Security

Question 1

A single server hosts a sensitive SQL-based database and a web service containing static content. A few of the database fields need to be encrypted due to
regulatory requirements. Which of the following would provide the BEST encryption solution for this particular server?

A.
Individual file

B.
Database

C.
Full-disk

D.
Record based

Answer 1

D

Question 2

A building engineer just installed a new environmental control system (ECS) for a room that is critical to the company’s operation and needs the ability to manage
and monitor the system from any part of the network. Which of the following should the security administrator utilize to minimize the attack surface and still allow the
needed access?

A.
Configure the ECS host-based firewall to block non-ECS application traffic

B.
Create an encrypted connection between the ECS and the engineer’s computer

C.
Install a firewall that only allows traffic to the ECS from a single management and monitoring network

D.
Implement an ACL that permits the necessary management and monitoring traffic

Answer 2

A

Question 3

Following a site survey for an upcoming 5GHz wireless network implementation, the project manager determines that several areas of the facility receive
inadequate coverage due to the use of vertical antennas on all access points. Which of the following activities would be MOST likely to remediate the issue without
changing the current access point layout in the facility?

A.
Convert all access points to models operating at 2.4GHz.

B.
Install antennas with lower front-to-back ratios to narrow the focus of coverage as needed.

C.
Reorient the existing antennas in horizontal configuration.

D.
Install unidirectional antennas to focus coverage where needed.

Answer 3

D

Question 4

A company’s security analyst is investigating the suspected compromise of the company’s intranet web server. The compromise occurred at a time when no users
were logged into the domain. Which of the following is MOST likely to have prevented the attack from a new machine introduced to the corporate network?

A.
Domain log review

B.
802.1x

C.
NIDS

D.
Rogue detection

Answer 4

B

Question 5

Upper management wishes to implement a policy forbidding the use of personal devices on the corporate network. Which of the following is the primary reason why
such a policy would be put in place?

A.
Devices connected to the corporate network become legally bound to company SLAs.

B.
Personally owned devices might not be subjected to the same security controls as corporate devices.

C.
Personal devices might contain personally owned media that could leave company open to licensing issues.

D.
Employees might not be properly trained to utilize the device on the corporate network.

Answer 5

B

Question 6

The security administrator for a growing company is concerned about the increasing prevalence of personal devices connected to the corporate WLAN. Which of
the following actions should the administrator take FIRST to address this concern?

A.
Implement RADIUS to centrally manage access to the corporate network over WiFi.

B.
Request that senior management support the development of a policy that addresses personal devices.

C.
Establish a guest-access wireless network and request that employees use the guest network.

D.
Distribute a memo addressing the security risks associated with the use of personally-owned devices on the corporate WLAN.

Answer 6

B

Question 7

A security engineer is monitoring suspicious traffic from an internal endpoint to a malicious landing page of an external entity. The internal endpoint is configured
using a limited account, is fully patched to current standards, and has current antivirus signatures. No alerts have been received involving this endpoint. The
security engineer finds malicious code on the endpoint during a forensic analysis. Which of the following MOST likely explains this occurrence?

A.
The external entity breached the IDS

B.
The antivirus engine was evaded

C.
The DLP did not detect the malicious code

D.
The endpoint was running on a hypervisor

Answer 7

B

Question 8

A company uses PKI certificates stored on a smart chip enabled badge. The badge is used for a small number of devices that connect to a wireless network. A user
reported that their badge was stolen. Which of the following could the security administrator implement to prevent the stolen badge from being used to compromise
the wireless network?

A.
Asset tracking

B.
Honeynet

C.
Strong PSK

D.
MAC filtering

Answer 8

A

Question 9

A company is implementing a system to transfer direct deposit to a financial institution. One of the requirements is that the institution must be certain that the
deposit amounts within the file have not been charged. Which of the following should be used to meet requirement?

A.
Key escrow

B.
Perfect forward secrecy

C.
Transport encryption

D.
Digital signatures

E.
File encryption

Answer 9

D

Question 10

An application developer has coded a new application and needs to test all input fields. Which of the following should be used to fulfill this requirement?

A.
Application hardening

B.
Server-side validation

C.
Input validation

D.
Fuzzing

Answer 10

D

Question 11

A security analyst has been asked to perform penetration testing against a web application being deployed for the first time. When performing the test the
application stops responding and returns an error referring to failed database connections. Upon further investigation, the analyst finds the database server was
inundated with commits which exhausted available space on the volume. Which of the following has been performed against the database server?

A.
DoS

B.
SQL injection

C.
SYN flood

D.
DDoS

E.
Cross-site scripting

Answer 11

A

Question 12

Which of the following allows an application to securely authenticate a user by receiving credentials from a remote web domain?

A.
TACACS+

B.
RADIUS

C.
Kerberos

D.
SAML

Answer 12

D

Question 13

Ann is preparing a presentation for management to highlight some of the issues the security department is facing trying to integrate the organizations BYOD policy.
Highest of her list is the transparency of network resources. The DAC environment includes several departments including payroll, HR, IT, and Management.
However, the small company’s structure has never been updated to incorporate these departments. The organization continued to add users based on the same
original general user profile. Which of the following security methods should Ann suggest to management to BEST fix this issue?

A.
Two-factor authentication

B.
Mandatory access control

C.
Application firewall

D.
Network segmentation

Answer 13

D

Question 14

A university police department is housed on the first floor of a student dormitory. Which of the following would prevent students from using ARP spoofing attacks
against computers at the police department?

A.
Enable proxy ARP on router

B.
Private network addresses

C.
Separate Layer 2 VLANs

D.
Disable SSID broadcast

Answer 14

C

Question 15

The CEO for company A has asked the security engineer to design a PKI for company A. The CEO has asked that it allow company A users to send signed and
encrypted emails to company B. The users from company B must have an inherent trust in certificates from company A, because the security policy of company B
disallows adding of new CAs to their trusted root container. Which of the following is the BEST solution?

