Practice Flashcards

1
A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company’s internal network, but they can gather information from any other source. Which of the following would BEST describe this approach?
Passive reconnaissance.
2
A company’s email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of the following would determine the disposition of this message?
DMARC (Domain-based Message Authentication, Reporting, and Conformance).
3
Which of these threat actors would be MOST likely to attack systems for direct financial gain?
Organized crime.
4
A security administrator has examined a server recently compromised by an attacker, and has determined the system was exploited due to a known operating system vulnerability. Which of the following would BEST describe this finding?
Root cause analysis.
5
A city is building an ambulance service network for emergency medical dispatching. Which of the following should have the highest priority?
System availability.
6
A system administrator receives a text alert when access rights are changed on a database containing private customer information. Which of the following would describe this alert?
Automation.
7
A security administrator is concerned about the potential for data exfiltration using external storage drives. Which of the following would be the BEST way to prevent this method of data exfiltration?
Create an operating system security policy to block the use of removable media.
8
A company creates a standard set of government reports each calendar quarter. Which of the following would describe this type of data?
Regulated.
9
An insurance company has created a set of policies to handle data breaches. The security team has been given this set of requirements based on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to meet these requirements? (Select THREE)
Restrict login access by IP address and GPS location. Consolidate all logs on a SIEM. Enable time-of-day restrictions on the authentication server.
10
A security engineer is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert 136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert: XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
A download was blocked from a web server.
11
A user connects to a third-party website and receives this message:
Your connection is not private. NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason for this message?
On-path.
12
Which of the following would be the BEST way to provide a website login using existing credentials from a third-party site?
Federation.
13
A system administrator is working on a contract that will specify a minimum required uptime for a set of Internet facing firewalls. The administrator needs to know how often the firewall hardware is expected to fail between repairs. Which of the following would BEST describe this information?
MTBF (Mean Time Between Failures).
14
An attacker calls into a company’s help desk and pretends to be the director of the company’s manufacturing department. The attacker states that they have forgotten their password and they need to have the password reset quickly for an important meeting. What kind of attack would BEST describe this phone call?
Social engineering.
15
Two companies have been working together for a number of months, and they would now like to qualify their partnership with a broad formal agreement between both organizations. Which of the following would describe this agreement?
MOA (Memorandum of Agreement).
16
Which of the following would explain why a company would automatically add a digital signature to each outgoing email message?
Integrity.
17
The embedded OS in a company’s time clock appliance is configured to reset the file system and reboot when a file system error occurs. On one of the time clocks, this file system error occurs during the startup process and causes the system to constantly reboot. Which of the following BEST describes this issue?
Race condition.
18
A recent audit has found that existing password policies do not include any restrictions on password attempts, and users are not required to periodically change their passwords. Which of the following would correct these policy issues? (Select TWO)
Password expiration. Account lockout.
19
What kind of security control is associated with a login banner?
Deterrent.
20
An internal audit has discovered four servers that have not been updated in over a year, and it will take two weeks to test and deploy the latest patches. Which of the following would be the best way to quickly respond to this situation in the meantime?
Move the servers to a protected segment.
21
A business manager is documenting a set of steps for processing orders if the primary Internet connection fails. Which of these would BEST describe these steps?
Continuity of operations.
22
A company would like to examine the credentials of each individual entering the data center building. Which of the following would BEST facilitate this requirement?
Access control vestibule.
23
A company stores some employee information in encrypted form, but other public details are stored as plaintext. Which of the following would BEST describe this encryption strategy?
Record.
24
A company would like to minimize database corruption if power is lost to a server. Which of the following would be the BEST strategy to follow?
Journaling.
25
A company is creating a security policy for corporate mobile devices:
* All mobile devices must be automatically locked after a predefined time period.
* The location of each device needs to be traceable.
* All of the user's information should be completely separate from company data.
Which of the following would be the BEST way to establish these security policy rules?
MDM (Mobile Device Manager).
26
A security engineer runs a monthly vulnerability scan. The scan doesn't list any vulnerabilities for Windows servers, but a significant vulnerability was announced last week and none of the servers are patched yet. Which of the following best describes this result?
False negative.
27
An IT help desk is using automation to improve the response time for security events. Which of the following use cases would apply to this process?
Escalation.
28
A network administrator would like each user to authenticate with their corporate username and password when connecting to the company's wireless network. Which of the following should the network administrator configure on the wireless access points?
802.1X.
29
A company's VPN service performs a posture assessment during the login process. Which of the following mitigation techniques would this describe?
Configuration enforcement.
30
A user has assigned individual rights and permissions to a file on their network drive. The user adds three additional individuals to have read-only access to the file. Which of the following would describe this access control model?
Discretionary.
31
A remote user has received a text message with a link to login and confirm their upcoming work schedule. Which of the following would BEST describe this attack?
Smishing.
32
A company is formalizing the design and deployment process used by their application programmers. Which of the following policies would apply?
Development lifecycle.
33
A security administrator has copied a suspected malware executable from a user's computer and is running the program in a sandbox. Which of the following would describe this part of the incident response process?
Containment.
34
A server administrator at a bank has noticed a decrease in the number of visitors to the bank's website. Additional research shows that users are being directed to a different IP address than the bank's web server. Which of the following would MOST likely describe this attack?
DNS poisoning.
35
Which of the following considerations are MOST commonly associated with a hybrid cloud model?
Network protection mismatches.
36
A company hires a large number of seasonal employees, and their system access should normally be disabled when the employee leaves the company. The security administrator would like to verify that their systems cannot be accessed by any of the former employees. Which of the following would be the BEST way to provide this verification?
