Part 4

Question 1

Against the recommendation of the IT security analyst, a company set all user passwords on a server as
"P@55w0rD" Upon review of the /etc/passwd file, an attacker found the following:

alice:a8df3b6c4fd75f0617431fs2468f35191df8d237f
bob:2d250c5b2976b03d757f324edb59340df96aa05e
chris:ea981ec3285421d01410809f3f3f997ce0f4150

Which of the following BEST explains why the encrypted passwords do not match?

A. Perfect forward secrecy
B. Key stretching
C. Salting
D. Hashing

Answer 1

C

Question 2

Which of the following would BEST provide a systems administrator with the ability to more efficiently
identify systems and manage permissions and policies based on location, role, and service level?

A. Standard naming conventions
B. Domain services
C. Baseline configurations
D. Diagrams

Answer 2

A

Question 3

Which of the following tools is effective in preventing a user from accessing unauthorized removable
media?

A. USB data blocker
B. Faraday cage
C. Proximity reader
D. Cable lock

Answer 3

A

Question 4

A company is providing security awareness training regarding the importance of not forwarding social
media messages from unverified sources. Which of the following risks would the training help to prevent?

A. Hoaxes
B. SPIMs
C. Identity fraud
D. Credential harvesting

Answer 4

A

Question 5

A company has a flat network that is deployed in the cloud. Security policy states that all production and
development servers must be segmented. Which of the following should be used to design the network
to meet the security requirements?

A. VPN
B. VLAN
C. Screened subnet
D. WAF

Answer 5

B

Question 6

A SOC operator is receiving continuous alerts from multiple Linux systems indicating that unsuccessful
SSH attempts to a functional user ID have been attempted on each one of them in a short period of time.

Which of the following BEST explains this behavior?

A. Rainbow table attack
B. Password spraying
C. Logic bomb
D. Malware bot

Answer 6

B

Question 7

A systems administrator reports degraded performance on a virtual server. The administrator increases
the virtual memory allocation, which improves conditions, but performance degrades again after a few days.
The administrator runs an analysts tool and sees the following output:

==3214== timeAttend.exe analyzed
==3214== ERROR SUMMARY:
==3214== malloc/free: in use at exit: 4608 bytes in 18 blocks
==3214== checked 82116 bytes
==3214== definitely lost: 4608 bytes in 18 blocks

The administrator terminates the timeAttend.exe observes system performance over the next few days,
and notices that the system performance does not degrade.

Which of the following issues is MOST likely occurring?

A. DLL injection
B. API attack
C. Buffer overflow
D. Memory leak

Answer 7

D

Question 8

Which of the following describes a social engineering technique that seeks to exploit a persons sense of
urgency?

A. A phising email stating a cash settlement has been awarded by will expire soon
B. A smishing message stating a package is scheduled for pickup
C. A vishing call that requests a donation be made to a local charity
D. A SPIM notification claiming to be undercover law enforcement investigating a cybercrime

Answer 8

A

Question 9

An attacker browses a company’s online job board attempting to find any relevant information regarding the
technologies the company uses.

Which of the following BEST describes this social engineering technique?

A. Hoax
B. Reconnaissance
C. Impersonation
D. Pretexting

Answer 9

B

Question 10

Several universities are participating in a collaborative research project and need to share compute and
storage resources.

Which of the following cloud deployment strategies would BEST meet this need?

A. Community
B. Private
C. Public
D. Hybrid

Answer 10

A

Question 11

During a recent penetration test, the tester discovers large amounts of data were exfiltrated over the course of
12 months via the internet. The penetration tester stops the test to inform the client of the findings.

Which of the following should be the client's NEXT step to mitigate the issue?

A. Conduct a fill vulnerability scan to identify possible vulnerabilities
B. Perform containment on the critical servers and resources
C. Review the firewall and identify the source of the active connection
D. Disconnect the entire infrastructure from the internet

Answer 11

B

Question 12

The Chief Compliance Officer from a bank has approved a background check policy for all new hires.

Which of the following is the policy MOST likely protecting against?

A. Preventing any current employees siblings from working at the bank to prevent nepotism
B. Hiring an employee who has been convicted of theft to adhere to industry compliance
C. Filtering applicants who have added false information to resumes so they appear better qualified
D. Ensuring no new hires have worked at other banks that may be trying to steal customer information

Answer 12

B

Question 13

A security analyst wants to fingerprint a web server.

Which of the following tools will the security analyst MOST likely use to accomplish this task?

