Part 3 Flashcards

1
Q

An analyst has been asked to provide feedback regarding the controls required by a revised regulatory
framework. At this time, the analyst only needs to focus on the technical controls.
Which of the following should the analyst provide an assessment of?
A. Tokenization of sensitive data
B. Establishment of data classifications
C. Reporting on data retention and purging activities
D. Formal identification of

A

A. Tokenization of sensitive data

2
Q

An analyst is participating in the solution analysis process for a cloud-hosted SIEM platform to centralize log monitoring and alerting capabilities in the SOC.
Which of the following is the BEST approach for supply chain assessment when selecting a vendor?
A. Gather information from providers, including datacenter specifications and copies of audit reports.
B. Identify SLA requirements for monitoring and logging.
C. Consult with senior management for recommendations.
D. Perform a proof of concept to identify possible solutions.

A

A. Gather information from providers, including datacenter specifications and copies of audit reports. (Supply chain assessment is vendor due diligence; SLAs and proofs of concept evaluate the product, not the provider.)

3
Q
Which of the following would MOST likely be included in the incident response procedure after a
security breach of customer PII?
A. Human resources
B. Public relations
C. Marketing
D. Internal network operations center
A

B. Public relations

4
Q

The Chief Executive Officer (CEO) of a large insurance company has reported phishing emails that
contain malicious links are targeting the entire organization.
Which of the following actions would work BEST to prevent against this type of attack?
A. Turn on full behavioral analysis to avert an infection.
B. Implement an EDR mail module that will rewrite and analyze email links.
C. Reconfigure the EDR solution to perform real-time scanning of all files.
D. Ensure EDR signatures are updated every day to avert infection.
E. Modify the EDR solution to use heuristic analysis techniques for malware.

A

B. Implement an EDR mail module that will rewrite and analyze email links.

5
Q

A cybersecurity analyst is reading a daily intelligence digest of new vulnerabilities. The type of
vulnerability that should be disseminated FIRST is one that:
A. enables remote code execution that is being exploited in the wild.
B. enables data leakage but is not known to be in the environment.
C. enables lateral movement and was reported as a proof of concept.
D. affected the organization in the past but was probably contained and eradicated.

A

A. enables remote code execution that is being exploited in the wild.

6
Q

A cybersecurity analyst is supporting an incident response effort via threat intelligence.
Which of the following is the analyst MOST likely executing?
A. Requirements analysis and collection planning
B. Containment and eradication
C. Recovery and post-incident review
D. Indicator enrichment and research pivoting

A

A. Requirements analysis and collection planning

7
Q
In system hardening, which of the following types of vulnerability scans would work BEST to verify the
scanned device meets security policies?
A. SCAP
B. Burp Suite
C. OWASP ZAP
D. Unauthenticated
A

A. SCAP (an authenticated SCAP scan compares the device's configuration against a policy baseline; an unauthenticated scan only sees what the device exposes on the network, and Burp Suite and OWASP ZAP are web application testers)

8
Q
Which of the following sets of attributes BEST illustrates the characteristics of an insider threat from a
security perspective?
A. Unauthorized, unintentional, benign
B. Unauthorized, intentional, malicious
C. Authorized, intentional, malicious
D. Authorized, unintentional, benign
A

C. Authorized, intentional, malicious

9
Q
Which of the following BEST describes the process by which code is developed, tested, and
deployed in small batches?
A. Agile
B. Waterfall
C. SDLC
D. Dynamic code analysis
A

A. Agile (SDLC is the generic life cycle that both Agile and Waterfall follow; only Agile works in small iterative batches)

10
Q

Employees of a large financial company are continuously being infected by strains of malware that are not detected by EDR tools.
Which of the following is the BEST security control to implement to reduce corporate risk while allowing
employees to exchange files at client sites?
A. MFA on the workstations
B. Additional host firewall rules
C. VDI environment
D. Hard drive encryption
E. Network access control
F. Network segmentation

A

C. VDI environment

11
Q
The inability to do remote updates of certificates, keys, software, and firmware is a security issue
commonly associated with:
A. web servers on private networks
B. HVAC control systems
C. smartphones
D. firewalls and UTM devices
A

B. HVAC control systems (embedded building-control systems are frequently installed without any remote update path; web servers, smartphones, firewalls and UTM devices are all routinely updated over the network)

12
Q

An analyst identifies multiple instances of node-to-node communication between several endpoints
within the 10.200.2.0/24 network and a user machine at the IP address 10.200.2.5. This user machine at
the IP address 10.200.2.5 is also identified as initiating outbound communication during atypical business
hours with several IP addresses that have recently appeared on threat feeds.
Which of the following can be inferred from this activity?
A. 10.200.2.0/24 is infected with ransomware.
B. 10.200.2.0/24 is not routable address space.
C. 10.200.2.5 is a rogue endpoint.
D. 10.200.2.5 is exfiltrating data.

A

D. 10.200.2.5 is exfiltrating data.
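The pattern on this card (fan-in from many internal peers to one host, then off-hours outbound connections from that host to addresses on a threat feed) expressed as detection logic over flow records. This is an added example, not part of the flashcard deck; the flow lines, the threat-feed entries (RFC 5737 documentation addresses) and the 08:00-17:59 weekday business-hours window are all constructed assumptions.

```python
# Added example (not from the flashcard deck): score hosts for the
# "internal fan-in + off-hours contact with threat-feed IPs" pattern.
# Flow records, threat feed and business-hours window are constructed.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.200.2.0/24")
# Constructed feed using RFC 5737 documentation addresses, not real indicators.
THREAT_FEED = {ip_address("198.51.100.23"), ip_address("203.0.113.77")}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time, weekdays (assumption)

# Constructed flow log: "timestamp src dst dst_port bytes_out"
FLOWS = """\
2024-03-04T10:15:02 10.200.2.17 10.200.2.5 445 1200
2024-03-04T10:16:40 10.200.2.18 10.200.2.5 445 900
2024-03-04T10:20:05 10.200.2.19 10.200.2.5 445 1500
2024-03-04T11:02:33 10.200.2.21 10.200.2.5 3389 4000
2024-03-04T11:30:00 10.200.2.17 192.0.2.10 443 2100
2024-03-04T02:03:11 10.200.2.5 198.51.100.23 443 5242880
2024-03-05T03:14:09 10.200.2.5 203.0.113.77 443 7340032
2024-03-05T14:00:00 10.200.2.30 198.51.100.23 80 300
"""


def parse_flows(text):
    """Turn the whitespace-separated flow lines into typed tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src),
                      ip_address(dst), int(port), int(nbytes)))
    return flows


def is_off_hours(ts):
    """True outside the assumed business window or on a weekend."""
    return ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5


def find_suspects(flows, min_peers=3, min_feed_hits=2):
    """Return hosts that are both a hub for internal peers and talk to the
    threat feed outside business hours. Thresholds are tunable assumptions."""
    peers = defaultdict(set)       # endpoint -> internal hosts that connected to it
    feed_hits = defaultdict(list)  # internal source -> outbound flows to feed IPs
    for ts, src, dst, port, nbytes in flows:
        if src in INTERNAL and dst in INTERNAL:
            peers[dst].add(src)
        elif src in INTERNAL and dst in THREAT_FEED:
            feed_hits[src].append((ts, dst, nbytes))

    suspects = {}
    for host, hits in feed_hits.items():
        off_hours = [h for h in hits if is_off_hours(h[0])]
        if len(peers[host]) >= min_peers and len(off_hours) >= min_feed_hits:
            suspects[str(host)] = {
                "internal_peers": len(peers[host]),
                "off_hours_feed_hits": len(off_hours),
                "bytes_out": sum(h[2] for h in off_hours),
                "feed_ips": sorted(str(h[1]) for h in off_hours),
            }
    return suspects


if __name__ == "__main__":
    for host, detail in find_suspects(parse_flows(FLOWS)).items():
        print(host, detail)
```

The function only scores the pattern; as on the card, exfiltration is an inference that still has to be confirmed from the destinations and payload sizes, which is why the result carries the byte count and the feed IPs rather than a verdict. The host that touches a feed IP once during business hours (10.200.2.30) is deliberately left below the threshold.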

13
Q
Which of the following would a security engineer recommend to BEST protect sensitive system data
from being accessed on mobile devices?
A. Use a UEFI boot password.
B. Implement a self-encrypting disk.
C. Configure filesystem encryption.
D. Enable Secure Boot using TPM.
A

C. Configure filesystem encryption.

14
Q

A security analyst has discovered suspicious traffic and determined a host is connecting to a known
malicious website. The MOST appropriate action for the analyst to take would be to implement a change
request to:
A. update the antivirus software
B. configure the firewall to block traffic to the domain
C. add the domain to the blacklist
D. create an IPS signature for the domain

A

B. configure the firewall to block traffic to the domain

15
Q

A security analyst is responding to an incident on a web server on the company network that is
making a large number of outbound requests over DNS.
Which of the following is the FIRST step the analyst should take to evaluate this potential indicator of
compromise?
A. Run an anti-malware scan on the system to detect and eradicate the current threat
B. Start a network capture on the system to look into the DNS requests to validate command and control
traffic.
C. Shut down the system to prevent further degradation of the company network
D. Reimage the machine to remove the threat completely and get back to a normal running state.
E. Isolate the system on the network to ensure it cannot access other systems while evaluation is
underway.

A

E. Isolate the system on the network to ensure it cannot access other systems while evaluation is
underway.

16
Q

A human resources employee sends out a mass email to all employees that contains their personnel
records. A security analyst is called in to address the concern of the human resources director on how to
prevent this from happening in the future.
Which of the following would be the BEST solution to recommend to the director?
A. Install a data loss prevention system, and train human resources employees on its use.
Provide PII training to all employees at the company. Encrypt PII information.
B. Enforce encryption on all emails sent within the company. Create a PII program and policy on how to
handle data. Train all human resources employees.
C. Train all employees. Encrypt data sent on the company network. Bring in privacy personnel to present
a plan on how PII should be handled.
D. Install specific equipment to create a human resources policy that protects PII data. Train company
employees on how to handle PII data. Outsource all PII to another company. Send the human resources
director to training for PII handling.

A

A. Install a data loss prevention system, and train human resources employees on its use.
Provide PII training to all employees at the company. Encrypt PII information.

17
Q

An information security analyst is reviewing backup data sets as part of a project focused on
eliminating archival data sets.
Which of the following should be considered FIRST prior to disposing of the electronic data?
A. Sanitization policy
B. Data sovereignty
C. Encryption policy
D. Retention standards

A

A. Sanitization policy

18
Q

A critical server was compromised by malware, and all functionality was lost. Backups of this server
were taken; however, management believes a logic bomb may have been injected by a rootkit.
Which of the following should a security analyst perform to restore functionality quickly?
A. Work backward, restoring each backup until the server is clean
B. Restore the previous backup and scan with a live boot anti-malware scanner
C. Stand up a new server and restore critical data from backups
D. Offload the critical data to a new server and continue operations

A

C. Stand up a new server and restore critical data from backups

19
Q

An analyst is searching a log for potential credit card leaks. The log stores all data encoded in
hexadecimal.
Which of the following commands will allow the security analyst to confirm the incident?
A. cat log xxd -r -p | egrep '[0-9]{16}'
B. egrep '(3[0-9]){16}' log
C. cat log | xxd -r -p | egrep '[0-9]{16}'
D. egrep '[0-9]{16}' log | xxd -r -p

A

C. cat log | xxd -r -p | egrep '[0-9]{16}' (decode the hex with xxd -r -p first, then search the plaintext for a run of 16 digits; A is missing the pipe into xxd, and B and D run egrep before the log has been decoded)
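The decode-then-search pipeline from the correct option, as an added Python example (not part of the deck), with a Luhn check added so that order numbers and timestamps that happen to be 16 digits are dropped and with the matched numbers masked rather than printed in full. The log content is constructed; it is stored hex-encoded and line-wrapped the way `xxd -p` emits it, and decoded the way `xxd -r -p` would.

```python
# Added example (not from the flashcard deck): decode a hex-encoded log and
# search the plaintext for Luhn-valid 16-digit card numbers. Log is constructed.
import re

# 16 contiguous digits that are not part of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum (mod 10); real card numbers pass, random 16-digit runs rarely do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_hex_log(hex_text):
    """Equivalent of `xxd -r -p`: drop whitespace and newlines, then decode hex pairs."""
    compact = "".join(hex_text.split())
    if len(compact) % 2:
        raise ValueError("odd number of hex digits: log is truncated or not plain hex")
    return bytes.fromhex(compact).decode("utf-8", errors="replace")


def mask(pan):
    """Keep BIN and last four, which is all an incident report should carry."""
    return pan[:6] + "*" * 6 + pan[-4:]


def find_pans(text):
    """Return (line_number, masked_pan) for every Luhn-valid 16-digit run."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for candidate in PAN_RE.findall(line):
            if luhn_ok(candidate):
                hits.append((lineno, mask(candidate)))
    return hits


# Constructed plaintext; the two pan= values are well-known test numbers and the
# ref= value is a 16-digit run that fails Luhn, so it must not be reported.
PLAINTEXT = (
    "2024-03-04 order=881 pan=4111111111111111 status=ok\n"
    "2024-03-04 order=882 ref=1234567890123456 status=ok\n"
    "2024-03-04 order=883 pan=5555555555554444 status=ok\n"
)
# The log as stored on disk: hex, wrapped at 60 characters per line like `xxd -p`.
_hex = PLAINTEXT.encode().hex()
HEX_LOG = "\n".join(_hex[i:i + 60] for i in range(0, len(_hex), 60)) + "\n"


if __name__ == "__main__":
    for lineno, masked in find_pans(decode_hex_log(HEX_LOG)):
        print(f"line {lineno}: {masked}")
```

Searching the undecoded log (options B and D run egrep before xxd) is the trap: the hex of a 16-digit number is 32 characters drawn from 0-9 and a-f, so a naive `[0-9]{16}` on the raw log matches byte values rather than card numbers. The pattern above only covers 16-digit PANs; widen it to `\d{15,16}` if American Express numbers are in scope.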

20
Q
Which of the following are components of the intelligence cycle? (Select TWO.)
A. Collection
B. Normalization
C. Response
D. Analysis
E. Correction
F. Dissension
A

A. Collection

D. Analysis

21
Q

An organization has not had an incident for several months. The Chief Information Security Officer
(CISO) wants to move to a more proactive stance for security investigations.
Which of the following would BEST meet that goal?
A. Root-cause analysis
B. Active response
C. Advanced antivirus
D. Information-sharing community
E. Threat hunting

A

E. Threat hunting

23
Q

A small organization has proprietary software that is used internally. The system has not been well
maintained and cannot be updated with the rest of the environment.
Which of the following is the BEST solution?
A. Virtualize the system and decommission the physical machine.
B. Remove it from the network and require air gapping.
C. Only allow access to the system via a jumpbox.
D. Implement MFA on the specific system.

A

A. Virtualize the system and decommission the physical machine.

24
Q
Which of the following technologies can be used to house the entropy keys for disk encryption on
desktops and laptops?
A. Self-encrypting drive
B. Bus encryption
C. TPM
D. HSM
A

C. TPM (the Trusted Platform Module on the endpoint seals the disk encryption key to the platform state; an HSM is a network or server appliance, and a self-encrypting drive is the encrypted medium rather than the key store)

25
Q

As part of a review of incident response plans, which of the following is MOST important for an
organization to understand when establishing the breach notification period?
A. Organizational policies
B. Vendor requirements and contracts
C. Service-level agreements
D. Legal requirements

A

D. Legal requirements

26
Q

A security analyst needs to reduce the overall attack surface.
Which of the following infrastructure changes should the analyst recommend?
A. Implement a honeypot.
B. Air gap sensitive systems.
C. Increase the network segmentation.
D. Implement a cloud-based architecture

A

C. Increase the network segmentation.

27
Q
Which of the following types of policies is used to regulate data storage on the network?
A. Password
B. Acceptable use
C. Account management
D. Retention
A

D. Retention

28
Q

A team of security analysts has been alerted to potential malware activity. The initial examination
indicates one of the affected workstations is beaconing on TCP port 80 to five IP addresses and
attempting to spread across the network over port 445.
Which of the following should be the team's NEXT step during the detection phase of this response
process?
A. Escalate the incident to management, who will then engage the network infrastructure team to keep
them informed.
B. Depending on system criticality, remove each affected device from the network by disabling wired and
wireless connections.
C. Engage the engineering team to block SMB traffic internally and outbound HTTP traffic to the five IP
addresses.
D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network
traffic.

A

D. Identify potentially affected systems by creating a correlation search in the SIEM based on the network
traffic.

29
Q

A security team wants to make SaaS solutions accessible from only the corporate campus.
Which of the following would BEST accomplish this goal?
A. Geofencing
B. IP restrictions
C. Reverse proxy
D. Single sign-on

A

A. Geofencing

30
Q

As part of an exercise set up by the information security officer, the IT staff must move some of the
network systems to an off-site facility and redeploy them for testing. All staff members must ensure their
respective systems can power back up and match their gold image. If they find any inconsistencies, they
must formally document the information.
Which of the following BEST describes this test?
A. Walk through
B. Full interruption
C. Simulation
D. Parallel

A

C. Simulation

31
Q

During a cyber incident, which of the following is the BEST course of action?
A. Switch to using a pre-approved, secure, third-party communication system.
B. Keep the entire company informed to ensure transparency and integrity during the incident.
C. Restrict customer communication until the severity of the breach is confirmed.
D. Limit communications to pre-authorized parties to ensure response efforts remain confidential.

A

D. Limit communications to pre-authorized parties to ensure response efforts remain confidential.

32
Q

A malicious hacker wants to gather guest credentials on a hotel 802.11 network.
Which of the following tools is the malicious hacker going to use to gain access to information found on
the hotel network?
A. Nikto
B. Aircrack-ng
C. Nessus
D. tcpdump

A

B. Aircrack-ng (the 802.11 capture and key-cracking suite; Nikto is a web server scanner and Nessus a vulnerability scanner)

33
Q

A security analyst discovers a vulnerability on an unpatched web server that is used for testing
machine learning on Big Data sets. Exploitation of the vulnerability could cost the organization $1.5
million in lost productivity. The server is located on an isolated network segment that has a 5% chance of
being compromised.
Which of the following is the value of this risk?
A. $75,000
B. $300,000
C. $1.425 million
D. $1.5 million

A

A. $75,000 (risk = impact x likelihood = $1.5 million x 0.05)

34
Q

A security analyst receives an alert that highly sensitive information has left the company's network.
Upon investigation, the analyst discovers an outside IP range has had connections from three servers
more than 100 times in the past month. The affected servers are virtual machines.
Which of the following is the BEST course of action?
A. Shut down the servers as soon as possible, move them to a clean environment, restart, run a
vulnerability scanner to find weaknesses, determine the root cause, remediate, and report.
B. Report the data exfiltration to management, take the affected servers offline, conduct an antivirus scan,
remediate all threats found, and return the servers to service.
C. Disconnect the affected servers from the network, use the virtual machine console to access the
systems, determine which information has left the network, find the security weakness, and remediate.
D. Determine if any other servers have been affected, snapshot any servers found, determine the vector
that was used to allow the data exfiltration, fix any vulnerabilities, remediate, and report.

A

A. Shut down the servers as soon as possible, move them to a clean environment, restart, run a
vulnerability scanner to find weaknesses, determine the root cause, remediate, and report.

35
Q

A security analyst discovers accounts in sensitive SaaS-based systems are not being removed in a
timely manner when an employee leaves the organization.
To BEST resolve the issue, the organization should implement:
A. federated authentication.
B. role-based access control.
C. manual account reviews.
D. multifactor authentication.

A

A. federated authentication. (With the SaaS applications trusting the corporate identity provider, disabling the one central account revokes access everywhere at once.)

36
Q

An analyst is reviewing a list of vulnerabilities, which were reported from a recent vulnerability scan of
a Linux server.
Which of the following is MOST likely to be a false positive?
A. OpenSSH/OpenSSL Package Random Number Generator Weakness
B. Apache HTTP Server Byte Range DoS
C. GDI+ Remote Code Execution Vulnerability (MS08-052)
D. HTTP TRACE / TRACK Methods Allowed (002-1208)
E. SSL Certificate Expiry

A

C. GDI+ Remote Code Execution Vulnerability (MS08-052) (a Windows-only vulnerability reported against a Linux host; an expired certificate, a weak RNG package, a byte-range DoS and enabled TRACE/TRACK methods can all genuinely occur on Linux)

37
Q

A security analyst has been alerted to several emails that show evidence an employee is planning
malicious activities that involve employee PII on the network before leaving the organization.
The security analyst's BEST response would be to coordinate with the legal department and:
A. the public relations department.
B. senior leadership.
C. law enforcement.
D. the human resources department.

A

D. the human resources department.

39
Q

An organization has several systems that require specific logons. Over the past few months,
the security analyst has noticed numerous failed logon attempts followed by password resets.
Which of the following should the analyst do to reduce the occurrence of legitimate failed logons and
password resets?
A. Use SSO across all applications
B. Perform a manual privilege review
C. Adjust the current monitoring and logging rules
D. Implement multifactor authentication

A

A. Use SSO across all applications

40
Q

A security analyst is reviewing the following requirements for new time clocks that will be installed in a
shipping warehouse:
• The clocks must be configured so they do not respond to ARP broadcasts.
• The server must be configured with static ARP entries for each clock.
Which of the following types of attacks will this configuration mitigate?
A. Spoofing
B. Overflows
C. Rootkits
D. Sniffing

A

A. Spoofing

41
Q

During an investigation, a security analyst identified machines that are infected with malware the
antivirus was unable to detect.
Which of the following is the BEST place to acquire evidence to perform data carving?
A. The system memory
B. The hard drive
C. Network packets
D. The Windows Registry

A

A. The system memory

42
Q

A security analyst conducted a risk assessment on an organization's wireless network and identified
a high-risk element in the implementation of data confidentiality protection.
Which of the following is the BEST technical security control to mitigate this risk?
A. Switch to RADIUS technology.
B. Switch to TACACS+ technology.
C. Switch to 802.1X technology.
D. Switch to the WPA2 protocol.

A

D. Switch to the WPA2 protocol. (RADIUS, TACACS+ and 802.1X handle authentication; WPA2 provides the over-the-air encryption that protects confidentiality.)

43
Q

When attempting to do a stealth scan against a system that does not respond to ping, which of the
following Nmap commands BEST accomplishes that goal?
A. nmap -sA -O -noping
B. nmap -sT -O -P0
C. nmap -sS -O -P0
D. nmap -sQ -O -P0

A

C. nmap -sS -O -P0 (-sS is the SYN "half-open" scan; -P0 is the legacy spelling of -Pn, which skips host discovery so the target is probed even though it ignores ping)

44
Q

A company wants to establish a threat-hunting team.
Which of the following BEST describes the rationale for integrating intelligence into hunt operations?
A. It enables the team to prioritize the focus area and tactics within the company's environment.
B. It provides criticality analysis for key enterprise servers and services.
C. It allows analysts to receive updates on newly discovered software vulnerabilities.
D. It supports rapid response and recovery during and following an incident.

A

A. It enables the team to prioritize the focus area and tactics within the company's environment.

45
Q

A security analyst is reviewing a suspected phishing campaign that has targeted an organization. The
organization has enabled a few email security technologies in the last year; however, the analyst believes
the security features are not working.
The analyst runs the following command:
> dig domain._domainkey.comptia.org TXT
Which of the following email protection technologies is the analyst MOST likely validating?
A. SPF
B. DNSSEC
C. DMARC
D. DKIM

A

D. DKIM (the selector._domainkey.<domain> TXT record holds the DKIM public key; SPF is published at the domain apex and DMARC at _dmarc.<domain>)
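The three record types the analyst could be checking, told apart by where they live in DNS and by their v= tag, plus a small validator for the DKIM key record that the dig command on this card retrieves. This is an added example, not from the deck; the records are constructed for example.org (the p= value is a placeholder, not a real key), and the comptia.org record in the usage check is likewise made up.

```python
# Added example (not from the flashcard deck): classify SPF/DKIM/DMARC TXT
# records and sanity-check a DKIM key record. All records are constructed.


def parse_tags(record):
    """Parse the 'tag=value; tag=value' lists used by DKIM (RFC 6376) and DMARC (RFC 7489)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def classify_txt(name, txt):
    """Decide which email-authentication technology a (name, TXT) pair belongs to."""
    labels = name.rstrip(".").lower().split(".")
    if txt.lower().startswith("v=spf1"):          # SPF: apex record, starts with v=spf1
        return "SPF"
    tags = parse_tags(txt)
    if "_domainkey" in labels and "p" in tags:      # DKIM: <selector>._domainkey.<domain>
        return "DKIM"
    if labels[0] == "_dmarc" and tags.get("v", "").upper() == "DMARC1":
        return "DMARC"                               # DMARC: _dmarc.<domain>
    return "unknown"


def check_dkim(txt):
    """Problems a verifier would hit with this DKIM key record (empty list means usable)."""
    tags = parse_tags(txt)
    problems = []
    if "v" in tags and tags["v"] != "DKIM1":
        problems.append("v= present but not DKIM1")
    if "p" not in tags:
        problems.append("no p= public key")
    elif tags["p"] == "":
        problems.append("empty p= (key revoked); signatures will fail")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):  # k= defaults to rsa
        problems.append(f"unsupported key type {tags['k']}")
    return problems


def audit(records):
    """Classify every record and run the DKIM validator on the DKIM ones."""
    report = {}
    for name, txt in records.items():
        kind = classify_txt(name, txt)
        problems = check_dkim(txt) if kind == "DKIM" else []
        report[name] = {"type": kind, "problems": problems}
    return report


# Constructed records for example.org; p= is a placeholder, not a real key.
RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "selector1._domainkey.example.org": "v=DKIM1; k=rsa; p=PLACEHOLDERBASE64KEY",
    "old._domainkey.example.org": "v=DKIM1; k=rsa; p=",
    "_dmarc.example.org": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org",
}


if __name__ == "__main__":
    for name, entry in audit(RECORDS).items():
        print(f"{name}: {entry['type']} {entry['problems'] or 'ok'}")
```

The dig on the card asks for a `_domainkey` name, so whatever it returns is classified as DKIM; an empty answer or an empty p= tag (the `old` selector above) is exactly the "feature enabled but not working" case the analyst suspects, because receivers cannot verify signatures without the public key.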

46
Q

A company recently experienced a break-in whereby a number of hardware assets were stolen
through unauthorized access at the back of the building.
Which of the following would BEST prevent this type of theft from occurring in the future?
A. Motion detection
B. Perimeter fencing
C. Monitored security cameras
D. Badged entry

A

D. Badged entry (the only option that stops unauthorized entry at the door; motion detection and cameras detect and record the theft rather than prevent it)

47
Q

A forensic analyst took an image of a workstation that was involved in an incident. To BEST ensure
the image is not tampered with, the analyst should use:
A. hashing
B. backup tapes
C. a legal hold
D. chain of custody.

A

A. hashing (a hash taken at acquisition and re-verified later proves the image is unchanged; chain of custody documents who handled it but does not by itself detect tampering)

48
Q

A security analyst is building a malware analysis lab. The analyst wants to ensure malicious
applications are not capable of escaping the virtual machines and pivoting to other networks.
To BEST mitigate this risk, the analyst should use:
A. an 802.11ac wireless bridge to create an air gap.
B. a managed switch to segment the lab into a separate VLAN.
C. a firewall to isolate the lab network from all other networks.
D. an unmanaged switch to segment the environments from one another.

A

C. a firewall to isolate the lab network from all other networks.

49
Q

Ransomware is identified on a company's network that affects both Windows and Mac hosts. The
command and control channel for encryption for this variant uses TCP ports from 11000 to 65000. The
channel goes to good1.iholdbadkeys.com, which resolves to IP address 72.172.16.2.
Which of the following is the MOST effective way to prevent any newly infected systems from actually
encrypting the data on connected network drives while causing the least disruption to normal Internet
traffic?
A. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway.
B. Block all outbound TCP connections to IP host address 172.172.16.2 at the border gateway.
C. Block all outbound traffic on TCP ports 11000 to 65000 at the border gateway.
D. Block all outbound traffic on TCP ports 11000 to 65000 to IP host address 172.172.16.2 at the border
gateway.

A

A. Block all outbound traffic to web host good1.iholdbadkeys.com at the border gateway.

50
Q

While preparing for an audit of information security controls in the environment, an analyst outlines a
framework control that has the following requirements:
• All sensitive data must be classified
• All sensitive data must be purged on a quarterly basis
• Certificates of disposal must remain on file for at least three years
This framework control is MOST likely classified as:
A. prescriptive
B. risk-based
C. preventive
D. corrective

A

A. prescriptive