Q&A Flashcards

1
Q

A company has implemented a public-facing authentication system that uses PKI and extended attributes to allow third-party, web-based application integration.
Which of the following is this an example of? (Select THREE).

A.
Federation

B.
Two-factor authentication

C.
Transitive trust

D.
Trusted OS

E.
Single sign-on

F.
TOTP

G.
MAC

A

A,C,E

A - Federation allows for third party access. You could create a federated network with this method.

C - Transitive trust, because with public keys you need A computer to trust B, B to trust C, and therefore C to trust A.

E - Allows one user to use one set of login credentials across multiple applications. Necessary in this case to improve ease of use.

2
Q

A security administrator is seeking a secure way to send emails to a subcontractor without requiring user action. Which of the following would BEST provide security
between email gateways?

A.
SSL

B.
PGP

C.
HTTPS

D.
S/MIME

E.
TLS

F.

A

E

TLS - Transport Layer Security - newer, updated SSL. That’s why it’s the answer.

Not S/MIME because that’s for email encryption.
PGP for the same reason.
HTTPS is internet.
SSL is the standard security link between web browser and server.
SSH is for operating network services over an unsecured network, again not email.

3
Q

An administrator must change the IP address of the corporate web server. Since this is a critical web server, downtime must be kept to a minimum. To minimize
downtime as much as possible, which of the following DNS properties should be changed well before the actual IP change?

A.
PTR

B.
TTL

C.
SRV

D.
A

A

B.

Time to Live. I don’t know why. Find out later.

4
Q

Ann, a security administrator, needs to implement a transport encryption solution that will enable her to detect attempts to sniff packets. Which of the following could
be implemented?

A.
Elliptical curve algorithms

B.
Ephemeral keys

C.
Quantum cryptography

D.
Steganography

A

C

Quantum Cryptography - If you eavesdrop on this type of cryptography it’ll be immediately obvious.

5
Q

A security administrator wants to implement a multi-factor, location-based authentication system. The authentication system must incorporate something unique
about each user. Which of the following are user authentication factors that can be used by the system? (Select THREE).

A.
IP address

B.
Employee ID

C.
Username

D.
Unique identification number

E.
Keyboard timing

F.
Password

A

A,E,F
What you have, what you know, where you are, what you do,

A - IP address where you are
E - Keyboard timing - something you do
F - Password something you know

6
Q

An organization’s security policy requires secure file transfers to and from internal hosts. An employee is attempting to upload a file using an unsecure method to a
Linux-based dedicated file server and fails. Which of the following should the employee use to transfer the file?

A.
FTP

B.
HTTPS

C.
SSL

D.
SCP

E.
TLS

A

D

SCP - Secure Copy, uses SSH to send files securely and unattended. Similar to FTPS.

7
Q

After a private key has been compromised, an administrator realized that downloading a CRL once per day was not effective. The administrator wants to
immediately revoke certificates. Which of the following should the administrator investigate?

A.
CSR

B.
PKI

C.
IdP

D.
OCSP

A

D

OCSP - Online Certificate Status Protocol. Used to obtain the revocation status of X.509 digital certificates.

Used instead of CRL because it contains less info and puts less strain on the network.

8
Q

A network administrator discovers that telnet was enabled on the company’s Human Resources (HR) payroll server and that someone outside the HR subnet has
been attempting to log into the server. The network administrator has disabled telnet on the payroll server. Which of the following is a method of tracking attempts
to log onto telnet without exposing important telnet data?

A.
Banner grabbing

B.
Active port monitors

C.
Honeypot

D.

A

B.

Active port monitors. You can see traffic coming on the telnet port (TCP 23).

9
Q

A security administrator is troubleshooting a network connectivity issue. The administrator believes that a router’s ACL may be blocking network traffic to a remote
network. Which of the following, if enabled, would confirm the administrator’s theory by providing helpful feedback?

A.
DNS

B.
NAT

C.
NetBIOS

D.
ICMP

A

D.

ICMP - Internet control message protocol is used for error reporting and testing connectivity between hosts.

10
Q

A CA is attempting to publicize the acceptable parameters for certificate signing requests. Which of the following should a server administrator use to fulfill the
requirements of the CA?

A.
Interconnection security agreement

B.
Certificate templates

C.
Client-side certificates

D.
Software token

A

B.

Certificate templates - Read the question better. Using a certificate template just makes sense here. They are releasing the acceptable parameters. Make a template to fulfill them.

11
Q

A company uses digital signatures to sign contracts. The company requires external entities to create an account with a third-party digital signature provider and
sign an agreement stating they will protect the account from unauthorized access. Which of the following security goals is the company trying to address in the
given scenario?

A.
Availability

B.
Non-repudiation

C.
Authentication

D.
Confidentiality

E.
Due diligence

A

B.

Non-repudiation - assurance that someone cannot deny something. That’s why they get a signature.

12
Q

A datacenter has suffered repeated burglaries that lead to equipment theft and arson. In the past, the thieves have demonstrated a determination to bypass any
installed safeguards. After mantraps had been installed to prevent tailgating, the thieves crashed through the wall of the datacenter with a vehicle after normal
business hours. Which of the following options could further improve the physical safety and security of the datacenter? (Select TWO).

A.
Cipher locks

B.
CCTV

C.
Escape routes

D.
K-rated fencing

E.
FM200 fire suppression

A

Really read the questions, man. This one is C,D

C - Escape routes. Key words here were improve the safety. ouch.
D - K rated fencing, already made sense.

13
Q

The content of a document that is routinely used by several employees and contains confidential information has been changed. While investigating the issue, it is
discovered that payment information for all the company’s clients has been removed from the document. Which of the following could be used to determine who
changed the information?

A.
Audit logs

B.
Server baseline

C.
Document hashing

D.
Change management

A

A. Audit Logs

Audit logs will show who accessed the data. Change management wouldn’t be under suspicious circumstances.

14
Q

An organization experienced a fire at its datacenter and was unable to operate at that location. The company moved to a location where HVAC and power are
available, but must supply and configure its own computing resources in order to provide services. The company has relocated to a:

A.
hot site

B.
co-location site

C.
warm site

D.
cold site

A

D. Cold site

Cold site - Alternate location that is not actively online. Infrastructure must be installed and configured.

Hot site - Active location that has redundant systems with current data. Very expensive.

Warm site - In-between option. Has some infrastructure up and running (racks, power, HVAC) but you need to copy over the data.

15
Q

A penetration tester is attempting to determine the operating system of a remote host. Which of the following will provide this information?

A.
Protocol analyzer

B.
Honeypot

C.
Fuzzer

D.
Banner grabbing

A

D.

Banner grabbing is usually used to find out what ports are open, but I guess it can also be used for finding out the OS of a remote host.

16
Q

A company is providing mobile devices to all its employees. The system administrator has been tasked with providing input for the company’s new mobile device
policy. Which of the following are valid security concepts that the system administrator should include when offering feedback to management? (Select TWO)

A.
Transitive trust

B.
Asset tracking

C.
Remote wiping

D.
HSM

E.
Key management

A

C,E

Remote wiping - obvious; if the device is stolen, a secure policy is to wipe it.

Key management, should have public private key for mobile devices as well. Moreover no other answers make sense.

17
Q

An organization that uses a cloud infrastructure to present a payment portal is using:

A.
software as a service

B.
platform as a service

C.
monitoring as a service

D.
infrastructure as a service

A

A.

Should’ve got this one, but it happens. Was tempted by platform even though a payment portal is purely software.

18
Q

A network administrator is in the process of developing a new network security infrastructure. One of the requirements for the new system is the ability to perform
advanced authentication, authorization, and accounting. Which of the following technologies BEST meets the stated requirement?

A.
Kerberos

B.
SAML

C.
TACACS+

D.
LDAPS

A

C. TACACS+

Newest tech, developed by the military. Very secure. Still somewhat of a guess, probably need further research.

19
Q

A recent policy change at an organization requires that all remote access connections to and from file servers at remote locations must be encrypted. Which of the
following protocols would accomplish this new objective? (Select TWO).

A.
TFTP

B.
SSH

C.
FTP

D.
RDP

E.
HTTP

A

B,D

TFTP is not right, that’s Trivial File Transfer Protocol. Very insecure.

SSH - Secure Shell, definitely encrypted.

RDP - Remote Desktop Protocol. Encrypted, but the wording threw me off.

20
Q

In order to establish a connection to a server using secure LDAP, which of the following must be installed on the client?

A.
Server public key

B.
Subject alternative names certificate

C.
CA anchor of trust

D.
Certificate signing request

A

A.

Lightweight Directory Access Protocol. Secure LDAP goes over port 636 and uses SSL/TLS.

Makes sense to need a public key, but this one is a little confusing.

21
Q

A security administrator receives an IDS alert that a single internal IP address is connecting to several known malicious command and control domains. The
administrator connects to the switch and adds a MAC filter to Port 18 to block the system from the network.

BEFORE                           AFTER
MAC Address      VLAN  Port      MAC Address      VLAN  Port
67A7.353B.5064   101   4         67A7.353B.5064   101   4
7055.4961.1F33   100   9         7055.4961.1F33   100   9
0046.6416.5809   101   21        0046.6416.5809   101   21
7027.0108.31B5   100   16        7027.0108.31B5   100   16
5243.6353.7720   101   6         5243.6353.7720   101   6
1484.A471.6542   100   2         1484.A471.6542   100   2
80C7.8669.5845   101   7         80C7.8669.5845   101   7
7513.77B9.4130   101   18        0046.6419.5809   101   18
5A77.1816.3859   101   19        5A77.1816.3859   101   19
8294.7E31.3270   100   8         8294.7E31.3270   100   8

A few minutes later, the same malicious traffic starts again from a different IP. Which of the following is the MOST likely reason that the system was able to bypass
the administrator’s MAC filter?

A.
The system is now ARP spoofing a device on the switch.

B.
The system is now VLAN hopping to bypass the switch port MAC filter.

C.
The system is now spoofing a MAC address.

D.
The system is now connecting to the switch.

A

C.

That’s how you would get past a MAC filter.

22
Q

A company has classified the following database records:

OBJECT               CONFIDENTIALITY  INTEGRITY  AVAILABILITY
First Name           LOW              MEDIUM     LOW
Last Name            LOW              MEDIUM     LOW
Address              MEDIUM           HIGH       LOW
Bank Account Number  HIGH             HIGH       MEDIUM
Credit Card Number   HIGH             HIGH       MEDIUM

Which of the following is a management control the company can implement to increase the security of the above information with respect to confidentiality?

A.
Implement a client based software filter to prevent some employees from viewing confidential information.

B.
Use privacy screen on all computers handling and displaying sensitive information.

C.
Encrypt the records which have a classification of HIGH in the confidentiality column.

D.
Disseminate the data classification table to all employees and provide training on data disclosure.

A

D.

Not sure how to learn this one. I think the key word is management control, meaning training employees, as encrypting data or the other options aren’t a management control.

23
Q

Which of the following remote authentication methods uses a reliable transport layer protocol for communication?

A.
RADIUS

B.
LDAP

C.
TACACS+

D.
SAML

A

C

TACACS+ uses TCP (port 49). This is more secure than RADIUS because the entire communication is encrypted.

More importantly, it’s more reliable because it is connection oriented, unlike UDP, which RADIUS uses.

24
Q

During a recent audit, it was discovered that the employee who deploys patches also approves the patches. The audit found there is no documentation supporting
the patch management process, and there is no formal vetting of installed patches. Which of the following controls should be implemented to mitigate this risk?
(Select TWO).

A.
IT contingency planning

B.
Change management policy

C.
Least privilege

D.
Separation of duties

E.
Dual control

F.
Mandatory job rotation

A

B,D

Change management policy, makes sense as there was no policy for that in place. It’s a necessary component to this situation.

Separation of duties - the guy who deploys patches shouldn’t approve them as well. Not ideal.

25
Q

Which of the following should be used to implement voice encryption?

A.
SSLv3

B.
VDSL

C.
SRTP

D.
VoIP

A

C.

SRTP: The Secure Real-time Transport Protocol. The PowerSec supports the use of SRTP media encryption (RFC 3711). … Each voice call needs two encryption keys.

Not familiar with any of these except D. but now I know. SRTP can encrypt VoIP.

26
Q

Which of the following types of attacks are MOST likely to be successful when using fuzzing against an executable program? (Select TWO).

A.
SQL injection

B.
Session hijacking

C.
Integer overflow

D.
Buffer overflow

E.
Header manipulation

A

A,D

Fuzzing is throwing random data at an application in an attempt to crash it or find a vulnerability.

SQL injection I suppose could be used in this case. Throwing random SQL queries in an attempt to break or breach the app.

Buffer Overflow is writing more data than the buffer can handle. Nice. That’s a fuzzing attack in a nutshell.

27
Q

A security administrator has detected the following pattern in a TCP packet: URG=1, ACK=1, PSH=1, RST=1, SYN=1, FIN=1. Which of the following attacks is this
an example of?

A.
Replay

B.
Spoofing

C.
Xmas

D.
DDoS

A

C.

Xmas - Lighting up the network. Trying to fingerprint the system or map it. TCP Header information looks like that when it’s been lit up. It’s either a 1 or a 0.

28
Q

The network engineer for an organization intends to use certificate-based 802.1X authentication on a network. The engineer’s organization has an existing PKI that
is used to issue server and user certificates. The PKI is currently not configured to support the issuance of 802.1X certificates. Which of the following represents an
item the engineer MUST configure?

A.
OCSP responder

B.
Web enrollment portal

C.
Symmetric cryptography

D.
Certificate extension

A

D.

Another one where a guess is in order. An extension makes sense, and the other answers really don’t. Just respect the wording. Ask yourself what makes the most sense.

29
Q

Which of the following network design components would assist in separating network traffic based on the logical location of users?

A.
IPSec

B.
NAC

C.
VLAN

D.
DMZ

A

D.

DMZ. None of the others are really location based. Used to provide public facing resources. That’s the logical separation I guess. They are outside of the network and want to come in.

30
Q

A server administrator is investigating a breach and determines that an attacker modified the application log to obfuscate the attack vector. During the lessons
learned activity, the facilitator asks for a mitigation response to protect the integrity of the logs should a similar attack occur. Which of the following mitigations would
be MOST appropriate to fulfill the requirement?

A.
Host-based IDS

B.
Automated log analysis

C.
Enterprise SIEM

D.
Real-time event correlation

A

C.

Enterprise SIEM (Security Information and Event Management) would be the most effective. Really just needed to know the acronym.

31
Q

A security administrator wants to implement a system that will allow the organization to quickly and securely recover from a computer breach. The security
administrator notices that the majority of malware infections are caused by zero-day armored viruses and rootkits. Which of the following solutions should the
system administrator implement?

A.
Install an antivirus solution that provides HIPS capabilities.

B.
Implement a thick-client model with local snapshots.

C.
Deploy an enterprise patch management system.

D.
Enable the host-based firewall and remove users’ administrative rights.

A

A.

HIPS antivirus would work here. C would patch zero days but might not offer protection against rootkits? I’m not sure but A would work.

32
Q

After Ann arrives at the company’s co-location facility, she determines that she is unable to access the cage that holds the company’s equipment after a co-worker
updated the key card server the night before. This is an example of failure of which of the following?

A.
Testing controls

B.
Access signatures

C.
Fault tolerance

D.
Non-repudiation

A

READ THE QUESTION. A.

It wasn’t tested properly that was the failure. Duh.

33
Q

Which of the following attack types is MOST likely to cause damage or data loss for an organization and be difficult to investigate?

A.
Man-in-the-middle

B.
Spoofing

C.
DDoS

D.
Malicious insider

A

D.

Malicious insider would be hardest to catch because they have internal knowledge of security systems.

34
Q

An administrator is reviewing the logs for a content management system that supports the organization’s public-facing website. The administrator is concerned
about the number of attempted login failures from other countries for administrator accounts. Which of the following capabilities is BEST to implement if the
administrator wants the system to dynamically react to such attacks?

A.
Netflow-based rate limiting

B.
Disable generic administrative accounts

C.
Automated log analysis

D.
Intrusion prevention system

A

A. Netflow-based rate limiting.

Don’t know why.

35
Q

A system administrator wants to ensure that only authorized devices can connect to the wired and wireless corporate system. Unauthorized devices should be
automatically be placed on a guest network. Which of the following MUST be implemented to support these requirements? (Select TWO).

A.
Port security

B.
802.1X

C.
Proxy

D.
VLAN

E.
NAT

A

B,D

802.1X is a way to authenticate anyone plugging a Cat6 cable into the network.

VLAN is the separation of networks, and port security, the one you picked, is the same as 802.1X.

36
Q

Which of the following network configurations provides security analysts with the MOST information regarding threats, while minimizing the risk to internal corporate
assets?

A.
Configuring the wireless access point to be unencrypted

B.
Increasing the logging level of internal corporate devices

C.
Allowing inbound traffic to a honeypot on the corporate LAN

D.
Placing a NIDS between the corporate firewall and ISP

A

D.

A honeypot would be too revealing to corporate resources. A NIDS would allow the administrator to note threats without actually letting them touch the network.

37
Q

A network administrator would like to implement a wireless solution that uses a very high performance stream cipher encryption protocol. Which of the following
solutions should the administrator implement to meet this goal?

A.
EAP-TLS

B.
WPA2 Enterprise

C.
WEP

D.
CCMP

A

C.

WEP is a STREAM cipher while WPA2 is a BLOCK cipher. Key distinction.

38
Q

A security manager is required to protect the disclosure of sensitive data stored on laptops and mobile devices while users are traveling. Users are required to
connect via VPN to the company’s network and are also issued cable locks. Which of the following should the security manager implement to further secure the
data? (Select TWO).

A.
Screen locks

B.
Remote wipe

C.
One-time tokens

D.
BIOS password

E.
Full-disk encryption

A

B,E

Full disk encryption would keep the data safe. VPN connection made me think one time tokens for some reason.

39
Q

A company needs to ensure that employees that are on vacation or leave cannot access network resources, while still retaining the ability to receive emails in their
inboxes. Which of the following will allow the company to achieve this goal?

A.
Set up an email alias

B.
Remove user privileges

C.
Install an SMTP proxy server

D.
Reset user passwords

A

A

Not sure what an email alias is.

40
Q

A security administrator creates separate VLANs for employee devices and HVAC equipment that is network attached. Which of the following are security reasons
for this design? (Select THREE).

A.
IDS often requires network segmentation of HVAC endpoints for better reporting.

B.
Broadcasts from HVAC equipment will be confined to their own network segment.

C.
HVAC equipment can be isolated from compromised employee workstations.

D.
VLANs are providing loop protection for the HVAC devices.

E.
Access to and from the HVAC equipment can be more easily controlled.

F.
Employee devices often interfere with proper functioning of HVAC devices.

A

B,C,E

Not sure. Maybe rewatch HVAC chapter.

41
Q

The firewall administrator is installing a VPN application and must allow GRE through the firewall. Which of the following MUST the administrator allow through the
firewall?

A.
IPSec

B.
IP protocol 47

C.
IP protocol 50

D.
IP protocol 51

A

B.

Internet protocol 47 is the GRE protocol. Nice.

42
Q

A security administrator recently implemented IPSec for remote users. Which of the following ports must be allowed through the firewall in order for remote access
to be successful if the tunneling protocol is PPTP?

A.
UDP 500

B.
UDP 1723

C.
TCP 1723

D.
TCP 4500

A

C.

That’s the port for the tunneling protocol PPTP (Point-to-Point Tunneling Protocol).

43
Q

An organization received a subpoena requesting access to data that resides on an employee’s computer. The organization uses PKI. Which of the following is the
BEST way to comply with the request?

A.
Certificate authority

B.
Public key

C.
Key escrow

D.
Registration authority

E.
Key recovery agent

A

D.

You would need help getting the private key. Hence the answer.

44
Q

A system administrator decided to perform maintenance on a production server servicing retail store operations. The system rebooted in the middle of the day due
to the installation of monthly operating system patches. The downtime results in lost revenue due to the system being unavailable. Which of the following would
reduce the likelihood of this issue occurring again?

A.
Routine system auditing

B.
Change management controls

C.
Business continuity planning

D.
Data loss prevention implementation

A

B

production change bad

45
Q

A network technician needs to pass traffic from the company’s external IP address to a front-end mail server in the DMZ without exposing the IP address of the mail
server to the external network. Which of the following should the network technician use?

A.
NAT

B.
SMTP

C.
NAC

D.
SSH

E.
TLS

A

A.

Network address translation would help with not exposing the IP. Make the corporate IP into a public IP.

46
Q

A malicious insider is using an ARP spoofing tool to impersonate the gateway router. Which of the following attack types is the malicious insider implementing?

A.
Man-in-the-middle attack.

B.
IP spoofing attack.

C.
DNS poisoning and redirect attack.

D.
Replay attack.

A

A.

Rewatch man in the middle attack.

A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties, impersonates both parties and gains access to information that the two parties were trying to send to each other.

47
Q

A company has recently won a classified government contract involving both confidential and restricted information. To ensure proper authorization for
authenticated users and restrict unauthorized users from accessing information above their clearance, the company should establish:

A.
discretionary access control.

B.
mandatory access control.

C.
rule-based access control.

D.
role-based access control.

A

B. Read it twice.

48
Q

A security administrator determined that the time required to brute force 90% of the company’s password hashes is below the acceptable threshold. Which of the
following, if implemented, has the GREATEST impact in bringing this time above the acceptable threshold?

A.
Use a shadow password file.

B.
Increase the number of PBKDF2 iterations.

C.
Change the algorithm used to salt all passwords.

D.
Use a stronger hashing algorithm for password storage.

A

B

To increase the security of your master password, LastPass utilizes a stronger-than-typical version of Password-Based Key Derivation Function (PBKDF2). At its most basic, PBKDF2 is a “password-strengthening algorithm” that makes it difficult for a computer to check that any one password is the correct master password during a brute-force attack.

49
Q

A company is planning to encrypt the files in several sensitive directories of a file server with an asymmetric key. Which of the following could be used?

A.
AES

B.
RSA

C.
ECC

D.
3DES

E.
MD5

A

B

RSA was first described in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman of the Massachusetts Institute of Technology. Public-key cryptography, also known as asymmetric cryptography, uses two different but mathematically linked keys, one public and one private. The public key can be shared with everyone, whereas the private key must be kept secret. In RSA cryptography, both the public and the private keys can encrypt a message; the opposite key from the one used to encrypt a message is used to decrypt it.

50
Q

A security administrator has deployed five additional copies of the same virtualized Linux server to distribute the load of web traffic on the original server. Which of
the following should the administrator do to help security harden these new systems? (Select TWO).

A.
Configure for dual factor authentication

B.
Team/Bond network adapters

C.
Add virtual machine software extensions

D.
Deploy unique public keys to each virtual server

E.
Disable HTTP protocols

F.
Generate new SSH keys

A

D,F

Need keys to be secure. Not sure about generating new secure shell keys though. Most of this does not make sense.

51
Q

An assessment team is conducting a vulnerability scan of an organization’s database servers. During the configuration of the vulnerability scanner, the lead
assessor only configures the parameter of the database servers’ IP range, and then runs the vulnerability scanner. Which of the following scan types is being run on
the database servers?

A.
Intrusive

B.
Ping sweep

C.
Non-credentialed

D.
Offline

A

C

Non-credentialed is the type. No logins involved which would be intrusive and he is not just pinging the systems. Also not offline.

52
Q

Ann, a network security engineer, is trying to harden her wireless network. Currently, users are able to connect any device to the wireless network as long as they
authenticate with their network username and password. She is concerned that devices that are not company-issued may gain unauthorized access. Which of the
following techniques would be BEST suited to remediate this vulnerability? (Select TWO).

A.
Utilize a single service account, only known by IT, to authenticate all devices

B.
Install separate access points for personal devices

C.
Install an IPS to protect the network from rogue devices

D.
Filter the MAC addresses of all unknown devices on the wireless controller

E.
server to authenticate via computer end user

A

D, E

53
Q

A security administrator, believing it to be a security risk, disables IGMP snooping on a switch. This breaks a video application. The application is MOST likely using:

A.
RTP.

B.
multicast.

C.
anycast.

D.
VoIP.

A

B

The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IPv4 networks to establish multicast group memberships. IGMP is an integral part of IP multicas

54
Q

An application service provider has notified customers of a breach resulting from improper configuration changes. In the incident, a server intended for internal
access only was made accessible to external parties. Which of the following configurations were likely to have been improperly modified, resulting in the breach?

A.
NAT

B.
IDS

C.
CRL

D.
VPN

A

A

NAT. The server was meant to be reachable only on its internal address; a NAT (port-forwarding) rule that maps a public address or port to that internal host is exactly the kind of configuration change that exposes it to the Internet. A VPN misconfiguration would affect remote users’ tunnels, an IDS only detects, and a CRL deals with revoked certificates.

55
Q

A healthcare organization is in the process of building and deploying a new web server in the DMZ that will enable public Internet users the ability to securely send
and receive messages from their primary care physicians. Which of the following should the security administrator consider?

A.
An in-band method for key exchange and an out-of-band method for the session

B.
An out-of-band method for key exchange and an in-band method for the session

C.
A symmetric algorithm for key exchange and an asymmetric algorithm for the session

D.
An asymmetric algorithm for key exchange and a symmetric algorithm for the session

A

D

Asymmetric cryptography is slow but solves key distribution with an unknown public audience, so it is used to exchange (or agree on) a key; the session itself is then protected with a fast symmetric cipher. This is exactly how TLS works. The exchange has to be in-band because arbitrary Internet users have no out-of-band channel to the clinic.

56
Q

A security specialist has implemented antivirus software and whitelisting controls to prevent malware and unauthorized application installation on the company
systems. The combination of these two technologies is an example of which of the following?

A.
Defense in depth

B.
Vulnerability scanning

C.
Application hardening

D.
Anti-malware

A

A

Defense in depth: layering independent controls (here signature-based antivirus plus application whitelisting) so that malware that slips past one is still stopped by the other.

57
Q

An administrator needs to deploy a new SSL wildcard certificate to three different web servers. Which of the following MUST be taken into consideration? (Select
TWO).

A.
The fingerprint on the certificate

B.
The CRL URL of the certificate

C.
Intermediate CA(s) that may need to be added

D.
File format needed by the target platform

E.
The CSR that was used to request the certificate

F.
The OU field on the certificate

A

C,D

The wildcard certificate is the same on all three servers, but each server must also be given the intermediate CA certificate(s) so that clients can build the chain to a trusted root, and the key and certificate must be exported in the format the platform expects (for example PEM for Apache or nginx, PFX/PKCS#12 for IIS). The fingerprint, CRL URL and OU are properties of the certificate that do not change between servers, and the CSR was only needed once, when the certificate was requested.

58
Q

Which of the following social engineering attacks would describe a situation where an attacker calls an employee while impersonating a corporate executive?

A.
Vishing

B.
Phishing

C.
Whaling

D.
Pharming

A

A.

Strange thing to need to know but:

the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as bank details and credit card numbers.

59
Q

A research user needs to transfer multiple terabytes of data across a network. The data is not confidential, so for performance reasons, does not need to be
encrypted. However, the authentication process must be confidential. Which of the following is the BEST solution to satisfy these requirements?

A.
Secured LDAP

B.
Kerberized FTP

C.
SCP

D.
SAML 2.0

A

B.

Kerberized FTP: the Kerberos ticket exchange protects the authentication step, while the bulk transfer itself runs as plain FTP without encryption, which is what the requirements ask for. SCP would encrypt all of the data (and slow the transfer); Secured LDAP and SAML are directory and federation protocols, not file transfer.

60
Q

One of the driving factors towards moving an application to a cloud infrastructure is increased application availability. In the case where a company creates a private
cloud, the risk of application downtime is being:

A.
transferred.

B.
avoided.

C.
mitigated.

D.
accepted.

A

C

I could see why it’s mitigated.

61
Q

Several computers in an organization are running below the normal performance baseline. A security administrator inspects the computers and finds the following
pieces of information:
– Several users have uninstalled the antivirus software
– Some users have installed unauthorized software
– Several users have installed pirated software
– Some computers have had automatic updating disabled after being deployed
– Users have experienced slow responsiveness when using the Internet browser
– Users have complete control over critical system properties
Which of the following solutions would have prevented these issues from occurring? (Select TWO).

A.
Using snapshots to revert unwanted user changes

B.
Using an IPS instead of an antivirus

C.
Placing users in appropriate security groups

D.
Disabling unnecessary services

E.
Utilizing an application whitelist

F.
Utilizing an application blacklist

A

C,E

62
Q

An administrator must select an algorithm for creating hashes of critical system files in order to later detect any unauthorized changes. Which of the following could
the administrator use? (Select TWO).

A.
3DES

B.
Diffie-Hellman

C.
CHAP

D.
RIPEMD

E.
RSA

F.
AES-256

G.
SHA-512

A

D,G

RIPEMD and SHA-512 are cryptographic hash functions, which is what file integrity checking needs: hash each file now, store the digests, and re-hash later to detect changes. 3DES and AES-256 are symmetric ciphers, RSA and Diffie-Hellman are asymmetric algorithms, and CHAP is an authentication protocol (which happens to use a hash internally).

63
Q

A retired employee did not return a company issued mobile device and may have company data on the device. Which of the following portions of the company’s
mobile device management solution could be used together to remove the company data from the employee’s device? (Select TWO)

A.
Full device encryption

B.
Application whitelisting

C.
Asset tracking

D.
Remote wiping

E.
Storage segmentation

F.
Inventory control

A

D,E

Remote wiping removes the data, and storage segmentation (keeping company data in its own container or partition) is what lets the wipe target only the corporate data rather than the employee’s whole device.

64
Q

A manager is reviewing bids for Internet service in support of a new corporate office location. The location will provide 24-hour service to the organization’s global
user population. In which of the following documents would the manager MOST likely find quantitative data regarding latency levels and MTTR?

A.
ISA

B.
SLA

C.
MOU

D.
BPA

A

B

SLA (service level agreement) is the contract that carries measurable targets such as latency, uptime and MTTR (mean time to repair), usually with penalties if they are missed. The others are agreements rather than performance contracts: an ISA (interconnection security agreement) sets the security requirements for connecting two organizations’ systems, an MOU (memorandum of understanding) records a mutual intent to cooperate without binding terms, and a BPA (business partnership agreement) defines the roles and responsibilities between business partners.

65
Q

An attacker has breached multiple lines of information security defense. Which of the following BEST describes why delayed containment would be dangerous?

A.
The attacker could be blocked by the NIPS before enough forensic data can be collected.

B.
The attacker could erase all evidence of how they compromised the network.

C.
The attacker could cease all attack activities making forensics more difficult.

D.
The attacker could escalate unauthorized access or compromise other systems

A

D

Just read all the answers.

66
Q

A recent regulatory audit discovers a large number of former employees with active accounts. Terminated users are removed from the HR system but not from
Active Directory. Which of the following processes would close the gap identified?

A.
Send a recurring email to managers with a link to IT Security policies.

B.
Perform routine audits against the HR system and Active Directory.

C.
Set an account expiration date for all Active Directory accounts to expire annually.

D.
Conduct permissions reviews in Active Directory for group membership.

A

B

67
Q

After responding to a virus detection notification, a security technician has been tasked with discovering how the virus was downloaded to the client computer.
Which of the following would BEST provide the technician with information related to the attack vector?

A.
Vulnerability scanning logs

B.
NIPS alerts

C.
Surveillance videos

D.
Proxy logs

A

D

68
Q

An old 802.11b wireless bridge must be configured to provide confidentiality of data in transit to include the MAC addresses of communicating end users. Which of
the following can be implemented to meet this requirement?

A.
MSCHAPv2

B.
WPA2

C.
WEP

D.
IPSec

A

D.

The requirement is confidentiality of the data in transit and of the communicating end users’ MAC addresses. WEP is the only link-layer option an 802.11b bridge natively offers and it is broken; WPA2 needs newer hardware, and neither hides the addresses in the 802.11 header. If the bridge carries its traffic inside an IPsec tunnel, the original packets are encapsulated and encrypted, so only the tunnel endpoints are visible on the air and the end users’ addresses and data travel inside the tunnel. MS-CHAPv2 is an authentication protocol, not an encryption method.

69
Q

An employee connects to a public wireless hotspot during a business trip. The employee attempts to go to a secure website, but instead connects to an attacker
who is performing a man-in-the-middle attack. Which of the following should employees do to mitigate the vulnerability described in the scenario?

A.
Connect to a VPN when using public wireless networks

B.
Only connect to WPA2 networks regardless of whether the network is public or private

C.
Ensure a host-based firewall is installed and running when using public wireless networks

D.
Check the address in the web browser before entering credentials

A

D

70
Q

An administrator installs a system that sends an SMS message containing a password recovery token to a user’s mobile device. Which of the following should also
be deployed to prevent accounts from being compromised?

A.
Password reuse limits

B.
Secure SMS gateway

C.
One-time token authentication

D.
Mobile device management

A

B

71
Q

During a recent network audit, several devices on the internal network were found not running antivirus or HIPS. Upon further investigation, it was found that these
devices were new laptops that were deployed without having the end-point protection suite used by the company installed. Which of the following could be used to
mitigate the risk of authorized devices that are unprotected residing on the network?

A.
Host-based firewall

B.
Network-based IPS

C.
Centralized end-point management

D.
MAC filtering

A

C

72
Q

A recent counter threat intelligence notification states that companies should review indicators of compromise on all systems. The notification stated that the
presence of a win32.dll was an identifier of a compromised system. A scan of the network reveals that all systems have this file. Which of the following should the
security analyst perform FIRST to determine if the files collected are part of the threat intelligence?

A.
Quarantine the file on each machine.

B.
Take a full system image of each machine.

C.
Take hashes of the files found for verification.

D.
Verify the time and date of the files found.

A

C

Check the hash to verify it’s all the same file.
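A worked example of the two hash uses above (card 62’s change detection and card 72’s IOC verification), added here and not part of the original flashcards. It uses SHA-512 from Python’s standard library; the file contents, the “trojaned” replacement and the IOC hash are all constructed for the demonstration. RIPEMD-160 would also satisfy card 62, but `hashlib.new('ripemd160')` is not available on every OpenSSL build, so SHA-512 is used here.

```python
import hashlib
import os
import tempfile

# Constructed sample tree for the demonstration; these are stand-ins, not real system files.
SAMPLE_FILES = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "bin/sshd": b"\x7fELF-placeholder-sshd-binary",
    "lib/win32.dll": b"MZ-placeholder-library",
}


def sha512_file(path, chunk=65536):
    """Stream a file through SHA-512 so large binaries never have to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record the SHA-512 of every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = sha512_file(full)
    return baseline


def verify(root, baseline):
    """Re-hash the tree and report what differs from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def match_iocs(root, ioc_hashes):
    """Return the paths whose content hash is on the indicator list.

    A file name such as win32.dll is a weak indicator; the hash says whether the
    bytes on this host are the ones the intelligence report actually describes.
    """
    wanted = {h.lower() for h in ioc_hashes}
    return sorted(p for p, h in build_baseline(root).items() if h in wanted)


def demo():
    """Baseline a scratch tree, tamper with it, and return the integrity and IOC report."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        baseline = build_baseline(root)

        # Simulated unauthorized changes: sshd replaced, a dropper added, passwd deleted.
        with open(os.path.join(root, "bin", "sshd"), "wb") as f:
            f.write(b"\x7fELF-trojaned-sshd")
        with open(os.path.join(root, "lib", "dropper.dll"), "wb") as f:
            f.write(b"MZ-placeholder-dropper")
        os.remove(os.path.join(root, "etc", "passwd"))

        report = verify(root, baseline)
        # Constructed IOC list: only the trojaned sshd hash is "known bad".
        iocs = [hashlib.sha512(b"\x7fELF-trojaned-sshd").hexdigest()]
        report["ioc_hits"] = match_iocs(root, iocs)
        # win32.dll is present but its hash is not on the list, so it is not reported.
        return report


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the monitored host cannot rewrite (read-only media or a separate host), or an attacker who replaces a binary can simply re-baseline it.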

73
Q

An IDS analyst while reviewing a TCPDUMP file concluded the traffic was a benign email correspondence. The presence and use of which of the following ports
confirms this assumption?

A.
22

B.
25

C.
53

D.
80

A

B

SMTP (Simple Mail Transfer Protocol) runs on TCP port 25, so its presence is what points to mail traffic. Note that the question says the traffic is benign, not secure: SMTP on port 25 is cleartext unless STARTTLS is negotiated. Of the other options, 22 is SSH, 53 is DNS and 80 is HTTP (and port 23, often confused with 25, is Telnet).
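An added example (not from the original page) of pulling the port information out of tcpdump lines the way the analyst in this card would. The capture lines are constructed to look like `tcpdump -n` output and are not a real trace, and the well-known port table is the editor’s own. The `handshake` flag carries the caveat above: a destination port of 25 is a hint, and only a completed handshake with an SMTP conversation behind it confirms mail traffic.

```python
import re

# Constructed tcpdump-style lines (same shape as "tcpdump -n" output); not a real capture.
SAMPLE_TCPDUMP = """
10:21:07.101 IP 10.0.0.5.51234 > 203.0.113.10.25: Flags [S], seq 100, win 64240, length 0
10:21:07.102 IP 203.0.113.10.25 > 10.0.0.5.51234: Flags [S.], seq 900, ack 101, win 65535, length 0
10:21:07.103 IP 10.0.0.5.51234 > 203.0.113.10.25: Flags [P.], seq 101:127, ack 901, win 64240, length 26
10:21:09.500 IP 10.0.0.5.51300 > 203.0.113.10.22: Flags [S], seq 1, win 64240, length 0
""".strip().splitlines()

LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<length>\d+)$"
)

# Well-known server ports relevant to the question; a port is a hint, not proof of the protocol.
WELL_KNOWN = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}


def parse_line(line):
    """Return the addressing fields of one tcpdump TCP line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    for k in ("sport", "dport", "length"):
        pkt[k] = int(pkt[k])
    return pkt


def orient(pkt):
    """Decide which end is the server so both directions map to one flow key."""
    if pkt["dport"] in WELL_KNOWN or pkt["dport"] < pkt["sport"]:
        return (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["dst"], pkt["dport"]), (pkt["src"], pkt["sport"])


def summarize(lines):
    """Group packets into flows and label each by the server port's well-known service."""
    flows = {}
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        client, server = orient(pkt)
        flow = flows.setdefault((client, server), {
            "client": "%s:%d" % client,
            "server": "%s:%d" % server,
            "service": WELL_KNOWN.get(server[1], "unknown"),
            "packets": 0,
            "bytes": 0,
            "handshake": False,
        })
        flow["packets"] += 1
        flow["bytes"] += pkt["length"]
        if pkt["flags"] == "S." and (pkt["src"], pkt["sport"]) == server:
            flow["handshake"] = True  # SYN-ACK from the server: the port is really listening
    return list(flows.values())


if __name__ == "__main__":
    for f in summarize(SAMPLE_TCPDUMP):
        print(f)
```

On the sample, the first flow is reported as `smtp` with a completed handshake and 26 payload bytes, the second as `ssh` with only a SYN seen; anything on a port that is not in the table comes back as `unknown` rather than being guessed.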

74
Q

A system administrator is configuring a site-to-site IPSec VPN tunnel. Which of the following should be configured on the VPN concentrator for payload encryption?

A.
ECDHE

B.
SHA256

C.
HTTPS

D.
3DES

A

D

3DES (Triple DES) is a symmetric block cipher; in IPsec it is one of the ESP transforms used to encrypt the packet payload. ECDHE is a key-agreement method (it derives the keys but does not encrypt data), SHA-256 provides integrity/authentication of the packets, and HTTPS is not an IPsec component at all. 3DES is deprecated today and AES is what you would actually configure on a new tunnel, but it is the only payload cipher among the options.

75
Q

During a recent audit, it was discovered that several database services were running with local user accounts named “admin” and “dbadmin”. Which of the following controls
will prevent network administrators from using these types of usernames for services in the future? (Select TWO)

A.
Use shared account policies

B.
Prohibit generic or default accounts

C.
Perform continuous access monitoring

D.
Perform user account access reviews

E.
Require dedicated service accounts

A

B,E

76
Q

A major banking institution has been the victim of recurring, widespread fraud. The fraud has all occurred on the bank’s web portal. Recently, the bank implemented
a requirement for all users to obtain credentials in person at a physical office. However, this has not reduced the amount of fraud against legitimate customers.
Based on a review of the logs, most fraudulent transactions appear to be conducted with authentic credentials. Which of the following controls should be
strengthened to reduce the fraud through the website?

A.
Authentication

B.
DAC

C.
Identification

D.
Authorization

A

D

77
Q

The network administrator sees a “%CAM-TABLE-FULL” message on a network switch. Upon investigation, the administrator notices thousands of MAC addresses
associated with a single untagged port. Which of the following should be implemented to prevent this type of attack?

A.
Port security

B.
BPDU guard

C.
802.1X

D.
TACACS+

A

A

Port security. Thousands of MAC addresses on one port is a MAC flooding (CAM table overflow) attack: once the table is full the switch floods frames out of every port, so the attacker can sniff traffic it should never see. Port security limits how many MAC addresses a port may learn and shuts the port (or drops frames) when the limit is exceeded. BPDU guard protects spanning tree, 802.1X authenticates who may use the port but does not cap the number of addresses an authenticated host can send, and TACACS+ is AAA for device administration.

78
Q

A security administrator has implemented a series of computers to research possible intrusions into the organizational network, and to determine the motives as
well as the tool used by malicious entities. Which of the following has the security administrator implemented?

A.
Honeypot

B.
DMZ

C.
Honeynet

D.
VLANs

A

C.

Honeynet vs honeypot is key here.

79
Q

A Chief Information Officer (CIO) is working with his staff to develop a contingency plan for the organization. Which of the following steps should the CIO and his
staff take FIRST?

A.
Review the company’s risk assessment

B.
Perform a business impact analysis

C.
Create contingency strategies

D.
Develop the contingency plan policy statement

A

D

NIST SP 800-34 lays out the contingency planning process as: develop the contingency planning policy statement, conduct the business impact analysis, identify preventive controls, create contingency strategies, develop the plan, test/train/exercise, and maintain the plan. The policy statement comes first because it defines the authority, scope and responsibilities for everything that follows; the risk assessment and BIA are inputs to later steps.

80
Q

Which of the following types of malware can avoid detection by an antivirus system with up-to-date signatures?

A.
Trojan

B.
Backdoor

C.
Polymorphic

D.
Armored

A

C

Polymorphic malware rewrites (re-encrypts or mutates) its own code on each infection so that no fixed byte pattern survives, which is what defeats signature matching even when the signatures are current. Armored malware is built to resist analysis and reverse engineering; that makes writing a signature harder, but it does not by itself evade a signature that already exists.

81
Q

An auditor is reviewing the following logs from the company’s proxy server used to store both sensitive and public documents. The documents are edited via a client
web interface and all processing is performed on the server side.
http://www.documents-portal.com/editdoc.php?document1=this%20is%20the%20content%20of%20document1
http://www.documents-portal.com/editdoc.php?document2=this%20is%20the%20content%20of%20document2
http://www.documents-portal.com/editdoc.php?document3=this%20is%20the%20content%20of%20document3

A.
Two-factor authentication should be implemented for sensitive documents.

B.
Sensitive documents should be signed using enterprise PKI.

C.
Encryption should be implemented at the transport level.

D.
Document hashing should be done to preserve document integrity.

A

C

The document contents are being sent in cleartext HTTP query strings, which is why they are readable in the proxy log. Transport-level encryption (HTTPS) is the missing control: with TLS a forward proxy sees only the CONNECT to the host, not the URL. Moving the content out of the URL and into a POST body matters as well, because URLs tend to end up in proxy, web server and browser history logs even when TLS is in use.
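An added example, not part of the original page, that audits proxy log lines like the ones in this card. The first three sample lines are the URLs from the question; the HTTPS line and the example.com line are constructed, and the 16-character threshold is an arbitrary heuristic for “this looks like content rather than a parameter”.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log sample: the three URLs from the question plus two added lines.
SAMPLE_PROXY_LOG = """
http://www.documents-portal.com/editdoc.php?document1=this%20is%20the%20content%20of%20document1
http://www.documents-portal.com/editdoc.php?document2=this%20is%20the%20content%20of%20document2
http://www.documents-portal.com/editdoc.php?document3=this%20is%20the%20content%20of%20document3
https://www.documents-portal.com/editdoc.php
http://www.example.com/index.html?lang=en
""".strip().splitlines()


def audit_url(url, max_param_len=16):
    """Flag a logged URL that uses cleartext HTTP and/or carries document content in its query."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)  # values come back %-decoded
    reasons = []
    if parts.scheme == "http":
        reasons.append("cleartext transport")
    long_params = sorted(k for k, vs in params.items() if any(len(v) > max_param_len for v in vs))
    if long_params:
        reasons.append("document content in query string: " + ", ".join(long_params))
    return {"url": url, "host": parts.hostname, "path": parts.path, "reasons": reasons}


def audit_proxy_log(lines):
    """Return the audit findings for every logged URL that raised at least one reason."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        f = audit_url(line)
        if f["reasons"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_proxy_log(SAMPLE_PROXY_LOG):
        print(f["host"], f["path"], f["reasons"])
```

The HTTPS line produces no finding at all: under TLS the proxy would never have seen the path or query in the first place, which is the point of answer C.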

82
Q

A web server at an organization has been the target of distributed denial of service attacks. Which of the following, if correctly configured, would BEST mitigate
these and future attacks?

A.
SYN cookies

B.
Implicit deny

C.
Blacklisting

D.
URL filter

A

A

SYN cookies. A SYN flood fills the server’s half-open connection table with handshakes that never complete. With SYN cookies the server encodes the connection state in its initial sequence number instead of storing it, and only allocates state when the client’s final ACK proves the handshake was genuine. Implicit deny, blacklisting and URL filtering do not address resource exhaustion from spoofed handshakes.

83
Q

After a wireless security breach, the network administrator discovers the tool used to break into the network. Using a brute force attack, the tool is able to obtain the
wireless password in less that 11,000 attempts. Which of the following should be disabled to prevent this type of attack in the future?

A.
WPS

B.
WEP

C.
WIPS

D.
WPA2-PSK

A

A

WPS. The WPS PIN is effectively verified in two halves (four digits, then three digits plus a checksum digit), so an attacker needs at most 10,000 + 1,000 = 11,000 guesses instead of 10^7. Disabling WPS removes the PIN registrar entirely; WPA2-PSK itself was not what was brute-forced.

84
Q

Which of the following is an administrative control used to reduce tailgating?

A.
Delivering security training

B.
Erecting a fence

C.
Implementing magnetic locks on doors

D.
Installing a mantrap

A

A

Administrative (managerial) controls are policies, procedures and training; fences, magnetic locks and mantraps are physical controls.

85
Q

A system administrator is troubleshooting an issue affecting some FTP connections. Some employees are unable to upload or download files, although the firewall
is allowing the default FTP port. Which of the following can the administrator do to fix this case?

A.
Disable the use PASV in the FTP client

B.
Configure all FTP clients to use BIN transfer

C.
Enable inbound TCP port 20 on the firewall

D.
Enable both port 21 and 22 on the firewall

A

A

86
Q

A PKI architect is implementing a corporate enterprise solution. The solution must incorporate key escrow and recovery agents, as well as a tiered architecture.
Which of the following is required to implement the architecture correctly?

A.
Certificate revocation list

B.
Strong ciphers

C.
Intermediate authorities

D.
IPSec between CAs

A

C

87
Q

A security administrator has been asked to assist with the identification of a BYOD design that will ensure corporate data can be managed and monitored separately
from personal data. Which of the following would the security administrator recommend?

A.
Full device encryption

B.
Application control

C.
Key management

D.
Containerization

A

D

88
Q

A systems administrator is working with a third party to establish the automated transfer of large amounts of proprietary data. The interface will need to use secured
credentials and the transmission will consist of data that has been encrypted prior to transit and needs no additional protection. Which of the following would be the
MOST efficient method of data transmission given the established requirements?

A.
SSH

B.
TFTP

C.
FTP

D.
FTPS

A

A

89
Q

A high traffic website is experiencing numerous brute force attacks against its user base. The attackers are using a very large botnet to carry out the attack. As a
result, many users’ passwords are being compromised. Which of the following actions is appropriate for the website administrator to take in order to reduce the
threat from this type of attack in the future?

A.
Temporarily ban each IP address after five failed login attempts

B.
Prevent users from using dictionary words that they have used before.

C.
Prevent users from using passwords they have used before.

D.
Require user passwords to be at least ten characters in length

A

D

The attack is distributed across a botnet, so each source address makes only a few attempts and a five-failure IP ban never triggers (and would lock out legitimate users behind shared NAT addresses). Password history and dictionary-reuse rules do not change how many guesses an online attacker gets. Requiring longer passwords raises the cost of every guess the botnet makes; in practice you would pair that with per-account throttling and MFA.
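An added example (editor’s code, not from the page) contrasting option A with per-account detection. The login events are constructed: forty failures against one account from forty different TEST-NET addresses, plus a legitimate user mistyping his password from a single address.

```python
from collections import defaultdict, deque

# Constructed login events: (timestamp_seconds, source_ip, username, success).
# Forty failures against "alice" spread over forty botnet addresses in two minutes,
# plus "bob", who mistypes his password twice from one address and then succeeds.
SAMPLE_EVENTS = [(3 * i, "198.51.100.%d" % i, "alice", False) for i in range(1, 41)]
SAMPLE_EVENTS += [(200, "203.0.113.7", "bob", False),
                  (201, "203.0.113.7", "bob", False),
                  (202, "203.0.113.7", "bob", True)]


def per_ip_lockouts(events, threshold=5):
    """Option A: ban a source address after `threshold` failures. Returns the banned IPs."""
    failures = defaultdict(int)
    banned = set()
    for _, ip, _, ok in events:
        if not ok:
            failures[ip] += 1
            if failures[ip] >= threshold:
                banned.add(ip)
    return banned


def per_account_alerts(events, threshold=10, window=300, min_sources=5):
    """Track failures per *account* over a sliding window and alert when many distinct
    sources hammer the same username. Returns the accounts that need protecting
    (step-up authentication, CAPTCHA, or a temporary per-account lock)."""
    recent = defaultdict(deque)
    alerted = set()
    for ts, ip, user, ok in events:
        if ok:
            continue
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and len({src for _, src in q}) >= min_sources:
            alerted.add(user)
    return alerted


if __name__ == "__main__":
    print("per-IP bans:", per_ip_lockouts(SAMPLE_EVENTS))          # set(): no address hit 5
    print("per-account alerts:", per_account_alerts(SAMPLE_EVENTS))  # {'alice'}
```

The `min_sources` condition is what keeps bob out of the alert set: a single user fumbling a password is not a distributed attack, and locking his account would hand the botnet a denial-of-service lever.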

90
Q

A security auditor has full knowledge of company configuration and equipment. The auditor performs a test on the network, resulting in an exploitation of a zero-day
vulnerability.

A.
Grey box test

B.
Vulnerability scan

C.
Black box test

D.
Penetration test

A

D

91
Q

The border firewall rules were recently modified by a network administrator to allow access to a new service on Server 1 using the default https port. When testing
the new rules internal to the company network there are no issues and when testing from an external connection it does not work. The host running the service
does not receive external packets. Other services hosted on Server 1 are responding fine to both internal and external connection attempts. Which of the
following is MOST likely configured improperly?

A.
Network access control lists

B.
802.1x

C.
Port security

D.
Implicit deny

A

A

92
Q

The Chief Security Officer (CSO) is concerned with unauthorized access at the company’s off-site datacenter. The CSO would like to enhance the security posture
of the datacenter. Which of the following would BEST prevent unauthorized individuals from gaining access to the datacenter?

A.
Security guard

B.
Video monitoring

C.
Magnetic entry cards

D.
Fencing

A

A

93
Q

Which of the following is MOST effective at cracking hashed passwords?

A.
Rainbow tables

B.
Dictionary attack

C.
Birthday attack

D.
Brute force attack

A

A

Rainbow tables are precomputed hash-to-password chains, so cracking becomes a lookup instead of repeated hashing. They only work against unsalted (or fixed-salt) hashes: a per-user random salt means the table would have to be rebuilt for every salt value, which is why salted, slow hashes (bcrypt, scrypt, PBKDF2, Argon2) are the defence.
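An added example, not from the original page, showing why a precomputed table beats unsalted hashes and why a salt defeats it. The wordlist and salts are constructed and fixed so the run is repeatable; PBKDF2 stands in for any slow salted hash, and the dictionary table is a simplified stand-in for a real rainbow table (which stores hash chains rather than every digest).

```python
import hashlib
import hmac

# Constructed wordlist and fixed salts so the run is deterministic; real salts come from os.urandom.
WORDLIST = ["password", "letmein", "Summer2015", "qwerty", "hunter2"]
SALT_A = bytes.fromhex("00112233445566778899aabbccddeeff")
SALT_B = bytes.fromhex("ffeeddccbbaa99887766554433221100")
PBKDF2_ROUNDS = 100_000


def unsalted_hash(password):
    """What a naive password store does: one SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_table(words):
    """Precompute digest -> password once; the table is reusable against every unsalted store.
    (A real rainbow table compresses this with hash chains, but the principle is the same.)"""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(digest, table):
    """Cracking becomes a dictionary lookup: no hashing at attack time."""
    return table.get(digest)


def salted_hash(password, salt, rounds=PBKDF2_ROUNDS):
    """Per-user salt plus a slow KDF; this is what the store should hold."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def verify_salted(password, salt, stored):
    return hmac.compare_digest(salted_hash(password, salt), stored)


def crack_salted(stored, salt, words):
    """With a salt the attacker must rehash the wordlist for *this* salt; returns (password, work)."""
    work = 0
    for w in words:
        work += PBKDF2_ROUNDS
        if verify_salted(w, salt, stored):
            return w, work
    return None, work


def demo():
    table = build_table(WORDLIST)
    leaked_unsalted = unsalted_hash("Summer2015")
    hit = crack_with_table(leaked_unsalted, table)        # instant hit
    a = salted_hash("Summer2015", SALT_A)
    b = salted_hash("Summer2015", SALT_B)                 # same password, different digest
    table_miss = crack_with_table(a, table)               # None: the table is useless here
    recovered, work = crack_salted(a, SALT_A, WORDLIST)   # must redo the KDF for this user
    return {"table_hit": hit, "salted_differ": a != b, "table_miss": table_miss,
            "recovered": recovered, "kdf_iterations_spent": work}


if __name__ == "__main__":
    print(demo())
```

The salted store is still crackable when the password is weak, as the `recovered` result shows; what the salt buys is that every user costs the attacker a fresh run of the slow KDF, which is 300,000 iterations here for a three-word search instead of one dictionary lookup.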

94
Q

An enterprise needs to be able to receive files that contain PII from many customers at different times. The data must remain encrypted during transport and while
at rest. Which of the following encryption solutions would meet both of these requirements?

A.
PGP

B.
SCP

C.
SSL

D.
TLS

A

A

95
Q

A company provides wireless access for employees and a guest wireless network for visitors. The employee wireless network is encrypted and requires a
password. The guest wireless network does not use an encrypted connection and does not require a password. An administrator walks by a visitor’s laptop and
notices the following command line output:
reaver -i mon -b 7a:E5:9A:42:2C:C1 -vv
Starting…..
[+] Trying pin 12345678
[+] 93.41% complete @ 2015-01-10 10:30:21 (15 seconds)
[!] WARNING: 10 failed connections in a row
[+] Trying pin 12345688

Which of the following should the administrator implement and why?

A.
Initiate employee password changes because the visitor has captured passwords and is attempting offline cracking of those passwords.

B.
Implement two-factor wireless authentication because the visitor will eventually brute force the network key.

C.
Apply WPA or WPA2 encryption because the visitor is trying to crack the employee network that is encrypted with WEP.

D.
Disable WPS because the visitor is trying to crack the employee network.

E.
Apply MAC filtering because the visitor already has the network password.

A

D

The output is reaver iterating WPS PINs against the BSSID given with -b, which is the employee access point; the “failed connections” are WPS registrar responses, not captured passwords, so no offline cracking is happening. Disabling WPS closes the attack. The encryption in use and MAC filtering do not affect it, and two-factor authentication on the WLAN would not stop the PIN from being recovered.
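An added example covering both this card and card 83 (the “less than 11,000 attempts”), not part of the original page. The checksum rule is the one from the WPS specification; the registrar class is a constructed stand-in that only mimics the first-half/second-half failure the real protocol leaks, and the attack loop is an editor’s sketch of what reaver does, not reaver’s own code.

```python
def wps_checksum(pin7):
    """Checksum digit for a 7-digit WPS PIN (the weighted-sum rule from the WPS specification)."""
    accum = 0
    while pin7:
        accum += 3 * (pin7 % 10)
        pin7 //= 10
        accum += pin7 % 10
        pin7 //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8):
    """True if the 8-digit PIN's last digit is the correct checksum of the first seven."""
    return len(pin8) == 8 and pin8.isdigit() and int(pin8[7]) == wps_checksum(int(pin8[:7]))


class ToyRegistrar:
    """Stand-in for an access point's WPS registrar (constructed for the demo).

    Real APs leak the same thing: the handshake fails at message M4 when the first
    half is wrong and at M6 when only the second half is wrong, so each half can be
    brute-forced on its own.
    """

    def __init__(self, pin8):
        assert is_valid_pin(pin8)
        self.first, self.second = pin8[:4], pin8[4:]
        self.attempts = 0

    def try_first_half(self, half):
        self.attempts += 1
        return half == self.first

    def try_second_half(self, half):
        self.attempts += 1
        return half == self.second


def split_attack(registrar):
    """Reaver-style attack: up to 10,000 tries for the first half, then up to 1,000 for the second."""
    first = None
    for i in range(10_000):
        if registrar.try_first_half("%04d" % i):
            first = "%04d" % i
            break
    if first is None:
        return None
    for j in range(1_000):
        three = "%03d" % j
        second = three + str(wps_checksum(int(first + three)))  # checksum is derived, not guessed
        if registrar.try_second_half(second):
            return first + second
    return None


def search_space():
    """(valid 8-digit PINs once the checksum is accounted for, worst case with the split)."""
    return 10 ** 7, 10 ** 4 + 10 ** 3


if __name__ == "__main__":
    reg = ToyRegistrar("98765430")
    print(split_attack(reg), "after", reg.attempts, "attempts; worst case", search_space()[1])
```

With the PIN 98765430 the first half is found on attempt 9,877 and the second on attempt 544, so 10,421 attempts in total; the worst case is exactly the 11,000 the card refers to, against 10,000,000 if the PIN had to be guessed whole.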

96
Q

A firewall administrator has been instructed to block common Microsoft file sharing ports due to a recent malware outbreak. Which of the following ports should be
blocked by the firewall? (Select TWO).

A.
TCP/137

B.
UDP/137

C.
TCP/139

D.
UDP/139

E.
TCP/443

F.
UDP/443

G.
TCP/445

H.
UDP/445

A

C,G

http://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for

97
Q

A company hosts sites for multiple vendors and provides information to users globally. Which of the following is a critical security consideration in this environment?

A.
Proxy servers to enforce a single access mechanism to the data warehouse

B.
Firewalls to ensure that the data warehouse is not accessible to the Internet

C.
Access controls to prevent users from accessing the entire data warehouse

D.
Query protocols should use non-standard ports to protect user result-sets

A

C

98
Q

A security administrator wishes to implement a secure method of file transfer when communicating with outside organizations. Which of the following protocols
would BEST facilitate secure file transfers? (Select TWO).

A.
SCP

B.
TFTP

C.
SNMP

D.
FTP

E.
SMTP

F.
FTPS

A

A,F

99
Q

As their data set rapidly grows and changes, a company is experiencing availability problems with their database. The security manager recommends switching to a
more scalable system with dynamic schemas. Which of the following would meet the security manager’s requirements?

A.
SSDs

B.
NoSQL

C.
MariaDB

D.
RDBMS

A

B

100
Q

Which of the following should be implemented to enforce the corporate policy requiring up-to-date antivirus and OS patches on all computers connecting to the
network via VPN?

A.
VLAN

B.
NAT

C.
NAC

D.
DMZ

A

C

NAC (Network Access Control) checks the posture of an endpoint (antivirus present and current, OS patch level, and so on) before granting it access, and can quarantine or remediate hosts that fail. Applied at the VPN concentrator it enforces the policy on remote clients before they reach the internal network.

101
Q

A business has set up a Customer Service kiosk within a shopping mall. The location will be staffed by an employee using a laptop during the mall business hours,
but there are still concerns regarding the physical safety of the equipment after business hours. Which of the following controls would BEST address this security
concern?

A.
Host-based firewall

B.
Cable locks

C.
Locking cabinets

D.
Surveillance video

A

C

102
Q

The Chief Security Officer (CSO) has issued a new policy that requires that all internal websites be configured for HTTPS traffic only. The network administrator has
been tasked to update all internal sites without incurring additional costs. Which of the following is the BEST solution for the network administrator to secure each
internal website?

A.
Use certificates signed by the company CA.

B.
Use a signing certificate as a wild card certificate.

C.
Use certificates signed by a public CA.

D.
Use a self-signed certificate on each internal server

A

A

103
Q

Which of the following is an active penetration testing method?

A.
Searching the WHOIS database for administrator contact information

B.
Running a port scanner against the target’s network

C.
War driving from a target’s parking lot to footprint the wireless network

D.
Calling the target’s helpdesk, requesting a password reset

A

B

104
Q

A security manager has noticed several unrecognized devices connecting to the company’s internal wireless network. Only company-issued devices should be
connected to the network. Which of the following controls should be implemented to prevent the unauthorized devices from connecting to the wireless network?
(Select TWO).

A.
MAC filtering

B.
Create a separate wireless VLAN

C.
Implement 802.11n

D.
Enable WPA2

E.
Configure DHCP reservations

A

A,D

105
Q

A vulnerability in the underlying SSL/TLS library used by a web server has been announced. The vulnerability allows an attacker to access the web server’s
memory. Which of the following actions should be taken after the vulnerability is patched? (Select TWO).

A.
Implement a web application firewall

B.
Instruct users of the website to change their passwords

C.
Replace the server’s private key

D.
Reissue the SSL certificate

E.
Create a new recovery agent

F.
Change the cipher order on the server

A

C,D

This is the Heartbleed pattern: memory disclosure from the TLS library means the server’s private key must be assumed stolen. Patching stops the leak but does not un-leak the key, so generate a new key pair, have a certificate reissued for the new public key, and revoke the old certificate. Because session data may also have been exposed, asking users to change passwords is a sensible follow-on, but the key and certificate come first.

106
Q

A security administrator suspects that an employee has altered some fields within a noSQL database. Which of the following should the security administrator do to
confirm the suspicion and identify the employee?

A.
Review the video of the employee’s workstation.

B.
Review the database access log files.

C.
Capture a system image of the entire server.

D.
Generate file hashes of the database to compare to the last version.

A

B

The database access logs record which account made which change and when, so they both confirm that fields were altered and attribute the change to the employee. Hashing the database files and comparing against the last version (D) would confirm that something changed, but it cannot tell you who changed it.

107
Q

An administrator learns that port 389 will soon be blocked by the internal firewall for security reasons. Which of the following should the administrator now use to
maintain compatibility with most applications?

A.
SMTPS

B.
LDAPS

C.
SAML

D.
Kerberos

A

B

Port 389 is plain LDAP. LDAPS (LDAP over TLS, port 636) keeps the same directory protocol, and therefore the same application compatibility, while encrypting the session.

108
Q

A plant security officer is continually losing connection to two IP cameras that monitor several critical high voltage motors. Which of the following should the network
administrator do to BEST ensure the availability of the IP camera connections?

A.
Use a wireless bridge instead of the network cables

B.
Replace patch cables with shielded cables

C.
Change existing cables with optical cables

D.
Add new conduit runs for the network cables

A

C

109
Q

Which of the following is important to reduce risk?

A.
Separation of duties

B.
Risk acceptance

C.
Risk transference

D.
Threat modeling

A

A

110
Q

A database server has been compromised. A local user logged into the console and exploited a vulnerability caused by a missing operating system patch to get a
system level command shell. Which of the following does this represent?

A.
Zero-day exploit

B.
Buffer overflow

C.
SQL injection attack

D.
Privilege escalation

A

D

111
Q

Recently, the desktop support group has been performing a hardware refresh and has replaced numerous computers. An auditor discovered that a number of the
new computers did not have the company’s antivirus software installed on them. Which of the following could be utilized to notify the network support group when
computers without the antivirus software are added to the network?

A.
Network port protection

B.
NAC

C.
NIDS

D.
MAC filtering

A

B

112
Q

A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The
assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using
in-house or cheaply available resources. There cannot be a possibility of any equipment being damaged in the test. Which of the following has the administrator
been tasked to perform?

A.
Risk transference

B.
Penetration test

C.
Threat assessment

D.
Vulnerability assessment

A

D

113
Q

A company wants to ensure that all software executing on a corporate server has been authorized to do so by a central control point. Which of the following can be
implemented to enable such control?

A.
Digital signatures

B.
Mandatory access control

C.
Session keys

D.
Non-repudiation

A

A

114
Q

A single server hosts a sensitive SQL-based database and a web service containing static content. A few of the database fields need to be encrypted due to
regulatory requirements. Which of the following would provide the BEST encryption solution for this particular server?

A.
Individual file

B.
Database

C.
Full-disk

D.
Record based

A

D

115
Q

A company’s security analyst is investigating the suspected compromise of the company’s intranet web server. The compromise occurred at a time when no users
were logged into the domain. Which of the following is MOST likely to have prevented the attack from a new machine introduced to the corporate network?

A.
Domain log review

B.
802.1x

C.
NIDS

D.
Rogue detection

A

B

116
Q

The security administrator for a growing company is concerned about the increasing prevalence of personal devices connected to the corporate WLAN. Which of
the following actions should the administrator take FIRST to address this concern?

A.
Implement RADIUS to centrally manage access to the corporate network over WiFi.

B.
Request that senior management support the development of a policy that addresses personal devices.

C.
Establish a guest-access wireless network and request that employees use the guest network.

D.
Distribute a memo addressing the security risks associated with the use of personally-owned devices on the corporate WLAN.

A

B

117
Q

A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious landing page of an external entity. The internal endpoint is configured
using a limited account, is fully patched to current standards, and has current antivirus signatures. No alerts have been received involving this endpoint. The
security engineer finds malicious code on the endpoint during a forensic analysis. Which of the following MOST likely explains this occurrence?

A.
The external entity breached the IDS

B.
The antivirus engine was evaded

C.
The DLP did not detect the malicious code

D.
The endpoint was running on a hypervisor

A

B

118
Q

A company uses PKI certificates stored on a smart chip enabled badge. The badge is used for a small number of devices that connect to a wireless network. A user
reported that their badge was stolen. Which of the following could the security administrator implement to prevent the stolen badge from being used to compromise
the wireless network?

A.
Asset tracking

B.
Honeynet

C.
Strong PSK

D.
MAC filtering

A

A

119
Q

A security analyst has been asked to perform penetration testing against a web application being deployed for the first time. When performing the test the
application stops responding and returns an error referring to failed database connections. Upon further investigation, the analyst finds the database server was
inundated with commits which exhausted available space on the volume. Which of the following has been performed against the database server?

A.
DoS

B.
SQL injection

C.
SYN flood

D.
DDoS

E.
Cross-site scripting

A

A

120
Q

A university police department is housed on the first floor of a student dormitory. Which of the following would prevent students from using ARP spoofing attacks
against computers at the police department?

A.
Enable proxy ARP on router

B.
Private network addresses

C.
Separate Layer 2 VLANs

D.
Disable SSID broadcast

A

C

ARP spoofing only works within a broadcast domain, because ARP is a Layer 2 protocol that never crosses a router. Putting the police department’s computers in their own VLAN means a student’s forged ARP replies never reach them. Private addressing does nothing at Layer 2, proxy ARP makes the router answer for more addresses rather than fewer, and disabling SSID broadcast is a wireless setting unrelated to ARP. On managed switches, dynamic ARP inspection adds a second layer of protection within the VLAN.
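An added example (editor’s code, not from the page) of the reasoning behind separate VLANs, in the form of a small ARP-cache monitor that keeps one table per broadcast domain. All addresses are from the documentation ranges and the reply records are constructed.

```python
from collections import defaultdict

# Constructed ARP reply records: (timestamp, broadcast_domain, sender_ip, sender_mac).
# 00:00:5e:00:53:xx is the documentation MAC range, so these are not real devices.
GATEWAY_IP = "10.10.0.1"
GATEWAY_MAC = "00:00:5e:00:53:01"
ATTACKER_MAC = "00:00:5e:00:53:99"

FLAT_NETWORK = [
    (1, "vlan1", GATEWAY_IP, GATEWAY_MAC),            # the real router answers
    (2, "vlan1", "10.10.0.50", "00:00:5e:00:53:50"),
    (3, "vlan1", GATEWAY_IP, ATTACKER_MAC),           # student's forged reply reaches everyone
]
SEGMENTED_NETWORK = [
    (1, "police", GATEWAY_IP, GATEWAY_MAC),
    (2, "police", "10.10.0.50", "00:00:5e:00:53:50"),
    (3, "dorm", GATEWAY_IP, ATTACKER_MAC),            # same forgery, but it stays in the dorm VLAN
]


def detect_arp_spoof(replies, trusted=None):
    """Keep one IP->MAC table per broadcast domain and alert when a binding changes.

    `trusted` (optional) is a {(domain, ip): mac} map of static bindings, so a forged
    reply is caught even if it is the first one seen. Returns a list of alert dicts.
    """
    trusted = trusted or {}
    tables = defaultdict(dict)
    alerts = []
    for ts, domain, ip, mac in replies:
        expected = trusted.get((domain, ip)) or tables[domain].get(ip)
        if expected and expected != mac:
            alerts.append({"ts": ts, "domain": domain, "ip": ip,
                           "expected": expected, "seen": mac})
            continue  # do not let the forged binding poison the table
        tables[domain][ip] = mac
    return alerts


if __name__ == "__main__":
    print(detect_arp_spoof(FLAT_NETWORK))        # one alert: the gateway IP changed MAC
    print(detect_arp_spoof(SEGMENTED_NETWORK))   # no alert: the police table never sees it
    print(detect_arp_spoof([(1, "police", GATEWAY_IP, ATTACKER_MAC)],
                           trusted={("police", GATEWAY_IP): GATEWAY_MAC}))  # static binding
```

The segmented case raises nothing not because the forgery was harmless but because it never entered the police department’s broadcast domain; that is the whole effect of answer C, and the `trusted` map is the software equivalent of the static ARP entries or DHCP-snooping bindings a switch would use for dynamic ARP inspection.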

121
Q

The CEO for company A has asked the security engineer to design a PKI for company A. The CEO has asked that it allow company A users to send signed and
encrypted emails to company B. The users from company B must have an inherent trust in certificates from company A, because the security policy of company B
disallows adding of new CAs to their trusted root container. Which of the following is the BEST solution?

A.
Request email certificates for the users of company A from the PKI of company B.

B.
Build a new CA within the boundary of company A and issue email certificates to the users

C.
Establish a sub CA of company B’s root CA to issue email certificates to the users.

D.
Procure the services of a common Internet root CA to issue email certificates to the users.

A

D

122
Q

A security administrator is called to troubleshoot a computer infection. The computer’s software correctly identified the malware and flagged it to the central
management console; however, the malicious payload was still executed. Which of the following can cause this scenario?

A.
The payload hash did not match known malware

B.
The antivirus is running an older virus definition

C.
The computer is running an IDS

D.
The payload is a zero-day attack

A

C

123
Q

An organization decides to implement a BYOD policy but wants to ensure they address requirements associated with any legal investigations and controls needed
to comply with the analysis and recreation of an incident. This concern is also known as which of the following?

A.
Data ownership

B.
Forensics

C.
Chain of custody

D.
Acceptable use

A

B

124
Q

A security administrator is having continued issues with malware variants infecting systems and encrypting several types of files. The malware
uses a document macro to create a randomly named executable that downloads the encrypted payload of the malware. Once downloaded, the malware searches
all drives, creates an HTML file with the decryption instructions in the directory, and then proceeds to encrypt the target files. Which of the following actions would
BEST interrupt the malware before it encrypts other files while minimizing the adverse impacts to the users?

A.
Block execution of documents with macros

B.
Block addition of documents with macros

C.
Block the creation of the HTML document on the local system

D.
Block running external files from within documents

A

A

125
Q

In the course of troubleshooting wireless issues from users, a technician discovers that users are connecting to their home SSIDs while at work. The technician’s
scans detect none of those SSIDs. The technician eventually discovers a rogue access point that spoofs any SSID that a client requests. Which of the following
allows wireless use while mitigating this type of attack?

A.
Configure the device to verify access point MAC addresses

B.
Disable automatic connection to unknown SSIDs

C.
Only connect to trusted wireless networks

D.
Enable MAC filtering on the wireless access point

A

B

126
Q

An employee connects a wireless access point to the only jack in the conference room to provide Internet access during a movie. The access point is configured to
secure its users with WPA2-TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting attendees and the Internet. Which of
the following is the reason the malicious user is able to intercept and see clear text communications?

A.
The malicious user is running a wireless sniffer

B.
The wireless access point is broadcasting the SSID

C.
The malicious user is able to capture the wired communication

D.
The meeting attendees are using unencrypted hard drives

A

C

127
Q

A user contacts the help desk after being unable to log in to the corporate website. The user can log into the site from another computer in the next office, but not
from the PC. The user’s PC was able to connect earlier in the day. The help desk has the user restart the NTP service. Afterwards, the user is able to log into the
website. The MOST likely reason for the initial failure was that the website was configured to use which of the following authentication mechanisms?

A.
Secure LDAP

B.
RADIUS

C.
NTLMv2

D.
Kerberos

A

D

128
Q

A new help desk employee at a cloud services provider receives a call from a customer. The customer is unable to log into the provider’s web application database.
The help desk employee is unable to find the customer’s user account in the directory services console, but sees the customer information in the application
database. The application does not appear to have any fields for a password. The customer then remembers the password and is able to log in. The help desk
employee still does not see the user account in directory services. Which of the following is the MOST likely explanation?

A.
A bug has been discovered in the application

B.
An application uses a weak encryption cipher

C.
A federated authentication model is being used.

D.
The application uses single sign on.

A

C

129
Q

The chief security officer (CSO) has issued a new policy that requires that all internal websites be configured for HTTPS traffic only. The network administrator has
been tasked to update all internal sites without incurring additional costs. Which of the following is the best solution for the network administrator to secure each
internal website?

A.
Use certificates signed by the company CA

B.
Use a signing certificate as a wild card certificate

C.
Use certificates signed by a public CA

D.
Use a self-signed certificate on each internal server

A

A

130
Q

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES
modes of operation would meet this integrity-only requirement?

A.
GMAC

B.
PCBC

C.
CBC

D.
GCM

E.
CFB

A

A

131
Q

A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage.
Which of the following should be implemented?

A.
Recovery agent

B.
OCSP

C.
CRL

D.
Key escrow

A

C

132
Q

A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten
application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of
the following should the security administrator do to rectify this issue?

A.
Recommend performing a security assessment on each application, and only segment the applications with the most vulnerability

B.
Recommend classifying each application into like security groups and segmenting the groups from one another

C.
Recommend segmenting each application, as it is the most secure approach

D.
Recommend that only applications with minimal security features should be segmented to protect them

A

B

133
Q

A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must
collect the most volatile data first. Which of the following is the correct order in which Joe should collect the data?

A.
CPU cache, paging/swap files, RAM, remote logging data

B.
RAM, CPU cache, remote logging data, paging/swap files

C.
Paging/swap files, CPU cache, RAM, remote logging data

D.
CPU cache, RAM, paging/swap files, remote logging data

A

D

134
Q

A user of the wireless network is unable to gain access to the network. The symptoms are:
1.) Unable to connect to both internal and Internet resources
2.) The wireless icon shows connectivity but has no network access
The wireless network is WPA2 Enterprise and users must be a member of the wireless security group to authenticate. Which of the following is the MOST likely cause of the connectivity issues?

A.
The wireless signal is not strong enough

B.
A remote DDoS attack against the RADIUS server is taking place

C.
The user’s laptop only supports WPA and WEP

D.
The DHCP scope is full

E.
The dynamic encryption key did not update while the user was offline

A

A

135
Q

While reviewing the monthly internet usage, it is noted that there is a large spike in traffic classified as “unknown” that does not appear to be within the bounds of the
organization’s Acceptable Use Policy. Which of the following tools or technologies would work BEST for obtaining more information on this traffic?

A.
Firewall logs

B.
IDS logs

C.
Increased spam filtering

D.
Protocol analyzer

A

D

136
Q

The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture
consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer
transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does
business in jurisdictions with varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls
should be implemented to provide the MOST complete protection of data?

A.
Revoke existing root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for
data in-transit between data centers

B.
Ensure all data is encrypted according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers,
increase data availability by replicating all data, transaction data, and logs between each corporate location

C.
Store customer data based on national borders, ensure end-to-end encryption between ATMs, end users, and servers, test redundancy and COOP plans to
ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations

D.
Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement end-to-end encryption between mobile applications and the cloud.

A

C

137
Q

A technician has installed new vulnerability scanner software on a server that is joined to the company domain. The vulnerability scanner is able to provide visibility
over the patch posture of all company’s clients. Which of the following is being used?

A.
Gray box vulnerability testing

B.
Passive scan

C.
Credentialed scan

D.
Bypassing security controls

A

C

138
Q

A portable data storage device has been determined to have malicious firmware. Which of the following is the BEST course of action to ensure data confidentiality?

A.
Format the device

B.
Re-image the device

C.
Perform virus scan in the device

D.
Physically destroy the device

A

D

139
Q

Technicians working with servers hosted at the company’s datacenter are increasingly complaining of electric shocks when touching metal items, which have been
linked to hard drive failures. Which of the following should be implemented to correct this issue?

A.
Decrease the room temperature

B.
Increase humidity in the room

C.
Utilize better hot/cold aisle configurations

D.
Implement EMI shielding

A

B

140
Q

A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the
following attacks?

A.
SQL injection

B.
Header manipulation

C.
Cross-site scripting

D.
Flash cookie exploitation

A

C

141
Q

Which of the following should identify critical systems and components?

A.
MOU

B.
BPA

C.
ITCP

D.
BCP

A

D - Business continuity plan

142
Q

Company policy requires the use of passphrases instead of passwords. Which of the following technical controls MUST be in place in order to promote the use of
passphrases?

A.
Reuse

B.
Length

C.
History

D.
Complexity

A

B

143
Q

A bank requires tellers to get manager approval when a customer wants to open a new account. A recent audit shows that there have been four cases in the
previous year where tellers opened accounts without management approval. The bank president thought separation of duties would prevent this from happening. In
order to implement a true separation of duties approach the bank could:

A.
Require the use of two different passwords held by two different individuals to open an account

B.
Administer account creation on a role based access control approach

C.
Require all new accounts to be handled by someone else other than a teller since they have different duties

D.
Administer account creation on a rule based access control approach

A

C

144
Q

A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account
unlocked, the security administrator immediately notices a large number of email alerts pertaining to several different user accounts being locked out during the
past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that had
previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected?

A.
Password complexity rules

B.
Continuous monitoring

C.
User access reviews

D.
Account lockout policies

A

B

145
Q

An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the vulnerability by developing new malware. After installing
the malware the attacker is provided with access to the infected machine. Which of the following is being described?

A.
Zero-day exploit

B.
Remote code execution

C.
Session hijacking

D.
Command injection

A

A

146
Q

A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator
conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user
accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies?

A.
Mandatory access controls

B.
Disable remote login

C.
Host hardening

D.
Disabling services

A

C

147
Q

A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory
management system. Recent changes to airline security regulations have caused many executives in the company to travel with mini tablet devices instead of
laptops. These tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following
should be implemented in order to meet the security policy requirements?

A.
Virtual desktop infrastructure (VDI)

B.
WS-security and geo-fencing

C.
A hardware security module (HSM)

D.
RFID tagging system

E.
MDM software

F.
Security Requirements Traceability Matrix (SRTM)

A

D

148
Q

A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a DMZ which is expected to accommodate at most 14 physical
hosts. Which of the following subnets would BEST meet the requirements?

A.
192.168.0.16 255.25.255.248

B.
192.168.0.16/28

C.
192.168.1.50 255.255.25.240

D.
192.168.2.32/27

A

B

149
Q

After a merger between two companies a security analyst has been asked to ensure that the organization’s systems are secured against infiltration by any former
employees that were terminated during the transition. Which of the following actions are MOST appropriate to harden applications against infiltration by former
employees? (Select TWO)

A.
Monitor VPN client access

B.
Reduce failed login settings

C.
Develop and implement updated access control policies

D.
Review and address invalid login attempts

E.
Increase password complexity requirements

F.
Assess and eliminate inactive accounts

A

C,F

150
Q

A security administrator is trying to encrypt communication. For which of the following reasons should the administrator take advantage of the Subject Alternative
Names (SAN) attribute of a certificate?

A.
It can protect multiple domains

B.
It provides extended site validation

C.
It does not require a trusted certificate authority

D.
It protects unlimited subdomains

A

A

151
Q

Which of the following should be used to implement voice encryption?

A.
SSLv3

B.
VDSL

C.
SRTP

D.
VoIP

A

C

Secure Real-time Transport Protocol

152
Q

The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The
administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact the SSID has been disabled. Which of the
following would further obscure the presence of the wireless network?

A.
Upgrade the encryption to WPA or WPA2

B.
Create a non-zero length SSID for the wireless router

C.
Reroute wireless users to a honeypot

D.
Disable responses to a broadcast probe request

A

D

153
Q

An administrator is testing the collision resistance of different hashing algorithms. Which of the following is the strongest collision resistance test?

A.
Find two identical messages with different hashes

B.
Find two identical messages with the same hash

C.
Find a common hash between two specific messages

D.
Find a common hash between a specific message and a random message

A

D

154
Q

Which of the following best describes the initial processing phase used in mobile device forensics?

A.
The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device

B.
The removable data storage cards should be processed first to prevent data alteration when examining the mobile device

C.
The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again

D.
The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.

A

C

155
Q

The data backup window has expanded into the morning hours and has begun to affect production users. The main bottleneck in the process is the time it takes to
replicate the backups to separate servers at the offsite data center. Which of the following uses of deduplication could be implemented to reduce the backup
window?

A.
Implement deduplication at the network level between the two locations

B.
Implement deduplication on the storage array to reduce the amount of drive space needed

C.
Implement deduplication on the server storage to reduce the data backed up

D.
Implement deduplication on both the local and remote servers

A

D

156
Q

A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious
gaming customers attempting to circumvent control by way of modifying consoles? (Choose two)

A.
Firmware version control

B.
Manual software upgrades

C.
Vulnerability scanning

D.
Automatic updates

E.
Network segmentation

F.
Application firewalls

A

A,D

157
Q

An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several
users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files, however, they cannot transfer new files
to the server. Which of the following will most likely fix the uploading issue for the users?

A.
Create an ACL to allow the FTP service write access to user directories

B.
Set the SELinux boolean value to allow FTP home directory uploads

C.
Reconfigure the FTP daemon to operate without utilizing PASV mode

D.
Configure the FTP daemon to utilize PAM authentication pass through user permissions

A

B

158
Q

Which of the following is the appropriate network structure used to protect servers and services that must be provided to external clients without completely
eliminating access for internal users?

A.
NAC

B.
VLAN

C.
DMZ

D.
Subnet

A

C

159
Q

Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO)

A.
Block level encryption

B.
SAML authentication

C.
Transport encryption

D.
Multifactor authentication

E.
Predefined challenge questions

F.
Hashing

A

B,D

160
Q

The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each
of the affected users’ accounts. Which of the following controls should be implemented to curtail this activity?

A.
Password Reuse

B.
Password complexity

C.
Password History

D.
Password Minimum age

A

D

161
Q

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones of interfaces on a firewall?

A.
Egress traffic is more important than ingress traffic for malware prevention

B.
To rebalance the amount of outbound traffic and inbound traffic

C.
Outbound traffic could be communicating to known botnet sources

D.
To prevent DDoS attacks originating from external network

A

C

162
Q

When designing a web-based client-server application with a single application server and database cluster backend, input validation should be performed:

A.
On the client

B.
Using database stored procedures

C.
On the application server

D.
Using HTTPS

A

C

163
Q

Which of the following techniques can bypass a user or computer’s web browser privacy settings? (Select Two)

A.
SQL injection

B.
Session hijacking

C.
Cross-site scripting

D.
Locally shared objects

E.
LDAP injection

A

B,D

164
Q

A datacenter manager has been asked to prioritize critical system recovery priorities. Which of the following is the MOST critical for immediate recovery?

A.
Communications software

B.
Operating system software

C.
Weekly summary reports to management

D.
Financial and production software

A

B

165
Q

A security administrator needs an external vendor to correct an urgent issue with an organization’s physical access control system (PACS). The PACS does not
currently have internet access because it is running a legacy operating system. Which of the following methods should the security administrator select that best
balances security and efficiency?

A.
Temporarily permit outbound internet access for the PACS so desktop sharing can be set up

B.
Have the external vendor come onsite and provide access to the PACS directly

C.
Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing

D.
Set up a web conference on the administrator’s PC; then remotely connect to the PACS

A

B

166
Q

A company is investigating a data compromise where data exfiltration occurred. Prior to the investigation, the supervisor terminates an employee as a result of the
suspected data loss. During the investigation, the supervisor is absent for the interview, and little evidence can be provided from the role-based authentication
system in use by the company. The situation can be identified for future mitigation as which of the following?

A.
Job rotation

B.
Logging failure

C.
Lack of training

D.
Insider threat

A

B

167
Q

Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the
stakeholders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the
newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the
following BEST describes the current software development phase?

A.
The system integration phase of the SDLC

B.
The system analysis phase of SSDSLC

C.
The system design phase of the SDLC

D.
The system development phase of the SDLC

A

D

168
Q

Which of the following can be used to control specific commands that can be executed on a network infrastructure device?

A.
LDAP

B.
Kerberos

C.
SAML

D.
TACACS+

A

D

169
Q

A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network
interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated. Which of the following options will provide the best
performance and availability for both the VoIP traffic, as well as the traffic on the existing data network?

A.
Put the VoIP network into a different VLAN than the existing data network.

B.
Upgrade the edge switches from 10/100/1000 to improve network speed

C.
Physically separate the VoIP phones from the data network

D.
Implement flood guards on the data network

A

A

170
Q

Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain?

A.
TACACS+

B.
RADIUS

C.
Kerberos

D.
SAML

A

D

171
Q

The administrator installs database software to encrypt each field as it is written to disk. Which of the following describes the encrypted data?

A.
In-transit

B.
In-use

C.
Embedded

D.
At-rest

A

D

172
Q

When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm?

A.
RC4

B.
MD5

C.
HMAC

D.
SHA

A

D SHA

173
Q

An organization wants to conduct secure transactions of large data files. Before encrypting and exchanging the data files, the organization wants to ensure a secure
exchange of keys. Which of the following algorithms is appropriate for securing the key exchange?

A.
DES

B.
Blowfish

C.
DSA

D.
Diffie-Hellman

E.
3DES

A

D

174
Q

Which of the following attacks takes advantage of user provided input to inject executable binary code into a running program?

A.
SQL injection

B.
Session hijacking

C.
Header manipulation

D.
Buffer overflow

A

D

175
Q

A security analyst is reviewing the following packet capture of an attack directed at a company’s server located in the DMZ:

Which of the following ACLs provides the BEST protection against the above attack and any further attacks from the same IP, while minimizing service interruption?

A.
DENY TCO From ANY to 172.31.64.4

B.
Deny UDP from 192.168.1.0/24 to 172.31.67.0/24

C.
Deny IP from 192.168.1.10/32 to 0.0.0.0/0

D.
Deny TCP from 192.168.1.10 to 172.31.67.4

A

C

176
Q

Many employees are receiving email messages similar to the one shown below:
From IT department
To employee
Subject email quota exceeded
Please click on the following link http:www.website.info/email.php?quota=1Gb and provide your username and password to increase your email quota. Upon
reviewing other similar emails, the security administrator realized that all the phishing URLs have the following common elements: they all use HTTP, they all come
from .info domains, and they all contain the same URI.
Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the
same time minimizing false positives?

A.
BLOCK http://www.*.info/”

B.
DROP http://”website.info/email.php?*

C.
Redirect http://www,. Info/email.php?quota=TOhttp://company.com/corporate_polict.html

D.
DENY http://*.info/email.php?quota=1Gb

A

D

177
Q

An attacker captures the encrypted communication between two parties for a week, but is unable to decrypt the messages. The attacker then compromises the
session key during one exchange and successfully compromises a single message. The attacker plans to use this key to decrypt previously captured and future
communications, but is unable to. This is because the encryption scheme in use adheres to:

A.
Asymmetric encryption

B.
Out-of-band key exchange

C.
Perfect forward secrecy

D.
Secure key escrow

A

C

Perfect forward secrecy, which ensures that if one key is compromised, subsequent keys will not be compromised.

178
Q

A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to log on to network
devices using their LDAP credentials. All commands executed by network administrators on network devices must fall within a preset list of authorized commands
and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement?

A.
LDAP server 10.55.199.3

B.
CN=company, CN=com, OU=netadmin, DC=192.32.10.233

C.
SYSLOG SERVER 172.16.23.50

D.
TACACS+ server 192.168.1.100

A

D

179
Q

An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and
requires significant overhead. Management would like to simplify the access control and provide users with the ability to determine what permissions should be
applied to files, documents, and directories. The access control method that BEST satisfies these objectives is:

A.
Rule-based access control

B.
Role-based access control

C.
Mandatory access control

D.
Discretionary access control

A

D

180
Q

A security administrator has been asked to implement a VPN that will support remote access over IPsec. Which of the following is an encryption algorithm that
would meet this requirement?

A.
MD5

B.
AES

C.
UDP

D.
PKI

A

B

181
Q

Which of the following is commonly used for federated identity management across multiple organizations?

A.
SAML

B.
Active Directory

C.
Kerberos

D.
LDAP

A

A

182
Q

The process of applying a salt and cryptographic hash to a password then repeating the process many times is known as which of the following?

A.
Collision resistance

B.
Rainbow table

C.
Key stretching

D.
Brute force attack

A

C

183
Q

An information system owner has supplied a new requirement to the development team that calls for increased non-repudiation within the application. After
undergoing several audits, the owner determined that current levels of non-repudiation were insufficient. Which of the following capabilities would be MOST
appropriate to consider implementing in response to the new requirement?

A.
Transitive trust

B.
Symmetric encryption

C.
Two-factor authentication

D.
Digital signatures

E.
One-time passwords

A

D

184
Q

Joe notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical controls should
Joe put in place to BEST reduce these incidents?

A.
Account lockout

B.
Group Based Privileges

C.
Least privilege

D.
Password complexity

A

A

185
Q

Given the log output:
Max 15 00:15:23.431 CRT: #SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: msmith] [Source:
10.0.12.45]
[localport: 23] at 00:15:23:431 CET Sun Mar 15 2015
Which of the following should the network administrator do to protect data security?

A.
Configure port security for logons

B.
Disable telnet and enable SSH

C.
Configure an AAA server

D.
Disable password and enable RSA authentication

A

B

186
Q

Which of the following are MOST susceptible to birthday attacks?

A.
Hashed passwords

B.
Digital certificates

C.
Encryption passwords

D.
One time passwords

A

A

187
Q

A company is planning to encrypt the files in several sensitive directories of a file server with a symmetric key.
Which of the following could be used?

A.
RSA

B.
TwoFish

C.
Diffie-Hellman

D.
NTLMv2

E.
RIPEMD

A

B

188
Q

Malware that changes its binary pattern on specific dates at specific times to avoid detection is known as a(n):

A.
armored virus

B.
logic bomb

C.
polymorphic virus

D.
Trojan

A

C

189
Q

A Chief Security Officer (CSO) has been unsuccessful in attempts to access the website for a potential partner (www.example.net). Which of the following rules is
preventing the CSO from accessing the site? Blocked sites: *.nonews.com, *.rumorhasit.net, *.mars?

A.
Rule 1: deny from inside to outside source any destination any service smtp

B.
Rule 2: deny from inside to outside source any destination any service ping

C.
Rule 3: deny from inside to outside source any destination {blocked sites} service http-https

D.
Rule 4: deny from any to any source any destination any service any

A

D

190
Q

A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources.
Which of the following should be implemented?

A.
Mandatory access control

B.
Discretionary access control

C.
Role based access control

D.
Rule-based access control

A

B

191
Q

An organization is working with a cloud services provider to transition critical business applications to a hybrid cloud environment. The organization retains sensitive
customer data and wants to ensure the provider has sufficient administrative and logical controls in place to protect its data. In which of the following documents
would this concern MOST likely be addressed?

A.
Service level agreement

B.
Interconnection security agreement

C.
Non-disclosure agreement

D.
Business process analysis

A

B

192
Q

A company often processes sensitive data for the government. The company also processes a large amount of commercial work and as such is often providing
tours to potential customers that take them into various workspaces. Which of the following security methods can provide protection against tour participants
viewing sensitive information at minimal cost?

A.
Strong passwords

B.
Screen protectors

C.
Clean-desk policy

D.
Mantraps

A

C

193
Q

Recently clients are stating they can no longer access a secure banking site’s webpage. In reviewing the clients’ web browser settings, the certificate chain is
showing the following:
Certificate Chain:
X Digi Cert
Digi Cert High assurance C3
* banksite.com
Certificate Store:
Digi Cert Others Certificate Store
Digi Cert High assurance C3 Others Certificate Store
Based on the information provided, which of the following is the problem when connecting to the website?

A.
The certificate signature request was invalid

B.
Key escrow is failing for the certificate authority

C.
The certificate authority has revoked the certificate

D.
The clients do not trust the certificate authority

A

C

194
Q

An administrator is configuring a new Linux web server where each user account is confined to a chroot jail.
Which of the following describes this type of control?

A.
SysV

B.
Sandbox

C.
Zone

D.
Segmentation

A

B

195
Q

An organization receives an email that provides instructions on how to protect a system from being a target of new malware that is rapidly infecting systems. The
incident response team investigates the notification, determines it to be invalid, and notifies users to disregard the email. Which of the following BEST describes this
occurrence?

A.
Phishing

B.
Scareware

C.
SPAM

D.
Hoax

A

D

196
Q

A government agency wants to ensure that the systems they use have been deployed as securely as possible. Which of the following technologies will enforce
protections on these systems to prevent files and services from operating outside of a strict rule set?

A.
Host based Intrusion detection

B.
Host-based firewall

C.
Trusted OS

D.
Antivirus

A

B

197
Q

A forensics analyst is tasked with identifying identical files on a hard drive. Due to the large number of files to be compared, the analyst must use an algorithm that is
known to have the lowest collision rate. Which of the following should be selected?

A.
MD5

B.
RC4

C.
SHA1

D.
AES-256

A

C

198
Q

Joe, a system architect, wants to implement appropriate solutions to secure the company’s distributed database. Which of the following concepts should be
considered to help ensure data security? (Select TWO)

A.
Data at rest

B.
Data in use

C.
Replication

D.
Wiping

E.
Retention

F.
Cloud Storage

A

A,C

199
Q

A system administrator is implementing a firewall ACL to block specific communication to and from a predefined list of IP addresses, while allowing all other
communication. Which of the following rules is necessary to support this implementation?

A.
Implicit allow as the last rule

B.
Implicit allow as the first rule

C.
Implicit deny as the first rule

D.
Implicit deny as the last rule

A

A

200
Q

An administrator wants to provide onboard hardware based cryptographic processing and secure key storage for full-disk encryption. Which of the following should
the administrator use to fulfill the requirements?

A.
AES

B.
TPM

C.
FDE

D.
PAM

A

B

201
Q

Which of the following is a proprietary protocol commonly used for router authentication across an enterprise?

A.
SAML

B.
TACACS

C.
LDAP

D.
RADIUS

A

B

202
Q

A security manager is preparing the training portion of an incident plan. Which of the following job roles should receive training on forensics, chain of custody, and
the order of volatility?

A.
System owners

B.
Data custodians

C.
First responders

D.
Security guards

A

C

203
Q

A developer needs to utilize AES encryption in an application but requires the speed of encryption and decryption to be as fast as possible. The data that will be
secured is not sensitive so speed is valued over encryption complexity. Which of the following would BEST satisfy these requirements?

A.
AES with output feedback

B.
AES with cipher feedback

C.
AES with cipher block chaining

D.
AES with counter mode

A

D

204
Q

An administrator needs to protect against downgrade attacks due to various vulnerabilities in SSL/TLS. Which of the following actions should be performed? (Select
TWO)

A.
Set minimum protocol supported

B.
Request a new certificate from the CA

C.
Configure cipher order

D.
Disable flash cookie support

E.
Re-key the SSL certificate

F.
Add the old certificate to the CRL

A

A,C

205
Q

A project manager is evaluating proposals for a cloud computing project. The project manager is particularly concerned about logical security controls in place at
the service provider’s facility. Which of the following sections of the proposal would be MOST important to review, given the project manager’s concerns?

A.
CCTV monitoring

B.
Perimeter security lighting system

C.
Biometric access system

D.
Environmental system configuration

A

C

Logical security consists of software safeguards for an organization’s systems, including user identification and password access, authenticating,
access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a
workstation.

206
Q

An administrator is hardening systems and wants to disable unnecessary services. One Linux server hosts files used by a Windows web server on another
machine. The Linux server is only used for secure file transfer, but requires a share for the Windows web server as well. The administrator sees the following output
from a netstat -lp command:

Which of the following processes can the administrator kill without risking impact to the purpose and function of the Linux or Windows servers? (Select Three)

A.
1488

B.
1680

C.
2120

D.
2121

E.
2680

F.
8217

A

B,D,E

207
Q

A system administrator runs a network inventory scan every Friday at 10:00 am to track the progress of a large organization’s operating system upgrade of all
laptops. The system administrator discovers that some laptops are now only being reported as IP addresses. Which of the following options is MOST likely the
cause of this issue?

A.
HIDS

B.
Host-based firewalls rules

C.
All the laptops are currently turned off

D.
DNS outage

A

B

208
Q

A company must send sensitive data over a non-secure network via web services. The company suspects that competitors are actively trying to intercept all
transmissions. Some of the information may be valuable to competitors, even years after it has been sent. Which of the following will help mitigate the risk in the
scenario?

A.
Digitally sign the data before transmission

B.
Choose stream ciphers over block ciphers

C.
Use algorithms that allow for PFS

D.
Enable TLS instead of SSL

E.
Use a third party for key escrow

A

C

209
Q

When information is shared between two separate organizations, which of the following documents would describe the sensitivity as well as the type and flow of the
information?

A.
SLA

B.
ISA

C.
BPA

D.
MOA

A

B

Interconnection security agreement

210
Q

The chief security officer (CSO) has reported a rise in data loss but no break-ins have occurred. By doing which of the following would the CSO MOST likely
reduce the number of incidents?

A.
Implement protected distribution

B.
Employ additional firewalls

C.
Conduct security awareness training

D.
Install perimeter barricades

A

A

211
Q

Which of the following best describes the objectives of succession planning?

A.
To identify and document the successive order in which critical systems should be reinstated following a disaster situation

B.
To ensure that a personnel management plan is in place to ensure continued operation of critical processes during an incident

C.
To determine the appropriate order in which to contact internal resources, third party suppliers and external customers during a disaster response

D.
To document the order that systems should be reinstated at the primary site following a failover operation at a backup site.

A

B

212
Q

A security technician is concerned there is not enough security staff available to monitor the web servers and database server located in the DMZ around the clock. Which of
the following technologies, when deployed, would provide the BEST round-the-clock automated protection?

A.
HIPS & SIEM

B.
NIPS & HIDS

C.
HIDS & SIEM

D.
NIPS & HIPS

A

D

213
Q

A corporate wireless guest network uses an open SSID with a captive portal to authenticate guest users. Guests can obtain their portal password at the service
desk. A security consultant alerts the administrator that the captive portal is easily bypassed, as long as one other wireless guest user is on the network. Which of
the following attacks did the security consultant use?

A.
ARP poisoning

B.
DNS cache poisoning

C.
MAC spoofing

D.
Rogue DHCP server

A

C

214
Q

The security administrator receives a service ticket saying a host based firewall is interfering with the operation of a new application that is being tested in
development. The administrator asks for clarification on which ports need to be open. The software vendor replies that it could use up to 20 ports and that many
customers have disabled the host based firewall. After examining the system, the administrator sees several ports that are open for database and application
servers that are only used locally. The vendor continues to recommend disabling the host based firewall. Which of the following is the best course of action for the
administrator to take?

A.
Allow ports used by the application through the network firewall

B.
Allow ports used externally through the host firewall

C.
Follow the vendor recommendations and disable the host firewall

D.
Allow ports used locally through the host firewall

A

D

215
Q

A chief information officer (CIO) is concerned about PII contained in the organization’s various data warehouse platforms. Since not all of the PII transferred to the
organization is required for proper operation of the data warehouse application, the CIO requests the needed PII data be parsed and securely discarded. Which of
the following controls would be MOST appropriate in this scenario?

A.
Execution of PII data identification assessments

B.
Implementation of data sanitization routines

C.
Encryption of data-at-rest

D.
Introduction of education programs and awareness training

E.
Creation of policies and procedures

A

E

216
Q

A security administrator is selecting an MDM solution for an organization, which has strict security requirements for the confidentiality of its data on end user
devices. The organization decides to allow BYOD, but requires that users wishing to participate agree to the following specific device configurations: camera
disablement, password enforcement, and application whitelisting. The organization must be able to support a device portfolio of differing mobile operating systems.
Which of the following represents the MOST relevant technical security criteria for the MDM?

A.
Breadth of support for device manufacturers’ security configuration APIs

B.
Ability to extend the enterprise password policies to the chosen MDM

C.
Features to support the backup and recovery of the stored corporate data

D.
Capability to require the users to accept an AUP prior to device onboarding

A

A

217
Q

A company is deploying a new video conferencing system to be used by the executive team for board meetings. The security engineer has been asked to choose
the strongest available asymmetric cipher to be used for encryption of board papers, and to choose the strongest available stream cipher to be configured for video
streaming. Which of the following ciphers should be chosen? (Select two)

A.
RSA

B.
RC4

C.
3DES

D.
HMAC

E.
SHA-256

A

A,B

218
Q

A network administrator wants to implement a solution that will allow authorized traffic, deny unauthorized traffic and ensure that appropriate ports are being used for
a number of TCP and UDP protocols. Which of the following network controls would meet these requirements?

A.
Stateful firewall

B.
Web security gateway

C.
URL filter

D.
proxy server

E.
web application firewall

A

A

219
Q

A switch is set up to allow only 2 simultaneous MAC addresses per switch port. An administrator is reviewing a log and determines that a switch port has been
deactivated in a conference room after it detected 3 or more MAC addresses on the same port. Which of the following reasons could have caused this port to be
disabled?

A.
A PC had a NIC replaced and reconnected to the switch

B.
An IP telephone has been plugged in

C.
A rogue access point was plugged in

D.
An ARP attack was launched from a PC on this port

A

D

220
Q

During a recent audit, the auditors cited the company’s current virtual machine infrastructure as a concern. The auditors cited the fact that servers containing
sensitive customer information reside on the same physical host as numerous virtual machines that follow less stringent security guidelines. Which of the following
would be the best choice to implement to address this audit concern while maintaining the current infrastructure?

A.
Migrate the individual virtual machines that do not contain sensitive data to separate physical machines

B.
Implement full disk encryption on all servers that do not contain sensitive customer data

C.
Move the virtual machines that contain the sensitive information to a separate host

D.
Create new VLANs and segment the network according to the level of data sensitivity

A

D

221
Q

A security analyst is working on a project team responsible for the integration of an enterprise SSO solution. The SSO solution requires the use of an open standard
for the exchange of authentication and authorization across numerous web based applications. Which of the following solutions is most appropriate for the analyst
to recommend in this scenario?

A.
SAML

B.
XTACACS

C.
RADIUS

D.
TACACS+

E.
Secure LDAP

A

A

222
Q

An organization that currently uses FTP for the transfer of large files, due to recent security enhancements, is now required to use a secure method of file transfer and is
testing both SFTP and FTPS as alternatives. Which of the following ports should be opened on the firewall in order to test the two alternatives? (Select Two)

A.
TCP 22

B.
TCP 25

C.
TCP 69

D.
UDP 161

E.
TCP 990

F.
TCP 3380

A

A,E

223
Q

Which of the following will allow the live state of the virtual machine to be easily reverted after a failed upgrade?

A.
Replication

B.
Backups

C.
Fault tolerance

D.
Snapshots

A

D

224
Q

Which of the following technologies, when applied to Android and iOS environments, can an organization use to add security restrictions and encryption to existing
mobile applications? (Select Two)

A.
Mobile device management

B.
Containerization

C.
Application whitelisting

D.
Application wrapping

E.
Mobile application store

A

B,D

225
Q

An attacker is attempting to insert malicious code into an installer file that is available on the internet. The attacker is able to gain control of the web server that
houses both the installer and the web page which features information about the downloadable file. To implement the attack and delay detection, the attacker
should modify both the installer file and the:

A.
SSL certificate on the web server

B.
The HMAC of the downloadable file available on the website

C.
Digital signature on the downloadable file

D.
MD5 hash of the file listed on the website

A

D

226
Q

An organization has an internal PKI that utilizes client certificates on each workstation. When deploying a new wireless network, the security engineer has asked
that the new network authenticate clients by utilizing the existing client certificates. Which of the following authentication mechanisms should be utilized to meet this
goal?

A.
EAP-FAST

B.
LEAP

C.
PEAP

D.
EAP-TLS

A

D

227
Q

Which of the following best describes the reason for using hot and cold aisles?

A.
To ensure air exhaust from one aisle doesn’t blow into the air intake of the next aisle

B.
To ensure the dewpoint stays low enough that water doesn’t condensate on equipment

C.
To decrease the amount of power wiring that is run to each aisle

D.
To maintain proper humidity in the datacenter across all aisles

A

A

228
Q

Which of the following forms of software testing can best be performed with no knowledge of how a system is internally structured or functions? (Select Two.)

A.
Boundary testing

B.
White box

C.
Fuzzing

D.
Black box

E.
Grey Box

A

C,D

229
Q

Which of the following describes the implementation of PAT?

A.
Translating the source and destination IPs, but not the source and destination ports

B.
A one-to-one persistent mapping between one private IP and one public IP

C.
Changing the priority of a TCP stream based on the source address

D.
Associating multiple private IP addresses with one public address

A

D

230
Q

The chief information officer (CIO) of a major company intends to increase employee connectivity and productivity by issuing employees mobile devices with access
to their enterprise email, calendar, and contacts. The solution the CIO intends to use requires a PKI that automates the enrollment of mobile device certificates.
Which of the following, when implemented and configured securely, will meet the CIO’s requirement?

A.
OCSP

B.
SCEP

C.
SAML

D.
OSI

A

B

Simple Certificate Enrollment Protocol

231
Q

During a routine configuration audit, a systems administrator determines that a former employee placed an executable on an application server. Once the system
was isolated and diagnosed, it was determined that the executable was programmed to establish a connection to a malicious command and control server. Which
of the following forms of malware is best described in the scenario?

A.
Logic bomb

B.
Rootkit

C.
Back door

D.
Ransomware

A

C

232
Q

A network manager needs a cost-effective solution to allow for the restoration of information with an RPO of 24 hours. The disaster recovery plan also requires that
backups occur within a restricted timeframe during the week and be taken offsite weekly. Which of the following should the manager choose to BEST address these
requirements?

A.
Daily incremental backup to tape

B.
Disk-to-disk hourly server snapshots

C.
Replication of the environment at a hot site

D.
Daily differential backup to tape

E.
Daily full backup to tape

A

E

233
Q

Which of the following is a best practice when setting up a client to use the LDAPS protocol with a server?

A.
The client should follow LDAP referrals to other secure servers on the network

B.
The client should trust the CA that signed the server’s certificate

C.
The client should present a self-signed certificate to the server

D.
The client should have access to port 389 on the server

A

C

234
Q

A user, Ann, has been issued a smart card and is having problems opening old encrypted email. Ann published her certificates to the local Windows store and to the
global address list. Which of the following would still need to be performed?

A.
Setup the email security with her new certificates

B.
Recover her old private certificate

C.
Reinstall her previous public certificate

D.
Verify the correct email address is associated with her certificate

A

B

235
Q

A security administrator needs to implement a technology that creates a secure key exchange. Neither party involved in the key exchange will have pre-existing
knowledge of one another. Which of the following technologies would allow for this?

A.
Blowfish

B.
NTLM

C.
Diffie-Hellman

D.
CHAP

A

C

236
Q

An administrator performs a risk calculation to determine if additional availability controls need to be in place. The administrator estimates that a server fails and
needs to be replaced once every 2 years at a cost of $8,000. Which of the following represents the factors that the administrator would use to facilitate this
calculation?

A.
ARO= 0.5; SLE= $4,000; ALE= $2,000

B.
ARO=0.5; SLE=$8,000; ALE=$4,000

C.
ARO=0.5; SLE= $4,000; ALE=$8,000

D.
ARO=2; SLE= $4,000; ALE=$8,000

E.
ARO=2; SLE= $8,000; ALE= $16,000

A

B

237
Q

A bank is planning to implement a third factor to protect customer ATM transactions. Which of the following could the bank implement?

A.
SMS

B.
Fingerprint

C.
Chip and Pin

D.
OTP

A

B

238
Q

A project team is developing requirements for the new version of a web application used by internal and external users. The application already features username
and password requirements for login, but the organization is required to implement multifactor authentication to meet regulatory requirements. Which of the
following added requirements will satisfy the regulatory requirement? (Select THREE.)

A.
Digital certificate

B.
Personalized URL

C.
Identity verification questions

D.
Keystroke dynamics

E.
Tokenized mobile device

F.
Time-of-day restrictions

G.
Increased password complexity

A

A,D,E

239
Q

An administrator receives a security alert that appears to be from one of the company’s vendors. The email contains information and instructions for patching a
serious flaw that has not been publicly announced. Which of the following can an employee use to validate the authenticity of the email?

A.
Hashing algorithm

B.
Ephemeral Key

C.
SSL certificate chain

D.
Private key

E.
Digital signature

A

E

240
Q

A chief information security officer (CISO) is providing a presentation to a group of network engineers. In the presentation, the CISO presents information regarding
exploit kits. Which of the following might the CISO present?

A.
Exploit kits are tools capable of taking advantage of multiple CVEs

B.
Exploit kits are vulnerability scanners used by penetration testers

C.
Exploit kits are WIFI scanning tools that can find new honeypots

D.
Exploit kits are a new type of malware that allow attackers to control their computers

A

A

241
Q

An administrator is implementing a new management system for the machinery on the company’s production line. One requirement is that the system only be
accessible while within the production facility. Which of the following will be the MOST effective solution in limiting access based on this requirement?

A.
Access control list

B.
Firewall policy

C.
Air Gap

D.
MAC filter

A

C

242
Q

The IT department has been tasked with reducing the risk of sensitive information being shared with unauthorized entities from computers it is saved on, without
impeding the ability of the employees to access the internet. Implementing which of the following would be the best way to accomplish this objective?

A.
Host-based firewalls

B.
DLP

C.
URL filtering

D.
Pop-up blockers

A

B

243
Q

A Company transfers millions of files a day between their servers. A programmer for the company has created a program that indexes and verifies the integrity of
each file as it is replicated between servers. The programmer would like to use the fastest algorithm to ensure integrity. Which of the following should the
programmer use?

A.
SHA1

B.
RIPEMD

C.
DSA

D.
MD5

A

D

244
Q

A classroom utilizes workstations running virtualization software for a maximum of one virtual machine per workstation. The network settings on the virtual
machines are set to bridged. Which of the following describes how the switch in the classroom should be configured to allow for the virtual machines and host
workstations to connect to network resources?

A.
The maximum-mac settings of the ports should be set to zero

B.
The maximum-mac settings of the ports should be set to one

C.
The maximum-mac settings of the ports should be set to two

D.
The maximum-mac settings of the ports should be set to three

A

A

245
Q

Joe, a security analyst, is attempting to determine if a new server meets the security requirements of his organization. As a step in this process, he attempts to
identify a lack of security controls and to identify common misconfigurations on the server. Which of the following is Joe attempting to complete?

A.
Black hat testing

B.
Vulnerability scanning

C.
Black box testing

D.
Penetration testing

A

B