Sample Exam 1 Flashcards

1
Q

Match the description with the most accurate attack type.
Not all attack types will be used.
Attack Types:

On-path
RFID cloning
Keylogger
Vishing
Rootkit
DDoS
Injection
Supply chain

Attacker obtains bank account number
and birth date by calling the victim
Select an Attack Type

Attacker accesses a database directly
from a web browser
Select an Attack Type

Attacker intercepts all communication between
a client and a web server
Select an Attack Type

Multiple attackers
overwhelm a web server
Select an Attack Type

Attacker obtains a list of all login credentials used
over the last 24 hours
Select an Attack Type

A

Attacker obtains bank account number
and birth date by calling the victim
Vishing

Attacker accesses a database directly
from a web browser
Injection

Attacker intercepts all communication between
a client and a web server
On-path

Multiple attackers
overwhelm a web server
DDoS

Attacker obtains a list of all login credentials used
over the last 24 hours
Keylogger

2
Q

The security team at a manufacturing company is creating a set of
security standards for employees and visitors.
Select the BEST security control for each location.

All of the available security controls will be used once.

Available Security Controls:

Security guard
Authentication token
Access badge
Lighting
Access control vestibule
Fencing
Biometrics

A

Outside Building (Parking and visitor drop-off)
Fencing, Lighting

Reception (Building lobby)
Security guard, Access control vestibule

Data Center Door (Entrance from inside building)
Access badge, Biometrics

Server Administration (Authentication to server console in the data center)
Authentication token

3
Q

Select the most appropriate security category.
Some categories may be used more than once.

Technical
Managerial
Operational
Physical

A guard checks the identification of all visitors

All returns must be approved by a Vice President

A generator is used during a power outage

Building doors can be unlocked with an access card

System logs are transferred automatically to a SIEM

A

Operational A guard checks the identification of all visitors

Managerial All returns must be approved by a Vice President

Physical A generator is used during a power outage

Physical Building doors can be unlocked with an access card

Technical System logs are transferred automatically to a SIEM

4
Q

Match the appropriate authentication factor to each description.
Each authentication factor will be used once.

Something you know
Something you are
Something you have
Somewhere you are

A

Description Authentication Factor

During the login process, your phone receives a
text message with a one-time passcode
Something you have

You enter your PIN to make
a deposit into an ATM
Something you know

You can use your fingerprint to unlock
the door to the data center
Something you are

Your login will not work unless you are
connected to the VPN
Somewhere you are

5
Q

Configure the following stateful firewall rules:
* Block HTTP sessions between the Web Server and the Database Server
* Allow the Storage Server to transfer files to the Video Server over HTTPS
* Allow the Management Server to use a secure terminal on the File Server

A

Rule #  Source IP   Destination IP  Protocol (TCP/UDP)  Port #  Allow/Block
1       10.1.1.2    10.2.1.20       TCP                 80      Block
2       10.2.1.33   10.1.1.7        TCP                 443     Allow
3       10.2.1.47   10.1.1.3        TCP                 22      Allow

6
Q

A company has hired a third-party to gather information about the company’s servers and data. This third-party will not have direct access to the company’s internal network, but they can gather information from any other source. Which of the following would BEST describe
this approach?
❍ A. Vulnerability scanning
❍ B. Passive reconnaissance
❍ C. Supply chain analysis
❍ D. Regulatory audit

A

The Answer: B. Passive reconnaissance
Passive reconnaissance focuses on gathering as much information from
open sources such as social media, corporate websites, and business
organizations.
The incorrect answers:
A. Vulnerability scanning
Some active reconnaissance tests will query systems directly to see if a
vulnerability currently exists.
C. Supply chain analysis
A supply chain analysis will examine the security associated with a
supplier, and the analysis will not provide any information regarding a
company’s own servers and data.
D. Regulatory audit
A regulatory audit is a detailed security analysis based on existing laws or
private guidelines. A regulatory audit commonly requires access to internal
systems and data.

7
Q

A company’s email server has received an email from a third-party, but the origination server does not match the list of authorized devices. Which of
the following would determine the disposition of this message?
❍ A. SPF
❍ B. NAC
❍ C. DMARC
❍ D. DKIM

A

The Answer: C. DMARC
DMARC (Domain-based Message Authentication Reporting and
Conformance) specifies the disposition of spam emails. The legitimate
owner of the originating email domain can choose to have these messages
accepted, sent to a spam folder, or rejected.
The incorrect answers:
A. SPF
SPF (Sender Policy Framework) is a list of all authorized mail servers for
a specific domain. All legitimate emails would be sent from one of the
servers listed in the SPF configuration.
B. NAC
NAC (Network Access Control) is a way to limit network access to only
authorized users. NAC is not commonly used to manage the transfer of
email messages.
D. DKIM
DKIM (DomainKeys Identified Mail) provides a way to validate all
digitally signed messages from a specific email server. DKIM does not
determine how the receiving server categorizes these digitally signed
messages.

8
Q

Which of these threat actors would be MOST likely to attack systems for
direct financial gain?
❍ A. Organized crime
❍ B. Hacktivist
❍ C. Nation state
❍ D. Shadow IT

A

The Answer: A. Organized crime
An organized crime actor is motivated by money, and their hacking
objectives are usually based around objectives that can be easily exchanged
for financial capital.
The incorrect answers:
B. Hacktivist
A hacktivist is focused on a political agenda and not commonly on a
financial gain.
C. Nation state
Nation states are already well funded, and their primary objective is not
usually based on revenue or income.
D. Shadow IT
Shadow IT describes part of the organization that works around the
existing IT department to build their own applications and infrastructure.

9
Q

A security administrator has examined a server recently compromised by
an attacker, and has determined the system was exploited due to a known
operating system vulnerability. Which of the following would BEST
describe this finding?
❍ A. Root cause analysis
❍ B. E-discovery
❍ C. Risk appetite
❍ D. Data subject

A

The Answer: A. Root cause analysis
The goal of a root cause analysis is to explain the ultimate cause of an
incident. Once the cause is known, it becomes easier to protect against
similar attacks in the future.
The incorrect answers:
B. E-discovery
E-discovery relates to the collection, preparation, review, interpretation,
and production of electronic documents. E-discovery itself is not involved
with the research and determination of an attack’s root cause.
C. Risk appetite
A risk appetite describes the amount of risk an organization is willing to
take before taking any action to reduce that risk. Risk appetite is not part
of a root cause analysis.
D. Data subject
A data subject describes any information relating to an identified or
identifiable natural person, especially when describing or managing private
information about the subject.

10
Q

A city is building an ambulance service network for emergency medical
dispatching. Which of the following should have the highest priority?
❍ A. Integration costs
❍ B. Patch availability
❍ C. System availability
❍ D. Power usage

A

The Answer: C. System availability
Requests to emergency services are often critical in nature, and it’s
important for a dispatching system to always be available when a call is
made.
The incorrect answers:
A. Integration costs
When lives are on the line, the cost is not commonly the most important
aspect of a system integration.
B. Patch availability
Although it’s important to always keep systems patched, it’s more
important that a life saving service be available to those who might need it.
D. Power usage
Power usage is not usually the most important consideration when
building a critical healthcare and emergency service infrastructure.

11
Q

A system administrator receives a text alert when access rights are
changed on a database containing private customer information. Which
of the following would describe this alert?
❍ A. Maintenance window
❍ B. Attestation and acknowledgment
❍ C. Automation
❍ D. External audit

A

The Answer: C. Automation
Automation ensures that compliance checks can be performed on a
regular basis without the need for human intervention. This can be
especially useful to provide alerts when a configuration change causes an
organization to be out of compliance.
The incorrect answers:
A. Maintenance window
A maintenance window describes the scheduling associated with the
change control process. Systems and services generally have limited
availability during a maintenance window.
B. Attestation and acknowledgment
With compliance, the process of attestation and acknowledgment is the
final verification of the formal compliance documentation. An alert from
an automated process would not qualify as attestation.
D. External audit
An external audit can be a valuable tool for verifying the compliance
process, but an automated alert from a monitoring system would not be
part of an external audit.

12
Q

A security administrator is concerned about the potential for data
exfiltration using external storage drives. Which of the following would
be the BEST way to prevent this method of data exfiltration?
❍ A. Create an operating system security policy to block
the use of removable media
❍ B. Monitor removable media usage in host-based firewall logs
❍ C. Only allow applications that do not use removable media
❍ D. Define a removable media block rule in the UTM

A

The Answer: A. Create an operating system security policy to prevent
the use of removable media
Removable media uses hot-pluggable interfaces such as USB to connect
storage drives. A security policy in the operating system can prevent any
files from being written to a removable drive.
The incorrect answers:
B. Monitor removable media usage in host-based firewall logs
A host-based firewall monitors traffic flows and does not commonly log
hardware or USB drive access.
C. Only allow applications that do not use removable media
File storage access options are not associated with applications, so it’s not
possible to allow based on external storage drive usage.
D. Define a removable media block rule in the UTM
A UTM (Unified Threat Manager) watches traffic flows across the
network and does not commonly manage the storage options on individual
computers.

13
Q

A company creates a standard set of government reports each calendar
quarter. Which of the following would describe this type of data?
❍ A. Data in use
❍ B. Obfuscated
❍ C. Trade secrets
❍ D. Regulated

A

The Answer: D. Regulated
Reports and information created for governmental use are regulated by
laws regarding the disclosure of certain types of data.
The incorrect answers:
A. Data in use
Data in use describes information actively processing in the memory of a
system, such as system RAM, CPU registers, or CPU cache. Government
reports are static documents and are not actively being processed.
B. Obfuscated
Obfuscation describes the modification of data to make something
understandable into something very difficult to understand. Information
contained in a government report is relatively easy to understand and
would not be considered obfuscated data.
C. Trade secrets
Trade secrets are the private details a company uses as part of their normal
business processes, and these trade secrets are not shared with any other
organization or business.

14
Q

An insurance company has created a set of policies to handle data
breaches. The security team has been given this set of requirements based
on these policies:
* Access records from all devices must be saved and archived
* Any data access outside of normal working hours
must be immediately reported
* Data access must only occur inside of the country
* Access logs and audit reports must be created from a single database
Which of the following should be implemented by the security team to
meet these requirements? (Select THREE)
❍ A. Restrict login access by IP address and GPS location
❍ B. Require government-issued identification
during the onboarding process
❍ C. Add additional password complexity for accounts that access data
❍ D. Conduct monthly permission auditing
❍ E. Consolidate all logs on a SIEM
❍ F. Archive the encryption keys of all disabled accounts
❍ G. Enable time-of-day restrictions on the authentication server

A

The Answer: A. Restrict login access by IP address and GPS location,
E. Consolidate all logs on a SIEM, and
G. Enable time-of-day restrictions on
the authentication server
Adding location-based policies will prevent direct data access from outside
of the country. Saving log information from all devices and creating audit
reports from a single database can be implemented through the use of a
SIEM (Security Information and Event Manager). Adding a check for the
time-of-day will report any access that occurs during non-working hours.
The incorrect answers:
B. Require government-issued identification during the
onboarding process
Requiring proper identification is always a good idea, but it’s not one of
the listed requirements.
C. Add additional password complexity for accounts that access data
Additional password complexity is another good best practice, but it’s not
part of the provided requirements.
D. Conduct monthly permission auditing
No requirements for ongoing auditing were included in the requirements,
but ongoing auditing is always an important consideration.
F. Archive the encryption keys of all disabled accounts
If an account is disabled, there may still be encrypted data that needs to be
recovered later. Archiving the encryption keys will allow access to that data
after the account is no longer in use.

15
Q

A security engineer is viewing this record from the firewall logs:
UTC 04/05/2023 03:09:15809 AV Gateway Alert
136.127.92.171 80 -> 10.16.10.14 60818
Gateway Anti-Virus Alert:
XPACK.A_7854 (Trojan) blocked.
Which of the following can be observed from this log information?
❍ A. The victim’s IP address is 136.127.92.171
❍ B. A download was blocked from a web server
❍ C. A botnet DDoS attack was blocked
❍ D. The Trojan was blocked, but the file was not

A

The Answer: B. A download was blocked from a web server
A traffic flow from a web server port number (80) to a device port (60818)
indicates that this traffic flow originated on port 80 of the web server. A
file download is one of the most common ways to deliver a Trojan, and
this log entry shows that the file containing the XPACK.A_7854 Trojan
was blocked.
The incorrect answers:
A. The victim’s IP address is 136.127.92.171
The format for this log entry uses an arrow to differentiate between the
attacker and the victim. The attacker IP address is 136.127.92.171, and the
victim’s IP address is 10.16.10.14.
C. A botnet DDoS attack was blocked
A botnet attack would not commonly include a Trojan horse as part of a
distributed denial of service (DDoS) attack.
D. The Trojan was blocked, but the file was not
A Trojan horse attack involves malware that is disguised as legitimate
software. The Trojan malware and the file are the same entity, so there isn’t
a way to decouple the malware from the file.

16
Q

A user connects to a third-party website and receives this message:
Your connection is not private.
NET::ERR_CERT_INVALID
Which of the following attacks would be the MOST likely reason
for this message?
❍ A. Brute force
❍ B. DoS
❍ C. On-path
❍ D. Deauthentication

A

The Answer: C. On-path
An on-path attack is often associated with a third-party who is actively
intercepting network traffic. This entity in the middle would not be able
to provide a valid SSL certificate for a third-party website, and this error
would appear in the browser as a warning.
The incorrect answers:
A. Brute force
A brute force attack is commonly associated with password hacks. Brute
force attacks would not cause the certificate on a website to be invalid.
B. DoS
A DoS (Denial of Service) attack would prevent communication to a
server and most likely provide a timeout error. This error is not related to a
service availability issue.
D. Deauthentication
Deauthentication attacks are commonly associated with wireless networks,
and they usually cause disconnects and lack of connectivity. The error
message in this example does not appear to be associated with a network
outage or disconnection.

17
Q

Which of the following would be the BEST way to provide a website
login using existing credentials from a third-party site?
❍ A. Federation
❍ B. 802.1X
❍ C. EAP
❍ D. SSO

A

The Answer: A. Federation
Federation would allow members of one organization to authenticate
using the credentials of another organization.
The incorrect answers:
B. 802.1X
802.1X is a useful authentication protocol, but it needs additional
functionality to authenticate across multiple user databases.
C. EAP
EAP (Extensible Authentication Protocol) is an authentication
framework commonly associated with network access control. EAP by
itself does not provide the federation needed to authenticate users to a
third-party access database.
D. SSO
SSO (Single Sign-On) describes the process of enabling a single
authentication to grant access to many different network services.
Obtaining login credentials from a third-party access database does not
describe the process used by SSO.

18
Q

A system administrator is working on a contract that will specify a
minimum required uptime for a set of Internet-facing firewalls. The
administrator needs to know how often the firewall hardware is expected
to fail between repairs. Which of the following would BEST describe this
information?
❍ A. MTBF
❍ B. RTO
❍ C. MTTR
❍ D. RPO

A

The Answer: A. MTBF
The MTBF (Mean Time Between Failures) is a prediction of how often a
repairable system will fail.
The incorrect answers:
B. RTO
RTO (Recovery Time Objectives) define a set of objectives needed to
restore a particular service level.
C. MTTR
MTTR (Mean Time to Restore) is the amount of time it takes to repair a
component.
D. RPO
RPO (Recovery Point Objective) describes the minimum data or

19
Q

An attacker calls into a company’s help desk and pretends to be the
director of the company’s manufacturing department. The attacker
states that they have forgotten their password and they need to have the
password reset quickly for an important meeting. What kind of attack
would BEST describe this phone call?
❍ A. Social engineering
❍ B. Supply chain
❍ C. Watering hole
❍ D. On-path

A

The Answer: A. Social engineering
This social engineering attack uses impersonation to take advantage of
authority and urgency principles in an effort to convince someone else to
circumvent normal security controls.
The incorrect answers:
B. Supply chain
A supply chain attack focuses on the equipment or raw materials used to
deliver products or services to an organization or user. A call to the help
desk would not be categorized as part of the supply chain.
C. Watering hole
A watering hole attack uses a third-party site to perform attacks outside of
a user’s local (and usually more secure) network.
D. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway. In this question, the attacker contacted the help desk engineer
directly.

20
Q

Two companies have been working together for a number of months,
and they would now like to qualify their partnership with a broad formal
agreement between both organizations. Which of the following would
describe this agreement?
❍ A. SLA
❍ B. SOW
❍ C. MOA
❍ D. NDA

A

The Answer: C. MOA
An MOA (Memorandum of Agreement) is a formal document where
both sides agree to a broad set of goals and objectives associated with the
partnership.
The incorrect answers:
A. SLA
An SLA (Service Level Agreement) is commonly provided as a formal
contract between two parties that documents the minimum terms for
services provided. The SLA often provides very specific requirements and
expectations between both parties.
B. SOW
An SOW (Statement of Work) is a detailed list of items to be completed
as part of overall project deliverables. For example, a list of expected job
tasks associated with a firewall installation would be documented in an
SOW.
D. NDA
An NDA (Non-Disclosure Agreement) is a confidentiality agreement
between parties. This question did not mention any requirement for
privacy or confidentiality.

21
Q

Which of the following would explain why a company would
automatically add a digital signature to each outgoing email message?
❍ A. Confidentiality
❍ B. Integrity
❍ C. Authentication
❍ D. Availability

A

The Answer: B. Integrity
Integrity refers to the trustworthiness of data. A digital signature allows
the recipient to confirm that none of the data has been changed since the
digital signature was created.
The incorrect answers:
A. Confidentiality
Confidentiality describes the privacy of data. Encrypting traffic sent over
a VPN or encrypting files stored on a flash drive would be an example of
data confidentiality.
C. Authentication
Authentication refers to the process of verifying the identity of an
individual or system. A username and password is a common method
of authentication, but digital signatures are not commonly used as an
authentication method.
D. Availability
Availability describes the ability of an authorized user to access data.
A digital signature does not provide any features associated with the
availability of the data.

22
Q

The embedded OS in a company’s time clock appliance is configured to
reset the file system and reboot when a file system error occurs. On one
of the time clocks, this file system error occurs during the startup process
and causes the system to constantly reboot. Which of the following
BEST describes this issue?
❍ A. Memory injection
❍ B. Resource consumption
❍ C. Race condition
❍ D. Malicious update

A

The Answer: C. Race condition
A race condition occurs when two processes occur at similar times, and
usually with unexpected results. The file system problem can often be fixed
before a reboot, but the reboot is occurring before the fix can be applied.
This has created a race condition that results in constant reboots.
The incorrect answers:
A. Memory injection
A memory injection is commonly used by malicious software to add code
to the memory of an existing process. The issue in this question was related
to a file system error and was not part of a malicious data injection.
B. Resource consumption
If the time clock was running out of storage space or memory, it would
most likely be unusable. In this example, the issue isn’t based on a lack of
resources.
D. Malicious update
A malicious update occurs when a software patch installs unwanted or
unauthorized code. Many attackers will use software patches to install
their own malicious code during a software update.

23
Q

A recent audit has found that existing password policies do not include
any restrictions on password attempts, and users are not required to
periodically change their passwords. Which of the following would
correct these policy issues? (Select TWO)
❍ A. Password complexity
❍ B. Password expiration
❍ C. Password reuse
❍ D. Account lockout
❍ E. Password managers

A

The Answer: B. Password expiration and D. Account lockout
Password expiration would require a password change after the expiration
date. An account lockout would disable an account after a predefined
number of unsuccessful login attempts.
The incorrect answers:
A. Password complexity
A complex password would make the password more difficult to brute
force, but it would not solve the issues listed in this question.
C. Password reuse
Maintaining a password history would prevent the reuse of any previous
passwords. Restricting password reuse would ensure that a different
password is used each time a password change is processed.
E. Password managers
A password manager would provide a way to securely store and retrieve
passwords, but it would not resolve any issues relating to password
expirations or account lockouts.

24
Q

What kind of security control is associated with a login banner?
❍ A. Preventive
❍ B. Deterrent
❍ C. Corrective
❍ D. Detective
❍ E. Compensating
❍ F. Directive

A

The Answer: B. Deterrent
A deterrent control does not directly stop an attack, but it may discourage
an action.
The incorrect answers:
A. Preventive
A preventive control physically limits access to a device or area.
C. Corrective
A corrective control can actively work to mitigate any damage.
D. Detective
A detective control may not prevent access, but it can identify and record
any intrusion attempts.
E. Compensating
A compensating security control doesn’t prevent an attack, but it does
restore from an attack using other means.
F. Directive
A directive control is a relatively weak control that relies on security
compliance from the end users.

25
Q

An internal audit has discovered four servers that have not been updated
in over a year, and it will take two weeks to test and deploy the latest
patches. Which of the following would be the best way to quickly
respond to this situation in the meantime?
❍ A. Purchase cybersecurity insurance
❍ B. Implement an exception for all data center services
❍ C. Move the servers to a protected segment
❍ D. Hire a third-party to perform an extensive audit

A

The Answer: C. Move the servers to a protected segment
Segmenting the servers to their own protected network would allow
for additional security controls while still maintaining the uptime and
availability of the systems.
The incorrect answers:
A. Purchase cybersecurity insurance
Cybersecurity insurance can help plan for financial issues during a
significant attack, but it wouldn’t provide any assistance for mitigating
potential vulnerabilities during this two week period.
B. Implement an exception for all data center services
Security exceptions should be rare, and they should be very specific
to a small number of systems. It would be risky to create a broad
security exception for systems which are not in-scope for the identified
vulnerability.
D. Hire a third-party to perform an extensive audit
Audits take time, and hiring a third-party to perform an audit takes even
longer. By the time a third-party audit was underway, the problematic
systems would have already been tested and patched.

26
Q

A business manager is documenting a set of steps for processing orders
if the primary Internet connection fails. Which of these would BEST
describe these steps?
❍ A. Platform diversity
❍ B. Continuity of operations
❍ C. Cold site recovery
❍ D. Tabletop exercise

A

The Answer: B. Continuity of operations
It’s always useful to have an alternative set of processes to handle any type
of outage or issue. Continuity of operations planning ensures that the
business will continue to operate when these issues occur.
The incorrect answers:
A. Platform diversity
Using different operating systems and platforms can help mitigate issues
associated with a single OS, but it wouldn’t provide any mitigation if the
primary Internet connection was no longer available.
C. Cold site recovery
A cold site takes time to build, and the time and expense associated with
a disaster recovery switchover would be extensive. By the time a cold site
was enabled, the primary Internet connection may already be restored and
many alternative recovery options could have potentially been deployed.
D. Tabletop exercise
A tabletop exercise usually consists of a meeting where members of a
recovery or disaster recovery team talk through a disaster scenario.

27
Q

A company would like to examine the credentials of each individual
entering the data center building. Which of the following would BEST
facilitate this requirement?
❍ A. Access control vestibule
❍ B. Video surveillance
❍ C. Pressure sensors
❍ D. Bollards

A

The Answer: A. Access control vestibule
An access control vestibule is a room designed to restrict the flow of
individuals through an area. These are commonly used in high security
areas where each person needs to be evaluated and approved before access
can be provided.
The incorrect answers:
B. Video surveillance
Although video surveillance can assist with monitoring access to a
building or room, it doesn’t provide a way to validate the credentials of
each visitor.
C. Pressure sensors
Pressure sensors are commonly used on doors or windows to detect
movement in those devices. However, pressure sensors would not be used
to check visitor credentials.
D. Bollards
Bollards and barricades are often used on the exterior of a facility to
prevent access to motorized vehicles and channel people through a specific
access location.

28
Q

A company stores some employee information in encrypted form, but
other public details are stored as plaintext. Which of the following would
BEST describe this encryption strategy?
❍ A. Full-disk
❍ B. Record
❍ C. Asymmetric
❍ D. Key escrow

A

The Answer: B. Record
Record-level encryption is commonly used with databases to encrypt
individual columns within the database. This would store some
information in the database as plaintext and other information as
encrypted data.
The incorrect answers:
A. Full-disk
Full-disk encryption ensures that all data on a storage drive is protected.
Full-disk encryption protects all data on the drive, and none of the
information would remain as the original plaintext.
C. Asymmetric
Asymmetric encryption uses a public and private key pair to encrypt data.
Asymmetric encryption does not store some information as plaintext and
other information as encrypted data.
D. Key escrow
Key escrow describes the storage and management of decryption keys by
a third-party. Key escrow does not determine which data is selected for
encryption or the method of encryption.

29
Q

A company would like to minimize database corruption if power is lost to
a server. Which of the following would be the BEST strategy to follow?
❍ A. Encryption
❍ B. Off-site backups
❍ C. Journaling
❍ D. Replication

A

The Answer: C. Journaling
Journaling (write-ahead logging) records each change in a journal and forces
it to stable storage before the change is applied to the database files. If
power is lost mid-write, the system replays the committed journal entries
when power is restored, so the database is not left with a partially
applied transaction.
The incorrect answers:
A. Encryption
Encryption would provide confidentiality of the data, but it would not
provide any additional integrity features if power was lost.
B. Off-site backups
Off-site backups can be used to recover a corrupted database, but this does
not minimize or prevent database corruption from occurring.
D. Replication
Replication creates a duplicate copy of data on another system. Although
this provides a backup, it adds no integrity protection for in-flight writes,
and a partially written transaction could be replicated along with the
corruption if power is lost.
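To make the journaling idea concrete, here is a small write-ahead journal in Python. It is an added illustration, not code from this exam set or from any database product. It models a key-value store rather than a real database: every write goes to a journal file and is fsynced before the data file is touched, a power loss is simulated between those two steps, and replay() re-applies the durable journal entry on the next start. The names JournaledStore, put(), replay() and demo() are this example's own.

```python
import json
import os
import tempfile


class JournaledStore:
    """Toy key-value store with a write-ahead journal (example code, not a
    real database engine). Every write is appended to the journal and fsynced
    before the data file is touched, so a power loss can never leave the data
    file holding a half-applied transaction that the journal cannot repair."""

    def __init__(self, directory):
        self.journal_path = os.path.join(directory, "journal.log")
        self.data_path = os.path.join(directory, "data.json")
        self.data = self._load_data()

    def _load_data(self):
        if os.path.exists(self.data_path):
            with open(self.data_path) as f:
                return json.load(f)
        return {}

    @staticmethod
    def _durable_write(path, text, mode):
        # flush() pushes to the OS cache; fsync() forces it onto the disk.
        with open(path, mode) as f:
            f.write(text)
            f.flush()
            os.fsync(f.fileno())

    def _write_data(self):
        # Write to a temp file, then rename: the data file is replaced atomically.
        tmp = self.data_path + ".tmp"
        self._durable_write(tmp, json.dumps(self.data), "w")
        os.replace(tmp, self.data_path)

    def put(self, key, value, crash_after_journal=False):
        # 1. Record the intent in the journal and make it durable.
        entry = json.dumps({"op": "put", "key": key, "value": value})
        self._durable_write(self.journal_path, entry + "\n", "a")
        if crash_after_journal:
            # Simulate losing power here: the journal survives, the data file
            # still holds the old value.
            raise RuntimeError("simulated power loss")
        # 2. Apply the change to the data file.
        self.data[key] = value
        self._write_data()
        # 3. Checkpoint: the journal entry has been applied and can be discarded.
        self._durable_write(self.journal_path, "", "w")

    def replay(self):
        """Re-apply journal entries left behind by a crash; returns how many."""
        if not os.path.exists(self.journal_path):
            return 0
        applied = 0
        with open(self.journal_path) as f:
            for line in f:
                try:
                    entry = json.loads(line)
                except json.JSONDecodeError:
                    # A torn write at the tail: the entry never completed, skip it.
                    continue
                if entry.get("op") == "put":
                    # put is idempotent, so replaying an already-applied entry is harmless.
                    self.data[entry["key"]] = entry["value"]
                    applied += 1
        if applied:
            self._write_data()
        self._durable_write(self.journal_path, "", "w")
        return applied


def demo(directory=None):
    """Write a value, crash mid-update, then recover from the journal."""
    directory = directory or tempfile.mkdtemp()
    store = JournaledStore(directory)
    store.put("balance:alice", 100)
    try:
        store.put("balance:alice", 250, crash_after_journal=True)
    except RuntimeError:
        pass
    # After the "power loss" the data file still says 100 ...
    stale = JournaledStore(directory).data["balance:alice"]
    # ... until the next start replays the journal.
    recovered = JournaledStore(directory)
    replayed = recovered.replay()
    # A second replay finds an empty journal and changes nothing.
    return stale, replayed, recovered.data["balance:alice"], recovered.replay()


if __name__ == "__main__":
    print(demo())  # (100, 1, 250, 0)
```

Because put() is idempotent, a crash after the data file is written but before the journal is cleared only causes the same value to be written again on replay, which is why the checkpoint can safely be the last step. Real databases add checksums and sequence numbers to each journal record so that a torn write at the tail is detected rather than silently replayed.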

30
Q

A company is creating a security policy for corporate mobile devices:
* All mobile devices must be automatically locked after a predefined
time period.
* The location of each device needs to be traceable.
* All of the user’s information should be completely separate from
company data.
Which of the following would be the BEST way to establish these
security policy rules?
❍ A. Segmentation
❍ B. Biometrics
❍ C. COPE
❍ D. MDM

A

The Answer: D. MDM
An MDM (Mobile Device Management) platform provides a centralized
management system for all mobile devices. From this central console, security
administrators can push policies such as screen-lock timeouts, location
tracking, and separation of personal and corporate data to many different
types of mobile devices.
The incorrect answers:
A. Segmentation
Segmentation describes the separation of user data from company data, but it
addresses only one of the three requirements, and the implementation of all of
these policies is managed by the MDM.
B. Biometrics
Biometrics can be used as another layer of device security, but you need
more than biometrics to implement the required security policies in this
question.
C. COPE
A device that is COPE (Corporately Owned and Personally Enabled) is
commonly purchased by the corporation and allows the use of the mobile
device for both business and personal use. The use of a COPE device does
not provide any policy management of the device.

31
Q

A security engineer runs a monthly vulnerability scan. The scan doesn’t
list any vulnerabilities for Windows servers, but a significant vulnerability
was announced last week and none of the servers are patched yet. Which
of the following best describes this result?
❍ A. Exploit
❍ B. Compensating controls
❍ C. Zero-day attack
❍ D. False negative

A

The Answer: D. False negative
A false negative is a result that fails to detect an issue when one
actually exists.
The incorrect answers:
A. Exploit
An exploit is an attack against a vulnerability. Vulnerability scans do not
commonly attempt to exploit the vulnerabilities that they identify.
B. Compensating controls
Compensating controls are used to mitigate a vulnerability when an
optimal security response may not be available. For example, if a company
can’t deploy a patch for a vulnerability, they can revoke or limit application
access until a patch is provided.
C. Zero-day attack
A zero-day attack exploits a vulnerability that is not yet publicly known. In
this example, a vulnerability scan isn't an attack, and the vulnerability was
publicly announced a week before the scan was run.

32
Q

An IT help desk is using automation to improve the response time for
security events. Which of the following use cases would apply to this
process?
❍ A. Escalation
❍ B. Guard rails
❍ C. Continuous integration
❍ D. Resource provisioning

A

The Answer: A. Escalation
Automation can recognize security events and escalate a security-related
ticket to the incident response team without any additional human
interaction.
The incorrect answers:
B. Guard rails
Guard rails are used by application developers to provide a set of
automated validations to user input and behavior. Guard rails are not used
by the help desk team.
C. Continuous integration
Continuous integration and testing provides an automated method
of constantly developing, testing, and deploying code. The continuous
integration process is not used by the help desk.
D. Resource provisioning
Resource provisioning can be automated during the on-boarding and
off-boarding process to quickly create or remove rights and permissions.
Resource provisioning is not commonly part of the automation associated
with security event notification.

33
Q

A network administrator would like each user to authenticate with
their corporate username and password when connecting to the
company’s wireless network. Which of the following should the network
administrator configure on the wireless access points?
❍ A. WPA3
❍ B. 802.1X
❍ C. PSK
❍ D. MFA

A

The Answer: B. 802.1X
802.1X passes each user's credentials (carried in EAP) to a centralized
authentication server, typically RADIUS, which checks them against the
corporate directory. This allows every user to log in to the wireless network
with their own corporate username and password.
The incorrect answers:
A. WPA3
WPA3 (Wi-Fi Protected Access 3) is the encryption and security standard for
802.11 wireless networks. WPA3-Enterprise relies on 802.1X for user
authentication, but selecting WPA3 by itself does not configure the
centralized authentication process described in this question.
C. PSK
PSK (Pre-Shared Key) is a wireless configuration option that allows
everyone on the network to use the same access key or password when
connecting to the wireless network. This question requires each person to
use unique authentication credentials.
D. MFA
MFA (Multifactor Authentication) describes the use of multiple types
of authentication checks. A username and password is a single factor
(something you know), and the use of MFA does not itself require unique
username and password credentials for each user.

34
Q

A company’s VPN service performs a posture assessment during the
login process. Which of the following mitigation techniques would this
describe?
❍ A. Encryption
❍ B. Decommissioning
❍ C. Least privilege
❍ D. Configuration enforcement

A

The Answer: D. Configuration enforcement
A posture assessment evaluates the configuration of a system to ensure the
operating system, applications, and security agents are up to date and
configured as securely as possible. If a configuration does not meet these
standards, the user is commonly given options for resolving the issue before
the connection proceeds.
The incorrect answers:
A. Encryption
Encryption is an important part of a VPN (Virtual Private Network), but
the encryption of network data is not related to the posture assessment
process.
B. Decommissioning
It’s important to properly manage data during any decommissioning
process, but the decommissioning isn’t part of the VPN login process.
C. Least privilege
Least privilege describes the minimum rights and permissions that would
allow an individual to perform their job function. Least privilege is not
part of a posture assessment.

35
Q

A user has assigned individual rights and permissions to a file on their
network drive. The user adds three additional individuals to have read-only
access to the file. Which of the following would describe this access
control model?
❍ A. Discretionary
❍ B. Mandatory
❍ C. Attribute-based
❍ D. Role-based

A

The Answer: A. Discretionary
Discretionary access control is used in many operating systems, and this
model allows the owner of the resource to control who has access.
The incorrect answers:
B. Mandatory
Mandatory access control allows access based on the security level assigned
to an object. Only users with the object’s assigned security level or higher
may access the resource.
C. Attribute-based
Attribute-based access control combines many different parameters to
determine if a user has access to a resource.
D. Role-based
Role-based access control assigns rights and permissions based on the role
of a user. These roles are usually assigned by group.

36
Q

A remote user has received a text message with a link to login and
confirm their upcoming work schedule. Which of the following would
BEST describe this attack?
❍ A. Brute force
❍ B. Watering hole
❍ C. Typosquatting
❍ D. Smishing

A

The Answer: D. Smishing
Smishing, or SMS (Short Message Service) phishing, is a social
engineering attack that asks for sensitive information using SMS or
text messages.
The incorrect answers:
A. Brute force
A brute force attack tries multiple password combinations in an effort to
identify the correct authentication details.
B. Watering hole
A watering hole attack will infect a third-party site visited by the victim.
Watering hole attacks are not commonly associated with received text
messages.
C. Typosquatting
Typosquatting uses a misspelling of a domain name to convince victims
they are visiting a legitimate website. The information provided in this
question does not provide any specific domain names or links.

37
Q

A company is formalizing the design and deployment process used by
their application programmers. Which of the following policies would
apply?
❍ A. Business continuity
❍ B. Acceptable use policy
❍ C. Incident response
❍ D. Development lifecycle

A

The Answer: D. Development lifecycle
A formal software development lifecycle defines the specific policies
associated with the design, development, testing, deployment, and
maintenance of the application development process.
The incorrect answers:
A. Business continuity
Business continuity plans define the procedures used when the primary
business systems are unavailable. The business continuity process is not
commonly associated with the application development process.
B. Acceptable use policy
An acceptable use policy formally defines the proper use of company assets
and technology devices.
C. Incident response
Incident response policies define the procedures to follow when a security
incident is identified. Incident response is not part of the application
development process.

38
Q

A security administrator has copied a suspected malware executable from
a user’s computer and is running the program in a sandbox. Which of the
following would describe this part of the incident response process?
❍ A. Eradication
❍ B. Preparation
❍ C. Recovery
❍ D. Containment

A

The Answer: D. Containment
The isolation and containment process prevents malware from spreading
and allows the administrator to analyze the operation of the malware
without putting any other devices at risk.
The incorrect answers:
A. Eradication
The eradication phase is associated with completely removing malware
from a system. This process usually involves removing all data from a
system and installing or re-imaging with a known-good operating system.
B. Preparation
The preparation process occurs before a security incident is discovered,
and it can include the documentation of communication methods, the
compiling of mitigation software, or gathering network and application
documentation.
C. Recovery
The recovery phase is associated with the recovery of a system after
a security incident. Running malware in a sandbox is not part of the
recovery process.

39
Q

A server administrator at a bank has noticed a decrease in the number
of visitors to the bank’s website. Additional research shows that users are
being directed to a different IP address than the bank’s web server. Which
of the following would MOST likely describe this attack?
❍ A. Deauthentication
❍ B. DDoS
❍ C. Buffer overflow
❍ D. DNS poisoning

A

The Answer: D. DNS poisoning
DNS poisoning inserts false records into a DNS server or resolver cache so
that name resolution returns an IP address chosen by the attacker instead of
the bank's real address. Once the DNS information is modified, client
computers are directed to any destination the attacker chooses.
The incorrect answers:
A. Deauthentication
Deauthentication attacks are commonly associated with wireless networks.
The deauthentication attack is used to remove devices from the wireless
network, and it does not commonly redirect clients to a different website.
B. DDoS
A DDoS (Distributed Denial of Service) is used by attackers to
cause services to be unavailable. In this example, the bank’s website is
operational but clients are not resolving the correct IP address.
C. Buffer overflow
Buffer overflows are associated with application attacks and can cause
applications to crash or act in unexpected ways. A buffer overflow would
not commonly redirect clients to a different website IP address.

40
Q

Which of the following considerations are MOST commonly associated
with a hybrid cloud model?
❍ A. Microservice outages
❍ B. IoT support
❍ C. Network protection mismatches
❍ D. Containerization backups

A

The Answer: C. Network protection mismatches
A hybrid cloud combines private and public cloud infrastructure, often from
more than one provider. This adds complexity to the overall infrastructure,
and it's common to inadvertently apply different firewall rules,
authentication options, and user permissions across the separate environments.
The incorrect answers:
A. Microservice outages
Microservices are used to create a scalable and resilient application
instance. However, the availability of a microservice is not specific to a
hybrid cloud model.
B. IoT support
IoT (Internet of Things) support is available in many cloud infrastructure
models, and this would not be specific to a hybrid cloud.
D. Containerization backups
Containerization provides an efficient method of deploying application
instances, but the use and backup of these containers is not specific to a
hybrid cloud infrastructure.

41
Q

A company hires a large number of seasonal employees, and their
system access should normally be disabled when the employee leaves
the company. The security administrator would like to verify that their
systems cannot be accessed by any of the former employees. Which of the
following would be the BEST way to provide this verification?
❍ A. Confirm that no unauthorized accounts have administrator access
❍ B. Validate the account lockout policy
❍ C. Validate the offboarding processes and procedures
❍ D. Create a report that shows all authentications for a 24-hour period

A

The Answer: C. Validate the offboarding processes and procedures
The disabling of an employee account is commonly part of the offboarding
process. One way to validate an offboarding policy is to perform an audit
of all accounts and compare active accounts with active employees.
The incorrect answers:
A. Confirm that no unauthorized accounts have administrator access
It’s always a good idea to periodically audit administrator accounts, but
this audit won’t provide any validation that all former employee accounts
have been disabled.
B. Validate the account lockout policy
Account lockout triggers after a number of invalid authentication attempts
against an existing, enabled account. Checking that policy says nothing
about whether the accounts of former employees have actually been disabled.
D. Create a report that shows all authentications for a 24-hour period
A list of all authentications would be quite large, and it would not be
obvious to see which authentications were made with valid accounts and
which authentications were made with former employee accounts.
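One way to run the audit described above, as an added example rather than anything from the exam: a Python script that compares a directory export against the HR roster. The roster and account lists are constructed sample data, and the field names (status, end_date, last_logon) are assumptions about what an HR system and a directory export would provide. It flags three things: accounts of separated employees that are still enabled, accounts used after the separation date, and enabled accounts with no HR record at all.

```python
from datetime import date

# Constructed sample data (not from the page). HR_ROSTER is what the HR system
# exports; DIRECTORY_ACCOUNTS is what the identity directory exports.
HR_ROSTER = [
    {"employee_id": "E100", "username": "asmith", "status": "active", "end_date": None},
    {"employee_id": "E101", "username": "bjones", "status": "terminated", "end_date": "2024-09-15"},
    {"employee_id": "E102", "username": "cwu", "status": "terminated", "end_date": "2024-09-30"},
]
DIRECTORY_ACCOUNTS = [
    {"username": "asmith", "enabled": True, "last_logon": "2024-10-02"},
    {"username": "bjones", "enabled": True, "last_logon": "2024-09-20"},     # never disabled
    {"username": "cwu", "enabled": False, "last_logon": "2024-09-29"},       # correctly disabled
    {"username": "svc_backup", "enabled": True, "last_logon": "2024-10-01"}, # no HR owner
]


def audit_offboarding(roster, accounts, as_of):
    """Compare directory accounts with the HR roster as of an ISO date string.

    Returns a dict with three lists of usernames:
      still_enabled:   terminated employees whose account is still enabled
      used_after_exit: accounts with a last logon after the employee's end date
      no_hr_record:    enabled accounts with no matching roster entry
    """
    today = date.fromisoformat(as_of)
    by_user = {r["username"]: r for r in roster}
    findings = {"still_enabled": [], "used_after_exit": [], "no_hr_record": []}
    for acct in accounts:
        rec = by_user.get(acct["username"])
        if rec is None:
            # Orphaned accounts (service accounts, contractors) need an owner too.
            if acct["enabled"]:
                findings["no_hr_record"].append(acct["username"])
            continue
        if rec["status"] != "terminated":
            continue
        end = date.fromisoformat(rec["end_date"])
        if acct["enabled"] and end <= today:
            findings["still_enabled"].append(acct["username"])
        # A logon after the end date means the account was used when it
        # should already have been disabled: treat this as an incident, not
        # just a process gap.
        if acct["last_logon"] and date.fromisoformat(acct["last_logon"]) > end:
            findings["used_after_exit"].append(acct["username"])
    return findings


if __name__ == "__main__":
    for kind, users in audit_offboarding(HR_ROSTER, DIRECTORY_ACCOUNTS, "2024-10-03").items():
        print(f"{kind}: {', '.join(users) or '-'}")
```

Running this on a schedule, with the "as of" date set to the run date, turns the offboarding policy into a verifiable control: the still_enabled list should be empty, and anything in used_after_exit should go straight to incident response.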

42
Q

Which of the following is used to describe how cautious an organization
might be to taking a specific risk?
❍ A. Risk appetite
❍ B. Risk register
❍ C. Risk transfer
❍ D. Risk reporting

A

The Answer: A. Risk appetite
A risk appetite is a broad description of how much risk-taking is deemed
acceptable. An organization’s risk appetite posture might be conservative,
or they might be more expansionary and willing to take additional risks.
The incorrect answers:
B. Risk register
A risk register identifies and documents the risks associated with each
step of a project plan. A risk register is not designed to describe an
organization’s level of caution associated with each risk.
C. Risk transfer
Some organizations will transfer their risk to a third-party. For example,
many organizations will purchase cybersecurity insurance to minimize the
financial impact of a cybersecurity event.
D. Risk reporting
Risk reporting is the formal process of identifying risk and documenting
all details associated with the risk. These reports are commonly designed
for the decision making process by the senior management of an
organization.

43
Q

A technician is applying a series of patches to fifty web servers during a
scheduled maintenance window. After patching and rebooting the first
server, the web service fails with a critical error. Which of the following
should the technician do NEXT?
❍ A. Contact the stakeholders regarding the outage
❍ B. Follow the steps listed in the backout plan
❍ C. Test the upgrade process in the lab
❍ D. Evaluate the impact analysis associated with the change

A

The Answer: B. Follow the steps listed in the backout plan
The backout plan associated with the change control process provides
information on reverting to the previous configuration if an unrecoverable
error is found during the change.
The incorrect answers:
A. Contact the stakeholders regarding the outage
The stakeholders don’t commonly require a detailed notification of every
step during the maintenance window. The final disposition of the change
can be communicated to the stakeholders after the maintenance window
has concluded.
C. Test the upgrade process in the lab
The testing phase of the change control process takes place prior to the
maintenance window. Once the maintenance window has started, it’s too
late to perform any additional tests in the lab.
D. Evaluate the impact analysis associated with the change
An impact analysis determines the risk for making the proposed change.
This analysis is created prior to the change control approval, and it would
not be very useful when troubleshooting during the maintenance window.

44
Q

An attacker has discovered a way to disable a server by sending specially
crafted packets from many remote devices to the operating system. When
the packet is received, the system crashes and must be rebooted to restore
normal operations. Which of the following would BEST describe this
attack?
❍ A. Privilege escalation
❍ B. SQL injection
❍ C. Replay attack
❍ D. DDoS

A

The Answer: D. DDoS
A DDoS (Distributed Denial of Service) is an attack that overwhelms or
disables a service to prevent the service from operating normally. Packets
from multiple devices that disable a server would be an example of a
DDoS attack.
The incorrect answers:
A. Privilege escalation
A privilege escalation attack allows a user to exceed their normal rights
and permissions. In this example, user permission escalations were not
required to perform this attack.
B. SQL injection
A SQL (Structured Query Language) injection is used to circumvent an
application and communicate directly to the application’s database. In this
question, there was no mention of application vulnerabilities or specific
SQL statements.
C. Replay attack
A replay attack captures information and then replays that information
as the method of attack. In this question, no mention was made of a prior
data capture.

45
Q

A data breach has occurred in a large insurance company. A security
administrator is building new servers and security systems to get all of
the financial systems back online. Which part of the incident response
process would BEST describe these actions?
❍ A. Lessons learned
❍ B. Containment
❍ C. Recovery
❍ D. Analysis

A

The Answer: C. Recovery
The recovery after a breach can be a phased approach that may take
months to complete.
The incorrect answers:
A. Lessons learned
Once the event is over, it’s useful to revisit the process to learn and
improve for next time.
B. Containment
During an incident, it’s useful to separate infected systems from the rest of
the network.
D. Analysis
The analysis phase can include the analysis of log files and alerts. These
data sources can help warn of a potential attack or provide evidence that an
attack is underway.

46
Q

A network team has installed new access points to support an application
launch. In less than 24 hours, the wireless network was attacked and
private company information was accessed. Which of the following would
be the MOST likely reason for this breach?
❍ A. Race condition
❍ B. Jailbreaking
❍ C. Impersonation
❍ D. Misconfiguration

A

The Answer: D. Misconfiguration
There are many different configuration options when installing an access
point, and it’s likely one of those options allowed an attacker to gain access
to the internal network.
The incorrect answers:
A. Race condition
A race condition occurs when two different application processes are
executing simultaneously. If the two processes are not aware of each other,
the application may have unexpected results. In this example, there’s no
evidence the access points were experiencing a race condition.
B. Jailbreaking
Jailbreaking replaces the firmware on a mobile device to gain access to
features not normally available in the operating system. Jailbreaking is not
commonly associated with wireless access points.
C. Impersonation
Impersonation is an attacker pretending to be someone or something they
are not. In this example, there’s no evidence that impersonation was used
to breach the wireless network.

47
Q

An organization has identified a significant vulnerability in an Internet-facing
firewall. The firewall company has stated the firewall is no
longer available for sale and there are no plans to create a patch for this
vulnerability. Which of the following would BEST describe this issue?
❍ A. End-of-life
❍ B. Improper input handling
❍ C. Improper key management
❍ D. Incompatible OS

A

The Answer: A. End-of-life
Because the firewall is no longer available for sale, the firewall company
has decided to stop supporting and updating the device. A product no
longer supported by the manufacturer is considered to be end-of-life.
The incorrect answers:
B. Improper input handling
A best practice for application security is to provide the proper handling
of invalid or unnecessary input. A missing patch for the firewall firmware
would not be related to input handling.
C. Improper key management
Cryptographic keys can be used for many security purposes, but managing
those keys isn’t part of the patching process from a vendor.
D. Incompatible OS
The operating system in the firewall would normally be supported by the
manufacturer, and the operating systems are not commonly modified on a
purpose-built device such as a firewall.

48
Q

A company has decided to perform a disaster recovery exercise during an
annual meeting with the IT directors and senior directors. A simulated
disaster will be presented, and the participants will discuss the logistics
and processes required to resolve the disaster. Which of the following
would BEST describe this exercise?
❍ A. Capacity planning
❍ B. Business impact analysis
❍ C. Continuity of operations
❍ D. Tabletop exercise

A

The Answer: D. Tabletop exercise
A tabletop exercise allows a disaster recovery team to evaluate and plan
disaster recovery processes without performing a full-scale drill.
The incorrect answers:
A. Capacity planning
Capacity planning is used to determine how many resources would
be required for a particular task. A formal tabletop exercise would not
commonly include a capacity planning analysis.
B. Business impact analysis
A business impact analysis is usually created during the disaster recovery
planning process. Once the disaster has occurred, it becomes much more
difficult to complete an accurate impact analysis.
C. Continuity of operations
If an outage occurs, it’s common to have a backup plan to provide
continuity of operations. This plan can be used for any significant outage
and is not specific to disaster recovery testing.

49
Q

A security administrator needs to block users from visiting websites
hosting malicious software. Which of the following would be the BEST
way to control this access?
❍ A. Honeynet
❍ B. Data masking
❍ C. DNS filtering
❍ D. Data loss prevention

A

The Answer: C. DNS filtering
DNS filtering checks each name lookup against a database of known malicious
domains and answers those lookups with a block response (NXDOMAIN or a
sinkhole address) instead of the real IP address. If a user attempts to visit
a known malicious site, the name never resolves to the attacker's server and
the browser cannot reach it.
The incorrect answers:
A. Honeynet
A honeynet is a non-production network created to attract attackers. A
honeynet is not used to block traffic to known malicious Internet sites.
B. Data masking
Data masking provides a way to hide data by substitution, shuffling,
encryption, and other methods. Data masking does not provide a method
of blocking communication to malicious websites.
D. Data loss prevention
Data Loss Prevention (DLP) systems can identify and block private
information from being transferred between systems. DLP does not
provide any direct method of blocking network traffic to known malware
repositories.

50
Q

A system administrator has been called to a system with a malware
infection. As part of the incident response process, the administrator has
imaged the operating system to a known-good version. Which of these
incident response steps is the administrator following?
❍ A. Lessons learned
❍ B. Recovery
❍ C. Detection
❍ D. Containment

A

The Answer: B. Recovery
The recovery phase describes the process of returning the system and data
to the state prior to the malware infection. With a malware infection, this
often requires deleting all data and reinstalling a known-good operating
system.
The incorrect answers:
A. Lessons learned
A post-incident meeting can help the incident response participants
discuss the phases of the incident that went well and which processes can
be improved for future events.
C. Detection
The detection of the malware is an early phase in the incident response
process. If the administrator is imaging a system, the malware was
previously detected and any critical documents were already recovered.
D. Containment
The containment phase isolates the system from any other devices to
prevent the spread of any malicious software. The containment phase
generally occurs immediately after

51
Q

A company has placed a SCADA system on a segmented network with
limited access from the rest of the corporate network. Which of the
following would describe this process?
❍ A. Load balancing
❍ B. Least privilege
❍ C. Data retention
❍ D. Hardening

A

The Answer: D. Hardening
The hardening process for an industrial SCADA (Supervisory Control and
Data Acquisition) system might include network segmentation, additional
firewall controls, and the implementation of access control lists.
The incorrect answers:
A. Load balancing
A load balancer is used to distribute transactions across multiple systems.
A single system was the only device referenced in this question, so a load
balancing option would not be available.
B. Least privilege
Least privilege defines the minimum rights and permissions for
completing a specific task. In this example, there was no mention of
specific tasks or their necessary permissions.
C. Data retention
Data retention is important for long-term storage of important
information. In this example, the mandated storage of data was not a
consideration.

52
Q

An administrator is viewing the following security log:

Dec 30 08:40:03 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:05 web01 Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:09 web01 445 more authentication failures; rhost=10.101.88.230 user=root

Which of the following would describe this attack?

❍ A. Spraying
❍ B. Downgrade
❍ C. Brute force
❍ D. DDoS

A

The Answer: C. Brute force
A brute force attack discovers a password by attempting many combinations
of letters, numbers, and special characters against an account until a match
is found. In this example, more than four hundred failed attempts against the
root account from a single source address would qualify as a brute force
attack.
The incorrect answers:
A. Spraying
A spraying attack is similar to a brute force attack, but spraying tries only
a few passwords against each of many accounts to avoid alerts or an account
lockout. A spraying attack often uses passwords stolen from other sites or a
short list of the most common passwords. The log above shows hundreds of
attempts against one account, not a few attempts against many.
B. Downgrade
A downgrade attack is often used to force an insecure encryption
algorithm or the disabling of encryption entirely. In this example, no
evidence of a downgrade attack is contained in the security log.
D. DDoS
A DDoS (Distributed Denial of Service) would involve many different
devices to cause a system outage. In this example, a single IP address was
logged and there was no evidence of a service outage.
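The pattern in the log above is easy to detect automatically. The following Python is an added example, not part of the exam material: it parses OpenSSH "Failed password" lines and the PAM "N more authentication failures" summary line, tallies failures per source address and account, and labels each source as brute force (many attempts against one account) or password spraying (a few attempts each against many accounts). The log lines are constructed to mirror the ones in the question, with a second source added to show the spraying case; the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the entries in the question (not a real capture).
# 10.101.88.230 hammers the root account; 192.0.2.77 tries one guess against each of
# several accounts, which is the spraying pattern.
SAMPLE_LOG = """\
Dec 30 08:40:03 web01 sshd[2211]: Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:05 web01 sshd[2211]: Failed password for root from 10.101.88.230 port 26244 ssh2
Dec 30 08:40:09 web01 sshd[2211]: PAM 445 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.101.88.230  user=root
Dec 30 09:12:01 web01 sshd[2310]: Failed password for alice from 192.0.2.77 port 50122 ssh2
Dec 30 09:12:02 web01 sshd[2311]: Failed password for bob from 192.0.2.77 port 50123 ssh2
Dec 30 09:12:03 web01 sshd[2312]: Failed password for carol from 192.0.2.77 port 50124 ssh2
Dec 30 09:12:04 web01 sshd[2313]: Failed password for invalid user dave from 192.0.2.77 port 50125 ssh2
"""

# One failed attempt; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# PAM collapses a run of repeated failures into one summary line carrying the count.
MORE_RE = re.compile(
    r"(?P<n>\d+) more authentication failures;.*rhost=(?P<ip>[\d.]+)\s+user=(?P<user>\S+)"
)


def count_failures(text):
    """Return {source_ip: {account: failed_attempts}} for the given log text."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
            continue
        m = MORE_RE.search(line)
        if m:
            # Without this line the 445 collapsed attempts would be missed entirely.
            per_ip[m.group("ip")][m.group("user")] += int(m.group("n"))
    return per_ip


def classify_sources(text, brute_threshold=10, spray_threshold=3):
    """Label each source IP as 'brute_force', 'spraying' or 'noise'.

    brute_force: at least brute_threshold failures against a single account
    spraying:    failures spread over at least spray_threshold accounts, none
                 of them reaching brute_threshold (the attacker stays under
                 the lockout limit on every account)
    Thresholds are illustrative; tune them to the environment's lockout policy.
    """
    labels = {}
    for ip, users in count_failures(text).items():
        if max(users.values()) >= brute_threshold:
            labels[ip] = "brute_force"
        elif len(users) >= spray_threshold:
            labels[ip] = "spraying"
        else:
            labels[ip] = "noise"
    return labels


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {label}")
```

The point of counting per account as well as per source is that a per-account lockout policy stops the brute force case but does nothing against spraying, which only ever makes a handful of attempts against each account; that second pattern is only visible when failures are grouped by source address.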

53
Q

During a morning login process, a user’s laptop was moved to a private
VLAN and a series of updates were automatically installed. Which of the
following would describe this process?
❍ A. Account lockout
❍ B. Configuration enforcement
❍ C. Decommissioning
❍ D. Sideloading

A

The Answer: B. Configuration enforcement
Many organizations will perform a posture assessment during the login
process to verify the proper security controls are in place. If the device does
not pass the assessment, the system can be quarantined and any missing
security updates can then be installed.
The incorrect answers:
A. Account lockout
In this example, there were no errors or notifications regarding the account
or authentication status.
C. Decommissioning
The decommissioning process is often used to permanently remove devices
from the network. In this example, the laptop mitigation would allow the
device to return to the network once the updates were complete.
D. Sideloading
Sideloading describes installing software on a mobile device from outside the
platform's official app store, for example from a third-party website or a
file copied onto the device.

54
Q

Which of the following describes two-factor authentication?
❍ A. A printer uses a password and a PIN
❍ B. The door to a building requires a fingerprint scan
❍ C. An application requires a pseudo-random code
❍ D. A Windows Domain requires a password and smart card

A

The Answer: D. A Windows Domain requires a password and smart card
The multiple factors of authentication for this Windows Domain are a
password (something you know), and a smart card (something you have).
The incorrect answers:
A. A printer uses a password and a PIN
A password and a PIN (Personal Identification Number) are both
something you know, so only one authentication factor is used.
B. The door to a building requires a fingerprint scan
A biometric scan (something you are) is a single factor of authentication.
C. An application requires a pseudo-random code
Pseudo-random authentication codes are often provided using a hardware
dongle or mobile app. This single factor of authentication is something you
have.

55
Q

A company is deploying a new application to all employees in the field.
Some of the problems associated with this roll out include:
* The company does not have a way to manage the devices in the field
* Team members have many different kinds of mobile devices
* The same device needs to be used for both corporate and private use
Which of the following deployment models would address these
concerns?
❍ A. CYOD
❍ B. SSO
❍ C. COPE
❍ D. BYOD

A

The Answer: C. COPE
A COPE (Corporate-owned, Personally Enabled) device would solve the
issue of device standardization and would allow the device to be used for
both corporate access and personal use.
The incorrect answers:
A. CYOD
CYOD (Choose Your Own Device) allows the user to pick the make and
model of their device. This would not solve the issue of different kinds of
mobile devices used in the field.
B. SSO
SSO (Single Sign-On) is used to authenticate once when accessing
multiple resources. SSO would not resolve any of the listed issues.
D. BYOD
With BYOD (Bring Your Own Device), the employee uses their personal
device at work. This would not address the issue of mobile device
management or standardization of mobile devices.

56
Q

An organization is installing a UPS for their new data center. Which of
the following would BEST describe this control type?
❍ A. Compensating
❍ B. Directive
❍ C. Deterrent
❍ D. Detective

A

The Answer: A. Compensating
A compensating security control doesn't prevent the original problem, but
it offsets the loss by other means. In this example, the UPS
(Uninterruptible Power Supply) does not stop a power outage, but it does
provide alternative power if an outage occurs.
The incorrect answers:
B. Directive
A directive control steers behavior through instructions, policies, and
guidance. A UPS is not categorized as a directive control.
C. Deterrent
A deterrent control discourages an intrusion attempt. A UPS is used after
power has been lost, so it would not be categorized as a deterrent.
D. Detective
A detective control may not prevent access, but it can identify and record
intrusion attempts.

57
Q

A manufacturing company would like to track the progress of parts used
on an assembly line. Which of the following technologies would be the
BEST choice for this task?
❍ A. Secure enclave
❍ B. Blockchain
❍ C. Hashing
❍ D. Asymmetric encryption

A

The Answer: B. Blockchain
The ledger functionality of a blockchain can be used to track or verify
components, digital media, votes, and other physical or digital objects.
The incorrect answers:
A. Secure enclave
A secure enclave is a protected area for secret information, often
implemented as a separate processor or isolated processor region inside
a device.
C. Hashing
Cryptographic hashes are commonly used to provide integrity
verifications, but they don’t necessarily include any method of tracking
components on an assembly line.
D. Asymmetric encryption
Asymmetric encryption uses different keys for encryption and decryption.
Asymmetric encryption does not provide any method for tracking objects
on an assembly line.

58
Q

A company’s website has been compromised and the website content has
been replaced with a political message. Which of the following threat
actors would be the MOST likely culprit?
❍ A. Insider
❍ B. Organized crime
❍ C. Shadow IT
❍ D. Hacktivist

A

The Answer: D. Hacktivist
A hacktivist is motivated by a particular philosophy, and their goal
is to spread their message by defacing web sites and releasing private
documents.
The incorrect answers:
A. Insider
An insider has access to many company services, but the motivations of
an insider threat would not commonly result in the posting of political
information.
B. Organized crime
Organized crime actors are motivated by money. It would be unusual for
an organized crime hack to include the posting of political messages.
C. Shadow IT
A shadow IT group is mostly interested in building their own systems and
applications, and they would not commonly deface a website in an attempt
to spread a specific political message.

59
Q

A Linux administrator is downloading an updated version of her Linux
distribution. The download site shows a link to the ISO and a SHA256
hash value. Which of these would describe the use of this hash value?
❍ A. Verifies that the file was not corrupted during the file transfer
❍ B. Provides a key for decrypting the ISO after download
❍ C. Authenticates the site as an official ISO distribution site
❍ D. Confirms that the file does not contain any malware

A

The Answer: A. Verifies that the file was not corrupted during
the file transfer
Once the file is downloaded, the administrator can calculate the file's
SHA256 hash and confirm that it matches the value on the website. A match
shows the bytes arrived intact. It only says something about deliberate
tampering if the published hash came from a trusted source protected
separately from the download (for example, a checksum file carrying the
distribution's digital signature); an attacker who can replace the ISO on
a mirror can usually replace an unsigned hash sitting next to it.
The incorrect answers:
B. Provides a key for decrypting the ISO after download
ISO files containing public information are usually distributed without
any encryption, and a hash value would not commonly be used as a
decryption key.
C. Authenticates the site as an official ISO distribution site
Although it’s important to download files from known good sites,
providing a hash value on a site would not provide any information about
the site’s authentication.
D. Confirms that the file does not contain any malware
A hash value doesn’t inherently provide any protection against malware.
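As an added worked example (not from the original page), here is what that check looks like in Python: a streaming SHA-256 of the downloaded file, a parser for the SHA256SUMS format that most distributions publish, and a constant-time comparison against the published value. The ISO contents, the checksum line and the filename distro.iso are constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-gigabyte ISO never has to fit in memory


def sha256_of_file(path):
    """Return the lowercase hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse the SHA256SUMS format ('<hex digest>  <filename>' per line, as written by
    sha256sum) into {filename: digest}. A leading '*' on the filename marks binary mode."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        table[name.strip().lstrip("*")] = digest.lower()
    return table


def verify_download(path, expected_hex):
    """True only if the file's digest equals the published one.
    compare_digest keeps the comparison constant-time; lower() tolerates sites that
    publish upper-case hex. The length check catches a truncated copy of the digest."""
    expected = expected_hex.strip().lower()
    if len(expected) != 64:
        raise ValueError("a SHA-256 digest is 64 hex characters")
    return hmac.compare_digest(sha256_of_file(path), expected)


def demo():
    """Constructed sample: an 'ISO', the site's SHA256SUMS line for it, and a copy with
    one flipped byte standing in for a transfer that was corrupted (or tampered with)."""
    iso_bytes = b"constructed-iso-image-contents\n" * 4096
    sums_text = f"{hashlib.sha256(iso_bytes).hexdigest()}  distro.iso\n"
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "distro.iso")
        with open(good, "wb") as f:
            f.write(iso_bytes)
        bad = os.path.join(d, "distro-corrupt.iso")
        with open(bad, "wb") as f:
            f.write(iso_bytes[:100] + b"X" + iso_bytes[101:])
        expected = parse_sha256sums(sums_text)["distro.iso"]
        return verify_download(good, expected), verify_download(bad, expected)


if __name__ == "__main__":
    ok, corrupt = demo()
    print(f"intact copy verifies: {ok}; corrupted copy verifies: {corrupt}")
```

On the command line, `sha256sum -c SHA256SUMS` performs the same comparison. Checking the distribution's signature on the SHA256SUMS file (with `gpg --verify`) is the step that adds authenticity; the hash alone only detects changed bytes.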

60
Q

A company’s security policy requires that login access should only
be available if a person is physically within the same building as the
server. Which of the following would be the BEST way to provide this
requirement?
❍ A. USB security key
❍ B. Biometric scanner
❍ C. PIN
❍ D. SMS

A

The Answer: B. Biometric scanner
A biometric scanner would require a person to be physically present to
verify the authentication.
The incorrect answers:
A. USB security key
A USB (Universal Serial Bus) security key holds an authentication
credential, such as a private key or certificate, in a small hardware
token. The security key is commonly used as an authentication method for
a user or application, and it doesn't provide any information about the
location of the security key.
C. PIN
Although a PIN (Personal Identification Number) can be used as an
authentication factor, the use of the PIN does not guarantee that a person
is physically present.
D. SMS
SMS (Short Message Service), or text messages, are commonly used as
authentication factors. However, the use of a mobile device to receive the
SMS message does not guarantee that the owner of the mobile device is
physically present.

61
Q

A development team has installed a new application and database to a
cloud service. After running a vulnerability scanner on the application
instance, a security administrator finds the database is available for
anyone to query without providing any authentication. Which of these
vulnerabilities is MOST associated with this issue?
❍ A. Legacy software
❍ B. Open permissions
❍ C. Race condition
❍ D. Malicious update

A

The Answer: B. Open permissions
Just like local systems, proper permissions and security controls are
required when applications are installed to a cloud-based system. If
permissions are not properly configured, the application data may be
accessible by anyone on the Internet.
The incorrect answers:
A. Legacy software
Legacy software often describes an older application with limited support
options. The application and database in this example is a new installation
and would not normally be categorized as legacy.
C. Race condition
If two processes occur simultaneously without coordination between
the processes, unexpected results could occur. In this example, a single
vulnerability scan has identified the issue and other processes do not
appear to be involved.
D. Malicious update
A malicious update involves the installation of unwanted software during
a normal update process. In this example, an update was not performed
and the resulting public access would not generally be part of a malicious
update.

62
Q

Employees of an organization have received an email with a link offering
a cash bonus for completing an internal training course. Which of the
following would BEST describe this email?
❍ A. Watering hole attack
❍ B. Cross-site scripting
❍ C. Zero-day
❍ D. Phishing campaign

A

The Answer: D. Phishing campaign
A phishing campaign is an internal process used to test the security habits
of the user community. An email with a link from a server not under the
control of the company could be an email sent by the IT department as
part of a phishing campaign.
The incorrect answers:
A. Watering hole attack
A watering hole attack is used as an alternative to attacking a victim’s
device directly. With a watering hole attack, an attacker will compromise a
site used by the victim and will simply wait for the victim to visit.
B. Cross-site scripting
Cross-site scripting takes advantage of the trust already existing in a
web browser. In this example, there’s no evidence of a vulnerable web
application or a specific browser-based vulnerability.
C. Zero-day
A zero-day attack describes a vulnerability where a software patch or
similar mitigation is not immediately available. A link in an email by itself
does not describe a zero-day attack.

63
Q

Which of the following risk management strategies would include the
purchase and installation of an NGFW?
❍ A. Transfer
❍ B. Mitigate
❍ C. Accept
❍ D. Avoid

A

The Answer: B. Mitigate
Mitigation is a strategy that reduces the likelihood or the impact of a
risk. This is commonly done through the use of additional security systems
and monitoring, such as an NGFW (Next-Generation Firewall).
The incorrect answers:
A. Transfer
Transferring risk would move the risk from one entity to another. Adding
an NGFW would not transfer any risk to another party.
C. Accept
The acceptance of risk is a position where the owner understands the risk
and has decided to accept the potential results.
D. Avoid
With risk avoidance, the owner of the risk decides to stop participating in
a high-risk activity. This effectively avoids the risky activity and prevents
any future issues.

64
Q

An organization is implementing a security model where all application
requests must be validated at a policy enforcement point. Which of the
following would BEST describe this model?
❍ A. Public key infrastructure
❍ B. Zero trust
❍ C. Discretionary access control
❍ D. Federation

A

The Answer: B. Zero trust
Zero trust describes a model where nothing is inherently trusted and
everything must be verified to gain access. A central policy enforcement
point is commonly used to implement a zero trust architecture.
The incorrect answers:
A. Public key infrastructure
A public key infrastructure (PKI) uses public and private keys to provide
confidentiality and integrity. Asymmetric encryption and digital signatures
are used as foundational technologies in PKI.
C. Discretionary access control
Discretionary access control is an authorization method where the owner
of the data determines the scope and type of access. A discretionary
access control model does not specifically define how the authorization is
implemented.
D. Federation
Federation allows users to authenticate with credentials managed by a
third-party identity provider, so one organization can accept logins
verified by another. Federation does not describe the use of a policy
enforcement point.

65
Q

A company is installing a new application in a public cloud. Which of
the following determines the assignment of data security in this cloud
infrastructure?
❍ A. Playbook
❍ B. Audit committee
❍ C. Responsibility matrix
❍ D. Right-to-audit clause

A

The Answer: C. Responsibility matrix
A cloud responsibility matrix is usually published by the provider to
document the responsibilities for all cloud-based services. For example,
the customer responsibilities for an IaaS (Infrastructure as a Service)
implementation will be different than SaaS (Software as a Service).
The incorrect answers:
A. Playbook
A playbook provides conditional steps to follow when managing an
organization’s processes and procedures. For example, the process of
recovering from a virus infection would be documented in a playbook.
B. Audit committee
An audit committee oversees the risk management activities for an
organization. For example, the committee would be responsible for
verifying the security implementation documented in the responsibility
matrix.
D. Right-to-audit clause
A right-to-audit clause is often included in a third-party contract to define
the terms and conditions around periodic audits. This is often part of a
larger product or services contract.

66
Q

When decommissioning a device, a company documents the type and
size of storage drive, the amount of RAM, and any installed adapter cards.
Which of the following describes this process?
❍ A. Destruction
❍ B. Sanitization
❍ C. Certification
❍ D. Enumeration

A

The Answer: D. Enumeration
Enumeration describes the detailed listing of all parts in a particular
device. For a computer, this could include the CPU type, memory, storage
drive details, keyboard model, and more.
The incorrect answers:
A. Destruction
Destruction involves physically damaging a device or component to
prevent any future use or data access. Although the company may choose
to destroy these computers at a later date, this question does not describe
the destruction process.
B. Sanitization
Sanitization removes data from storage media so the device can be safely
reused. For example, a sector-by-sector overwrite would sanitize a hard
drive and allow the drive to be installed into another computer without
the concern of a data breach.
C. Certification
If a third-party is providing destruction services, they often will certify the
work and document which device serial numbers were destroyed as part of
their service.

67
Q

An attacker has sent more information than expected in a single API
call, and this has allowed the execution of arbitrary code. Which of the
following would BEST describe this attack?
❍ A. Buffer overflow
❍ B. Replay attack
❍ C. Cross-site scripting
❍ D. DDoS

A

The Answer: A. Buffer overflow
A buffer overflow can produce unpredictable results, but sometimes the
effects are repeatable and controllable. In the best possible case for
the attacker, the overflow can be manipulated to execute arbitrary code on
the remote device.
The incorrect answers:
B. Replay attack
A replay attack does not require the sending of more information than
expected, and often a replay attack consists of normal traffic and expected
application input.
C. Cross-site scripting
A cross-site scripting attack allows a third party to take advantage of the
trust a browser might have with another website. This question involves an
API call and does not appear to reference a browser or third-party website.
D. DDoS
A DDoS (Distributed Denial of Service) renders a service unavailable,
and it involves the input of many devices to operate. A DDoS would not
require sending more information than expected, and it rarely results in
the execution of arbitrary code.

68
Q

A company encourages users to encrypt all of their confidential materials
on a central server. The organization would like to enable key escrow as
a backup option. Which of these keys should the organization place into
escrow?
❍ A. Private
❍ B. CA
❍ C. Session
❍ D. Public

A

The Answer: A. Private
With asymmetric encryption, the private key is used to decrypt
information that has been encrypted with the public key. To ensure
continued access to the encrypted data, the company must have a copy of
each private key.
The incorrect answers:
B. CA
A CA (Certificate Authority) key is used to sign issued certificates, and
the CA's public key validates those digital signatures. This key is not
used for user data encryption.
C. Session
Session keys are commonly used temporarily to provide confidentiality
during a single session. Once the session is complete, the keys are
discarded. Session keys are not used to provide long-term data encryption.
D. Public
In asymmetric encryption, a public key is already available to everyone. It
would not be necessary to escrow a public key.

69
Q

A company is in the process of configuring and enabling host-based
firewalls on all user devices. Which of the following threats is the
company addressing?
❍ A. Default credentials
❍ B. Vishing
❍ C. Instant messaging
❍ D. On-path

A

The Answer: C. Instant messaging
Instant messaging is commonly used as an attack vector, and one way to
help protect against malicious links delivered by instant messaging is a
host-based firewall.
The incorrect answers:
A. Default credentials
Users commonly login with unique credentials that are specific to the user.
A host-based firewall would not identify the use of a default username and
password.
B. Vishing
Vishing, or voice phishing, occurs over a phone or other voice
communication method. A host-based firewall would not be able to
protect against a voice-related attack vector.
D. On-path
An on-path attack describes a third party in the middle of a
communications path. The victims of an on-path attack are usually not
aware an attack is taking place, so a host-based firewall would not be
able to detect an on-path attack.

70
Q

A manufacturing company would like to use an existing router to separate
a corporate network from a manufacturing floor. Both networks use
the same physical switch, and the company does not want to install any
additional hardware. Which of the following would be the BEST choice
for this segmentation?
❍ A. Connect the corporate network and the manufacturing floor
with a VPN
❍ B. Build an air gapped manufacturing floor network
❍ C. Use host-based firewalls on each device
❍ D. Create separate VLANs for the corporate network and the
manufacturing floor

A

The Answer: D. Create separate VLANs for the corporate network and
the manufacturing floor
Creating VLANs (Virtual Local Area Networks) will segment a network
without requiring additional switches.
The incorrect answers:
A. Connect the corporate network and the manufacturing floor
with a VPN
A VPN (Virtual Private Network) would encrypt all information between
the two networks, but it would not provide any segmentation. This process
would also commonly require additional hardware to provide VPN
connectivity.
B. Build an air gapped manufacturing floor network
An air gapped network would require separate physical switches on each
side of the gap, and this would require the purchase of an additional
switch.
C. Use host-based firewalls on each device
While personal firewalls provide protection for individual devices, they
do not segment networks. It’s also uncommon for personal firewalls to be
installed on manufacturing equipment.

71
Q

An organization needs to provide a remote access solution for a newly
deployed cloud-based application. This application is designed to be used
by mobile field service technicians. Which of the following would be the
best option for this requirement?
❍ A. RTOS
❍ B. CRL
❍ C. Zero-trust
❍ D. SASE

A

The Answer: D. SASE
A SASE (Secure Access Service Edge) solution is a next-generation VPN
technology designed to optimize the process of secure communication to
cloud services.
The incorrect answers:
A. RTOS
An RTOS (Real-time Operating System) is an OS designed for industrial
equipment, automobiles, and other time-sensitive applications.
B. CRL
A CRL (Certificate Revocation List) is used to determine if a certificate
has been administratively revoked. A CRL would not provide any remote
access functionality.
C. Zero-trust
Zero-trust is a security strategy where all devices on the network are
verified before connecting to another device. Zero-trust does not provide
remote access functions.

72
Q

A company is implementing a quarterly security awareness campaign.
Which of the following would MOST likely be part of this campaign?
❍ A. Suspicious message reports from users
❍ B. An itemized statement of work
❍ C. An IaC configuration file
❍ D. An acceptable use policy document

A

The Answer: A. Suspicious message reports from users
A security awareness campaign often involves automated phishing
attempts, and most campaigns will include a process for users to report a
suspected phishing attempt to the IT security team.
The incorrect answers:
B. An itemized statement of work
A statement of work (SOW) is commonly used for service engagements.
The SOW provides a list of deliverables for the professional services, and
this list is often used to determine if the services were completed.
C. An IaC configuration file
An IaC (Infrastructure as Code) configuration file describes an
infrastructure configuration commonly used by cloud-based systems. An
IaC configuration file would not be used by a security awareness campaign.
D. An acceptable use policy document
An acceptable use policy (AUP) is defined by an employer to describe the
proper use of technology and systems within an organization. The AUP
itself is not part of a security awareness campaign.

73
Q

A recent report shows the return of a vulnerability that was previously
patched four months ago. After researching this issue, the security team
has found a recent patch has reintroduced this vulnerability on the servers.
Which of the following should the security administrator implement to
prevent this issue from occurring in the future?
❍ A. Containerization
❍ B. Data masking
❍ C. 802.1X
❍ D. Change management

A

The Answer: D. Change management
The change management process includes a testing phase that can help
identify potential issues relating to an application change or upgrade.
The incorrect answers:
A. Containerization
Containerization is an efficient method of deploying application instances,
but it doesn’t provide any mitigation for security vulnerabilities.
B. Data masking
Data masking can be used to limit access to sensitive data, but it does not
prevent the implementation of a security vulnerability.
C. 802.1X
802.1X is a standard for port-based network access control, and it can
help manage the authentication process of network users. 802.1X does not
provide any mitigation for security vulnerabilities.

74
Q

A security manager would like to ensure that unique hashes are used with
an application login process. Which of the following would be the BEST
way to add random data when generating a set of stored password hashes?
❍ A. Salting
❍ B. Obfuscation
❍ C. Key stretching
❍ D. Digital signature

A

The Answer: A. Salting
Adding random data, or salt, to a password when performing the hashing
process will create a unique hash, even if other users have chosen the same
password.
The incorrect answers:
B. Obfuscation
Obfuscation is the process of making something difficult for humans to
read or understand. The obfuscation process isn’t commonly associated
with adding random information to hashes.
C. Key stretching
Key stretching runs the hashing or key derivation function many times
(thousands of iterations of PBKDF2 or bcrypt, for example) so that each
guess in a brute force attack costs more. Key stretching by itself does
not commonly add random data to the hashing process.
D. Digital signature
Digital signatures use a hash and asymmetric encryption to provide
integrity of data. Digital signatures aren’t commonly used for storing
passwords.
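As an added worked example (not from the original page), the Python below stores and checks passwords with a fresh random salt per account and a PBKDF2 iteration count as the separate key-stretching knob. It shows the point of the question directly: the unsalted scheme gives two users with the same password the same hash, the salted one does not. The password and account names are constructed; the record format `pbkdf2_sha256$iterations$salt$hash` is this example's own convention, not a standard.

```python
import hashlib
import hmac
import os

# Work factor for the PBKDF2 key stretching. OWASP's password storage guidance
# recommends 600,000 iterations for PBKDF2-HMAC-SHA256; lower it only for tests.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_hash(password):
    """The weak scheme: two users with the same password get the same stored hash,
    and a single precomputed table cracks every such account at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password, salt=None, iterations=ITERATIONS):
    """Return a storable credential 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The salt is fresh random data per account (os.urandom), which is what makes the hash
    unique even for a shared password; the iteration count is the separate key-stretching
    knob that slows down each guess."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute with the salt and iteration count stored in the record and compare in
    constant time. The salt is stored in the clear; it never has to be secret."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def demo(iterations=ITERATIONS):
    """Two accounts (constructed) that chose the same password."""
    shared = "correct horse battery staple"
    alice = make_record(shared, iterations=iterations)
    bob = make_record(shared, iterations=iterations)
    return {
        "unsalted_hashes_identical": unsalted_hash(shared) == unsalted_hash(shared),
        "salted_records_differ": alice != bob,
        "alice_login_ok": verify(shared, alice),
        "bob_wrong_password_rejected": not verify("Correct horse battery staple", bob),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Storing the iteration count inside the record is what lets you raise the work factor later and re-hash each account at its next successful login without a flag day.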

75
Q

Which cryptographic method is used to add trust to a digital certificate?
❍ A. Steganography
❍ B. Hash
❍ C. Symmetric encryption
❍ D. Digital signature

A

The Answer: D. Digital signature
A certificate authority will digitally sign a certificate to add trust. If you
trust the certificate authority, you can therefore trust the certificate.
The incorrect answers:
A. Steganography
Steganography is a technique for hiding information inside of another
media type. Steganography is a method of obfuscating data and does not
provide a method of adding trust to a certificate.
B. Hash
A hash can help verify that the certificate has not been altered, but it does
not provide additional third-party trust.
C. Symmetric encryption
Symmetric encryption provides data confidentiality, but it doesn’t add any
additional trust to the encryption process.

76
Q

A company is using SCAP as part of their security monitoring processes.
Which of the following would BEST describe this implementation?
❍ A. Train the user community to better identify phishing attempts
❍ B. Present the results of an internal audit to the board
❍ C. Automate the validation and patching of security issues
❍ D. Identify and document authorized data center visitors

A

The Answer: C. Automate the validation and patching of security issues
SCAP (Security Content Automation Protocol) focuses on the
standardization of vulnerability management across multiple security tools.
This allows different tools to identify and act on the same security criteria.
The incorrect answers:
A. Train the user community to better identify phishing attempts
Security awareness training is an important part of an overall security
strategy, but the training process does not generally involve SCAP.
B. Present the results of an internal audit to the board
A presentation of audit results can provide important feedback, but the
presentation itself does not generally use SCAP.
D. Identify and document authorized data center visitors
The identification and documentation process for visitors is an important
security policy, but it does not generally require the use of SCAP.

77
Q

An organization maintains a large database of customer information for
sales tracking and customer support. Which person in the organization
would be responsible for managing the access rights to this data?
❍ A. Data processor
❍ B. Data owner
❍ C. Data subject
❍ D. Data custodian

A

The Answer: D. Data custodian
The data custodian manages access rights and sets security controls
to the data.
The incorrect answers:
A. Data processor
The data processor manages the operational use of the data, but not the
rights and permissions to the information.
B. Data owner
The data owner is usually a higher-level executive who makes business
decisions regarding the data.
C. Data subject
The data subjects are the individuals who have their personal information
contained in this customer information database.

78
Q

An organization’s content management system currently labels files
and documents as “Public” and “Restricted.” On a recent update, a new
classification type of “Private” was added. Which of the following would
be the MOST likely reason for this addition?
❍ A. Minimized attack surface
❍ B. Simplified categorization
❍ C. Expanded privacy compliance
❍ D. Decreased search time

A

The Answer: C. Expanded privacy compliance
The labeling of data as private is often associated with compliance and
confidentiality concerns.
The incorrect answers:
A. Minimized attack surface
The categorization of data has little impact on the size of the potential
attack surface associated with a system.
B. Simplified categorization
Adding additional categories would not commonly be considered a
simplification.
D. Decreased search time
Adding additional classifications would not necessarily provide any
decreased search times.

79
Q

A corporate security team would like to consolidate and protect the
private keys across all of their web servers. Which of these would be the
BEST way to securely store these keys?
❍ A. Integrate an HSM
❍ B. Implement full disk encryption on the web servers
❍ C. Use a TPM
❍ D. Upgrade the web servers to use a UEFI BIOS

A

The Answer: A. Integrate an HSM
An HSM (Hardware Security Module) is a high-end cryptographic
hardware appliance that can securely store keys and certificates for all
devices.
The incorrect answers:
B. Implement full disk encryption on the web servers
Full-disk encryption protects the keys only while the server is powered
off or the disk is removed; once the system has booted and the volume is
unlocked, the keys are readable by any process with file access. It also
does nothing to consolidate the web server keys at a central point.
C. Use a TPM
A TPM (Trusted Platform Module) is used on individual devices to
provide cryptographic functions and securely store encryption keys.
Individual TPMs would not provide any consolidation of web server
private keys.
D. Upgrade the web servers to use a UEFI BIOS
A UEFI (Unified Extensible Firmware Interface) BIOS (Basic Input/
Output System) does not provide any additional security or consolidation
features for web server private keys.

80
Q

A security technician is reviewing this security log from an IPS:

ALERT 2023-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL/index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="<script>" key="key7" value="<script>alert(2)</script>"

Which of the following can be determined from this log information?
(Select TWO)

❍ A. The alert was generated from a malformed User Agent header
❍ B. The alert was generated from an embedded script
❍ C. The attacker’s IP address is 222.43.112.74
❍ D. The attacker’s IP address is 64.235.145.35
❍ E. The alert was generated due to an invalid client port number

A

The Answer: B. The alert was generated from an embedded script and
C. The attacker’s IP address is 222.43.112.74
The details of the IPS (Intrusion Prevention System) alert show a script
value embedded into JSON (JavaScript Object Notation) data. The IPS
log also shows the flow of the attack with an arrow in the middle. The
attacker was IP address 222.43.112.74 with port 3332, and the victim was
64.235.145.35 over port 80.
The incorrect answers:
A. The alert was generated from a malformed User Agent header
The user agent information is provided as additional supporting data
associated with the alert. The agent itself is not the cause of this alert.
D. The attacker’s IP address is 64.235.145.35
The attacker’s IP address is listed first, so the victim’s IP address is
64.235.145.35.
E. The alert was generated due to an invalid client port number
The port number associated with the client, 3332, is a valid port number
and not associated with the cause of the alert.
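As an added worked example (not from the original page), the Python below parses an alert of this shape and answers the same two questions mechanically: which end of the `src:port -> dst:port` arrow is the attacker, and whether the Detail payload carries script. The sample alert is constructed to match the one above; the token value "abc123" is made up, and the field names and direction heuristic are this example's own, not a particular IPS vendor's format.

```python
import re

# Constructed sample modelled on the alert in the question; token="abc123" is made up.
SAMPLE_ALERT = """
ALERT 2023-06-01 13:07:29 [163bcf65118-179b547b]
Cross-Site Scripting in JSON Data
222.43.112.74:3332 -> 64.235.145.35:80
URL /index.html - Method POST - Query String "-"
User Agent: curl/7.21.3 (i386-redhat-linux-gnu) libcurl/7.21.3
NSS/3.13.1.0 zlib/1.2.5 libidn/1.19 libssh2/1.2.7
Detail: token="abc123" key="key7" value="<script>alert(2)</script>"
"""

FLOW_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs in the Detail line
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)
UA_RE = re.compile(r"^[\w.-]+/[\w.]+")  # product/version, the shape a sane User Agent starts with


def parse_alert(text):
    """Split one multi-line IPS alert into its fields. Lines that don't start a new field
    (the wrapped User Agent, for instance) are folded into the previous field."""
    alert = {"timestamp": None, "signature": None, "flow": None, "user_agent": "", "detail": ""}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        flow = FLOW_RE.search(line)
        if line.startswith("ALERT "):
            alert["timestamp"] = " ".join(line.split()[1:3])
            current = None
        elif flow:
            alert["flow"] = flow.groups()
            current = None
        elif line.startswith("User Agent:"):
            alert["user_agent"] = line[len("User Agent:"):].strip()
            current = "user_agent"
        elif line.startswith("Detail:"):
            alert["detail"] = line[len("Detail:"):].strip()
            current = "detail"
        elif line.startswith("URL"):
            current = None
        elif alert["signature"] is None:
            alert["signature"] = line
        elif current:
            alert[current] += " " + line
    if alert["flow"] is None:
        raise ValueError("no 'src:port -> dst:port' line in alert")
    return alert


def assess(alert):
    """Answer the question's points from the parsed fields: who is attacking whom,
    whether the payload carries script, and whether the port and User Agent look legitimate."""
    src_ip, src_port, dst_ip, dst_port = alert["flow"]
    src_port, dst_port = int(src_port), int(dst_port)
    # The arrow is source -> destination. For a request-side alert like this one the
    # source is the client. Comparing the ephemeral port (3332) with the service port (80)
    # tells which side initiated, so the heuristic also holds for response-side alerts.
    client_is_src = (src_port > 1023 and dst_port <= 1023) or dst_port in (80, 443, 8080, 8443)
    attacker, victim = (src_ip, dst_ip) if client_is_src else (dst_ip, src_ip)
    fields = dict(KV_RE.findall(alert["detail"]))
    script_fields = sorted(k for k, v in fields.items() if SCRIPT_RE.search(v))
    return {
        "attacker": attacker,
        "victim": victim,
        "embedded_script": bool(script_fields),
        "script_fields": script_fields,
        "client_port_valid": 1 <= src_port <= 65535,
        "user_agent_wellformed": bool(UA_RE.match(alert["user_agent"])),
    }


if __name__ == "__main__":
    print(assess(parse_alert(SAMPLE_ALERT)))
```

The direction logic is the part worth keeping in mind when reading real IPS output: some sensors raise alerts on the server's response, and then the source address is the victim, so checking the port roles is safer than assuming "left side is the attacker".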

81
Q

Which of the following describes a monetary loss if one event occurs?
❍ A. ALE
❍ B. SLE
❍ C. RTO
❍ D. ARO

A

The Answer: B. SLE
SLE (Single Loss Expectancy) describes the financial impact of
a single event.
The incorrect answers:
A. ALE
ALE (Annual Loss Expectancy) is the financial loss over an entire
12-month period.
C. RTO
RTO (Recovery Time Objective) is the target time within which a service
must be restored to a defined level after an outage.
D. ARO
The ARO (Annualized Rate of Occurrence) is the number of times an
event will occur in a 12-month period.

82
Q

A user with restricted access has typed this text in a search field of an
internal web-based application:
USER77' OR '1'='1
After submitting this search request, all database records are displayed on
the screen. Which of the following would BEST describe this search?
❍ A. Cross-site scripting
❍ B. Buffer overflow
❍ C. SQL injection
❍ D. SSL stripping

A

The Answer: C. SQL injection
SQL (Structured Query Language) injection takes advantage of poor
input validation to circumvent the application and allows the attacker to
query the database directly.
The incorrect answers:
A. Cross-site scripting
Cross-site scripting takes advantage of the trust a browser has in a web
application to run attacker-supplied script in another user's session.
The attack demonstrated in this question does not use another user's
browser, credentials, or access rights to obtain information.
B. Buffer overflow
A buffer overflow uses an application vulnerability to submit more
information than an application can properly manage. The attack syntax
in this question is specific to SQL injections, and it does not appear to be
manipulating a buffer overflow vulnerability.
D. SSL stripping
SSL stripping is a downgrade attack in which an on-path attacker rewrites
HTTPS links and redirects to plain HTTP, so the victim's traffic is sent
unencrypted. The attack in this question does not involve a third party in
the communication path.
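As an added worked example (not from the original page), the Python below runs the exact string from the question against two versions of the same search: one that pastes the input into the SQL text and one that binds it as a parameter. The parts table and the account names are constructed sample data held in an in-memory SQLite database.

```python
import sqlite3

INJECTION = "USER77' OR '1'='1"  # the text from the question, typed into the search field


def build_db():
    """Constructed sample data: each parts record belongs to one user account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE parts (id INTEGER PRIMARY KEY, owner TEXT, part_no TEXT, price REAL)")
    con.executemany(
        "INSERT INTO parts (owner, part_no, price) VALUES (?, ?, ?)",
        [
            ("USER77", "BRK-1001", 12.50),
            ("USER12", "BRK-2040", 99.00),
            ("USER12", "MTR-0077", 410.25),
            ("ADMIN", "SEC-KEYS", 0.00),
        ],
    )
    return con


def search_vulnerable(con, owner):
    """The flaw: the user's text is pasted into the statement, so the quote in the input
    closes the string literal and the rest of the input becomes SQL. With INJECTION the
    statement becomes
        ... WHERE owner = 'USER77' OR '1'='1'
    and the always-true OR returns every row in the table."""
    sql = f"SELECT id, owner, part_no FROM parts WHERE owner = '{owner}'"
    return con.execute(sql).fetchall()


def search_parameterized(con, owner):
    """The fix: a bound parameter. The driver sends the text as a value, never as SQL, so
    the query looks for an owner literally named  USER77' OR '1'='1  and finds none."""
    return con.execute("SELECT id, owner, part_no FROM parts WHERE owner = ?", (owner,)).fetchall()


def demo():
    """Row counts for a normal search and for the injected search, in both versions."""
    con = build_db()
    return {
        "normal_vulnerable": len(search_vulnerable(con, "USER77")),
        "normal_parameterized": len(search_parameterized(con, "USER77")),
        "injected_vulnerable": len(search_vulnerable(con, INJECTION)),
        "injected_parameterized": len(search_parameterized(con, INJECTION)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Parameterization removes the injection; restricting what the query can reach is the other half of the fix for a user with restricted access, for example by having the application add `AND owner = ?` bound to the authenticated account rather than trusting anything typed into the search field.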

83
Q

A user has opened a helpdesk ticket complaining of poor system
performance, excessive pop up messages, and the cursor moving
without anyone touching the mouse. This issue began after they opened
a spreadsheet from a vendor containing part numbers and pricing
information. Which of the following is MOST likely the cause of this
user’s issues?
❍ A. On-path
❍ B. Worm
❍ C. Trojan horse
❍ D. Logic bomb

A

The Answer: C. Trojan horse
Since a Trojan horse is usually disguised as legitimate software, the
victim often doesn’t realize they’re installing malware. Once the Trojan is
installed, the attacker can install additional software to control the infected
system.
The incorrect answers:
A. On-path
An on-path attack commonly occurs without any knowledge to the parties
involved, and there’s usually no additional notification that an attack is
underway.
B. Worm
A worm is malware that can replicate itself between systems without any
user intervention, so a spreadsheet that requires a user to click through
warning messages would not be categorized as a worm.
D. Logic bomb
A logic bomb is malware that installs and operates silently until a certain
event occurs. Once the logic bomb has been triggered, the results usually
involve loss of data or a disabled operating system.

84
Q

A web-based manufacturing company processes monthly charges to credit
card information saved in the customer’s profile. All of the customer
information is encrypted and protected with additional authentication
factors. Which of the following would be the justification for these
security controls?
❍ A. Chain of custody
❍ B. Password vaulting
❍ C. Compliance reporting
❍ D. Sandboxing

A

The Answer: C. Compliance reporting
The storage of sensitive information such as customer details and payment
information may require additional reporting to ensure compliance with
the proper security controls.
The incorrect answers:
A. Chain of custody
Chain of custody describes the control and integrity of collected evidence.
Chain of custody would not involve the implementation of encryption and
authentication factors in this example.
B. Password vaulting
Password vaults are used as secure storage and retrieval of authentication
credentials. The protection of user data is not associated with password
vaulting.
D. Sandboxing
Sandboxing is the process of running a service or system in a protected
environment. This sandbox allows for testing and analysis without affecting
other systems that may currently be in production.

85
Q

A security manager has created a report showing intermittent network
communication from certain workstations on the internal network to one
external IP address. These traffic patterns occur at random times during
the day. Which of the following would be the MOST likely reason for
these traffic patterns?
❍ A. On-path attack
❍ B. Keylogger
❍ C. Replay attack
❍ D. Brute force

A

The Answer: B. Keylogger
A keylogger captures keystrokes and occasionally transmits this
information to the attacker for analysis. The traffic patterns identified
by the security manager could potentially be categorized as malicious
keylogger transfers.
The incorrect answers:
A. On-path attack
An on-path attack is an exploit often associated with a device monitoring
data in the middle of a conversation. This question did not provide any
evidence of third-party monitoring.
C. Replay attack
A replay attack is often used by an attacker to gain access to a service
through the use of credentials gathered from a previous authentication.
Internal devices communicating to an external server would not be a
common pattern for a replay attack.
D. Brute force
A brute force attack attempts to find authentication credentials by
attempting to guess a password. In this example, the source of the traffic
and the traffic patterns don’t match those seen with common brute force
attempts.

86
Q

The security policies in a manufacturing company prohibit the
transmission of customer information. However, a security administrator
has received an alert that credit card numbers were transmitted as an
email attachment. Which of the following was the MOST likely source
of this alert message?
❍ A. IPS
❍ B. DLP
❍ C. RADIUS
❍ D. IPsec

A

The Answer: B. DLP
DLP (Data Loss Prevention) technologies can identify and block the
transmission of sensitive data across the network.
The incorrect answers:
A. IPS
IPS (Intrusion Prevention System) signatures are useful for identifying
known vulnerabilities, but they don’t commonly provide a way to identify
and block PII (Personally Identifiable Information) or sensitive data.
C. RADIUS
RADIUS (Remote Authentication Dial-In User Service) is an
authentication protocol commonly used to validate user credentials.
RADIUS would not be used to identify sensitive data transfers.
D. IPsec
IPsec (Internet Protocol Security) is a protocol suite for authenticating
and encrypting network communication. IPsec does not include any
features for identifying and alerting on sensitive information.

87
Q

A security administrator has configured a virtual machine in a screened
subnet with a guest login account and no password. Which of the
following would be the MOST likely reason for this configuration?
❍ A. The server is a honeypot for attracting potential attackers
❍ B. The server is a cloud storage service for remote users
❍ C. The server will be used as a VPN concentrator
❍ D. The server is a development sandbox for third-party
programming projects

A

The Answer: A. The server is a honeypot for attracting potential attackers
A screened subnet is a good location to configure services that can be
accessed from the Internet, and building a system that can be easily
compromised is a common tactic for honeypot systems.
The incorrect answers:
B. The server is a cloud storage service for remote users
Although cloud storage is a useful service, configuring storage on a server
with an open guest account is not a best practice.
C. The server will be used as a VPN concentrator
VPN (Virtual Private Networking) concentrators should be installed
on secure devices, and configuring an open guest account would not be
considered a secure configuration.
D. The server is a development sandbox for third-party
programming projects
It would not be secure to configure a development sandbox on a system
with an open guest account.

88
Q

A security administrator is configuring a DNS server with a SPF record.
Which of the following would be the reason for this configuration?
❍ A. Transmit all outgoing email over an encrypted tunnel
❍ B. List all servers authorized to send emails
❍ C. Digitally sign all outgoing email messages
❍ D. Obtain disposition instructions for emails marked as spam

A

The Answer: B. List all servers authorized to send emails
SPF (Sender Policy Framework) is used to publish a list of all authorized
email servers for a specific domain.
The incorrect answers:
A. Transmit all outgoing email over an encrypted tunnel
The option to use encrypted protocols for email transfer is configured in
the email server and not in the DNS (Domain Name System) server.
C. Digitally sign all outgoing email messages
DKIM (DomainKeys Identified Mail) is used to publish the public key
used to verify the digital signature on all outgoing email.
D. Obtain disposition instructions for emails marked as spam
A DMARC (Domain-based Message Authentication, Reporting, and
Conformance) record announces the preferred email disposition if a
message is identified as spam. DMARC options include accepting the
messages, sending them to a spam folder, or simply rejecting the emails.

89
Q

A company would like to securely deploy applications without the
overhead of installing a virtual machine for each system. Which of the
following would be the BEST way to deploy these applications?
❍ A. Containerization
❍ B. IoT
❍ C. Proxy
❍ D. RTOS

A

The Answer: A. Containerization
Application containerization uses a single virtual machine as the
foundation for separate application “containers.” These containers are
implemented as isolated instances, and an application in one container is
not inherently accessible from other containers on the system.
The incorrect answers:
B. IoT
IoT (Internet of Things) is a broad category of embedded devices often
installed in our homes and businesses. IoT devices are not commonly
associated with the application deployment process.
C. Proxy
Proxies can be used as security devices, but they aren’t commonly used for
deploying application instances.
D. RTOS
RTOS (Real-Time Operating Systems) are designed for time-sensitive
applications and services. Manufacturing equipment and transportation
systems often incorporate an RTOS.

90
Q

A company has just purchased a new application server, and the security
director wants to determine if the system is secure. The system is currently
installed in a test environment and will not be available to users until the
roll out to production next week. Which of the following would be the
BEST way to determine if any part of the system can be exploited?
❍ A. Tabletop exercise
❍ B. Vulnerability scanner
❍ C. DDoS
❍ D. Penetration test

A

The Answer: D. Penetration test
A penetration test can be used to actively exploit potential vulnerabilities
in a system or application. This could cause a denial of service or loss of
data, so the best practice is to perform the penetration test during
non-production hours or in a test environment.
The incorrect answers:
A. Tabletop exercise
A tabletop exercise is used to talk through a security event with an
incident response team around a conference room table. This is commonly
performed as a training device instead of performing a full-scale disaster
drill.
B. Vulnerability scanner
Vulnerability scanners may identify a vulnerability, but they do not actively
attempt to exploit the vulnerability.
C. DDoS
A DDoS (Distributed Denial of Service) attack is often used to disable
a service or application, but it doesn’t provide any particular information
regarding an application vulnerability.