Validate the offboarding processes and procedures.
37
Which of the following is used to describe how cautious an organization might be to taking a specific risk?
Risk appetite.
38
A technician is applying a series of patches to fifty web servers during a scheduled maintenance window. After patching and rebooting the first server, the web service fails with a critical error. Which of the following should the technician do NEXT?
Follow the steps listed in the backout plan.
39
An attacker has discovered a way to disable a server by sending specially crafted packets from many remote devices to the operating system. When the packet is received, the system crashes and must be rebooted to restore normal operations. Which of the following would BEST describe this attack?
DDoS.
40
A data breach has occurred in a large insurance company. A security administrator is building new servers and security systems to get all of the financial systems back online. Which part of the incident response process would BEST describe these actions?
Recovery.
41
A network team has installed new access points to support an application launch. In less than 24 hours, the wireless network was attacked and private company information was accessed. Which of the following would be the MOST likely reason for this breach?
Misconfiguration.
42
An organization has identified a significant vulnerability in an Internet-facing firewall. The firewall company has stated the firewall is no longer available for sale and there are no plans to create a patch for this vulnerability. Which of the following would BEST describe this issue?
End-of-life.
43
A company has decided to perform a disaster recovery exercise during an annual meeting with the IT directors and senior directors. A simulated disaster will be presented, and the participants will discuss the logistics and processes required to resolve the disaster. Which of the following would BEST describe this exercise?
Tabletop exercise.
44
A security administrator needs to block users from visiting websites hosting malicious software. Which of the following would be the BEST way to control this access?
DNS filtering.
45
A system administrator has been called to a system with a malware infection. As part of the incident response process, the administrator has imaged the operating system to a known-good version. Which of these incident response steps is the administrator following?
Recovery.
46
A company has placed a SCADA system on a segmented network with limited access from the rest of the corporate network. Which of the following would describe this process?
Hardening.
47
An administrator is viewing the following security log:
Dec 30 08:40:03 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:05 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:09 web01 445 more authentication failures; rhost=10.101.88.230 user=root
Which of the following would describe this attack?
Brute force.
48
During a morning login process, a user's laptop was moved to a private VLAN and a series of updates were automatically installed. Which of the following would describe this process?
Configuration enforcement.
49
Which of the following describes two-factor authentication?
A Windows Domain requires a password and smart card.
50
A company is deploying a new application to all employees in the field. Some of the problems associated with this roll out include:
* The company does not have a way to manage the devices in the field
* Team members have many different kinds of mobile devices
* The same device needs to be used for both corporate and private use
Which of the following deployment models would address these concerns?
COPE.
51
An organization is installing a UPS for their new data center. Which of the following would BEST describe this control type?
Compensating.
52
A manufacturing company would like to track the progress of parts used on an assembly line. Which of the following technologies would be the BEST choice for this task?
Blockchain.
53
A company's website has been compromised and the website content has been replaced with a political message. Which of the following threat actors would be the MOST likely culprit?
Hacktivist.
54
A Linux administrator is downloading an updated version of her Linux distribution. The download site shows a link to the ISO and a SHA256 hash value. Which of these would describe the use of this hash value?
Verifies that the file was not corrupted during the file transfer.
55
A company's security policy requires that login access should only be available if a person is physically within the same building as the server. Which of the following would be the BEST way to provide this requirement?
Biometric scanner.
56
A development team has installed a new application and database to a cloud service. After running a vulnerability scanner on the application instance, a security administrator finds the database is available for anyone to query without providing any authentication. Which of these vulnerabilities is MOST associated with this issue?
Open permissions.
57
Employees of an organization have received an email with a link offering a cash bonus for completing an internal training course. Which of the following would BEST describe this email?
Phishing campaign.
58
Which of the following risk management strategies would include the purchase and installation of an NGFW?
Mitigate.
59
An organization is implementing a security model where all application requests must be validated at a policy enforcement point. Which of the following would BEST describe this model?
Zero trust.
60
A company is installing a new application in a public cloud. Which of the following determines the assignment of data security in this cloud infrastructure?
Responsibility matrix.
61
When decommissioning a device, a company documents the type and size of storage drive, the amount of RAM, and any installed adapter cards. Which of the following describes this process?
Enumeration.
62
An attacker has sent more information than expected in a single API call, and this has allowed the execution of arbitrary code. Which of the following would BEST describe this attack?
Buffer overflow.
63
A company encourages users to encrypt all of their confidential materials on a central server. The organization would like to enable key escrow as a backup option. Which of these keys should the organization place into escrow?
Private.
64
A company is in the process of configuring and enabling host-based firewalls on all user devices. Which of the following threats is the company addressing?
Instant messaging.
65
A manufacturing company would like to use an existing router to separate a corporate network from a manufacturing floor. Both networks use the same physical switch, and the company does not want to install any additional hardware. Which of the following would be the BEST choice for this segmentation?
Create separate VLANs for the corporate network and the manufacturing floor.
66
An organization needs to provide a remote access solution for a newly deployed cloud-based application. This application is designed to be used by mobile field service technicians. Which of the following would be the best option for this requirement?
SASE.
67
A company is implementing a quarterly security awareness campaign. Which of the following would MOST likely be part of this campaign?
Suspicious message reports from users.
68
A recent report shows the return of a vulnerability that was previously patched four months ago. After researching this issue, the security team has found a recent patch has reintroduced this vulnerability on the servers. Which of the following should the security administrator implement to prevent this issue from occurring in the future?