A.
Request email certificates for the users of company A from the PKI of company B.

B.
Build a new CA within the boundary of company A and issue email certificates to the users

C.
Establish a sub CA of company B’s root CA to issue email certificates to the users.

D.
Procure the services of a common Internet root CA to issue email certificates to the users.

Answer 15

D

Question 16

A security administrator is called to troubleshoot a computer infection. The computer’s software correctly identified the malware and flagged it to the central
management console; however the malicious payload was still executed. Which of the following can cause this scenario?

A.
The payload hash did not match known malware

B.
The antivirus is running an older virus definition

C.
The computer is running an IDS

D.
The payload is a zero-day attack

Answer 16

C

Question 17

Am organization decides to implement a BYOD policy but wants to ensure they address requirements associated with any legal investigations and controls needed
to comply with the analysis and recreation of an incident. This concern is also known as which of the following?

A.
Data ownership

B.
Forensics

C.
Chain of custody

D.
Acceptable use

Answer 17

B

Question 18

A security administrator is having continued issues with malware variants infecting systems infecting systems and encrypting several types of files. The malware
uses a document macro to create a randomly named executable that downloads the encrypted payload of the malware. Once downloaded, the malware searches
all drives, creates and HTML file with the decryption instructions in the directory, and then proceeds to encrypt the target files. Which of the following actions would
BEST interrupt the malware before it encrypts other files while minimizing the adverse impacts to the users?

A.
Block execution of documents with macros

B.
Block addition of documents with macros

C.
Block the creation of the HTML of the HTML document on the local system

D.
Block running external files from within documents.

Answer 18

A

Question 19

A media company would like to securely stream live video feeds over the Internet to clients. The security administrator suggests that the video feed is encrypted in
transport and configures the web server to prefer ciphers suited to the live video feeds. Which of the following cipher suites should the administrator implement on
the web server to minimize the computational and performance overhead of delivering live feeds?

A.
ECDHE-RSA-RC4-SHA

B.
DHE-DSA-DES-CBC-SHA

C.
ECDHE-RSA-AES-CBC-SHA

D.
ECDHE-RSA-AES256-CBC-SHA

Answer 19

A

Question 20

Several users require administrative access for software compatibility reasons. Over time, these users have made several changes to important system settings.
Which of the following is the BEST course of action to ensure the system settings are properly enforced?

A.
Require users to run under a standard user account

B.
Use centralized group policy to configure the settings

C.
Conduct user access reviews to determine appropriate privileges

D.
Implement an application whitelist throughout the company

Answer 20

B

Question 21

In the course of troubleshooting wireless issues from users, a technician discovers that users are connecting to their home SSIDs while at work. The technician
scans detects none of those SSIDs. The technician eventually discovers a rogue access point that spoofs any SSID that a client requests. Which of the following
allows wireless use while mitigating this type of attack?

A.
Configure the device to verify access point MAC addresses

B.
Disable automatic connection to known SSIDs

C.
Only connect to trusted wireless networks

D.
Enable MAC filtering on the wireless access point

Answer 21

A

Question 22

An employee connects a wireless access point to the only jack in the conference room to provide Internet access during a movie. The access point is configured to
secure its users with WPA2-TKIP. A malicious user is able to intercept clear text HTTP communication between the meeting attendees and the Internet. Which of

the following is the reason the malicious user is able to intercept and see clear text communications?

A.
The malicious user is running a wireless sniffer

B.
The wireless access point is broadcasting the SSID

C.
The malicious user is able to capture the wired communication

D.
The meeting attendees are using unencrypted hard drives

Answer 22

C

Question 23

A security engineer notices that unknown devices are connecting to the company’s wireless network and trying to access the database server. The wireless access
point is configured with WPA for encryption and the network administrator setup a 8 digit pin for easy setup to the wireless access point. Which of the following is
the MOST likely type of attack?

A.
IV attack

B.
WPS attack

C.
Bluesnarfing attack

D.
Replay attack

Answer 23

B

Question 24

A user contacts the help desk after being unable to log in to the corporate website. The user can log into the site from another computer in the next office, but not
from the PC. The user’s PC was able to connect earlier in the day. The help desk has the user restart the NTP service. Afterwards, the user is able to log into the
website. The MOST likely reason for the initial failure was that the website was configured to use which of the following authentication mechanisms?

A.
Secure LDAP

B.
RADIUS

C.
NTLMv2

D.
Kerberos

Answer 24

D

Question 25

A network administrator recently implemented two caching proxy servers on the network. How can the administrator BEST aggregate the log files from the proxy
servers?

A. Syslog

B.
Configure each proxy server to write to log files stored locally

C.
Configure both proxy servers to log to a network share

D.
Configure both proxy servers to log to a centralized switch

Answer 25

A

Question 26

A company wants to ensure that all software executing on a corporate server have been authorized to do so by a central control point. Which of the following can be
implemented to enable such a control?

A.
Digital signatures

B.
Mandatory access control

C.
Session keys

D.
Non repudiation

Answer 26

A

Question 27

A new help desk employee at a cloud services provider receives a call from a customer. The customer is unable to log into the provider’s web application database.
The help desk employee is unable to find the customer’s user account in the directory services console, but see the customer information in the application
database. The application does nit appear to have any fields for a password. The customer then remembers the password and is able to log in. The help desk
employee still does not see the user account in directory services. Which of the following is the MOST likely ?

A.
A bug has been discovered in the application

B.
An application uses a weak encryption cipher

C.
A federated authentication model is being used.

D.
The application uses single sign on.

Answer 27

C

Question 28

An organization uses a Kerberos-based LDAP service for network authentication. The service is also utilized by internal web applications. Finally, access to terminal
applications is achieved using the same authentication method by joining the legacy system to the Kerberos realm. The company is using Kerberos to achieve
which of the following?

A.
Trusted operating system

B.
Rule-based access control

C.
Single sign-on

D.
Mandatory access control

Answer 28

C

Question 29

A security program manager wants to actively test the security posture of a system. The system is not yet in production and has no uptime requirement or active
user base. Which of the following methods will produce a report which shows vulnerabilities that were actually exploited?

A.
Peer review

B.
Component testing

C.
Penetration testing

D.
Vulnerability testing

Answer 29

C

Question 30

The chief security officer (CS0) has issued a new policy that requires that all internal websites be configured for HTTPS traffic only. The network administrator has
been tasked to update all internal sites without incurring additional costs. Which of the following is the best solution for the network administrator to secure each
internal website?

