Implementation Flashcards
1
Q
A company’s help desk received several AV alerts indicating Mimikatz attempted to run on the remote systems. Several users also reported that the new company flash drives they picked up in the break room only have 512KB of storage. Which of the following is most likely the cause?
A
The GPO blocking the flash drives is being bypassed by a malicious flash drive that is attempting to harvest plaintext credentials from memory.
The presence of Mimikatz alerts and reports of new company flash drives having only 512KB of storage indicate a potential security incident involving malicious activity. Mimikatz is a well-known tool used for extracting passwords and other sensitive information from memory.
2
Q
A company is adding a clause to its AUP that states employees are not allowed to modify the operating system on mobile devices. Which of the following vulnerabilities is the organization addressing?
A
Jailbreaking
3
Q
A systems administrator works for a local hospital and needs to ensure patient data is protected and secure. Which of the following data classifications should be used to secure patient data?
A
Sensitive
In the healthcare industry, patient data is typically classified as sensitive. This means that it is important to take extra precautions to protect it from unauthorized access, use, or disclosure.
4
Q
A small business uses kiosks on the sales floor to display product information for customers. A security team discovers the kiosks use end-of-life operating systems. Which of the following is the security team most likely to document as a security implication of the current architecture?
A
Patch availability
5
Q
Which of the following provides a catalog of security and privacy controls related to the United States federal information systems?
A
NIST 800-53
6
Q
A security analyst is taking part in an evaluation process that analyzes and categorizes threat actors of real-world events in order to improve the incident response team’s process. Which of the following is the analyst most likely participating in?
A
MITRE ATT&CK
MITRE ATT&CK provides a comprehensive list of threat actor behaviors across various stages of the cyber attack lifecycle.
7
Q
During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization’s network. Which of the following fulfills this request?
A
access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
8
Q
A security analyst is investigating a malware incident at a company. The malware is accessing a command-and-control website at www.comptia.com. All outbound Internet traffic is logged to a syslog server and stored in /logfiles/messages. Which of the following commands would be best for the analyst to use on the syslog server to search for recent traffic to the command-and-control website?
A
tail -500 /logfiles/messages | grep www.comptia.com
9
Q
An administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use?
A
NIPS solution
10
Q
A security analyst needs to implement security features across smartphones, laptops, and tablets. Which of the following would be the MOST effective across heterogenous platforms?
A
Applying MDM software
11
Q
An organization Chief Security Officer (CSO) wants to validate the business’s involvement in the incident response plan to ensure its validity and thoroughness? Which of the following will the CSO MOST likely use?
A
A tabletop exercise
12
Q
A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs. Which of the following is the MOST likely cause of this issue?
A
TFTP was disabled on the local hosts.
13
Q
A security analyst is reviewing the output of a web server log and notices a particular account is attempting to transfer large amounts of money:
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=500000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=5000000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=1000000 HTTP/1.1
GET http://yourbank.com/transfer.do?acctnum=087646958&amount=500 HTTP/1.1
Which of the following types of attacks is MOST likely being conducted?
A
CSRF
14
Q
During a recent security assessment, a vulnerability was found in a common OS. The OS vendor was unaware of the issue and promised to release a patch within the next quarter. Which of the following BEST describes this type of vulnerability?
A
Zero day
15
Q
A network manager is concerned that business may be negatively impacted if the firewall in the datacenter goes offline. The manager would like to implement a high availability pair to:
A
remove the single point of failure
16
Q
A large industrial system’s smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company’s security manager notices the generator’s IP is sending packets to an internal file server’s IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?
A
Segmentation
17
Q
A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization’s vulnerabilities. Which of the following would BEST meet this need?