A. nmap -p1 -65535 192.168.0.10
B. dig 192.168.0.10
C. curl –head http://192.168.0.10
D. ping 192.168.0.10

Answer 13

C

Question 14

Which of the following is the MOST effective control against zero-day vulnerabilities?

A. Network segmentation
B. Patch management
C. Intrusion prevention system
D. Multiple vulnerability scanners

Answer 14

C

Question 15

Data exfiltration analysis indicates that an attacker managed to download system configuration notes
from a web server. The web-server logs have been deleted, but analysis have determined that the system
configuration notes were stored in the database administrators folder on the web server.

Which of the following attacks explains what occurred? (Select TWO)

A. Pass-the-hash
B. Directory traversal
C. SQL injection
D. Privilege escalation
E. Cross-site scripting
F. Request forgery

Answer 15

BD

Question 16

A penetration tester was able to compromise an internal server and is now trying to pivot the current
session in a network lateral movement.

Which of the following tools, if available on the server, will provide the MOST useful information for the next assessment step?

A. Autopsy
B. Cuckoo
C. Memdump
D. Nmap

Answer 16

D

Question 17

Server administrators want to configure a cloud solution so that computing memory and processor usage is
maximized most efficiently across a number of virtual servers. They also need to avoid potential denial-
of service situations caused by availability.

Which of the following should administrators configure to maximize system availability while efficiently utilizing available computing power?

A. Dynamic resource allocation
B. High availability
C. Segmentation
D. Container security

Answer 17

A

Question 18

A web server has been compromised due to a ransomware attack. Further investigation reveals the
ransomware has been in the server for the past 72 hours. The systems administrator needs to get the
services back up as soon as possible.

Which of the following should the administrator use to restore services to a secure state?

A. The last incremental backup that was conducted 72 hours ago
B. The last known-good configuration
C. The last full backup that was conducted seven days ago
D. The baseline OS configuration

Answer 18

A

Question 19

A systems engineer wants to leverage a cloud-based architecture with low latency between network-
connected devices that also reduces the bandwidth that is required by performing analytics directly on the
endpoints.

Which of the following would BEST meet the requirements? (Select TWO)

A. Private cloud
B. SaaS
C. Hybrid cloud
D. IaaS
E. DRaaS
F. Fog computing

Answer 19

CF

Question 20

A Chief Information Security Officer wants to ensure the organization is validating and checking the integrity of
zone transfers.

Which of the following solutions should be implemented?

A. DNSSEC
B. LDAPS
C. NGFW
D. DLP

Answer 20

A

Question 21

Which of the following is a benefit of including a risk management framework into an organizations
security approach?

A. It defines expected service levels from participating supply chain partners to ensure system outages
are
remediated in a timely manner
B. It identifies specific vendor products that have been tested and approved for use in a secure
environment
C. It provides legal assurances and remedies in the event a data breach occurs
D. It incorporates control, development, policy and management activities into IT operations

Answer 21

D

Question 22

A security analyst was called to investigate a file received directly from a hardware manufacturer. The
analyst is trying to determine whether the file was modified in transit before installation on the users
computer.

Which of the following can be used to safely assess the file?

A. Check the hash of the installation file
B. Match the file names
C. Verify the URL download location
D. Verify the code signing certificate

Answer 22

A

Question 23

DDoS attacks are causing an overload on the cluster of cloud servers. A security architect is researching
alternatives to make the cloud environment respond to load fluctuation in a cost-effective way.

Which of the following options BEST fulfills the architects requirements?

A. An orchestration solution that can adjust scalability of cloud assets
B. Use the multipath by adding more connections to cloud storage
C. Cloud assets replicated on geographically distributed regions
D. An on-site backup that is deployed and only used when the load increases

Answer 23

A

Question 24

A help desk technician receives an email from the Chief Information Officer (CIO) asking for documents.
The technician knows the CIO is on vacation for a few weeks. Which of the following should the technician
do FIRST to validate the authenticity of the email?

A. Check the metadata in the email header of the received path in reverse order to follow the emails path
B. Hover the mouse over the CIOs email address to verify the email address
C. Look at the metadata in the email header and verify the "From" line matches the CIOs email address
D. Forward the email to the CIO and ask if the CIO sent the email requesting the documents

Answer 24

A

Question 25

Which of the following would BEST provide detective and corrective controls for thermal regulation?

A. A smoke detector
B. A fire alarm
C. An HVAC system
D. A fire suppression system
E. Guards

Answer 25

C

Question 26

After a recent security incident, a security analyst discovered that unnecessary ports were open on a firewall
policy for a web server.