A.
Use certificates signed by the company CA

B.
Use a signing certificate as a wild card certificate

C.
Use certificates signed by a public ca

D.
Use a self-signed certificate on each internal server

Answer 30

A

Question 31

An administrator intends to configure an IPSec solution that provides ESP with integrity protection, but not confidentiality protection. Which of the following AES

modes of operation would meet this integrity-only requirement?

A.
GMAC

B.
PCBC

C.
CBC

D.
GCM

E.
CFB

Answer 31

A

Question 32

A company wants to ensure that the validity of publicly trusted certificates used by its web server can be determined even during an extended internet outage.
Which of the following should be implemented?

A.
Recovery agent

B.
OCSP

C.
CRL

D.
Key escrow

Answer 32

C

Question 33

A computer on a company network was infected with a zero-day exploit after an employee accidentally opened an email that contained malicious content. The
employee recognized the email as malicious and was attempting to delete it, but accidentally opened it. Which of the following should be done to prevent this
scenario from occurring again in the future?

A.
Install host-based firewalls on all computers that have an email client installed

B.
Set the email program default to open messages in plain text

C.
Install end-point protection on all computers that access web email

D.
Create new email spam filters to delete all messages from that sender

Answer 33

B

Question 34

A company researched the root cause of a recent vulnerability in its software. It was determined that the vulnerability was the result of two updates made in the last
release. Each update alone would not have resulted in the vulnerability. In order to prevent similar situations in the future, the company should improve which of the
following?

A.
Change management procedures

B.
Job rotation policies

C.
Incident response management

D.
Least privilege access controls

Answer 34

A

Question 35

A security administrator is developing training for corporate users on basic security principles for personal email accounts. Which of the following should be
mentioned as the MOST secure way for password recovery?

A.
Utilizing a single question for password recovery

B.
Sending a PIN to a smartphone through text message

C.
Utilizing CAPTCHA to avoid brute force attacks

D.
Use a different e-mail address to recover password

Answer 35

B

Question 36

Which of the following use the SSH protocol? (Choose two).

A.
Stelnet

B.
SCP

C.
SNMP

D.
FTPS

E.
SSL

F.
SFTP

Answer 36

B, F

Question 37

A network administrator is attempting to troubleshoot an issue regarding certificates on a secure website. During the troubleshooting process, the network
administrator notices that the web gateway proxy on the local network has signed all of the certificates on the local machine. Which of the following describes the
type of attack the proxy has been legitimately programmed to perform?

A.
Transitive access

B.
Spoofing

C.
Man-in-the-middle

D.
Replay

Answer 37

C

Question 38

A security administrator is tasked with conducting an assessment made to establish the baseline security posture of the corporate IT infrastructure. The

assessment must report actual flaws and weaknesses in the infrastructure. Due to the expense of hiring outside consultants, the testing must be performed using
in-house or cheaply available resource. There cannot be a possibility of any requirement being damaged in the test. Which of the following has the administrator
been tasked to perform?

A.
Risk transference

B.
Penetration test

C.
Threat assessment

D.
Vulnerability assessment

Answer 38

D

Question 39

An attacker wearing a building maintenance uniform approached a company’s receptionist asking for access to a secure area. The receptionist asks for
identification, a building access badge and checks the company’s list approved maintenance personnel prior to granting physical access to the secure are. The
controls used by the receptionist are in place to prevent which of the following types of attacks?

A.
Tailgating

B.
Shoulder surfing

C.
Impersonation

D.
Hoax

Answer 39

C

Question 40

A security analyst has been asked to perform a review of an organization’s software development lifecycle. The analyst reports that the lifecycle does not contain a
phase in which team members evaluate and provide critical feedback of another developer’s code. Which of the following assessment techniques is BEST
described in the analyst’s report?

A.
Architecture evaluation

B.
Baseline reporting

C.
Whitebox testing

D.
Peer review

Answer 40

D

Question 41

A security engineer is faced with competing requirements from the networking group and database administrators. The database administrators would like ten
application servers on the same subnet for ease of administration, whereas the networking group would like to segment all applications from one another. Which of
the following should the security administrator do to rectify this issue?

A.
Recommend performing a security assessment on each application, and only segment the applications with the most vulnerability

B.
Recommend classifying each application into like security groups and segmenting the groups from one another

C.
Recommend segmenting each application, as it is the most secure approach

D.
Recommend that only applications with minimal security features should be segmented to protect them

Answer 41

B

Question 42

An organization has hired a penetration tester to test the security of its ten web servers. The penetration tester is able to gain root/administrative access in several
servers by exploiting vulnerabilities associated with the implementation of SMTP, POP, DNS, FTP, Telnet, and IMAP. Which of the following recommendations
should the penetration tester provide to the organization to better protect their web servers in the future?

A.
Use a honeypot

B.
Disable unnecessary services

C.
Implement transport layer security

D.
Increase application event logging

Answer 42

B

Question 43

A member of a digital forensics team, Joe arrives at a crime scene and is preparing to collect system data. Before powering the system off, Joe knows that he must
collect the most volatile date first. Which of the following is the correct order in which Joe should collect the data?

A.
CPU cache, paging/swap files, RAM, remote logging data

B.
RAM, CPU cache. Remote logging data, paging/swap files

C.
Paging/swap files, CPU cache, RAM, remote logging data

D.
CPU cache, RAM, paging/swap files, remote logging data

Answer 43

D

Question 44

A mobile device user is concerned about geographic positioning information being included in messages sent between users on a popular social network platform.
The user turns off the functionality in the application, but wants to ensure the application cannot re-enable the setting without the knowledge of the user. Which of
the following mobile device capabilities should the user disable to achieve the stated goal?