A
CVSS
18
Q
A security analyst is investigating a report from a penetration test. During the penetration test, consultants were able to download sensitive data from a back-end server. The back-end server was exposing an API that should have only been available from the company’s mobile application. After reviewing the back-end server logs, the security analyst finds the following entries:
10.35.45.53 - - [22/May/2020:06:57:31 +0100] ‘GET /api/cliend_id=1 HTTP/1.1” 403 1703
“http://www.example.com/api/” “PostmanRuntime/7.26.5”
10.35.45.53 - - [22/May/2020:07:00:58 +0100] ‘GET /api/cliend_id=2 HTTP/1.1” 403 1703
“http://www.example.com/api/” “PostmanRuntime/7.22.0”
10.32.40.13 - - [22/May/2020:08:08:52 +0100] ‘GET /api/cliend_id=1 HTTP/1.1” 302 21703
“http://www.example.com/api/” “CompanyMobileApp/1.1.1”
10.32.40.25 - - [22/May/2020:08:13:52 +0100] ‘GET /api/cliend_id=1 HTTP/1.1” 200 21703
“http://www.example.com/api/” “CompanyMobileApp/2.3.1”
10.35.45.53 - - [22/May/2020:08:20:18 +0100] ‘GET /api/cliend_id=2 HTTP/1.1” 200 22405
“http://www.example.com/api/” “CompanyMobileApp/2.3.0”Which of the following
Which of the following is the MOST likely cause of the security control bypass?
A
User-agent spoofing
19
Q
A company recently experienced a significant data loss when proprietary information was leaked to a competitor. The company took special precautions by using proper labels; however, email filter logs do not have any record of the incident. An investigation confirmed the corporate network was not breached, but documents were downloaded from an employee’s COPE tablet and passed to the competitor via cloud storage. Which of the following is the BEST mitigation strategy to prevent this from happening in the future?
A
CASB
20
Q
A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations . The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?
A
A supply-chain attack
21
Q
A security administrator wants to implement a program that tests a user’s ability to recognize attacks over the organization’s email system. Which of the following would be BEST suited for this task?
A
Phishing campaign
22
Q
An organization has expanded its operation by opening a remote office. The new office is fully furnished with office resources to support up to 50 employees working on any given day. Which of the following VPN solutions would BEST support the new office?
A
Site-to-site
23
Q
A security analyst discovers that a company’s username and password database were posted on an internet forum. The usernames and passwords are stored in plaintext. Which of the following would mitigate the damage done by this type of data exfiltration in the future?
A
Implement salting and hashing
24
Q
A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the internet all day. Which of the following would MOST likely show where the malware originated?
A
The DNS logs
25
A security analyst is reviewing logs on a server and observes the following output:
01/01/2020 03:33:23 admin attempted login with password sneak
01/01/2020 03:33:32 admin attempted login with password sneaked
01/01/2020 03:33:41 admin attempted login with password sneaker
01/01/2020 03:33:50 admin attempted login with password sneer
01/01/2020 03:33:59 admin attempted login with password sneeze
01/01/2020 03:34:08 admin attempted login with password sneezy
Which of the following is the security analyst observing?
A dictionary attack
26
A security administrator is trying to determine whether a server is vulnerable to a range of attacks. After using a tool, the administrator obtains the following output.
HTTP/1.0 200 OK
Content-Type: text/html
Server: Apache
root:s9fyf983#:0:1:System Operator:/:/bin/bash
daemon:*:1:1::/tmp:
user1:fi@su3FF:183:100:user:/home/users/user1:/bin/bash
Which of the following attacks was successfully implemented based on the output?
Directory traversal
27
A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?
Full backups
28
Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?
Threat feeds
29
A security analyst is investigating an incident to determine what an attacker was able to do on a compromised laptop. The analyst reviews the following SIEM log.
Which of the following describes the method that was used to compromised the laptop?
An attacker was able to bypass the application approve list by emailing a spreadsheet attachment with an embedded PowerShell in the file
Based on the provided log information, it appears that the attacker was able to use PowerShell to execute a script (lat.ps1) on the compromised laptop (PC1), with the creator process being Outlook. Additionally, a blocked executable (asdf234.exe) was attempted to be executed on PC1 but was blocked by Group Policy.
Therefore, it is likely that the attacker used a technique to bypass the application approve list in order to execute the PowerShell script.
There is no evidence provided in the log information that suggests the attacker was able to move laterally from PC1 to PC2 using a pass-the-hash attack, install malware to the C:\asdf234 folder to gain administrator rights, or phish user credentials successfully from an Outlook user profile.
Therefore, based on the available information, the most likely method used to compromise the laptop is that the attacker was able to bypass the application approve list by emailing a spreadsheet attachment with an embedded PowerShell in the file.