Which of the following firewall policies would be MOST secure for a web server?

A. Source Destination Port Action
Any Any TCP 53 Allow
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Any

B. Source Destination Port Action
Any Any TCP 53 Deny
Any Any TCP 80 Allow
Any Any TCP 445 Allow
Any Any Any Allow

C. Source Destination Port Action
Any Any TCP 80 Deny
Any Any TCP 443 Allow
Any Any Any Allow

D. Source Destination Port Action
Any Any TCP 80 Allow
Any Any TCP 443 Allow
Any Any Any Deny

Answer 26

D

Question 27

A DBA reports that several production server hard drives were wiped over the weekend. The DBA also reports
that several Linux servers were unavailable due to system files being deleted unexpectedly. A security
analyst verified that software was configured to delete data deliberately from those servers. No backdoors to any
servers were found.

Which of the following attacks was MOST likely used to cause the data loss?

A. Logic bomb
B. Ransomware
C. Fileless virus
D. Remote Access Trojan
E. Rootkit

Answer 27

A

Question 28

A security analyst is reviewing the vulnerability scan report for a web server following an incident. The
vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a
patch is available for the vulnerability.

Which of the following is the MOST likely cause?

A. Security patches were uninstalled due to user impact
B. An adversary altered the vulnerability scan reports
C. A zero-day vulnerability was used to exploit the web server
D. The scan reported a false negative for the vulnerability

Answer 28

A

Question 29

Several users have opened tickets with the help desk The help desk has reassigned the tickets to a
security analyst for further review. The security analyst reviews the following metrics:

Hostname Normal CPU Current CPU Normal network Current network
Utilization utilization % Connections connections
Accounting PC 22% 48% 12 66
HR-PC 35% 55% 15 57
IT-PC 78% 98% 25 92
Sales-PC 28% 50% 20 56
Manager-PC 21% 44% 18 49

Which of the following is MOST likely the result of the security analysts review?

A. The ISP is dropping outbound connections
B. The user of the Sales-PC fell for a phishing attack
C. Corporate PCs have been turned into a botnet
D. An on-path attack is taking place between PCs and the router

Answer 29

C

Question 30

An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the
number of devices that were replaced due to loss, damage, or theft steadily increased by 10%.

Which of the following would BEST describe the estimated number of devices to be replaced next year?

A. ALE
B. ARO
C. RPO
D. SLE

Answer 30

A

Question 31

An administrator needs to protect user passwords and has been advised to hash the passwords.

Which of the following BEST describes what the administrator is being advised to do?

A. Perform a mathematical operation on the passwords that will convert them into unique strings
B. Add extra data to the passwords so their length is increased, making them harder to brute force
C. Store all passwords in the system in a rainbow table that has a centralized location
D. Enforce the use of one-time passwords that are changed for every login session

Answer 31

A

Question 32

A security analyst is receiving numerous alerts reporting that the response time of an internet-facing application
has been degraded. However, the internal network performance was not degraded.

Which of the following MOST likely explains this behavior?

A. DNS poisoning
B. MAC flooding
C. DDoS attack
D. ARP poisoning

Answer 32

C

Question 33

Which of the following terms describes a broad range of information that is sensitive to a specific
organization?

A. Public
B. Top secret
C. Proprietary
D. Open-source

Answer 33

C

Question 34

The SOC for a large MSSP is meeting to discuss the lessons learned from a recent incident that took
much too long to resolve. This type of incident has become more common in recent weeks and is consuming large amounts of the analysts time due to manual tasks being performed.

Which of the following solutions should the SOC consider to BEST improve its response time?

A. configure an NIDS appliance using a Switched Port Analyzer
B. Collect OSINT and catalog the artifacts in a central repository
C. Implement a SOAR with customizable playbooks
D. Install a SIEM with community-driven threat intelligence

Answer 34

C

Question 35

Which of the following are the BEST ways to implement remote home access to a company’s intranet
systems If establishing an always-on VPN is not an option? (Select TWO)

A. Install VPN concentrators at home office
B. Create NAT on the firewall for intranet systems
C. Establish SSH access to a jump server
D. Implement a SSO solution
E. Enable MFA for intranet systems
F. Configure SNMPv3 server and clients

Answer 35

AE

Question 36

Which of the following is the BEST example of a cost-effective physical control to enforce a USB removable
media restriction policy?

