Latest CASP Questions Flashcards

1
Q

Users have been reporting unusual automated phone calls, including names and phone numbers, that appear
to come from devices internal to the company. Which of the following should the systems administrator do to
BEST address this problem?

  • Add ACL to firewall to block VoIP.
  • Change the settings on the phone system to use SIP-TLS.
  • Have the phones download new configurations over TFTP.
  • Enable QoS configuration on the phone VLAN.
A
  • Change the settings on the phone system to use SIP-TLS
2
Q

The Chief Information Security Officer (CISO) is concerned that certain system administrators with privileged access may be reading other users’ emails. Review of a tool’s output shows the administrators have used webmail to log into other users’ inboxes. Which of the following tools would show this type of output?

  • Log analysis tool
  • Password cracker
  • Command-line tool
  • File integrity monitoring tool
A
  • Log analysis tool
3
Q

While attending a meeting with the human resources department, an organization’s information security officer sees an employee using a username and password written on a memo pad to log into a specific service. When the information security officer inquires further as to why passwords are being written down, the response is that there are too many passwords to remember for all the services the human resources department is required to use. Additionally, each password has specific complexity requirements and different expiration time frames. Which of the following would be the BEST solution for the information security officer to recommend?

  • Utilize MFA
  • Implementing SSO
  • Deploying 802.1X
  • Pushing SAML adoption
  • Implementing TACACS
A
  • Implementing SSO
4
Q

A firewall specialist has been newly assigned to participate in red team exercises and needs to ensure the skills represent real-world threats. Which of the following would be the BEST choice to help the new team member learn bleeding-edge techniques?

  • Attend hacking conventions.
  • Research methods using TOR.
  • Interview current red team members.
  • Attend web-based training.
A
  • Attend hacking conventions.
5
Q

Following a recent network intrusion, a company wants to determine the current security awareness of all its employees. Which of the following is the BEST way to test awareness?

  • Conduct a series of security training events with comprehensive tests at the end.
  • Hire an external company to provide an independent audit of network security posture.
  • Review the social media of all employees to see how much proprietary information is shared.
  • Send an email from a corporate account requesting users to log into a site with their enterprise account.
A
  • Hire an external company to provide an independent audit of network security posture.
6
Q

A company’s chief cybersecurity architect wants to configure mutual authentication to access an internal payroll website. The architect has asked the administration team to determine the configuration that would provide the best defense against MITM attacks. Which of the following implementation approaches would BEST support the architect’s goals?

  • Utilize a challenge-response prompt as required input at username/password entry.
  • Implement TLS and require the clients to use their own certificate during the handshake.
  • Configure a web application proxy and institute monitoring of HTTPS transactions.
  • Install a reverse proxy in the corporate DMZ configured to decrypt TLS session.
A
  • Implement TLS and require the clients to use their own certificate during the handshake.
7
Q

While investigating suspicious activity on a server, a security administrator runs the following report.

File system integrity check report
Total numbers of files: 3321
Added files: 12
Removed files: 0
Changed Files: 1
Changed files:
changed: /etc/passwd
---------------------------------------------------------
Detailed information about changes:
File: /etc/
Perm: -rw-r--r-- , -rw-r---rw-
Hash: md5:ab0e9acb928dfac35de2ac2bef918cae, md5:def9a24cdbeaf4cb15acfed93eedb

In addition, the administrator notices changes to the /etc/shadow file that were not listed in the report. Which of the following BEST describes this scenario? (Select TWO)

  • An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hide the changes to the /etc/shadow file.
  • An attacker compromised the server and may have also compromised the file integrity database to hide changes in the /etc/shadow file.
  • An attacker compromised the server and may have installed a rootkit to always generate valid MD5 hashes to hide the changes to the /etc/shadow file.
  • An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.
  • An attacker compromised the server and may have used SELinux mandatory access controls to hide the changes to the /etc/shadow file.
A
  • An attacker compromised the server and may have used a collision hash in the MD5 algorithm to hide the changes to the /etc/shadow file.
  • An attacker compromised the server and may have used MD5 collision hashes to generate valid passwords, allowing further access to administrator accounts on the server.
8
Q

A security engineer is attempting to convey the importance of including job rotation in a company’s standard security policies. Which of the following would be the BEST justification?

  • Making employees rotate through jobs ensures succession plans can be implemented and prevents single points of failure.
  • Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
  • Administrators and engineers who perform multiple job functions throughout the day benefit from being cross-trained in new job areas.
  • It eliminates the need to share administrative account passwords because employees gain administrative rights as they rotate into new job areas.
A
  • Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
9
Q

The Chief Financial Officer (CFO) of a major hospital system has received a ransom letter that demands a large sum of cryptocurrency be transferred to an anonymous account. If the transfer does not take place within ten hours, the letter states that patient information will be released on the dark web. A partial listing of recent patients is included in the letter. This is the first indication that a breach took place. Which of the following steps should be done FIRST?

  • Review audit logs to determine the extent of the breach.
  • Pay the hacker under the condition that all information is destroyed.
  • Engage a counter-hacking team to retrieve the data.
  • Notify the appropriate legal authorities and legal counsel.
A
  • Notify the appropriate legal authorities and legal counsel.
10
Q

A security administrator is updating a company’s SCADA authentication system with a new application. To ensure interoperability between the legacy system and the new application, which of the following stakeholders should be involved in the configuration process before deployment? (Select TWO)

  • Network engineer
  • Service desk personnel
  • Human resources administrator
  • Incident response coordinator
  • Facilities manager
  • Compliance manager
A
  • Network engineer
  • Compliance manager
11
Q
Given the code snippet below:

#include <stdio.h>
#include <string.h>

int main(void) {
    char username[8];                 // fixed 8-byte buffer (7 characters plus the terminator)
    printf("Enter your username: ");
    gets(username);                   // no bounds check: input longer than 7 characters overruns the buffer
    printf("\n");
    if (username == NULL) {           // an array is never NULL, so this check can never trigger
        printf("you did not enter a username\n");
    }
    if (strcmp(username, "admin") == 0) {
        printf("%s", "Admin user, enter your physical token value: ");
        // rest of conditional logic here has been snipped for brevity
    } else {
        printf("Standard user, enter your password: ");
        // rest of conditional logic here has been snipped for brevity
    }
    return 0;
}
Which of the following vulnerability types is MOST concerning?
  • Only short names are supported, which could result in brute forcing of credentials.
  • Buffer overflow in the username parameter could lead to a memory corruption vulnerability.
  • Hardcoding usernames with different code paths taken depend on which user is entered.
  • Format string vulnerability is present for admin users but not for standard users.
A
  • Buffer overflow in the username parameter could lead to a memory corruption vulnerability.
12
Q

During the decommissioning phase of a hardware project, a security administrator is tasked with ensuring no sensitive data is released inadvertently. All paper records are scheduled to be shredded in a crosscut shredder, and the waste will be burned. The system drives and removable media have been removed prior to e-cycling the hardware. Which of the following would ensure that no data is recovered from the system drives once they are disposed of?

  • Overwriting all HDD blocks with an alternating series of data.
  • Physically disabling the HDDs by removing the drive head.
  • Demagnetizing the hard drive using a degausser.
  • Deleting the UEFI boot loaders from each HDD.
A
  • Demagnetizing the hard drive using a degausser.
13
Q

The Chief Executive Officer (CEO) of a small startup company has a need for a security policy and assessment to address governance, risk management, and compliance. The company has a resource-constrained IT department, but has no information security staff. The CEO has asked for this to be completed in three months. Which of the following would be the MOST cost-effective solution to meet the company’s needs?

  • Select one of the IT personnel to obtain information security training, and then develop all necessary policies and documents in house.
  • Accept all risks associated with information security, and bring up the issue again at next year’s annual board meeting.
  • Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.
  • Hire an experienced, full-time information security team to run the startup company’s information security department.
A
  • Release an RFP to consultancy firms, and then select the most appropriate consultant who can fulfill the requirements.
14
Q

An engineer needs to provide access to company resources for several offshore contractors. The contractors require:

  • Access to a number of applications, including internal websites.
  • Access to database data and the ability to manipulate it.
  • The ability to log into Linux and Windows servers remotely.

Which of the following remote access technologies are the BEST choices to provide all of this access securely?
(Select TWO)

  • VTC
  • VRRP
  • VLAN
  • VDI
  • VPN
  • Telnet
A
  • VDI
  • VPN
15
Q

Which of the following is the GREATEST security concern with respect to BYOD?

  • The filtering of sensitive data out of data flows across geographic boundaries.
  • Removing potential bottlenecks in data transmission paths.
  • The transfer of corporate data onto mobile corporate devices.
  • The migration of data into and out of the network in an uncontrolled manner.
A
  • The migration of data into and out of the network in an uncontrolled manner.
16
Q

Ann, a terminated employee, left personal photos on a company-issued laptop and no longer has access to them. Ann emails her previous manager and asks to get her personal photos back. Which of the following BEST describes how the manager should respond?

  • Determine if the data still exists by inspecting to ascertain if the laptop has already been wiped and if the storage team has recent backups.
  • Inform Ann that the laptop was for company data only and she should not have stored personal photos on a company asset.
  • Report the email because it may have been a spoofed request coming from an attacker who is trying to exfiltrate data from the company’s laptop.
  • Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.
A
  • Consult with the legal and/or human resources departments and check company policies around employment and termination procedures.
17
Q

A security engineer has been hired to design a device that will enable the exfiltration of data from within a well-defended network perimeter during an authorized test. The device must bypass all firewalls and NIDS in place, as well as allow for upload of commands from a centralized command and control server. The total cost of the device must be kept to a minimum in case the device is discovered during an assessment. Which of the following tools should the engineer load onto the device being designed?

  • Custom firmware with rotating key generation.
  • Automatic MITM proxy.
  • TCP beacon broadcast software.
  • Reverse shell endpoint listener.
A
  • Reverse shell endpoint listener.
18
Q

An enterprise is trying to secure a specific web-based application by forcing the use of multifactor authentication. Currently, the enterprise cannot change the application’s sign-in page to include an extra field. However, the web-based application supports SAML. Which of the following would BEST secure the application?

  • Using an SSO application that supports multifactor authentication.
  • Enabling the web application to support LDAP integration.
  • Forcing higher-complexity passwords and frequent changes.
  • Deploying Shibboleth to all web-based applications in the enterprise.
A
  • Using an SSO application that supports multifactor authentication.
19
Q

A Chief Information Security Officer (CISO) is reviewing the controls in place to support the organization’s vulnerability management program. The CISO finds patching and vulnerability scanning policies and procedures are in place. However, the CISO is concerned the organization is siloed and is not maintaining awareness of new risks to the organization. The CISO determines systems administrators need to participate in industry security events. Which of the following is the CISO looking to improve?

  • Vendor diversification
  • System hardening standards
  • Bounty programs
  • Threat awareness
  • Vulnerability signatures
A
  • Threat awareness
20
Q

A large company with a very complex IT environment is considering a move from an on-premises, internally managed proxy to a cloud-based proxy solution managed by an external vendor. The current proxy provides caching, content filtering, malware analysis, and URL categorization for all staff connected behind the proxy. Staff members connect directly to the Internet outside of the corporate network. The cloud-based version of the solution would provide content filtering, TLS decryption, malware analysis, and URL categorization. After migrating to the cloud solution, all internal proxies would be decommissioned. Which of the following would MOST likely change the company’s RISK profile?

A.
  1. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flows.
  2. There would be a greater likelihood of Internet outages due to lower resilience of cloud gateways.
  3. There would be data sovereignty concerns due to changes required in routing and proxy PAC files.

B.
  1. The external vendor would have access to inbound and outbound gateway traffic.
  2. The service would provide some level of protection for staff working from home.
  3. Outages would be likely to occur for systems or applications with hard-coded proxy information.

C.
  1. The loss of local caching would dramatically increase ISP charges and impact existing bandwidth.
  2. There would be a greater likelihood of Internet access outages due to lower resilience of cloud gateways.
  3. There would be a loss of internal intellectual knowledge regarding proxy configurations and application data flows.

D.
  1. Outages would likely occur for systems and applications with hard-coded proxy information.
  2. The service would provide some level of protection for staff members working from home.
  3. Malware detection times would decrease due to third-party management of the service.
A
B.
  1. The external vendor would have access to inbound and outbound gateway traffic.
  2. The service would provide some level of protection for staff working from home.
  3. Outages would be likely to occur for systems or applications with hard-coded proxy information.
21
Q

A security incident responder discovers an attacker has gained access to a network and has overwritten key system files with backdoor software. The server was reimaged and patched offline. Which of the following tools should be implemented to detect similar attacks?

  • Vulnerability scanner
  • TPM
  • Host-based firewall
  • File integrity monitor
  • NIPS
A
  • File integrity monitor
22
Q

While reviewing KPIs of the email security appliance with the Chief Information Security Officer (CISO) of an insurance company, the security engineer notices the following:

Month   Encrypted Email   Unencrypted Email   Contains PII
1       200               0                   0
2       230               10                  5
3       185               15                  10
4       198               60                  40
5       204               75                  45

Which of the following measures should the security engineer take to ensure PII is not intercepted in transit while also preventing interruption to business?

