Practice Test SYO - 701 Security Operations Flashcards

1
Q

John wants to harden his organization’s routers. If there are no currently known vulnerabilities or issues with the device, which of the following hardening options will provide the biggest benefit?

Moving their administrative interfaces to a protected VLAN

Disabling unnecessary services

Installing the most current patch level for the OS

Enabling SNMP‐based logging

A

A. All four are reasonable practices, but with no known vulnerability or misconfiguration to address, moving the administrative interface onto a protected management VLAN gives the largest improvement: it takes the management plane out of reach of ordinary users and of an attacker on the production network, which is a durable control rather than a response to a specific flaw. If a known vulnerability existed, patching or disabling the affected service would quickly move up the list. SNMP is a monitoring protocol rather than a hardening control, and SNMPv1 and v2c send community strings in cleartext, so enabling it is something that itself needs to be hardened.

2
Q

Melissa’s organization has deployed a firewall that uses three interfaces to provide services. The first interface connects to the Internet, the second to a network where the organization’s web servers reside, and the third to a secured network where the organization’s workstations are connected. What type of firewall architecture has Melissa’s organization deployed?

An ACL

A screened subnet

A binary firewall

A multihomed, multiroute NGFW

A

B. Screened subnet designs use a firewall with three interfaces, one for the Internet or an untrusted network, one for a protected but front‐facing network, and one for a shielded or protected network. ACLs (access control lists) use rules to control access. This design may use ACLs, but an ACL alone does not describe it. Binary firewalls were made up for this question, and while an NGFW may be multihomed, “multiroute” is not a term used to describe this design.

3
Q

Amanda scans a Red Hat Linux server that she believes is fully patched and discovers that the Apache version on the server is reported as vulnerable to an exploit from a few months ago. When she checks to see if she is missing patches, Apache is fully patched. What has occurred?

A false positive

An automatic update failure

A false negative

An Apache version mismatch

A

A. This is a false positive: the scanner reported a vulnerability that is not actually present. It commonly happens when the scanner relies on the version string in the service banner. Red Hat, like other enterprise distributions, backports security fixes into the upstream version it shipped and only increments the package release (Apache stays at 2.4.37, for example, while the -NN.el8 release suffix changes), so a fully patched server still announces the old Apache version and an unauthenticated, version-based check flags it. Amanda can confirm the fix is present with rpm -q --changelog httpd, which lists the CVEs addressed in each package release, or by running an authenticated scan that reads package data instead of banners. A false negative is the opposite error: the scanner reports the system as clean when it is actually vulnerable. Automatic updates were not mentioned in the question, nor was a specific Apache version.

4
Q

Frank is using the cloud hosting service’s web publishing service rather than running his own web servers. Where will Frank need to look to review his logs to see what types of traffic his application is creating?

Syslog

Apache logs

The cloud service’s web logs

None of the above

A

C. Since Frank is using the cloud service provider’s web services, he will need to review the logs that they capture. If he has not configured them, he will need to do so, and he will then need a service or capability to analyze them for the types of traffic he is concerned about. Syslog and Apache logs are both found on a traditional web host, and they would be appropriate if Frank was running his own web servers in the infrastructure‐as‐a‐service (IaaS) environment.

5
Q

Ian runs a vulnerability scan, which notes that a service is running on TCP port 8080. What type of service is most likely running on that port?

SSH

RDP

MySQL

HTTP

A

D. Although 80 and 443 are the most common HTTP and HTTPS ports, 8080 is the conventional alternate port for a second web server or an HTTP proxy when the standard port is already in use or the service runs unprivileged. SSH would be expected on port 22, RDP on 3389, and MySQL on 3306. Port numbers are only a convention, though, so Ian should confirm the service from the scanner's banner or service fingerprint before relying on this assumption.

6
Q

Alexandra is preparing to run automated security tests against the code that developers in her organization have completed. Which environment is she most likely to run them in if the next step is to deploy the code to production?

Development

Test

Staging

Production

A

C. Staging environments, sometimes called preproduction environments, are typically used for final quality assurance (QA) and validation before code enters the production environment as part of a deployment pipeline. Staging environments closely mirror production, allowing realistic testing and validation to be done. Development and test environments are used to create the code and for testing while it is being developed.

7
Q

Elizabeth wants to implement a cloud‐based authorization system. Which of the following protocols is she most likely to use for that purpose?

OpenID

Kerberos

SAML

OAuth

A

D. OAuth is the authorization framework most cloud services use. It lets a user grant a website or application limited, revocable access to resources held by another service without handing over their password. OpenID (today OpenID Connect, which is built on OAuth 2.0) supplies the authentication layer that OAuth itself does not provide. Kerberos is used mainly for on-premises authentication, and SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and attribute assertions, typically for enterprise single sign-on rather than for the delegated authorization OAuth provides.

8
Q

Nadine’s organization stores and uses sensitive information, including Social Security numbers. After a recent compromise, she has been asked to implement technology that can help prevent this sensitive data from leaving the company’s systems and networks. What type of technology should Nadine implement?

Stateful firewalls

OEM

DLP

SIEM

A

C. The best answer from this list is DLP, or data loss prevention technology. DLP is designed to protect data from being exposed or leaking from a network using a variety of techniques and technology. Stateful firewalls are used to control which traffic is sent to or from a system, but will not detect sensitive data. OEM is an original equipment manufacturer, and security information and event management (SIEM) can help track events and incidents but will not directly protect data itself.

9
Q

Social login, the ability to use an existing identity from a site like Google, Facebook, or a Microsoft account, is an example of which of the following concepts?

Federation

AAA

Privilege creep

Identity and access management

A

A. Social login is an example of a federated approach to using identities. The combination of identity providers and service providers, along with authorization management, is a key part of federation. AAA (authentication, authorization, and accounting) is typically associated with protocols like RADIUS. Privilege creep occurs as staff members change jobs and their privileges are not adjusted to only match their current role. IAM is a broader set of identity and access management practices. Although IAM may be involved in federated identity, this question does not directly describe IAM.

10
Q

Charles has configured his multifactor system to require both a PIN and a password. How many effective factors does he have in place once he presents both of these and his username?

One

Two

Three

Four

A

A. Although Charles appears to present two factors, a PIN and a password are both things he knows, so they are two instances of the same factor. His username identifies him but is not a factor at all. True multifactor authentication combines at least two different categories: something you know, something you have, and something you are.

11
Q

Denny wants to deploy antivirus for his organization and wants to ensure that it will stop the most malware. What deployment model should Denny select?

Install antivirus from the same vendor on individual PCs and servers to best balance visibility, support, and security.

Install antivirus from more than one vendor on all PCs and servers to maximize coverage.

Install antivirus from one vendor on PCs and from another vendor on the server to provide a greater chance of catching malware.

Install antivirus only on workstations to avoid potential issues with server performance.

A

C. In this scenario, Denny specifically needs to ensure that he stops the most malware. In situations like this, vendor diversity is the best way to detect more malware, and installing a different vendor’s antivirus (AV) package on servers like email servers and then installing a managed package for PCs will result in the most detections in almost all cases. Installing more than one AV package on the same system is rarely recommended, since this often causes performance issues and conflicts between the packages—in fact, at times AV packages have been known to detect other AV packages because of the deep hooks they place into the operating system to detect malicious activity!

12
Q

You’re outlining your plans for implementing a wireless network to upper management. What wireless security standard should you adopt if you don’t want to use enterprise authentication but want to provide secure authentication for users that doesn’t require a shared password or passphrase?

WPA3

WPA

WPA2

WEP

A

A. WPA3 uses SAE (simultaneous authentication of equals), a password-authenticated key exchange in which the passphrase itself is never transmitted, so a captured handshake cannot be used for an offline dictionary attack the way a WPA2-PSK handshake can. SAE also supports password identifiers, so different users can have different passwords on the same network without deploying enterprise (802.1X) authentication. WEP is the oldest and least secure wireless security protocol, WPA is weaker than WPA2, and WPA2 is weaker than WPA3 but remains in use because of its broad deployment.

12
Q

Sophia wants to test her company’s web application to see if it is handling business logic properly. Which testing method would be most effective for this?

Static code analysis

Fuzzing

Baselining

Version control

A

A. Static code analysis, including manual code review, can identify business logic flaws because the reviewer brings knowledge of how the business process is supposed to work and can check the code against it. Fuzzing feeds malformed, unexpected, or random input to an application to find crashes and input-handling bugs, but it has no notion of what the correct business outcome should be. Baselining is the process of establishing security standards, and version control simply tracks changes in the code; neither one tests it.

13
Q

Endpoint detection and response has three major components that make up its ability to provide visibility into endpoints. Which of the following is not one of those three parts?

Data search

Malware analysis

Data exploration

Suspicious activity detection

A

B. Endpoint detection and response (EDR) focuses on identifying anomalies and issues, but it is not designed to be a malware analysis tool. Instead, the ability to search and explore data, identify suspicious activities, and coordinate responses is what makes up an EDR tool.

14
Q

Eric is responsible for his organization’s mobile device security. They use a modern mobile device management (MDM) tool to manage a BYOD mobile device environment. Eric needs to ensure that the applications and data that his organization provides to users of those mobile devices remain as secure as possible. Which of the following technologies will provide him with the best security?

Storage segmentation

Containerization

Full‐device encryption

Remote wipe

A

B. Containerization will allow Eric’s company’s tools and data to be run inside of an application‐based container, isolating the data and programs from the self‐controlled bring your own device (BYOD) devices. Storage segmentation can be helpful, but the operating system itself as well as the applications would remain a concern. Eric should recommend full‐device encryption (FDE) as a security best practice, but encrypting the container and the data it contains can provide a reasonable security layer even if the device itself is not fully encrypted. Remote wipe is helpful if devices are lost or stolen, but the end user may not be okay with having the entire device wiped, and there are ways to work around remote wipes, including blocking cellular and Wi‐Fi signals.

15
Q

Frank is a security administrator for a large company. Occasionally, a user needs to access a specific resource that they don’t have permission to access. Which access control methodology would be most helpful in this situation?

Mandatory access control (MAC)

Discretionary access control (DAC)

Role‐based access control

Rule‐based access control

A

D. Rule‐based access control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to. MAC, DAC, and role‐based access control wouldn’t give a user access unless that user has already been explicitly given that access.

16
Q

Oliver needs to explain the access control scheme used by both the Windows and Linux filesystems. What access control scheme do they implement by default?

Role‐based access control

Mandatory access control

Rule‐based access control

Discretionary access control

A

D. Both the Windows and Linux filesystems use discretionary access control by default: the owner of a file or directory decides who can read, change, or otherwise work with it (NTFS permissions on Windows, mode bits and POSIX ACLs on Linux). Role-based access control assigns rights according to the roles given to users. Rule-based access control applies a set of rules to each access decision. Mandatory access control enforces a system-wide policy based on labels that the owner cannot override, as SELinux does on Linux.

17
Q

A companywide policy is being created to define various security levels. Which of the following systems of access control would use documented security levels like Confidential or Secret for information?

RBAC

MAC

DAC

BAC

A

B. Mandatory access control (MAC) is based on documented security levels associated with the information being accessed. Role‐based access control (RBAC) is based on the role the user is placed in. Discretionary access control (DAC) lets the data owner set access control. BAC is not an access control model.

18
Q

Cynthia is preparing a new server for deployment, and her process includes turning off unnecessary services, setting security settings to match her organization’s baseline configurations, and installing patches and updates. What is this process known as?

OS hardening

Security uplift

Configuration management

Endpoint lockdown

A

A. OS hardening is the process of securing an operating system by patching, updating, and configuring the operating system to be secure. Configuration management is the ongoing process of managing configurations for systems, rather than this initial security step. Both security uplift and endpoint lockdown were made up for this question.

19
Q

John is performing a port scan of a network as part of a security audit. He notices that the domain controller is using secure LDAP. Which of the following ports would lead him to that conclusion?

53

389

443

636

A

D. Secure Lightweight Directory Access Protocol (LDAPS) uses port 636 by default. DNS uses port 53, LDAP uses 389, and secure HTTP uses port 443.

20
Q

Jessica wants to review the network traffic that her Windows system has sent to determine if a file containing sensitive data was uploaded from the system. What Windows log file can she use to find this information?

The application log

The network log

The security log

None of the above

A

D. Windows does not log network traffic at a level of granularity that shows whether a file was uploaded. The Security log can record that a connection was made if Windows Filtering Platform auditing is enabled (event ID 5156), and Sysmon event ID 3 records the process, destination, and port, but neither captures what data crossed the connection. Without additional sensors such as a packet capture, a proxy log, or a DLP agent, Jessica cannot determine from Windows logs alone whether a file was sent.

21
Q

What term is used to describe the documentation trail for control, analysis, transfer, and final disposition of evidence for digital forensic work?

Evidence log

Paper trail

Chain of custody

Digital footprint

A

C. The chain of custody in forensic activities tracks who has a device, data, or other forensic artifact at any time, when transfers occur, who performed analysis, and where the item, system, or device goes when the forensic process is done. Evidence logs may be maintained by law enforcement to track evidence that is gathered. Paper trail and digital footprint are not technical terms used for digital forensics.

22
Q

Nathan needs to know how many times an event occurred and wants to check a log file for that event. Which of the following grep commands will tell him how many times the event happened if each occurrence is logged independently in the logfile.txt log file, and uses a unique event ID, event101?

grep logfile.txt ‐n ‘event101’

grep ‐c ‘event101’ logfile.txt

grep logfile.txt ‐c ‘event101’

grep ‐c event101 ‐i logfile.txt

A

B. The -c flag for grep counts the lines that match a pattern in a file, and the -n flag shows the matching lines with their line numbers. Even if you're not sure which flag is which, the syntax helps: grep expects options, then the pattern, then the filename, so the two options that put logfile.txt before the pattern can be ruled out immediately (grep would treat logfile.txt as the pattern and look for a file named event101). Option D happens to work on GNU grep, which accepts options after the pattern, but it is not portable and the -i flag adds case-insensitive matching that the question did not ask for. Two practical caveats: -c counts matching lines rather than occurrences, which is only the same number because the question states that each event is logged on its own line, and a bare pattern like event101 also matches event1011, so anchoring it (for example with -w) gives a more accurate count.

23
Q

Ryan has been asked to run Nessus on his network. What type of tool has he been asked to run?

A fuzzer

A vulnerability scanner

A WAF

A protocol analyzer

A

B. Nessus is a popular vulnerability scanning tool. It is not a fuzzer, web application firewall (WAF), or protocol analyzer.

24
Q

Michelle wants to check for authentication failures on a RedHat Linux–based system. Where should she look for these event logs?

/var/log/auth.log

/var/log/fail

/var/log/events

/var/log/secure

A

D. Red Hat and its derivatives store authentication log information in /var/log/secure, whereas Debian and Ubuntu use /var/log/auth.log. On systemd-based Red Hat releases the same sshd and PAM events are also available from the journal with journalctl -u sshd. Knowing the differences between the major distributions speeds up forensic and incident investigations, and this consistency is one of the reasons organizations often standardize on a single Linux distribution where they can.

25
Q

Nelson has discovered malware on one of the systems he is responsible for and wants to test it in a safe environment. Which of the following tools is best suited to that testing?

strings

scanless

Cuckoo

Sn1per

A

C. Cuckoo, or Cuckoo Sandbox, is a malware analysis sandbox that will safely run malware and then analyze and report on its behavior. strings is a command‐line tool that retrieves strings from binary data. scanless is a tool described as a port scraper, which retrieves port information without running a port scan by using websites and services to run the scan for you. Sn1per is a pen test framework.

26
Q

Which of the following groups is not typically part of an incident response team?

Law enforcement

Security analysts

Management

Communications staff

A

A. Law enforcement is not typically part of organizational incident response teams, but incident response teams often maintain a relationship with local law enforcement officers. Security analysts, management, and communication staff as well as technical experts are all commonly part of a core incident response team.

27
Q

Charlene wants to set up a tool that can allow her to see all the systems a given IP address connects to and how much data is sent to that IP by port and protocol. Which of the following tools is not suited to meet that need?

IPFIX

IPSec

sFlow

NetFlow

A

B. IPsec is a suite of protocols for authenticating and encrypting IP traffic, such as for VPNs; it does not capture flow data. sFlow, NetFlow, and IPFIX all export network flow records (source, destination, port, protocol, and byte and packet counts), which will provide exactly the information Charlene needs.

28
Q

Tools like PRTG and Cacti that monitor SNMP information are used to provide what type of information for an incident investigation?

Authentication logs

Bandwidth monitoring

System log information

Email metadata

A

B. PRTG and Cacti are both network monitoring tools that can provide bandwidth monitoring information. Bandwidth monitors can help identify exfiltration, heavy and abnormal bandwidth usage, and other information that can be helpful for both incident identification and incident investigations. If you encounter a question like this on the exam, even if you’re not familiar with either tool, you can use your knowledge of what Simple Network Management Protocol (SNMP) is used for to identify which of the categories is most likely correct.

29
Q

Troy wants to review metadata about an email he has received to determine what system or server the email was sent from. Where can he find this information?

In the email message’s footer

In the to: field

In the email message’s headers

In the from: field

A

C. Email headers contain a significant amount of metadata. In particular, each mail server that handles a message prepends a Received: header, so reading the chain from the bottom up shows which system the message originated from and which servers relayed it. Only the headers added by servers you trust are reliable, since anything below them could have been forged by the sender. The from: field names a sender but is chosen by the sender and does not indicate where the message actually came from. The to: field lists who the email was sent to, and footers are not used to store this information.
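To show how the Received: chain is actually read, here is a worked example added to this card; it is not from the original deck. It parses a constructed message (documentation addresses and hostnames only) with Python's standard email module, walks the Received: headers in order, and shows that the originating hop disagrees with the From: header. The function names and the regular expression for hop lines are this example's own assumptions about the common "from X (rdns [ip]) by Y" format most MTAs write.

```python
import email
import email.utils
import re

# Constructed sample message (not a real email). The From: header claims
# example.com, but the Received: chain shows the message first entered the
# mail system from an unrelated host. MTAs prepend Received: headers, so the
# first one listed is the most recent hop and the last one is the origin.
SAMPLE_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.org with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:02 +0000
Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx2.example.net with ESMTP id def456; Mon, 1 Jan 2024 10:00:01 +0000
Received: from desktop-7.attacker.test (unknown [203.0.113.5])
\tby relay.example.net with SMTP id ghi789; Mon, 1 Jan 2024 10:00:00 +0000
From: "CEO" <ceo@example.com>
To: finance@example.org
Subject: Urgent wire
Message-ID: <1234@desktop-7.attacker.test>

Please process the attached invoice today.
"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiver> ..." as written by most MTAs
# (assumed format; hop lines that do not match are skipped, not treated as errors).
HOP_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return the Received: chain, newest hop first, as parsed dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        match = HOP_RE.match(flat)
        if not match:
            continue
        ip_match = IP_RE.search(match.group("info") or "")
        hops.append({
            "helo": match.group("helo"),                     # name the sender announced
            "ip": ip_match.group(1) if ip_match else None,   # address the receiver saw
            "by": match.group("by"),                         # server that added the header
        })
    return hops


def origin_hop(raw):
    """The oldest Received: header, i.e. the system the message was sent from."""
    hops = received_hops(raw)
    return hops[-1] if hops else None


def header_address_domain(raw, field="From"):
    """Domain of the address in a header such as From:, which the sender controls."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get(field, ""))
    return addr.rpartition("@")[2].lower() or None


def origin_matches_from(raw):
    """True when the originating host's name agrees with the From: domain.
    Only hops added by servers you trust are reliable; anything below the
    first trusted receiver can be forged by the sender."""
    origin = origin_hop(raw)
    from_domain = header_address_domain(raw)
    if origin is None or from_domain is None:
        return False
    return origin["helo"].lower().endswith(from_domain)


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_MESSAGE):
        print(hop)
    print("origin:", origin_hop(SAMPLE_MESSAGE))
    print("From: domain:", header_address_domain(SAMPLE_MESSAGE))
    print("origin matches From:", origin_matches_from(SAMPLE_MESSAGE))
```

The recorded IP in the bottom hop (203.0.113.5, as seen by relay.example.net) is what an investigator should rely on; the "from desktop-7.attacker.test" name is whatever the client put in its HELO/EHLO and can be anything.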

30
Q

Valerie wants to implement an email security framework that will help to ensure that only authorized systems send email on behalf of her domains. Which of the following should she implement?

DKIM

DMARC

STP

SPF

A

D. The Sender Policy Framework (SPF) publishes, in a DNS TXT record for the domain, the IP addresses and hosts that are allowed to send email for it, which is exactly what Valerie is asking for. DKIM (DomainKeys Identified Mail) signs messages with the domain's private key so that receivers can verify, using the public key published in DNS, that a message was sent by an authorized system and was not altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receivers how to handle messages that fail SPF and DKIM alignment checks (p=none for monitoring only, p=quarantine, or p=reject) and where to send reports. STP (Spanning Tree Protocol) is a switching protocol, not an email security framework.

31
Q

Gary wants to deploy a tool that will allow him to identify and effectively respond to ransomware that might target systems that his company owns. He knows that he is likely to need to identify threats based on behavior rather than just using signatures, and he wants to have a dashboard‐style view of his data. What tool should Gary select to meet this need?

IPS

NAC

DLP

EDR

A

D. Endpoint detection and response (EDR) tools combine behavior‐based detection capabilities with centralized dashboards and advanced response capabilities. Intrusion prevention systems (IPSs) can detect network threats but aren’t well suited to detecting behaviors on endpoint systems. NAC (network access control) is used to limit who can connect to a network. Data loss prevention (DLP) systems monitor for data exfiltration as well as data that is sent both inadvertently and on purpose outside the organization that shouldn’t be.

32
Q

Michelle wants to determine why attackers were able to take her organization’s web server cluster offline after an incident occurred. What process should she and her team follow to determine this?

Threat hunting

Root cause analysis

A lessons learned analysis

Recovery

A

B. Root cause analysis is a process used to determine the underlying cause of an issue such as why attackers were able to successfully take down Michelle’s web server cluster. Threat hunting is used to proactively look for threats using a variety of techniques, including OSINT and leveraging indicators of compromise. Lessons learned processes look for takeaways from events and incidents to allow organizations to improve their processes and procedures. Recovery is part of the incident response process but focuses on restoring the organization to normal operation.

33
Q

The percentage of the value of an asset that is lost due to an incident or loss event is known as what?

Asset depreciation

Exposure factor

Annual loss event

Asset valuation adjustment

A

B. The exposure factor (EF) is the percentage of an asset's value that would be lost in a given loss event; multiplied by the asset value (AV) it gives the single loss expectancy (SLE = AV × EF). Depreciation is an accounting term for writing down the cost of a capital item over its lifespan; the related risk term is annualized loss expectancy (ALE), not annual loss event; and asset valuation adjustment was made up for this question.

34
Q

Derek’s organization has recently set up a notification process that sends a text message to system administrators when security exception log events occur on the systems they are responsible for. Unfortunately, Derek and his team have received dozens of alerts at all times of the day due to the log event happening for failed logins when users type their passwords incorrectly. What should Derek and his team do next to help with this?

Set alert thresholds.

Engage in alert tuning.

Disable the alerts.

Move the alerts to email.

A

B. Derek's team needs to carefully consider which events should generate alerts, why, how often, and through which channel; that is alert tuning. It typically includes suppressing routine events such as a user mistyping a password once, aggregating repeated events from one source, alerting only on meaningful patterns such as many failures in a short window or failures across many accounts, and routing different severities to different channels. Simply setting alert thresholds is one tuning technique but on its own may miss critical events, disabling the alerts abandons the goal of the notification, and moving the alerts to email will typically result in a less timely response.

35
Q

Ian wants to deploy multifactor tokens to his organization. Which of the following provides the greatest security?

Hardware tokens

Application‐based tokens

SMS multifactor

Extended password length

A

A. Hardware tokens provide the greatest security because they must be physically present to be used, and tokens based on FIDO2/WebAuthn also bind each credential to the site's origin, so they cannot be phished by a look-alike site the way one-time codes can. Application-based tokens are more secure than SMS in most cases because SMS can be redirected or intercepted through SIM swapping and other attacks. Extending password length does not add a second factor and is by far the least secure of these options.

36
Q

Jake wants to understand the root cause of a security incident. He knows a number of the events that occurred, but he wants to engage other staff members to define the root cause. What common root cause analysis (RCA) technique should he use?

The Five W’s

A fishbone diagram

The Five Why’s

A recursion analysis

A

C. The Five Why’s process is well suited to interviews because it asks “Why” each time an answer is provided to get to a root cause. The Five W’s are a common reference in journalism to who, what, when, where, and why—not a root cause analysis tool. Fishbone diagrams are commonly used for RCA, but are not as useful for an interview process. They’re more likely to be used after the interview to see how answers and events fit together. Recursion analysis is not an RCA process.

37
Q

Paul wants to integrate his organization’s web application with common cloud identity providers like Google and Microsoft. What authentication standard should he select if he wants to maximize interoperability?

OAuth

Kerberos

LDAP

Active Directory

A

A. OAuth is an open standard widely supported by cloud identity providers. Kerberos is used for internal use rather than for external integrations; LDAP is used for some services but is no longer a common choice for this type of integration with cloud service providers compared to options like OAuth, SAML, and OpenID‐based integrations; and Active Directory is used by Microsoft but is not as interoperable.

38
Q

Dane wants to implement passwordless authentication for his organization. What type of device should he issue to his users to support this type of authentication?

A password manager

An RFID card

A security key

A biometric token

A

C. Security keys are commonly used for passwordless authentication since they can provide both a physical token and cryptographic login credentials that are unlocked using a password, fingerprint reader, or camera. A password manager does not provide this but does securely store and manage passwords. RFID cards are simply something you have, and biometrics are typically not tokens—they’re data stored to match a user’s biometric signature.

39
Q

Ensuring that inetd services like echo, time, rsh, and telnet are not enabled are all examples of what type of action?

Preventing SQL injection

Hardening a Linux system

Hardening a Windows system

Patching insecure services

A

B. Older, insecure services like chargen, daytime, echo, time, rsh, and telnet are all managed by inetd in Linux distributions. Disabling these services is a common item in security hardening benchmarks like the CIS benchmarks. These services are not Windows services, they are not SQL‐related, and disabling them is not a type of patching.

40
Q

Helen wants to sign her code. What will the output of code signing be?

An encrypted copy of the code using her private key

A signed hash of the software using her private key

A signed hash of the software using her public key

An encrypted copy of the code using her public key

A

B. Code signing hashes the software and signs that hash with the signing organization's or individual's private key; the signature is distributed with the code, usually together with a certificate that identifies the signer. Anyone with the matching public key can recompute the hash and verify the signature, which proves who signed the code and that it has not been modified since. Signing does not encrypt the code, and a public key cannot produce a signature at all: public keys encrypt and verify, private keys decrypt and sign.

41
Q

Naomi’s organization has recently acquired another company. Naomi is concerned about asset tracking and inventory because the acquired company does not have an inventory of their systems and devices. What major security concern should she express about this from a hardware asset management perspective?

There may not be an appropriate hardware life‐cycle process.

Manufacturer support may not be possible without an inventory.

There is no way to know if systems are missing.

Vulnerability scans may not be accurate without an inventory.

A

C. Without an inventory, organizations may misplace, lose, or even have devices stolen. That may result in data breaches or simply loss of assets. A hardware life cycle process is an operational concern; manufacturer support is typically tied to individual devices; and vulnerability scans are possible without an inventory, but Naomi may not know what the device itself is until she physically locates it.

42
Q

Lucca knows that the CVSS environmental score is made up of three components, including an impact metric. What three components does he need to consider as part of the impact metric score?

Confidentiality, integrity, and availability

Network, disk, and memory

Severity, likelihood, and impact

Probability, impact, and cost

A

A. The impact metric of the CVSS environmental score is made up of the modified confidentiality, integrity, and availability impact metrics, each rated None, Low, or High, weighted by the organization's confidentiality, integrity, and availability requirements, each rated Low, Medium, or High (or Not Defined). It is not a direct rating of network, disk, memory, severity, likelihood, probability, or cost.
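To make the weighting concrete, here is a worked example added to this card (not from the original deck) that carries the CVSS v3.1 environmental impact equation through in Python: the three modified impact metrics, the three requirement weights, the specification's cap on the combined sub-score, and the two scope branches. The constants are the published v3.1 weights; the function names and the sample scenarios printed at the end are this example's own.

```python
# CVSS v3.1 environmental equation for the Modified Impact sub-score.
# Weights are the specification's published constants (assumption: v3.1;
# the v3.0 changed-scope polynomial differs slightly).
IMPACT_WEIGHT = {"H": 0.56, "L": 0.22, "N": 0.0}               # MC, MI, MA
REQUIREMENT_WEIGHT = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR, IR, AR (X = not defined)


def modified_impact_subscore(mc, mi, ma, cr="X", ir="X", ar="X", scope_changed=False):
    """Modified Impact sub-score (before the final score roundup) for the given
    confidentiality/integrity/availability impacts (N/L/H) and the
    organisation's requirement ratings (L/M/H, or X when not defined)."""
    miss = 1 - (
        (1 - REQUIREMENT_WEIGHT[cr] * IMPACT_WEIGHT[mc])
        * (1 - REQUIREMENT_WEIGHT[ir] * IMPACT_WEIGHT[mi])
        * (1 - REQUIREMENT_WEIGHT[ar] * IMPACT_WEIGHT[ma])
    )
    # The spec caps MISS at 0.915 so that High requirements cannot push the
    # sub-score past what an all-High base impact would produce.
    miss = min(miss, 0.915)
    if scope_changed:
        return 7.52 * (miss - 0.029) - 3.25 * (miss * 0.9731 - 0.02) ** 13
    return 6.42 * miss


def requirement_sensitivity(mc, mi, ma, scope_changed=False):
    """Return the sub-score for the same vulnerability under three environments:
    requirements not defined, all Low (e.g. a public kiosk), and all High
    (e.g. a system holding regulated data)."""
    return {
        "undefined": round(modified_impact_subscore(mc, mi, ma, scope_changed=scope_changed), 2),
        "all_low": round(modified_impact_subscore(mc, mi, ma, "L", "L", "L", scope_changed), 2),
        "all_high": round(modified_impact_subscore(mc, mi, ma, "H", "H", "H", scope_changed), 2),
    }


if __name__ == "__main__":
    for label, metrics in [("full compromise (H/H/H)", ("H", "H", "H")),
                           ("information disclosure (H/N/N)", ("H", "N", "N")),
                           ("minor tampering (N/L/N)", ("N", "L", "N"))]:
        print(label, requirement_sensitivity(*metrics))
```

The cap is visible in the first scenario: an H/H/H vulnerability scores the same for an all-High environment as for an undefined one, because the base impact already sits at the ceiling, whereas for a confidentiality-only flaw the High confidentiality requirement raises the sub-score by half and a Low requirement halves it.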

43
Q

What tool is commonly used to allow for measurement and monitoring of security settings to align with NIST 800‐53 controls?

SAML

CVE

CVSS

SCAP

A

D. The Security Content Automation Protocol (SCAP) is frequently used to allow for monitoring and measurement of NIST 800‐53‐based controls. SAML is used for authorization and authentication, and CVE and CVSS are used to identify and rank vulnerabilities.

44
Q

Ian wants to test embedded device web servers for potential security issues with the version of the web server software. What tool should he select to do this most effectively across his large organization’s network of IoT devices?

A WAF

Pentesting

A vulnerability scanner

A port scanner

A

C. Vulnerability scanners are perfectly suited to this type of task and can be configured to specifically test the web servers that are part of the IoT devices to increase the speed of the scan. A WAF is used to protect web applications and servers, not to assess vulnerabilities and security issues. Pentesting can identify these problems but is typically not fast or scalable. Port scanners identify open ports and services but don’t identify vulnerabilities as effectively as a dedicated vulnerability scanning tool will.

45
Q

Tom wants his email servers to reject email that is not authenticated in a way to prevent spoofing. Which of the following should he implement?

SPF

DMARC

DKIM

TLS

A

B. DMARC, or Domain‐based Message Authentication, Reporting, and Conformance, controls how unauthenticated messages are handled by mailbox providers, including quarantining or rejecting messages. SPF (Sender Policy Framework) lists IP addresses of systems allowed to send email in DNS TXT records for a domain. DomainKeys Identified Mail (DKIM) validates a domain’s identity using a public key pair, validating the authenticity of the sender. TLS (Transport Layer Security) is used to encrypt data in motion.

46
Q

Wayne has identified a vulnerable server that is part of his organization’s critical infrastructure but that is no longer supported by the vendor and for which no additional patches exist. Every time Wayne scans the server using his vulnerability scanner, the services on the device crash. What should Wayne do?

Report the server as vulnerable and suggest that it be replaced immediately.

Disable the network connection on the device and isolate the server to protect it.

Identify a third‐party insurance provider who will insure the organization against potential issues with the server.

Document an exemption, remove the server from automated scans, and implement compensating controls.

A

D. In most organizations, Wayne’s next steps should be to document the exemption due to the criticality of the server and its extenuating circumstances. Removing the server from scans will prevent it from being effectively impacted by a denial‐of‐service attack each time a scan occurs, but this also means that compensating controls should be implemented if possible. Reporting the server as vulnerable and suggesting it be replaced does not remediate the server or protect it, and will continue to allow it to fail based on future scans. Disabling the device’s network connection will also cause a service outage. Insurance will not prevent service outages or protect the device.

47
Q

Alan wants to configure his firewall to allow Microsoft SQL traffic through to the database server from web application servers in a screened subnet design. What is the minimum set of ports that he should open to allow this?

TCP 3389 and 1433

TCP 1433

TCP 8080

TCP 139 and 445

A

B. TCP port 1433 is the minimum port requirement for a Microsoft SQL server connection. TCP 3389 is used for Remote Desktop Protocol (RDP). TCP 8080 is a common alternate port for web servers, and TCP 139 and 445 are used for SMB connections.

48
Q

Zhen’s new organization has informed him that they used a COPE model for their mobile devices. What does this tell Zhen about what he can do with the device?

He can choose what device he uses, but the organization will own it.

He will be provided with a device but can use it for reasonable personal use.

He will be provided with a device and can only use it for business purposes.

He will have to bring his own device but can use it for personal and business use.

A

B. COPE, or company‐owned, personally enabled, models allow staff to use organizationally owned devices for reasonable personal use. CYOD, or choose your own device, allows users to pick their company‐owned device from a list of approved devices. COBO, or company‐owned, business‐only, is just that—users can only use the devices for business purposes. BYOD asks users to bring their own device, often leaving organizations with limited or no control of the device.

49
Q

The Windows Task Manager can be used to identify malware through what technique?

Dynamic analysis

Process auditing

CVSS matching

Vulnerability scanning

A

B. Process auditing involves reviewing processes to identify unknown or unexpected processes. During incident response scenarios, this is often initially done via the Task Manager. Dynamic analysis is a code review process that uses running code. CVSS matching was made up for this question, and vulnerability scanning tests open services and doesn’t involve the Task Manager.

50
Q

Ujama wants to deploy a network device that will allow him to use policy‐based controls for email as well as active defenses against phishing attacks before email is delivered to his users. Which of the following devices is best suited to this purpose?

A web application firewall

An email security gateway

A DKIM appliance

A DMARC appliance

A

B. Email security gateways are appliances or software virtual appliances that provide anti‐spam, anti‐phishing, and other email security–related services. They’re purpose‐built to deliver exactly the capabilities that Ujama is looking for. A WAF (web application firewall) is used to protect web applications. DKIM and DMARC are both email security frameworks, but they’re not implemented as appliances themselves.

51
Q

Which of the following methods typically provides the greatest insight into vulnerabilities that exist on systems owned by a company?

Penetration tests

Authenticated scans

Unauthenticated scans

Port scans

A

B. Authenticated scans can identify vulnerabilities that are not visible to unauthenticated scans. Penetration testers may not be able to obtain access equivalent to authenticated scans, so an authenticated scan is more likely to provide detailed data. Port scans do not provide deep vulnerability data.

52
Q

Rick is reviewing Linux system permissions and finds a directory that is set to:

-rwxr--r--

Who will have access to the directory to read the file?

The user

The user and their group

All users

No users except root

A

C. Linux permissions are read left to right for user, group, and other. With r’s at each location, this means everyone can read the contents of the directory. Only the user can write and execute files in the directory.

53
Q

Beena is granted access to her organization’s customer information because she is a data steward; her access occurs between 8 a.m. and 5 p.m., and it is occurring from a known workstation that has passed security checks. What type of access control scheme is in use?

Rule‐based access control

Role‐based access control

Mandatory access control

Attribute‐based access control

A

A. A set of rules that defines who can access the data has determined if Beena is granted access. Here, rules assess her role, the time of day, and the workstation’s status. This is not accomplished using a classification or clearance system like MAC uses, and it does not rely on just an attribute like Beena’s location or other information about her.

54
Q

Geenah wants to identify where Wi‐Fi signals are weakest in her building. What should she create to visually display signal coverage and strength throughout her building?

A war walk

A spectrum analysis

An SSID plot

A heatmap

A

D. Heatmaps are used to show signal strength and coverage, allowing organizations to identify areas where there may be poor coverage or where multiple signals may conflict. War walking (and war driving) are techniques used to map wireless access points to geographic locations. Spectrum analysis and SSID plots are not terms used for this type of activity.

55
Q

Bug bounty programs are an example of what type of program?

Contracted penetration testing

Responsible disclosure

Third‐party bounty

Trusted threat

A

B. Bug bounty programs are frequently part of responsible disclosure programs intended to provide a way for third parties to report security issues and to be incentivized to report them in responsible ways. Bug bounties can help identify flaws, but they’re not typically part of contracted penetration testing engagements. Third‐party bounty is not a typical way of describing them, and trusted threat programs were made up for this question.

56
Q

The hospital that Isabella works for leverages threat information from the Health‐ISAC as part of their security team’s work. What type of threat information provider is the Health‐ISAC?

An OSINT provider

A dark web source

An information‐sharing organization

A proprietary threat data source

A

C. ISACs, or Information Sharing and Analysis Centers, are information‐sharing organizations established to connect organizations in verticals like health care, government, utilities, and higher education. While ISACs may provide OSINT information, they go far beyond that. They are not typically found via the dark web and don’t require TOR to access their information, and they are not commercial or proprietary threat data sources.

57
Q

Hector is concerned about Bluetooth security. Which of the following is a legitimate security concern about Bluetooth?

It is not encrypted.

Bluetooth is only useful at short range.

Bluejacking may occur.

Bluetooth devices can be fingerprinted.

A

D. Bluetooth devices can be fingerprinted relatively easily, making it easy to identify individual users who have Bluetooth turned on. Modern Bluetooth traffic is encrypted, its relatively short range is not a security concern, and Bluejacking sends unwanted spam, which isn’t a direct data security issue.

58
Q

What role do port scans play in asset tracking?

Enumeration of assets.

They provide OSINT.

Version tracking for assets.

They do not play a role in asset tracking.

A

A. Port scans can help with enumeration of assets when an inventory does not exist. They do not provide OSINT; OSINT is a passive information‐gathering process and a scan is an active process. Version tracking via port scans is inaccurate and does not provide full information. Identifying assets via port scans is a reasonably common part of asset management, particularly for initial discovery.

59
Q

A CVSS score is based on what three metric groups of data?

Scope, Impact, Environmental

Base, Temporal, and Environmental

Risk, Threat, Impact

Time, Risk, Scope

A

B. CVSS scores are based on base metrics like the attack vector; complexity; scope; user interaction required and privileges required; the temporal group, which includes exploit code maturity, remediation level, and report confidence; and the environmental group, including confidentiality, availability, and integrity requirements. While scope, impact, risk, and threat all play into these elements, CVSS calls the three metric groups Base, Temporal, and Environmental.

60
Q

Guillermo wants to establish his organization’s security baseline for Linux systems. After selecting the CIS benchmark that best matches his organization’s commonly used Linux distribution, what should he do next?

Deploy the benchmark to a test system to see how it performs in normal use.

Install SELinux to allow for the baseline to be implemented fully.

Review the baseline to determine any settings that are not a good fit for the organization’s usage.

Identify the deployment method for the baseline to the Linux systems.

A

C. Reviewing any baseline to determine its fit for the organization and how the organization’s systems and services operate is an appropriate next step after selecting a benchmark. Deploying SELinux may be necessary for some features depending on the distribution in use, but nothing in the question indicates that this is required. Once the benchmark has been modified to purpose and suitability, it can be tested, and further modifications can be made if necessary. Finally, it can be deployed and managed.

61
Q

The organization that Chris works for has recently acquired another company. As part of the acquisition, Chris is preparing to address the data that the newly acquired company used, including setting up rules to handle it in his data loss prevention (DLP) system. What step is commonly required prior to data being protected by a DLP system?

Hashing the data and creating signatures

Encrypting the data

Classifying and tagging the data

Applying a mandatory access control scheme to the data

A

C. DLP systems often rely on classification, tagging, and metadata to help them identify sensitive data that the organization handles and which could be exfiltrated or sent inadvertently outside of the organization. Hashing and creating signatures is more commonly associated with filesystem‐monitoring tools. Encrypting the data is not required by a DLP and may actually make it harder for the DLP to identify the data. Applying a mandatory access control scheme to the data is not a typical step in preparing for DLP‐based protection.

62
Q

Annie wants to implement a passwordless authentication system. Which of the following would not meet her needs?

Windows Hello

A PIN‐based factor

A cell‐phone authenticator application

A FIDO2 security key

A

B. Passwordless authentication avoids making users provide a password or PIN by using a proof of identity from a device or token. Windows Hello, cell‐based authenticator applications, and FIDO2 security keys all support this, but entering a PIN does not.

63
Q

Laura wants to harden the ICS and SCADA devices her organization uses to manage critical infrastructure. The devices are old and unsupported, without recent updates. What hardening technique is most likely to be available to her to help deal with these devices?

Isolation

Segmentation

Adding host‐based firewalls

Configuring host‐based IPS

A

B. Since ICS and SCADA devices need connectivity as part of their design, Laura knows that using segmentation to place the devices in a secure network is likely her best hardening option. Isolating the devices would break the functionality of ICS/SCADA systems. Neither ICS nor SCADA devices typically have support for host‐based firewalls or host‐based IPS.

64
Q

Nick wants to allow email servers to validate that email from his servers is actually from them. What email security framework should he adopt to allow this?

DKIM

DMARC

SPF

SMTP

A

A. DKIM (DomainKeys Identified Mail) validates a domain’s identity using a public key pair, validating the authenticity of the sender. DMARC (Domain‐based Message Authentication, Reporting, and Conformance) controls how unauthenticated messages are handled by mailbox providers, including quarantining or rejecting messages. The Sender Policy Framework (SPF) lists IP addresses of systems allowed to send email in DNS TXT records for a domain. STP is not an email security framework. The Simple Mail Transfer Protocol (SMTP) is the default email protocol.

65
Q

What process is commonly used with open source tools to ensure that dependencies are secure?

Static analysis

Package monitoring

Fagan testing

Port scanning

A

B. Package monitoring tools review the dependencies and packages that make up open source tools to identify vulnerable components. Static analysis is manual review of code. Fagan testing is a formal code analysis process. Port scanning is not used to monitor for dependency security.

66
Q

Kelsey’s organization has established an asset and inventory management process for servers. Which of the following is not a common part of asset tracking?

Data classification

Identifying owners

Documenting acquisition dates

Sanitization

A

D. Sanitization is part of decommissioning and disposal processes, not asset management. Tracking data classification used on systems, identifying owners, and documenting acquisition dates for warranty and life‐cycle tracking are all common parts of this process.

67
Q

Selah wants to prevent staff in her organization from visiting malicious websites while they’re in the office. If she wants to use the most up‐to‐date threat data, what web filter capability should she take advantage of?

Agent‐based web filtering

Reputation tools

A centralized web filtering proxy

URL scanning

A

B. Using threat data from reputation tools will best fit Selah’s needs. Agent‐based web filtering is used when systems will be mobile or connected to networks that are not controlled centrally. Centralized web filtering proxies and URL scanning are useful general controls, but reputation tools answer the specific need more directly.

68
Q

Joe has configured ACLs on a Cisco network device. The ACL he has configured is as follows:

interface ethernet0
ip access-group 111 in
!
access-list 111 deny tcp any any eq http
access-list 111 permit ip any any
access-list 111 deny tcp any any eq https

What does this ACL do?

Blocks HTTP traffic

Blocks both HTTP and HTTPS traffic

Prevents web application attacks

Allows for inspection of web traffic

A

A. ACLs are interpreted in the order they are listed. This ACL is not properly written if it is intended to block HTTPS because the ACL order includes a rule that allows any traffic after the rule that blocks HTTP is processed. This means that traffic will first be checked to see if it is HTTP traffic. If it is not, it will be allowed, and thus will bypass the HTTPS block. It will not prevent web application attacks since HTTPS can pass the ACL, and no specific configuration is set for inspection of web traffic.

69
Q

The use of machine learning and algorithms to analyze user behavior in order to identify anomalous behavior is a feature of what specialized type of tool?

UEBA

SIEM

EDR

DMARC

A

A. User and entity behavior analytics (UEBA) tools are specifically designed to use behavior‐based analytic tools leveraging machine learning and algorithmic analysis. SIEM is used to correlate events and log data as part of ongoing monitoring. EDR focuses on malicious behavior detection on endpoints. DMARC is used for email security.

70
Q

Jake has configured WPA3 Personal for his network. What feature makes WPA3 more secure than WPA2’s PSK mode?

SAE

PKI

TLS

EAP

A

A. SAE (Simultaneous Authentication of Equals) provides a secure authentication mode that replaced WPA2’s preshared key session key negotiation process. PKI is public key encryption and is not the solution in use. TLS is Transport Layer Security, used to encrypt data in motion, and EAP is an authentication protocol.