Change management.
69
A security manager would like to ensure that unique hashes are used with an application login process. Which of the following would be the BEST way to add random data when generating a set of stored password hashes?
Salting.
70
Which cryptographic method is used to add trust to a digital certificate?
Digital signature.
71
A company is using SCAP as part of their security monitoring processes. Which of the following would BEST describe this implementation?
Automate the validation and patching of security issues. Identify and document authorized data center visitors.
72
An organization maintains a large database of customer information for sales tracking and customer support. Which person in the organization would be responsible for managing the access rights to this data?
Data custodian.
73
An organization's content management system currently labels files and documents as "Public" and "Restricted." On a recent update, a new classification type of "Private" was added. Which of the following would be the MOST likely reason for this addition?
Expanded privacy compliance.
74
A corporate security team would like to consolidate and protect the private keys across all of their web servers. Which of these would be the BEST way to securely store these keys?
Integrate an HSM.
75
A security technician is reviewing this security log from an IPS:
ALERT 2023-06-01 13:07:29 [163bcf65118-179b547b] Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3 NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token=""
Which of the following can be determined from this log information? (Select TWO)
The alert was generated from an embedded script. The attacker's IP address is 222.43.112.74.
76
Which of the following describes a monetary loss if one event occurs?
SLE.
77
A user with restricted access has typed this text in a search field of an internal web-based application:
USER77' OR '1'='1
After submitting this search request, all database records are displayed on the screen. Which of the following would BEST describe this search?
SQL injection.
78
A user has opened a helpdesk ticket complaining of poor system performance, excessive pop up messages, and the cursor moving without anyone touching the mouse. This issue began after they opened a spreadsheet from a vendor containing part numbers and pricing information. Which of the following is MOST likely the cause of this user's issues?
Trojan horse.
79
A web-based manufacturing company processes monthly charges to credit card information saved in the customer's profile. All of the customer information is encrypted and protected with additional authentication factors. Which of the following would be the justification for these security controls?
Compliance reporting.
80
A security manager has created a report showing intermittent network communication from certain workstations on the internal network to one external IP address. These traffic patterns occur at random times during the day. Which of the following would be the MOST likely reason for these traffic patterns?
Keylogger.
81
The security policies in a manufacturing company prohibit the transmission of customer information. However, a security administrator has received an alert that credit card numbers were transmitted as an email attachment. Which of the following was the MOST likely source of this alert message?
DLP (Data Loss Prevention).
82
A security administrator has configured a virtual machine in a screened subnet with a guest login account and no password. Which of the following would be the MOST likely reason for this configuration?
The server is a honeypot for attracting potential attackers.
83
A security administrator is configuring a DNS server with a SPF record. Which of the following would be the reason for this configuration?
List all servers authorized to send emails.
84
A company would like to securely deploy applications without the overhead of installing a virtual machine for each system. Which of the following would be the BEST way to deploy these applications?
Containerization.
85
A company has just purchased a new application server, and the security director wants to determine if the system is secure. The system is currently installed in a test environment and will not be available to users until the roll out to production next week. Which of the following would be the BEST way to determine if any part of the system can be exploited?
Penetration test.
86
A security administrator has performed an audit of the organization's production web servers, and the results have identified default configurations, web services running from a privileged account, and inconsistencies with SSL certificates. Which of the following would be the BEST way to resolve these issues?
Server hardening.
87
A shipping company stores information in small regional warehouses around the country. The company maintains an IPS at each warehouse to watch for suspicious traffic patterns. Which of the following would BEST describe the security control used at the warehouse?
Detective.
88
The Vice President of Sales has asked the IT team to create daily backups of the sales data. The Vice President is an example of a:
Data owner.
89
A security engineer is preparing to conduct a penetration test of a third-party website. Part of the preparation involves reading through social media posts for information about this site. Which of the following describes this practice?
OSINT.
90
A company would like to orchestrate the response when a virus is detected on company devices. Which of the following would be the BEST way to implement this function?
Escalation scripting.
91
A user in the accounting department has received a text message from the CEO. The message requests payment by cryptocurrency for a recently purchased tablet. Which of the following would BEST describe this attack?
Smishing.
92
A company has been informed of a hypervisor vulnerability that could allow users on one virtual machine to access resources on another virtual machine. Which of the following would BEST describe this vulnerability?
Escape.
93
While working from home, users are attending a project meeting over a web conference. When typing in the meeting link, the browser is unexpectedly directed to a different website than the web conference. Users in the office do not have any issues accessing the conference site. Which of the following would be the MOST likely reason for this issue?
DNS poisoning.
94
A company is launching a new internal application that will not start until a username and password are entered and a smart card is plugged into the computer. Which of the following BEST describes this process?
Authentication.
95
An online retailer is planning a penetration test as part of their PCI DSS validation. A third-party organization will be performing the test, and the online retailer has provided the Internet-facing IP addresses for their public web servers. No other details were provided. What penetration testing methodology is the online retailer using?
Partially known environment.
96
A manufacturing company produces radar used by commercial and military organizations. A recently proposed policy change would allow the use of mobile devices inside the facility. Which of the following would be the MOST significant threat vector issue associated with this change in policy?
Loss of intellectual property.
97
Which of the following would be the BEST way for an organization to verify the digital signature provided by an external email server?
Check the DKIM record.
98
A company is using older operating systems for their web servers and is concerned about their stability during periods of high use. Which of the following should the company use to maximize the uptime and availability of this service?
Load balancer.
99
A user in the accounting department would like to email a spreadsheet with sensitive information to a list of third-party vendors. Which of the following would be the BEST way to protect the data in this email?