A.
Device access control

B.
Location based services

C.
Application control

D.
Geo-Tagging

Answer 44

B

Question 45

A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the
organization security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO,
which of the following controls should the CISO focus on in the report? (Select Three)

A.
Password complexity policies

B.
Hardware tokens

C.
Biometric systems

D.
Role-based permissions

E.
One time passwords

F.
Separation of duties

G.
Multifactor authentication

H.
Single sign-on

I.
Least privilege

Answer 45

D, F, I

Question 46

A user of the wireless network is unable to gain access to the network. The symptoms are:
1.) Unable to connect to both internal and Internet resources 2.) The wireless icon shows connectivity but has no network access The wireless network is WPA2
Enterprise and users must be a member of the wireless security group to authenticate. Which of the following is the MOST likely cause of the connectivity issues?

A.
The wireless signal is not strong enough

B.
A remote DDoS attack against the RADIUS server is taking place

C.
The user’s laptop only supports WPA and WEP

D.
The DHCP scope is full

E.
The dynamic encryption key did not update while the user was offline

Answer 46

C

Question 47

An administrator has concerns regarding the traveling sales team who works primarily from smart phones. Given the sensitive nature of their work, which of the
following would BEST prevent access to the data in case of loss or theft?

A.
Enable screensaver locks when the phones are not in use to prevent unauthorized access

B.
Configure the smart phones so that the stored data can be destroyed from a centralized location

C.
Configure the smart phones so that all data is saved to removable media and kept separate from the device

D.
Enable GPS tracking on all smart phones so that they can be quickly located and recovered

Answer 47

B

Question 48

A network administrator wants to ensure that users do not connect any unauthorized devices to the company network. Each desk needs to connect a VoIP phone
and computer. Which of the following is the BEST way to accomplish this?

A.
Enforce authentication for network devices

B.
Configure the phones on one VLAN, and computers on another

C.
Enable and configure port channels

D.
Make users sign an Acceptable use Agreement

Answer 48

A

Question 49

While reviewing the monthly internet usage it is noted that there is a large spike in traffic classified as “unknown” and does not appear to be within the bounds of the
organizations Acceptable Use Policy. Which of the following tool or technology would work BEST for obtaining more information on this traffic?

A.
Firewall logs

B.
IDS logs

C.
Increased spam filtering

D.
Protocol analyzer

Answer 49

D

Question 50

The Chief Security Officer (CISO) at a multinational banking corporation is reviewing a plan to upgrade the entire corporate IT infrastructure. The architecture
consists of a centralized cloud environment hosting the majority of data, small server clusters at each corporate location to handle the majority of customer
transaction processing, ATMs, and a new mobile banking application accessible from smartphones, tablets, and the Internet via HTTP. The corporation does
business having varying data retention and privacy laws. Which of the following technical modifications to the architecture and corresponding security controls
should be implemented to provide the MOST complete protection of data?

A.
Revoke exiting root certificates, re-issue new customer certificates, and ensure all transactions are digitally signed to minimize fraud, implement encryption for
data in-transit between data centers

B.
Ensure all data is encryption according to the most stringent regulatory guidance applicable, implement encryption for data in-transit between data centers,
increase data availability by replicating all data, transaction data, logs between each corporate location

C.
Store customer data based on national borders, ensure end-to end encryption between ATMs, end users, and servers, test redundancy and COOP plans to
ensure data is not inadvertently shifted from one legal jurisdiction to another with more stringent regulations

D.
Install redundant servers to handle corporate customer processing, encrypt all customer data to ease the transfer from one country to another, implement endto-end encryption between mobile applications and the cloud.

Answer 50

C

Question 51

A technician has installed new vulnerability scanner software on a server that is joined to the company domain. The vulnerability scanner is able to provide visibility
over the patch posture of all company’s clients. Which of the following is being used?

A.
Gray box vulnerability testing

B.
Passive scan

C.
Credentialed scan

D.
Bypassing security controls

Answer 51

C

Question 52

A security administrator must implement a system to ensure that invalid certificates are not used by a custom developed application. The system must be able to
check the validity of certificates even when internet access is unavailable. Which of the following MUST be implemented to support this requirement?

A.
CSR

B.
OCSP

C.
CRL

D.
SSH

Answer 52

C

Question 53

A portable data storage device has been determined to have malicious firmware. Which of the following is the BEST course of action to ensure data confidentiality?

A.
Format the device

B.
Re-image the device

C.
Perform virus scan in the device

D.
Physically destroy the device

Answer 53

D

Question 54

Technicians working with servers hosted at the company’s datacenter are increasingly complaining of electric shocks when touching metal items which have been
linked to hard drive failures. Which of the following should be implemented to correct this issue?

A.
Decrease the room temperature

B.
Increase humidity in the room

C.
Utilize better hot/cold aisle configurations

D.
Implement EMI shielding

Answer 54

B

Question 55

A web application is configured to target browsers and allow access to bank accounts to siphon money to a foreign account. This is an example of which of the
following attacks?

A.
SQL injection

B.
Header manipulation

C.
Cross-site scripting

D.
Flash cookie exploitation

Answer 55

C

Question 56

Which of the following works by implanting software on systems but delays execution until a specific set of conditions is met?

A.
Logic bomb

B.
Trojan

C.
Scareware

D.
Ransomware

Answer 56

A

Question 57

Which of the following should identify critical systems and components?

A.
MOU

B.
BPA

C.
ITCP

D.
BCP

Answer 57

D

Question 58

During a routine audit, it is discovered that someone has been using a stale administrator account to log into a seldom used server. The person has been using the
server to view inappropriate websites that are prohibited to end users. Which of the following could best prevent this from occurring again?

A.
Credential management

B.
Group policy management

C.
Acceptable use policy

D.
Account expiration policy

Answer 58

D

Question 59

Company policy requires the use if passphrases instead if passwords. Which of the following technical controls MUST be in place in order to promote the use of
passphrases?

A.
Reuse

B.
Length

C.
History

D.
Complexity

Answer 59

B

Question 60

A security administrator has been tasked with improving the overall security posture related to desktop machines on the network. An auditor has recently that
several machines with confidential customer information displayed in the screens are left unattended during the course of the day. Which of the following could the
security administrator implement to reduce the risk associated with the finding?