30
A security analyst is using OSINT to gather information to verify whether company data is available publicly. Which of the following is the BEST application for the analyst to use?
theharvester
31
Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization?
To provide data to quantify risk based on the organization’s systems
The BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization is to provide data to quantify risk based on the organization's systems.
Asset management policies help organizations keep track of their assets, such as hardware and software, and identify any vulnerabilities or risks associated with them. By quantifying these risks, organizations can prioritize their security efforts and allocate resources accordingly to ensure that their assets are properly protected.
While keeping software and hardware fully patched for known vulnerabilities, only allowing approved devices onto the business network, and standardizing by selecting one laptop model for all users in the organization are all important aspects of maintaining a secure environment, they are only part of a comprehensive asset management policy.
32
The IT department’s on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?
Submit the application to QA before releasing it
33
A security administrator is managing administrative access to sensitive systems with the following requirements.
-Common login accounts most not be used for administrative duties.
-Administrative accounts must be temporal in nature.
-Each administrative account must be assigned to one specific user.
-Accounts must have complex passwords.
-Audit trails and loggings must be enabled on all systems.
Which of the following is the security analyst observing?
PAM
34
Which of the following types of controls is a turnstile?
Physical
35
A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization’s executives determine their next course of action?
A business continuity plan
36
Which of the following measures the average time that equipment will operate before it breaks?
MTBF
37
A small, local company experienced a ransomware attack. The company has one web-facing server and a few workstations. Everything is behind an ISP firewall. A single web-facing server is set up on the router to forward all ports so that the server is viewable from the internet. The company uses an older version of third-party software to manage the website. The assets were never patched. Which of the following would be done to prevent an attack like this from happening again? (Select THREE)
Use the latest version of software
Implement a screened subnet for the web server
Install an endpoint security solution
38
Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?
Security awareness training
39
Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?
Data loss prevention
Data loss prevention is the technology used to actively monitor for specific file types being transmitted on the network. Data loss prevention (DLP) tools are designed to detect and prevent unauthorized data exfiltration by monitoring and inspecting data as it moves across the network, including email, web traffic, and other network channels. DLP systems can identify specific file types, such as credit card numbers, social security numbers, and other sensitive data, and prevent them from leaving the network.
File integrity monitoring (FIM) is a security control that monitors changes to critical system files, including configuration files, log files, and executable files. FIM is used to detect unauthorized changes to files, such as those made by malware, but it does not actively monitor for specific file types being transmitted on the network.
Honeynets are a type of security tool that are designed to detect and analyze malware by creating a network of decoy systems that are designed to attract attackers. Honeynets are not used to actively monitor for specific file types being transmitted on the network.
Tcpreplay is a utility used for testing and validating network equipment by replaying real traffic from pcap files. It is not used for actively monitoring for specific file types being transmitted on the network.
40
A security analyst reviews a company’s authentication logs and notices multiple authentication failures. The authentication failures are from different usernames that share the same IP address. Which of the following password attacks is MOST likely happening?
Spraying
The password attack that is MOST likely happening in this scenario is spraying. Spraying is a type of password attack where an attacker tries a small number of commonly used passwords against a large number of usernames. In this case, the attacker is attempting to authenticate with different usernames that share the same IP address, which indicates that they are trying to test a small number of passwords against a large number of accounts.
Dictionary attacks and brute-force attacks are different types of password attacks that involve testing a large number of passwords against a single account or a small number of accounts.
A dictionary attack uses a list of common passwords, while a brute-force attack tries all possible password combinations.
Rainbow table attacks involve precomputing hashes of common passwords and storing them in a database, which can be used to quickly crack passwords. However, this type of attack is less likely in this scenario because the attacker is attempting to authenticate with multiple usernames, indicating that they are trying to test a small number of passwords against a large number of accounts rather than cracking a specific password.
41
An employee received multiple messages on a mobile device. The message were instructing the employee to pair the device to an unknown device. Which of the following BEST describes what a malicious person might be doing to cause this issue to occur?
Bluesnarfing
42
Which of the following BEST describes the situation where a successful onboarded employee who is using a fingerprint reader is denied access at the company’s main gate?