  • Quarantine emails sent to external domains containing PII and release after inspection.
  • Prevent PII from being sent to domains that allow users to sign up for free webmail.
  • Enable transport layer security on all outbound email communications and attachments.
  • Provide security awareness training regarding transmission of PII.
A
  • Provide security awareness training regarding transmission of PII.
23
Q

A Chief Security Officer (CISO) recently changed jobs into a new industry. The CISO’s first task is to write a new, relevant risk assessment for the organization. Which of the following would BEST help the CISO find relevant risks to the organization? (Select TWO)

  • Perform a penetration test
  • Conduct a regulatory audit
  • Hire a third-party consultant
  • Define a threat model
  • Review the existing BIA
  • Perform an attack path analysis
A
  • Define a threat model
  • Review the existing BIA
24
Q

A penetration tester noticed special characters in a database table. The penetration tester configured the browser to use an HTTP interceptor to verify that the front-end user registration web form accepts invalid input in the user’s age field. The developer was notified and asked to fix the issue. Which of the following is the MOST secure solution for the developer to implement?

  • IF $AGE == “!@#$%^&*()_+<>?”:{}[]” THEN ERROR
  • IF $AGE ==[123456790] {1,3} THEN CONTINUE
  • IF $AGE != “a-bA-Z!@#$%^&*()_+<>?{}[]” THEN CONTINUE
  • IF $AGE == [1-0] {0,2} THEN CONTINUE
A
  • IF $AGE ==[123456790] {1,3} THEN CONTINUE
25
Q

A security analyst is inspecting pseudocode of the following multithreaded application:

perform daily ETL of data
  1 validate that yesterday’s data model file exists
  2 validate that today’s data model does not exist
  2 extract yesterday’s data model
  3 transform the format
  4 load the transformed data into today’s data model file
  5 exit

Which of the following security concerns is evident in the above pseudocode?

  • Time of check/time of use
  • Resource exhaustion
  • Improper storage of sensitive data
  • Privilege escalation
A
  • Time of check/time of use
26
Q

A penetration test is being scoped for a set of web services with API endpoints. The APIs will be hosted on existing web application servers. Some of the new APIs will be available to unauthenticated users, but some will only be available to authenticated users. Which of the following tools or activities would the penetration tester MOST likely use or do during the engagement? (Select TWO)

  • Static code analyzer
  • Intercepting proxy
  • Port scanner
  • Reverse engineering
  • Reconnaissance gathering
  • User acceptance testing
A
  • Intercepting proxy
  • Reconnaissance gathering
27
Q

A technician is configuring security options on the mobile device manager for users who often utilize public Internet connections while traveling. After ensuring that full disk encryption is enabled, which of the following security measures should the technician take? (Select TWO)

  • Require all mobile device backups to be encrypted
  • Ensure all mobile devices back up using USB OTG
  • Issue a remote wipe of corporate and personal partitions
  • Restrict devices from making long-distance calls during business hours
  • Implement an always-on VPN
A
  • Require all mobile device backups to be encrypted
  • Implement an always-on VPN
28
Q

An organization, which handles large volumes of PII, allows mobile devices that can process, store, and transmit PII and other sensitive data to be issued to employees. Security assessors can demonstrate recovery and decryption of remnant sensitive data from device storage after MDM issues a successful wipe command. Assuming availability of the controls, which of the following would BEST protect against loss of sensitive data in the future?

  • Implement a container that wraps PII data and stores keying material directly in the container’s encrypted application space.
  • Use encryption keys for sensitive data stored in an eFuse-backed memory space that is blown during a remote wipe.
  • Issue devices that employ a stronger algorithm for the authentication of sensitive data stored on them.
  • Procure devices that remove the bootloader binaries upon receipt of an MDM-issued remote wipe command.
A
  • Implement a container that wraps PII data and stores keying material directly in the container’s encrypted application space.
29
Q

A software development company lost customers recently because of a large number of software issues. These issues were related to integrity and availability defects, including buffer overflows, pointer dereferences, and others. Which of the following should the company implement to improve code quality? (Select TWO)

  • Development environment access controls
  • Continuous integration
  • Code comments and documentation
  • Static analysis tools
  • Application containerization
  • Code obfuscation
A
  • Code comments and documentation
  • Static analysis tools
30
Q

Legal counsel has notified the information security manager of a legal matter that will require the preservation of electronic records for 2000 sales force employees. Source records will be email, PC, network shares, and applications. After all restrictions have been lifted, which of the following should the information manager review?

  • Data retention policy
  • Legal hold
  • Chain of custody
  • Scope statement
A
  • Data retention policy
31
Q

Company leadership believes employees are experiencing an increased number of cyber attacks; however, the metrics do not show this. Currently the company uses “Number of successful phishing attacks” as a KPI, but it does not show an increase. Which of the following additional information should the Chief Information Security Officer (CISO) include in the report?

  • The rate of phishing emails to non-phishing emails
  • The number of phishing attacks per employee
  • The number of unsuccessful phishing attacks
  • The percentage of successful phishing attacks
A
  • The number of unsuccessful phishing attacks
32
Q

Security policies that are in place at an organization prohibit USB drives from being utilized across the entire enterprise, with adequate technical control in place to block them. As a way to be able to work from various locations on different computing resources, several sales staff members have signed up for a web-based storage solution without the consent of the IT department. However, the operations department is required to use the same service to transmit certain business partner documents. Which of the following would BEST allow the IT department to monitor and control this behavior?

  • Enabling AAA
  • Deploying a CASB
  • Configuring an NGFW
  • Installing a WAF
  • Using a vTPM
A
  • Deploying a CASB
33
Q

A company uses an application in its warehouse that works with several commercially available tablets and can only be accessed inside the warehouse. The support department would like the selection of tablets to be limited to three models to provide better support and ensure spares are on hand. Users often keep the tablets after they leave the department, as many of them store personal media items. Which of the following should the security engineer recommend to meet these requirements?

  • COPE with geofencing
  • MDM with remote wipe
  • BYOD with containerization
  • CYOD with VPN
A
  • COPE with geofencing
34
Q

A security engineer is performing an assessment again for a company. The security engineer examines the following output from the review:

  • Password complexity: Disabled
  • Require authentication from a domain controller before sign-in: Enabled
  • Allow guest user access: Enabled
  • Allow anonymous enumeration of groups: Disabled

Which of the following tools is the engineer utilizing to perform this assessment?

  • Vulnerability scanner
  • SCAP scanner
  • Port scanner
  • Interception proxy
A
  • SCAP scanner
35
Q

While conducting a BIA for a proposed acquisition, the IT integration team found that both companies outsource CRM services to competing and incompatible third-party cloud services. The decision has been made to bring the CRM service in-house, and the IT team has chosen a future solution. With which of the following should the Chief Information Security Officer (CISO) be the MOST concerned? (Select TWO)

  • Data remnants
  • Sovereignty
  • Compatible services
  • Storage encryption
  • Data migration
  • Chain of custody
A
  • Data remnants
  • Data migration
36
Q

To meet an SLA, which of the following documents should be drafted, defining the company’s internal interdependent unit responsibilities and delivery timelines?

  • BPA
  • OLA
  • MSA
  • MOU
A
  • OLA
37
Q

A government organization operates and maintains several ICS environments. The categorization of one of these environments led to a moderate baseline. The organization has compiled a set of applicable security controls based on this categorization. Given that this is a unique environment, which of the following should the organization do NEXT to determine if other security controls should be considered?

  • Check for any relevant or required overlays.
  • Review enhancements within the current control set.
  • Modify to a high-baseline set of controls.
  • Perform continuous monitoring.
A
  • Modify to a high-baseline set of controls.
38
Q

A security architect is determining the best solution for a new project. The project is developing a new intranet with advanced authentication capabilities, SSO for users, and automated provisioning to streamline Day 1 access to systems. The security architect has identified the following requirements:

  1. Information should be sourced from the trusted master data source.
  2. There must be future requirements for identity proofing of devices and users.
  3. A generic identity connector that can be reused must be developed.
  4. The current project scope is for internally hosted applications only.

Which of the following solution building blocks should the security architect use to BEST meet the requirements?

  • LDAP, multifactor authentication, OAuth, XACML
  • AD, certificate-based authentication, Kerberos, SPML
  • SAML, context-aware authentication, OAuth, WAYF
  • NAC, radius, 802.1X, centralized active directory
A
  • LDAP, multifactor authentication, OAuth, XACML
39
Q

The finance department has started to use a new payment system that requires strict PII security restrictions on various network devices. The company decides to enforce the restrictions and configure all devices appropriately. Which of the following risk response strategies is being used?

  • Avoid
  • Mitigate
  • Transfer
  • Accept
A
  • Mitigate
40
Q

Following the successful response to a data-leakage incident, the incident team lead facilitates an exercise that focuses on continuous improvement of the organization’s incident response capabilities. Which of the following activities has the incident team lead executed?

  • Lessons learned review
  • Root cause analysis
  • Incident audit
  • Corrective action exercise
A
  • Lessons learned review
41
Q

A project manager is working with a software development group to collect and evaluate user stories related to the organization’s internally designed CRM tool. After defining requirements, the project manager would like to validate the developer’s interpretation and understanding of the user’s request. Which of the following would BEST support this objective?

  • Peer review
  • Design review
  • Scrum
  • User acceptance testing
  • Unit testing
A
  • Scrum
42
Q

A system administrator receives an advisory email that a recently discovered exploit is being used in another country and the financial institutions have ceased operations while they find a way to respond to the attack. Which of the following BEST describes where the administrator should look to find information on the attack to determine if a response must be prepared for the systems? (Select TWO)

  • Bug bounty websites
  • Hacker forums
  • Antivirus vendor websites
  • Trade industry association websites
  • CVE database
  • Company’s legal department
A
  • CVE database
  • Company’s legal department
43
Q

Company.org has requested a black-box security assessment be performed on key cyber terrain. One area of concern is DNS services. The security assessor wants to run reconnaissance before taking any additional action and wishes to determine which DNS servers are Internet-facing. Which of the following commands should the assessor use to determine this information?

  • dnsrecon -d company -t SOA
  • dig company.org mx
  • nc -v company.org
  • whois company.org
A
  • dnsrecon -d company -t SOA
44
Q

A user asks a security practitioner for a recommendation on securing a home network. The user recently purchased a connected home assistant and multiple IoT devices in an effort to automate the home. Some of the IoT devices are wearables, and others are installed in the user’s automobiles. The current home network is configured as a single flat network behind an ISP-supplied router. The router has a single IP address, and the router performs NAT on incoming traffic to route it to individual devices. Which of the following security controls would address the user’s privacy concerns and provide the BEST level of security for the home network?

  • Ensuring all IoT devices are configured in geofencing mode so that the devices do not work when removed from the home network. Disable the home assistant unless actively using it, segment the network so each IoT device has its own segment.
  • Install a firewall capable of cryptographically separating network traffic, require strong authentication to access all IoT devices, and restrict network access for the home assistant based on time-of-day restrictions.
  • Segment the home network to separate network traffic from users and the IoT devices, ensure security settings on the home assistant support no or limited recording capability, and install firewall rules on the router to restrict traffic to the home assistant as much as possible.
  • Change all default passwords on the IoT devices, disable Internet access for the IoT devices and the home assistant, obtain routable IP addresses for all devices, and implement IPv6 and IPSec protections on all network traffic.
A
  • Segment the home network to separate network traffic from users and the IoT devices, ensure security settings on the home assistant support no or limited recording capability, and install firewall rules on the router to restrict traffic to the home assistant as much as possible.
45
Q

A government contractor was a victim of a malicious attack that resulted in the theft of sensitive information. An analyst’s subsequent investigation of sensitive systems led to the following discoveries:

  • There was no indication of the data owner’s or user’s account being compromised.
  • No database activity outside of previous baselines was discovered.
  • All workstations and servers were fully patched for all known vulnerabilities at the time of the attack.
  • It was likely not an insider threat, as all employees passed polygraph tests.

Given the scenario, which of the following is the MOST likely attack that occurred?

  • The attacker harvested the hash credentials of an account within the database administrators group after dumping memory of a compromised machine. With these credentials, the attacker was able to access the database containing sensitive information directly.
  • An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.
  • A shared workstation was physically accessible in a common area of the contractor’s office space and was compromised by an attacker using a USB exploit, which later resulted in gaining a local administrator account. Using the local administrator credentials, the attacker was able to move laterally to the server hosting the database with sensitive information.
  • After successfully using a watering hole attack to deliver an exploit to a machine, which belongs to an employee of the contractor, an attacker gained access to a corporate laptop. With this access, the attacker then established a remote session over a VPN connection with the server hosting the database of sensitive information.
A
  • An account, which belongs to an administrator of virtualization infrastructure, was compromised with a successful phishing attack. The attacker used these credentials to access the virtual machine manager and made a copy of the target virtual machine image. The attacker later accessed the image offline to obtain sensitive information.
46
Q

A security engineer is analyzing an application during a security assessment to ensure it is configured to protect against common threats. Given the output below:

Response Headers
Cache-Control:no-cache
Content-Type:text/event-stream
Date:Mon, 17 Sep 2018 15:58:37 GMT
Expires:-1
Pragma:no-cache
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
Request Headers
Host: secure.comptia.org
Connection: keep-alive
Accept: text/event-stream
Cache-Control: no-cache
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US, en;q=0.9

Which of the following tools did the security engineer MOST likely use to generate this output?