A.
Implement a clean desk policy

B.
Security training to prevent shoulder surfing

C.
Enable group policy based screensaver timeouts

D.
Install privacy screens on monitors

Answer 60

C

Question 61

A bank requires tellers to get manager approval when a customer wants to open a new account. A recent audit shows that there have been four cases in the
previous year where tellers opened accounts without management approval. The bank president thought separation of duties would prevent this from happening. In
order to implement a true separation of duties approach the bank could:

A.
Require the use of two different passwords held by two different individuals to open an account

B.
Administer account creation on a role based access control approach

C.
Require all new accounts to be handled by someone else other than a teller since they have different duties

D.
Administer account creation on a rule based access control approach

Answer 61

C

Question 62

A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account
unlocked the security administrator immediately notices a large amount of emails alerts pertaining to several different user accounts being locked out during the
past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that has been
previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected?

A.
Password complexity rules

B.
Continuous monitoring

C.
User access reviews

D.
Account lockout policies

Answer 62

B

Question 63

An attacker discovers a new vulnerability in an enterprise application. The attacker takes advantage of the vulnerability by developing new malware. After installing
the malware the attacker is provided with access to the infected machine. Which of the following is being described?

A.
Zero-day exploit

B.
Remote code execution

C.
Session hijacking

D.
Command injection

Answer 63

A

Question 64

Although a web enabled application appears to only allow letters in the comment field of a web form, malicious user was able to carry a SQL injection attack by
sending special characters through the web comment field. Which of the following has the application programmer failed to implement?

A.
Revision control system

B.
Client side exception handling

C.
Server side validation

D.
Server hardening

Answer 64

C

Question 65

A security administrator has been assigned to review the security posture of the standard corporate system image for virtual machines. The security administrator
conducts a thorough review of the system logs, installation procedures, and network configuration of the VM image. Upon reviewing the access logs and user
accounts, the security administrator determines that several accounts will not be used in production. Which of the following would correct the deficiencies?

A.
Mandatory access controls

B.
Disable remote login

C.
Host hardening

D.
Disabling services

Answer 65

C

Question 66

A technician is configuring a wireless guest network. After applying the most recent changes the technician finds the new devices can no longer find the wireless
network by name but existing devices are still able to use the wireless network. Which of the following security measures did the technician MOST likely implement
to cause this Scenario?

A.
Deactivation of SSID broadcast

B.
Reduction of WAP signal output power

C.
Activation of 802.1X with RADIUS

D.
Implementation of MAC filtering

E.
Beacon interval was decreased

Answer 66

A

Question 67

The security administrator receives an email on a non-company account from a coworker stating that some reports are not exporting correctly. Attached to the
email was an example report file with several customers’ names and credit card numbers with the PIN. Which of the following is the BEST technical controls that
will help mitigate this risk of disclosing sensitive data?

A.
Configure the mail server to require TLS connections for every email to ensure all transport data is encrypted

B.
Create a user training program to identify the correct use of email and perform regular audits to ensure compliance

C.
Implement a DLP solution on the email gateway to scan email and remove sensitive data or files

D.
Classify all data according to its sensitivity and inform the users of data that is prohibited to share

Answer 67

C

Question 68

A company has a security policy that specifies all endpoint computing devices should be assigned a unique identifier that can be tracked via an inventory
management system. Recent changes to airline security regulations have cause many executives in the company to travel with mini tablet devices instead of
laptops. These tablet devices are difficult to tag and track. An RDP application is used from the tablet to connect into the company network. Which of the following
should be implemented in order to meet the security policy requirements?

A.
Virtual desktop infrastructure (VDI)

B.
WS-security and geo-fencing

C.
A hardware security module (HSM)

D.
RFID tagging system

E.
MDM software

F.
Security Requirements Traceability Matrix (SRTM)

Answer 68

D

Question 69

A security administrator is creating a subnet on one of the corporate firewall interfaces to use as a DMZ which is expected to accommodate at most 14 physical
hosts. Which of the following subnets would BEST meet the requirements?

A.
192.168.0.16 255.25.255.248

B.
192.168.0.16/28

C.
192.168.1.50 255.255.25.240

D.
192.168.2.32/27

Answer 69

B

Question 70

A new mobile application is being developed in-house. Security reviews did not pick up any major flaws, however vulnerability scanning results show fundamental
issues at the very end of the project cycle. Which of the following security activities should also have been performed to discover vulnerabilities earlier in the
lifecycle?

A.
Architecture review

B.
Risk assessment

C.
Protocol analysis

D.
Code review

Answer 70

D

Question 71

After a merger between two companies a security analyst has been asked to ensure that the organization’s systems are secured against infiltration by any former
employees that were terminated during the transition. Which of the following actions are MOST appropriate to harden applications against infiltration by former
employees? (Select TWO)

A.
Monitor VPN client access

B.
Reduce failed login settings

C.
Develop and implement updated access control policies

D.
Review and address invalid login attempts

E.
Increase password complexity requirements

F.
Assess and eliminate inactive accounts

Answer 71

C, F

Question 72

A security administrator is trying to encrypt communication. For which of the following reasons should administrator take advantage of the Subject Alternative
Names (SAN) attribute of a certificate?

A.
It can protect multiple domains

B.
It provides extended site validation

C.
It does not require a trusted certificate authority

D.
It protects unlimited subdomains

Answer 72

A

Question 73

New magnetic locks were ordered for an entire building. In accordance with company policy, employee safety is the top priority. In case of a fire where electricity is
cut, which of the following should be taken into consideration when installing the new locks?

A.
Fail safe

B.
Fault tolerance

C.
Fail secure

D.
Redundancy

Answer 73

A

Question 74

A security administrator needs to implement a system that detects possible intrusions based upon a vendor provided list. Which of the following BEST describes
this type of IDS?

A.
Signature based

B.
Heuristic

C.
Anomaly-based

D.
Behavior-based

Answer 74

A

Question 75

Which of the following is the proper way to quantify the total monetary damage resulting from an exploited vulnerability?

