443. Currently, no advanced network security capabilities are in place. Which of the following would be best to set up? (Choose two.)
A. NIDS –Answer
B. Honeypot
C. Certificate revocation list
D. HIPS
E. WAF –Answer
F. SIEM
Web Application Firewall (WAF) and Network Intrusion Detection System (NIDS)
NIDS can monitor network traffic for signs of malicious activity - detect and alert the security team
Which of the following is the best resource to consult for information on the most common application exploitation methods?
A. OWASP –Answer
B. STIX
C. OVAL
D. Threat intelligence feed
E. Common Vulnerabilities and Exposures
OWASP
An organization experienced a security breach that allowed an attacker to send fraudulent wire transfers from a hardened PC exclusively to the attacker’s bank through remote connections. A security analyst is creating a timeline of events and has found a different PC on the network containing malware. Upon reviewing the command history, the analyst finds the following:
PS>.\mimikatz.exe “sekurlsa::pth /user:localadmin /domain:corp-domain.com /ntlm:B4B9B02E1F29A3CF193EAB28C8D617D3F327
Which of the following best describes how the attacker gained access to the hardened PC?
A. The attacker created fileless malware that was hosted by the banking platform.
B. The attacker performed a pass-the-hash attack using a shared support account.
C. The attacker utilized living-off-the-land binaries to evade endpoint detection and response software.
D. The attacker socially engineered the accountant into performing bad transfers.
The attacker performed a pass-the-hash attack using a shared support account
During an annual review of the system design, an engineer identified a few issues with the currently released design. Which of the following should be performed next according to best practices?
A. Risk management process
B. Product design process
C. Design review process
D. Change control process
Change Control Process
A development team is launching a new public-facing web product. The Chief Information Security Officer has asked that the product be protected from attackers who use malformed or invalid inputs to destabilize the system. Which of the following practices should the development team implement?
A. Fuzzing
B. Continuous deployment
C. Static code analysis
D. Manual peer review
Fuzzing
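Fuzzing answers this question because it is the only listed practice that actually generates the malformed and invalid inputs the CISO is worried about and observes what the code does with them. The following is an added example, not part of the original flashcard set, of a minimal mutation fuzzer run against a toy record parser in two versions: one that trusts its input and one that validates it. The record format, the parser and the seed input are all constructed for the example.

```python
import random
from typing import Callable, Dict, List


class ParseError(Exception):
    """The one exception a robust parser is allowed to raise on bad input."""


def parse_record_vulnerable(data: bytes) -> dict:
    """Parses 'NAME:LENGTH:PAYLOAD' but trusts its input, so malformed messages
    escape as IndexError, ValueError or UnicodeDecodeError instead of ParseError.
    In a long-running service each of those is an unhandled exception: an easy
    denial of service for anyone who can send one bad message."""
    parts = data.split(b":", 2)
    name = parts[0].decode("ascii")      # UnicodeDecodeError on a non-ASCII byte
    length = int(parts[1])               # IndexError if missing, ValueError if not a number
    payload = parts[2][:length]          # IndexError if missing; silently truncates otherwise
    return {"name": name, "length": length, "payload": payload}


def parse_record_hardened(data: bytes) -> dict:
    """Same format; every assumption about the input is checked before use."""
    if len(data) > 4096:
        raise ParseError("record too long")
    parts = data.split(b":", 2)
    if len(parts) != 3:
        raise ParseError("expected NAME:LENGTH:PAYLOAD")
    name, length_field, payload = parts
    if not name.isalnum():               # bytes.isalnum() accepts only ASCII letters/digits
        raise ParseError("name must be ASCII alphanumeric")
    if not length_field.isdigit():
        raise ParseError("length must be decimal digits")
    length = int(length_field)
    if length != len(payload):
        raise ParseError("declared length does not match payload")
    return {"name": name.decode("ascii"), "length": length, "payload": payload}


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: overwrite, insert or delete a byte, or truncate."""
    data = bytearray(seed)
    op = rng.choice(["overwrite", "insert", "delete", "truncate"])
    if op == "overwrite" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "insert":
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif op == "delete" and data:
        del data[rng.randrange(len(data))]
    elif op == "truncate" and data:
        del data[rng.randrange(len(data)):]
    return bytes(data)


def fuzz(parser: Callable[[bytes], dict], seed: bytes, iterations: int = 500,
         rng_seed: int = 1) -> Dict[str, bytes]:
    """Feed `iterations` mutated inputs to `parser`. Returns, per unexpected
    exception type, the first input that triggered it. ParseError is the
    parser's contract and is not counted as a crash."""
    rng = random.Random(rng_seed)        # fixed seed so a finding is reproducible
    corpus: List[bytes] = [seed]
    crashes: Dict[str, bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            parser(candidate)
        except ParseError:
            continue                     # rejected cleanly: expected behaviour
        except Exception as exc:         # anything else is a robustness bug
            crashes.setdefault(type(exc).__name__, candidate)
            continue
        corpus.append(candidate)         # accepted input becomes a new seed
    return crashes


if __name__ == "__main__":
    seed = b"login:5:alice"
    for name, parser in [("vulnerable", parse_record_vulnerable),
                         ("hardened", parse_record_hardened)]:
        print(name, fuzz(parser, seed))
```

The fuzzer has no notion of what a valid record is; it only knows the parser's contract (raise `ParseError`, nothing else) and reports every input that breaks it. That is the same division of labour a real fuzzer such as a coverage-guided one uses, with the crash oracle being a signal or sanitizer report instead of a Python exception.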
A security analyst recently read a report about a flaw in several of the organization’s printer models that causes credentials to be sent over the network in cleartext, regardless of the encryption settings. Which of the following would be best to use to validate this finding?
A. Wireshark
B. netcat
C. Nessus
D. Nmap
Wireshark
A third-party vendor is moving a particular application to the end-of-life stage at the end of the current year. Which of the following is the most critical risk if the company chooses to continue running the application?
A. Lack of security updates
B. Lack of new features
C. Lack of support
D. Lack of source code access
Lack of Security Updates
Which of the following physical controls can be used to both detect and deter? (Choose two.)
A. Lighting
B. Fencing
C. Signage
D. Sensor
E. Bollard
F. Lock
Lighting and Sensor
The author of a software package is concerned about bad actors repackaging and inserting malware into the software. The software download is hosted on a website, and the author exclusively controls the website’s contents. Which of the following techniques would best ensure the software’s integrity?
A. Input validation
B. Code signing
C. Secure cookies
D. Fuzzing
Code Signing
A multinational bank hosts several servers in its data center. These servers run a business-critical application used by customers to access their account information. Which of the following should the bank use to ensure accessibility during peak usage times?
A. Load balancer
B. Cloud backups
C. Geographic dispersal
D. Disk multipathing
Load Balancer
Which of the following data roles is responsible for identifying risks and appropriate access to data?
A. Owner
B. Custodian
C. Steward
D. Controller
Owner
A company hired an external consultant to assist with required system upgrades to a critical business application. A systems administrator needs to secure the consultant’s access without sharing passwords to critical systems. Which of the following solutions should most likely be utilized?
A. TACACS+
B. SAML
C. An SSO platform
D. Role-based access control
E. PAM software
Privileged Access Management (PAM) software provides a centralized platform for managing and controlling privileged accounts: the consultant is granted a brokered session or a checked-out, rotated credential for the time needed, so the passwords to critical systems are never shared.
During a penetration test, a flaw in the internal PKI was exploited to gain domain administrator rights using specially crafted certificates. Which of the following remediation tasks should be completed as part of the cleanup phase?
A. Updating the CRL
B. Patching the CA
C. Changing passwords
D. Implementing SOAR
Patching the Certificate Authority
A company wants to implement MFA. Which of the following enables the additional factor while using a smart card?
A. PIN
B. Hardware token
C. User ID
D. SMS
PIN
Which of the following best describes a social engineering attack that uses a targeted electronic messaging campaign aimed at a Chief Executive Officer?
A. Whaling
B. Spear phishing
C. Impersonation
D. Identity fraud
Whaling
A security administrator needs to create firewall rules for the following protocols: RTP, SIP, H.323. and SRTP. Which of the following does this rule set support?
A. RTOS-Real Time Operating System
B. VoIP
C. SoC-system on a chip
D. HVAC-heating, vent, air conditioning
VoIP
A company wants to reduce the time and expense associated with code deployment. Which of the following technologies should the company utilize?
A. Serverless architecture
B. Thin clients
C. Private cloud
D. Virtual machines
Serverless Architecture
A company is adding a clause to its AUP (Acceptable Use Policy) that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?
A. Cross-site scripting
B. Buffer overflow
C. Jailbreaking
D. Side loading
Jailbreaking is the process of removing restrictions imposed by the manufacturer on a mobile device’s operating system. This allows users to install unauthorized apps and modify the device’s software. Jailbreaking can introduce security vulnerabilities and compromise the device’s integrity.
A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO’s report?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime
Organized Crime
An administrator assists the legal and compliance team with ensuring information about customer transactions is archived for the proper time period. Which of the following data policies is the administrator carrying out?
A. Compromise
B. Retention
C. Analysis
D. Transfer
E. Inventory
Retention
A company is discarding a classified storage array and hires an outside vendor to complete the disposal. Which of the following should the company request from the vendor?
A. Certification
B. Inventory list
C. Classification
D. Proof of ownership
Certification | Certification of Disposal
After an audit, an administrator discovers all users have access to confidential data on a file server. Which of the following should the administrator use to restrict access to the data quickly?
A. Group Policy
B. Content filtering
C. Data loss prevention
D. Access control lists
Access Control Lists
After a recent vulnerability scan, a security engineer needs to harden the routers within the corporate network. Which of the following is the most appropriate to disable?
A. Console access
B. Routing protocols
C. VLANs
D. Web-based administration
Web Based Administration
A security administrator is hardening corporate systems and applying appropriate mitigations by consulting a real-world knowledge base for adversary behavior. Which of the following would be best for the administrator?
- MITRE ATT&CK
- CSIRT
- CVSS
- SOAR
MITRE ATT&CK is a comprehensive knowledge base of adversary tactics, techniques, and procedures (TTPs) that security professionals use to understand and defend against real-world cyber threats.
CSIRT (Computer Security Incident Response Team): A team responsible for responding to security incidents and coordinating responses.
CVSS (Common Vulnerability Scoring System): A system used to assess the severity of security vulnerabilities, but it doesn’t focus on adversary behaviors.
SOAR (Security Orchestration, Automation, and Response): A platform for automating and coordinating incident response workflows across security tools; it does not document adversary behavior.
A coffee shop owner wants to restrict access to only paying customers by prompting them for a receipt number. Which of the following is the best method to use given this requirement?
* WPA3
* Captive Portal
* PSK
* IEEE 802.1X
Captive Portal is a web page that users must interact with before gaining access to a network. It is commonly used in places like coffee shops, hotels, and airports, where users are required to enter credentials, such as a receipt number or voucher, to get internet access.
A city municipality lost its primary data center when a tornado hit the facility. Which of the following should the city staff use immediately after the disaster to handle essential public services?
* BCP
* Communication Plan
* DRP
* IRP
DRP - Disaster Recovery Plan
An auditor discovered multiple insecure ports on some servers. Other servers were found to have legacy protocols. Which of the following tools did the auditor use to discover these issues?
* Nessus
* curl
* Wireshark
* netcat
Nessus is a popular vulnerability scanner that can detect open ports, insecure services, and outdated or vulnerable protocols on servers. It performs comprehensive scans to identify misconfigurations, vulnerabilities, and compliance issues.
An administrator is installing an LDAP browser tool in order to view objects in the corporate LDAP directory. Secure connections to the LDAP server are required. When the browser connects to the server, certificate errors are being displayed, and then the connection is terminated. Which of the following is the most likely solution?
A. The administrator should allow SAN certificates in the browser configuration.
B. The administrator needs to install the server certificate into the local truststore.
C. The administrator should request that the secure LDAP port be opened to the server.
D. The administrator needs to increase the TLS version on the organization’s RA
B. The administrator needs to install the server certificate into the local truststore.
Which of the following describes effective change management procedures?
A. Approving the change after a successful deployment
B. Having a backout plan when a patch fails
C. Using a spreadsheet for tracking changes
D. Using an automatic change control bypass for security updates
Having a backout plan when a patch fails
Which of the following best describes the risk present after controls and mitigating factors have been applied?
A. Residual
B. Avoided
C. Inherent
D. Operational
Residual
A bank set up a new server that contains customers’ PII. Which of the following should the bank use to make sure the sensitive data is not modified?
A. Full disk encryption
B. Network access control
C. File integrity monitoring
D. User behavior analytics
File Integrity Monitor
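File integrity monitoring answers the question because it is the only listed control that detects modification of the data: it records a cryptographic hash (and metadata) of each file and raises an alert when a later scan no longer matches. The following is an added example, not part of the original flashcard set, of the core of such a monitor. The directory tree, file contents and HMAC key are constructed for the demonstration; a real deployment keeps the key and the sealed baseline off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, dict]:
    """Relative path -> {sha256, size, mode} for every regular file under root."""
    baseline: Dict[str, dict] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": file_digest(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,   # permission bits: a chmod is a change too
            }
    return baseline


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify every path as added, deleted or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def seal_baseline(baseline: Dict[str, dict], key: bytes) -> bytes:
    """Serialize the baseline with an HMAC so that an attacker who can edit the
    monitored files cannot also quietly re-baseline them. The key must live
    off the monitored host (or in an HSM), otherwise the seal proves nothing."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, body, "sha256").hexdigest().encode()
    return mac + b"\n" + body


def open_sealed(blob: bytes, key: bytes) -> Dict[str, dict]:
    """Verify the HMAC before trusting a stored baseline."""
    mac, _, body = blob.partition(b"\n")
    expected = hmac.new(key, body, "sha256").hexdigest().encode()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("baseline failed integrity check; do not trust it")
    return json.loads(body)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "customers.csv").write_text("id,name\n1,alice\n")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "notes.txt").write_text("keep\n")
        key = b"constructed-demo-key"          # assumption: a real key comes from a secret store
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated unauthorized changes: PII edited, a file removed, a file planted.
        (root / "customers.csv").write_text("id,name\n1,mallory\n")
        (root / "notes.txt").unlink()
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")

        return compare(open_sealed(sealed, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points matter in practice. The baseline itself is a target, which is why it is sealed with an HMAC rather than stored as plain JSON next to the data it protects. And a scheduled scan only tells you that something changed since the last run; a production FIM on a PII server would also hook the OS audit subsystem so that the change is attributed to a user and a process at the moment it happens.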
The marketing department set up its own project management software without telling the appropriate departments. Which of the following describes this scenario?
A. Shadow IT
B. Insider threat
C. Data exfiltration
D. Service disruption
Shadow IT
Easy-to-guess passwords led to an account compromise. The current password policy requires at least 12 alphanumeric characters, one uppercase character, one lowercase character, a password history of
two passwords, a minimum password age of one day, and a maximum password age of 90 days. Which of the following would reduce the risk of this incident from happening again? (Choose two.)
A. Increasing the minimum password length to 14 characters.
B. Upgrading the password hashing algorithm from MD5 to SHA-512.
C. Increasing the maximum password age to 120 days.
D. Reducing the minimum password length to ten characters.
E. Reducing the minimum password age to zero days.
F. Including a requirement for at least one special character.
Increase the minimum password length to 14 characters and a requirement for a special character.
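The incident was caused by guessable passwords, so the two changes that raise the cost of guessing are the longer minimum and the extra character class; the hashing algorithm, a longer maximum age or a shorter minimum age do nothing for guessability. The following is an added example, not part of the original flashcard set, that encodes the policy from the question and the hardened version side by side and checks candidate passwords against each. The sample passwords are constructed; the history is kept in plaintext only to keep the example short.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    require_upper: bool = True
    require_lower: bool = True
    require_special: bool = False
    history_size: int = 2        # how many previous passwords may not be reused
    min_age_days: int = 1        # cannot change again sooner than this
    max_age_days: int = 90       # must change by this age


# The policy as stated in the flashcard: 12 characters, upper and lower case,
# history of two, minimum age one day, maximum age 90 days.
CURRENT_POLICY = PasswordPolicy(min_length=12)
# The same policy after the two chosen changes: 14 characters and one special character.
HARDENED_POLICY = PasswordPolicy(min_length=14, require_special=True)

SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


def check_password(candidate: str, policy: PasswordPolicy,
                   history: Sequence[str] = (),
                   current_age_days: Optional[int] = None) -> List[str]:
    """Return every rule the candidate violates; an empty list means accepted.
    `history` holds the previous passwords, newest last (plaintext here only
    to keep the example short; a real system compares against stored hashes)."""
    problems: List[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not re.search(r"[A-Z]", candidate):
        problems.append("missing an uppercase character")
    if policy.require_lower and not re.search(r"[a-z]", candidate):
        problems.append("missing a lowercase character")
    if policy.require_special and not SPECIAL_RE.search(candidate):
        problems.append("missing a special character")
    if policy.history_size and candidate in list(history)[-policy.history_size:]:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    if current_age_days is not None and current_age_days < policy.min_age_days:
        problems.append(f"current password is younger than {policy.min_age_days} day(s)")
    return problems


def password_expired(current_age_days: int, policy: PasswordPolicy) -> bool:
    """True once the current password has reached the maximum age."""
    return current_age_days >= policy.max_age_days


if __name__ == "__main__":
    for pw in ["Passwordpassword", "Password12345", "Correct-Horse-Battery7"]:
        print(pw, "| current:", check_password(pw, CURRENT_POLICY) or "ok",
              "| hardened:", check_password(pw, HARDENED_POLICY) or "ok")
```

Running it shows the gap the question is getting at: `Passwordpassword` satisfies the current policy in full and is rejected only by the hardened one. Composition rules raise the floor but do not stop a user from choosing `Password12345!`, so in practice they are paired with a check against a list of known breached passwords.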
Which of the following risk management strategies should an enterprise adopt first if a legacy application is critical to business operations and there are preventative controls that are not yet implemented?
A. Mitigate
B. Accept
C. Transfer
D. Avoid
Mitigate
A security investigation revealed that malicious software was installed on a server using a server administrator’s credentials. During the investigation, the server administrator explained that Telnet was regularly used to log in. Which of the following most likely occurred?
A. A spraying attack was used to determine which credentials to use.
B. A packet capture tool was used to steal the password.
C. A remote-access Trojan was used to install the malware.
D. A dictionary attack was used to log in as the server administrator.
A Packet Capture Tool was used to Steal the Password
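Telnet carries the login dialogue in cleartext, so anyone with a packet capture on the path sees the administrator's password, which is the point of both this question and the earlier printer question (where Wireshark is the tool to confirm that credentials cross the wire unencrypted). The following is an added example, not part of the original flashcard set, of what the capture tool's output reduces to once the Telnet option negotiation is stripped away: the username and password, reassembled even when the client sends one keystroke per packet. The capture is constructed, not taken from a real network, and the host name, account and password are placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}      # WILL, WONT, DO, DONT: each is followed by one option byte


def strip_telnet_negotiation(raw: bytes) -> bytes:
    """Remove Telnet IAC command sequences, leaving only the user-visible bytes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(raw):
            break                                   # dangling IAC at the end: drop it
        elif raw[i + 1] == IAC:
            out.append(IAC)                         # IAC IAC is an escaped literal 0xFF
            i += 2
        elif raw[i + 1] in NEGOTIATE:
            i += 3                                  # IAC <WILL|WONT|DO|DONT> <option>
        elif raw[i + 1] == SB:
            end = raw.find(bytes([IAC, SE]), i + 2) # IAC SB ... IAC SE
            i = len(raw) if end == -1 else end + 2
        else:
            i += 2                                  # two-byte command (NOP, AYT, ...)
    return bytes(out)


PROMPTS = {
    "username": re.compile(r"(login|user(name)?)\s*:\s*$", re.IGNORECASE),
    "password": re.compile(r"pass(word|wd)?\s*:\s*$", re.IGNORECASE),
}
LINE_END_RE = re.compile(rb"\r\n|\r|\n")


def extract_credentials(packets: List[Tuple[str, bytes]]) -> Dict[str, str]:
    """packets: ("server"|"client", tcp_payload) in capture order.
    Matches what the client types to the prompt the server sent most recently."""
    creds: Dict[str, str] = {}
    pending: Optional[str] = None   # which field the last server prompt was asking for
    client_buf = b""                # clients often send one keystroke per packet; reassemble lines
    for direction, payload in packets:
        data = strip_telnet_negotiation(payload)
        if direction == "server":
            text = data.decode("ascii", "replace")
            for field, rx in PROMPTS.items():
                if rx.search(text):
                    pending = field
            continue
        client_buf += data
        while True:
            m = LINE_END_RE.search(client_buf)
            if not m:
                break
            line, client_buf = client_buf[:m.start()], client_buf[m.end():]
            if pending:
                creds[pending] = line.decode("ascii", "replace")
                pending = None
    return creds


# Constructed capture (not from a real network): option negotiation mixed
# with the login dialogue, the username typed one character per packet and
# echoed back by the server, the password not echoed.
SAMPLE_CAPTURE = [
    ("server", bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20]) + b"\r\nhost01 login: "),
    ("client", bytes([IAC, 0xFB, 0x18]) + b"a"),
    ("server", bytes([IAC, SB, 0x18, 0x01, IAC, SE]) + b"a"),
    ("client", b"d"), ("client", b"m"), ("client", b"i"), ("client", b"n"),
    ("client", b"\r\n"),
    ("server", b"dmin\r\nPassword: "),
    ("client", b"s3cret!\r\n"),
    ("server", b"\r\nWelcome\r\n$ "),
]

if __name__ == "__main__":
    print(extract_credentials(SAMPLE_CAPTURE))
```

Wireshark's "Follow TCP Stream" does the same reassembly interactively, which is why it is the right tool to validate the printer report: if the credentials are readable in the followed stream, encryption is not in effect whatever the device's settings claim. The remediation for the server administrator is the same in both cases: replace Telnet with SSH and treat the captured password as compromised.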
After a company was compromised, customers initiated a lawsuit. The company’s attorneys have requested that the security team initiate a legal hold in response to the lawsuit. Which of the following describes the action the security team will most likely be required to take?
A. Retain the emails between the security team and affected customers for 30 days.
B. Retain any communications related to the security breach until further notice.
C. Retain any communications between security members during the breach response.
D. Retain all emails from the company to affected customers for an indefinite period of time.
B. Retain any communications related to the security breach until further notice.
A manager receives an email that contains a link to receive a refund. After hovering over the link, the manager notices that the domain’s URL points to a suspicious link. Which of the following security practices helped the manager to identify the attack?
A. End user training
B. Policy review
C. URL scanning
D. Plain text email
End user training