  • Application fingerprinter
  • Fuzzer
  • HTTP interceptor
  • Vulnerability scanner
A
  • HTTP interceptor
47
Q

An organization is implementing a virtualized thin-client solution for normal user computing and access. During a review of the architecture, concerns were raised that an attacker could gain access to multiple user environments by simply gaining a foothold on a single one with malware. Which of the following reasons BEST explains this?

  • Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor.
  • A worm on one virtual environment could spread to others by taking advantage of guest OS networking services vulnerabilities.
  • One virtual environment may have one or more application-layer vulnerabilities, which would allow an attacker to escape that environment.
  • Malware on one virtual user environment could be copied to all others by the attached network storage controller.
A
  • Malware on one virtual environment could enable pivoting to others by leveraging vulnerabilities in the hypervisor.
48
Q

An information security officer is responsible for one secure network and one office network. Recent intelligence suggests there is an opportunity for attackers to gain access to the secure network due to similar login credentials across networks. To determine which users should change their password information, the information security officer uses a tool to scan a file with hashed values on both networks and receives the following information.

Corporate Network               Secure Network
Username          Password      Username     Password
james.bond        asHU8$1bg     jbond        asHU8$1bg
tom.jones         wit4njyt%!    tom.jones    wit4njyt%
dade.murphy       mUrpHTIME7    d,murph3     t%w38T9)n
herbie.handcock   hh2016!/#     hhanco       hh2016!/#
suzy.smith        iLI#HFadf     ssmith       iLI#HFadf

Which of the following tools was used to gather this information from the hashed values in this file?

  • Vulnerability scanner
  • Fuzzer
  • MD5 generator
  • Password cracker
  • Protocol analyzer
A
  • password cracker

Listed answer is - Protocol analyzer, but makes no sense…

49
Q

The Chief Information Security Officer (CISO) suspects that a database administrator has been tampering with financial data to the administrator’s advantage. Which of the following would allow a third-party consultant to conduct an on-site review of the administrator’s activity?

  • Separation of duties
  • Job rotation
  • Continuous monitoring
  • Mandatory vacation
A
  • Separation of duties
50
Q

A system administrator at a medical imaging company discovers protected health information (PHI) on a general-purpose file server. Which of the following steps should the administrator take NEXT?

  • Isolate all the PHI on its own VLAN and keep it segregated at Layer 2.
  • Immediately encrypt the PHI with AES-256
  • Delete all PHI from the network until the legal department is consulted.
  • Consult the legal department to determine legal requirements.
A
  • Immediately encrypt the PHI with AES-256
51
Q

The Chief Executive Officers (CEOs) from two different companies are discussing the highly sensitive prospect of merging their respective companies together. Both have invited their Chief Information Officers (CIOs) to discern how they can securely and digitally communicate, and the following criteria are collectively determined:

  • Must be encrypted on the email servers and clients
  • Must be OK to transmit over unsecured Internet connections

Which of the following communication methods would be BEST to recommend?

  • Force TLS between domains.
  • Enable STARTTLS on both domains.
  • Use PGP-encrypted emails.
  • Switch both domains to utilize DNSSEC.
A
  • Use PGP-encrypted emails.
52
Q

A security analyst is reviewing the corporate MDM settings and notices some disabled settings, which consequently permit users to download programs from untrusted developers and manually install them. After some conversations, it is confirmed that these settings were disabled to support the internal development of mobile applications. The security analyst is now recommending that developers and testers have a separate device profile allowing this, and that the rest of the organization’s users do not have the ability to manually download and install untrusted applications. Which of the following settings should be toggled to achieve the goal? (Select TWO)

  • OTA updates
  • Remote wiping
  • Side loading
  • Sandboxing
  • Containerization
  • Signed applications
A
  • Containerization
  • Signed applications
53
Q

A security analyst is classifying data based on input from data owners and other stakeholders. The analyst has identified three data types:

  1. Financially sensitive data
  2. Project data
  3. Sensitive project data

The analyst proposes that data be protected in two major groups, with further access control separating the financially sensitive data from the sensitive project data. The normal project data will be stored in a separate, less secure location. Some stakeholders are concerned about the recommended approach and insist that commingling the data from different sensitive projects would leave them vulnerable to industrial espionage. Which of the following is the BEST course of action for the analyst to recommend?

  • Conduct a quantitative evaluation of the risks associated with commingling the data and reject or accept the concerns raised by the stakeholders.
  • Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.
  • Use qualitative methods to determine aggregate risk scores for each project and use the derived scores to more finely segregate the data.
  • Increase the number of available data storage devices to provide enough capacity for physical separation of non-sensitive project data.
A
  • Meet with the affected stakeholders and determine which security controls would be sufficient to address the newly raised risks.
54
Q

A security analyst has requested that network engineers integrate sFlow into the SOC’s overall monitoring picture. For this to be a useful addition to the monitoring capabilities, which of the following must be considered by the engineering team?

  • Effective deployment of network taps.
  • Overall bandwidth available at Internet PoP.
  • Optimal placement of log aggregators.
  • Availability of application layer visualizers
A
  • Availability of application layer visualizers
55
Q

A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage. Which of the following exercise types should the analyst perform?

  • Summarize the most recent disclosed vulnerabilities.
  • Research industry best practices and the latest RFCs.
  • Undertake an external vulnerability scan and penetration test.
  • Conduct a threat modeling exercise.
A
  • Conduct a threat modeling exercise.
56
Q

A company has decided to lower costs by conducting an internal assessment on specific devices and various internal and external subnets. The assessment will be done during regular office hours, but it must not affect any production servers. Which of the following would MOST likely be used to complete the assessment? (Select TWO)

  • Agent-based vulnerability scan
  • Black-box penetration testing
  • Configuration review
  • Social engineering
  • Malware sandboxing
  • Tabletop exercise
A
  • Configuration review
  • Tabletop exercise
57
Q

A business is growing and starting to branch out into other locations. In anticipation of opening an office in a different country, the Chief Information Security Officer (CISO) and legal team agree they need the following criteria regarding data to open the new office.

  • Store taxation-related documents for five years.
  • Store customer addresses in an encrypted format.
  • Destroy customer information after one year.
  • Keep data only in the customer’s home country.

Which of the following should the CISO implement to BEST meet these requirements? (Select THREE)

  • Capacity planning policy
  • Data retention policy
  • Data classification policy
  • Legal compliance policy
  • Data sovereignty policy
  • Backup policy
  • Acceptable use policy
  • Encryption standard
A
  • Data retention policy
  • Data sovereignty policy
  • Encryption standard
58
Q

A company has decided to replace all its T-1 uplinks at each regional office and move away from using the existing MPLS network. All regional sites will use high-speed connections and VPNs to connect back to the main campus. Which of the following devices would most likely be added at each location?

  • SIEM
  • IDS/IPS
  • Proxy server
  • Firewall
  • Router
A
  • Firewall
59
Q

Given the following code snippet:

<FORM ACTION="http://192.168.51.10/cgi-bin/order.pl" method="post">
<input type="hidden" name="price" value="199.99">
<input type="hidden" name="prd_id" value="X190">
QUANTITY:

A
  • Improper field usage
60
Q

An advanced threat emulation engineer is conducting testing against a client’s network. The engineer conducts the testing in as realistic a manner as possible. Consequently, the engineer has been gradually ramping up the volume of attacks over a long period of time. Which of the following combinations of techniques would the engineer MOST likely use in testing? (Select THREE)

  • Black box testing
  • Gray box testing
  • Code review
  • Social engineering
  • Vulnerability assessment
  • Pivoting
  • Self-assessment
  • White teaming
  • External auditing
A
  • Black box testing
  • Vulnerability assessment
  • Pivoting
61
Q

The Chief Information Security Officer (CISO) of an e-retailer, which has an established security department, identifies a customer using a fraudulent credit card. The CISO calls the local authorities, and when they arrive on-site, the authorities ask a security engineer to create a point-in-time copy of the running database in their presence. This is an example of:

  • Creating a forensic image
  • Deploying fraud monitoring
  • Following a chain of custody
  • Analyzing the order of volatility
A
  • Following a chain of custody
62
Q

An organization is in the process of integrating its operational technology and information technology areas. As part of the integration, some of the cultural aspects it would like to see include more efficient use of resources during change windows, better protection of critical infrastructure, and the ability to respond to incidents. The following observations have been identified:

  1. The ICS supplier has specified that any software installed will result in a lack of support.
  2. There is no documented trust boundary defined between the SCADA and corporate networks.
  3. Operational technology staff have to manage the SCADA equipment via the engineering workstation.
  4. There is a lack of understanding of what is within the SCADA network.

Which of the following capabilities would BEST improve the security position?

  • VNC, router, HIPS
  • SIEM, VPN, firewall
  • Proxy, VPN, WAF
  • IDS, NAC, and log monitoring
A
  • VNC, router, HIPS
63
Q

A regional business is expecting a severe winter storm next week. The IT staff has been reviewing corporate policies on how to handle various situations and found some are missing or incomplete. After reporting this gap in documentation to the information security manager, a document is immediately drafted to move various personnel to other locations to avoid downtime in operations. This is an example of:

  • a disaster recovery plan
  • an incident response plan
  • a business continuity plan
  • a risk avoidance plan
A
  • a business continuity plan
64
Q

Providers at a healthcare system with many geographically dispersed clinics have been fined five times this year after an auditor received notice of the following SMS messages:

—image—

Which of the following represents the BEST solution for preventing future fines?

  • Implement a secure text-messaging application for mobile devices and workstations.
  • Write a policy requiring this information to be given over the phone only.
  • Provide a courier service to deliver sealed documents containing public health informatics.
  • Implement FTP services between clinics to transmit text documents with the information.
  • Implement a system that will tokenize patient numbers.
A
  • Implement a secure text-messaging application for mobile devices and workstations.
65
Q

An organization is considering the use of a thin client architecture as it moves to a cloud-hosted environment. A security analyst is asked to provide thoughts on the security advantages of using thin clients and virtual workstations. Which of the following are security advantages of the use of this combination of thin clients and virtual workstations?

  • Malicious insiders will not have the opportunity to tamper with data at rest and affect the integrity of the system.
  • Thin client workstations require much less security because they lack storage and peripherals that can be easily compromised, and the virtual workstations are protected in the cloud where security is outsourced.
  • All thin clients use TPM for core protection, and virtual workstations use vTPM for core protection with both equally ensuring a greater security advantage for a cloud-hosted environment.
  • Malicious users will have reduced opportunities for data extractions from their physical thin client workstations, thus reducing the effectiveness of local attacks.
A
  • Thin client workstations require much less security because they lack storage and peripherals that can be easily compromised, and the virtual workstations are protected in the cloud where security is outsourced.
66
Q

A security engineer is assisting a developer with input validation; they are studying the following code block:

String accountIdRegexp = "TODO, help!";
private static final Pattern accountIdPattern = Pattern.compile("accountIdRegexp");
String accountId = request.getParameter("accountNumber");
if (!accountIdPattern.matcher(accountId).matches()) {
    System.out.println("account ID format incorrect");
} else {
    //continue
}

The security engineer wants to ensure strong input validation is in place for customer-provided account identifiers. These identifiers are ten-digit numbers. The developer wants to ensure input validation is fast because a large number of people use the system.

Which of the following would be the BEST advice for the security engineer to give the developer?

  • Replace code with Java-based type checks
  • Parse input into an array
  • Use regular expressions
  • Canonicalize input into string objects before validation
A
  • Use regular expressions
67
Q

Due to a breach, the Chief Executive Officer (CEO) has requested the following activities be conducted during incident response planning:

  • Involve business owners and stakeholders
  • Create an applicable scenario
  • Conduct a biannual verbal review of the incident response plan
  • Report on the lessons learned and gaps identified

Which of the following exercises has the CEO requested?

  • Parallel operations
  • Full transition
  • Internal review
  • Tabletop
  • Partial simulation
A
  • Internal review
68
Q

A security researcher is gathering information about a recent spike in the number of targeted attacks against multinational banks. The spike is on top of already sustained attacks against the banks. Some of the previous attacks have resulted in the loss of sensitive data, but as of yet the attackers have not successfully stolen any funds.

Based on the information available to the researcher, which of the following is the MOST likely threat profile?

  • Nation-state-sponsored attackers conducting espionage for strategic gain.
  • Insiders seeking to gain access to funds for illicit purposes.
  • Opportunists seeking notoriety and fame for personal gain.
  • Hacktivists seeking to make a political statement because of socio-economic factors.
A
  • Hacktivists seeking to make a political statement because of socio-economic factors.
69
Q

A systems administrator has installed a disk wiping utility on all computers across the organization and configured it to perform a seven-pass wipe and an additional pass to overwrite the disk with zeros. The company has also instituted a policy that requires users to erase files containing sensitive information when they are no longer needed. To ensure the process provides the intended results, an auditor reviews the following content from a randomly selected decommissioned hard disk:

  • 0000000000000000
  • 0000000000000000
  • 0000000000000000
  • 00000000000qjkehd

Which of the following should be included in the auditor’s report based on the above findings?