Asymmetric encryption.
100
A system administrator would like to segment the network to give the marketing, accounting, and manufacturing departments their own private network. The network communication between departments would be restricted for additional security. Which of the following should be configured on this network?
VLAN.
101
A technician at an MSP has been asked to manage devices on a third-party private network. The technician needs command line access to internal routers, switches, and firewalls. Which of the following would provide the necessary access?
Jump server.
102
A transportation company is installing new wireless access points in their corporate office. The manufacturer estimates the access points will operate an average of 100,000 hours before a hardware-related outage. Which of the following describes this estimate?
MTBF.
103
A security administrator is creating a policy to prevent the disclosure of credit card numbers in a customer support application. Users of the application would only be able to view the last four digits of a credit card number. Which of the following would provide this functionality?
Masking.
104
A user is authenticating through the use of a PIN and a fingerprint. Which of the following would describe these authentication factors?
Something you know, something you are.
105
A security administrator is configuring the authentication process used by technicians when logging into wireless access points and switches. Instead of using local accounts, the administrator would like to pass all login requests to a centralized database. Which of the following would be the BEST way to implement this requirement?
AAA.
106
A recent audit has determined that many IT department accounts have been granted Administrator access. The audit recommends replacing these permissions with limited access rights. Which of the following would describe this policy?
Least privilege.
107
A recent security audit has discovered email addresses and passwords located in a packet capture. Which of the following did the audit identify?
Insecure protocols.
108
Before deploying a new application, a company is performing an internal audit to ensure all of their servers are configured with the appropriate security features. Which of the following would BEST describe this process?
Due care.
109
An organization has previously purchased insurance to cover a ransomware attack, but the costs of maintaining the policy have increased above the acceptable budget. The company has now decided to cancel the insurance policies and address potential ransomware issues internally. Which of the following would best describe this action?
Acceptance.
110
Which of these threat actors would be MOST likely to install a company's internal application on a public cloud provider?
Shadow IT.
111
An IPS report shows a series of exploit attempts were made against externally facing web servers. The system administrator of the web servers has identified a number of unusual log entries on each system. Which of the following would be the NEXT step in the incident response process?
Disconnect the web servers from the network.
112
A security administrator is viewing the logs on a laptop in the shipping and receiving department and identifies these events:
8:55:30 AM | D:\Downloads\ChangeLog-5.0.4.scr | Quarantine Success
9:22:54 AM | C:\Program Files\Photo Viewer\ViewerBase.dll | Quarantine Failure
9:44:05 AM | C:\Sales\Sample32.dat | Quarantine Success
Which of the following would BEST describe the circumstances surrounding these events?
The antivirus application identified three viruses and quarantined two viruses.
113
In the past, an organization has relied on the curated Apple App Store to avoid issues associated with malware and insecure applications. However, the IT department has discovered an iPhone in the shipping department with applications not available on the Apple App Store. How did the shipping department user install these apps on their mobile device?
Side loading.
114
A company has noticed an increase in support calls from attackers. These attackers are using social engineering to gain unauthorized access to customer data. Which of the following would be the BEST way to prevent these attacks?
User training.
115
As part of an internal audit, each department of a company has been asked to compile a list of all devices, operating systems, and applications in use. Which of the following would BEST describe this audit?
Self-assessment.
116
A company is concerned about security issues at their remote sites. Which of the following would provide the IT team with more information of potential shortcomings?
Gap analysis.
117
An attacker has identified a number of devices on a corporate network with the username of "admin" and the password of "admin." Which of the following describes this situation?
Default credentials.
118
A security administrator attends an annual industry convention with other security professionals from around the world. Which of the following attacks would be MOST likely in this situation?
Watering hole.
119
A transportation company headquarters is located in an area with frequent power surges and outages. The security administrator is concerned about the potential for downtime and hardware failures. Which of the following would provide the most protection against these issues? (Select TWO)
UPS. Generator.
120
An organization has developed an in-house mobile device app for order processing. The developers would like the app to identify revoked server certificates without sending any traffic over the corporate Internet connection. Which of the following must be configured to allow this functionality?
OCSP stapling.
121
A security administrator has been asked to build a network link to secure all communication between two remote locations. Which of the following would be the best choice for this task?
IPsec.
122
A Linux administrator has received a ticket complaining of response issues with a database server. After connecting to the server, the administrator views this information:
Filesystem Size Used Avail Use% Mounted on
/dev/xvda1 158G 158G 0 100% /
Which of the following would BEST describe this information?
Resource consumption.
123
Which of the following can be used for credit card transactions from a mobile device without sending the actual credit card number across the network?
Tokenization.
124
A security administrator receives a report each week showing a Linux vulnerability associated with a Windows server. Which of the following would prevent this information from appearing in the report?
Alert tuning.
125
Which of the following would a company use to calculate the loss of a business activity if a vulnerability is exploited?
Exposure factor.
126
An administrator is designing a network to be compliant with a security standard for storing credit card numbers. Which of the following would be the BEST choice to provide this compliance?
Perform regular audits and vulnerability scans.
127
A company is accepting proposals for an upcoming project, and one of the responses is from a business owned by a board member. Which of the following would describe this situation?
Conflict of interest.
128
A company has rolled out a new application that requires the use of a hardware-based token generator. Which of the following would be the BEST description of this access feature?
Something you have.
129
A company has signed an SLA with an Internet service provider. Which of the following would BEST describe the requirements of this SLA?
The service provider will provide 99.99% uptime.
