Exam C Flashcards

1
Q

A finance company is legally required to maintain seven years of tax records for all of their customers. Which would be the BEST way to implement this requirement?

A

Create a separate daily backup archive for all applicable tax records
An important consideration for a data retention mandate is to always have access to the information over the proposed time frame. In this example, a daily backup would ensure tax information is constantly archived over a seven-year period and could always be retrieved if needed. If data was inadvertently deleted from the primary storage, the backup would still maintain a copy.

2
Q

A system administrator is designing a data center for an insurance company’s new public cloud and would like to automatically rotate encryption keys on a regular basis. Which of the following would provide this functionality?

A

Key management system
A key management system is used to manage large security key implementations from a central console. This includes creating keys, associating keys with individuals, rotating keys on regular intervals, and logging all key use.

3
Q

A newly installed IPS is flagging a legitimate corporate application as malicious network traffic. Which would be the BEST way to resolve this issue?

A

Tune the IPS alerts
Each signature of an IPS can commonly be tuned to properly alert on a legitimate issue. Tuning the IPS can properly identify and block attacks and allow all legitimate traffic.

4
Q

A security administrator has identified an internally developed application which allows modification of SQL queries through the web-based front-end. Which of the following changes would resolve this vulnerability?

A

Validate all application input
Input validation would examine the input from the client and make sure that the input is expected and not malicious. In this example, validating the input would prevent any SQL (Structured Query Language) injection through the web front-end.

5
Q

A system administrator is implementing a fingerprint scanner to provide access to the data center. Which authentication technology would be associated with this access?

A

Something you are
An authentication factor of “something you are” often refers to a physical characteristic. This factor commonly uses fingerprints, facial recognition, or some other biometric characteristic to match a user to an authentication attempt.

6
Q

The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which BEST describes this recovery metric?

A

MTTR
MTTR (Mean Time To Restore) is the amount of time required to get back up and running. This is sometimes called Mean Time To Repair.

7
Q

A company maintains a server farm in a large data center. These servers are used internally and are not accessible from outside of the data center. The security team has discovered a group of servers was breached before the latest security patches were applied. Breach attempts were not logged on any other servers. Which threat actor would be MOST likely involved in this breach?

A

Insider
None of these servers are accessible from the outside, and the only servers with any logged connections were also susceptible to the latest vulnerabilities. To complete this attack, there would need to be very specific knowledge of the vulnerable systems and a way to communicate with those servers.

8
Q

An organization has received a vulnerability scan report of their Internet-facing web servers. The report shows the servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which would be the BEST way to handle this report?

A

Ignore the JRE vulnerability alert
It’s relatively common for vulnerability scans to show vulnerabilities that don’t actually exist, especially if the scans are not credentialed. An issue that is identified but does not actually exist is a false positive, and it can be dismissed once the alert has been properly researched.

9
Q

A user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user’s overall workstation performance degraded and it now takes twice as much time to perform any tasks on the computer. Which is the BEST description of this malware infection?

A

Trojan
A Trojan horse is malicious software that pretends to be something benign. The user will install the software with the expectation that it will perform a particular function, but in reality it is installing malware on the computer.

10
Q

Which of the following is the process for replacing sensitive data with a non-sensitive and functional placeholder?

A

Tokenization
Tokenization replaces sensitive data with a token, and this token can be used as a functional placeholder for the original data. Tokenization is commonly used with credit card processing and mobile devices.

11
Q

A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires all web server sessions communicate over an encrypted channel. Which rule should the security administrator add to the firewall rulebase?

A

Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow
Most web servers use tcp/443 for HTTPS (Hypertext Transfer Protocol Secure) for encrypted web server communication. This rule allows HTTPS encrypted traffic to be forwarded to the web server over tcp/443.

12
Q

Which of these would be used to provide multi-factor authentication?

A

Smart card with picture ID
A smart card commonly includes a certificate that can be used as a multifactor authentication of something you have. These smart cards are commonly combined with an employee identification card, and often require a separate PIN (Personal Identification Number) as an additional authentication factor.

13
Q

A company’s human resources team maintains a list of all employees participating in the corporate savings plan. A third-party financial company uses this information to manage stock investments for the employees. Which of the following would describe this financial company?

A

Processor
A data processor performs some type of action to the data, and this is often a different group within the organization or a third-party company. In this example, the third-party financial organization is the data processor of the employees’ financial data.

14
Q

A company’s network team has been asked to build an IPsec tunnel to a new business partner. Which security risk would be the MOST important to consider?

A

Supply chain attack
A direct connection to a third-party creates potential access for an attacker. Most organizations will include a firewall to help monitor and protect against any supply chain attacks.

15
Q

A technology company is manufacturing a military-grade radar tracking system designed to identify any nearby unmanned aerial vehicles (UAVs). The UAV detector must be able to instantly identify and react to a vehicle without delay. Which would BEST describe this tracking system?

A

RTOS
This tracking system requires an RTOS (Real-Time Operating System) to instantly react to input without any significant delays or queuing in the operating system. Operating systems used by the military, automobile manufacturers, and industrial equipment companies often use RTOS to process certain transactions without any significant delays.

16
Q

An administrator is writing a script to convert an email message to a help desk ticket and assign the ticket to the correct department. Which should the administrator use to complete this script?

A

Orchestration
Orchestration describes the process of automation, and is commonly associated with large scale automation or automating processes between different systems.

17
Q

A security administrator would like a report showing how many attackers are attempting to use a known vulnerability to gain access to a corporate web server. Which should be used to gather this information?

A

IPS log
An IPS (Intrusion Prevention System) commonly uses a database of known vulnerabilities to identify and block malicious network traffic. This log of attempted exploits would provide the required report information.

18
Q

During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online?

A

Recovery
The recovery phase focuses on getting things back to normal after an attack. This is the phase that removes malware, fixes vulnerabilities, and recovers the damaged systems.

19
Q

A security administrator is installing a web server with a newly built operating system. Which of the following would be the best way to harden this OS?

A

Remove unnecessary software
The process of hardening an operating system makes it more difficult to attack. In this example, the only step that would limit the attack surface is to remove any unnecessary or unused software.

20
Q

An incident response team would like to validate their disaster recovery plans without making any changes to the infrastructure. Which of the following would be the best course of action?

A

Tabletop exercise
A tabletop exercise is a walk-through exercise where the disaster recovery process can be discussed in a conference room without making any changes to the existing systems.

21
Q

A network IPS has created this log entry:
-Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
-Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
-Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
-Transmission Control Protocol, Src Port: 3863, Dst Port: 1433
-Application Data: SELECT * FROM users WHERE username=’x’ or ‘x’=’x’ AND password=’x’ or ‘x’=’x’
Which would describe this log entry?

A

SQL injection
The SQL injection is contained in the application data. The attacker was attempting to circumvent the authentication through the use of equivalent SQL statements (‘x’=’x’).

22
Q

A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on with the default settings, users complain the application in the data center is no longer working. Which would be the BEST way to correct this application issue?

A

Create firewall rules that match the application traffic flow
By default, most firewalls implicitly deny all traffic. Firewall rules must be built to match the traffic flows, and only then will traffic pass through the firewall.

23
Q

Which of these would be used to provide HA for a web-based database application?

A

UPS
HA (High Availability) means the service should always be on and available. The only device on this list providing HA is the UPS (Uninterruptible Power Supply). If power is lost, the UPS will provide electricity using battery power or a gas-powered generator.

24
Q

Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements?

A

ALE
The ALE (Annual Loss Expectancy) is the total amount of the financial loss over an entire year.

25
Q

A network administrator is viewing a log file from a web server:
https://www.example.com/?s=/Index/think/app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][0]=__HelloThinkPHP
Which would be the BEST way to prevent this attack?

A

Input validation
In this example, the attacker is attempting to use a remote code execution exploit. Input validation can be used to create a very specific filter of allowed input, and a strict validation process would have prevented the web server from processing this attack information.

26
Q

Sam would like to send an email to Jack and have Jack verify that Sam was the sender of the email. Which should Sam use to provide this verification?

A

Digitally sign with Sam’s private key
The sender of a message digitally signs with their own private key to ensure integrity, authentication, and non-repudiation of the signed contents. The digital signature is validated with the sender’s public key.

27
Q

The contract of a long-term temporary employee is ending. Which would be the MOST important part of the off-boarding process?

A

Archive the decryption keys associated with the user account
Without the decryption keys, it will be impossible to access any of the user’s protected files once they leave the company. Given the other possible answers, this one is the only one that would result in unrecoverable data loss if not properly followed.

28
Q

A cybersecurity analyst has been asked to respond to a denial of service attack against a web server, and the analyst has collected the log files and data from the server. Which would allow a future analyst to verify the data as original and unaltered?

A

Data hashing
Data hashing creates a unique message digest based on stored data. If the data is tampered with, a hash taken after the change will differ from the original value. This allows the forensic engineer to identify if information has been changed.

29
Q

A security administrator is reviewing authentication logs. The logs show a large number of accounts with at least three failed authentication attempts during the previous week. Which would BEST explain this report data?

A

Spraying
A spraying attack attempts to discover login credentials using a small number of authentication attempts. If the password isn’t discovered in those few attempts, the brute force process stops before any account lockouts occur. An attacker could potentially perform a spraying attack across many accounts without any noticeable alerts or alarms.

30
Q

A security administrator has been asked to block all browsing to casino gaming websites. Which of the following would be the BEST way to implement this requirement?

A

Add a content filter rule
Web filters contain a large database of categorized website addresses, and this allows an administrator to create rules to block browsing attempts to specific content. For example, a content filter may allow browsing to news and business sites, but block browsing attempts to gaming and shopping sites.

31
Q

A company is experiencing downtime and outages when application patches and updates are deployed during the week. Which of the following would help to resolve these issues?

A

Change management procedures
Change management defines a series of best practices for implementing changes in a complex technical environment. The goals of change management are to implement updates and changes while also maintaining the uptime and availability of critical business systems.

32
Q

A company is implementing a series of steps to follow when responding to a security event. Which of the following would provide this set of processes and procedures?

A

Playbook
A playbook provides a conditional set of steps to follow when addressing a specific event. An organization might have separate playbooks for investigating a data breach, responding to a virus infection, or recovering from a ransomware attack.

33
Q

A transportation company maintains a scheduling application and a database in a virtualized cloud-based environment. Which would be the BEST way to backup these services?

A

Snapshot
Virtual machines (VMs) have a snapshot feature to capture both a full backup of the virtual system and incremental changes that occur over time. It’s common to take a snapshot of a VM for backup purposes or before making any significant changes to the VM. If the changes need to be rolled back, a previous snapshot can be selected and instantly applied to the VM.

34
Q

In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory?

A

Owner
The owner of an object controls access in a discretionary access control model. The object and type of access is at the discretion of the owner, and they can determine who can access the file and the type of access they would have.

35
Q

A security administrator has installed a network-based DLP solution to determine if file transfers contain PII. Which describes the data during the file transfer?

A

In-transit
Data in-transit describes information actively moving across the network. As the information passes through switches and routers, it is considered to be in-transit.

36
Q

A medical imaging company would like to connect all remote locations together with high speed network links. The network connections must maintain high throughput rates and must always be available during working hours. In which of the following should these requirements be enforced with the network provider?

A

Service level agreement
A service level agreement (SLA) is used to contractually define the minimum terms for services. In this example, the medical imaging company would require an SLA from the network provider for the necessary throughput and uptime metrics.

37
Q

A company is implementing a security awareness program for their user community. Which should be included for additional user guidance and training?

A

Information on proper password management
User awareness programs focus on security fundamentals that everyone in the organization can use during their normal work day. Protecting and managing passwords is an important security consideration for all users in the company.

38
Q

A security administrator is preparing a phishing email as part of a periodic employee security awareness campaign. The email is spoofed to appear as an unknown third-party and asks employees to immediately click a link or their state licensing will be revoked. Which should be the expected response from the users?

A

Report the suspicious link to the help desk
The users should be trained to report anything suspicious, and unusual links in an email message would certainly be an important security concern.

39
Q

A security administrator would like to minimize the number of certificate status checks made by web site clients to the certificate authority. Which would be the BEST option for this requirement?

A

OCSP stapling
OCSP (Online Certificate Status Protocol) stapling allows the certificate holder to verify their own certificate status. The OCSP status is commonly “stapled” into the SSL/TLS handshake process. Instead of contacting the certificate authority to verify the certificate, the verification is included with the initial network connection to the server.

40
Q

A company is concerned their EDR solution will not be able to stop more advanced ransomware variants. Technicians have created a backup and restore utility to get most systems up and running less than an hour after an attack. What type of security control is associated with this restore process?

A

Compensating
Instead of preventing an attack, a compensating control is used to restore systems using other means. A streamlined backup and restore process compensates for the limited security features of the EDR (Endpoint Detection and Response) software.

41
Q

To upgrade an internal application, the development team provides the operations team with instructions for backing up, patching the application, and reverting the patch if needed. The operations team schedules a date for the upgrade, informs the business divisions, and tests the upgrade process after completion. Which of the following describes this process?

A

Change management
Change management is the process for making any type of change, such as a software upgrade, a hardware replacement, or any other type of modification to the existing environment. Having a formal change management process minimizes the risk of a change and makes everyone aware of the changes as they occur.

42
Q

A company is implementing a public file-storage and cloud-based sharing service, and would like users to authenticate with an existing account on a trusted third-party web site. Which of the following should the company implement?

A

Federation
Federation provides authentication and authorization between two entities using a separate trusted authentication platform. For example, a web site could allow authentication using an existing account on a third-party social media site.

43
Q

A system administrator is viewing this output from a file integrity monitoring report:
-15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
-15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
-15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
-15:43:43 - Repair complete

Which malware type is the MOST likely cause of this output?

A

Rootkit
A rootkit modifies operating system files to become part of the core OS. The kernel, user, and networking libraries in Windows are core operating system files.

44
Q

What type of vulnerability would be associated with this log information?
GET http://example.com/show.asp?view=../../Windows/system.ini HTTP/1.1

A

Directory traversal
Directory traversal attempts to read or access files outside the scope of the web server’s file directory. The pair of dots in a file path (..) refers to the parent directory, so this example is an attempt to move back two parent directories before proceeding into the /Windows directory. In a properly configured web server, this traversal should not be possible.

45
Q

A developer has created an application to store password information in a database. Which BEST describes a way of protecting these credentials by adding random data to the password?

A

Salting
Passwords are often stored as hashes, but the hashes themselves are often subject to brute force or rainbow table attacks. It’s common to add some additional random data (a salt) to a password before the hashing process. This ensures that each password is truly random when stored, and it makes it more difficult for an attacker to discover all of the stored passwords.

46
Q

Which of the following processes provides ongoing building and testing of newly written code?

A

Continuous integration
With continuous integration, code can be constantly written and merged into the central repository many times each day.

47
Q

Which of the following BEST describes a responsibility matrix?

A

A visual summary of cloud provider accountability
A cloud provider commonly creates a responsibility matrix to document the service coverage between the cloud provider and the customer. For example, a cloud responsibility matrix may show the cloud provider responsible for network controls and the customer responsible for all stored data.

48
Q

A security administrator is implementing an authentication system for the company. Which of the following would be the best choice for validating login credentials for all usernames and passwords in the authentication system?

A

LDAP
LDAP (Lightweight Directory Access Protocol) is a common standard for authentication. LDAP is an open standard and is available across many different operating systems and devices.

49
Q

Richard is reviewing this information from an IPS log:
-MAIN_IPS: 22June2023 09:02:50 reject 10.1.111.7
-Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
-Severity: medium; Performance Impact:3;
-Category: info-leak; Packet capture; disable
-Proto:tcp; dst:192.168.11.1; src:10.1.111.7
Which of the following can be associated with this log information?
(Select TWO)
❍ A. The attacker sent a non-authenticated BGP packet to trigger the IPS
❍ B. The source of the attack is 192.168.11.1
❍ C. The event was logged but no packets were dropped
❍ D. The source of the attack is 10.1.111.7
❍ E. The attacker sent an unusual HTTP packet to trigger the IPS

A

D. The source of the attack is 10.1.111.7 and E. The attacker sent an unusual HTTP packet to trigger the IPS
The second line of the IPS log shows the type of alert, and this record indicates a suspicious HTTP packet was sent. The last line of the IPS log shows the protocol, destination, and source IP address information. The source IP address is 10.1.111.7.

50
Q

A company has contracted with a third-party to provide penetration testing services. The service includes a port scan of each externally-facing device. This is an example of:

A

Active reconnaissance
Active reconnaissance sends traffic across the network, and this traffic can be viewed and logged. Performing a port scan will send network traffic to a server, and most port scan attempts can be identified and logged by an IPS (Intrusion Prevention System).

51
Q

An access point in a corporate headquarters office has the following configuration:
IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11n
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address: 60:3D:26:71:FF:AA
IPv4 Firewall: Enabled
Which of the following would apply to this configuration?

A

Weak encryption
A common issue is weak or outdated security configurations. Older encryptions such as DES and WEP should be updated to use newer and stronger encryption technologies.

52
Q

An attacker has gained access to an application through the use of packet captures. Which would be MOST likely used by the attacker?

A

Replay
A replay attack uses previously transmitted information to gain access to an application or service. This information is commonly captured in network packets and replayed to the service.

53
Q

A company is receiving complaints of slowness and disconnections to their Internet-facing web server. A network administrator monitors the Internet link and finds excessive bandwidth utilization from thousands of different IP addresses. Which of the following would be the MOST likely reason for these performance issues?

A

DDoS
A DDoS (Distributed Denial of Service) is the failure of a service caused by many different remote devices. In this example, the DDoS is related to a bandwidth utilization exhaustion caused by excessive server requests.

54
Q

A company has created an itemized list of tasks to be completed by a third-party service provider. After the services are complete, this document will be used to validate the completion of the services. Which would describe this agreement type?

A

SOW
A SOW (Statement of Work) is a detailed list of tasks, items, or processes to be completed by a third-party. The SOW lists the job scope, location, deliverables, and any other specifics associated with the agreement. The SOW is also used as a checklist to verify the job was completed properly by the service provider.

55
Q

A company is deploying a series of internal applications to different cloud providers. Which of the following connection types should be deployed for this configuration?

A

SD-WAN
An SD-WAN (Software Defined Networking in a Wide Area Network) network allows users to efficiently communicate directly to cloud-based applications.

56
Q

A company is updating components within the control plane of their zero-trust implementation. Which of the following would be part of this update?

A

Policy engine
The policy engine is located in the control plane and evaluates each access decision based on security policy and other information sources. The policy engine determines if access should be granted, denied, or revoked.

57
Q

Which malware type would cause a workstation to participate in a DDoS?

A

Bot
A bot (robot) is malware that installs itself on a system and then waits for instructions. It’s common for botnets to use thousands of bots to perform DDoS (Distributed Denial of Service) attacks.

58
Q

Which are used to force the preservation of data for later use in court?

A

Legal hold
A legal hold is a legal technique to preserve relevant information. This process will ensure the data remains accessible for any legal preparation prior to litigation.

59
Q

A company would like to automatically monitor and report on any movement occurring in an open field at the data center. Which would be the BEST choice for this task?

A

Microwave sensor
Microwave sensors can detect movement across large areas such as open fields.

60
Q

A company is releasing a new product, and part of the release includes the installation of load balancers to the public web site. Which would best describe this process?

A

Capacity planning
Capacity planning describes the process of matching the supply of a resource to the demand. In this example, the company is planning for an increased interest in their products and is increasing the overall capacity of their web server resources.

61
Q

A system administrator would like to prove an email message was sent by a specific person. Which of the following describes the verification of this message source?

A

Non-repudiation
Non-repudiation is used to verify the source of data or a message. Digital signatures are commonly used for non-repudiation.

62
Q

A security administrator has created a policy to alert if a user modifies the hosts file on their system. Which behavior does this policy address?

A

Risky
Making a change to the hosts file can be a security concern, and many systems will prevent this change without elevated permissions. Modifying the hosts file would be categorized as risky behavior.

63
Q

A company has identified a web server data breach resulting in the theft of financial records from 150 million customers. A security update to the company’s web server software was available for two months prior to the breach. Which would have prevented this breach from occurring?

A

Patch management
This question describes an actual breach which occurred in 2017 to web servers at a large credit bureau. This breach resulted in the release of almost 150 million customer names, Social Security numbers, addresses, and birth dates. A web server vulnerability announced in March of 2017 was left unpatched, and attackers exploited the vulnerability two months later. The attackers were in the credit bureau network for 76 days before they were discovered. A formal patch management process would have clearly identified this vulnerability and would have given the credit bureau the opportunity to mitigate or patch the vulnerability well before it would have been exploited.

64
Q

During the onboarding process, the IT department requires a list of software applications associated with the new employee’s job functions. Which would describe the use of this information?

A

Access control configuration
The onboarding team needs to assign the proper access controls to new employees, and the list of applications provides additional details regarding application and data access.

65
Q

A system administrator has identified an unexpected username on a database server, and the user has been transferring database files to an external server over the company’s Internet connection. The administrator then performed these tasks:
* Physically disconnected the Ethernet cable on the database server
* Disabled the unknown account
* Configured a firewall rule to prevent file transfers from the server
Which would BEST describe this part of the incident response process?

A

Containment
The containment phase stops an incident from spreading or causing further damage while the investigation continues. Disconnecting the network cable, disabling the unknown account, and blocking file transfers at the firewall all cut off the attacker's ability to keep exfiltrating data from the database server. Eradication and recovery follow once the scope of the compromise is understood.

66
Q

Which of the following would be the MOST effective use of asymmetric encryption?

A

Create a shared session key
Asymmetric operations are far slower than symmetric ones, so the most effective use of asymmetric cryptography is to establish a symmetric session key that then protects the bulk of the traffic. With Diffie-Hellman, each side combines its own private key with the other side's public value and arrives at the same shared secret. The secret itself is never sent across the network, and an eavesdropper who sees only the two public values cannot derive it.
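The exchange described above, worked through end to end as an added example (not part of the flashcard deck): both sides generate a private exponent, exchange only public values, derive the same secret, and turn it into a session key. The group is the 2048-bit MODP prime from RFC 3526 (group 14) with generator 2, written out below; the key-derivation step is a simplified single-block HKDF using only the standard library. A real protocol would use a vetted library for both parts, and the peer-value check shows the caveat a practitioner cares about: values such as 1 or p-1 must be rejected before use.

```python
"""Finite-field Diffie-Hellman key agreement with peer-value validation.

Added example, not from the flashcard deck.  Standard library only.  The
constant is the 2048-bit MODP group from RFC 3526 (group 14), generator 2;
the KDF is a simplified one-block HKDF (extract, then expand once).
"""
import hashlib
import hmac
import secrets

P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)   # safe prime: p = 2q + 1
G = 2
Q = (P - 1) // 2                       # order of the subgroup generated by G


def generate_private() -> int:
    """Random exponent in [2, q-2]; it never leaves the host that created it."""
    return secrets.randbelow(Q - 3) + 2


def public_value(private: int) -> int:
    """g^a mod p: the only value that crosses the network."""
    return pow(G, private, P)


def validate_peer_value(y: int) -> bool:
    """Reject out-of-range and small-subgroup values (0, 1, p-1).

    Every element of the order-q subgroup satisfies y^q mod p == 1; p-1 has
    order 2 and fails, which blocks the classic small-subgroup confinement.
    """
    if not 1 < y < P - 1:
        return False
    return pow(y, Q, P) == 1


def shared_secret(private: int, peer_public: int) -> int:
    """(g^b)^a mod p, computed only after the peer's value passes validation."""
    if not validate_peer_value(peer_public):
        raise ValueError("peer public value rejected")
    return pow(peer_public, private, P)


def derive_session_key(secret: int, context: bytes = b"session-key") -> bytes:
    """HKDF-style: extract with an all-zero salt, then expand one SHA-256 block."""
    ikm = secret.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, context + b"\x01", hashlib.sha256).digest()


def run_exchange():
    """Simulate both sides; returns (alice_key, bob_key, (A_sent, B_sent))."""
    a, b = generate_private(), generate_private()
    A = public_value(a)          # Alice -> Bob
    B = public_value(b)          # Bob -> Alice
    k_alice = derive_session_key(shared_secret(a, B))
    k_bob = derive_session_key(shared_secret(b, A))
    return k_alice, k_bob, (A, B)


if __name__ == "__main__":
    ka, kb, _wire = run_exchange()
    print("session keys match:", ka == kb)
```

The two public values are the whole of what an eavesdropper sees; the session key depends on a private exponent that each host kept to itself.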

67
Q

Each salesperson in a company receives a laptop with applications and data to support their sales efforts. The IT manager would like to prevent third-parties from gaining access to this information if the laptop is stolen. Which would be the BEST way to protect this data?

A

Full disk encryption
With full disk encryption, everything written to the laptop’s local drive is stored as encrypted data, and the drive is unreadable without the decryption key, which is typically released by a pre-boot password or a TPM-backed key at startup. A thief who powers on the stolen laptop has no credentials to unlock the drive. The protection applies to data at rest, so pair it with automatic screen locking in case the device is taken while already unlocked.

68
Q

A security administrator has compiled a list of all information stored and managed by an organization. Which of the following would best describe this list?

A

Data inventory
A data inventory describes a list of all data managed by an organization. This inventory includes the owner, update frequency, and format of the data.

69
Q

A security administrator would like to monitor all outbound Internet connections for malicious software. Which of the following would provide this functionality?

A

Forward proxy
A forward proxy sits between internal clients and the Internet, so every outbound request passes through it before leaving the network. That vantage point lets the proxy inspect traffic for malicious software, filter content by URL or category, and cache frequently requested files to improve performance. A reverse proxy, by contrast, sits in front of servers and handles inbound requests.

70
Q

What type of security control would be associated with corporate security policies?

A

Managerial
A managerial control type is associated with security design and implementation. Security policies and standard operating procedures are common examples of a managerial control type.

71
Q

Which of the following would be the MOST significant security concern when protecting against organized crime?

A

Maintain reliable backup data
Organized crime is financially motivated and commonly targets an organization’s data, encrypting it with ransomware or deleting it outright. A reliable, tested set of backups lets the organization restore operations without paying a ransom. Because ransomware operators deliberately seek out and encrypt backups as well, at least one copy should be kept offline or otherwise immutable.

72
Q

An application team has been provided with a hardened version of Linux to use with a new application installation, and this includes installing a web service and the application code on the server. Which would BEST protect the application from attacks?

A

Implement a secure configuration of the web service
The tech support resources for many services will include a list of hardening recommendations. This hardening may include account restrictions, file permission settings, internal service configuration options, and other settings to ensure that the service is as secure as possible.

73
Q

A system administrator has configured MAC filtering on their corporate access point, but access logs show unauthorized users accessing the network. Which of the following should the administrator configure to prevent future unauthorized use?

A

Enable WPA3 encryption
A MAC (Media Access Control) address is transmitted in the clear on a wireless network and is trivial to spoof, so anyone within range of the access point can observe a legitimate MAC address and reuse it. MAC filtering is therefore not an authentication control. To actually authenticate users, enable WPA3 (Wi-Fi Protected Access version 3), either with a pre-shared key for a small network or with 802.1X (WPA3-Enterprise) to integrate with an existing authentication database.

74
Q

A system administrator has been tasked with performing an application upgrade, but the upgrade has been delayed due to a different scheduled installation of an outdated device driver. Which issue would best describe this change management delay?

A

Dependency
Modifying one part of a system may first require changes to other components. In this example, the application upgrade is dependent on an updated version of a device driver.

75
Q

During an initial network connection, a supplicant communicates to an authenticator, which then sends an authentication request to an Active Directory database. Which of the following would BEST describe this authentication technology?

A

802.1X
IEEE 802.1X is a standard for port-based network access control (NAC). When 802.1X is enabled, a device connecting to the network gets no access beyond the authentication exchange itself until it presents valid credentials. The standard calls the client the supplicant; the switch or wireless access point acts as the authenticator; and the authentication server, commonly a RADIUS server backed by a centralized user database such as Active Directory, makes the access decision.

76
Q

A security researcher has been notified of a potential hardware vulnerability. Which of the following should the researcher evaluate as a potential security issue?

A

Firmware versions
Firmware is the software embedded in a hardware device, often serving as the device's operating system. Hardware vulnerabilities are usually resolved by updating the firmware on the affected system, so the first step is to identify the firmware version in use and compare it with the vendor's advisory.

77
Q

Visitors to a corporate data center must enter through the main doors of the building. Which of the following security controls would be the BEST choice to successfully guide people to the front door? (Select TWO)

A

Bollards and fencing
Both are physical controls that channel people to an area by limiting access to everywhere else: fencing defines the boundary of the property and leaves an opening only at the intended entrance, and bollards keep vehicles away from the doors and walkways while still allowing pedestrians through.

78
Q

A company’s employees are required to authenticate each time a file share, printer, or SAN imaging system is accessed. Which of the following should be used to minimize the number of employee authentication requests?

A

SSO
SSO (Single Sign-On) accepts valid authentication requests and allows users to access multiple resources without requiring additional user authentications.

79
Q

A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division?

A

Internal self-assessment
An internal self-assessment with audit can verify users have the correct permissions and all users meet the practice of least privilege.

80
Q

An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type?

A

SQL injection
A SQL (Structured Query Language) injection takes advantage of web applications that build database queries by concatenating untrusted user input into the query text. Because the input is neither validated nor bound as a parameter, the attacker's text is parsed as part of the SQL statement itself, so the attacker bypasses the application's intended logic and “injects” commands that the database executes directly.

81
Q

A group of business partners is using blockchain technology to monitor and track raw materials and parts as they are transferred between companies. Where would a partner find these tracking details?

A

Ledger
The ledger is the shared, append-only record of every transaction on the blockchain. Every participant holds a copy, each block carries a cryptographic hash of the block before it, and all transactions are visible to everyone on the chain, so a partner can both look up a part's history and verify that no earlier record has been altered.
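The tamper-evidence property is what makes a shared ledger useful for tracking parts between companies that do not fully trust each other. The following is an added example (not part of the flashcard deck) of a minimal hash-chained ledger: partners append transfer records in blocks, look up a part's history, and verify the chain. The three partners and the part numbers are constructed sample data, and there is no consensus protocol or networking here, only the hash linkage.

```python
"""A minimal hash-chained ledger showing why blockchain records are tamper-evident.

Added example, not from the flashcard deck.  Transfers, partner names and
part numbers are constructed sample data.
"""
import hashlib
import json

GENESIS_PREV = "0" * 64


def block_hash(index: int, prev_hash: str, transactions: list) -> str:
    """Hash of the block body; sort_keys gives a canonical serialization."""
    body = json.dumps(
        {"index": index, "prev": prev_hash, "tx": transactions}, sort_keys=True
    )
    return hashlib.sha256(body.encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = []
        self.append([])                      # genesis block anchors the chain

    def append(self, transactions: list) -> str:
        """Seal a new block whose 'prev' field commits to the previous block."""
        index = len(self.blocks)
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS_PREV
        tx = [dict(t) for t in transactions]
        block = {"index": index, "prev": prev, "tx": tx,
                 "hash": block_hash(index, prev, tx)}
        self.blocks.append(block)
        return block["hash"]

    def verify(self) -> tuple:
        """Return (True, None) or (False, index of the first inconsistent block).

        A block fails if its stored hash no longer matches its contents, or if
        its 'prev' no longer matches the (possibly recomputed) hash before it.
        """
        for i, block in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1]["hash"] if i else GENESIS_PREV
            if block["prev"] != expected_prev:
                return False, i
            if block["hash"] != block_hash(block["index"], block["prev"], block["tx"]):
                return False, i
        return True, None

    def history(self, part_id: str) -> list:
        """Every transfer of one part, in ledger order."""
        return [t for b in self.blocks for t in b["tx"] if t.get("part") == part_id]


def build_sample_ledger() -> Ledger:
    """Constructed supply-chain transfers between three partners."""
    ledger = Ledger()
    ledger.append([
        {"part": "BRG-7781", "from": "Foundry Co", "to": "Machining Ltd", "qty": 500},
        {"part": "SHF-0042", "from": "Foundry Co", "to": "Machining Ltd", "qty": 120},
    ])
    ledger.append([
        {"part": "BRG-7781", "from": "Machining Ltd", "to": "Assembly Inc", "qty": 480},
    ])
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("valid:", ledger.verify())
    print("BRG-7781 history:", ledger.history("BRG-7781"))
    ledger.blocks[1]["tx"][0]["qty"] = 5000        # a partner edits its copy
    print("after tampering:", ledger.verify())
```

Editing a quantity in block 1 breaks that block's hash; recomputing the hash to cover the edit then breaks block 2's `prev` link, and so on to the end of the chain. That is why a single partner cannot quietly rewrite history in a ledger everyone else also holds.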

82
Q

A network technician at a bank has noticed a significant decrease in traffic to the bank’s public website. After additional investigation, the technician finds that users are being directed to a web site which looks similar to the bank’s site but is not under the bank’s control. Flushing the local DNS cache and changing the DNS entry does not have any effect. Which has most likely occurred?

A

Domain hijacking
Domain hijacking is the takeover of the domain's registration itself, typically through a compromised registrar account or social engineering of the registrar. The attacker changes the domain's authoritative name servers, so edits to the bank's own DNS records and local cache flushes have no effect: resolvers everywhere now query the attacker's servers, which point the bank's name at an IP address the attacker controls.

83
Q

A company runs two separate applications in their data center. The security administrator has been tasked with preventing all communication between these applications. Which of the following would be the BEST way to implement this security requirement?

A

Air gap
An air gap is a physical separation between networks. Air gapped networks are commonly used to separate networks that must never communicate to each other.

84
Q

A receptionist at a manufacturing company recently received an email from the CEO asking for a copy of the internal corporate employee directory. It was later determined that the email address was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help identify this type of attack in the future?

A

Recognizing social engineering
Impersonating the CEO is a common social engineering technique. There are many ways to recognize a social engineering attack, and it’s important to train everyone to spot these situations when they are occurring.

85
Q

Which deployment model would a company follow if they require individuals to use their personal phones for work purposes?

A

BYOD
BYOD (Bring Your Own Device) is a model where the employee owns the mobile device but can also use the same device for work.