  • The hard disk contains bad sectors
  • The disk has been degaussed.
  • The data represents part of the disk BIOS.
  • Sensitive data might still be present on the hard drives.
A
  • The hard disk contains bad sectors
70
Q

A security technician receives a copy of a report that was originally sent to the board of directors by the Chief Information Security Officer (CISO). The report outlines the following KPI/KRI data for the last 12 months.

Month      AV Fleet   AV Signature   Detected Phishing   Infected   Threat Landscape   Number of Open
           Coverage   Updated        Attempts            Systems    Rating             Security Incidents
---------------------------------------------------------------------------------------------------------
January    30%        100%           40                  26         High               40
February   20%        100%           8                   4          Low                40
March      40%        100%           2                   3          Low                30
April      50%        98%            17                  12         Medium             30
May        90%        98%            40                  5          Low                20
June       95%        98%            10                  13         Medium             30
July       95%        98%            25                  13         Medium             30
August     95%        96%            8                   15         Medium             40
Sept       95%        90%            9                   10         Medium             50
Oct        95%        90%            20                  4          Low                65
Nov        95%        98%            17                  7          Low                75
Dec        95%        100%           5                   22         High               85

Which of the following BEST describes what could be interpreted from the above data?

A.
  1. AV coverage across the fleet improved.
  2. There is no correlation between infected systems and AV coverage.
  3. There is no correlation between phishing attempts and infected systems.
  4. A correlation between threat landscape rating and infected systems appears to exist.
  5. Effectiveness and performance of the security team appears to be degrading.
B.
  1. AV signature coverage has remained consistently high.
  2. AV coverage across the fleet improved.
  3. A correlation between phishing attempts and infected systems appears to exist.
  4. There is a correlation between the threat landscape rating and security team’s performance.
  5. There is no correlation between detected phishing attempts and infected systems.
C.
  1. AV coverage across the fleet declined.
  2. There is no correlation between infected systems and AV coverage.
  3. A correlation between phishing attempts and infected systems appears to exist.
  4. There is no correlation between the threat landscape rating and the security team’s performance.
  5. There is a correlation between detected phishing attempts and infected systems.
D.
  1. AV coverage across the fleet declined.
  2. There is no correlation between infected systems and AV coverage.
  3. A correlation between phishing attempts and infected systems appears to exist.
  4. There is no correlation between the threat landscape rating and the security team’s performance.
  5. Effectiveness and performance of the security team appears to be degraded.

A

A.
  1. AV coverage across the fleet improved.
  2. There is no correlation between infected systems and AV coverage.
  3. There is no correlation between phishing attempts and infected systems.
  4. A correlation between threat landscape rating and infected systems appears to exist.
  5. Effectiveness and performance of the security team appears to be degrading.
71
Q

A security engineer is attempting to convey the importance of including job rotation in a company’s standard security policies. Which of the following would be the BEST justification?

  • Making employees rotate through jobs ensures succession plans can be implemented and prevents a single point of failure.
  • Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
  • Administrators and engineers who perform multiple job functions throughout the day benefit from being cross-trained in new job areas.
  • It eliminates the need to share administrative account passwords because employees gain administrative rights as they rotate into a new job area.
A
  • Forcing different people to perform the same job minimizes the amount of time malicious actions go undetected by forcing malicious actors to attempt collusion between two or more people.
72
Q

The Chief Information Officer (CIO) wants to increase security and accessibility among the organization’s cloud SaaS applications. The applications are configured to use passwords, and two-factor authentication is not provided natively.

Which of the following would BEST address the CIO’s concerns?

  • Procure a password manager for the employees to use with the cloud applications.
  • Create a VPN tunnel between the on-premises environment and the cloud providers.
  • Deploy applications internally and migrate away from SaaS applications.
  • Implement an IdP that supports SAML and time-based, one-time passwords.
A
  • Implement an IdP that supports SAML and time-based, one-time passwords.
73
Q

Which of the following is an external pressure that causes companies to hire security assessors and penetration testers?

  • Lack of adequate in-house testing skills.
  • Requirements for geographically based assessments.
  • Cost reduction measures.
  • Regulatory insistence on independent reviews.
A
  • Regulatory insistence on independent reviews.
74
Q

After significant vulnerabilities and misconfigurations were found in numerous production web applications, a security manager identified the need to implement better development controls. Which of the following controls should be verified? (Select TWO)

  • Input validation routines are enforced on the server side.
  • Operating systems do not permit null sessions.
  • System administrators receive application security training.
  • VPN connections are terminated after a defined period of time
  • Error-handling logic fails securely.
  • OCSP calls are handled effectively.
A
  • Input validation routines are enforced on the server side.
  • Error-handling logic fails securely.
75
Q

An organization has established the following controls matrix:

—image—

The following control sets have been defined by the organization and are applied in aggregate fashion:

  • Systems containing PII are protected with the minimum control set.
  • Systems containing medical data are protected at the moderate level.
  • Systems containing cardholder data are protected at the high level.

The organization is preparing to deploy a system that protects the confidentiality of a database containing PII and medical data from clients. Based on the controls classification, which of the following controls would BEST meet these requirements?

  • Proximity card access to the server room, context-based authentication, UPS, and full-disk encryption for the database server.
  • Cipher lock on the server room door, FDE, surge protector, and static analysis of all application code.
  • Peer review of all application changes, static analysis of application code, UPS, and penetration testing of the complete system.
  • Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.
A
  • Intrusion detection capabilities, network-based IPS, generator, and context-based authentication.
76
Q

A security engineer is assessing the controls that are in place to secure the corporate Internet-facing DNS server. The engineer notices that security ACLs exist but are not being used properly. The DNS server should respond to any source but only provide information about domains it has authority over. Additionally, the DNS administrators have identified some problematic IP addresses that should not be able to make DNS requests. Given the ACLs below:

acl secondary-dns {
192.168.1.54;
};
acl internal-nets {
192.168.1.0/24;
};
acl blacklist-ips {
224.0.22.39;
12.122.1.0/24;
122.64.8.80;
};

Which of the following should the security administrator configure to meet the DNS security needs?

- zone "company.com" in {
type "master";
allow-query { any;};
allow-transfer { !blacklist-ips;};
};
- zone "company.com" in {
type = "master";
file "company.hosts";
allow-query { secondary-dns; internal-nets; !blacklist-ips; ;};
allow-transfer {none};
};
- zone "company.com" in {
type = "master";
file "company.hosts";
allow-query { internal-nets; !blacklist-ips; };
allow-transfer {none};
};
- zone "company.com" in {
type = "master";
file "company.hosts";
allow-query { any; !blacklist-ips; };
allow-transfer { secondary-dns};
};
A
- zone "company.com" in {
type = "master";
file "company.hosts";
allow-query { any; !blacklist-ips; };
allow-transfer { secondary-dns};
};
77
Q

A legacy web application, which is being used by a hospital, cannot be upgraded for 12 months. A new vulnerability is found in the legacy application and the networking team is tasked with mitigation. Middleware for mitigation will cost $100,000 per year. Which of the following must be calculated to determine ROI? (Select TWO)

  • ALE
  • RTO
  • MTBF
  • ARO
  • RPO
A
  • ALE
  • ARO

These are the only options that have a monetary metric.

78
Q

A company is not familiar with the risks associated with IPv6. The systems administrator wants to isolate IPv4 from IPv6 traffic between two different network segments. Which of the following should the company implement? (Select TWO)

A. Use an internal firewall to block UDP port 3544.
B. Disable network discovery protocol on all company routers.
C. Block IP protocol 41 using layer 3 switches
D. Disable the DHCPv6 service from all routers
E. Drop traffic for ::/0 at the edge firewall.
F. Implement a 6in4 proxy server

A
  • Disable the DHCPv6 service from all routers
  • Drop traffic for ::/0 at the edge firewall.

79
Q

Ann, a security administrator, is conducting an assessment on a new firewall, which is placed at the perimeter of a network containing PII. Ann runs the following commands on a server (10.2.1.19) behind the firewall.

service iptables stop
service sshd stop

From her own workstation (192.168.2.45) outside the firewall, Ann then runs a port scan against the server and records the following packet capture of the port scan.

0.872299 192.168.2.45 -> 10.1.1.19 TCP 62 49188 > 22 [SYN] Seq=0 Len=0 MSS=1460
0.872899 10.0.1.19 -> 192.168.2.45 TCP 62 22 > 49188 [RST] Seq=0 Len=0 MSS=1460
0.892308 192.168.2.45 -> 10.1.1.19 TCP 62 49188 > 23 [SYN] Seq=0 Len=0 MSS=1460
0.892309 10.0.1.19 -> 192.168.2.45 TCP 62 23 > 49189 [RST] Seq=0 Len=0 MSS=1460
0.901234 192.168.2.45 -> 10.1.1.19 TCP 62 49189 > 24 [SYN] Seq=0 Len=0 MSS=1460
0.901454 10.0.1.19 -> 192.168.2.45 TCP 62 24 > 49188 [RST] Seq=0 Len=0 MSS=1460
0.925657 192.168.2.45 -> 10.1.1.19 TCP 62 49188 > 25 [SYN] Seq=0 Len=0 MSS=1460
0.929872 10.0.1.19 -> 192.168.2.45 TCP 62 25 > 49188 [RST] Seq=0 Len=0 MSS=1460

Connectivity to the server from outside the firewall worked as expected prior to executing these commands. Which of the following can be said about the new firewall?

  • It is correctly dropping all packets destined for the server.
  • It is not blocking or filtering any traffic to the server.
  • iptables needs to be restarted
  • The IDS functionality of the firewall is currently disabled
A
  • It is correctly dropping all packets destined for the server.

Note: iptables is the Linux firewall service. sshd is the Secure Shell (SSH) service.

80
Q

A security analyst is reviewing the following company requirements prior to selecting the appropriate technical control configuration parameter.

RTO  2 days
RPO  36 hours
MTTR 24 hours
MTBF 60 days

Which of the following solutions will address the RPO requirements?

  • Remote Syslog facility collecting real-time events
  • Server farm behind the load balancer delivering five-nines uptime
  • Backup solution that implements daily snapshots
  • Cloud environment distributed across geographic regions
A
  • Backup solution that implements daily snapshots

Note: RPO defines how much data you can afford to lose. This is what defines how often you make backups.

81
Q

A security consultant is improving the physical security of a sensitive site and takes pictures of the unbranded building to include in the report. Two weeks later the security consultant misplaces the phone, which only has one hour of charge left on it. The person who finds the phone removes the MicroSD card in an attempt to discover the owner to return it.

The person extracts the following from the phone and EXIF data from some files.

DCM images folder
Audio books folder
Torrentz
My TAX.xls
Consultancy HR Manual.doc
Camera: SM-G950F
Exposure time: 1/60 s
Location: 3500 Lacey Road USA

Which of the following BEST describes the security problem?

  • MicroSD is not encrypted and also contains personal data
  • MicroSD contains a mixture of personal and work data
  • MicroSD is not encrypted and contains geotagging information
  • MicroSD contains pirated software and is not encrypted
A
  • MicroSD is not encrypted and contains geotagging information
82
Q

An organization is deploying IoT locks, sensors and cameras, which operate over 802.11, to replace legacy building access control systems. These devices are capable of triggering physical access changes, including locking and unlocking doors and gates. Unfortunately, the devices have known vulnerabilities for which the vendor has yet to provide firmware updates. Which of the following would BEST mitigate this risk?

  • Direct wire the IoT devices into the physical switches and place them on an exclusive VLAN
  • Require sensors to sign all transmitted unlock control messages digitally
  • Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS
  • Implement an out-of-band monitoring solution to detect message injections and attempts.
A
  • Associate the devices with an isolated wireless network configured for WPA2 and EAP-TLS
83
Q

A company decides to implement a BYOD policy and is concerned about how to implement the proper controls to secure its mobile devices. Which of the following security approaches can the company implement to ensure its mobile devices are secure?

  • Use FDE with key escrow
  • Allow the use of the camera, the microphone, and removable media
  • Deploy a custom SEAndroid policy
  • Implement security awareness training
  • Configure a custom MAC policy
A
  • Use FDE with key escrow
84
Q

A security analyst sees some suspicious entries in a log file from a web server whose website has a form that allows customers to leave feedback on the company’s projects. The analyst believes a malicious actor is scanning the web form. Before selecting security controls, the analyst first needs to determine the type of activity occurring so that an appropriate control can be designed. Given the log below:

Monday 10:00:04 10.14.34.55 aaaaa Phone Widget1 None left
Monday 10:00:04 10.14.34.55 bbbbb Phone Widget1 None left
Monday 10:00:05 10.14.34.55 ccccc Phone Widget1 ../../etc/passwd
Monday 10:01:03 10.14.34.55 ddddd Phone Widget1 None left
Monday 10:01:04 10.14.34.55 eeeee Phone Widget1 None left
Monday 10:01:05 10.14.34.55 fffff Phone Widget1 1=1
Monday 10:03:05 172.16.34.20 Joe Phone Widget30 Love the Widget!
Monday 10:04:01 10.14.34.55 ggggg Phone Widget1
Monday 10:05:05 10.14.34.55 hhhhh Phone Widget1 wget cookie
Monday 10:05:05 10.14.34.55 iiiii Phone Widget1 None left
Monday 10:05:06 10.14.34.55 jjjjj Phone Widget1 None left

Which of the following is the MOST likely type of activity occurring?