130
An attacker has created multiple social media accounts and is posting information in an attempt to get the attention of the media. Which of the following would BEST describe this attack?
Misinformation campaign.
131
Which of the following would be the BEST way to protect credit card account information when performing real-time purchase authorizations?
Tokenization.
132
A company must comply with legal requirements for storing customer data in the same country as the customer's mailing address. Which of the following would describe this requirement?
Data sovereignty.
133
A company is installing access points in all of their remote sites. Which of the following would provide confidentiality for all wireless data?
WPA3.
134
A security administrator has found a keylogger installed in an update of the company's accounting software. Which of the following would prevent the transmission of the collected logs?
Block all unknown outbound network traffic at the Internet firewall.
135
A user in the marketing department is unable to connect to the wireless network. After authenticating with a username and password, the user receives this message:
"The connection attempt could not be completed. The Credentials provided by the server could not be validated.
Radius Server: radius.example.com
Root CA: Example.com Internal CA Root Certificate"
The AP is configured with WPA3 encryption and 802.1X authentication. Which of the following is the MOST likely reason for this login issue?
The client computer does not have the proper certificate installed.
136
A security administrator has created a new policy prohibiting the use of MD5 hashes due to collision problems. Which of the following describes the reason for this new policy?
Two different messages share the same hash.
137
A security administrator has been tasked with hardening all internal web servers to control access from certain IP address ranges and ensure all transferred data remains confidential. Which of the following should the administrator include in his project plan? (Select TWO)
Use HTTPS for all server communication. Enable a host-based firewall.
138
A security administrator has identified the installation of ransomware on a database server and has quarantined the system. Which of the following should be followed to ensure that the integrity of the evidence is maintained?
Chain of custody.
139
Which of the following would be the BEST option for application testing in an environment completely separated from the production network?
Air gap.
140
A security engineer is planning the installation of a new IPS. The network must remain operational if the IPS is turned off or disabled. Which of the following would describe this configuration?
Fail open.
141
Which of the following describes the process of hiding data from others by embedding the data inside of a different media type?
Obfuscation.
142
Which of the following vulnerabilities would be the MOST significant security concern when protecting against a hacktivist?
Lack of patch updates on an Internet-facing database server.
143
A company is installing a security appliance to protect the organization's web-based applications from attacks such as SQL injections and unexpected input. Which of the following would BEST describe this appliance?
WAF.
144
Which of the following would be the BEST way to determine if files have been modified after the forensics data acquisition process has occurred?
Create a hash of the data.
145
A system administrator is implementing a password policy that would require letters, numbers, and special characters to be included in every password. Which of the following controls MUST be in place to enforce this password policy?
Complexity.
146
Which of the following would a company follow to deploy a weekly operating system patch?
Change management.
147
Which of the following would be the MOST likely result of plaintext application communication?
Replay attack.
148
A system administrator believes that certain configuration files on a Linux server have been modified from their original state. The administrator has reverted the configurations to their original state, but he would like to be notified if they are changed again. Which of the following would be the BEST way to provide this functionality?
File integrity monitoring.
149
A security administrator is updating the network infrastructure to support 802.1X. Which of the following would be the BEST choice for this configuration?
LDAP.
150
A company owns a time clock appliance, but the time clock doesn't provide any access to the operating system and it doesn't provide a method to upgrade the firmware. Which of the following describes this appliance?
Embedded system.
151
A company has deployed laptops to all employees, and each laptop is enumerated during each login. Which of the following is supported with this configuration?
If the laptop hardware is modified, the security team is alerted.
152
A security manager believes that an employee is using their laptop to circumvent the corporate Internet security controls through the use of a cellular hotspot. Which of the following could be used to validate this belief? (Select TWO)
HIPS. Host-based firewall logs.
153
An application developer is creating a mobile device app that will require a true random number generator and real-time memory encryption. Which of the following technologies would be the BEST choice for this app?
Secure enclave.
154
Which of the following would be a common result of a successful vulnerability scan?
A list of missing software patches.
155
When connected to the wireless network, users at a remote site receive an IP address which is not part of the corporate address scheme. Communication over this network is also slower than the wireless connections elsewhere in the building. Which of the following would be the MOST likely reason for these issues?
Rogue access point.
156
A company has identified a compromised server, and the security team would like to know if an attacker has used this device to move between systems. Which of the following would be the BEST way to provide this information?
NetFlow logs.
157
A system administrator has protected a set of system backups with an encryption key. The system administrator used the same key when restoring files from this backup. Which of the following would BEST describe this encryption type?
Symmetric.
158
A new malware variant takes advantage of a vulnerability in a popular email client. Once installed, the malware forwards all email attachments containing credit card information to an external email address. Which of the following would limit the scope of this attack?
Scan outgoing traffic with DLP.
159
An organization has identified a security breach and has removed the affected servers from the network. Which of the following is the NEXT step in the incident response process?
Eradication.
160
A security administrator has been tasked with storing and protecting customer payment and shipping information for a three-year period. Which of the following would describe the source of this data?
Data subject.
161
Which of the following would be the main reasons why a system administrator would use a TPM when configuring full disk encryption? (Select TWO)
Uses burned-in cryptographic keys. Includes built-in protections against brute-force attacks.
162
A security administrator is using an access control where each file or folder is assigned a security clearance level, such as "confidential" or "secret." The security administrator then assigns a maximum security level to each user. What type of access control is used in this network?
Mandatory.
163
Cameron, a security administrator, is reviewing a report that shows a number of devices on internal networks attempting to connect with servers in the data center network. Which of the following security controls should Cameron add to prevent internal systems from accessing data center devices?