A.
Calculate the ALE

B.
Calculate the ARO

C.
Calculate the MTBF

D.
Calculate the TCO

Answer 75

A

Question 76

A company exchanges information with a business partner. An annual audit of the business partner is conducted against the SLA in order to verify:

A.
Performance and service delivery metrics

B.
Backups are being performed and tested

C.
Data ownership is being maintained and audited

D.
Risk awareness is being adhered to and enforced

Answer 76

A

Question 77

After a merger, it was determined that several individuals could perform the tasks of a network administrator in the merged organization. Which of the following
should have been performed to ensure that employees have proper access?

A.
Time-of-day restrictions

B.
Change management

C.
Periodic auditing of user credentials

D.
User rights and permission review

Answer 77

D

Question 78

During an application design, the development team specifics a LDAP module for single sign-on communication with the company’s access control database. This
is an example of which of the following?

A.
Application control

B.
Data in-transit

C.
Identification

D.
Authentication

Answer 78

D

Question 79

Which of the following should be used to implement voice encryption?

A.
SSLv3

B.
VDSL

C.
SRTP

D.
VoIP

Answer 79

C

Question 80

The SSID broadcast for a wireless router has been disabled but a network administrator notices that unauthorized users are accessing the wireless network. The
administrator has determined that attackers are still able to detect the presence of the wireless network despite the fact the SSID has been disabled. Which of the
following would further obscure the presence of the wireless network?

A.
Upgrade the encryption to WPA or WPA2

B.
Create a non-zero length SSID for the wireless router

C.
Reroute wireless users to a honeypot

D.
Disable responses to a broadcast probe request

Answer 80

D

Question 81

An administrator is testing the collision resistance of different hashing algorithms. Which of the following is the strongest collision resistance test?

A.
Find two identical messages with different hashes

B.
Find two identical messages with the same hash

C.
Find a common hash between two specific messages

D.
Find a common hash between a specific message and a random message

Answer 81

D

Question 82

Ann a security analyst is monitoring the IDS console and noticed multiple connections from an internal host to a suspicious call back domain \. Which of the
following tools would aid her to decipher the network traffic?

A.
Vulnerability Scanner

B.
Nmap

C.
netstat

D.
Packet Analyzer

Answer 82

D

Question 83

Which of the following best describes the initial processing phase used in mobile device forensics?

A.
The phone should be powered down and the battery removed to preserve the state of data on any internal or removable storage utilized by the mobile device

B.
The removable data storage cards should be processed first to prevent data alteration when examining the mobile device

C.
The mobile device should be examined first, then removable storage and lastly the phone without removable storage should be examined again

D.
The phone and storage cards should be examined as a complete unit after examining the removable storage cards separately.

Answer 83

C

Question 84

A penetration testing is preparing for a client engagement in which the tester must provide data that proves and validates the scanning tools’ results. Which of the
following is the best method for collecting this information?

A.
Set up the scanning system’s firewall to permit and log all outbound connections

B.
Use a protocol analyzer to log all pertinent network traffic

C.
Configure network flow data logging on all scanning system

D.
Enable debug level logging on the scanning system and all scanning tools used.

Answer 84

B

Question 85

An organization is moving its human resources system to a cloud services provider. The company plans to continue using internal usernames and passwords with
the service provider, but the security manager does not want the service provider to have a company of the passwords. Which of the following options meets all of
these requirements?

A.
Two-factor authentication

B.
Account and password synchronization

C.
Smartcards with PINs

D.
Federated authentication

Answer 85

D

Question 86

An attacker uses a network sniffer to capture the packets of a transaction that adds $20 to a gift card. The attacker then user a function of the sniffer to push those
packets back onto the network again, adding another $20 to the gift card. This can be done many times. Which of the following describes this type of attack?

A.
Integer overflow attack

B.
Smurf attack

C.
Replay attack

D.
Buffer overflow attack

E.
Cross-site scripting attack

Answer 86

C

Question 87

Joe, a technician, is working remotely with his company provided laptop at the coffee shop near his home. Joe is concerned that another patron of the coffee shop
may be trying to access his laptop. Which of the following is an appropriate control to use to prevent the other patron from accessing Joe’s laptop directly?

A.
full-disk encryption

B.
Host-based firewall

C.
Current antivirus definitions

D.
Latest OS updates

Answer 87

B

Question 88

Ann, a security administrator, has been instructed to perform fuzz-based testing on the company’s applications.
Which of the following best describes what she will do?

A.
Enter random or invalid data into the application in an attempt to cause it to fault

B.
Work with the developers to eliminate horizontal privilege escalation opportunities

C.
Test the applications for the existence of built-in- back doors left by the developers

D.
Hash the application to verify it won’t cause a false positive on the HIPS.

Answer 88

A

Question 89

An audit has revealed that database administrators are also responsible for auditing database changes and backup logs. Which of the following access control
methodologies would BEST mitigate this concern?

A.
Time of day restrictions

B.
Principle of least privilege

C.
Role-based access control

D.
Separation of duties

Answer 89

D

Question 90

A global gaming console manufacturer is launching a new gaming platform to its customers. Which of the following controls reduces the risk created by malicious
gaming customers attempting to circumvent control by way of modifying consoles? (Select Two)

A.
Firmware version control

B.
Manual software upgrades

C.
Vulnerability scanning

D.
Automatic updates

E.
Network segmentation

F.
Application firewalls

Answer 90

A, D

Question 91

An administrator thinks the UNIX systems may be compromised, but a review of system log files provides no useful information. After discussing the situation with
the security team, the administrator suspects that the attacker may be altering the log files and removing evidence of intrusion activity. Which of the following
actions will help detect attacker attempts to further alter log files?

A.
Enable verbose system logging

B.
Change the permissions on the user’s home directory

C.
Implement remote syslog

D.
Set the bash_history log file to “read only”

Answer 91

C

Question 92

An administrator has configured a new Linux server with the FTP service. Upon verifying that the service was configured correctly, the administrator has several
users test the FTP service. Users report that they are able to connect to the FTP service and download their personal files, however, they cannot transfer new files
to the server. Which of the following will most likely fix the uploading issue for the users?