A. Putting security/antitamper tape over USB ports, logging the port number, and regularly inspecting
the ports
B. Implementing a GPO that will restrict access to authorized USB removable media and regularly
verifying
that it is enforced
C. Placing systems into locked, key-controlled containers with no access to the USB ports.
D. Installing an endpoint agent to detect connectivity of USB and removable media

Answer 36

A

Question 37

A recent security breach exploited software vulnerabilities in the firewall and within the network management
solution.

Which of the following will MOST likely be used to identify when the breach occurred through each
device?

A. SIEM correlation dashboards
B. Firewall syslog event logs
C. Network management solution login audit logs
D. Bandwidth monitors and interface sensors

Answer 37

A

Question 38

Which of the following risk management strategies would an organization use to maintain a legacy system with
known risks for operational purposes?

A. Acceptance
B. Transference
C. Avoidance
D. Mitigation

Answer 38

A

Question 39

A penetration tester is fuzzing an application to identify where the EIP of the stack is located on memory.

Which of the following attacks is the penetration tester planning to execute?

A. Race-condition
B. Pass-the-hash
C. Buffer overflow
D. XSS

Answer 39

C

Question 40

Which of the following would be indicative of a hidden audio file found inside of a piece of source code?

A. Steganography
B. Homomorphic encryption
C. Cipher suite
D. Blockchain

Answer 40

A

Question 41

An organization has developed an application that needs a patch to fix a critical vulnerability.

In which of the following environments should the patch be deployed LAST?

A. Test
B. Stage
C. Development
D. Production

Answer 41

D

Question 42

Which of the following organizations sets frameworks and controls for optimal security configuration on
systems?

A. ISO
B. GDPR
C. PCI DSS
D. NIST

Answer 42

D

Question 43

A security analyst receives an alert from the company's SIEM that anomalous activity is coming from a
local source IP address of 192.168.34.26. The Chief Information Security Officer asks the analyst to block the
originating source. Several days later, another employee opens an internal ticket stating that vulnerability scans
are no longer being performed properly. The IP address the employee provides is 192.168.34.26.

Which of the following describes this type of alert?

A. True positive
B. True negative
C. False positive
D. False negative

Answer 43

C

Question 44

An internet company has created a new collaboration application. To expand the user base, the company
wants to implement an option that allows users to log in to the application with the credentials of other
popular websites.

Which of the following should the company implement?

A. SSO
B. CHAP
C. 802.1x
D. OpenID

Answer 44

D

Question 45

A users account is constantly being locked out. Upon further review, a security analyst found the following in
the SIEM:

Time Log Message
9:00:00 AM login: user password: aBG23TMV
9:00:01 AM login: user password: aBG33TMV
9:00:02 AM login: user password: aBG43TMV
9:00:03 AM login: user password: aBG53TMV

A. An attacker is utilizing a password-spraying attack against the account
B. An attacker is utilizing a dictionary attack against the account
C. An attacker is utilizing a brute-force attack against the account
D. An attacker is utilizing a rainbow table attack against the account

Answer 45

C

Question 46

Business partners are working on a security mechanism to validate transactions securely. The
requirement is for one company to be responsible for deploying a trusted solution that will register and issue artifacts used to sign, encrypt, and decrypt transaction files.

Which of the following is the BEST solution to adopt?

A. PKI
B. Blockchain
C. SAML
D. OAuth

Answer 46

A

Question 47

A security analyst is concerned about critical vulnerabilities that have been detected on some applications
running inside containers.

Which of the following is the BEST remediation strategy?

A. Update the base container image and redeploy the environment
B. Include the containers in the regular patching schedule for servers
C. Patch each running container individually and test the application
D. Update the host in which the containers are running

Answer 47

A

Question 48

A company is implementing a DLP solution on the file server. The file server has PII, financial information,
users favorite mixed drink, and health information stored on it. Depending on what type of data is
hosted on the file server, the company wants different DLP rules assigned to the data.

Which of the following should the company do to help accomplish this goal?

A. Classify the data
B. Mask the data
C. Assign an application owner
D. Perform a risk analysis

Answer 48

A

Question 49

A junior security analyst is conducting an analysis after passwords were changed on multiple accounts
without users interaction. The SIEM have multiple login entries with the following text:

suspicious event - user: scheduletasks successfully authenticated on AD on
abnormal time
suspicious event - user: scheduletasks failed to execute c:\weekly_checkups
\secureyourAD-3rdparty-compliance.sh
suspicious event - user: scheduletasks successfully executed c:\weekly_checkups
\amazing-3rdparty-domain-assessment.py

Which of the following is the MOST likely attack conducted on the environment?