  • SQL Injection
  • XSS scanning
  • Fuzzing
  • Brute force
A
  • Brute force
85
Q

A Chief Information Security Officer (CISO) is reviewing technical documentation from various regional offices and notices some key differences between these groups. The CISO has not discovered any governance documentation. The CISO creates the following chart to visualize the differences among the networking equipment used.

Group    Switch Vendor   Trunking Protocol   Minimum Cabling Requirements   Active Support
-------  --------------  ------------------  -----------------------------  --------------
Group A  Vendor 1        802.1q              Cat 5E                         YES
Group B  Vendor 2        ISL                 Cat 5E                         YES
Group C  Vendor 3        802.1q              Cat 5                          NO
Group D  Vendor 4        802.1q              Cat 5                          YES

Which of the following would be the CISO’s MOST immediate concern?

  • There are open standards in use on the network
  • Network engineers have ignored defacto standards
  • Network engineers are not following SOPs
  • The network has competing standards in use
A
  • Network engineers have ignored defacto standards
86
Q

A Chief Security Officer (CSO) is reviewing the organization’s incident response report from a recent incident. The details of the event indicate:

  1. A user received a phishing email that appears to be a report from the organization’s CRM tool
  2. The user attempted to access the CRM tool via a fraudulent web page but was unable to access the tool.
  3. The user, unaware of the compromised account, did not report the incident and continued to use the CRM tool with the original credentials.
  4. Several weeks later, the user reported anomalous activity within the CRM tool.
  5. Following an investigation, it was determined the account was compromised and an attacker in another country gained access to the CRM tool.
  6. Following identification of the corrupted data and successful recovery from the incident, a lessons learned activity was to be led by the CSO.

Which of the following would MOST likely have allowed the user to more quickly identify the unauthorized use
of credentials by the attacker?

A. Security awareness training
B. Last logon verification
C. Log correlation
D. Time of check controls
E. Time-of-use controls
F. WAYF-based authentication
A
  • Last logon verification
87
Q

Company.com uses a trusted internal PKI to issue X.509 certificates for securing internal web application servers. After a security engineer issued a new certificate for Webserver17, employees begin receiving browser errors when connecting to the web server.

Webserver17 certificate properties:

Issuer                    internalpki.company.com
Signature algorithm       sha256 RSA
Subject                   Webserver17.company.com
Public key                RSA (2048 bits)
Enhanced key usage        Client authentication
Subject alternative name  Erpapp.company.com
Thumbprint algorithm      sha1

  • The enhanced key usage field is missing server authentication OID
  • The thumbprint algorithm does not match the signature algorithm
  • The thumbprint algorithm is being flagged by the browser as insecure
  • The issuer is not a trusted CA by the web browser.
  • The subject alternative name is incorrect
A
  • The enhanced key usage field is missing server authentication OID
88
Q

One of the objectives of a bank is to instill a security awareness culture. Which of the following are techniques that could help to achieve this? (Choose TWO.)

  • Blue teaming
  • Phishing simulations
  • Lunch-and-learn
  • Random audits
  • Continuous monitoring
  • Separation of duties
A
  • Phishing simulations
  • Lunch-and-learn

89
Q

An online bank has contracted with a consultant to perform a security assessment of the bank’s web portal. The consultant notices the login page is linked from the main page with HTTPS, but when the URL is changed to HTTP, the browser is automatically redirected back to the HTTPS site.

Which of the following is a concern for the consultant and how can it be mitigated?

  • XSS could be used to inject code into the login page during the redirect to the HTTPS site. The consultant should implement a WAF to prevent this.
  • The consultant is concerned the site is using an older version of the SSL 3.0 protocol that is vulnerable to a variety of attacks. Upgrading the site to TLS 1.0 would mitigate this issue.
  • The HTTP site is vulnerable to network sniffing, which could disclose usernames and passwords to an attacker. The consultant should recommend disabling HTTP on the web server.
  • A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.
A
  • A successful MITM attack could intercept the redirect and use sslstrip to decrypt further HTTPS traffic. Implementing HSTS on the web server would prevent this.
90
Q

A university’s help desk is receiving reports that Internet access on campus is not functioning. The network administrator looks at the management tools and sees the 1 Gbps Internet connection is completely saturated with ingress traffic. The administrator sees the following output on the Internet router:

13:45.12857 156.34.99.54.2343 > 192.168.3.78.443 s 37486928:37483928 (0) win 16384
13:45.12890 145.24.78.34.2343 > 192.168.3.78.443 s 58457854:58457854 (0) win 36638
13:45.12890 89.25.68.12.2343 > 192.168.3.78.443 s 3297488:32987488 (0) win 25411
13:45.12902 178.78.189.1.2343 > 192.168.3.78.443 s 36214896:36214869 (0) win 12225
13:45.12934 147.22.98.156.2343 > 192.168.3.78.443 s 21558745:21558745 (0) win 32633
13:45.12956 121.45.56.79.2343 > 192.168.3.78.443 s 86441289:86441289 (0) win 33225
13:45.12989 126.88.125.117.2343 > 192.168.3.78.443 s 47841688:48741688 (0) win 18412

The administrator calls the university’s ISP for assistance, but it takes more than four hours to speak to a network engineer who can resolve the problem. Based on the information above, which of the following should the ISP engineer do to resolve the issue?

  • The ISP engineer should null route traffic to the web server immediately to restore Internet connectivity. The university should implement a remotely triggered black hole with the ISP to restore this more quickly.
  • A university web server is under increased load during enrollment. The ISP engineer should immediately increase to 2 Gbps to restore Internet connectivity. In the future, the university should pay more for bandwidth to handle spikes in web server traffic.
  • The ISP engineer should immediately begin blocking IP addresses that are attacking the web server to restore Internet connectivity. In the future, the university should install a WAF to prevent this attack from happening again.
  • The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.
A
  • The ISP engineer should begin refusing network connections to the web server immediately to restore Internet connectivity on campus. The university should purchase an IPS device to stop DDoS attacks in the future.
91
Q

A recent overview of the network’s security and storage applications reveals a large amount of data that needs to be isolated for security reasons. Below are the critical applications and devices configured for the network.

  • Firewall
  • Core switches
  • RM server
  • Virtual environment
  • NAC solution

The security manager also wants data from all critical applications to be aggregated to correlate events from multiple sources. Which of the following must be configured in certain applications to help ensure data aggregation and data isolation are implemented on the critical applications and devices? (Select TWO)

  • Routing tables
  • Log forwarding
  • Data remnants
  • Port aggregation
  • NIC teaming
  • Zones
A
  • Log forwarding
  • Zones

92
Q

A security administrator is troubleshooting RADIUS authentication for a newly implemented controller-based wireless deployment. The RADIUS server contains the following information in its logs:

  • A RADIUS message was received from the invalid RADIUS client IP address 10.35.55.10

Based on this information, the administrator reconfigures the RADIUS server, which results in the following log data.

  • An Access-Request was received from RADIUS client 10.35.55.10 with a Message-Authenticator attribute that is not valid

To correct this error message, the administrator makes an additional change to the RADIUS server. Which of the following did the administrator reconfigure on the RADIUS server? (Select TWO)

  • Added the controller address as an authorized client
  • Registered the RADIUS server to the wireless controller
  • Corrected a mismatched shared secret
  • Renewed the expired client certificate
  • Reassigned the RADIUS policy to the controller
  • Modified the client authentication method
A
  • Added the controller address as an authorized client
  • Corrected a mismatched shared secret

93
Q

After investigating virus outbreaks that have cost the company $1,000 per incident, the company’s Chief Information Security Officer (CISO) has been researching new antivirus software solutions to use and be fully supported for the next two years. The CISO has narrowed down the potential solutions to four candidates that meet all the company’s performance and capability requirements:

— image —

Using the table above, which of the following would be the BEST business-driven choice among five possible solutions?

  • Product A
  • Product B
  • Product C
  • Product D
  • Product E
A
  • Product D
94
Q

A security analyst, who is working in a Windows environment, has noticed a significant amount of IPv6 traffic originating from a client, even though IPv6 is not currently in use. The client is a stand-alone device, not connected to the AD, that manages a series of SCADA devices used for manufacturing. Which of the following is the appropriate command to disable the client’s IPv6 stack?

  • c:\>netsh ipsec static set policy name=MyIPPolicy /v Disable TCPIP6
  • c:\>reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\IPV6" /v disallowRun /t REG_DWORD /d "0000001" /t
  • c:\>reg add "HKCU\system\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponets /t REG_DWORD /d 255 /t
  • c:\>reg add "HKLM\SYSTEM\CurrentControllSet\IPV6" /f /v fDenyIPV6Connections /t
A
  • c:\>reg add "HKCU\system\CurrentControlSet\services\TCPIP6\Parameters /v DisabledComponets /t REG_DWORD /d 255 /t
95
Q

An internal staff member logs into an ERP platform and clicks on a record. The browser URL changes to

  • http://192.168.0.11/ERP/accountID=5&action=SELECT

Which of the following is the MOST likely vulnerability in this ERP platform?

  • Brute forcing of the account credentials
  • Plain-text credentials transmitted over the Internet
  • Insecure direct object reference
  • SQL injection of ERP back end
A
  • Plain-text credentials transmitted over the Internet
96
Q

A security analyst has been asked to create a list of external IT security concerns, which are applicable to the organization. The intent is to show the different types of external actors, their attack vectors, and the types of vulnerabilities that would cause business impact. The Chief Information Security Officer (CISO) will then present this list to the board to request funding for controls in areas that have insufficient coverage.

Which of the following exercise types should the analyst perform?

  • Summarize the most recently disclosed vulnerabilities
  • Research industry best practices and the latest RFCs
  • Undertake an external vulnerability scan and penetration test
  • Conduct a threat modeling exercise
A
  • Conduct a threat modeling exercise
97
Q

An organization is currently working with a client to migrate data between a legacy ERP system and a cloud-based ERP tool using a global PaaS provider. As part of the engagement, the organization is performing data deduplication and sanitization of client data to ensure compliance with regulatory requirements.

Which of the following is the MOST likely reason for the need to sanitize the client data? (Select TWO)

  • Data aggregation
  • Data volume
  • Data isolation
  • Data sovereignty
  • Data analytics
  • Data precision
A
  • Data aggregation
  • Data sovereignty

98
Q

A medical device company is implementing a new COTS antivirus solution in its manufacturing plant. All validated machines and instruments must be retested for interoperability with the new software.

Which of the following would BEST ensure the software and instruments are working as designed?

  • System design documentation
  • User acceptance testing
  • Peer Review
  • Static code analysis testing
  • Change control documentation
A
  • Change control documentation
99
Q

A security administrator wants to implement controls to harden company-owned mobile devices. Company policy specifies the following requirements:

  • Mandatory access control must be enforced by the OS
  • Devices must use the mobile carrier data transport

Which of the following controls should the security administrator implement? (Select THREE)

A. Enable DLP
B. Enable SEAndroid
C. Enable EDR
D. Enable secure boot
E. Enable secure wipe
F. Disable Bluetooth
G. Disable 802.11
H. Disable geotagging
A
  • Enable SEAndroid
  • Disable Bluetooth
  • Disable 802.11
100
Q

Several recent ransomware outbreaks at a company have cost a significant amount of lost revenue. The security team needs to find a technical control mechanism that will meet the following requirements and aid in preventing these outbreaks.

  • Stop malicious software that does not match a signature
  • Report on instances of suspicious behavior
  • Protect from previously unknown threats
  • Augment existing security capabilities

Which of the following tools would BEST meet these requirements?

  • Host-based firewall
  • EDR
  • HIPS
  • Patch management
A
  • HIPS
101
Q

A penetration tester is trying to gain access to a remote system. The tester is able to see the secure login page and knows one user account and email address, but has not yet discovered a password. Which of the following would be the EASIEST method of obtaining a password for the known account?

  • Man In The Middle
  • Reverse engineering
  • Social engineering
  • Hash cracking
A
  • Social engineering
102
Q

A security engineer successfully exploits an application during a penetration test. As proof of the exploit, the security engineer takes screenshots of how the data was compromised in the application. Given the information below from the screenshot

2019-11-21 13:11:45 POST http://company.com/store

A
  • The engineer queried the server and edited the data using an HTTP proxy interceptor
103
Q

Click on the exhibit buttons to view the four messages.

— images and stuff —

A security architect is working with a project team to deliver an important service that stores and processes customer banking details. The project, internally known as ProjectX, is due to launch its first set of features publicly within a week, but the team has not been able to implement encryption-at-rest of the customer records. The security architect is drafting an escalation email to senior leadership.

