SEC+ Flashcards

(362 cards)

1
Q

Ann, a user, reported to the service desk that many files on her computer will not open or the contents are
not readable. The service desk technician asked Ann if she encountered any strange messages on boot-up
or login, and Ann indicated she did not. Which of the following has MOST likely occurred on Ann’s
computer?

A

The computer has been infected with crypto-malware

2
Q

A security administrator is investigating a report that a user is receiving suspicious emails. The user’s
machine has an old functioning modem installed. Which of the following security concerns need to be
identified and mitigated? (Choose two.)

A

War dialing

Hoaxing

3
Q

An administrator needs to protect five websites with SSL certificates. Three of the websites have different
domain names, and two of the websites share the domain name but have different subdomain prefixes. Which of the following SSL certificates should the administrator purchase to protect all the websites and be
able to administer them easily at a later time?

A

One Unified Communications Certificate and one wildcard certificate

4
Q

Which of the following are the MOST likely vectors for the unauthorized or unintentional inclusion of
vulnerable code in a software company’s final software releases? (Select TWO)

A

Unsecure protocols

Weak passwords

5
Q

An organization has hired a security analyst to perform a penetration test. The analyst captures 1GB worth
of inbound network traffic to the server and transfers the pcap back to the machine for analysis. Which of
the following tools should the analyst use to further review the pcap?

A

Wireshark

6
Q

An administrator is beginning an authorized penetration test of a corporate network. Which of the following
tools would BEST assist in identifying potential attacks?

A

Nmap

7
Q

A company is examining possible locations for a hot site. Which of the following considerations is of MOST
concern if the replication technology being used is highly sensitive to network latency?

A

Location proximity to the production site

8
Q

Which of the following is an example of the second A in the AAA model?

A

The one-time password is keyed in, and the login system grants access.

9
Q

Which of the following BEST explains the reason why a server administrator would place a document
named password.txt on the desktop of an administrator account on a server?

A

The document is a honeyfile and is meant to attract the attention of a cyberintruder

10
Q

A systems engineer is configuring a wireless network. The network must not require installation of
third-party software. Mutual authentication of the client and the server must be used. The company has an
internal PKI. Which of the following configurations should the engineer choose?

A

EAP-TLS

11
Q

A first responder needs to collect digital evidence from a compromised headless virtual host. Which of the
following should the first responder collect FIRST?

A

Snapshot

12
Q

An organization’s policy requires users to create passwords with an uppercase letter, lowercase letter, number, and symbol. This policy is enforced with technical controls, which also prevents users from using
any of their previous 12 passwords. The organization does not use single sign-on, nor does it centralize
storage of passwords. The incident response team recently discovered that passwords for one system were compromised. Passwords for a completely separate system have NOT been compromised, but unusual login activity has
been detected for that separate system. Account login has been detected for users who are on vacation. Which of the following BEST describes what is happening?

A

The compromised password file has been brute-force hacked, and the complexity requirements are not
adequate to mitigate this risk

13
Q

A technician needs to prevent data loss in a laboratory. The laboratory is not connected to any external
networks. Which of the following methods would BEST prevent the exfiltration of data? (Select TWO)

A

Drive encryption

Network firewall

14
Q

A company has had a BYOD policy in place for many years and now wants to roll out an MDM solution. The
company has decided that end users who wish to utilize their personal devices for corporate use must opt
in to the MDM solution. End users are voicing concerns about the company having access to their personal
devices via the MDM solution. Which of the following should the company implement to ease these
concerns?

A

Application management

15
Q

A company has a backup site with equipment on site without any data. This is an example of:

A

a cold site.

16
Q

Fuzzing is used to reveal which of the following vulnerabilities in web applications?

A

Improper input handling

17
Q

A company occupies the third floor of a leased building that has other tenants. The path from the
demarcation point to the company’s controlled space runs through unsecured areas managed by other
companies. Which of the following could be used to protect the company’s cabling as it passes through
uncontrolled spaces?

A

Cable locks

18
Q

Which of the following is a security consideration for IoT devices?

A

IoT devices have built-in accounts that users rarely access.

19
Q

A network administrator was concerned during an audit that users were able to use the same passwords
the day after a password change policy took effect. The following settings are in place:
* Users must change their passwords every 30 days.
* Users cannot reuse the last 10 passwords.
Which of the following settings would prevent users from being able to immediately reuse the same
passwords?

A

Minimum password age of five days

20
Q

A security administrator is choosing an algorithm to generate password hashes. Which of the following
would offer the BEST protection against offline brute force attacks?

A

SHA-1

21
Q

A network technician discovered the usernames and passwords used for network device configuration have
been compromised by a user with a packet sniffer. Which of the following would secure the credentials from
sniffing?

A

Use SSH for remote access.

22
Q

A systems administrator needs to integrate multiple IoT and small embedded devices into the company’s
wireless network securely. Which of the following should the administrator implement to ensure low-power
and legacy devices can connect to the wireless network?

A

WPS

23
Q

After segmenting the network, the network manager wants to control the traffic between the segments. Which of the following should the manager use to control the network traffic?

A

A VLAN

24
Q

An organization requires secure configuration baselines for all platforms and technologies that are used. If
any system cannot conform to the secure baseline, the organization must process a risk acceptance and
receive approval before the system is placed into production. It may have non-conforming systems in its
lower environments (development and staging) without risk acceptance, but must receive risk approval
before the system is placed in production. Weekly scan reports identify systems that do not conform to any
secure baseline. The application team receives a report with the following results:
There are currently no risk acceptances for baseline deviations. This is a mission-critical application, and
the organization cannot operate if the application is not running. The application fully functions in the
development and staging environments. Which of the following actions should the application team take?

A

Process a risk acceptance for 2633 and remediate 3124.

25
Which of the following is the MOST likely motivation for a script kiddie threat actor?
Notoriety
26
An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application?
Configure a RADIUS federation between the organization and the cloud provider
27
A company hired a firm to test the security posture of its database servers and determine if any vulnerabilities can be exploited. The company provided limited information pertaining to the infrastructure and database server. Which of the following forms of testing does this BEST describe?
Gray box
28
A security administrator is implementing a SIEM and needs to ensure events can be compared against each other based on when the events occurred and were collected. Which of the following does the administrator need to implement to ensure this can be accomplished?
TOTP
29
Which of the following BEST explains why a development environment should have the same database server secure baseline that exists in production even if there is no PII in the database?
Attackers can extract sensitive, personal information from lower development environment databases just as easily as they can from production databases.
30
A salesperson often uses a USB drive to save and move files from a corporate laptop. The corporate laptop was recently updated, and now the files on the USB are read-only. Which of the following was recently added to the laptop?
DLP
31
Some call center representatives’ workstations were recently updated by a contractor, who was able to collect customer information from the call center workstations. Which of the following types of malware was installed on the call center users’ systems?
Spyware
32
A security engineer wants to add SSL to the public web server. Which of the following would be the FIRST step to implement the SSL certificate?
Generate a CSR.
33
Company engineers regularly participate in a public Internet forum with other engineers throughout the industry. Which of the following tactics would an attacker MOST likely use in this scenario?
Watering-hole attack
34
An attacker is able to capture the payload for the following packet:
IP 192.168.1.22:2020 10.10.10.5:443
IP 192.166.1.10:1030 10.10.10.1:21
IP 192.168.1.57:5217 10.10.10.1:3389
During an investigation, an analyst discovers that the attacker was able to capture the information above and use it to log on to other servers across the company. Which of the following is the MOST likely reason?
The attacker is picking off unencrypted credentials and using those to log in to the secure server.
35
A company uses WPA2-PSK, and it appears there are multiple unauthorized devices connected to the wireless network. A technician suspects this is because the wireless password has been shared with unauthorized individuals. Which of the following should the technician implement to BEST reduce the risk of this happening in the future?
WPS
36
A systems administrator is receiving multiple alerts from the company NIPS. A review of the NIPS logs shows the following:
reset both: 70.32.200.2:3194 –> 10.4.100.4:80 buffer overflow attempt
reset both: 70.32.200.2:3230 –> 10.4.100.4:80 directory traversal attack
reset client: 70.32.200.2:4019 –> 10.4.100.4:80 Blind SQL injection attack
Which of the following should the systems administrator report back to management?
The company web server was attacked by an external source, and the NIPS blocked the attack
37
A user attempts to send an email to an external domain and quickly receives a bounce-back message. The user then contacts the help desk stating the message is important and needs to be delivered immediately. While digging through the email logs, a systems administrator finds the email and bounce-back details:
Your email has been rejected because It appears to contain SSN Information. Sending SSN information via email external recipients violates company policy.
Which of the following technologies successfully stopped the email from being sent?
DEP
38
Which of the following documents would provide specific guidance regarding ports and protocols that should be disabled on an operating system?
Secure configuration guide
39
The Chief Executive Officer (CEO) received an email from the Chief Financial Officer (CFO), asking the CEO to send financial details. The CEO thought it was strange that the CFO would ask for the financial details via email. The email address was correct in the "From" section of the email. The CEO clicked the form and sent the financial information as requested. Which of the following caused the incident?
SPF not enabled
40
A Chief Executive Officer (CEO) is staying at a hotel during a business trip. The hotel's wireless network does not show a lock symbol. Which of the following precautions should the CEO take? (Select TWO).
Use a VPN.
Create a tunnel connection with EAP-TTLS.
41
The SOC is reviewing processes and procedures after a recent incident. The review indicates it took more than 30 minutes to determine that quarantining an infected host was the best course of action. This allowed the malware to spread to additional hosts before it was contained. Which of the following would be BEST to improve the incident response process?
Providing additional end-user training on acceptable use
42
After running an online password cracking tool, an attacker recovers the following password: gh;jSKSTOi;618& Based on the above information, which of the following technical controls have been implemented (Select TWO).
Complexity
Length
43
A vulnerability assessment report will include the CVSS score of the discovered vulnerabilities because the score allows the organization to better:
prioritize remediation of vulnerabilities based on
44
A startup company is using multiple SaaS and IaaS platforms to stand up a corporate infrastructure and build out a customer-facing web application. Which of the following solutions would be BEST to provide security, manageability, and visibility into the platforms?
CASB
45
A Security analyst has received an alert about PII being sent via email. The analyst’s Chief Information Security Officer (CISO) has made it clear that PII must be handled with extreme care. From which of the following did the alert MOST likely originate?
DLP
46
Given the information below:
MD5HASH document.doc 049eab40fd36caadlfab10b3cdf4a883
MD5HASH image.jpg 049eab40fd36caadlfab10b3cdf4a883
Which of the following concepts are described above? (Choose two.)
Collision
Hashing
47
Which of the following would MOST likely support the integrity of a voting machine?
Perfect forward secrecy
48
After successfully breaking into several networks and infecting multiple machines with malware, hackers contact the network owners, demanding payment to remove the infection and decrypt files. The hackers threaten to publicly release information about the breach if they are not paid. Which of the following BEST describes these attackers?
Organized crime
49
An email systems administrator is configuring the mail server to prevent spear phishing attacks through email messages. Which of the following refers to what the administrator is doing?
Risk mitigation
50
Which of the following attacks is used to capture the WPA2 handshake?
Replay
51
An organization recently acquired an ISO 27001 certification. Which of the following would MOST likely be considered a benefit of this certification?
It assures customers that the organization meets security standards.
52
Which of the following is the MOST likely motivation for a script kiddie threat actor?
Notoriety
53
A security administrator needs to create a RAID configuration that is focused on high read speeds and fault tolerance. It is unlikely that multiple drives will fail simultaneously. Which of the following RAID configurations should the administrator use?
RAID 10
54
Given the following:
> md5.exe filel.txt
> ADIFAB103773DC6A1E6021B7E503A210
> md5.exe file2.txt
> ADIFAB103773DC6A1E602lB7E503A210
Which of the following concepts of cryptography is shown?
Salting
55
An employee opens a web browser and types a URL into the address bar. Instead of reaching the requested site, the browser opens a completely different site. Which of the following types of attacks have MOST likely occurred? (Choose two.)
DNS hijacking
Session hijacking
56
A technician is auditing network security by connecting a laptop to open hardwired jacks within the facility to verify they cannot connect. Which of the following is being tested?
Port security
57
The security office has had reports of increased tailgating in the datacenter. Which of the following controls should security put in place?
Mantrap
58
A healthcare company is revamping its IT strategy in light of recent regulations. The company is concerned about compliance and wants to use a pay-per-use model. Which of the following is the BEST solution?
Public SaaS
59
A security professional wants to test a piece of malware that was isolated on a user’s computer to document its effect on a system. Which of the following is the FIRST step the security professional should take?
Create a secure baseline of the system state.
60
Which of the following describes the BEST approach for deploying application patches?
Apply the patches to the production systems, apply them in a staging environment, and then test all of them in a testing environment.
61
After discovering a security incident and removing the affected files, an administrator disabled an unneeded service that led to the breach. Which of the following steps in the incident response process has the administrator just completed?
Eradication
62
A member of the IR team has identified an infected computer Which of the following IR phases should the team member conduct NEXT?
Containment
63
Which of the following represents a multifactor authentication system?
A one-time password token combined with a proximity badge.
64
A company recently installed fingerprint scanners at all entrances to increase the facility’s security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under?
FRR
65
A systems engineer wants to leverage a cloud-based architecture with low latency between network-connected devices that also reduces the bandwidth that is required by performing analytics directly on the endpoints. Which of the following would BEST meet the requirements? (Select TWO).
Hybrid cloud
Fog computing
66
A systems engineer is setting up a RADIUS server to support a wireless network that uses certificate authentication. Which of the following protocols must be supported by both the RADIUS server and the WAPs?
EAP
67
Which of the following encryption algorithms require one encryption key? (Choose two.)
3DES
DSA
68
An organization handling highly confidential information needs to update its systems. Which of the following is the BEST method to prevent data compromise?
Shredding
69
A Chief Information Security Officer (CISO) is concerned about the organization's ability to continue business operations in the event of a prolonged DDoS attack on its local datacenter that consumes server resources. Which of the following will the CISO MOST likely recommend to mitigate this risk?
Implement a hot-site failover location.
70
A company uses WPA2-PSK, and it appears there are multiple unauthorized devices connected to the wireless network. A technician suspects this is because the wireless password has been shared with unauthorized individuals. Which of the following should the technician implement to BEST reduce the risk of this happening in the future?
802.1X
71
A manufacturing company updates a policy that instructs employees not to enter a secure area in groups and requires each employee to swipe their badge to enter the area. When employees continue to ignore the policy, a mantrap is installed. Which of the following BEST describe the controls that were implemented to address this issue? (Select TWO).
Deterrent
Corrective
72
A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO. Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Select TWO).
Password complexity requirements
Account disablement
73
A systems administrator is installing and configuring an application service that requires access to read and write to log and configuration files on a local hard disk partition. The service must run as an account with authorization to interact with the file system. Which of the following would reduce the attack surface added by the service and account? (Select TWO)
Use a unique managed service account
Enforce least possible privileges for the account
74
A systems administrator is increasing the security settings on a virtual host to ensure users on one VM cannot access information from another VM. Which of the following is the administrator protecting against?
VM escape
75
A mobile application developer wants to secure an application that transmits sensitive information. Which of the following should the developer implement to prevent SSL MITM attacks?
Pinning
76
Which of the following BEST explains how the use of configuration templates reduces organization risk?
It facilitates fault tolerance since applications can be migrated across templates.
77
A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement?
Snapshots
78
A credentialed vulnerability scan is often preferred over a non-credentialed scan because credentialed scans:
are always non-intrusive
79
A security administrator suspects an employee has been emailing proprietary information to a competitor. Company policy requires the administrator to capture an exact copy of the employee's hard disk. Which of the following should the administrator use?
dd
80
A Chief Information Security Officer (CISO) for a school district wants to enable SSL to protect all of the public-facing servers in the domain. Which of the following is a secure solution that is the MOST cost effective?
Purchase a load balancer and install a single certificate on the load balancer
81
A Chief Information Officer (CIO) is concerned that encryption keys might be exfiltrated by a contractor. The CIO wants to keep control over key visibility and management. Which of the following would be the BEST solution for the CIO to implement?
HSM
82
Several systems and network administrators are determining how to manage access to a facility and enable managers to allow after-hours access. Which of the following access control methods should managers use to assign after-hours access to the employees?
Rule-based access control
83
A dumpster diver was able to retrieve hard drives from a competitor's trash bin. After installing the hard drives and running common data recovery software, sensitive information was recovered. In which of the following ways did the competitor apply media sanitization?
Formatting
84
A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals?
Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit.
85
Which of the following is an algorithm family that was developed for use cases in which power consumption and lower computing power are constraints?
Elliptic curve
86
A developer is building a new web portal for internal use. The web portal will only be accessed by internal users and will store operational documents. Which of the following certificate types should the developer install if the company is MOST interested in minimizing costs?
Self-signed
87
The Chief Financial Officer (CFO) of an insurance company received an email from Ann, the company's Chief Executive Officer (CEO), requesting a transfer of $10,000 to an account. The email states Ann is on vacation and has lost her purse, containing cash and credit cards. Which of the following social-engineering techniques is the attacker using?
Whaling
88
Exploitation of a system using widely known credentials and network addresses that results in DoS is an example of:
default configurations.
89
A security engineer needs to build a solution to satisfy regulatory requirements that state certain critical servers must be accessed using MFA. However, the critical servers are older and are unable to support the addition of MFA. Which of the following will the engineer MOST likely use to achieve this objective?
A stateful firewall
90
A transitive trust:
is automatically established between a parent and a child
91
Which of the following is a passive method to test whether transport encryption is implemented?
Port scan
92
A technician, who is managing a secure B2B connection, noticed the connection broke last night. All networking equipment and media are functioning as expected, which leads the technician to question certain PKI components. Which of the following should the technician use to validate this assumption? (Choose two.)
CRL
OCSP
93
Which of the following should a technician use to protect a cellular phone that is needed for an investigation, to ensure the data will not be removed remotely?
Faraday cage
94
A state-sponsored threat actor has launched several successful attacks against a corporate network. Although the target has a robust patch management program in place, the attacks continue in depth and scope, and the security department has no idea how the attacks are able to gain access. Given that patch management and vulnerability scanners are being used, which of the following would be used to analyze the attack methodology?
Honeypots
95
A security administrator found the following piece of code referenced on a domain controller's task scheduler:
$var = GetDomainAdmins
If $var != ‘fabio’
SetDomainAdmins = NULL
With which of the following types of malware is the code associated?
Logic bomb
96
Which of the following impacts MOST likely result from poor exception handling?
Local disruption of services
97
A user loses a COPE device. Which of the following should the user do NEXT to protect the data on the device?
Call the company help desk to remotely wipe the device.
98
An organization wants to set up a wireless network in the most secure way. Budget is not a major consideration, and the organization is willing to accept some complexity when clients are connecting. It is also willing to deny wireless connectivity for clients who cannot be connected in the most secure manner. Which of the following would be the MOST secure setup that conforms to the organization’s requirements?
Use WPA2-PSK with a 24-character complex password and change the password monthly.
99
A company is performing an analysis of the corporate enterprise network with the intent of identifying any one system, person, function, or service that, when neutralized, will cause or cascade disproportionate damage to the company’s revenue, referrals, and reputation. Which of the following is an element of the BIA that this action is addressing?
Identification of critical systems
100
A technician is designing a solution that will be required to process sensitive information, including classified government data. The system needs to be common criteria certified. Which of the following should the technician select?
Trusted operating system
101
Which of the following BEST describes a security exploit for which a vendor patch is not readily available?
Zero-day
102
After a ransomware attack, a forensics company needs to review a cryptocurrency transaction between the victim and the attacker. Which of the following will the company MOST likely review to trace this transaction?
The event log
103
Moving laterally within a network once an initial exploit is used to gain persistent access for the purpose of establishing further control of a system is known as:
active reconnaissance.
104
When accessing a popular website, a user receives a warning that the certificate for the website is not valid. Upon investigation, it was noted that the certificate is not revoked and the website is working fine for other users. Which of the following is the MOST likely cause for this?
The system date on the user's device is out of sync.
105
A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered?
Password length, password encryption, password complexity
106
Which of the following needs to be performed during a forensics investigation to ensure the data contained in a drive image has not been compromised?
Compare the image hash to the original hash.
107
Which of the following models is considered an iterative approach with frequent testing?
Agile
108
A security analyst is performing a BIA. The analyst notes that in a disaster, failover systems must be up and running within 30 minutes. The failover systems must use backup data that is no older than one hour. Which of the following should the analyst include in the business continuity plan?
A maximum RPO of 60 minutes
109
An organization's Chief Executive Officer (CEO) directs a newly hired computer technician to install an OS on the CEO's personal laptop. The technician performs the installation, and a software audit later in the month indicates a violation of the EULA occurred as a result. Which of the following would address this violation going forward?
AUP
110
A company is deploying MFDs in its office to improve employee productivity when dealing with paperwork. Which of the following concerns is MOST likely to be raised as a possible security issue in relation to these devices?
Sensitive scanned materials being saved on the local hard drive
111
A network administrator has been asked to install an IDS to improve the security posture of an organization. Which of the following control types is an IDS?
Detective
112
An organization has decided to host its web application and database in the cloud. Which of the following BEST describes the security concerns for this decision?
The cloud vendor is a new attack vector within the supply chain.
113
A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?
Nmap
114
A Chief Information Security Officer (CISO) is performing a BIA for the organization in case of a natural disaster. Which of the following should be at the top of the CISO’s list?
Identify mission-critical applications and systems.
115
To further secure a company's email system, an administrator is adding public keys to DNS records in the company's domain. Which of the following is being used?
DKIM (DomainKeys Identified Mail), which publishes the mail-signing public key in a DNS TXT record
116
A customer calls a technician and needs to remotely connect to a web server to change some code manually. The technician needs to configure the user's machine with protocols to connect to the Unix web server, which is behind a firewall. Which of the following protocols does the technician MOST likely need to configure?
SSH
117
Which of the following is the BEST use of a WAF?
To protect sites on web servers that are publicly accessible
118
An organization is concerned about video emissions from users’ desktops. Which of the following is the BEST solution to implement?
Screen filters
119
A security engineer is installing a WAF to protect the company's website from malicious web requests over SSL. Which of the following is needed to meet the objective?
The website's certificate and private key installed on the WAF, so it can decrypt and inspect the SSL/TLS traffic
120
A company recently experienced data exfiltration via the corporate network. In response to the breach, a security analyst recommends deploying an out-of-band IDS solution. The analyst says the solution can be implemented without purchasing any additional network hardware. Which of the following solutions will be used to deploy the IDS?
Port mirroring (a SPAN port) on an existing switch; a network tap would be additional hardware
121
A government organization recently contacted three different vendors to obtain cost quotes for a desktop PC refresh. The quote from one of the vendors was significantly lower than the other two and was selected for the purchase. When the PCs arrived, a technician determined some NICs had been tampered with. Which of the following MOST accurately describes the security risk presented in this situation?
Supply chain
122
A systems administrator needs to install the same X.509 certificate on multiple servers. Which of the following should the administrator use?
A wildcard certificate
123
A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers. The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again. Which of the following should the IT administrator do FIRST after recovery?
Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
124
A systems administrator needs to configure an SSL remote access VPN according to the following organizational guidelines: * The VPN must support encryption of header and payload. * The VPN must route all traffic through the company's gateway. Which of the following should be configured on the VPN concentrator?
Full tunnel
125
Joe, an employee, asks a coworker how long ago Ann started working at the help desk. The coworker expresses surprise since nobody named Ann works at the help desk. Joe mentions that Ann called several people in the customer service department to help reset their passwords over the phone due to unspecified "server issues." Which of the following has occurred?
Social engineering
126
Which of the following control types would a backup of server data provide in case of a system issue?
Corrective
127
The help desk received a call from a user who was trying to access a set of files from the day before but received the following error message: File format not recognized. Which of the following types of malware MOST likely caused this to occur?
Ransomware
128
A network administrator is trying to provide the most resilient hard drive configuration in a server. With five hard drives, which of the following is the MOST fault-tolerant configuration?
RAID 6 (double parity survives two simultaneous drive failures; RAID 5 survives only one)
129
Which of the following types of security testing is the MOST cost-effective approach used to analyze existing code and identify areas that require patching?
White box
130
Which of the following involves the use of targeted and highly crafted custom attacks against a population of users who may have access to a particular service or program?
Spear phishing
131
Which of the following is an example of federated access management?
Using a popular website login to provide access to another website
132
An organization is drafting an IRP and needs to determine which employees have the authority to take systems offline during an emergency situation. Which of the following is being outlined?
Roles and responsibilities
133
If a current private key is compromised, which of the following would ensure it cannot be used to decrypt all historical data?
Perfect forward secrecy (ephemeral session keys)
134
An organization wants to implement a solution that allows for automated logical controls for network defense. An engineer plans to select an appropriate network security component, which automates response actions based on security threats to the network. Which of the following would be MOST appropriate based on the engineer's requirements?
NIPS
135
An organization was recently compromised by an attacker who used a server certificate with the company's domain issued by an irrefutable CA. Which of the following should be used to mitigate this risk in the future?
Certificate pinning
136
The CSIRT is reviewing the lessons learned from a recent incident A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?
Segment the network so a worm cannot reach every host from a single foothold
137
When building a hosted datacenter. Which of the following is the MOST important consideration for physical security within the datacenter?
Security guards
138
A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following: * The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP. * The forged website's IP address appears to be 10.2.12.99, based on NetFlow records. * All three of the organization's DNS servers show the website correctly resolves to the legitimate IP. * DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise. Which of the following MOST likely occurred?
One DNS server's cache was poisoned (DNS cache poisoning), so it answered with the forged site's address 10.2.12.99 while the zone itself and the other two servers remained correct.
139
An IT manager is estimating the mobile device budget for the upcoming year. Over the last five years, the number of devices that were replaced due to loss, damage, or theft steadily increased by 10%. Which of the following would BEST describe the estimated number of devices to be replaced next year?
ARO (annualized rate of occurrence), trended upward by the observed 10% per year
140
Which of the following is MOST likely caused by improper input handling?
Loss of database tables
141
A computer forensics analyst collected a flash drive that contained a single file with 500 pages of text. Which of the following algorithms should the analyst use to validate the integrity of the file?
MD5
142
A user is unable to obtain an IP address from the corporate DHCP server. Which of the following is MOST likely the cause?
Resource exhaustion (the DHCP server's address pool is depleted)
143
As part of a corporate merger, two companies are combining resources. As a result, they must transfer files through the Internet in a secure manner. Which of the following protocols would BEST meet this objective? (Select TWO)
SFTP, HTTPS
144
Which of the following is a risk that is specifically associated with hosting applications in the public cloud?
Shared (multi-)tenancy with other customers on the same physical infrastructure
145
A company employee recently retired, and there was a schedule delay because no one was capable of filling the employee’s position. Which of the following practices would BEST help to prevent this situation in the future?
Job rotation
146
A security analyst investigates a report from an employee in the human resources (HR) department who is having issues with Internet access. When the security analyst pulls the UTM logs for the IP addresses in the HR group, the following activity is shown: Which of the following actions should the security analyst take?
Ensure the HR employee is in the appropriate user group
147
While testing a new vulnerability scanner, a technician becomes concerned about reports that list security concerns that are not present on the systems being tested. Which of the following BEST describes this flaw?
False positives
148
An attacker has obtained the user ID and password of a datacenter’s backup operator and has gained access to a production system. Which of the following would be the attacker's NEXT action?
Initiate a confidential data exfiltration process.
149
A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO).
Implement time-of-day restrictions. Create standard (non-privileged) user accounts whose access is limited to the intern file folders.
150
A security administrator plans to conduct a vulnerability scan on the network to determine if system applications are up to date. The administrator wants to limit disruptions to operations but not consume too many resources. Which of the following types of vulnerability scans should be conducted?
Credentialed
151
A company wants to provide centralized authentication for its wireless system. The wireless authentication system must integrate with the directory back end. Which of the following is an AAA solution that will provide the required wireless authentication?
RADIUS
152
A security analyst is investigating a call from a user regarding one of the websites receiving a 503: Service Unavailable error. The analyst runs a netstat -an command to discover if the web server is up and listening. The analyst receives the following output:
TCP 10.1.5.2:80 192.168.2.112:60973 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60974 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60975 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60976 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60977 TIME_WAIT
TCP 10.1.5.2:80 192.168.2.112:60978 TIME_WAIT
Which of the following types of attack is the analyst seeing?
Denial of service (a single source opening and closing connections to port 80 in a tight loop, leaving a pile of TIME_WAIT sockets)
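Reading the netstat output above by hand works for six lines; the same reasoning as code, as an added Python example that is not part of the original card: parse the `netstat -an` rows, count churned or half-open connections per remote address against the web port, and note the tell-tale of consecutive ephemeral ports (60973, 60974, ...) that a scripted connection loop leaves behind. The sample output is the card's six lines plus two constructed ordinary connections; the five-connection threshold is only sized to the sample.

```python
from collections import Counter

# Constructed sample: the netstat -an excerpt from the card plus two ordinary
# connections so the flood stands out against normal traffic.
NETSTAT_OUTPUT = """\
Proto  Local Address      Foreign Address        State
TCP    10.1.5.2:80        192.168.2.112:60973    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60974    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60975    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60976    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60977    TIME_WAIT
TCP    10.1.5.2:80        192.168.2.112:60978    TIME_WAIT
TCP    10.1.5.2:80        10.0.4.17:51002        ESTABLISHED
TCP    10.1.5.2:443       10.0.9.3:49155         ESTABLISHED
"""

# TIME_WAIT = connection completed and torn down (churn); SYN_RECEIVED/SYN_RECV = half-open (SYN flood).
HALF_OPEN_OR_CHURN = {"TIME_WAIT", "SYN_RECEIVED", "SYN_RECV"}

def parse_netstat(text: str) -> list:
    """Parse the TCP rows of `netstat -an` into dicts; the header and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP":
            continue
        local, foreign, state = parts[1], parts[2], parts[3]
        remote_ip, _, remote_port = foreign.rpartition(":")
        rows.append({"local": local, "local_port": int(local.rpartition(":")[2]),
                     "remote_ip": remote_ip, "remote_port": int(remote_port), "state": state})
    return rows

def connections_per_source(rows: list, local_port: int, states: set) -> Counter:
    c = Counter()
    for r in rows:
        if r["local_port"] == local_port and r["state"] in states:
            c[r["remote_ip"]] += 1
    return c

def sequential_ports(rows: list, remote_ip: str) -> bool:
    """Strictly consecutive ephemeral ports from one host indicate a scripted connection loop."""
    ports = sorted(r["remote_port"] for r in rows if r["remote_ip"] == remote_ip)
    return len(ports) > 1 and ports == list(range(ports[0], ports[0] + len(ports)))

def flood_suspects(rows: list, threshold: int, local_port: int = 80) -> list:
    """(source IP, connection count, consecutive-ports flag) for every source with at
    least `threshold` churned or half-open connections to `local_port`, busiest first.
    Tune the threshold against a baseline of normal traffic in production."""
    counts = connections_per_source(rows, local_port, HALF_OPEN_OR_CHURN)
    return sorted(((ip, n, sequential_ports(rows, ip)) for ip, n in counts.items() if n >= threshold),
                  key=lambda t: -t[1])

if __name__ == "__main__":
    print(flood_suspects(parse_netstat(NETSTAT_OUTPUT), threshold=5))   # [('192.168.2.112', 6, True)]
```

The state matters for the response: TIME_WAIT sockets mean the handshakes completed, so this is an application-layer flood that a SYN-cookie setting will not help with; rate-limiting or blocking the source at the firewall or WAF is the first move.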
153
An application developer is working on a new calendar and scheduling application. The developer wants to test new functionality that is time/date dependent and set the local system time to one year in the future. The application also has a feature that uses SHA-256 hashing and AES encryption for data exchange. The application attempts to connect to a separate remote server using SSL, but the connection fails. Which of the following is the MOST likely cause and next step?
The date is past the certificate expiration; reset the system to the current time and see if the connection still fails.
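Both this card and the earlier one about the user whose device clock was out of sync come down to the same check: a certificate is only valid between its notBefore and notAfter timestamps, and the client evaluates that window against its own clock. The following added Python example (not from the original cards) uses the standard library's own certificate time parser to classify a certificate as valid, not yet valid or expired at a given instant, and then separates a genuinely expired certificate from a skewed device clock by re-evaluating against a trusted time. The certificate dictionary is constructed sample data in the shape `SSLSocket.getpeercert()` returns; the function names are this example's assumptions.

```python
import ssl

# Constructed certificate metadata in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "Feb 28 23:59:59 2025 GMT",
}

def t(cert_time: str) -> float:
    """Certificate timestamp string to epoch seconds, using ssl's own parser."""
    return ssl.cert_time_to_seconds(cert_time)

def validity_status(cert: dict, now: float) -> str:
    """What a TLS client concludes about the validity window at time `now`."""
    if now < t(cert["notBefore"]):
        return "not_yet_valid"
    if now > t(cert["notAfter"]):
        return "expired"
    return "valid"

def diagnose(cert: dict, device_now: float, trusted_now: float) -> str:
    """Tell a genuinely expired certificate apart from a device whose clock is wrong.
    `trusted_now` comes from a reliable source (NTP, another machine, the TLS server's Date header)."""
    on_device = validity_status(cert, device_now)
    on_trusted = validity_status(cert, trusted_now)
    if on_device == "valid":
        return "ok"
    if on_trusted == "valid":
        return "clock skew: certificate is " + on_device.replace("_", " ") + " only by the device's clock"
    return "certificate really is " + on_trusted

if __name__ == "__main__":
    # The developer's test box is set one year ahead; the real date is mid-2024.
    print(diagnose(SAMPLE_CERT, t("Jun 15 12:00:00 2025 GMT"), t("Jun 15 12:00:00 2024 GMT")))
```

The same skew can also make a certificate appear not yet valid (device clock behind), and it breaks OCSP and CRL freshness checks too, which is why the first troubleshooting step in both cards is the clock, not the certificate.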
154
To reduce costs and overhead, an organization wants to move from an on-premises email solution to a cloud-based email solution. At this time, no other services will be moving. Which of the following cloud models would BEST meet the needs of the organization?
SaaS
155
A security engineer needs to obtain a recurring log of changes to system files. The engineer is most concerned with detecting unauthorized changes to system data. Which of the following tools can be used to fulfill the requirements that were established by the engineer?
File integrity monitor
156
A computer forensics team is performing an integrity check on key system files. The team is comparing the signatures of original baseline files with the latest signatures. The original baseline was taken on March 2, 2016, and was established to be clean of malware and uncorrupted. The latest file signatures were generated yesterday. One file is known to be corrupted, but when the team compares the signatures of the original and latest files, the team sees the following:
Original: 2d da b1 4a fc f1 98 06 b1 e5 26 b2 df e5 5b 3e cb 83 e1
Latest: 2d da b1 4a 98 fc f1 98 b1 e5 26 b2 df e5 5b 3e cb 83 e1
Which of the following is MOST likely the situation?
The two signatures are not identical (they diverge at the fifth byte), so the file's contents changed after the baseline was taken; this is ordinary corruption or tampering, not a hash collision.
157
Which of the following BEST explains ‘likelihood of occurrence'?
The probability that a threat actor will target and attempt to exploit an organization's systems
158
A security engineer is concerned about susceptibility to HTTP downgrade attacks because the current customer portal redirects users from port 80 to the secure site on port 443. Which of the following would be MOST appropriate to mitigate the attack?
HSTS
159
During the penetration testing of an organization, the tester was provided with the names of a few key servers, along with their IP address. Which of the following is the organization conducting?
Gray box testing
160
An incident responder is preparing to acquire images and files from a workstation that has been compromised. The workstation is still powered on and running. Which of the following should be acquired LAST?
Application files on hard disk
161
An analyst is currently looking at the following output: | Which of the following security issues has been discovered based on the output?
License compliance violation
162
An attachment that was emailed to finance employees contained an embedded message. The security administrator investigates and finds the intent was to conceal the embedded information from public view. Which of the following BEST describes this type of message?
Steganography
163
A cryptographer has developed a new proprietary hash function for a company and solicited employees to test the function before recommending its implementation. An employee takes the plaintext version of a document and hashes it, then changes the original plaintext document slightly and hashes it, and continues repeating this process until two identical hash values are produced from two different documents. Which of the following BEST describes this cryptographic attack?
Collision
164
Which of the following is a benefit of credentialed vulnerability scans?
The vulnerability scanner is able to inventory software on the target.
165
Which of the following scenarios would make a DNS sinkhole effective in thwarting an attack?
Malware on an internal host is trying to resolve its command-and-control domain; the sinkhole answers with a non-routable or monitored address, so the callback never reaches the attacker and the infected host is identified
166
A penetration tester is checking to see if an internal system is vulnerable to an attack using a remote listener. Which of the following commands should the penetration tester use to verify if this vulnerability exists? (Choose two.)
nc, nmap
167
An organization discovers that unauthorized applications have been installed on company-provided mobile phones. The organization issues these devices, but some users have managed to bypass the security controls. Which of the following is the MOST likely issue, and how can the organization BEST prevent this from happening?
Some advanced users are jailbreaking the OS and bypassing the controls. Implement an MDM solution to control access to company resources.
168
A security consultant is analyzing data from a recent compromise. The following data points are documented: Access to data on share drives and certain networked hosts was lost after an employee logged in to an interactive session as a privileged user. The data was unreadable by any known commercial software. The issue spread through the enterprise via SMB only when certain users accessed data. Removal instructions were not available from any major antivirus vendor. Which of the following types of malware is this an example of?
Ransomware (crypto-malware with worm-like propagation over SMB)
169
A company needs to fix some audit findings related to its physical security. A key finding was that multiple people could physically enter a location at the same time. Which of the following is the BEST control to address this audit finding?
Mantrap
170
A security administrator wants to determine if a company's web servers have the latest operating system and application patches installed. Which of the following types of vulnerability scans should be conducted?
Credentialed
171
Which of the following BEST distinguishes Agile development from other methodologies in terms of vulnerability management?
Short, frequent release cycles, so a fix for a discovered vulnerability reaches production in days rather than at the end of a long release
172
Which of the following identity access methods creates a cookie on the first login to a central authority to allow logins to subsequent applications without re-entering credentials?
Single sign-on
173
A security specialist is notified about a certificate warning that users receive when using a new internal website. After being given the URL from one of the users and seeing the warning, the security specialist inspects the certificate and realizes it has been issued to the IP address, which is how the developers reach the site. Which of the following would BEST resolve the issue?
Reissue the certificate with a Subject Alternative Name (SAN) that includes the website's DNS hostname as well as the IP address the developers use, so the name users type matches the certificate
174
A law office has been leasing dark fiber from a local telecommunications company to connect a remote office to company headquarters. The telecommunications company has decided to discontinue its dark fiber product and is offering an MPLS connection, which the law office feels is too expensive. Which of the following is the BEST solution for the law office?
Site-to-site VPN
175
During a risk assessment, results show that a fire in one of the company's datacenters could cost up to $20 million in equipment damages and lost revenue. As a result, the company insures the datacenter for up to $20 million in damages for the cost of $30,000 a year. Which of the following risk response techniques has the company chosen?
Transference
176
A security engineer implements multiple technical measures to secure an enterprise network. The engineer also works with the Chief Information Officer (CIO) to implement policies to govern user behavior. Which of the following strategies is the security engineer executing?
Control diversity
177
A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the systems administrator implementing?
Least privilege
178
A preventive control differs from a compensating control in that a preventive control is:
put in place to stop an incident before it occurs (a compensating control is the one relied on to address gaps in the existing control structure).
179
Which of the following has the potential to create a DoS attack on a system?
An account lockout policy: an attacker who deliberately fails logons against a target's account locks the legitimate user out
180
Which of the following BEST describes the concept of perfect forward secrecy?
Using ephemeral, per-session keys so that a later compromise of the long-term private key does not expose previously recorded sessions
181
A chief information security officer (CISO) asks the security architect to design a method for contractors to access the company's internal wiki, corporate directory, and email services securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO?
VPN
182
A technician is recommending preventive physical security controls for a server room. Which of the following would the technician MOST likely recommend? (Select TWO)
Protected cabinets, Mantrap
183
An email recipient is unable to open a message encrypted through PKI that was sent from another organization. Which of the following does the recipient need to decrypt the message?
The recipient's own private key (the sender encrypted the message to the recipient's public key)
184
In the event of a security incident, which of the following should be captured FIRST?
System memory
185
A security analyst is interested in setting up an IDS to monitor the company network. The analyst has been told there can be no network downtime to implement the solution, but the IDS must capture all of the network traffic. Which of the following should be used for the IDS implementation?
Network tap
186
A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation?
Use a service account and prohibit users from accessing this account for development work.
187
An organization has the following written policies: • Users must request approval for non-standard software installation • Administrators will perform all software installations • Software must be installed from a trusted repository. A recent security audit identified crypto-currency software installed on one user's machine. There are no indications of compromise on this machine. Which of the following is the MOST likely cause of this policy violation and the BEST remediation to prevent a reoccurrence?
The user has local administrator rights and installed the software; remove administrative privileges from standard users and enforce application whitelisting so only approved software from the trusted repository can run.
188
A systems administrator just issued the ssh-keygen -t rsa command on a Linux terminal. Which of the following BEST describes what the rsa portion of the command represents?
The key type, i.e. the asymmetric algorithm (RSA) the key pair is generated for
189
A company is deploying a wireless network. It is a requirement that client devices must use X.509 certificates to mutually authenticate before connecting to the wireless network. Which of the following protocols would be required to accomplish this?
EAP-TLS
190
Which of the following can be used to increase the time needed to brute force a hashed password?
bcrypt (a key-stretching, salted password hash with a tunable work factor)
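Key stretching is what makes bcrypt slow down a brute-force attack: each guess costs the attacker the same deliberately expensive computation as a legitimate login. The added Python example below (not part of the original cards) demonstrates the idea with PBKDF2-HMAC-SHA256 from the standard library, which stands in for bcrypt so the code runs without third-party packages; the principles (random salt, tunable iteration count stored with the hash, constant-time verification) are the same. The record format and function names are this example's assumptions.

```python
import hashlib
import hmac
import os
import time

ALGO = "pbkdf2_sha256"

def make_record(password: str, iterations: int = 600_000) -> str:
    """Salted, stretched hash in a self-describing record: algo$iterations$salt$hash.
    Carrying the iteration count lets the work factor be raised for new hashes later."""
    salt = os.urandom(16)                      # fresh random salt per password: no shared rainbow tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return "$".join([ALGO, str(iterations), salt.hex(), dk.hex()])

def check_record(password: str, record: str) -> bool:
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))   # constant-time comparison

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measured cost of one guess at this work factor on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"candidate", salt, iterations)
    return (time.perf_counter() - start) / samples

def brute_force_days(iterations: int, candidates: int, attacker_speedup: float = 1.0) -> float:
    """Days needed to try `candidates` passwords, scaled by how much faster the
    attacker's hardware is than this machine (GPU rigs: hundreds to thousands)."""
    return seconds_per_guess(iterations) * candidates / attacker_speedup / 86_400

if __name__ == "__main__":
    rec = make_record("hunter2", 20_000)
    print(rec.split("$")[:2], check_record("hunter2", rec), check_record("hunter3", rec))
    for n in (1_000, 100_000, 600_000):
        print(n, "iterations:", round(brute_force_days(n, 10**9, attacker_speedup=1000), 2), "days per 10^9 guesses")
```

The iteration count is the knob: pick the largest value that keeps a legitimate login acceptable (tens to a few hundred milliseconds) and raise it as hardware gets faster, re-hashing users' passwords on their next successful login.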
191
Which of the following controls is implemented in lieu of the primary security controls?
Compensating
192
A tester was able to leverage a pass-the-hash attack during a recent penetration test. The tester gained a foothold and moved laterally through the network. Which of the following would prevent this type of attack from reoccurring?
Give every host a unique local administrator password (randomized per machine, e.g. with a LAPS-style solution) and keep privileged domain accounts off workstations, so a hash captured on one system cannot be replayed against the others
193
A red team initiated a DoS attack on the management interface of a switch using a known vulnerability. The monitoring solution then raised an alert prompting a network engineer to log in to the switch to diagnose the issue. When the engineer logged in, the red team was able to capture the credentials and subsequently log in to the switch. Which of the following actions should the network team take to prevent this type of breach from reoccurring?
Encrypt all management communications (SSH or TLS 1.3 instead of Telnet/HTTP) so the credentials cannot be captured in transit
194
Users are attempting to access a company's website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future?
DNSSEC
195
A technician is required to configure updates on a guest operating system while maintaining the ability to quickly revert the changes that were made while testing the updates. Which of the following should the technician implement?
Snapshots
196
A network technician is setting up a new branch for a company. The users at the new branch will need to access resources securely as if they were at the main location. Which of the following networking concepts would BEST accomplish this?
Site-to-site VPN
197
Which of the following is the purpose of an industry-standard framework?
To provide guidance across common system implementations
198
An organization requires that all workstations be issued client computer certificates from the organization's PKI. Which of the following configurations should be implemented?
EAP-TLS
199
A company's IT staff is given the task of securely disposing of 100 server HDDs. The security team informs the IT staff that the data must not be accessible by a third party after disposal. Which of the following is the MOST time-efficient method to achieve this goal?
Use a degausser to sanitize the drives
200
A public relations team will be taking a group of guests on a tour through the facility of a large e-commerce company. The day before the tour, the company sends out an email to employees to ensure all whiteboards are cleaned and all desks are cleared. The company is MOST likely trying to protect against.
shoulder surfing by visitors (a clean desk policy)
201
During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?
Create and apply micro segmentation rules.
202
A network engineer has been asked to investigate why several wireless barcode scanners and wireless computers in a warehouse have intermittent connectivity to the shipping server. The barcode scanners and computers are all on forklift trucks and move around the warehouse during their regular use. Which of the following should the engineer do to determine the issue? (Select Two)
Perform a site survey. Scan for rogue access points.
203
Given the following output: | Which of the following BEST describes the scanned environment?
A host was scanned, and web-based vulnerabilities were found.
204
A network administrator is implementing multifactor authentication for employees who travel and use company devices remotely by using the company VPN. Which of the following would provide the required level of authentication?
802.1X and OTP
205
Which of the following command line tools would be BEST to identify the services running in a server?
Netstat
206
A technician suspects that a desktop was compromised with a rootkit. After removing the hard drive from the desktop and running an offline file integrity check, the technician reviews the following output: Based on the above output, which of the following is the malicious file?
notepad.exe
207
An organization is building a new customer services team, and the manager needs to keep the team focused on customer issues and minimize distractions. The users have a specific set of tools installed, which they must use to perform their duties. Other tools are not permitted for compliance and tracking purposes. Team members have access to the Internet for product lookups and to research customer issues. Which of the following should a security engineer employ to fulfill the requirements for the manager?
Implement containerization on the workstations.
208
An organization wishes to allow its users to select devices for business use but does not want to overwhelm the service desk with requests for too many different device types and models. Which of the following deployment models should the organization use to BEST meet these requirements?
CYOD model
209
A network administrator is setting up wireless access points in all the conference rooms and wants to authenticate devices using PKI. Which of the following should the administrator configure?
802.1X with EAP-TLS (certificate-based authentication)
210
Which of the following could an attacker use to overwrite instruction pointers in order to execute malicious code?
Buffer overflow
211
A security administrator is creating a risk assessment on BYOD. One of the requirements of the risk assessment is to address the following •Centrally managing mobile devices •Data loss prevention Which of the following recommendations should the administrator include in the assessment? (Select TWO).
Implement an MDM with mobile device hardening. Implement containerization (storage segmentation) to keep corporate data separate from personal data.
212
Confidential corporate data was recently stolen by an attacker who exploited data transport protections. Which of the following vulnerabilities is the MOST likely cause of this data breach?
Weak SSL/TLS cipher suites on the transport encryption
213
A user wants to send a confidential message to a customer to ensure unauthorized users cannot access the information. Which of the following can be used to ensure the security of the document while in transit and at rest?
PGP
214
A security administrator receives alerts from the perimeter UTM. Upon checking the logs, the administrator finds the following output: Time: 12/25 0300 From Zone: Untrust To Zone: DMZ Attacker: externalip.com Victim: 172.16.0.20 To Port: 80 Action: Alert Severity: Critical When examining the PCAP associated with the event, the security administrator finds the following information: alert ("Click here for important information regarding your account! http://externalip.com/account.php "); Which of the following actions should the security administrator take?
Manually copy the data from the PCAP file and generate a blocking signature in the HIDS to block the traffic for future events.
215
On which of the following is the live acquisition of data for forensic analysis MOST dependent? (Select TWO)
Order of volatility (acquire the most volatile data first). A cryptographic hash algorithm to prove the acquired data's integrity.
216
A technician needs to document which application versions are listening on open ports. Which of the following is MOST likely to return the information the technician needs?
Banner grabbing
217
A network administrator is brute forcing accounts through a web interface. Which of the following would provide the BEST defense from an account password being discovered?
Account lockout
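Account lockout defends against the brute force in this card, but it is also the lever behind the earlier card on how a lockout policy can become a denial of service: the same counter that stops an attacker's guessing stops the legitimate user once the attacker has burned through the threshold. The following added Python example (not part of the original cards) implements a minimal lockout policy with a failure window and lockout duration and shows both sides; time is passed in explicitly so the behaviour is deterministic. All names and parameter values are this example's assumptions.

```python
class LockoutPolicy:
    """Per-account failed-attempt counter with a lockout period."""

    def __init__(self, threshold: int = 5, window_s: int = 900, lockout_s: int = 1800):
        self.threshold, self.window_s, self.lockout_s = threshold, window_s, lockout_s
        self.failures = {}      # user -> timestamps of recent failures
        self.locked_until = {}  # user -> epoch seconds until which logons are refused

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        """Returns 'locked', 'success' or 'failure'. A correct password during a
        lockout is still refused, which is exactly the denial-of-service lever."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures.pop(user, None)
            return "success"
        recent = [ts for ts in self.failures.get(user, []) if now - ts < self.window_s] + [now]
        self.failures[user] = recent
        if len(recent) >= self.threshold:
            self.locked_until[user] = now + self.lockout_s
            self.failures.pop(user, None)
            return "locked"
        return "failure"

def brute_force_blocked(policy: LockoutPolicy, user: str, real_password: str, guesses: list, now: float) -> int:
    """Attacker runs a word list against one account; returns how many guesses were
    submitted before the account reported itself locked (including the one that tripped it)."""
    submitted = 0
    for g in guesses:
        submitted += 1
        if policy.attempt(user, g == real_password, now) == "locked":
            break
    return submitted

def lockout_as_dos(now: float = 1_000_000.0) -> tuple:
    """Attacker fails five times against 'ann'; Ann's correct password is then refused
    until the lockout expires. Returns (Ann's result during lockout, after lockout)."""
    policy = LockoutPolicy()
    for i in range(5):
        policy.attempt("ann", False, now + i)             # attacker, wrong password each time
    during = policy.attempt("ann", True, now + 60)        # Ann, correct password, still locked
    after = policy.attempt("ann", True, now + 5 + 1800)   # Ann, after the lockout window
    return during, after

if __name__ == "__main__":
    print(brute_force_blocked(LockoutPolicy(), "joe", "S3cret!", ["a", "b", "c", "d", "e", "f", "S3cret!"], 0.0))  # 5
    print(lockout_as_dos())   # ('locked', 'success')
```

The usual mitigations for the DoS side are a lockout that expires automatically (as above) rather than requiring an administrator, progressive delays instead of hard lockouts, and rate-limiting by source address so one attacker cannot lock out an entire directory.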
218
When a malicious user is able to retrieve sensitive information from RAM, the programmer has failed to implement:
encryption of data in use.
219
Joe recently assumed the role of data custodian for this organization. While cleaning out an unused storage safe, he discovers several hard drives that are labeled “unclassified” and awaiting destruction. The hard drives are obsolete and cannot be installed in any of his current computing equipment. Which of the following is the BEST method for disposing of the hard drives?
Pulverizing
220
Which of the following is the MOST significant difference between intrusive and non-intrusive vulnerability scanning?
One has a higher potential for disrupting system operations.
221
A systems administrator is implementing a remote access method for the system that will utilize GUI. Which of the following protocols would be BEST suited for this?
RDP
222
An analyst is concerned about data leaks and wants to restrict access to Internet services to authorized users only. The analyst also wants to control the actions each user can perform on each service. Which of the following would be the BEST technology for the analyst to consider implementing?
CASB
223
Which of the following control types are alerts sent from a SIEM fulfilling based on vulnerability signatures?
Detective
224
Which of the following implements two-factor authentication on a VPN?
Username and password plus a hardware token or client certificate (something you know combined with something you have); a source IP address is not an authentication factor
225
Which of the following provides PFS?
DHE
226
A manufacturer creates designs for very high security products that are required to be protected and controlled by government regulations. These designs are not accessible by corporate networks or the Internet. Which of the following is the BEST solution to protect these designs?
A Faraday cage
227
After entering a username and password, an administrator must draw a gesture on a touch screen. Which of the following demonstrates what the administrator is providing?
Something you can do
228
Which of the following BEST explains why sandboxing is a best practice for testing software from an untrusted vendor prior to an enterprise deployment?
It restricts the access of the software to a contained logical space and limits possible damage.
229
A company utilizes 802.11 for all client connectivity within a facility. Users in one part of the building are reporting they are unable to access company resources when connected to the company SSID. Which of the following should the security administrator use to assess connectivity?
Routing tables
230
An application developer has neglected to include input validation checks in the design of the company’s new web application. An employee discovers that repeatedly submitting large amounts of data, including custom code, to an application will allow the execution of the custom code at the administrator level. Which of the following BEST identifies this application attack?
Buffer overflow
231
A security analyst is performing a forensic investigation involving compromised account credentials. Using the Event Viewer, the analyst was able to detect the following message: "Special privileges assigned to new logon." Several of these messages did not have a valid logon associated with the user before these privileges were assigned. Which of the following attacks is MOST likely being detected?
Buffer overflow
232
A user received an SMS on a mobile phone that asked for bank details. Which of the following social-engineering techniques was used in this case?
Vishing
233
A threat actor motivated by political goals that is active for a short period of time but has virtually unlimited resources is BEST categorized as a:
nation-state
234
Using a one-time code that has been texted to a smartphone is an example of:
something you have.
235
A company recently implemented a new security system. In the course of configuration, the security administrator adds the following entry: "#Whitelist USB\VID_13FE&PID_4127&REV_0100". Which of the following security technologies is MOST likely being configured?
Removable media control
236
A security technician has been given the task of preserving emails that are potentially involved in a dispute between a company and a contractor.
Legal hold
237
An organization is struggling to differentiate threats from normal traffic and access to systems. A security engineer has been asked to recommend a system that will aggregate data and provide metrics that will assist in identifying malicious actors or other anomalous activity throughout the environment. Which of the following solutions should the engineer recommend?
SIEM
238
An organization with a low tolerance for user inconvenience wants to protect laptop hard drives against loss or data theft. Which of the following would be the MOST acceptable?
DLP
239
A highly complex password policy has made it nearly impossible to crack account passwords. Which of the following might a hacker still be able to perform?
Pass-the-hash attack
240
When considering IoT systems, which of the following represents the GREATEST ongoing risk after a vulnerability has been discovered?
Tight integration to existing systems
241
Which of the following is the proper use of a Faraday cage?
To block electronic signals sent to erase a cell phone
242
A company has just completed a vulnerability scan of its servers. A legacy application that monitors the HVAC system in the datacenter presents several challenges, as the application vendor is no longer in business. Which of the following secure network architecture concepts would BEST protect the other company servers if the legacy server were to be exploited?
Air gap
243
A security technician is configuring a new firewall appliance for a production environment. The firewall must support secure web services for client workstations on the 10.10.10.0/24 network. The same client workstations are configured to contact a server at 192.168.1.15/24 for domain name resolution. Which of the following rules should the technician add to the firewall to allow this connectivity for the client workstations? (Select TWO).
Permit 10.10.10.0/24 0.0.0.0 -p tcp --dport 443
Permit 10.10.10.0/24 192.168.1.15/24 -p tcp --dport 53
244
In which of the following situations would it be BEST to use a detective control type for mitigation?
A company implemented a network load balancer to ensure 99.999% availability of its web application
245
A Chief Information Security Officer (CISO) asks the security architect to design a method for contractors to access the company’s internal network securely without allowing access to systems beyond the scope of their project. Which of the following methods would BEST fit the needs of the CISO?
VPN
246
Which of the following disaster recovery sites would require the MOST time to get operations back online?
Cold
247
An attacker has gathered information about a company employee by obtaining publicly available information from the Internet and social networks. Which of the following types of activity is the attacker performing?
Social engineering
248
A security administrator is analyzing a user report in which the computer exhibits odd network-related outages. The administrator, however, does not see any suspicious process running. A prior technician’s notes indicate the machine has been remediated twice, but the system still exhibits odd behavior. Files were deleted from the system recently. Which of the following is the MOST likely cause of this behavior?
Rootkit
249
Which of the following are the BEST selection criteria to use when assessing hard drive suitability for time-sensitive applications that deal with large amounts of critical information? (Select TWO).
MTBF
MTTR
250
Which of the following is a technical preventive control?
Two-factor authentication
251
Which of the following environments typically hosts the current version configurations and code, compares user-story responses and workflow, and uses a modified version of actual data for testing?
Development
252
A security engineer at a manufacturing company is implementing a third-party cloud application. Rather than creating users manually in the application, the engineer decides to use the SAML protocol. Which of the following is being used for this implementation?
The manufacturing company is the service provider, and the cloud company is the identity provider.
253
A company has purchased a new SaaS application and is in the process of configuring it to meet the company’s needs. The director of security has requested that the SaaS application be integrated into the company’s IAM processes. Which of the following configurations should the security administrator set up in order to complete this request?
RADIUS
254
A system in the network is used to store proprietary secrets and needs the highest level of security possible. Which of the following should a security administrator implement to ensure the system cannot be reached from the Internet?
Air gap
255
A cybersecurity administrator needs to add disk redundancy for a critical server. The solution must have a two-drive failure for better fault tolerance. Which of the following RAID levels should the administrator select?
1
256
Using a ROT13 cipher to protect confidential information from unauthorized access is known as:
Obfuscation
257
A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements: * Ensure confidentiality at rest. * Ensure the integrity of the original email message. Which of the following controls would ensure these data security requirements are carried out?
Encrypt and sign the email using S/MIME.
258
Which of the following policies would help an organization identify and mitigate potential single points of failure in the company's IT/security operations?
Awareness training
259
Which of the following concepts ensure ACL rules on a directory are functioning as expected? (Select TWO).
Accounting
Auditing
260
A technician has been asked to document which services are running on each of a collection of 200 servers. Which of the following tools BEST meets this need while minimizing the work required?
Nmap
261
An organization is concerned that its hosted web servers are not running the most updated version of the software. Which of the following would work BEST to help identify potential vulnerabilities?
nc -1 -v compria.org -p 60
262
During a penetration test, the tester performs a preliminary scan for any responsive hosts. Which of the following BEST explains why the tester is doing this?
To identify servers for subsequent scans and further investigation
263
A security analyst is assessing a small company's internal servers against recommended security practices. Which of the following should the analyst do to conduct the assessment? (Select TWO).
Review the company's current security baseline
Run an exploitation framework to confirm vulnerabilities
264
Which of the following often operates in a client-server architecture to act as a service repository, providing enterprise consumers access to structured threat intelligence data?
CIRT
265
Joe, a contractor, is hired by a firm to perform a penetration test against the firm's infrastructure. While conducting the scan, he receives only the network diagram and the network list to scan against the network. Which of the following scan types is Joe performing?
Gray box
266
A company uses an enterprise desktop imaging solution to manage deployment of its desktop computers. Desktop computer users are only permitted to use software that is part of the baseline image. Which of the following technical solutions was MOST likely deployed by the company to ensure only known-good software can be installed on corporate desktops?
File integrity checks
267
Which of the following types of attack is being used when an attacker responds by sending the MAC address of the attacking machine to resolve the MAC to IP address of a valid server?
ARP poisoning
268
A company is planning to utilize its legacy desktop systems by converting them into dummy terminals and moving all heavy applications and storage to a centralized server that hosts all of the company’s required desktop applications. Which of the following describes the BEST deployment method to meet these requirements?
VDI
269
A systems administrator has implemented multiple websites using host headers on the same server. The server hosts two websites that require encryption and other websites where encryption is optional. Which of the following should the administrator implement to encrypt web traffic for the required websites?
Wildcard certificate
270
The IT department's on-site developer has been with the team for many years. Each time an application is released, the security team is able to identify multiple vulnerabilities. Which of the following would BEST help the team ensure the application is ready to be released to production?
Obfuscate the source code.
271
Which of the following are considered among the BEST indicators that a received message is a hoax? (Choose two.)
No valid digital signature from a known security organization
Embedded URLs
272
If two employees are encrypting traffic between them using a single encryption key, which of the following algorithms are they using?
SHA-2
273
The president of a company that specializes in military contracts receives a request for an interview. During the interview, the reporter seems more interested in discussing the president's family life and personal history than the details of a recent company success. Which of the following security concerns is this MOST likely an example of?
Social engineering
274
A coffee company has hired an IT consultant to set up a WiFi network that will provide Internet access to customers who visit the company's chain of cafés. The coffee company has provided no requirements other than that customers should be granted access after registering via a web form and accepting the terms of service. Which of the following is the MINIMUM acceptable configuration to meet this single requirement?
Captive portal
275
A hospital has received reports from multiple patients that their PHI was stolen after completing forms on the hospital's website. Upon investigation, the hospital finds a packet analyzer was used to steal data. Which of the following protocols would prevent this attack from reoccurring?
SFTP
276
A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across?
Shared credentials
277
An organization wants to separate permissions for individuals who perform system changes from individuals who perform auditing of those system changes. Which of the following access control approaches is BEST suited for this?
Assign administrators and auditors to different groups and restrict permissions on system log files to read-only for the auditor group.
278
In highly secure environments where the risk of malicious actors attempting to steal data is high, which of the following is the BEST reason to deploy Faraday cages?
To minimize external RF interference with embedded processors
279
Which of the following BEST explains the difference between a credentialed scan and a non-credentialed scan?
A credentialed scan sees the system the way an authorized user sees the system, while a non-credentialed scan sees the system as a guest.
280
Which of the following would provide a safe environment for an application to access only the resources needed to function while not having access to run at the system level?
Sandbox
281
Two companies are enabling TLS on their respective email gateways to secure communications over the Internet. Which of the following cryptography concepts is being implemented?
Data in transit
282
Which of the following explains why a vulnerability scan might return a false positive?
The signature matches the product but not the version information.
283
A systems administrator is configuring a new network switch for TACACS+ management and authentication. Which of the following must be configured to provide authentication between the switch and the TACACS+ server?
Shared secret
284
A company uses wireless for all laptops and keeps a very detailed record of its assets, along with a comprehensive list of devices that are authorized to be on the wireless network. The Chief Information Officer (CIO) is concerned about a script kiddie potentially using an unauthorized device to brute force the wireless PSK and obtain access to the internal network. Which of the following should the company implement to BEST prevent this from occurring?
A WIDS
285
Which of the following is the primary reason for implementing layered security measures in a cyber security architecture?
It decreases the time a CERT has to respond to a security incident
286
Which of the following methods is used by internal security teams to assess the security of internally developed applications?
White box testing
287
Which of the following serves to warn users against downloading and installing pirated software on company devices?
AUP
288
A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization's vulnerabilities. Which of the following would BEST meet this need?
SOAR
289
An organization’s IRP prioritizes containment over eradication. An incident has been discovered where an attacker outside of the organization has installed cryptocurrency mining software on the organization’s web servers. Given the organization’s stated priorities, which of the following would be the NEXT step?
Remove the affected servers from the network
290
A junior systems administrator noticed that one of two hard drives in a server room had a red error notification. The administrator removed the hard drive to replace it but was unaware that the server was configured in an array. Which of the following configurations would ensure no data is lost?
RAID 1
291
A security analyst is specifying requirements for a wireless network. The analyst must explain the security features provided by various architecture choices. Which of the following is provided by PEAP, EAP-TLS, and EAP-TTLS?
Mutual authentication
292
A security administrator is adding a NAC requirement for all VPN users to ensure the co requirement?
Implement a permanent agent
293
A small enterprise decides to implement a warm site to be available for business continuity in case of a disaster. Which of the following BEST meets its requirements?
An operational site requiring some equipment to be relocated as well as data transfer to the site
294
A security administrator in a bank is required to enforce an access control policy so no single individual is allowed to both initiate and approve financial transactions. Which of the following BEST represents the impact the administrator is deterring?
Principle of least privilege
295
A security analyst is running a credential-based vulnerability scanner on a Windows host. The vulnerability scanner is using the protocol NetBIOS over TCP/IP to connect to various systems. However, the scan does not return any results. To address the issue, the analyst should ensure that which of the following default ports is open on systems?
137
296
A company that processes sensitive information has implemented a BYOD policy and an MDM solution to secure sensitive data that is processed by corporate and personally owned mobile devices. Which of the following should the company implement to prevent sensitive data from being stored on mobile devices?
Storage segmentation
297
A company is implementing a tool to mask all PII when moving data from a production server to a testing server. Which of the following security techniques is the company applying?
Data sanitization
298
A security analyst wishes to scan the network to view potentially vulnerable systems the way an attacker would. Which of the following would BEST enable the analyst to complete the objective?
Perform a non-credentialed scan.
299
An organization’s research department uses workstations in an air-gapped network. A competitor released products based on files that originated in the research department. Which of the following should management do to improve the security and confidentiality of the research files?
Configure removable media controls on the workstations.
300
An attacker is attempting to harvest user credentials on a client's website. A security analyst notices multiple attempts of random usernames and passwords. When the analyst types in a random username and password, the logon screen displays the following message: The username you entered does not exist. Which of the following should the analyst recommend be enabled?
Username lockout
301
A company wants to configure its wireless network to require username and password authentication. Which of the following should the systems administrator implement?
WPS
302
A security consultant was asked to revise the security baselines that are utilized by a large organization. Although the company provides different platforms for its staff, including desktops, laptops, and mobile devices, the applications do not vary by platform. Which of the following should the consultant recommend? (Select TWO).
Apply patch management on a daily basis
Disable default accounts and/or passwords.
303
A company network is currently under attack. Although security controls are in place to stop the attack, the security administrator needs more information about the types of attacks being used. Which of the following network types would BEST help the administrator gather this information?
Honeynet
304
A company has won an important government contract. Several employees have been transferred from their existing projects to support a new contract. Some of the employees who have transferred will be working long hours and still need access to their project information to transition work to their replacements. Which of the following should be implemented to validate that the appropriate offboarding process has been followed?
Permission auditing
305
The Chief Information Officer (CIO) has determined the company’s new PKI will not use OCSP. The purpose of OCSP still needs to be addressed. Which of the following should be implemented?
Install a CRL.
306
A company wants to deploy PKI on its Internet-facing website. The applications that are currently deployed are: • www.company.com (main website) • contactus.company.com (for locating a nearby location) • quotes.company.com (for requesting a price quote). The company wants to purchase one SSL certificate that will work for all the existing applications and any future applications that follow the same naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?
Wildcard
307
A contracting company recently completed its period of performance on a government contract and would like to destroy all information associated with contract performance. Which of the following is the best NEXT step for the company to take?
Consult data disposition policies in the contract.
308
Which of the following BEST describes the purpose of authorization?
Authorization provides permissions to a resource and comes after authentication.
309
A company has just experienced a malware attack affecting a large number of desktop users. The antivirus solution was not able to block the malware, but the HIDS alerted to C2 calls as 'Troj.Generic'. Once the security team found a solution to remove the malware, they were able to remove the malware files successfully, and the HIDS stopped alerting. The next morning, however, the HIDS once again started alerting on the same desktops, and the security team discovered the files were back. Which of the following BEST describes the type of malware infecting this company's network?
Trojan
310
Which of the following attacks can be mitigated by proper data retention policies?
Dumpster diving
311
While monitoring the SIEM, a security analyst observes traffic from an external IP to an IP address of the business network on port 443. Which of the following protocols would MOST likely cause this traffic?
SSH
312
Which of the following terms BEST describes an exploitable vulnerability that exists but has not been publicly disclosed yet?
Zero-day
313
An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Select TWO).
Group-based access control
Individual accounts
314
Which of the following algorithms would be used to provide non-repudiation of a file transmission?
MD5
315
Which of the following access management concepts is MOST closely associated with the use of a password or PIN?
Authentication
316
Which of the following is an example of resource exhaustion?
A penetration tester requests every available IP address from a DHCP server.
317
During a security audit of a company's network, unsecure protocols were found to be in use. A network administrator wants to ensure browser-based access to company switches is using the most secure protocol. Which of the following protocols should be implemented?
SSH2
318
Which of the following attacks can be used to exploit a vulnerability that was created by untrained users?
A spear-phishing email with a file attachment
319
Which of the following is unique to a stream cipher?
It performs bit-level encryption
320
Which of the following can occur when a scanning tool cannot authenticate to a server and has to rely on limited information obtained from service banners?
False positive
321
A security analyst is investigating a vulnerability in which a default file permission was set incorrectly. The company uses non-credentialed scanning for vulnerability management. Which of the following tools can the analyst use to verify the permissions?
chmod
322
A member of the human resources department received the following email message after sending an email containing benefit and tax information to a candidate: “Your message has been quarantined for the following policy violation: external potential_PII. Please contact the IT security administrator for further details”. Which of the following BEST describes why this message was received?
The DLP system flagged the message.
323
A cybersecurity analyst needs to implement secure authentication to third-party websites without users' passwords. Which of the following would be the BEST way to achieve this objective?
SSO
324
A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive's accounts. Which of the following security practices would have addressed the issue?
Least privilege
325
After patching computers with the latest application security patches/updates, users are unable to open certain applications. Which of the following will correct the issue?
Modifying the security policy for DLP
326
An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO). Which of the following is the best NEXT step for the analyst to take?
Disconnect the CEO's workstation from the network.
327
Users are attempting to access a company’s website but are transparently redirected to another website. The users confirm the URL is correct. Which of the following would BEST prevent this issue in the future?
DNSSEC
328
A security analyst needs to be proactive in understanding the types of attacks that could potentially target the company's executives. Which of the following intelligence sources should the security analyst review?
Vulnerability feeds
329
An analyst has determined that a server was not patched and an external actor exfiltrated data on port 139. Which of the following sources should the analyst review to BEST ascertain how the incident could have been prevented?
The security logs
330
A company has a team of penetration testers. This team has located a file on the company file server that they believe contains cleartext usernames followed by a hash. Which of the following tools should the penetration testers use to learn more about the content of this file?
Password cracker
331
A government contracting company issues smartphones to employees to enable access to corporate resources. Several employees will need to travel to a foreign country for business purposes and will require access to their phones. However, the company recently received intelligence that its intellectual property is highly desired by the same country's government. Which of the following MDM configurations would BEST reduce the risk of compromise while on foreign soil?
Disable wipe
332
A security analyst is hardening a large-scale wireless network. The primary requirements are the following: * Must use authentication through EAP-TLS certificates * Must use an AAA server * Must use the most secure encryption protocol. Given these requirements, which of the following should the analyst implement and recommend? (Select TWO).
802.1X
WPA2-PSK
333
A security analyst is performing a manual audit of captured data from a packet analyzer. The analyst looks for base64-encoded strings and applies the filter http.authbasic. Which of the following describes what the analyst is looking for?
Unencrypted credentials
334
During a forensic investigation, which of the following must be addressed FIRST according to the order of volatility?
RAM
335
A buffer overflow can result in:
privilege escalation caused by TPM override.
336
After a security assessment was performed on the enterprise network, it was discovered that: Configuration changes have been made by users without the consent of IT. Network congestion has increased due to the use of social media. Users are accessing file folders and network shares that are beyond the scope of their need to know. Which of the following BEST describe the vulnerabilities that exist in this environment? (Choose two.)
Poorly trained users
Improperly configured accounts
337
Which of the following impacts are associated with vulnerabilities in embedded systems? (Select TWO).
Repeated exploitation due to unpatchable firmware
Denial of service due to an integrated legacy operating system
338
During an audit, the auditor requests to see a copy of the identified mission-critical applications as well as their disaster recovery plans. The company being audited has an SLA around the applications it hosts. With which of the following is the auditor MOST likely concerned?
RTO/RPO
339
Which of the following may indicate a configuration item has reached end-of-life?
The vendor has not published security patches recently
340
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS server? (Select TWO).
MSCHAP
PEAP
341
A user receives a security alert pop-up from the host-based IDS, and a few minutes later notices a document on the desktop has disappeared and in its place is an odd filename with no icon image. When clicking on this icon, the user receives a system notification that it cannot find the correct program to use to open this file. Which of the following types of malware has MOST likely targeted this workstation?
Ransomware
342
A company is having issues with intellectual property being sent to a competitor from its system. The information being sent is not random but has an identifiable pattern. Which of the following should be implemented in the system to stop the content from being sent?
DLP
343
A security analyst is using a recently released security advisory to review historical logs, looking for the specific activity that was outlined in the advisory. Which of the following is
Credentialed vulnerability scanning
344
An organization has decided to purchase an insurance policy because a risk assessment determined that the cost to remediate the risk is greater than the five-year cost of the insurance policy. The organization is enabling risk:
acceptance
345
A systems administrator wants to implement a secure wireless network requiring wireless clients to pre-register with the company and install a PKI client certificate prior to being able to connect to the wireless network. Which of the following should the systems administrator configure?
EAP-TLS
346
In a lessons learned report, it is suspected that a well-organized, well-funded, and extremely sophisticated group of attackers may have been responsible for a breach at a nuclear facility. Which of the following describes the type of actors that may have been implicated?
Nation-state
347
After reading a security bulletin, a network security manager is concerned that a malicious actor may have breached the network using the same software flaw. The exploit code is publicly available and has been reported as being used against other industries in the same vertical. Which of the following should the network security manager consult FIRST to determine a priority list for forensic review?
The vulnerability scan output
348
A network technician needs to monitor and view the websites that are visited by an employee. The employee is connected to a network switch. Which of the following would allow the technician to monitor the employee's web traffic?
Install and configure a transparent proxy server
349
A manager makes an unannounced visit to the marketing department and performs a walk-through of the office. The manager observes unclaimed documents on printers. A closer look at these documents reveals employee names, addresses, ages, birth dates, marital/dependent statuses, and favorite ice cream flavors. The manager brings this to the attention of the marketing department head. The manager believes this information to be PII, but the marketing head does not agree. Having reached a stalemate, which of the following is the MOST appropriate action to take NEXT?
Find the privacy officer in the organization and let the officer act as the arbiter.
350
A security operations team recently detected a breach of credentials. The team mitigated the risk and followed proper processes to reduce risk. Which of the following processes would BEST help prevent this issue from happening again?
Chain of custody
351
A security analyst wants to verify that a client-server (non-web) application is sending encrypted traffic. Which of the following should the analyst use?
tcpdump
352
A company recently experienced a security incident in which its domain controllers were the target of a DoS attack. In which of the following steps should technicians connect domain controllers to the network and begin authenticating users again?
Recovery
353
An accountant is attempting to log in to the internal accounting system and receives a message that the website's certificate is fraudulent. The accountant finds instructions for manually installing the new trusted root onto the local machine. Which of the following would be the company's BEST option for this situation in the future?
Implement certificate management.
354
Which of the following are considered to be "something you do"? (Select TWO).
Handwriting
Gait
355
A systems analyst is responsible for generating a new digital forensics chain-of-custody form. Which of the following should the analyst include in this documentation? (Select TWO)
A checksum
The location of the artifacts
356
A large industrial system's smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company's security manager notices the generator's IP is sending packets to an internal file server's IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?
Firewall whitelisting
357
A security engineer is analyzing the following line of JavaScript code that was found in a comment field on a web forum, which was recently involved in a security breach: Given the line of code above, which of the following BEST represents the attack performed during the breach?
XSS
358
Which of the following vulnerabilities can lead to unexpected system behavior, including the bypassing of security controls, due to differences between the time of commitment and the time of execution?
Buffer overflow
359
A security administrator is implementing a secure method that allows developers to place files or objects onto a Linux server. Developers are required to log in using a username, password, and asymmetric key. Which of the following protocols should be implemented?
SFTP
360
A systems administrator wants to replace the process of using a CRL to verify certificate validity. Frequent downloads are becoming problematic. Which of the following would BEST suit the administrator's needs?
OCSP
361
A company is performing an analysis of which corporate units are most likely to cause revenue loss in the event the unit is unable to operate. Which of the following is an element of the BIA that this action is addressing?
Mission-essential functions
362
A systems administrator wants to configure an enterprise wireless solution that supports authentication over HTTPS and wireless encryption using AES. Which of the following should the administrator configure to support these requirements? (Select TWO).
802.1X
WPA2