A. Malicious script
B. Privilege escalation
C. Domain hijacking
D. DNS poisoning

Answer 49

A

Question 50

A recent phishing campaign resulted in several compromised user accounts. The security incident response
team has been tasked with reducing the manual labor of filtering through all the phishing emails as they
arrive and blocking the sender's email address, along with other time-consuming mitigation actions.

Which of the following can be configured to streamline those tasks?

A. SOAR playbook
B. MDM policy
C. Firewall rules
D. URL filter
E. SIEM data collection

Answer 50

A

Question 51

Field workers in an organization are issued mobile phones on a daily basis. All the work is performed within
one city, and the mobile phones are not used for any purpose other than work. The organization does
not want these phones used for personal purposes. The organization would like to issue the phones to workers as permanent devices so the phones do not need to be reissued every day.

Given the conditions described, which of the following technologies would BEST meet these requirements.

A. Geofencing
B. Mobile Device Management
C. containerization
D. Remote wiping

Answer 51

B

Question 52

A company suspects that some corporate accounts were compromised. The number of suspicious logins from
location not recognized by the users is increasing. Employees who travel need their accounts protected without
the risk of blocking legitimate login requests that may be made over new sign-in properties.

Which of the following security controls can be implemented?

A. Enforce MFA when an account request reaches a risk threshold
B. Implement geofencing to only allow access from headquarters
C. Enforce time-based login requests that align with business hours
D. Shift the access control scheme to a discretionary access control

Answer 52

A

Question 53

An organization has activated an incident response plan due to a malware outbreak on its network. The
organization has brought in a forensics team that has identified an internet-facing windows server as the
likely point of initial compromise. The malware family that was detected is known to be distributed by
manually logging on to servers and running malicious code.

Which of the following actions would be BEST to prevent reinfection from the initial infection vector?

A. Prevent connection over TFTP from the internal network
B. Create a firewall rule that blocks port 22 from the internet to the server
C. Disable file sharing port 445 to the server
D. Block port 3389 inbound from untrusted networks

Answer 53

D

Question 54

A company wants to restrict emailing of PHI documents. The company is implementing a DLP solution.

In order to restrict PHI documents, which of the following should be performed FIRST?

A. Retention
B. Governance
C. Classification
D. Change management

Answer 54

C

Question 55

What biometric error would allow an unauthorized user to access a system?

A. False acceptance
B. False entrance
C. False rejection
D. False denial

Answer 55

A

Question 56

An organization has decided to purchase an insurance because a risk assessment determined that the
cost to remediate the risk is greater than the five-year cost of the insurance policy.

The organization is enabling risk

A. Avoidance
B. Acceptance
C. Mitigation
D. Transference

Answer 56

D

Question 57

Which of the following will increase cryptographic security?

A. High data entropy
B. Algorithms that require less computing power
C. Longer key longevity
D. Hashing

Answer 57

A

Question 58

Which of the following secure coding techniques makes compromised code more difficult for hackers to
use?

A. Obfuscation
B. Normalization
C. Execution
D. Reuse

Answer 58

A

Question 59

A company recently decided to allow its employees to use their personally owned devices for tasks like
checking email and messaging via mobile applications. The company would like to use MDM, but
employees are concerned about the loss of personal data.

Which of the following should the IT department implement to BEST protect the company against lost devices while still addressing the employees concerns?

A. Enable the remote-wiping option in the MDM software in case the phone is stolen
B. Configure the MDM software to enforce the use of PINs to access the phone
C. Configure MDM for FDE without enabling the lock screen
D. Perform a factory reset on the phone before installing the company’s applications

Answer 59

B

Question 60

Which of the following is the GREATEST security concern when outsourcing code development to third-
party contractors for an internet-facing application?

A. Intellectual property theft
B. Elevated privileges
C. Unknown backdoor
D. Quality Assurance

Answer 60

C

Question 61

Which of the following is a known security risk associated with data archives that contain financial
information?

A. Data can become a liability if archived longer then required by regulatory guidance
B. Data must be archived off-site to avoid breaches and meet business requirements
C. Companies are prohibited from providing archived data to e-discovery requests
D. Unencrypted archives should be preserved as long as possible and encrypted

Answer 61

A

Question 62

Which of the following is the MOST relevant security check to be performed before embedding third-party libraries in developed code?

A. Check to see if the third party has resources to create dedicated development and staging environments
B. Verify the number of companies that downloaded the third-party code and the number of contributions on
the code repository
C. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the libraries developers
D. Read multiple penetration-testing reports for environments running software that reused the library.