Crossover error rate
43
Which of the following will provide the BEST physical security countermeasures to stop intruders? (Choose two.)
Access control vestibule
Fencing
44
Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day operations. Which of the following documents did Ann receive?
An annual privacy notice
45
An analyst is trying to identify insecure services that are running on the internal network. After performing a port scan, the analyst identifies that a server has some insecure services enabled on default ports. Which of the following BEST describes the services that are currently running and the secure alternatives for replacing them? (Choose three.)
SNMPv2, SNMPv3
HTTP, HTTPS
Telnet, SSH
46
While reviewing the wireless router, a systems administrator of a small business determines someone is spoofing the MAC address of an authorized device. Given the table below
Which of the following should be the administrator’s NEXT step to detect if there is a rogue system without impacting availability?
Physically check each system
47
An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer implement?
WAF
48
A research company discovered that an unauthorized piece of software has been detected on a small number of machines in its lab. The researchers collaborate with other machines using port 445 and, on the internet, using port 443. The unauthorized software is starting to be seen on additional machines outside of the lab and is making outbound communications using HTTPS and SMB. The security team has been instructed to resolve the problem as quickly as possible causing minimal disruption to the researchers. Which of the following contains the BEST course of action in this scenario?
Place the unauthorized application in a blocklist
49
An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the following is the MOST likely reason for this type of assessment?
The organization is expecting to process credit card information
50
A well-known organization has been experiencing attacks from APTs. The organization is concerned that custom malware is being created and emailed into the company or installed on USB sticks that are dropped in parking lots. Which of the following is the BEST defense against this scenario?
Implementing application execution in a sandbox for unknown software
51
Which of the following supplies non-repudiation during a forensics investigation?
Using a SHA-2 signature of a drive image
52
A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the most likely cause of this issue?
An external access point is engaging in an evil-twin attack
53
A company recently experienced a data breach and the source was determined to be an executive who was charging a phone in a public area. Which of the following would MOST likely have prevented this breach?
A USB data blocker
54
An organization is moving away from the use of client-side and server-side certificates for EAP. The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?
EAP-FAST
55
A company wants to deploy PKI on its internet-facing website. The applications that are currently deployed are:
-www.company.com (main website)
-contactus.company.com (for locating a nearby location)
-quotes.company.com (for requesting a price quote)
The company wants to purchase one SSL certificate that will work for all existing applications and any future applications that follow the same naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?
Wildcard
56
When implementing automation with IoT devices, which of the following should be considered FIRST to keep the network secure?
Communication protocols
57
Which of the following BEST describes when an organization utilizes a ready-to-use application from a cloud provider?
SaaS
58
While preparing a software inventory report, a security analyst discovers an unauthorized program installed on most of the company’s servers. The program utilizes the same code signing certificate as an application deployed to only the accounting team. After removing the unauthorized program, which of the following mitigations should the analyst implement to BEST secure the server environment?
Revoke the code signing certificate used by both programs
59
A company is concerned about individuals driving a car into the building to gain access. Which of the following security controls would work BEST to prevent this from happening?
Bollard
60
Which of the following is a cryptography concept that operates on a fixed length of bits?
Hashing
61
During a Chief information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening?
A SSL/TLS downgrade
62
A company wants to modify its current backup strategy to minimize the number of backups that would need to be restored in case of data loss. Which of the following would be the BEST backup strategy to implement?
Full backups followed by differential backups
63
A user received an SMS on a mobile phone that asked for bank details. Which of the following social engineering techniques was used in this case?
Smishing
64
A company’s leadership team is in the middle of planning its disaster recovery plan for the next year. The leadership team wants the company’s RTO to be 15 days. Which of the following is the BEST choice for the company?
Cold site
65
During a security assessment, a security analyst finds a file with overly permissive permissions. Which of the following tools will allow the analyst to reduce the permissions for the existing users and groups and remove the set-user-ID bit from the file?
chmod
The tool that will allow the security analyst to reduce the permissions for existing users and groups and remove the set-user-ID bit from the file is chmod.
chmod (short for change mode) is a Unix command used to change the access permissions of files and directories. It is used to modify the file permissions for owner, group, and others, and to add or remove certain permissions. The analyst can use chmod to reduce the file permissions and remove the set-user-ID bit.
ls is a Unix command used to list the files and directories in a directory. It is not used to modify file permissions.
chflags is a Unix command used to change file system flags. It is not used to modify file permissions.
lsof (short for list open files) is a Unix command used to list all open files and the processes that opened them. It is not used to modify file permissions.
setuid is a Unix file system flag that allows a file to be executed with the permissions of its owner. It is not a command or tool used to modify file permissions.