Which of the following BEST conveys the business impact for senior leadership?

  • Message 1
  • Message 2
  • Message 3
  • Message 4
A
  • Message 4
104
Q

The director of sales asked the development team for some small changes to increase the usability of an application used by the sales team. Prior security reviews of the code showed no significant vulnerabilities, and since the changes were small, they were given a peer review and then pushed to the live environment. Subsequent vulnerability scans now show numerous flaws that were not present in the previous versions of the code.

Which of the following is an SDLC best practice that should have been followed?

  • Versioning
  • Regression testing
  • Continuous integration
  • Integration testing
A
  • Regression testing
105
Q

ODBC access to a database on a network-connected host is required. The host does not have a security mechanism to authenticate the incoming ODBC connection, and the application requires that the connection have read/write permissions. In order to further secure the data, a nonstandard configuration would need to be implemented. The information in the database is not sensitive, but was not readily accessible prior to the implementation of the ODBC connection.

Which of the following actions should be taken by the security analyst?

  • Accept the risk in order to keep the system within the company’s standard security configuration.
  • Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution.
  • Secure the data despite the need to use a security control or solution that is not within company standards.
  • Do not allow the connection to be made to avoid unnecessary risk and avoid deviating from the standard security configuration.
A
  • Explain the risks to the data owner and aid in the decision to accept the risk versus choosing a nonstandard solution.
106
Q

The government is concerned with remote military missions being negatively impacted by the use of technology that may fail to protect operational security. To remediate this concern, a number of solutions have been implemented, including the following:

  • End-to-end encryption of all inbound and outbound communication, including personal email and chat sessions that allow soldiers to securely communicate with families.
  • Layer 7 inspection and TCP/UDP port restriction, including firewall rules to only allow TCP port 80 and 443 and approved applications
  • A host-based whitelist of approved websites and applications that only allow mission-related tools and sites
  • The use of satellite communication to include multiple proxy servers to scramble the source IP address

Which of the following is of MOST concern in this scenario?

  • Malicious actors intercepting inbound and outbound communication to determine the scope of the mission
  • Family members posting geotagged images on social media that were received via email from soldiers
  • The effect of communication latency that may negatively impact real-time communication with mission control
  • The use of centrally managed military network and computers by soldiers when communicating with external parties
A
  • Malicious actors intercepting inbound and outbound communication to determine the scope of the mission
107
Q

Following a complete outage of the electronic medical record system for more than 18 hours, the hospital’s CEO has requested that the CISO perform an investigation into the possibility of a disgruntled employee causing the outage maliciously. To begin the investigation, the CISO pulls all event logs and device configurations from the time of the outage. The CISO immediately notices the configuration of a top-of-rack switch from one day prior to the outage does not match the configuration that was in place at the time of the outage. However, none of the event logs show who changed the switch configuration, and seven people have the ability to change it. Because of this, the investigation is inconclusive.

Which of the following processes should be implemented to ensure this information is available for future investigations?

  • Asset inventory management
  • Incident response plan
  • Test and evaluation
  • Configuration and change management
A
  • Configuration and change management
108
Q

A laptop is recovered a few days after it was stolen. Which of the following should be verified during incident response activities to determine the possible impact of the incident?

  • Full disk encryption status
  • TPM PCR values
  • File system integrity
  • Presence of UEFI vulnerabilities
A
  • Full disk encryption status
109
Q

An incident responder wants to capture volatile memory comprehensively from a running machine for forensic purposes. The machine is running a very recent release of the Linux OS. Which of the following technical approaches would be the MOST feasible way to accomplish this capture?

  • Run the memdump utility with the -k flag
  • Use a loadable kernel module capture utility, such as LiME
  • Run dd on /dev/mem
  • Employ a stand-alone utility, such as FTK Imager
A
  • Use a loadable kernel module capture utility, such as LiME
110
Q

Given the following:

// TODO - should this be odbc or jdbc?
var odbcString = getParameterByName("queryString", "dbConnector");
doc.innerHTML = "DB connector: <b>" + odbcString + "</b>";
document.body.appendChild(doc);

Which of the following vulnerabilities is present in the above code snippet?

  • Disclosure of database credential
  • SQL-based string concatenation
  • DOM-based injection
  • Information disclosure in comments
A
  • Disclosure of database credential
111
Q

A financial institution’s information security officer is working with the risk management officer to determine what to do with the institution’s residual risk after all security controls have been implemented. Considering the institution’s very low risk tolerance, which of the following strategies would be best?

  • Transfer the risk
  • Avoid the risk
  • Mitigate the risk
  • Accept the risk
A
  • Transfer the risk
112
Q

First responders, who are part of a core incident response team, have been working to contain an outbreak of ransomware that also led to data loss. In the rush to isolate the three hosts that were calling out to the NAS to encrypt whole directories, the hosts were shut down immediately and then isolated. Which of the following were missed? (Select TWO)

  • CPU, process state tables, and main memory dumps
  • Essential information needed to perform data restoration to a known clean state
  • Temporary file system and swap space
  • Indicators of compromise to determine ransomware encryption
  • Chain of custody information needed for investigation
A
  • CPU, process state tables, and main memory dumps
  • Temporary file system and swap space

113
Q

A software company is releasing a new mobile application to a broad set of external customers. Because the software company is rapidly releasing new features, it has built in an over-the-air software update process that can automatically update the application at launch time. Which of the following security controls should be recommended by the company’s security architect to protect the integrity of the update process? (Select TWO)

  • Validate cryptographic signatures applied to software updates
  • Perform certificate pinning of the associated code signing key
  • Require HTTPS connections for downloads of software updates
  • Ensure there are multiple download mirrors for availability
  • Enforce a click-through process with user opt-in for new features
A
  • Validate cryptographic signatures applied to software updates
  • Require HTTPS connections for downloads of software updates
114
Q

A company that has been breached multiple times is looking to protect cardholder data. The previous undetected attacks all mirrored normal administrator behavior. The company must deploy a host solution to meet the following requirements:

  1. Detect administrative actions
  2. Block unwanted MD5 hashes
  3. Provide alerts
  4. Stop exfiltration of cardholder data

Which of the following solutions would BEST meet these requirements? (Select TWO)

  • AV
  • EDR
  • HIDS
  • DLP
  • HIPS
  • EFS
A
  • EDR
  • HIPS

115
Q

An organization wants to arm its cybersecurity defense suite automatically with intelligence on zero-day threats shortly after they emerge. Acquiring tools and services that support which of the following data standards would BEST enable the organization to meet this objective?

  • XCCDF
  • OVAL
  • STIX
  • CWE
  • CVE
A
  • STIX
116
Q

A technician is validating compliance with organizational policies. The user and machine accounts in the AD are not set to expire, which is non-compliant. Which of the following network tools would provide this type of information?

  • SIEM server
  • IDS appliance
  • SCAP scanner
  • HTTP interceptor
A
  • SCAP scanner
117
Q

During a criminal investigation, the prosecutor submitted the original hard drive from the suspect’s computer as evidence. The defense objected during the trial proceedings, and the evidence was rejected. Which of the following practices should the prosecutor’s forensics team have used to ensure the subject’s data would be admissible as evidence? (Select TWO)

  • Follow chain of custody best practices
  • Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive
  • Use forensics software on the original hard drive and present generated reports as evidence
  • Create a tape backup of the original hard drive and present the backup as evidence
  • Create an exact image of the original hard drive for forensics purposes, and then place the original back in service.
A
  • Follow chain of custody best practices
  • Create an identical image of the original hard drive, store the original securely, and then perform forensics only on the imaged drive
118
Q

Within the past six months, a company has experienced a series of attacks directed at various collaboration tools. Additionally, sensitive information was compromised during a recent security breach of a remote access session from an unsecured site. As a result, the company is requiring all collaboration tools to comply with the following:

  • Secure messaging between internal users using digital signatures
  • Secure sites for video conferencing sessions
  • Presence information for all office employees
  • Restriction of certain types of messages to be allowed into the network

Which of the following applications must be configured to meet the requirements? (Select TWO)

  • Remote desktop
  • VoIP
  • Remote assistance
  • Email
  • Instant messaging
  • Social media websites
A
  • Email
  • Instant messaging
119
Q

A security analyst is reviewing the following packet capture of communication between a host and company’s router:

1 192.168.1.10 -> 10.5.10.1 icmp echo request 33 bytes sent ABCDEFGHIJKLMNOPQRSTUVWXYZ
2 10.5.10.1 -> 192.168.1.10 icmp echo reply 34 bytes sent ABCDEFGHIJKLMNOPQRSTUVWXYZ%MDKF8

Which of the following actions should the security analyst take to remove this vulnerability?

  • Update the router code
  • Implement a router ACL
  • Disconnect the host from the network
  • Install the latest antivirus definitions
  • Deploy a network-based IPS
A
  • Implement a router ACL
120
Q

A security analyst is reviewing the following pseudo-output snippet after running the command less /temp/file.tmp.

JFIF
40 42.8562N
74 0.3582W
DLLA;SSKFAKFSFAJFSUTHWNVUNVNUVNUVWVN
RWEIMVMIOWEMVWVMMVVMVMOWMVOMMIOMVMMM
ELRWIOURITU8U4DFVUR9W8UVOFW9JVKVWOVN

The information above was obtained from a public-facing website and used to identify military assets. Which of the following would reduce the risk of a similar compromise?

  • Deploy a solution to sanitize geotagging information
  • Install software to wipe data remnants on servers
  • Enforce proper input validation on mission-critical software
  • Implement a digital watermarking solution
A
  • Deploy a solution to sanitize geotagging information
121
Q

A security engineer is managing operational, excess, and available equipment for a customer. Three pieces of expensive leased equipment, which are supporting a highly confidential portion of the customer network, have recently been taken out of operation. The engineer determines the equipment lease runs for another 18 months. Which of the following is the BEST course of action for the engineer to take to decommission the equipment properly?

  • Remove any labeling indicating the equipment was used to process confidential data and mark it as available for reuse
  • Return the equipment to the leasing company and seek a refund for the unused time
  • Redeploy the equipment to a less sensitive part of the network until the lease expires
  • Securely wipe all device memory and store the equipment in a secure location until the end of the lease
A
  • Securely wipe all device memory and store the equipment in a secure location until the end of the lease
122
Q

A company has created a policy to allow employees to use their personally owned devices. The CISO is getting reports of company data appearing on unapproved forums and an increase in theft of personal electronic devices. Which of the following security controls would BEST reduce the risk of exposure?

  • Disk encryption on the local drive
  • Group policy to enforce failed login lockout
  • Multifactor authentication
  • Implementation of email digital signatures
A
  • Multifactor authentication
123
Q

Staff members are reporting an unusual number of device thefts associated with time out of the office. Thefts increased soon after the company deployed a new social networking app. Which of the following should the CISO recommend implementing?

  • Automatic location check-ins
  • Geolocated presence privacy
  • Integrity controls
  • NAC checks to quarantine devices
A
  • Automatic location check-ins
124
Q

A project manager is working with system owners to develop maintenance windows for system patching and upgrades in a cloud-based PaaS environment. Management has indicated one maintenance window will be authorized per month, but clients have stated they require quarterly maintenance windows to meet their obligations. Which of the following documents should the project manager review?

  • MOU
  • SOW
  • SRTM
  • SLA
A
  • SLA
125
Q

A newly hired CISO wants to understand how the organization’s CIRT handles issues brought to their attention, but needs to be very cautious about impacting any systems. The MOST appropriate method to use would be:

  • an internal vulnerability assessment
  • a red team threat hunt exercise
  • a white-box penetration test
  • a guided tabletop exercise
A
  • a guided tabletop exercise
126
Q

A CISO is developing a new BIA for the organization. The CISO wants to gather requirements to determine the appropriate RTO and RPO for the organization’s ERP. Which of the following should the CISO interview as MOST qualified to provide RTO/RPO metrics?

  • Data custodian
  • Data owner
  • Security analyst
  • Business unit director
  • Chief Executive Officer
A
  • Business unit director
127
Q

An external red team member conducts a penetration test, attempting to gain physical access to a large organization’s server room in a branch office. During reconnaissance, the red team member sees a clearly marked door to the server room, located next to the lobby, with a tumbler lock. Which of the following is BEST for the red team member to bring on site to open the locked door as quickly as possible without causing significant damage?

  • Screwdriver set
  • Bump key
  • RFID duplicator
  • Rake picking
A
  • Bump key
128
Q

A company relies on the ICS to perform equipment monitoring functions that are federally mandated for operation of the facility. Fines for non-compliance could be costly. The ICS has known vulnerabilities and can no longer be patched or updated. Cyber-liability insurance cannot be obtained because insurance companies will not insure this equipment. Which of the following would be the BEST option to manage this risk to the company’s production environment?