Answer 62

C

Question 63

A security analyst is investigating suspicious traffic on the web server located at IP address 10.10.1.1. A search of the WAF logs reveals the following output:

Source IP Desitnation IP Requested URL Action Taken
172.16.1.3 10.10.1.1 /web/cgi-bin/contact?category=custname permit and log
172.16.1.3 10.10.1.1 /web/cgi-bin-/contact?category=custname+OR+1=1– permit and log

A. XSS attack
B. SQLi attack
C. Replay attack
D. XSRF attack

Answer 63

B

Question 64

A tax organization is working on an solution to validate the online submission of documents. The solution
should be carried on a portable USB device that should be inserted on any computer that is transmitting a
transaction securely.

Which of the following is the BEST certificate for these requirements?

A. User certificate
B. Self-signed certificate
C. Computer certificate
D. Root certificate

Answer 64

A

Question 65

An employee received a word processing file that was delivered as an email attachment. The subject line
and email content enticed the employee to open the attachment.

Which of the following attack vectors best matches this Malware?

A. Embedded Python code
B. Macro-enabled file
C. Bash scripting
D. Credential-harvesting website

Answer 65

B

Question 66

A business operations manager is concerned that a PC, that is critical to business operations, will have a
costly hardware failure soon. The manager is looking for options to continue business operations without
incurring large costs.

Which of the following would mitigate the managers concerns?

A. Implement a full-system upgrade
B. Perform a physical-to-virtual migration
C. Install uninterruptible power supplies
D. Purchase cyber security insurance

Answer 66

B

Question 67

Which of the following is a risk that is specifically associated with hosting applications in the public
cloud?

A. Unsecured root accounts
B. Zero-day
C. Shared tenancy
D. Insider threat

Answer 67

C

Question 68

A recent audit cited a risk involving numerous low-criticality vulnerabilities created by a web-application
using a third-party library. The developer staff state there are still customers using the application, even though, it is end-of-life and it would be substantial burden to update the application compatibility with more secure libraries.

Which of the following would be the MOST prudent course of action?

A. Accept the risk if there is a clear road map for timely decommission
B. Deny the risk due to the end-of-life status of the application
C. Use containerization to segment the application from the other applications to eliminate the risk
D. Outsource the application to a third-party developer group

Answer 68

C

Question 69

An organization is migrating several SaaS applications that support SSO. The security manager wants to
ensure the migration is completed securely.

Which of the following should the organization consider before implementation? (Select TWO)

A. The back-end directory source
B. The identity federation protocol
C. The hashing method
D. The encryption method
E. The registration authority
F. The certificate authority

Answer 69

CD

Question 70

An IT security manager requests a report on company information that is publicly available. The
managers concern is that malicious actors will be able to access the data without engaging in active
reconnaissance.

Which of the following is the MOST efficient approach to perform the analysis?

A. Provide a domain parameter to theHarvester tool
B. Check public DNS entries using dnsenum
C. Perform a NESSUS vulnerability scan targeting a public companys IP
D. Execute nmap using the options: scall all ports in sneaky mode.

Answer 70

A

Question 71

A help desk technician receives a phone call from someone claiming to be a part of the organizations cyber security incident response team. The caller asks the technician to verify the networks internal firewall IP
address.

Which of the following is the technicians BEST course of action?

A. Direct the caller to stop by the help desk in person and hang up declining any further requests from
the
caller.
B. Ask for the callers name, verify the persons identity in the email directory, and provide the
requested
information over the phone.
C. Write down the phone number of the caller if possible, the name of the person requesting the
information,
hang up, and notify the organizations cyber security officer.
D. Request the caller send an email for identity verification and provide the requested information via
email to
the caller.

Answer 71

C

Question 72

Two organizations plan to collaborate on the evaluation of new SIEM solutions for their respective
companies. A combined effort from both organizations SOC teams would speed up the effort.

Which of the following can be written to document this agreement?

A. MOU
B. ISA
C. SLA
D. NDA

Answer 72

A

Question 73

Which of the following employee roles is responsible for protecting an organizations collected personal
information?

A. CTO
B. DPO
C. CEO
D. DBA

Answer 73

B

Question 74

A malware attack has corrupted 30TB of company data across all file servers A systems administrator
Identifies the malware and contains the Issue, but the data Is unrecoverable. The administrator Is not concerned about the data loss because the company has a system in place that will allow users to access the data that was backed up last night.

Which of the following resiliency techniques did the administrator MOST likely use to prevent impacts to business operations after an attack?