A.
Create an ACL to allow the FTP service write access to user directories

B.
Set the Boolean selinux value to allow FTP home directory uploads

C.
Reconfigure the ftp daemon to operate without utilizing the PSAV mode

D.
Configure the FTP daemon to utilize PAM authentication pass through user permissions

Answer 92

B

Question 93

Which of the following is the appropriate network structure used to protect servers and services that must be provided to external clients without completely
eliminating access for internal users?

A.
NAC

B.
VLAN

C.
DMZ

D.
Subnet

Answer 93

C

Question 94

During a third-party audit, it is determined that a member of the firewall team can request, approve, and implement a new rule-set on the firewall. Which of the
following will the audit team most l likely recommend during the audit out brief?

A.
Discretionary access control for the firewall team

B.
Separation of duties policy for the firewall team

C.
Least privilege for the firewall team

D.
Mandatory access control for the firewall team

Answer 94

B

Question 95

During a data breach cleanup, it is discovered that not all of the sites involved have the necessary data wiping tools. The necessary tools are quickly distributed to
the required technicians, but when should this problem best be revisited?

A.
Reporting

B.
Preparation

C.
Mitigation

D.
Lessons learned

Answer 95

D

Question 96

Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO)

A.
Block level encryption

B.
SAML authentication

C.
Transport encryption

D.
Multifactor authentication

E.
Predefined challenge questions

F.
Hashing

Answer 96

B, D

Question 97

The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each

of the affected users’ accounts. Which of the following controls should be implemented to curtail this activity?

A.
Password Reuse

B.
Password complexity

C.
Password History

D.
Password Minimum age

Answer 97

D

Question 98

Which of the following delineates why it is important to perform egress filtering and monitoring on Internet connected security zones of interfaces on a firewall?

A.
Egress traffic is more important than ingress traffic for malware prevention

B.
To rebalance the amount of outbound traffic and inbound traffic

C.
Outbound traffic could be communicating to known botnet sources

D.
To prevent DDoS attacks originating from external network

Answer 98

C

Question 99

When designing a web based client server application with single application server and database cluster backend, input validation should be performed:

A.
On the client

B.
Using database stored procedures

C.
On the application server

D.
Using HTTPS

Answer 99

C

Question 100

Which of the following techniques can be bypass a user or computer’s web browser privacy settings? (Select Two)

A.
SQL injection

B.
Session hijacking

C.
Cross-site scripting

D.
Locally shared objects

E.
LDAP injection

Answer 100

B, D

Question 101

A datacenter manager has been asked to prioritize critical system recovery priorities. Which of the following is the MOST critical for immediate recovery?

A.
Communications software

B.
Operating system software

C.
Weekly summary reports to management

D.
Financial and production software

Answer 101

B

Question 102

A security administrator needs an external vendor to correct an urgent issue with an organization’s physical access control system (PACS). The PACS does not
currently have internet access because it is running a legacy operation system. Which of the following methods should the security administrator select the best
balances security and efficiency?

A.
Temporarily permit outbound internet access for the pacs so desktop sharing can be set up

B.
Have the external vendor come onsite and provide access to the PACS directly

C.
Set up VPN concentrator for the vendor and restrict access to the PACS using desktop sharing

D.
Set up a web conference on the administrator’s pc; then remotely connect to the pacs

Answer 102

B

Question 103

A company is investigating a data compromise where data exfiltration occurred. Prior to the investigation, the supervisor terminates an employee as a result of the
suspected data loss. During the investigation, the supervisor is absent for the interview, and little evidence can be provided from the role-based authentication
system in use by the company. The situation can be identified for future mitigation as which of the following?

A.
Job rotation

B.
Logging failure

C.
Lack of training

D.
Insider threat

Answer 103

B

Question 104

Six months into development, the core team assigned to implement a new internal piece of software must convene to discuss a new requirement with the
stakeholders. A stakeholder identified a missing feature critical to the organization, which must be implemented. The team needs to validate the feasibility of the
newly introduced requirement and ensure it does not introduce new vulnerabilities to the software and other applications that will integrate with it. Which of the
following BEST describes the current software development phase?

A.
The system integration phase of the SDLC

B.
The system analysis phase of SSDSLC

C.
The system design phase of the SDLC

D.
The system development phase of the SDLC

Answer 104

D

Question 105

Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate- based authentication with its users. The company uses SSLinspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following model prevents the IDS from
capturing credentials used to authenticate users to the new service or keys to decrypt that communication?

A.
Use of OATH between the user and the service and attestation from the company domain

B.
Use of active directory federation between the company and the cloud-based service

C.
Use of smartcards that store x.509 keys, signed by a global CA

D.
Use of a third-party, SAML-based authentication service for attestation

Answer 105

D

Question 106

Which of the following can be used to control specific commands that can be executed on a network infrastructure device?

A.
LDAP

B.
Kerberos

C.
SAML

D.
TACACS+

Answer 106

D

Question 107

A server administrator needs to administer a server remotely using RDP, but the specified port is closed on the outbound firewall on the network. How could he
access the server using RDP on a port other than the typical registered port for the RDP protocol?

A.
TLS

B.
MPLS

C.
SCP

D.
SSH

Answer 107

D

Question 108

A company is deploying a new VoIP phone system. They require 99.999% uptime for their phone service and are concerned about their existing data network
interfering with the VoIP phone system. The core switches in the existing data network are almost fully saturated. Which of the following options will provide the best
performance and availability for both the VoIP traffic, as well as the traffic on the existing data network?

A.
Put the VoIP network into a different VLAN than the existing data network.

B.
Upgrade the edge switches from 10/100/1000 to improve network speed

C.
Physically separate the VoIP phones from the data network

D.
Implement flood guards on the data network

Answer 108

A

Question 109

A security administrator suspects that data on a server has been exfiltrated as a result of unauthorized remote access. Which of the following would assist the
administrator in confirming the suspicions? (Select TWO)

A.
Networking access control

B.
DLP alerts

C.
Log analysis

D.
File integrity monitoring

E.
Host firewall rules

Answer 109

B, C

Question 110

The security administrator has noticed cars parking just outside of the building fence line. Which of the following security measures can the administrator use to
help protect the company’s WiFi network against war driving? (Select TWO)

A.
Create a honeynet

B.
Reduce beacon rate

C.
Add false SSIDs

D.
Change antenna placement

E.
Adjust power level controls

F.
Implement a warning banner

Answer 110

D, E

Question 111

A network technician is trying to determine the source of an ongoing network based attack. Which of the following should the technician use to view IPv4 packet
data on a particular internal network segment?