  • Avoid the risk by removing the ICS from production
  • Transfer the risk associated with the ICS vulnerabilities
  • Mitigate the risk by restricting access to the ICS
  • Accept the risk and upgrade the ICS when possible.
A
  • Mitigate the risk by restricting access to the ICS
129
Q

A medical facility wants to purchase mobile devices for doctors and nurses. To ensure accountability, each individual will be assigned a separate mobile device. Additionally, to protect patient health information, management has identified the following requirements:

  • Data must be encrypted at rest
  • The device must be disabled if it leaves the facility
  • The device must be disabled when tampered with

Which of the following technologies would BEST support these requirements? (Select TWO)

  • eFuse
  • NFC
  • GPS
  • Biometric
  • USB 4.1
  • MicroSD
A
  • eFuse
  • GPS
130
Q

An organization is improving its web services to enable better customer engagement and self-service. The organization has a mobile application and a rewards portal provided by a third party. The business wants to provide customers with the ability to log in once and have SSO between each of the applications. The integrity of the identity is important so it can be propagated through to back-end systems to maintain a consistent audit trail. Which of the following authentication and authorization types BEST meet the requirements? (Select TWO)

  • SAML
  • Social login
  • OpenID connect
  • XACML
  • SPML
  • OAuth
A
  • Social login
  • OpenID connect
131
Q

A security administrator is concerned with the security of data processed and stored by a secure Linux system. The administrator executes the bash script shown below:

while true; do echo $((RANDOM % 10)); done;

The administrator then reviews the following output generated by the bash script.

3 9 2 7 3 9 2 3 8 4 7 5 7 4 6 4 5

Additionally, the administrator needs to consider the classification of the data stored. Which of the following actions is MOST appropriate?

  • Use an external source of entropy
  • Implement perfect forward secrecy
  • Use a cryptographic service provider
  • Implement a key stretching algorithm
A
  • Use a cryptographic service provider
132
Q

A penetration testing manager is contributing to an RFP for the purchase of a new testing platform. The manager has provided the following requirements:

  • Must be able to MITM web-based protocols
  • MUST be able to find common misconfigurations and security holes

Which of the following types of testing tools should be included in the testing platform? (Select TWO)

  • Reverse engineering tool
  • HTTP intercepting proxy
  • Vulnerability scanner
  • File integrity monitor
  • Password cracker
  • Fuzzer
A
  • HTTP intercepting proxy
  • Vulnerability scanner
133
Q

A recent security assessment revealed a web application may be vulnerable to clickjacking. According to the application developers, a fix may be months away. Which of the following should a security engineer configure on the web server to help mitigate the issue?

  • File upload size limits
  • HttpOnly cookie field
  • X-Frame-Options header
  • Input validation
A
  • X-Frame-Options header
134
Q

A security engineer is designing a system in which offshore, outsourced staff can push code from the development environment to the production environment securely. The security engineer is concerned with data loss, while the business does not want to slow down its development process. Which of the following solutions BEST balances security requirements with business need?

  • Set up a VDI environment that prevents copying and pasting to the local workstations of the outsourced staff members
  • Install a client-side VPN on the staff laptops and limit access to the developments
  • Create an IPSec VPN tunnel from the development network to the office of the outsourced staff
  • Use online collaboration tool to initiate workstation-sharing sessions with local staff who have access to the development network.
A
  • Set up a VDI environment that prevents copying and pasting to the local workstations of the outsourced staff members
135
Q

A security architect is reviewing the code for a company’s finance HTML element, along with a server-side function, to generate a random number on the page used to initiate a funds transfer:

<input type="hidden" name="token" value=generateRandomNumber()>

Which of the following attacks is the security architect attempting to prevent?

  • SQL Injection
  • XSRF
  • XSS
  • Clickjacking
A
  • XSRF
136
Q

Following a security assessment, the CISO is reviewing the results of the assessment and evaluating potential risk treatment strategies. As part of the CISO’s evaluation, a judgment of potential impact based on the identified risk is performed. To prioritize response actions, the CISO uses past experience to take into account the exposure factor as well as the external accessibility of the weakness identified. Which of the following is the CISO performing?

  • Documentation of lessons learned
  • Quantitative risk assessment
  • Qualitative assessment of risk
  • Business impact scoring
  • Threat modeling
A
  • Qualitative assessment of risk
137
Q

The marketing department is developing a new marketing campaign involving significant social media outreach. The campaign includes allowing employees and customers to submit blog posts and pictures of their day-to-day experiences at the company. The information security manager has been asked to provide an informative letter to all participants regarding the security risks and how to avoid privacy and operational security issues. Which of the following is the MOST important information to reference in the letter?

  • After-action reports from prior incidents
  • Social engineering techniques
  • Company policies and employee NDAs
  • Data Classification processes
A
  • Company policies and employee NDAs
138
Q

A security administrator is reviewing the following output from an offline password audit:

Username   Password          Crack Time
User1      Teleportation1    4s
User2      Amphitheater1     2s
User3      Undetermined4u.   10s

Which of the following should the systems administrator implement to BEST address this audit finding? (Select TWO)

  • Cryptoprocessor
  • Bcrypt
  • SHA-256
  • PBKDF2
  • Message authentication
A
  • Bcrypt
  • PBKDF2
139
Q

A security architect has been assigned to a new digital transformation program. The objectives are to provide better capabilities to customers and reduce costs. The program has highlighted the following requirements:

  1. Long-lived sessions are required, as users do not log in very often
  2. The solution has multiple SPs, which include mobile and web applications
  3. A centralized IdP is utilized for all customer digital channels
  4. The applications provide different functionality types such as forums and customer portals
  5. The user experience needs to be the same across both mobile and web-based applications

  • Social login to IdP, securely store session cookies, and implement one-time passwords sent to the mobile device
  • Certificate-based authentication to IdP, securely store access tokens, and implement secure push notifications
  • Username and password authentication to IdP, securely store refresh tokens, and implement context-aware authentication
  • Username and password authentication to SP, securely store Java web tokens, and implement SMS OTPs
A
  • Username and password authentication to SP, securely store Java web tokens, and implement SMS OTPs
140
Q

During a security assessment, activities were divided into two phases: internal and external exploitation. The security assessment team set a hard time limit on external activities before moving to a compromised box within the enterprise perimeter. Which of the following methods is the assessment team most likely to employ NEXT?

  • Pivoting from the compromised, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices
  • Conducting a social engineering attack attempt with the goal of accessing the compromised box physically
  • Exfiltrating network scans from the compromised box as a precursor to social media reconnaissance
  • Open-source intelligence gathering to identify the network perimeter and scope to enable further system compromise
A
  • Pivoting from the compromised, moving laterally through the enterprise, and trying to exfiltrate data and compromise devices
141
Q

Ann, a member of the finance department at a large corporation, has submitted a suspicious email she received to the information security team. The team was not expecting an email from Ann, and it contains a PDF file inside a ZIP compressed archive. The information security team is not sure which files were opened. A security team member uses an air-gapped PC to open the ZIP and PDF, and it appears to be a social engineering attempt to deliver an exploit. Which of the following would provide greater insight on the potential impact of the attempted attack?

  • Run an antivirus scan on the finance PC
  • Use a protocol analyzer on the air-gapped PC
  • Perform reverse engineering on the document
  • Analyze network logs for unusual traffic
  • Run a baseline analyzer against the user’s computer
A
  • Use a protocol analyzer on the air-gapped PC
142
Q

An organization has recently deployed an EDR solution across its laptops, desktops, and server infrastructure. The organization’s server infrastructure is deployed in an IaaS environment. A database within the nonproduction environment has been misconfigured with a routable IP and is communicating with a command and control server. Which of the following procedures should the security responder apply to the situation? (Select TWO)

  • Contain the server
  • Initiate a legal hold
  • Perform a risk assessment
  • Determine the data handling standard
  • Disclose the breach to customers
  • Perform an IOC sweep to determine the impact
A
  • Initiate a legal hold
  • Perform an IOC sweep to determine the impact
143
Q

A managed service provider is designing a log aggregation service for customers who no longer want to manage an internal SIEM infrastructure. The provider expects that customers will send all types of logs to them, and that log files could contain very sensitive entries. Customers have indicated that they want on-premises and cloud-based infrastructure logs to be stored in this new service. An engineer who is designing the new service is deciding how to segment customers. Which of the following is the BEST statement for the engineer to take into consideration?

  • Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.
  • The managed service provider should outsource security of the platform to an existing cloud company. This will allow the new log service to be launched faster and with well-tested security controls.
  • Due to the likelihood of large log volumes, the service provider should use a multi-tenancy model for the data storage tier, enable data deduplication for storage cost efficiency, and encrypt data at rest.
  • The most secure design approach would be to give customers on-premises appliances, install agents on endpoints, and then remotely manage the service via a VPN.
A
  • Single-tenancy is often more expensive and has less efficient resource utilization. Multi-tenancy may increase the risk of cross-customer exposure in the event of service vulnerabilities.
144
Q

An administrator is working with management to develop policies related to the use of cloud-based resources that contain corporate data. Management plans to require some control over organizational data stored on personal devices, such as tablets. Which of the following controls would BEST support management’s policy?

  • MDM
  • Sandboxing
  • Mobile tokenization
  • FDE
  • MFA
A
  • MDM
145
Q

An infrastructure team is at the end of a procurement process and has selected a vendor. As part of the final negotiations, there are a number of outstanding issues, including:

  1. Indemnity clauses have identified the maximum liability
  2. The data will be hosted and managed outside of the company’s geographical location.

The number of users accessing the system will be small, and no sensitive data will be hosted in the solution. Which of the following should the project’s security consultant recommend as the NEXT step?

  • Develop a security exemption, as it does not meet the security
  • Mitigate the risk by asking the vendor to accept the in-country privacy principles
  • Require the solution owner to accept the identified risks and consequences
  • Review the entire procurement process to determine the lessons learned.
A
  • Require the solution owner to accept the identified risks and consequences
146
Q

A security engineer is working with a software development team. The engineer is tasked with ensuring all security requirements are adhered to by the developers. Which of the following BEST describes the contents of the supporting document the engineer is creating?

  • A series of ad-hoc tests that each verify security control functionality of the entire system at once.
  • A series of discrete tasks that, when viewed in total, can be used to verify and document each individual constraint from the SRTM
  • A set of formal methods that apply to one or more of the programming languages used on the development project
  • A methodology to verify each security control in each unit of developed code prior to committing the code.
A
  • A methodology to verify each security control in each unit of developed code prior to committing the code.
147
Q

A system owner has requested support from data owners to evaluate options for the disposal of equipment containing sensitive data. Regulatory requirements state the data must be rendered unrecoverable via logical means or physically destroyed. Which of the following facts is the regulation intended to address?

  • Sovereignty
  • E-waste
  • Remanence
  • Deduplication
A
  • E-waste
148
Q

Following a recent data breach, a company has hired a new CISO. The CISO is very concerned with the response time to the previous breach and wishes to know how the security team expects to react to future attacks. Which of the following is the BEST method to achieve this goal while minimizing disruption?

  • Perform a black box assessment
  • Hire an external red team audit
  • Conduct a tabletop exercise
  • Recreate the previous breach
  • Conduct an external vulnerability assessment
A
  • Conduct a tabletop exercise
149
Q

An administrator has noticed mobile devices from an adjacent company on the corporate wireless network. Malicious activity is being reported from those devices. To add another layer of security in an enterprise environment, an administrator wants to add contextual authentication to allow users to access enterprise resources only while present in corporate buildings. Which of the following technologies would accomplish this?

  • Port security
  • Rogue device detection
  • Bluetooth
  • GPS
A
  • Rogue device detection
150
Q

After several industry competitors suffered data loss as a result of cyberattacks, the COO of a company reaches out to the information security manager to review the organization’s security stance. As a result of the discussion, the COO wants the organization to meet the following criteria:

  • Blocking of suspicious websites
  • Prevention of attacks based on threat intelligence
  • Reduction in spam
  • Identity-based reporting to meet regulatory compliance
  • Prevention of viruses based on signature
  • Protect applications from web-based threats

Which of the following would be the BEST recommendation the information security manager can make?

  • Reconfigure existing IPS resources
  • Implement a WAF
  • Deploy a SIEM solution
  • Deploy a UTM solution
  • Implement a EDR platform
A
  • Deploy a UTM solution
151
Q

A security administrator is concerned about the increasing number of users who click on malicious links contained within phishing emails. Although the company has implemented a process to block these links at the network perimeter, many accounts become compromised. Which of the following should be implemented to further reduce the account compromises caused by remote users who click these links?

  • Anti-spam gateways
  • Security awareness training
  • URL rewriting
  • Internal phishing campaign
A
  • Internal phishing campaign
152
Q

After a large organization has completed the acquisition of a smaller company, the smaller company must implement new host-based security controls to connect its employees’ devices to the network. Given that the network requires 802.1X EAP-PEAP to identify and authenticate devices, which of the following should the security administrator do to integrate the new employees’ devices to the network securely?