A. Tape backups
B. Replication
C. RAID
D. Cloud Storage

Answer 74

D

Question 75

A cybersecurity administrator needs to implement a Layer 7 security control on a network and block
potential attacks.

Which of the following can block an attack at Layer 7? (Select TWO).

A. HIDS
B. NIPS
C. HSM
D. WAF
E. NAC
F. NIDS
G. STATELESS FIREWALL

Answer 75

BD

Question 76

An organization is moving away from the use of client-side and server-side certificates for EAP. The
company would like for the new EAP solution to have the ability to detect rogue access points.

Which of the following would accomplish these requirements?

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS

Answer 76

B

Question 77

An amusement park is implementing a biometric system that validates customers fingerprints to ensure
they are not sharing tickets The parks owner values customers above all and would prefer customers
convenience over security.

For this reason, which of the following features should the security team prioritize FIRST?

A. LOW FAR
B. LOW efficacy
C. Low FRR
D. Low CER

Answer 77

D

Question 78

A security proposal was set up to track requests for remote access by creating a baseline of the users common sign-in properties.

When a baseline deviation is detected, an MFA challenge will be triggered. Which of the following should be configured in order to deploy the proposal?

A. Context-aware authentication
B. Simultaneous authentication of equals
C. Extensive authentication protocol
D. Agentless network access control

Answer 78

D

Question 79

A company recently experienced a significant data loss when proprietary Information was leaked to a
competitor. The company took special precautions by using proper labels; however, email filter logs do
not have any record of the incident. An Investigation confirmed the corporate network was not breached,
but documents were downloaded from an employees COPE tablet and passed to the competitor via cloud
storage.

Which of the following is the BEST
remediation for this data leak?

A. User trainer
B. CASB
C. MDM
D. DLP

Answer 79

D

Question 80

The Chief Information Security Officer warns to prevent ex filtration of sensitive information from employee cell
phones when using public USB power charging stations.

Which of the following would be the BEST solution to
Implement?

A. DLP
B. USB data blocker
C. USB OTG
D. Disable USB ports

Answer 80

B

Question 81

A security analyst has been asked by the Chief Information Security Officer to:
* develop a secure method of providing centralized management of infrastructure
* reduce the need to constantly replace aging end user machines
* provide a consistent user desktop experience

Which of the following BEST meets these requirements?

A. BYOD
B. Mobile device management
C. VDI
D. Containerization

Answer 81

C

Question 81

An organization is planning to open other datacenters to sustain operations in the event of a natural disaster.

Which of the following considerations would BEST support the organizations resiliency?

A. Geographical dispersal
B. Generator power
C. Fire Suppression
D. Facility automation

Answer 81

A

Question 82

Historically. a company has had issues with users plugging in personally owned removable media devices
into corporate computers. As a result, the threat of malware incidents is almost constant.

Which of the following would BEST help prevent the malware from being installed on the computers?

A. AUP
B. NGFW
C. DLP
D. EDR

Answer 82

C

Question 83

During an incident response, an analyst applied rules to all inbound traffic on the border firewall and implemented ACLs on each critical server. Following an investigation, the company realizes it is still
vulnerable because outbound traffic is not restricted, and the adversary is able to maintain a presence in the
network.

In which of the following stages of the Cyber Kill Chain is the adversary currently operating?

A. Reconnaissance
B. Command and Control
C. Actions on objectives
D. Exploitation

Answer 83

B

Question 84

A security analyst has been tasked with creating a new WiFi network for the company. The requirements
received by the analyst are as follows:

• Must be able to differentiate between users connected to WiFi
• The encryption keys need to change routinely without interrupting the users or forcing
  reauthentication
• Must be able to integrate with RADIUS
• Must not have any open SSIDs

Which of the following options BEST accommodates these requirements?

A. WPA2-Enterprise
B. WPAS3-PSK
C. 802.11n
D. WPS

Answer 84

A

Question 85

An application owner reports suspicious activity on an internal financial application from various internal
users within the past 14 days. A security analyst notices the following:

• Financial transactions were occurring during irregular time frames and outside of business hours by
  unauthorized users.
• Internal users in question were changing their passwords frequently during that time period.
• A jump box that several domain administrator users use to connect to remote devices was recently
  compromised.
• The authentication method used in the environment is NTLM.

Which of the following types of attacks is MOST likely being used to gain unauthorized access?

A. pass-the-hash
B. Brute-force
C. Directory Traversal
D. Replay

Answer 85

A

Question 86

A systems administrator is troubleshooting a servers connection to an internal web server. The
administrator needs to determine the correct ports to use.