66
While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing?
A telnet session
67
A security analyst is reviewing the latest vulnerability scan report for a web server following an incident. The vulnerability report showed no concerning findings. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?
The scan resulted in a false negative for the vulnerability.
68
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?
Nmap
69
A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created some rules, but the network now seems to be unresponsive. All connections are being dropped by the firewall. Which of the following would be the BEST option to remove the rules?
#iptables -F
If the network is unresponsive and all connections are being dropped by the firewall, it is necessary to remove the firewall rules to restore connectivity.
The best option to remove the rules is to use the iptables flush command, which removes all rules from the firewall.
Therefore, the best option among the given choices to remove the rules is:
b. # iptables -F
The iptables -F command flushes all firewall rules, removing all chains and their rules from the firewall. This will effectively reset the firewall to its default state, allowing all traffic to pass through the firewall. After removing the rules, the administrator can then create new rules as needed to properly secure the network while maintaining connectivity.
70
A Chief Information Security Officer has defined resiliency requirements for a new data center architecture. The requirements are as follows:
-Critical file shares will remain accessible during and after a natural disaster
-Five percent of the hard disks can fail at any given time without impacting the data
-Systems will be forced to shut down gracefully when battery levels are below 20%
Which of the following are required to BEST meet these objectives? (Select THREE)
RAID
UPS
Geographic dispersal
71
An individual is looking to implement a secure wireless network. One of the requirements is to protect sensitive data. Which of the following technologies is BEST suited to meet this objective?
CCMP
72
A Chief Executive Officer (CEO) personal information was stolen in a social-engineering attack. Which of the following sources would reveal if the CEO’s personal information is for sale?
The dark web
73
An administrator is configuring a firewall rule set for a subnet to only access DHCP, web pages, and SFTP, and to specifically block FTP. Which of the following would BEST accomplish this goal?
Permission Source Destination Port
Allow: Any Any 80
Allow: Any Any 443
Allow: Any Any 67
Allow: Any Any 68
Allow: Any Any 22
Deny: Any Any 21
Deny: Any Any
74
A security analyst is hardening a network infrastructure. The analyst is given the following requirements:
-Preserve the use of public IP addresses assigned to equipment on the core router
-Enable “in transport” encryption protection to the web server with the strongest cipher
Which of the following should the analyst implement to meet these requirements? (Select two)
Configure NAT on the core router
Enable TLSv2 encryption on the web server
75
While investigating a recent security incident, a security analyst decided to view all network connections on a particular server. Which of the following would provide the desired information?
netstat
76
Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
Shared tenancy
77
Which of the following is a security implication of newer ICS devices that are becoming more common in corporations?
Devices with cellular communication capabilities bypass traditional network security controls
https://securityboulevard.com/2021/03/scada-security-in-a-cellular-world/
78
If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?
Perfect forward secrecy
79
Which of the following is a physical security control that ensures only the authorized user is present when gaining access to a secured area?
A biometric scanner
80
A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?
Memory contents, including fileless malware, are lost when the power is turned off.
81
A security architect is designing a remote access solution for a business partner. The business partner needs to access one Linux server at the company. The business partner wants to avoid managing a password for authentication and additional software installation. Which of the following should the architect recommend?
Soft token
82
Cloud security engineers are planning to allow and deny access to specific features in order to increase data security. Which of the following cloud features is the most appropriate to ensure access is granted properly?
Resource policies
83
A security operations technician is searching the log named /var/messages for any events that were associated with a workstation with the IP address 10.1.1.1. Which of the following would provide this information?
cat /var/messages | grep 10.1.1.1
84
Which of the following can be used to detect a hacker who is stealing company data over port 80?