ACL.
164
A financial services company is headquartered in an area with a high occurrence of tropical storms and hurricanes. Which of the following would be MOST important when restoring services disabled by a storm?
Disaster recovery plan.
165
A user in the mail room has reported an overall slowdown of his shipping management software. An anti-virus scan did not identify any issues, but a more thorough malware scan identified a kernel driver which is not part of the original operating system installation. Which of the following malware was installed on this system?
Rootkit.
166
A virus scanner has identified a macro virus in a word processing file attached to an email. Which of the following information could be obtained from the metadata of this file?
Date and time when the file was created.
167
When a person enters a data center facility, they must check in before they are allowed to move further into the building. People who are leaving must be formally checked out before they are able to exit the building. Which of the following would BEST facilitate this process?
Access control vestibule.
168
A security administrator has discovered an employee exfiltrating confidential company information by embedding data within image files and emailing the images to a third-party. Which of the following would best describe this activity?
Steganography.
169
A third-party has been contracted to perform a penetration test on a company's public web servers. The testing company has been provided with the external IP addresses of the servers. Which of the following would describe this scenario?
Partially known environment.
170
Which of the following would be the best way to describe the estimated number of laptops that might be stolen in a fiscal year?
ARO.
171
A finance company is legally required to maintain seven years of tax records for all of their customers. Which of the following would be the BEST way to implement this requirement?
Create a separate daily backup archive for all applicable tax records.
172
A system administrator is designing a data center for an insurance company's new public cloud and would like to automatically rotate encryption keys on a regular basis. Which of the following would provide this functionality?
Key management system.
173
A newly installed IPS is flagging a legitimate corporate application as malicious network traffic. Which of the following would be the BEST way to resolve this issue?
Tune the IPS alerts.
174
A security administrator has identified an internally developed application which allows modification of SQL queries through the web-based front-end. Which of the following changes would resolve this vulnerability?
Validate all application input.
175
A system administrator is implementing a fingerprint scanner to provide access to the data center. Which of the following authentication technologies would be associated with this access?
Something you are.
176
The IT department of a transportation company maintains an on-site inventory of chassis-based network switch interface cards. If a failure occurs, the on-site technician can replace the interface card and have the system running again in sixty minutes. Which of the following BEST describes this recovery metric?
MTTR.
177
A company maintains a server farm in a large data center. These servers are used internally and are not accessible from outside of the data center. The security team has discovered a group of servers was breached before the latest security patches were applied. Breach attempts were not logged on any other servers. Which of these threat actors would be MOST likely involved in this breach?
Insider.
178
An organization has received a vulnerability scan report of their Internet-facing web servers. The report shows the servers have multiple Sun Java Runtime Environment (JRE) vulnerabilities, but the server administrator has verified that JRE is not installed. Which of the following would be the BEST way to handle this report?
Ignore the JRE vulnerability alert.
179
A user downloaded and installed a utility for compressing and decompressing files. Immediately after installing the utility, the user's overall workstation performance degraded and it now takes twice as much time to perform any tasks on the computer. Which of the following is the BEST description of this malware infection?
Trojan.
180
Which of the following is the process for replacing sensitive data with a non-sensitive and functional placeholder?
Tokenization.
181
A security administrator has installed a new firewall to protect a web server VLAN. The application owner requires all web server sessions communicate over an encrypted channel. Which of these rules should the security administrator include in the firewall rule base?
Source: ANY, Destination: ANY, Protocol: TCP, Port: 443, Allow.
182
Which of these would be used to provide multi-factor authentication?
Smart card with picture ID.
183
A company's network team has been asked to build an IPsec tunnel to a new business partner. Which of the following security risks would be the MOST important to consider?
Supply chain attack.
184
A company's human resources team maintains a list of all employees participating in the corporate savings plan. A third-party financial company uses this information to manage stock investments for the employees. Which of the following would describe this financial company?
Processor.
185
A technology company is manufacturing a military grade radar tracking system that can instantly identify any nearby unmanned aerial vehicles (UAVs). The UAV detector must be able to instantly identify and react to a vehicle without delay. Which of the following would BEST describe this tracking system?
RTOS.
186
An administrator is writing a script to convert an email message to a help desk ticket and assign the ticket to the correct department. Which of the following should the administrator use to complete this script?
Orchestration.
187
A security administrator would like a report showing how many attackers are attempting to use a known vulnerability to gain access to a corporate web server. Which of the following should be used to gather this information?
IPS log.
188
During a ransomware outbreak, an organization was forced to rebuild database servers from known good backup systems. In which of the following incident response phases were these database servers brought back online?
Recovery.
189
A security administrator is installing a web server with a newly built operating system. Which of the following would be the best way to harden this OS?
Remove unnecessary software.
190
A network IPS has created this log entry:
Frame 4: 937 bytes on wire (7496 bits), 937 bytes captured
Ethernet II, Src: HewlettP_82:d8:31, Dst: Cisco_a1:b0:d1
Internet Protocol Version 4, Src: 172.16.22.7, Dst: 10.8.122.244
Transmission Control Protocol, Src Port: 3863, Dst Port: 1433
Application Data: SELECT * FROM users WHERE username='x' or 'x'='x' AND password='x' or 'x'='x'
Which of the following would describe this log entry?
SQL injection.
191
An incident response team would like to validate their disaster recovery plans without making any changes to the infrastructure. Which of the following would be the best course of action?
Tabletop exercise.