Which of the following tools BEST shows which ports on
the web server are in a listening state?

A. ipconfig
B. ssh
C. ping
D. netstat

Answer 86

D

Question 87

Which of the following describes the continuous delivery software development methodology?

A. Waterfall
B. Spiral
C. V-Shaped
D. Agile

Answer 87

D

Question 88

An attacker was eavesdropping on a user who was shopping online. The attacker was able to spoof the
IP address associated with the shopping site. Later, the user received an email regarding the credit card
statement with unusual purchases.

Which of the following attacks took place?

A. on-path attack
B. Protocol poisoning
C. Domain hijacking
D. bluejacking

Answer 88

A

Question 89

A company needs to validate its updated incident response plan using a real-world scenario that will test
decision points and relevant incident response actions without interrupting daily operations.

Which of the following would BEST meet the company’s requirements?

A. Red-team exercise
B. Capture-the-flag exercise
C. tabletop exercise
D. Phishing exercise

Answer 89

C

Question 90

After multiple on premises security solutions were migrated to the cloud, the incident response time
increased. The analyst are spending a long time to trace information on different cloud consoles and correlating data in different formats.

Which of the following can be used to optimize the incident response time?

A. CASB
B. VPC
C. SWG
D. CMS

Answer 90

A

Question 91

Which of the following is the MOST relevant security check to be performed before embedding third
party libraries in developed code?

A. Check to see if the third party has resources to create dedicated development and staging environments.
B. Verify the number of companies that downloaded the third-party code and the number of
contributions on the code repository
C. Assess existing vulnerabilities affecting the third-party code and the remediation efficiency of the
libraries developers
D. Read multiple penetration-testing reports for environments running software that reused the library.

Answer 91

C

Question 92

Certain users are reporting their accounts are being used to send unauthorized emails and conduct
suspicious activities. After further investigation, a security analyst notices the following:

• All users share workstations throughout the day.
• Endpoint protection was disabled on several workstations throughout the network.
• Travel times on logins from the affected users are impossible.
• Sensitive data is being uploaded to external sites.
• All user account passwords were forced to be reset and the issue continued.

Which of the following attacks is being used to compromise the user accounts?

A. Brute-force
B. Keylogger
C. Dictionary
D. Rainbow

Answer 92

B

Question 93

Which of the following is the MOST likely reason for securing an air-gapped laboratory HVAC system?

A. To avoid data leakage
B. To protect surveillance logs
C. To ensure availability
D. To restrict remote access

Answer 93

C

Question 94

An application developer accidentally uploaded a company’s code-signing certificate private key to a
public web server. The company is concerned about malicious use of its certificate. Which of the following should the company do FIRST?

A. Delete the private key from the repository-.
B. Verify the public key is not exposed as well.
C. Update the DLP solution to check for private keys
D. Revoke the code-signing certificate.

Answer 94

D

Question 95

A security analyst is investigating some users who are being redirected to a fake website that resembles
www.comptia.org. The following output was found on the naming server of the organization:

Which of the following attacks has taken place?

A. Domain reputation
B. Domain hijacking
C. Disassociation
D. DNS Poisoning

Answer 95

D

Question 96

The Chief Information Security Officer (CISO) requested a report on potential areas of improvement following a
security incident.

Which of the following incident response processes is the CISO requesting?

A. Lessons learned
B. Preparation
C. Detection
D. Containment
E. Root Cause Analysis

Answer 96

A

Question 97

While reviewing an alert that shows a malicious request on one web application, a cybersecurity analyst is
alerted to a subsequent token reuse moments later on a different service using the same single sign-on
method.

Which of the following would BEST detect a malicious actor?

A. Utilizing SIEM correlation engines
B. Deploying Netflow at the network border
C. Disabling session tokens for all sites
D. Deploying a WAF for the web server

Answer 97

A

Question 98

An administrator is experiencing issues when trying to upload a support file to a vendor. A pop-up message
reveals that a payment card number was found in the file, and the file upload was blocked.

Which of the following controls is most likely causing this issue and should be checked FIRST?

A. DLP
B. Firewall rule
C. Content filter
D. MDM
E. Application whitelist

Answer 98

A

Question 99

After returning from a conference, a user’s laptop has been operating slower than normal and overheating, and the fans have been running constantly. During the diagnosis process, an unknown piece of hardware is found connected to the laptop’s motherboard.

Which of the following attack vectors was exploited to install the hardware?

A. Removable media
B. Spear phishing
C. Supply chain
D. Direct access

Answer 99

D