Packet capture
85
A user is trying to upload a tax document which the corporate finance department requested but a security program is prohibiting the upload. A security analyst determines the file contains PII. Which of the following steps can the analyst take to correct this issue?
Modify the exception list on the DLP to allow the upload
86
A cybersecurity analyst at Company A is working to establish a secure communication channel with a counterpart at Company B, which is 3,000 miles (4,828 kilometers) away. Which of the following concepts would help the analyst meet this goal in a secure manner?
Key exchange
87
A systems administrator is required to enforce MFA for corporate email account access, relying on the possession factor. Which of the following authentication methods should the systems administrator choose? (Choose two.)
Time-based one-time password
Hardware token
88
A security investigation revealed that malicious software was installed on a server using a server administrator's credentials. During the investigation, the server administrator explained that Telnet was regularly used to log in. Which of the following most likely occurred?
A packet capture tool was used to steal the password
89
A Chief Information Security Officer (CISO) wants to implement a new solution that can protect against certain categories of websites whether the employee is in the office or away. Which of the following solutions should the CISO implement?
SWG
SWGs are designed to monitor and filter internet traffic to and from user devices, blocking access to known malicious sites or sites that violate company policies. They provide protection against web-based threats such as malware, phishing, and other types of attacks.
90
A security administrator needs to add fault tolerance and load balancing to the connection from the file server to the backup storage. Which of the following is the best choice to achieve this objective?
Multipath
91
A security administrator examines the given table of an access switch and sees this output:
Which of the following best describes the attack that is currently in progress?
MAC flooding on Fa0/2 port
92
Which of the following roles is responsible for defining the protection type and classification type for a given set of files?
General counsel
93
Which of the following is required in order for an IDS and a WAF to be effective on HTTPS traffic?
TLS inspection
94
While troubleshooting service disruption on a mission-critical server, a technician discovered the user account that was configured to run automated processes was disabled because the user’s password failed to meet password complexity requirements. Which of the following would be the best solution to securely prevent future issues?
Configuring a service account to run the processes
95
A security analyst is assessing a newly developed web application by testing SQL injection, CSRF, and XML injection. Which of the following frameworks should the analyst consider?
OWASP
96
A security administrator is integrating several segments onto a single network. One of the segments, which includes legacy devices, presents a significant amount of risk to the network. Which of the following would allow users to access to the legacy devices without compromising the security of the entire network?
Jump server
97
Which of the following types of disaster recovery plan exercises requires the least interruption to IT operations?
Tabletop
98
A security operations center wants to implement a solution that can execute files to test for malicious activity. The solution should provide a report of the files' activity against known threats. Which of the following should the security operations center implement?
Cuckoo
99
A network architect wants a server to have the ability to retain network availability even if one of the network switches it is connected to goes down. Which of the following should the architect implement on the server to achieve this goal?
NIC teaming
100
A security administrator performs weekly vulnerability scans on all cloud assets and provides a detailed report. Which of the following describes the administrator’s activities?
Continuous monitoring
101
A technician is setting up a new firewall on a network segment to allow web traffic to the internet while hardening the network. After the firewall is configured, users receive errors stating the website could not be located. Which of the following would best correct the issue?
Ensuring that port 53 has been explicitly allowed in the rule set
102
After a recent security breach, a security analyst reports that several administrative usernames and passwords are being sent via cleartext across the network to access network devices over port 23. Which of the following should be implemented so all credentials sent over the network are encrypted when remotely accessing and configuring network devices?
SSH
103
A security analyst generated a file named host1.pcap and shared it with a team member who is going to use it for further incident analysis.
Which of the following tools will the other team member MOST likely use to open this file?
Wireshark
104
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss damage or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?
ARO
105
After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall policy for a web server. Which of the following firewall policies would be MOST secure for a web server?
D
106
A recent security audit revealed that a popular website with IP address 172.16.1.5 also has an
FTP service that employees were using to store sensitive corporate data.
The organization's outbound firewall processes rules top-down.
Which of the following would permit HTTP and HTTPS, while denying all other services for this host?
access-rule permit tcp destination 172.16.1.5 port 80
access-rule permit tcp destination 172.16.1.5 port 443
access-rule deny ip destination 172.16.1.5
107
Which of the following would be indicative of a hidden audio file found inside of a piece of source code?