192
A system administrator has installed a new firewall between the corporate user network and the data center network. When the firewall is turned on with the default settings, users complain that the application in the data center is no longer working. Which of the following would be the BEST way to correct this application issue?
Create firewall rules that match the application traffic flow.
193
Which of these would be used to provide HA for a web-based database application?
UPS.
194
Each year, a certain number of laptops are lost or stolen and must be replaced by the company. Which of the following would describe the total cost the company spends each year on laptop replacements?
ALE.
195
A network administrator is viewing a log file from a web server: https://www.example.com/?s=/Index/think/app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][0]=__HelloThinkPHP. Which of the following would be the BEST way to prevent this attack?
Input validation.
196
Sam would like to send an email to Jack and have Jack verify that Sam was the sender of the email. Which of these should Sam use to provide this verification?
Digitally sign with Sam's private key.
197
The contract of a long-term temporary employee is ending. Which of these would be the MOST important part of the off-boarding process?
Archive the decryption keys associated with the user account.
198
A cybersecurity analyst has been asked to respond to a denial of service attack against a web server, and the analyst has collected the log files and data from the server. Which of the following would allow a future analyst to verify the data as original and unaltered?
Data hashing.
199
A security administrator is reviewing authentication logs. The logs show a large number of accounts with at least three failed authentication attempts during the previous week. Which of the following would BEST explain this report data?
Spraying.
200
A security administrator has been asked to block all browsing to casino gaming websites. Which of the following would be the BEST way to implement this requirement?
Add a content filter rule.
201
A company is experiencing downtime and outages when application patches and updates are deployed during the week. Which of the following would help to resolve these issues?
Change management procedures.
202
A company is implementing a series of steps to follow when responding to a security event. Which of the following would provide this set of processes and procedures?
Playbook.
203
A transportation company maintains a scheduling application and a database in a virtualized cloud-based environment. Which of the following would be the BEST way to back up these services?
Snapshot.
204
In an environment using discretionary access controls, which of these would control the rights and permissions associated with a file or directory?
Owner.
205
A security administrator has installed a network-based DLP solution to determine if file transfers contain PII. Which of the following describes the data during the file transfer?
In-transit.
206
A medical imaging company would like to connect all remote locations together with high speed network links. The network connections must maintain high throughput rates and must always be available during working hours. In which of the following should these requirements be enforced with the network provider?
Service level agreement.
207
A company is implementing a security awareness program for their user community. Which of the following should be included for additional user guidance and training?
Information on proper password management.
208
A security administrator is preparing a phishing email as part of a periodic employee security awareness campaign. The email is spoofed to appear as an unknown third-party and asks employees to immediately click a link or their state licensing will be revoked. Which of the following should be the expected response from the users?
Report the suspicious link to the help desk.
209
A security administrator would like to minimize the number of certificate status checks made by web site clients to the certificate authority. Which of the following would be the BEST option for this requirement?
OCSP stapling.
210
A company is concerned their EDR solution will not be able to stop more advanced ransomware variants. Technicians have created a backup and restore utility to get most systems up and running in less than an hour after an attack. What type of security control is associated with this restore process?
Compensating.
211
To upgrade an internal application, the development team provides the operations team with instructions for backing up, patching the application, and reverting the patch if needed. The operations team schedules a date for the upgrade, informs the business divisions, and tests the upgrade process after completion. Which of the following describes this process?
Change management.
212
A company is implementing a public file-storage and cloud-based sharing service, and would like users to authenticate with an existing account on a trusted third-party web site. Which of the following should the company implement?
Federation.
213
A system administrator is viewing this output from a file integrity monitoring report:
15:43:01 - Repairing corrupted file C:\Windows\System32\kernel32.dll
15:43:03 - Repairing corrupted file C:\Windows\System32\netapi32.dll
15:43:07 - Repairing corrupted file C:\Windows\System32\user32.dll
15:43:43 - Repair complete
Which of the following malware types is the MOST likely cause of this output?
Rootkit.
214
What type of vulnerability would be associated with this log information?
GET http://example.com/show.asp?view=../../Windows/system.ini HTTP/1.1
Directory traversal.
215
A developer has created an application to store password information in a database. Which of the following BEST describes a way of protecting these credentials by adding random data to the password?
Salting.
216
Which of the following processes provides ongoing building and testing of newly written code?
Continuous integration.
217
Which of the following BEST describes a responsibility matrix?
A visual summary of cloud provider accountability.
218
A security administrator is implementing an authentication system for the company. Which of the following would be the best choice for validating login credentials for all usernames and passwords in the authentication system?
LDAP.
219
A technician is reviewing this information from an IPS log:
MAIN_IPS: 22June2023 09:02:50 reject 10.1.111.7
Alert: HTTP Suspicious Webdav OPTIONS Method Request; Host: Server
Severity: medium; Performance Impact:3; Category: info-leak; Packet capture; disable
Proto:tcp; dst:192.168.11.1; src:10.1.111.7
Which of the following can be associated with this log information? (Select TWO)
The source of the attack is 10.1.111.7. The attacker sent an unusual HTTP packet to trigger the IPS.
220
A company has contracted with a third-party to provide penetration testing services. The service includes a port scan of each externally-facing device. This is an example of:
Active reconnaissance.
221
An access point in a corporate headquarters office has the following configuration:
IP address: 10.1.10.1
Subnet mask: 255.255.255.0
DHCPv4 Server: Enabled
SSID: Wireless
Wireless Mode: 802.11n
Security Mode: WEP-PSK
Frequency band: 2.4 GHz
Software revision: 2.1
MAC Address: 60:3D:26:71:FF:AA
IPv4 Firewall: Enabled
Which of the following would apply to this configuration?