A.
Proxy

B.
Protocol analyzer

C.
Switch

D.
Firewall

Answer 111

B

Question 112

Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain?

A.
TACACS+

B.
RADIUS

C.
Kerberos

D.
SAML

Answer 112

D

Question 113

The administrator installs database software to encrypt each field as it is written to disk. Which of the following describes the encrypted data?

A.
In-transit

B.
In-use

C.
Embedded

D.
At-rest

Answer 113

D

Question 114

When generating a request for a new x.509 certificate for securing a website, which of the following is the MOST appropriate hashing algorithm?

A.
RC4

B.
MD5

C.
HMAC

D.
SHA

Answer 114

D

Question 115

During a recent audit, it was discovered that many services and desktops were missing security patches. Which of the following BEST describes the assessment
that was performed to discover this issue?

A.
Network mapping

B.
Vulnerability scan

C.
Port Scan

D.
Protocol analysis

Answer 115

B

Question 116

Ann, a college professor, was recently reprimanded for posting disparaging remarks regarding her coworkers on a web site. Ann stated that she was not aware that
the public was able to view her remakes. Which of the following security-related training could have made Ann aware of the repercussions of her actions?

A.
Data Labeling and disposal

B.
Use of social networking

C.
Use of P2P networking

D.
Role-based training

Answer 116

B

Question 117

An organization wants to conduct secure transactions of large data files. Before encrypting and exchanging the data files, the organization wants to ensure a secure
exchange of keys. Which of the following algorithms is appropriate for securing the key exchange?

A.
DES

B.
Blowfish

C.
DSA

D.
Diffie-Hellman

E.
3DES

Answer 117

D

Question 118

An attack that is using interference as its main attack to impede network traffic is which of the following?

A.
Introducing too much data to a targets memory allocation

B.
Utilizing a previously unknown security flaw against the target

C.
Using a similar wireless configuration of a nearby network

D.
Inundating a target system with SYN requests

Answer 118

C

Question 119

The IT department needs to prevent users from installing untested applications. Which of the following would provide the BEST solution?

A.
Job rotation

B.
Least privilege

C.
Account lockout

D.
Antivirus

Answer 119

B

Question 120

Many employees are receiving email messages similar to the one shown below:
From IT department
To employee
Subject email quota exceeded
Pease click on the following link http:www.website.info/email.php?quota=1Gb and provide your username and password to increase your email quota. Upon
reviewing other similar emails, the security administrator realized that all the phishing URLs have the following common elements; they all use HTTP, they all come
from .info domains, and they all contain the same URI.
Which of the following should the security administrator configure on the corporate content filter to prevent users from accessing the phishing URL, while at the
same time minimizing false positives?

A.
BLOCK http://www.*.info/”

B.
DROP http://”website.info/email.php?*

C.
Redirect http://www,. Info/email.php?quota=TOhttp://company.com/corporate_polict.html

D.
DENY http://*.info/email.php?quota=1Gb

Answer 120

D

Question 121

An attacker captures the encrypted communication between two parties for a week, but is unable to decrypt the messages. The attacker then compromises the
session key during one exchange and successfully compromises a single message. The attacker plans to use this key to decrypt previously captured and future
communications, but is unable to. This is because the encryption scheme in use adheres to:

A.
Asymmetric encryption

B.
Out-of-band key exchange

C.
Perfect forward secrecy

D.
Secure key escrow

Answer 121

C

Question 122

A website administrator has received an alert from an application designed to check the integrity of the company’s website. The alert indicated that the hash value
for a particular MPEG file has changed. Upon further investigation, the media appears to be the same as it was before the alert. Which of the following methods has
MOST likely been used?

A.
Cryptography

B.
Time of check/time of use

C.
Man in the middle

D.
Covert timing

E.
Steganography

Answer 122

E

Question 123

A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to logon to network
devices using their LDAP credentials. All command executed by network administrators on network devices must fall within a preset list of authorized commands
and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement?

A.
LDAP server 10.55.199.3

B.
CN=company, CN=com, OU=netadmin, DC=192.32.10.233

C.
SYSLOG SERVER 172.16.23.50

D.
TACACS+ server 192.168.1.100

Answer 123

D

Question 124

A security administrator determined that users within the company are installing unapproved software. Company policy dictates that only certain applications may be
installed or ran on the user’s computers without exception. Which of the following should the administrator do to prevent all unapproved software from running on
the user’s computer?

A.
Deploy antivirus software and configure it to detect and remove pirated software

B.
Configure the firewall to prevent the downloading of executable files

C.
Create an application whitelist and use OS controls to enforce it

D.
Prevent users from running as administrator so they cannot install software.

Answer 124

C

Question 125

While reviewing the security controls in place for a web-based application, a security controls assessor notices that there are no password strength requirements in
place. Because of this vulnerability, passwords might be easily discovered using a brute force attack. Which of the following password requirements will MOST
effectively improve the security posture of the application against these attacks? (Select two)

A.
Minimum complexity

B.
Maximum age limit

C.
Maximum length

D.
Minimum length

E.
Minimum age limit

F.
Minimum re-use limit

Answer 125

A, D

Question 126

An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and
requires significant overhead. Management would like to simplify the access control and provide user with the ability to determine what permissions should be
applied to files, document, and directories. The access control method that BEST satisfies these objectives is:

A.
Rule-based access control

B.
Role-based access control

C.
Mandatory access control

D.
Discretionary access control

Answer 126

D

Question 127

A consultant has been tasked to assess a client’s network. The client reports frequent network outages. Upon viewing the spanning tree configuration, the
consultant notices that an old and slow performing edge switch on the network has been elected to be the root bridge. Which of the following explains this scenario?

A.
The switch also serves as the DHCP server

B.
The switch has the lowest MAC address

C.
The switch has spanning tree loop protection enabled

D.
The switch has the fastest uplink port

Answer 127

B