  • Distribute a NAC client and use the client to push the company’s private key to the new device
  • Distribute the device connection policy and use a unique public/private key pair to each new employee’s device
  • Install a self-signed SSL certificate on the company’s RADIUS server and distribute the certificate’s public key to all new client devices
  • Install an 802.1X supplicant on all new devices and let each device generate a self-signed certificate to use for network access
A
  • Distribute the device connection policy and use a unique public/private key pair to each new employee’s device
153
Q

A request has been approved for a vendor to access a new internal server using HTTPS and SSH to manage the backend system for the portal. Internal users just need HTTP and HTTPS access to all the internal webservers. All other external access to the new server and its subnet is not allowed. The security manager must ensure proper access is configured:

New internal server IP: 10.1.50.150
Vendor IP: 208.206.109.249
External development subnet: 108.109.110.0/28
Internal subnet: 10.1.10.0/24
Web team subnet: 10.1.40.0/24
Web server subnet: 10.1.50.0/24

Below is a snippet from the firewall related to that server (access is provided in a top-down model):

Line #   Source address     Destination address   Port       Access type
1        10.1.40.0/24       10.1.50.0/24          Any        Permit
2        10.1.10.0/24       10.1.50.0/24          80         Permit
3        Any                10.1.50.0/24          Any        Deny
4        208.206.109.249    10.1.50.150           80, 22     Permit
5        10.1.40.0/24       108.109.110.0/28      80, 8080   Permit

Which of the following lines should be configured to allow proper access? (Select TWO).

  • Move line 3 below line 4 and change port 80 to 443 on line 4
  • Move line 3 below line 4 and add port 443 to line
  • Move line 4 below line 5 and change port 80 to 8080 on line 2
  • Add port 22 to line 2
  • Add port 22 to line 5
  • Add port 443 to line 2
  • Add port 443 to line 5
A
  • Move line 3 below line 4 and change port 80 to 443 on line 4
  • Add port 443 to line 2
154
Q

Following a merger, the number of remote sites for a company has doubled to 52. The company has decided to secure each remote site with an NGFW to provide web filtering, NIDS/NIPS and network antivirus. The CIO has requested that the security engineer provide recommendations on sizing for the firewall with the requirements that it be easy to manage and provide capacity for growth. The tables below provide information on a subset of remote sites and the firewall options:

Location       # of Users   Connectivity   Bandwidth Utilization
St. Louis      18           50Mbps         20Mbps
Des Moines     12           25Mbps         19Mbps
Chicago        27           100Mbps        41Mbps
Rapid City     6            10Mbps         8Mbps
Indianapolis   7            12Mbps         8Mbps

Vendor   Maximum Devices   Recommended Throughput   Firewall Full UTM?   Centralized Management Available?
A        40                150Mbps                  Y                    Y
B        60                400Mbps                  N                    Y
C        25                200Mbps                  N                    N
D        25                100Mbps                  Y                    Y

Which of the following would be the BEST option to recommend to the CIO?

  • Vendor A for all remote sites
  • Vendor B for all remote sites
  • Vendor C for small remote sites, and Vendor B for larger sites
  • Vendor C for all remote sites
  • Vendor D for all remote sites
A
  • Vendor A for all remote sites
155
Q

A new database application was added to a company’s hosted VM environment. Firewall ACLs were modified to allow database users to access the server remotely. The company’s IdTrust security broker then identified abnormal behavior from a database user on-site. Upon further investigation, the security team noticed a user ran code on the VM that provided access to the hypervisor directly and access to other sensitive data. Which of the following should the security team do to help mitigate future attacks within the VM environment? (Select TWO)

  • Install the appropriate patches
  • Install perimeter NGFW
  • Configure VM isolation
  • Deprovision database VM
  • Change the user’s access privileges
  • Update virus definitions on all endpoints
A
  • Configure VM isolation
  • Change the user’s access privileges
156
Q

A newly hired CISO is reviewing the organization’s security budget from the previous year. The CISO notices $120,000 worth of fines were paid for not properly encrypting outbound email messages. The CISO expects next year’s cost associated with the fines to be double and the volume of messages to increase by 100%. The organization sent out approximately 25,000 messages per year over the last three years. Given the table below:

Security product   Hardware price   Installation fee   Cost per message   Throughput   MTBF
DLP Vendor A       $50,000          $25,000            $1                 100Mbps      10000 hours
DLP Vendor B       $38,000          $10,000            $2                 50Mbps       8000 hours
DLP Vendor C       $45,000          $30,000            $1                 70Mbps       7000 hours
DLP Vendor D       $40,000          $60,000            $0.50              100Mbps      7000 hours

Which of the following would be the BEST for the CISO to include in this year’s budget?

  • A budget for DLP Vendor A
  • A budget for DLP Vendor B
  • A budget for DLP Vendor C
  • A budget for DLP Vendor D
  • A budget line for paying future fines
A
  • A budget for DLP Vendor A
157
Q

An organization just merged with an organization in another legal jurisdiction and must improve its security posture in ways that do not require additional resources to implement data isolation. One recommendation is to block communication between endpoint PCs. Which of the following would be the BEST solution?

  • Installing HIDS
  • Configuring a host-based firewall
  • Configuring EDR
  • Implementing network segmentation
A
  • Configuring a host-based firewall
158
Q

An organization is currently performing a market scan for managed security services and EDR capability. Which of the following business documents should be released to the prospective vendors in the first step of the process? (Select TWO)

  • MSA
  • RFP
  • NDA
  • RFI
  • MOU
  • RFQ
A
  • RFP
  • RFI
159
Q

A penetration tester has been contracted to conduct a physical assessment of a site. Which of the following is the MOST plausible method of social engineering to be conducted during this engagement?

  • Randomly calling customer employees and posing as a help desk technician requesting user passwords to resolve issues
  • Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call
  • Simulating an illness while at a client location for a sales call and then recovering once listening devices are installed
  • Obtaining fake government credentials and impersonating law enforcement to gain access to a company facility
A
  • Posing as a copier service technician and indicating the equipment had “phoned home” to alert the technician for a service call
160
Q

Developers are working on a new feature to add to a social media platform. The new feature involves users uploading pictures of what they are currently doing. The data privacy officer (DPO) is concerned about various types of abuse that might occur due to this new feature. The DPO states the new feature cannot be released without addressing the physical safety concerns of the platform’s users. Which of the following controls would BEST address the DPO’s concerns?

  • Increasing blocking options available to the uploader
  • Adding a one-hour delay of all uploaded photos
  • Removing all metadata in the uploaded photo file
  • Not displaying to the public who uploaded the photo
  • Forcing TLS for all connections on the platform
A
  • Removing all metadata in the uploaded photo file
161
Q

A security administrator is updating corporate policies to respond to an incident involving collusion between two system administrators that went undetected for more than six months. Which of the following policies would have MOST likely uncovered the collusion sooner? (Select TWO)

  • Mandatory vacation
  • Separation of duties
  • Continuous monitoring
  • Incident response
  • Time-of-day restrictions
  • Job rotation
A
  • Mandatory vacation
  • Job rotation
162
Q

A consultant is hired to perform a passive vulnerability assessment of a company to determine what information might be collected about the company and its employees. The assessment will be considered successful if the consultant can discover the name of one of the IT administrators. Which of the following is MOST likely to produce the needed information?

  • Whois
  • DNS enumeration
  • Vulnerability scanner
  • Fingerprinting
A
  • Whois
163
Q

Following a recent audit, an in-house software solution is found to have multiple security holes and vulnerabilities. The application is hosted on a public-facing legacy server that has access to an internal database containing sensitive information. The security manager must find a secure solution to protect the data without outsourcing the application. External access is still required for this application. The following was fully implemented recently within the enterprise network.

  • NGFW on the perimeter network
  • Internal VM environment within the datacenter
  • New storage solution
  • SSO integration for all new applications

Which of the following would BEST protect the data?

  • Virtualize the server, patch the host infrastructure, and disable unnecessary services
  • Use secure commercial software to process the data and integrate SSO
  • Place the server in a DMZ and configure appropriate NAT and security rules
  • Harden the server, configure SSO, and disable the inbound connection on the NGFW to the database
  • Connect the server to the new storage solution and secure external access to the database
A
  • Place the server in a DMZ and configure appropriate NAT and security rules
164
Q

Due to a recent acquisition, the security team must find a way to secure several legacy applications. During the review of the applications, the following issues are documented:

  • The applications are considered mission-critical
  • The applications are written in code languages not currently supported by the development staff
  • Security updates and patches will not be made available for the applications
  • Usernames and passwords do not meet corporate standards
  • The data contained within the applications include both PII and PHI
  • The applications communicate using TLS 1.0
  • Only internal users access the applications

Which of the following should be utilized to reduce the risk associated with these applications and their current architecture?

  • Update the company policies to reflect the current state of the applications so they are not out of compliance
  • Create a group policy to enforce password complexity and username requirements
  • Use network segmentation to isolate the applications and control access
  • Move the applications to virtual servers that meet the password and account standards
A
  • Use network segmentation to isolate the applications and control access
165
Q

A corporate forensic investigator has been asked to acquire five forensic images of an employee database application. There are three images to capture in the US, one in the UK and one in Germany. Upon completion of the work, the forensic investigator saves the images to a local workstation. Which of the following types of concerns should the forensic investigator have about this work assignment?

  • Environmental
  • Privacy
  • Ethical
  • Criminal
A
  • Privacy
166
Q

A large, public university has recently been experiencing an increase in ransomware attacks against computers connected to its network. Security engineers have discovered various staff members receiving seemingly innocuous files in their email that are being run. Which of the following would BEST mitigate the attack method?

  • Improving organizational email filtering
  • Conducting user awareness training
  • Upgrading endpoint anti-malware software
  • Enabling application whitelisting
A
  • Enabling application whitelisting
167
Q

An organization is evaluating options related to moving organizational assets to a cloud-based environment using an IaaS provider. One engineer has suggested connecting a second cloud environment within the organization’s existing facilities to capitalize on available datacenter space and resources. Other project members are concerned about such a commitment of organizational assets and ask the Chief Security Officer (CSO) for input. The CSO explains that the project team should work with the engineer to evaluate the risks associated with using the datacenter to implement…

  • a hybrid cloud
  • an on-premises private cloud
  • a hosted hybrid cloud
  • a private cloud
A
  • a hybrid cloud
168
Q

A company recently implemented a new cloud storage solution and installed the required synchronization client on all company devices. A few months later, a breach of sensitive data was discovered. Root cause analysis shows the data breach happened from a lost personal mobile device. Which of the following controls can the organization implement to reduce the risk of similar breaches?

  • Biometric authentication
  • Cloud storage encryption
  • Application containerization
  • Hardware anti-tamper
A
  • Biometric authentication
169
Q

A company is migrating systems from an on-premises facility to a third-party managed datacenter. For continuity of operations and business agility, remote access to all hardware platforms must be available at all times. Access controls need to be very robust and provide an audit trail. Which of the following security controls will meet the company’s objectives? (Select TWO)

  • Integrated platform management interfaces are configured to allow access only via SSH
  • Access to hardware platforms is restricted to the system administrator’s IP address
  • Access is captured in event logs that include source address, time stamp, and outcome
  • The IP addresses of server management interfaces are located within the company’s extranet
  • Access is limited to interactive logins on the VDI
  • Application logs are hashed cryptographically and sent to a SIEM
A
  • Integrated platform management interfaces are configured to allow access only via SSH
  • Access is captured in event logs that include source address, time stamp, and outcome
170
Q

The CISO accompanies the CIO to purchase a small piece of office equipment that is needed for an upcoming project. When paying for the item, the CIO is asked to use the EMV chip reader instead of swiping. The CIO asks the CISO what the difference is, and the CISO explains it is part of the store’s risk management. The chip reader allows the store to:

  • avoid fraudulent card risk
  • transfer fraudulent card risk
  • mitigate fraudulent card risk
  • accept fraudulent card risk
A
  • mitigate fraudulent card risk
171
Q

A security architect has designated that a server segment of an enterprise network will require each server to have secure and measured boot capabilities. The architect now wishes to ensure service consumers and peers can verify the hosted services. Which of the following capabilities must the architect consider for enabling the verification?

  • Centralized attestation server
  • Enterprise HSM
  • vTPM
  • SIEM
A
  • Centralized attestation server
172
Q

A vendor develops a mobile application for global customers. The mobile application supports advanced encryption of data between the source (the mobile device) and the destination (the organization’s ERP system). As part of the vendor’s compliance program, which of the following would be important to take into account?

  • Mobile tokenization
  • Export controls
  • Device containerization
  • Privacy policies
A
  • Export controls
173
Q

A security manager recently categorized an information system. During the categorization effort, the manager determined the loss of integrity of a specific information type would impact business significantly. Based on this, the security manager recommends the implementation of several solutions. Which of the following, when combined, would BEST mitigate this risk? (Select TWO)

  • Access control
  • Whitelisting
  • Signing
  • Validation
  • Boot attestation
A
  • Access control
  • Validation
174
Q

An internal penetration tester was assessing a recruiting page for potential issues before it was pushed to the production website. The penetration tester discovers an issue that must be corrected before the page goes live. The web host administrator collects the log files below and gives them to the development team so improvements can be made to the security design of the website.

— image —

Which of the following types of attack vectors did the penetration tester use?

  • SQL injection
  • CSRF
  • Brute force
  • XSS
  • TOC/TOU
A
  • CSRF