Weak encryption.
222
An attacker has gained access to an application through the use of packet captures. Which of the following would be MOST likely used by the attacker?
Replay.
223
A company is receiving complaints of slowness and disconnections to their Internet-facing web server. A network administrator monitors the Internet link and finds excessive bandwidth utilization from thousands of different IP addresses. Which of the following would be the MOST likely reason for these performance issues?
DDoS.
224
A company has created an itemized list of tasks to be completed by a third-party service provider. After the services are complete, this document will be used to validate the completion of the services. Which of the following would describe this agreement type?
SOW.
225
A company is deploying a series of internal applications to different cloud providers. Which of the following connection types should be deployed for this configuration?
SD-WAN.
226
A company is updating components within the control plane of their zero-trust implementation. Which of the following would be part of this update?
Policy engine.
227
Which of the following malware types would cause a workstation to participate in a DDoS?
Bot.
228
Which of these are used to force the preservation of data for later use in court?
Legal hold.
229
A company would like to automatically monitor and report on any movement occurring in an open field at the data center. Which of the following would be the BEST choice for this task?
Microwave sensor.
230
A company is releasing a new product, and part of the release includes the installation of load balancers to the public web site. Which of the following would best describe this process?
Capacity planning.
231
A system administrator would like to prove an email message was sent by a specific person. Which of the following describes the verification of this message source?
Non-repudiation.
232
A security administrator has created a policy to alert if a user modifies the hosts file on their system. Which of the following behaviors does this policy address?
Risky.
233
A company has identified a web server data breach resulting in the theft of financial records from 150 million customers. A security update to the company's web server software was available for two months prior to the breach. Which of the following would have prevented this breach from occurring?
Patch management.
234
During the onboarding process, the IT department requires a list of software applications associated with the new employee's job functions. Which of the following would describe the use of this information?
Access control configuration.
235
A system administrator has identified an unexpected username on a database server, and the user has been transferring database files to an external server over the company's Internet connection. The administrator then performed these tasks:
* Physically disconnected the Ethernet cable on the database server
* Disabled the unknown account
* Configured a firewall rule to prevent file transfers from the server
Which of the following would BEST describe this part of the incident response process?
Containment.
236
Which of the following would be the MOST effective use of asymmetric encryption?
Create a shared session key.
237
Each salesperson in a company receives a laptop with applications and data to support their sales efforts. The IT manager would like to prevent third-parties from gaining access to this information if the laptop is stolen. Which of the following would be the BEST way to protect this data?
Full disk encryption.
238
A security administrator has compiled a list of all information stored and managed by an organization. Which of the following would best describe this list?
Data inventory.
239
A security administrator would like to monitor all outbound Internet connections for malicious software. Which of the following would provide this functionality?
Forward proxy.
240
What type of security control would be associated with corporate security policies?
Managerial.
241
Which of the following would be the MOST significant security concern when protecting against organized crime?
Maintain reliable backup data.
242
An application team has been provided with a hardened version of Linux to use with a new application installation, and this includes installing a web service and the application code on the server. Which of the following would BEST protect the application from attacks?
Implement a secure configuration of the web service.
243
A system administrator has configured MAC filtering on their corporate access point, but access logs show unauthorized users accessing the network. Which of the following should the administrator configure to prevent future unauthorized use?
Enable WPA3 encryption.
244
A system administrator has been tasked with performing an application upgrade, but the upgrade has been delayed due to a different scheduled installation of an outdated device driver. Which of the following issues would best describe this change management delay?
Dependency.
245
During an initial network connection, a supplicant communicates to an authenticator, which then sends an authentication request to an Active Directory database. Which of the following would BEST describe this authentication technology?
802.1X.
246
A security researcher has been notified of a potential hardware vulnerability. Which of the following should the researcher evaluate as a potential security issue?
Firmware versions.
247
Visitors to a corporate data center must enter through the main doors of the building. Which of the following security controls would be the BEST choice to successfully guide people to the front door? (Select TWO)
Bollards. Fencing.
248
A company's employees are required to authenticate each time a file share, printer, or SAN imaging system is accessed. Which of the following should be used to minimize the number of employee authentication requests?
SSO.
249
A company has recently moved from one accounting system to another, and the new system includes integration with many other divisions of the organization. Which of the following would ensure that the correct access has been provided to the proper employees in each division?
Internal self-assessment.
250
An attacker has circumvented a web-based application to send commands directly to a database. Which of the following would describe this attack type?
SQL injection.
251
A group of business partners is using blockchain technology to monitor and track raw materials and parts as they are transferred between companies. Where would a partner find these tracking details?
Ledger.
252
A network technician at a bank has noticed a significant decrease in traffic to the bank's public website. After additional investigation, the technician finds that users are being directed to a web site which looks similar to the bank's site but is not under the bank's control. Flushing the local DNS cache and changing the DNS entry does not have any effect. Which of the following has most likely occurred?
Domain hijacking.
253
A company runs two separate applications in their data center. The security administrator has been tasked with preventing all communication between these applications. Which of the following would be the BEST way to implement this security requirement?
Air gap.
254
A receptionist at a manufacturing company recently received an email from the CEO asking for a copy of the internal corporate employee directory. It was later determined that the email address was not sent from the CEO and the domain associated with the email address was not a corporate domain name. What type of training could help identify this type of attack in the future?
Recognizing social engineering.
255
Which of the following deployment models would a company follow if they require individuals to use their personal phones for work purposes?
BYOD.