Steganography
108
A security engineer is deploying a new wireless network for a company. The company shares office space with multiple tenants. Which of the following should the engineer configured on the wireless network to ensure that confidential data is not exposed to unauthorized users?
AES
109
A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted.
Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds.
Which of the following cryptographic techniques would BEST meet the requirement?
Homomorphic
110
A penetration tester was able to compromise an internal server and is now trying to pivot the current session in a network lateral movement. Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step?
Nmap
111
Which of the following must be in place before implementing a BCP?
BIA
112
Multiple business accounts were compromised a few days after a public website had its credentials database leaked on the Internet. No business emails were identified in the breach, but the security team thinks that the list of passwords exposed was later used to compromise business accounts. Which of the following would mitigate the issue?
Password history
113
A security analyst wants to fingerprint a web server. Which of the following tools will the security analyst MOST likely use to accomplish this task?
curl --head http://192.168.0.10
114
A local coffee shop runs a small Wi-Fi hotspot for its customers that utilizes WPA2-PSK. The coffee shop would like to stay current with security trends and wants to implement WPA3 to make its Wi-Fi even more secure. Which of the following technologies will the coffee shop MOST likely use in place of PSK?
SAE
115
A company recently experienced an attack during which its main website was directed to the attacker’s web server, allowing the attacker to harvest credentials from unsuspecting customers. Which of the following should the company implement to prevent this type of attack occurring in the future?
DNSSEC
116
An analyst is generating a security report for the management team. Security guidelines recommend disabling all listening unencrypted services. Given this output from Nmap:
Which of the following should the analyst recommend to disable?
23/tcp
117
A developer is building a new portal to deliver single-pane-of-glass management capabilities to customers with multiple firewalls. To improve the user experience, the developer wants to implement an authentication and authorization standard that uses security tokens that contain assertions to pass user Information between nodes. Which of the following roles should the developer configure to meet these requirements? (Select TWO).
Identity provider
Service provider
118
Web server A is unreachable from the corporate branch office. Review the stateful firewall below. Which of the options below would resolve the problem while ensuring the web traffic is secure?
Add a rule “permit source 172.30.1.0/24 to destination 172.30.2.1/24, HTTPS”
(A), (B), and (C) are all insecure. We want HTTPS. (D) Is the wrong direction. We want the branch office set as the source and the web server as the destination. (E) Has the wrong source address. (F) is correct. We do not need to make a rule for the web server to the office since a stateful firewall will allow return traffic that matches the new rule.
119
The website http://companywebsite.com requires users to provide personal Information, including security question responses, for registration. Which of the following would MOST likely cause a data breach?
Unsecure protocol
120
A security analyst is reviewing the following command-line output:
Which of the following BEST describes this type of attack?
MAC address cloning
121
A web server that require both encrypted and unencrypted web traffic is utilizing default ports. Which of the following changes should be made to the firewall below?
Block 22 from the internet
Only web traffic is required to the web server!
122
Which of the following BEST describes the method a security analyst would use to confirm a file that is downloaded from a trusted security website is not altered in transit or corrupted using a verified checksum?
Hashing
123
A security engineer needs to create a network segment that can be used for servers that require connections from untrusted networks. Which of the following should the engineer implement?
A screened subnet
124
As part of an investigation a forensics expert has been given a massive packet capture for analysis, full of HTTP requests. They need to view the first few requests and then search for a specific string that indicates the compromise. Which of the options below would allow them to perform this action quickly and efficiently? (Pick two)
head
grep
125
A security researcher is tracking an adversary by noting its attack and techniques based on its capabilities, infrastructure, and victims. Which of the following is the researcher MOST likely using?
The Diamond Model of Intrusion Analysis
126
While preparing a demonstration for employees of your company, you need to identify a method for determining tactics, techniques, and procedures of threats against your network. Which of the following would you most likely use?
MITRE ATT&CK
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is a great source of free intelligence!
https://attack.mitre.org/
127
Which of the following is a difference between a DRP and a BCP?
A BCP prepares for any operational interruption while a DRP prepares for natural disasters
128
Which of the following describes a maintenance metric that measures the average time required to troubleshoot and restore failed equipment?
MTTR
